=====================
= End-of-Day report =
=====================
Timeframe: Freitag 19-05-2023 18:00 − Montag 22-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Aktuelle Qakbot/Pikabot-Welle in Österreich ∗∗∗
---------------------------------------------
Aktuell ist neben anderen Ländern auch Österreich wieder von einer Phishing/Malspam-Welle durch Qakbot/Pikabot betroffen. Die aktuelle Kampagne läuft unter dem Namen BB28 und führt nach einer erfolgten Infektion zum Nachladen von Cobalt Strike und in weiterer Folge oft zu Ransomware - hier im Speziellen häufig BlackBasta. Eine Besonderheit dieser Kampagne ist das Auftreten eines potentiellen Nachfolgers oder Mitstreiters von Qakbot namens Pikabot.
---------------------------------------------
https://cert.at/de/aktuelles/2023/5/aktuelle-qakbotpikabot-welle-in-osterre…
∗∗∗ CISA warns of Samsung ASLR bypass flaw exploited in attacks ∗∗∗
---------------------------------------------
CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-samsung-aslr-b…
∗∗∗ Cloned CapCut websites push information stealing malware ∗∗∗
---------------------------------------------
A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloned-capcut-websites-push-…
∗∗∗ Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks ∗∗∗
---------------------------------------------
The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.
---------------------------------------------
https://thehackernews.com/2023/05/notorious-cyber-gang-fin7-returns-cl0p.ht…
∗∗∗ IcedID Macro Ends in Nokoyawa Ransomware ∗∗∗
---------------------------------------------
In this case we document an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
---------------------------------------------
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomwa…
∗∗∗ Microsoft: BEC Scammers Use Residential IPs to Evade Detection ∗∗∗
---------------------------------------------
BEC scammers use residential IP addresses in attacks to make them seem locally generated and evade detection.
---------------------------------------------
https://www.securityweek.com/microsoft-bec-scammers-use-residential-ips-to-…
∗∗∗ Webinar: Wie schütze ich mich vor Love Scams? ∗∗∗
---------------------------------------------
Sie täuschen die große Liebe vor und bringen ihr Gegenüber damit um hohe Geldsummen: Beim Love-Scamming erschleichen sich Betrüger:innen auf Online-Partnerbörsen und in Sozialen Netzwerken das Vertrauen ihrer Opfer, um an deren Geld zu kommen. Nehmen Sie kostenlos teil: Dienstag 30. Mai 2023, 18:30 - 20:00 Uhr via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-lo…
∗∗∗ Gratis-Testangebot einer Lichttherapie nur ein Verkaufsgespräch ∗∗∗
---------------------------------------------
Um Kund:innen zu gewinnen, verspricht Lumina Vital Ihnen Gratis-Anwendungen. Telefonisch wird auf einen Besuch bei Ihnen zu Hause gedrängt. Auch wenn Sie keinem Datum zusagen, bekommen Sie einen Brief mit einem fixierten Termin zugeschickt. Lassen Sie sich nicht unter Druck setzen, wenn Sie nichts kaufen möchten!
---------------------------------------------
https://www.watchlist-internet.at/news/gratis-testangebot-einer-lichttherap…
∗∗∗ Threat Hunting mit PowerShell – Sicherheit auch mit kleinem Budget ∗∗∗
---------------------------------------------
[English]IT-Sicherheit sollte keine Frage des Geldes sein – das sind oft vorgeschobene Ausreden. MVP Tom Wechsler hat sich einige Gedanken um das Thema gemacht und zeigt, wie man sogar mit der PowerShell und wenigen Zeilen Code nach Problemen in der … Weiterlesen →
---------------------------------------------
https://www.borncity.com/blog/2023/05/22/threat-hunting-mit-powershell-sich…
∗∗∗ Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware.
---------------------------------------------
https://asec.ahnlab.com/en/52920/
∗∗∗ Cloud-Based Malware Delivery: The Evolution of GuLoader ∗∗∗
---------------------------------------------
Antivirus products are constantly evolving to become more sophisticated and better equipped to handle complex threats. As a result, malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
---------------------------------------------
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolu…
=====================
= Vulnerabilities =
=====================
∗∗∗ CUPS: Sicherheitslücke in Drucksystem ermöglicht Schadcodeausführung ∗∗∗
---------------------------------------------
Im Drucksystem CUPS können Angreifer im Netz eine Sicherheitslücke missbrauchen, um beliebigen Code einzuschmuggeln und auszuführen.
---------------------------------------------
https://heise.de/-9061315
∗∗∗ Angreifer könnten Entwicklungsumgebungen mit Jenkins attackieren ∗∗∗
---------------------------------------------
Softwareentwickler aufgepasst: Es gibt wichtige Sicherheitsupdates für mehrere Jenkins-Plug-ins. Angreifer könnten auf Log-in-Daten zugreifen.
---------------------------------------------
https://heise.de/-9061545
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups-filters, imagemagick, libwebp, sqlite, and texlive-bin), Fedora (chromium and vim), Gentoo (librecad, mediawiki, modsecurity-crs, snakeyaml, and tinyproxy), Mageia (apache-mod_security, cmark, dmidecode, freetype2, glib2.0, libssh, patchelf, python-sqlparse, sniproxy, suricata, and webkit2), Oracle (apr-util and firefox), Red Hat (git), SUSE (containerd, openvswitch, python-Flask, runc, terraform-provider-aws, and terraform-provider-null), and Ubuntu (tar).
---------------------------------------------
https://lwn.net/Articles/932625/
∗∗∗ Tornado vulnerable to open redirect ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN45127776/
∗∗∗ WordPress 6.2.2 Security Release ∗∗∗
---------------------------------------------
https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
∗∗∗ F5: K000134681 : Spring Framework vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134681
∗∗∗ F5: K000134706 : Python IDNA vulnerability CVE-2022-45061 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134706
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/22/cisa-adds-three-known-ex…
∗∗∗ Vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995893
∗∗∗ Security vulnerability in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995895
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995887
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM Operational Decision Manager April 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997063
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.9ESR) have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997069
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Base(CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997075
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997083
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997097
∗∗∗ There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997107
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are affected by a vulnerability in the IBM SDK, Java Technology Edition [CVE-2023-30441] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997131
∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650695
∗∗∗ IBM b-type SAN Network\/Storage switches is affected by a denial of service vulnerability, caused by a CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650699
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 17-05-2023 18:00 − Freitag 19-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Attacken könnten bevorstehen: Kritische Root-Lücken bedrohen Cisco-Switches ∗∗∗
---------------------------------------------
Cisco hat unter anderem mehrere kritische Sicherheitslücken in verschiedenen Small-Business-Switches geschlossen. Aber nicht alle Modelle bekommen Updates.
---------------------------------------------
https://heise.de/-9059775
∗∗∗ Passwortmanager KeePass: Sicherheitsforscher liest Master-Passwort aus ∗∗∗
---------------------------------------------
Einem Sicherheitsforscher ist es gelungen, Master-Passwörter von KeePass auszulesen. Entsprechende Angriffe sind allerdings aufwendig.
---------------------------------------------
https://heise.de/-9059945
∗∗∗ Zero-Days und mehr: Ein Blick auf Apples jüngste Sicherheitspatches ∗∗∗
---------------------------------------------
iOS 16.5, macOS 13.4 und die anderen Updates patchen wie üblich auch Sicherheitsfehler. Auch bereits ausgenutzte Fehler sind dabei.
---------------------------------------------
https://heise.de/-9059799
∗∗∗ Malware infizierte fast 10 Millionen Android-Handys ∗∗∗
---------------------------------------------
Zahlreiche Smartphones wurden mit vorinstallierter, schädlicher Software ausgeliefert.
---------------------------------------------
https://futurezone.at/produkte/android-schadsoftware-infiziert-10-millionen…
∗∗∗ MalasLocker ransomware targets Zimbra servers, demands charity donation ∗∗∗
---------------------------------------------
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targe…
∗∗∗ Hackers target vulnerable Wordpress Elementor plugin after PoC released ∗∗∗
---------------------------------------------
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-wo…
∗∗∗ Playing for the Wrong Team: Dangerous Functionalities in Microsoft Teams Enable Phishing and Malware Delivery by Attackers ∗∗∗
---------------------------------------------
Microsoft is a major productivity partner for many organizations and enterprises. These organizations widely trust Microsoft Office’s suite of products as a reliable foundation for their daily cloud ecosystem needs. However, as Proofpoint has shown in the past, this migration to the cloud also introduces new kinds of threats.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/dangerous-functionalities…
∗∗∗ RATs found hiding in the npm attic ∗∗∗
---------------------------------------------
ReversingLabs researchers discovered two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
---------------------------------------------
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
∗∗∗ The Paillier Cryptosystem with Applications to Threshold ECDSA ∗∗∗
---------------------------------------------
You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it’s used in complex protocols, and how to implement it securely.
---------------------------------------------
https://research.nccgroup.com/2023/05/19/the-paillier-cryptosystem-with-app…
∗∗∗ All your building are belong to us ∗∗∗
---------------------------------------------
TL;DR: Building Management Systems (BMS) bring new risks to businesses that haven’t had previous experience of securing Operational Technology (OT). While there might not be direct financial gain from hacking BMS, these systems can be a soft target for attackers to pivot into your business operations. IoT offerings in this space can help manage risk within your networks, but can also provide unintended access to sensitive information.
---------------------------------------------
https://www.pentestpartners.com/security-blog/all-your-building-are-belong-…
∗∗∗ CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest, he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS to execute code on the underlying hypervisor.
---------------------------------------------
https://www.thezdi.com/blog/2023/5/17/cve-2023-2086920870-exploiting-vmware…
∗∗∗ VSCode Security: Malicious Extensions Detected- More Than 45,000 Downloads- PII Exposed, and Backdoors Enabled ∗∗∗
---------------------------------------------
Highlights: CloudGuard Spectral detected malicious extensions on the VSCode marketplace Users installing these extensions were enabling attackers to steal PII records and to set remote shell to their machines Once detected, we’ve alerted VSCode on these extensions. Soon after notification, they were removed by the VSCode marketplace team. VSCode (short for Visual Studio Code) is a popular and free source code editor developed by Microsoft.
---------------------------------------------
https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-…
∗∗∗ Visualizing QakBot Infrastructure ∗∗∗
---------------------------------------------
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
---------------------------------------------
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
=====================
= Vulnerabilities =
=====================
∗∗∗ File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015 ∗∗∗
---------------------------------------------
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox. This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability [...]
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-015
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
Trend Micro has released a new build for Trend Micro Apex Central that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293107?language=en_US
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex One ∗∗∗
---------------------------------------------
Trend Micro has released a new Critical Patch (CP) for Trend Micro Apex One and Trend Micro Apex One as a Service that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293108?language=en_US
∗∗∗ Cisco Security Advisories 2023-05-17 ∗∗∗
---------------------------------------------
Cisco has published 9 security advisories: (1x Critical, 8x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-138-04 Johnson Controls OpenBlue Enterprise Manager Data Collector * ICSA-23-138-03 Hitachi Energy’s MicroSCADA Pro/X SYS600 Products * ICSA-23-138-02 Mitsubishi Electric MELSEC WS Series * ICSA-23-138-01 Carlo Gavazzi Powersoft * ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics (Update B)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/18/cisa-releases-five-indus…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Fedora (clevis-pin-tpm2, greetd, keyring-ima-signer, libkrun, mirrorlist-server, nispor, nmstate, qt5-qtbase, rust-afterburn, rust-below, rust-bodhi-cli, rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Oracle (apr-util, curl, emacs, firefox, kernel, libreswan, mysql, nodejs and nodejs-nodemon, openssh, thunderbird, and webkit2gtk3), Red Hat (apr-util, emacs, firefox, git, jenkins and jenkins-2-plugins, kernel, kpatch-patch, and thunderbird), Scientific Linux (apr-util, firefox, and thunderbird), Slackware (curl), SUSE (cups-filters, curl, java-1_8_0-openjdk, kernel, mysql-connector-java, and ovmf), and Ubuntu (cups-filters, git, linux-gcp-4.15, linux-oracle, linux-raspi, node-minimatch, ruby2.3, ruby2.5, ruby2.7, and runc).
---------------------------------------------
https://lwn.net/Articles/932371/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cups-filters, kitty, mingw-LibRaw, nispor, rust-ybaas, and rust-yubibomb), Mageia (kernel-linus), Red Hat (jenkins and jenkins-2-plugins), SUSE (openvswitch and ucode-intel), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-oracle-5.15, linux-ibm, linux-oracle, and linux-oem-6.0).
---------------------------------------------
https://lwn.net/Articles/932464/
∗∗∗ Path Traversal in SymBox, SymOS (SYSS-2023-014) ∗∗∗
---------------------------------------------
Das Webinterface von SymBox, SymOS ermöglicht ein Path Traversal, wodurch Zugriff auf Systemdateien außerhalb des Web Root erlangt werden kann.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-symbox-symos-syss-2023-0…
∗∗∗ Spring Boot available now, fixing CVE-2023-20883 ∗∗∗
---------------------------------------------
https://spring.io/security/cve-2023-20883
∗∗∗ Mattermost security updates 7.10.1 / 7.9.4 / 7.8.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-1-7-9-4-7-8-5-…
∗∗∗ CPE2023-002 Vulnerabilities of IJ Network Tool regarding Wi-Fi connection setup – 18 May 2023 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 16-05-2023 18:00 − Mittwoch 17-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers use Azure Serial Console for stealthy access to VMs ∗∗∗
---------------------------------------------
A financially motivated cybergang tracked by Mandiant as UNC3944 is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-con…
∗∗∗ Phishing: Streit um Google-TLDs .zip und .mov ∗∗∗
---------------------------------------------
IT- und Sicherheitsexperten streiten sich um die Sinnhaftigkeit und Risiken neuer gTLD. Neu sind die Probleme allerdings nicht.
---------------------------------------------
https://www.golem.de/news/phishing-streit-um-google-tlds-zip-und-mov-2305-1…
∗∗∗ Minas – on the way to complexity ∗∗∗
---------------------------------------------
Kaspersky analysis of a complicated multi-stage attack dubbed Minas that features a number of detection evasion and persistence techniques and results in a cryptocurrency miner infection.
---------------------------------------------
https://securelist.com/minas-miner-on-the-way-to-complexity/109692/
∗∗∗ Wemo Wont Fix Smart Plug Vulnerability Allowing Remote Operation ∗∗∗
---------------------------------------------
IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firms blog post is full of interesting details about how this device works (and doesnt), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit -- a limit enforced solely by Wemos own apps -- with third-party tools.
---------------------------------------------
https://it.slashdot.org/story/23/05/17/141200/wemo-wont-fix-smart-plug-vuln…
∗∗∗ Respawning Malware Persists on PyPI ∗∗∗
---------------------------------------------
A bad actor on GitHub laces his repositories with malware written in Python and hosted on PyPI. Minutes after his malware is taken down from PyPI, the same malware respawns on PyPI under a slightly different name. He then immediately updates all of his repositories to point to this new package. Most of his GitHub projects are bots or some variety of a stealer.
---------------------------------------------
https://blog.phylum.io/respawning-malware-persists-on-pypi/
∗∗∗ Neue Scam-Website im Umlauf: finanavas.com ∗∗∗
---------------------------------------------
Investmentbetrüger versuchen mit einer neuen Website Leuten Geld aus der Tasche zu ziehen. Sie nutzen Telegram, um "Investoren" um den Finger zu wickeln.
---------------------------------------------
https://heise.de/-9058909
∗∗∗ Abo-Falle statt Informationen zu Telefonnummern auf reversera.com/de ∗∗∗
---------------------------------------------
In einer Zeit ständiger betrügerischer Anrufe und „Cold-Calls“ ist ein Service, der einem Informationen zu Telefonnummern und den Besitzer:innen liefert, äußerst nützlich. Reversera.com/de der АLРНАСLІС LТD bietet angeblich genau das an. Tatsächlich spielte man uns im Test bei erfundenen Nummern ein Ergebnis vor. Um dieses einsehen zu können, hätten wir 50 Cent per Kreditkarte bezahlen müssen, doch die Zahlung führt in eine Abo-Falle!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-statt-informationen-zu-tel…
∗∗∗ How to encrypt your email (and why you should) ∗∗∗
---------------------------------------------
If you send emails with sensitive or private info inside, you should consider email encryption. Heres what to know.
---------------------------------------------
https://www.zdnet.com/article/how-to-encrypt-your-email-and-why-you-should/
∗∗∗ WordPress 6.2.1 freigegeben ∗∗∗
---------------------------------------------
Die Entwickler haben zum 16. Mai 2023 WordPress Version 6.2.1 veröffentlicht. Es handelt sich um ein Wartungs- und Sicherheitsupdate, welches 30 Fehler behebt. Details lassen sich in den Veröffentlichungsmitteilungen nachlesen.
---------------------------------------------
https://www.borncity.com/blog/2023/05/16/wordpress-6-2-1-freigegeben/
∗∗∗ SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack ∗∗∗
---------------------------------------------
In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant’s investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote management software within client environments. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud.
---------------------------------------------
https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial
∗∗∗ CISA and Partners Release BianLian Ransomware Cybersecurity Advisory ∗∗∗
---------------------------------------------
CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory. To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Webbrowser: Kritische Sicherheitslücke in Google Chrome ∗∗∗
---------------------------------------------
Google hat ein Update für den Chrome-Webbrowser herausgegeben. Es schließt mindestens eine kritische Sicherheitslücke. Angreifer könnten Schadcode einschleusen.
---------------------------------------------
https://heise.de/-9057932
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (netatalk), Mageia (connman, firefox/nss/rootcerts, freeimage, golang, indent, kernel, python-django, python-pillow, and thunderbird), Red Hat (apr-util, firefox, java-1.8.0-ibm, libreswan, and thunderbird), SUSE (conmon, curl, java-11-openjdk, and libheif), and Ubuntu (libwebp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux, linux-aws, linux-aws-hwe, linux-kvm, linux, linux-aws, linux-azure, linux-azure-5.19, linux-kvm, linux-lowlatency, linux-raspi, node-eventsource, and openjdk-8, openjdk-lts, openjdk-17, openjdk-20).
---------------------------------------------
https://lwn.net/Articles/932130/
∗∗∗ Vulnerability Summary for the Week of May 8, 2023 ∗∗∗
---------------------------------------------
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb23-135
∗∗∗ Path Traversal in IP-Symcon (SYSS-2023-014) ∗∗∗
---------------------------------------------
Das Webinterface von IP-Symcon ermöglicht ein Path Traversal, wodurch Zugriff auf Systemdateien außerhalb des Web Root erlangt werden kann.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-ip-symcon-syss-2023-014
∗∗∗ Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-70…
∗∗∗ Stored XSS Schwachstelle in der Umbenennen Funktionalität von Wekan (Open-Source Kanban) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-schwachste…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 15-05-2023 18:00 − Dienstag 16-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ VirusTotal AI code analysis expands Windows, Linux script support ∗∗∗
---------------------------------------------
Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-ai-code-analysis-…
∗∗∗ Open-source Cobalt Strike port Geacon used in macOS attacks ∗∗∗
---------------------------------------------
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/open-source-cobalt-strike-po…
∗∗∗ Signals Defense With Faraday Bags & Flipper Zero, (Tue, May 16th) ∗∗∗
---------------------------------------------
There are situations where it is desired to block signals between devices. Commonly scenarios are when traveling, in a location of uncertain safety, or otherwise concerned with data privacy and geolocation. I was curious how well a faraday bags and similar products protected wireless communications.
---------------------------------------------
https://isc.sans.edu/diary/rss/29840
∗∗∗ Triple Threat: Breaking Teltonika Routers Three Ways ∗∗∗
---------------------------------------------
Comprehensive research was conducted on Teltonika Networks’ IIoT products, with a focus on industrial cellular devices widely used in various industries, specifically, the Teltonika Remote Management System, and RUT model routers.
---------------------------------------------
https://claroty.com/team82/research/triple-threat-breaking-teltonika-router…
∗∗∗ You’ve been kept in the dark (web): exposing Qilin’s RaaS program ∗∗∗
---------------------------------------------
All you need to know about Qilin ransomware and its operations targeting critical sectors.
---------------------------------------------
https://www.group-ib.com/blog/qilin-ransomware/
∗∗∗ Seitenkanalangriff auf Cortex-M: Zugriff auf sensible Informationen ∗∗∗
---------------------------------------------
Auf der Blackhat Asia haben IT-Forscher Seitenkanalangriffe auf ARM-Cortex-M-Mikroprozessoren vorgestellt. Sie ermöglichen Zugriff auf sensible Informationen.
---------------------------------------------
https://heise.de/-9057108
∗∗∗ It’s always DNS, here’s why… ∗∗∗
---------------------------------------------
There’s an old adage in network and Internet support: When something breaks in any network “it was DNS”. Sadly it’s usually true.
---------------------------------------------
https://www.pentestpartners.com/security-blog/its-always-dns-heres-why/
∗∗∗ Vorsicht vor Anrufen von „austriamegachance.com“ ∗∗∗
---------------------------------------------
Ihr Telefon klingelt. Austria Mega Chance meldet sich, eine Lotto-Tipp-Dienstleistung. Ihnen werden hohe Gewinnchancen beim Lotto versprochen und eine Dienstleistung für Gemeinschaftstipps angeboten. Die aufdringliche Person entlockt Ihnen Kontodaten. Einige Zeit später werden Ihnen dann monatlich, ohne schriftliche Infos oder einen Vertrag unterschieben zu haben, knapp 70 Euro von Ihrem Konto abgebucht. Wir zeigen Ihnen, was Sie tun können!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-von-austriamega…
∗∗∗ Microsoft SharePoint scannt Password-geschützte ZIP-Archive ∗∗∗
---------------------------------------------
Es sieht so aus, dass Microsoft in seinen Cloud-Speichern auch ZIP-Archive auf schädliche Inhalte (und ggf. weitere Inhalte) scannt – auch Archive, die vom Benutzer mit einem Kennwort vor der Einsichtnahme geschützt sind.
---------------------------------------------
https://www.borncity.com/blog/2023/05/16/microsoft-sharepoint-scannt-passwo…
∗∗∗ The Dragon Who Sold His Camaro: Analyzing Custom Router Implant ∗∗∗
---------------------------------------------
Through our investigation, we have gained a deeper comprehension of the ways in which attackers are employing malware to target edge devices, particularly routers. Our efforts have led us to uncover several of the tactics and tools utilized by Camaro Dragon in their attacks.
---------------------------------------------
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzi…
∗∗∗ 8220 Gang Evolves With New Strategies ∗∗∗
---------------------------------------------
We observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-stra…
∗∗∗ How to Write a PoC for an Uninitialized Smart Contract Vulnerability in BadgerDAO Using Foundry ∗∗∗
---------------------------------------------
In this post, we’re going to learn how Foundry can be used to write a proof of concept (PoC) for uninitialized smart contract vulnerabilities.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/how-to-write-a-poc-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Cloud Pak for Network Automation, IBM Control Desk, IBM Maximo, IBM Edge Application Manager, IBM Cloud Automation Manager, Tivoli Monitoring, IBM Business Monitor, IBM Business Automation Workflow Enterprise Service Bus, WebSphere Application Server, Tivoli Application Dependency Discovery Manager, IBM Operations Analytics - Predictive Insights, IBM Security Verify Information Queue.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-136-02 Rockwell ArmorStart
* ICSA-23-136-03 Rockwell Automation FactoryTalk Vantagepoint
* ICSA-23-136-01 Snap One OvrC Cloud
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-releases-three-indu…
∗∗∗ JavaScript-Sandbox vm2: PoC zeigt neuen Sandbox-Ausbruch ∗∗∗
---------------------------------------------
Eine kritische Lücke in der JavaScript-Sandbox vm2 können Angreifer zum Ausbruch missbrauchen. Aktualisierte Software steht bereit, die die Lücken schließt.
---------------------------------------------
https://heise.de/-9056842
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (epiphany-browser, python-ipaddress, and sqlparse), Fedora (python-django3 and qemu), Red Hat (apr-util, autotrace, bind, bind9.16, container-tools:4.0, container-tools:rhel8, ctags, curl, device-mapper-multipath, dhcp, edk2, emacs, freeradius:3.0, freerdp, frr, gcc-toolset-12-binutils, git, git-lfs, go-toolset:rhel8, grafana, grafana-pcp, gssntlmssp, Image Builder, kernel, kernel-rt, libarchive, libreswan, libtar, libtiff, mingw-expat, mysql:8.0, net-snmp, pcs, php:7.4, poppler, postgresql-jdbc, python-mako, python27:2.7, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, samba, sysstat, tigervnc, unbound, virt:rhel and virt-devel:rhel, wayland, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (dmidecode, postgresql13, prometheus-sap_host_exporter, python-cryptography, rekor, and thunderbird), and Ubuntu (firefox, matrix-synapse, and mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/932033/
∗∗∗ D-Link DIR-2150 DIR-2150 Firmware Release Notes v1.06 ∗∗∗
---------------------------------------------
https://support.dlink.com.au/Download/download.aspx?product=DIR-2150
∗∗∗ XSA-431 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-431.html
∗∗∗ Zahlreiche Schwachstellen in Serenity and StartSharp Software ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 12-05-2023 18:00 − Montag 15-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ The .zip gTLD: Risks and Opportunities, (Fri, May 12th) ∗∗∗
---------------------------------------------
About ten years ago, ICANN started the "gTLD" program. "Generic TLDs" allows various brands to register their own trademark as a TLD. Instead of "google.com", you now can have ".google"! Applying for a gTLD isn't cheap, and success isn't guaranteed. But since its inception, dozens of new gTLDs have been approved and started to be used [1]. The reputation of these new gTLDs has been somewhat mixed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29838
∗∗∗ XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany.
---------------------------------------------
https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html
∗∗∗ CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware ∗∗∗
---------------------------------------------
Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign thats designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware.
---------------------------------------------
https://thehackernews.com/2023/05/clr-sqlshell-malware-targets-ms-sql.html
∗∗∗ New MichaelKors Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems ∗∗∗
---------------------------------------------
A new ransomware-as-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023. The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2023/05/new-michaelkors-ransomware-as-service.html
∗∗∗ WordPress Field Builder Plugin Vulnerability Exploited in Attacks Two Days After Patch ∗∗∗
---------------------------------------------
PoC exploit targeting an XSS vulnerability in the Advanced Custom Fields WordPress plugin started being used in malicious attacks two days after patch.
---------------------------------------------
https://www.securityweek.com/wordpress-field-builder-plugin-vulnerability-e…
∗∗∗ Webinar: Smartphone, Tablet & Co. sicher nutzen ∗∗∗
---------------------------------------------
Wie kann ich meine persönlichen Daten am Smartphone, Tablet & Co. schützen? In diesem Webinar zeigen wir Ihnen die wichtigsten Sicherheitseinstellungen – von Berechtigungen über Datenschutz bis hin zu Nutzungszeiten. Nehmen Sie kostenlos teil: Dienstag 23. Mai 2023, 18:30 - 20:00 Uhr via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-…
∗∗∗ Mit diesen 3 Einstellungen schützen Sie Ihr Smartphone ∗∗∗
---------------------------------------------
Sie denken Ihr Smartphone ist mit einer Bildschirmsperre vor fremden Zugriffen gut geschützt? Falsch! Kriminelle finden Wege, um in gestohlene oder verlorene Smartphones einzudringen. Im schlimmsten Fall greifen sie auf Ihre Banking-App zu und räumen Ihr Konto ab. Wir zeigen Ihnen 3 wichtige Einstellungen, um Ihr Smartphone bei Verlust oder Diebstahl zu schützen.
---------------------------------------------
https://www.watchlist-internet.at/news/mit-diesen-3-einstellungen-schuetzen…
∗∗∗ Ransomware tracker: The latest figures [May 2023] ∗∗∗
---------------------------------------------
Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current Although ransomware attacks overall were down in April compared to the prior month, attacks against healthcare organizations shot up to one of its highest levels in years as hospitals and doctors offices increasingly find themselves targeted by hackers.
---------------------------------------------
https://therecord.media/ransomware-tracker-the-latest-figures
=====================
= Vulnerabilities =
=====================
∗∗∗ Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks ∗∗∗
---------------------------------------------
Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks. The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week. The 11 vulnerabilities allow "remote code execution and full control over hundreds of thousands of devices and OT networks - in some cases, even those not actively configured to use the cloud."
---------------------------------------------
https://thehackernews.com/2023/05/industrial-cellular-routers-at-risk-11.ht…
∗∗∗ Screen SFT DAB 600/C: Multiple Vulnerabilities ∗∗∗
---------------------------------------------
* Authentication Bypass Account Creation Exploit * Authentication Bypass Password Change Exploit * Authentication Bypass Erase Account Exploit * Authentication Bypass Admin Password Change Exploit * Authentication Bypass Reset Board Config Exploit * Unauthenticated Information Disclosure (userManager.cgx)
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Mobile Security (Enterprise) ∗∗∗
---------------------------------------------
CVE Identifier(s): CVE-2023-32521 through CVE-2023-32528 Trend Micro has released a new build for Trend Micro Mobile Security (Enterprise) that resolves several vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293106?language=en_US
∗∗∗ Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been identified in the Kiddoware Kids Place Parental Control Android App. Users of the parent's web dashboard can be attacked via cross site scripting or cross site request forgery vulnerabilities, or attackers may upload arbitrary files to the children's devices. Furthermore, children are able to bypass any restrictions without the parents noticing.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-websocket, kernel, postgresql-11, and thunderbird), Fedora (firefox, kernel, libreswan, libssh, tcpreplay, and thunderbird), SUSE (dcmtk, gradle, libraw, postgresql12, postgresql13, postgresql14, and postgresql15), and Ubuntu (firefox, nova, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/931892/
∗∗∗ VM2 Security Advisory: Inspect Manipulation ∗∗∗
---------------------------------------------
A threat actor can edit options for console.log.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v
∗∗∗ VM2 Security Advisory: Sandbox Escape ∗∗∗
---------------------------------------------
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
∗∗∗ WAGO: Unauthenticated command execution via Web-based-management ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-007/
∗∗∗ Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-008/
∗∗∗ MB Connect Line: Multiple vulnerabilities in mbConnect24 and mymbConnect24 ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-002/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 11-05-2023 18:00 − Freitag 12-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows: Windows-Sicherheitspatch kann Bootmedien unbrauchbar machen ∗∗∗
---------------------------------------------
Aktuell lässt sich Secure Boot in Windows durch eine Lücke umgehen. Bis die gefixt ist, wird es wohl noch bis 2024 dauern - aus Gründen.
---------------------------------------------
https://www.golem.de/news/windows-windows-sicherheitspatch-kann-bootmedien-…
∗∗∗ New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows ∗∗∗
---------------------------------------------
A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week. "BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.
---------------------------------------------
https://thehackernews.com/2023/05/new-variant-of-linux-backdoor-bpfdoor.html
∗∗∗ Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG ∗∗∗
---------------------------------------------
This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well and indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
∗∗∗ Mehrere Sicherheitslücken in VMwares Cloud-Management Aria Operations ∗∗∗
---------------------------------------------
Patches schließen mehrere Sicherheitslücken, die die Ausweitung von Rechten innerhalb von VMwares Cloud-Management Aria Operationse erlauben.
---------------------------------------------
https://heise.de/-9012909
∗∗∗ Verschlüsselungstrojaner: Es gibt Hoffnung für BlackCat-Opfer ∗∗∗
---------------------------------------------
Stimmen die Voraussetzungen, können Opfer des Verschlüsselungstrojaner BlackCat wieder auf ihre Daten zugreifen.
---------------------------------------------
https://heise.de/-9010373
∗∗∗ Shopsystem: Kritische Sicherheitslücke in Prestashop wird angegriffen ∗∗∗
---------------------------------------------
Eine kritische Sicherheitslücke klafft im Shopping-System Prestashop. Angreifer missbrauchen sie bereits. Ein aktueller Softwarestand schützt.
---------------------------------------------
https://heise.de/-9010286
∗∗∗ Cisco: SD-WAN-Zertifikate abgelaufen, jetzt updaten! ∗∗∗
---------------------------------------------
Cisco Systems weist seine Kundschaft darauf hin, dass einige SD-WAN Appliances der vEdge-Reihe dringende Updates benötigen.
---------------------------------------------
https://heise.de/-9014471
∗∗∗ Enforce Zero Trust in Microsoft 365 – Part 2: Protect against external users and applications ∗∗∗
---------------------------------------------
In the first blog post of this series, we have seen how strong authentication, i.e., Multi-Factor Authentication (MFA), could be enforced for users using a free Azure Active Directory subscription within the Microsoft 365 environment. In this blog post, we will continue to harden the configuration of our Azure AD tenant to enforce Zero Trust [...]
---------------------------------------------
https://blog.nviso.eu/2023/05/12/enforce-zero-trust-in-microsoft-365-part-2…
=====================
= Vulnerabilities =
=====================
∗∗∗ Severe Security Flaw Exposes Over a Million WordPress Sites to Hijack ∗∗∗
---------------------------------------------
The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active installations.
---------------------------------------------
https://thehackernews.com/2023/05/severe-security-flaw-exposes-over.html
∗∗∗ VMSA-2023-0009: VMware Aria Operations (formerly vRealize Operations) ∗∗∗
---------------------------------------------
CVSSv3 Range: 6.4-8.8 CVE(s): CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 VMware Aria Operations update addresses multiple Local Privilege Escalations and a Deserialization issue
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0009.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-13 and webkit2gtk), Fedora (git), SUSE (helm and skopeo), and Ubuntu (cinder, nova, python-glance-store, and python-os-brick).
---------------------------------------------
https://lwn.net/Articles/931760/
∗∗∗ Case update: DIVD-2022-00068 - Multiple vulnerabilities identified within White Rabbit Switch from CERN ∗∗∗
---------------------------------------------
Last event: 11 Apr 2023 - CERN released White Rabbit Switch 6.0.2, which contains a fix for CVE-2023-22577 and CVE-2023-22581.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00068/
∗∗∗ Beekeeper Studio vulnerable to code injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN11705010/
∗∗∗ [R1] Nessus Version 10.5.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-20
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989667
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989665
∗∗∗ Deserialization vulnerability affect IBM Business Automation Workflow BPM Event Emitters - CVE-2022-1471 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988027
∗∗∗ Multiple Vulnerabilities in Multicloud Management Security Services ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991215
∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to cross-site scripting (CVE-2022-0225) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991217
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991213
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 10-05-2023 18:00 − Donnerstag 11-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Interview: Hacker Witold Waligóra über Seitenkanalangriffe ∗∗∗
---------------------------------------------
Wir haben beim Hacker Witold Waligóra nachgehakt, was man mit Seitenkanalattacken erreichen kann und wie man sich dagegen schützt.
---------------------------------------------
https://heise.de/-8983428
∗∗∗ Smishing: Vorsicht vor betrügerischer Reisepass-SMS! ∗∗∗
---------------------------------------------
Haben Sie ein SMS bekommen, in dem behauptet wird Ihr Reisepass wäre fertig? Klicken Sie nicht auf den Link "oesterreich.at-anmelden.net", es handelt sich um einen Betrugsversuch!
---------------------------------------------
https://www.watchlist-internet.at/news/smishing-vorsicht-vor-betruegerische…
∗∗∗ Fake in-browser Windows updates push Aurora info-stealer malware ∗∗∗
---------------------------------------------
A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-in-browser-windows-upda…
∗∗∗ RapperBot DDoS malware adds cryptojacking as new revenue stream ∗∗∗
---------------------------------------------
New samples of the RapperBot botnet malware have added cryptojacking capabilites to mine for cryptocurrency on compromised Intel x64 machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rapperbot-ddos-malware-adds-…
∗∗∗ Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs ∗∗∗
---------------------------------------------
Two years ago, a popular ransomware-as-a-service groups source code got leaked. Now other ransomware groups are using it for their own purposes.
---------------------------------------------
https://www.darkreading.com/cloud/multiple-ransomware-groups-adapt-babuk-co…
∗∗∗ New ransomware trends in 2023 ∗∗∗
---------------------------------------------
On the eve of the global Anti-Ransomware Day, Kaspersky researchers share an overview of the key trends observed among ransomware groups.
---------------------------------------------
https://securelist.com/new-ransomware-trends-in-2023/109660/
∗∗∗ Analysis of CLR SqlShell Used to Attack MS-SQL Servers ∗∗∗
---------------------------------------------
This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
---------------------------------------------
https://asec.ahnlab.com/en/52479/
=====================
= Vulnerabilities =
=====================
∗∗∗ Experts share details of five flaws that can be chained to hack Netgear RAX30 Routers ∗∗∗
---------------------------------------------
Researchers disclosed the details of five vulnerabilities that can be chained to take over some Netgear router models.
---------------------------------------------
https://securityaffairs.com/146111/hacking/netgear-router-exploit-2.html
∗∗∗ Zyxel Chained Remote Code Execution ∗∗∗
---------------------------------------------
This module exploits multiple vulnerabilities in the `zhttpd` binary (/bin/zhttpd) and `zcmd` binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary that allows an unauthenticated attacker to read the entire configuration of the router [..]
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023050030
∗∗∗ Multiple vulnerabilities in Danfoss EM100 ∗∗∗
---------------------------------------------
Multiple injection-related vulnerabilities exist in a set of Danfoss products, among which the EM100. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised to phase out the EM100, as its vendor Danfoss confirms the EM100 to be End of Life and that it will not be releasing a patch for this product. [..] If this is not possible, ensure it is not connected to the public Internet.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2023-00021/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023) ∗∗∗
---------------------------------------------
Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/05/wordfence-intelligence-weekly-wordpr…
∗∗∗ CISA Releases Fifteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-131-01 Siemens Solid Edge
* ICSA-23-131-02 Siemens SCALANCE W1750D
* ICSA-23-131-03 Siemens Siveillance
* ICSA-23-131-04 Siemens SIMATIC Cloud Connect 7
* ICSA-23-131-05 Siemens SINEC NMS Third-Party
* ICSA-23-131-06 Siemens SCALANCE LPE9403
* ICSA-23-131-07 Sierra Wireless AirVantage
* ICSA-23-131-08 Teltonika Remote Management System and RUT Model Routers
* ICSA-23-131-09 Rockwell Automation Kinetix 5500 EtherNetIP Servo Drive
* ICSA-23-131-10 Rockwell Automation Arena Simulation Software
* ICSA-23-131-11 BirdDog Cameras & Encoders
* ICSA-23-131-12 SDG PnPSCADA
* ICSA-23-131-13 PTC Vuforia Studio
* ICSA-23-131-14 Rockwell PanelView 800
* ICSA-23-131-15 Rockwell ThinManager
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-releases-fifteen-in…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and nvidia-graphics-drivers-legacy-390xx), Fedora (firefox, java-11-openjdk, LibRaw, moodle, python-django3, and vtk), Slackware (mozilla), SUSE (buildah, cloud-init, container-suseconnect, firefox, golang-github-prometheus-prometheus, kernel, and ntp), and Ubuntu (heat, linux-azure-fde-5.15, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-raspi, linux-raspi-5.4, linux-raspi2, neutron, openvswitch, and sqlparse).
---------------------------------------------
https://lwn.net/Articles/931638/
∗∗∗ ThinkPad Dock Firmware Update Tool Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-EL…
∗∗∗ CVE-2023-0008 PAN-OS: Local File Disclosure Vulnerability in the PAN-OS Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0008
∗∗∗ CVE-2023-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0007
∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-43930, CVE-2014-3577, CVE-2022-43927, CVE-2022-43929) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989465
∗∗∗ IBM Content Manager Enterprise Edition is affected by a vulnerability in Eclipse Openj9 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6987029
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856659
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856661
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856663
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI - IBM\u00ae Java SDK CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989589
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989591
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989593
∗∗∗ Vega Vulnerabilities affect IBM Decision Optimization in IBM Cloud Pak for Data (CVE-2023-26486, CVE-2023-26487) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989625
∗∗∗ IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989451
∗∗∗ Multiple Security Vulnerabilities have been fixed in IBM Security Verify Access ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989653
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989657
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 09-05-2023 18:00 − Mittwoch 10-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patchday: Adobe schließt Schadcode-Lücke in Substance 3D Painter ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für Adobe Substance 3D Painter. Wer damit 3D-Modelle bearbeitet, sollte die Anwendung aktualisieren.
---------------------------------------------
https://heise.de/-8991973
∗∗∗ Microsoft Patchday: Angreifer verschaffen sich System-Rechte unter Windows ∗∗∗
---------------------------------------------
Microsoft schließt unter anderem in Windows mehrere kritische Schadcode-Lücken. Attacken laufen bereits, weitere könnten bevorstehen.
---------------------------------------------
https://heise.de/-8991967
∗∗∗ Kritische Schwachstellen ermöglichen Übernahme von Aruba Access Points ∗∗∗
---------------------------------------------
Die HPE-Tochter Aruba schließt mehrere, zum Teil kritische Sicherheitslücken in den Access Points. Angreifer aus dem Netz könnten Schadcode einschleusen.
---------------------------------------------
https://heise.de/-8992292
∗∗∗ Patchday: 18 Sicherheitsnotizen zu teils kritischen Lücken in SAP-Software ∗∗∗
---------------------------------------------
Am Mai-Patchday dichtet SAP zum Teil kritische Sicherheitslücken in der Software des Unternehmens ab. IT-Verantwortliche sollten die Updates zügig anwenden.
---------------------------------------------
https://heise.de/-8992005
∗∗∗ Root-Rechte für lokale Angreifer dank Lücken im Linux-Kernel ∗∗∗
---------------------------------------------
In zwei Komponenten des Linuxkernels verstecken sich Sicherheitslücken, die lokalen Angreifern eine Rootshell spendieren. Ein erster Exploit ist öffentlich.
---------------------------------------------
https://heise.de/-8992648
∗∗∗ Easily bypassed patch makes zero-click Outlook flaw exploitable again (CVE-2023-29324) ∗∗∗
---------------------------------------------
Among the vulnerabilities fixed by Microsoft on May 2023 Patch Tuesday is CVE-2023-29324, a bug in the Windows MSHTML platform that Microsoft rates as “important.” Akamai’s research team and Ben Barnea, the researcher who’s credited with finding the flaw, disagree with that assessment, because “the new vulnerability [CVE-2023-29324] re-enables the exploitation of a critical vulnerability [CVE-2023-23397] that was seen in the wild and used by APT operators.”
---------------------------------------------
https://www.helpnetsecurity.com/2023/05/10/cve-2023-29324/
∗∗∗ Vorsicht vor betrügerischem Tier-, Welpen- und Katzenhandel im Internet ∗∗∗
---------------------------------------------
Vermehrt werden der Watchlist Internet aktuell betrügerische Tierangebote aus dem Internet und auf Social Media wie Facebook gemeldet. Süße Bilder junger Kätzchen und Hunde auf Websites, die Vertrauen schaffen sollen, verleiten zu einer unüberlegten Bestellung und Vorabzahlung. Eine Lieferung erfolgt nie – egal wie vielen Zahlungsaufforderungen der kriminellen Züchter:innen nachgekommen wird!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischem-tier-we…
∗∗∗ Free Tool Unlocks Some Encrypted Data in Ransomware Attacks ∗∗∗
---------------------------------------------
"White Phoenix" automated tool for recovering data on partially encrypted files hit with ransomware is available on GitHub.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/free-tool-unlocks-some-encrypt…
∗∗∗ PwnAssistant - Controlling /homes via a Home Assistant RCE ∗∗∗
---------------------------------------------
[..] we decided to look into the very established and known open-source automation ecosystem known as Home Assistant. [..] So without further ado, come with us on this journey to understanding the Home Assistant architecture, enumerating the attack surface and trawling for pre-authentication vulnerabilities within the code base.
---------------------------------------------
https://www.elttam.com/blog/pwnassistant/
∗∗∗ Xjquery Wave of WordPress SocGholish Injections ∗∗∗
---------------------------------------------
By the end of March, 2023, we started noticing a new wave of SocGholish injections that used the intermediary xjquery[.]com domain. It appeared to be another evolution of the same malware. This time, however, attackers were using the same tricks in a different way.
---------------------------------------------
https://blog.sucuri.net/2023/05/xjquery-wave-of-wordpress-socgholish-inject…
∗∗∗ ESET APT Activity Report Q4 2022–Q1 2023 ∗∗∗
---------------------------------------------
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023
---------------------------------------------
https://www.welivesecurity.com/2023/05/09/eset-apt-activity-report-q42022-q…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (emacs), Fedora (chromium, community-mysql, and LibRaw), Red Hat (nodejs nodejs-nodemon, nodejs:18, and webkit2gtk3), Slackware (mozilla), SUSE (amazon-ssm-agent, conmon, distribution, docker-distribution, google-cloud-sap-agent, ignition, kernel, ntp, prometheus-ha_cluster_exporter, protobuf-c, python-cryptography, runc, and shim), and Ubuntu (ceph, freetype, and node-css-what).
---------------------------------------------
https://lwn.net/Articles/931488/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities ∗∗∗
---------------------------------------------
Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ Chipmaker Patch Tuesday: Intel, AMD Address Over 100 Vulnerabilities ∗∗∗
---------------------------------------------
Intel and AMD have informed their customers about a total of more than 100 vulnerabilities found in their products.
---------------------------------------------
https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-address-over…
∗∗∗ Hitachi Energy MSM ∗∗∗
---------------------------------------------
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Modular Switchgear Monitoring (MSM)
Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authentication Bypass by Capture-replay, Code Injection, Improper Restriction of Operations within the Bounds of a Memory Buffer, NULL Pointer Dereference, Insufficient Entropy
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-129-02
∗∗∗ Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system ∗∗∗
---------------------------------------------
TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-authentication-b…
∗∗∗ SLP Protocol Denial-of-Service Guidance ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500563-SLP-PROTOCOL-DENIAL-OF-…
∗∗∗ Multi-vendor BIOS Security Vulnerabilities (May 2023) ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500559-MULTI-VENDOR-BIOS-SECUR…
∗∗∗ ThinkPad Dock Driver Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-EL…
∗∗∗ [R1] Nessus Network Monitor Version 6.2.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-19
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 08-05-2023 18:00 − Dienstag 09-05-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ A new, stealthier type of Typosquatting attack spotted targeting NPM ∗∗∗
---------------------------------------------
Attackers have been using lowercase letters in package names on the Node Package Manager (NPM) registry for potential malicious package impersonation. This deceptive tactic presents a dangerous twist on a well-known attack method -- "Typosquatting."
---------------------------------------------
https://checkmarx.com/blog/a-new-stealthier-type-of-typosquatting-attack-sp…
∗∗∗ AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability ∗∗∗
---------------------------------------------
Owners of Ruckus access points (APs) have been warned that a DDoS botnet named AndoryuBot has been exploiting a recently patched vulnerability to hack devices. The vulnerability in question is tracked as CVE-2023-25717 and it was patched by Ruckus in February in many of its wireless APs.
---------------------------------------------
https://www.securityweek.com/andoryubot-ddos-botnet-exploiting-ruckus-ap-vu…
∗∗∗ Building Automation System Exploit Brings KNX Security Back in Spotlight ∗∗∗
---------------------------------------------
A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.
---------------------------------------------
https://www.securityweek.com/building-automation-system-exploit-brings-knx-…
∗∗∗ Buchen Sie Ihre Unterkunft nicht über booked.net oder hotel-mix.de ∗∗∗
---------------------------------------------
Sie suchen eine Unterkunft? Buchen Sie lieber nicht auf booked.net oder hotel-mix.de, denn die beiden Buchungsplattformen listen Unterkünfte, die keinen Vertrag mit der Plattform haben. In der gebuchten Unterkunft angekommen, kann es Ihnen passieren, dass die Betreiber:innen gar nichts von Ihrer Buchung wissen und Sie kurzfristig eine neue Schlafmöglichkeit suchen müssen.
---------------------------------------------
https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-ueb…
∗∗∗ New phishing-as-a-service tool “Greatness” already seen in the wild ∗∗∗
---------------------------------------------
A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
---------------------------------------------
https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability (CWE-79). An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin.
---------------------------------------------
https://jvn.jp/en/jp/JVN59341308/
∗∗∗ WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
* An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-27923, CVE-2023-28367
* An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-27925, CVE-2023-27926
---------------------------------------------
https://jvn.jp/en/jp/JVN95792402/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-11-openjdk-portable and rubygem-redcarpet), Red Hat (autotrace, bind, buildah, butane, conmon, containernetworking-plugins, curl, device-mapper-multipath, dhcp, edk2, emacs, fence-agents, freeradius, freerdp, frr, fwupd, gdk-pixbuf2, git, git-lfs, golang-github-cpuguy83-md2man, grafana, grafana-pcp, gstreamer1-plugins-good, Image Builder, jackson, kernel, kernel-rt, krb5, libarchive, libguestfs-winsupport, libreswan, libtiff, libtpms, lua, mysql, net-snmp, openssh, openssl, pcs, php:8.1, pki-core, podman, poppler, postgresql-jdbc, python-mako, qemu-kvm, samba, skopeo, sysstat, tigervnc, toolbox, unbound, webkit2gtk3, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (cfengine, cfengine-masterfiles, go1.19, go1.20, libfastjson, python-cryptography, and python-ujson), and Ubuntu (mysql-5.7).
---------------------------------------------
https://lwn.net/Articles/931384/
∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin ∗∗∗
---------------------------------------------
* CVE-2023-24488, Cross site scripting, CVSS 6.1
* CVE-2023-24487, Arbitrary file read, CVSS 6.3
---------------------------------------------
https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-…
∗∗∗ SSA-932528 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-932528.html
∗∗∗ SSA-892048 V1.0: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-892048.html
∗∗∗ SSA-789345 V1.0: Code Execution Vulnerabilities in Siveillance Video Event and Management Servers ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-789345.html
∗∗∗ SSA-555292 V1.0: Security Vulnerabilities Fixed in SIMATIC Cloud Connect 7 V2.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-555292.html
∗∗∗ SSA-516174 V1.0: Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-516174.html
∗∗∗ SSA-325383 V1.0: Multiple Vulnerabilities in SCALANCE LPE9403 before V2.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-325383.html
∗∗∗ F5: K000133759 : Python vulnerability CVE-2020-26116 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133759
∗∗∗ F5: K000134496 : Jettison vulnerability CVE-2022-45685 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134496
∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988953
∗∗∗ Tensorflow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988959
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986333
∗∗∗ TensorFlow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988979
∗∗∗ Ansi-html is vulnerable to CVE-2021-23424 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988981
∗∗∗ Node-forge is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988969
∗∗∗ Apache Log4j is vulnerable to CVE-2021-45105 and CVE-2021-45046 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988975
∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888295
∗∗∗ IBM Cloud Pak for Network Automation 2.4.6 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989099
∗∗∗ CVE-2023-24536, CVE-2023-24537 and CVE-2023-24534 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989115
∗∗∗ CVE-2023-24536, CVE-2023-24537, CVE-2023-24534 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989117
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989119
∗∗∗ WebSphere Application Server Liberty is vulnerable to CVE-2022-3509 and CVE-2022-3171 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989133
∗∗∗ IBM WebSphere Application Server Liberty and Open Liberty is vulnerable to CVE-2022-22475 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989131
∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to CVE-2022-22393 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989127
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989145
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 05-05-2023 18:00 − Montag 08-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Meet Akira — A new ransomware operation targeting the enterprise ∗∗∗
---------------------------------------------
The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-…
∗∗∗ Datenleck: Firmware- und Bootguard-Schlüssel von MSI veröffentlicht ∗∗∗
---------------------------------------------
Eine Ransomwaregruppe hat nach einem Hack etliche interne Daten von MSI veröffentlicht. Darunter auch private Schlüssel zum Signieren.
---------------------------------------------
https://www.golem.de/news/datenleck-firmware-und-bootguard-schluessel-von-m…
∗∗∗ New Cactus ransomware encrypts itself to evade antivirus ∗∗∗
---------------------------------------------
While the new threat actor adopted the usual tactics seen in ransomware attacks - file encryption and data theft - it added its own touch to avoid detection. [..] Researchers at Kroll corporate investigation and risk consulting firm believe that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encryp…
∗∗∗ Breaking down Reverse shell commands ∗∗∗
---------------------------------------------
In pentesting assessments and CTFs we always need reverse shells to execute commands on target machine once we have exploited a system and have a command injection at some point in our engagement. For that we have an awesome project: revshells.com or reverse-shell-generator where we have a ton of reverse shell payloads listed. This blog post tries to explain their working.
---------------------------------------------
https://adityatelange.in/blog/revshells/
∗∗∗ Quickly Finding Encoded Payloads in Office Documents ∗∗∗
---------------------------------------------
Malicious documents like this RevengeRAT ppam file found on MalwareBazaar contain VBA code that you can analyze with oledump.py. Some shortcuts can be used [..] But there is a quicker method: let zipdump.py produce JSON output that contains the decompressed content of each file, and then let base64dump.py consume this JSON output.
---------------------------------------------
https://isc.sans.edu/diary/rss/29818
∗∗∗ Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot ∗∗∗
---------------------------------------------
Dependabot is one of the most widely deployed tools to improve software supply chain security. But like all other software, it is not immune to security vulnerabilities. By using it, users take on the risk that any vulnerabilities in Dependabot itself may lead to the compromise of the very supply chain they are trying to secure. This article is about a vulnerability in Dependabot that allowed arbitrary user to gain access to a subset of GitHub repositories that have Dependabot enabled.
---------------------------------------------
https://giraffesecurity.dev/posts/dependabot-confusion/
∗∗∗ Microsoft-Webbrowser: Edge 113 schließt Sicherheitslücken ∗∗∗
---------------------------------------------
Microsoft hat den Webbrowser Edge in Version 113 veröffentlicht. Einige Funktionen haben die Entwickler darin verbessert sowie Schwachstellen abgedichtet.
---------------------------------------------
https://heise.de/-8990437
∗∗∗ Achtung! Diese Kosmetika sind gesundheitsschädigend! ∗∗∗
---------------------------------------------
Derzeit warnen die Agentur für Gesundheit und Ernährungssicherheit (AGES) und das Bundesamt für Verbrauchergesundheit (BAVG) vor kosmetischen Produkten, die verbotene und gesundheitsschädigende Duftstoffe enthalten. Die Produkte werden vor allem online verkauft. Wir zeigen Ihnen, von welchen Produkten Sie lieber die Finger lassen sollten.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-diese-kosmetika-sind-gesundh…
∗∗∗ Webinar: Sicher (ver)kaufen über Willhaben, Shpock & Co. ∗∗∗
---------------------------------------------
Was muss ich beachten, wenn ich auf Kleinanzeigenplattformen wie Willhaben, Shpock, Vinted & Co. etwas als Privatperson kaufen oder verkaufen möchte? Unser Rechtsexperte der Internet Ombudsstelle gibt Tipps für die sichere Abwicklung solcher Online-Geschäfte. Nehmen Sie kostenlos teil: Dienstag 16. Mai 2023, 18:30 - 20:00 Uhr via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicher-verkaufen-ueber-willh…
∗∗∗ PRFs, PRPs and other fantastic things ∗∗∗
---------------------------------------------
A few weeks ago I ran into a conversation on Twitter about the weaknesses of applied cryptography textbooks, and how they tend to spend way too much time lecturing people about Feistel networks and the boring details of AES. Some of the folks in this conversation suggested that instead of these things, we should be into more fundamental topics like “what is a pseudorandom function.”
---------------------------------------------
https://blog.cryptographyengineering.com/2023/05/08/prfs-prps-and-other-fan…
∗∗∗ WordPress plugin vulnerability puts two million websites at risk ∗∗∗
---------------------------------------------
Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.
---------------------------------------------
https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-we…
∗∗∗ Cisco SPA112 2-Port Telefonadapter unsicher, es bleibt nur noch entsorgen ∗∗∗
---------------------------------------------
Die US-Anbieter Cisco warnt in eine Meldung vor einer kritischen Schwachstelle in einem seiner Telefonadapter. Diese Schwachstelle ermöglicht einem Angreifer die Kontrolle über das Gerät zu übernehmen. Leider bleibt betroffenen Nutzern nur, diesen Telefonadapter zu entsorgen [...]
---------------------------------------------
https://www.borncity.com/blog/2023/05/06/cisco-spa112-2-port-telefonadapter…
=====================
= Vulnerabilities =
=====================
∗∗∗ ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000 ∗∗∗
---------------------------------------------
Vendor: ads-tec Industrial IT GmbH
Product name: IRF1000, IRF3000, IRF3000
CVE Numbers: CVE-2014-3669, CVE-2014-8142, CVE-2014-9425, CVE-2015-0231, CVE-2015-2348, CVE-2015-2787, CVE-2015-3414, CVE-2015-3415, CVE-2015-4602, CVE-2015-6835, CVE-2015-8876, CVE-2016-10161, CVE-2016-7124, CVE-2016-7411, CVE-2016-9138, CVE-2017-11142, CVE-2017-12933, CVE-2017-8923
CVSS Score: up to 9.8
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-009/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Mageia (avahi, git, imagemagick, libfastjson, libxml2, parcellite, and virtualbox), SUSE (containerd, dnsmasq, ffmpeg, git, indent, installation-images, java-17-openjdk, maven and recommended update for antlr3, minlog, sbt, xmvn, ncurses, netty, netty-tcnative, openssl-1_0_0, python-Django1, redis, shim, terraform-provider-helm, and zstd), and Ubuntu (erlang, mysql-5.7, mysql-8.0, ruby2.3, ruby2.5, ruby2.7, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/931259/
∗∗∗ 3 Schwachstellen in MS Azure API-Management entdeckt ∗∗∗
---------------------------------------------
Sicherheitsforscher des israelischen Sicherheitsanbieters Ermetic haben drei Schwachstellen in Microsofts Azure API-Management entdeckt. Zwei SSRF-Schwachstellen (Server-Side Request Forgery) und ein Problem beim uneingeschränkten Datei-Upload schaffen Risiken für die Microsoft Cloud-Umgebung. Die Schwachstellen können von böswilligen Akteuren missbraucht werden [...]
---------------------------------------------
https://www.borncity.com/blog/2023/05/06/3-schwachstellen-in-ms-azure-api-m…
∗∗∗ Multiple vulnerabilities in IBM Java SDK (January 2023) affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988347
∗∗∗ Security Vulnerabilities in IBM WebSphere Liberty and xml2js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988603
∗∗∗ Vulnerability in Jettison affects IBM Process Mining . CVE-2023-1436 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988673
∗∗∗ Vulnerabilities have been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24966, CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988885
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable dom4j-1.6.1.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988889
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988899
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988895
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988893
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xmlbeans-2.3.0.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988897
∗∗∗ Vulnerability in paramiko affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-24302] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988909
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 04-05-2023 18:00 − Freitag 05-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ What is XML-RPC? Security Risks & How to Disable ∗∗∗
---------------------------------------------
In this article, we will discuss what xmlrpc.php is, why disabling it can improve your website’s security, and how to determine if it’s currently active on your WordPress site.
---------------------------------------------
https://blog.sucuri.net/2023/05/what-is-xml-rpc-security-risks-how-to-disab…
∗∗∗ Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads ∗∗∗
---------------------------------------------
The list of the offending apps is as follows: - Beauty Camera Plus - Beauty Photo Camera - Beauty Slimming Photo Editor - Fingertip Graffiti - GIF Camera Editor - HD 4K Wallpaper - Impressionism Pro Camera - Microclip Video Editor - Night Mode Camera Pro - Photo Camera Editor - Photo Effect Editor
---------------------------------------------
https://thehackernews.com/2023/05/fleckpe-android-malware-sneaks-onto.html
∗∗∗ Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Compromised ∗∗∗
---------------------------------------------
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," [..]
---------------------------------------------
https://thehackernews.com/2023/05/packagist-repository-hacked-over-dozen.ht…
∗∗∗ An overview of the OSI model and its security threats ∗∗∗
---------------------------------------------
The OSI model is a representation of how communications between devices occur. The conceptual model makes it easier to understand how data is transmitted. In its complex process, threat actors have found ways to exploit and compromise systems. It is very important to identify the kind of attacks and vulnerabilities available on each layer and implement proper defense strategies to protect a network.
---------------------------------------------
https://www.tripwire.com/state-of-security/overview-osi-model-and-its-secur…
∗∗∗ „Login mit neuem Gerät“: Kriminelle versenden personalisierte E-Mail im Namen der BAWAG ∗∗∗
---------------------------------------------
Kriminelle versenden derzeit betrügerische Nachrichten im Namen der BAWAG. Die E-Mails sind personalisiert und daher besonders glaubwürdig. Sie werden zwar nicht mit Ihrem Namen, allerdings mit ihrer E-Mail-Adresse angesprochen. In der Nachricht behaupten die Kriminellen, dass mit einem neuen Gerät auf Ihr Konto zugegriffen wurde.
---------------------------------------------
https://www.watchlist-internet.at/news/login-mit-neuem-geraet-kriminelle-ve…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-547: (0Day) Linux Kernel IPv6 RPL Protocol Reachable Assertion Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-547/
∗∗∗ Sante DICOM Viewer Vulnerabilites ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-523/https://www.zerodayinitiative.com/advisories/ZDI-23-524/https://www.zerodayinitiative.com/advisories/ZDI-23-525/https://www.zerodayinitiative.com/advisories/ZDI-23-526/https://www.zerodayinitiative.com/advisories/ZDI-23-527/
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Synology-SA-23:04 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to inject SQL commands via a susceptible version of Synology VPN Plus Server. Affected Products: VPN Plus Server for SRM 1.3, VPN Plus Server for SRM 1.2
---------------------------------------------
https://www.synology.com/en-global/security/advisory/Synology_SA_23_04
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Elastic Storage System, IBM Spectrum Scale, IBM Maximo Application Suite, IBM Cognos Command Center, AIX, IBMid, IBM SAN Volume Controller, IBM CICS TX, IBM PowerVM Novalink, IBM Process Mining, IBM Cognos Analytics, IBM Planning Analytics.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, evolution, and odoo), Fedora (java-11-openjdk), Oracle (samba), Red Hat (libreswan and samba), Slackware (libssh), SUSE (amazon-ssm-agent, apache2-mod_auth_openidc, cmark, containerd, editorconfig-core-c, ffmpeg, go1.20, harfbuzz, helm, java-11-openjdk, java-1_8_0-ibm, liblouis, podman, and vim), and Ubuntu (linux-aws, linux-aws-hwe, linux-intel-iotg, and linux-oem-6.1).
---------------------------------------------
https://lwn.net/Articles/931050/
∗∗∗ K000134469 : MySQL vulnerability CVE-2023-21963 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134469
∗∗∗ Spring Cloud Data Flow 2.10.3 Released ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/05/05/spring-cloud-data-flow-2-10-3-released
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 03-05-2023 18:00 − Donnerstag 04-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Windows admins can now sign up for ‘known issue’ email alerts ∗∗∗
---------------------------------------------
Microsoft announced today that Windows admins can now choose to be emailed when new known issues are added to the Windows release health section of the Microsoft 365 admin center.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-admins-can-now-sign…
∗∗∗ Infostealer Embedded in a Word Document, (Thu, May 4th) ∗∗∗
---------------------------------------------
hen attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the “yellow ribbon” on top of the document. Yesterday I found a malicious document that implements another approach.
---------------------------------------------
https://isc.sans.edu/diary/rss/29810
∗∗∗ How to Analyze Java Malware – A Case Study of STRRAT ∗∗∗
---------------------------------------------
STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The JAR file was obfuscated using the Allatori obfuscator. It establishes persistence on the host by copying to the Startup folder and creating a scheduled task and a Run registry entry. The functionalities of the implemented commands include: reboot the machine, uninstall the malware and delete all its traces, download and execute files [..]
---------------------------------------------
https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-…
=====================
= Vulnerabilities =
=====================
∗∗∗ S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014 ∗∗∗
---------------------------------------------
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-014
∗∗∗ Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Patchday Fortinet: Angreifer könnten eigene Befehle ausführen ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für verschiedene Produkte von Fortinet. Keine Lücke gilt als kritisch.
---------------------------------------------
https://heise.de/-8986618
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python-sentry-sdk) and Ubuntu (python-django and ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/930903/
∗∗∗ Malicious IKEv1 packet by unauthenticated peer can cause libreswan to restart ∗∗∗
---------------------------------------------
The Libreswan Project was notified by github user "XU-huai" of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.
---------------------------------------------
https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
∗∗∗ Apple: Beats Firmware Update 5B66 ∗∗∗
---------------------------------------------
http://support.apple.com/kb/HT213752
∗∗∗ Apple: AirPods Firmware Update 5E133 ∗∗∗
---------------------------------------------
http://support.apple.com/kb/HT213752
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression security vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988109
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) cfx-core security vulnerabilities CVE-2022-46363, CVE-2022-46364 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988115
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) woodstox\/XStream security vulnerability CVE-2022-40152 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988117
∗∗∗ IBM InfoSphere Information Server is affected but not classified as vulnerable to a denial of service vulnerability in NumPy (CVE-2021-34141) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988125
∗∗∗ A vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988293
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988295
∗∗∗ IBM Virtualization Engine TS7700 is vulnerable to a privilege escalation threat (CVE-2023-24958) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980845
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression\/spring-core security vulnerability [CVE-2023-20863] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988341
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988351
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 02-05-2023 18:00 − Mittwoch 03-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Firmware-TPM: faulTPM knackt AMD-CPUs nach drei Stunden lokalem Zugriff ∗∗∗
---------------------------------------------
TPMs sollen Geheimnisse wie kryptographische Schlüssel schützen. IT-Forscher haben jetzt mit "faulTPM" unbefugten Zugriff auf AMDs Firmware-TPM erlangt.
---------------------------------------------
https://heise.de/-8985704
∗∗∗ OpenCore: Apples erste Sicherheitsmaßnahme macht gepatchten Macs Probleme ∗∗∗
---------------------------------------------
Mit OpenCore auf macOS Ventura aktualisierte Macs starten nach der Installation von Apples jüngstem Update unter Umständen nicht mehr. Es gibt einen Workaround.
---------------------------------------------
https://heise.de/-8986252
∗∗∗ Exploitation of BGP Implementation Vulnerabilities Can Lead to Disruptions ∗∗∗
---------------------------------------------
Open source BGP implementation FRRouting is affected by three vulnerabilities that can be exploited to cause disruption via DoS attacks.
---------------------------------------------
https://www.securityweek.com/exploitation-of-bgp-implementation-vulnerabili…
∗∗∗ Betrügerische Werbung auf Microsoft Edge Startseite! ∗∗∗
---------------------------------------------
Wer Microsoft Windows nützt, bekommt automatisch auch den Edge Browser fürs Surfen im Internet mitgeliefert. Die Startseite bietet neben der Suche per Bing auch eine Auflistung zahlreicher Newsartikel, unter die sich auch Werbeanzeigen mischen. Ein genauer Blick auf die Werbungen zeigt: Fast alle Werbeschaltungen führen zu Trading-Betrug oder anderen dubiosen Seiten. Vorsicht!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-werbung-auf-microsoft…
∗∗∗ CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows DHCPv6 Service. This bug was originally discovered by YanZiShuang@BigCJTeam of cyberkl. The vulnerability results from the improper processing of DHCPv6 Relay-forward messages. A network-adjacent attacker can leverage this vulnerability to execute code [...]
---------------------------------------------
https://www.thezdi.com/blog/2023/5/1/cve-2023-28231-rce-in-the-microsoft-wi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome 113: Sicherheitsupdate für den Webbrowser ∗∗∗
---------------------------------------------
Die Entwickler haben in Google Chrome 113 insgesamt 15 Schwachstellen ausgebessert. Für die Zukunft kündigen sie an, dass das Schlosssymbol ausgetauscht wird.
---------------------------------------------
https://heise.de/-8985368
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (avahi, kernel, linux-5.10, nodejs, webkit2gtk, and wpewebkit), Gentoo (chromium, google-chrome, microsoft-edge, dbus, dbus-broker, dhcp, firefox, firejail-lts, libapreq2, libsdl, libsdl2, lua, proftpd, python, PyPy3, sudo, syslog-ng, systemd, tor, uptimed, vim, and xfce4-settings), Oracle (emacs and libwebp), Red Hat (libwebp), Scientific Linux (libwebp), and SUSE (ceph, ffmpeg-4, git, pdns-recursor, and shim).
---------------------------------------------
https://lwn.net/Articles/930775/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000132719 : BIG-IQ iControl REST vulnerability CVE-2023-29240 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132719
∗∗∗ K000133417 : NGINX Management Suite vulnerability CVE-2023-28656 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133417
∗∗∗ K000132522 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-22372 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132522
∗∗∗ K000133132 : BIG-IP TMM SSL vulnerability CVE-2023-24594 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133132
∗∗∗ K000132768 : BIG-IP Configuration utility vulnerability CVE-2023-28406 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132768
∗∗∗ K000132972 : BIG-IP iQuery mesh vulnerability CVE-2023-28742 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132972
∗∗∗ K000132726 : BIG-IP Configuration utility XSS vulnerability CVE-2023-27378 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132726
∗∗∗ K000133233 : NGINX Management Suite vulnerability CVE-2023-28724 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133233
∗∗∗ K000132539 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-24461 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132539
∗∗∗ K20145107 : BIG-IP UDP profile vulnerability CVE-2023-29163 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K20145107?
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 28-04-2023 18:00 − Dienstag 02-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers target vulnerable Veeam backup servers exposed online ∗∗∗
---------------------------------------------
Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-ve…
∗∗∗ New LOBSHOT malware gives hackers hidden VNC access to Windows devices ∗∗∗
---------------------------------------------
A new malware known as LOBSHOT distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-ha…
∗∗∗ Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.
---------------------------------------------
https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html
∗∗∗ trawler: Dredging Windows for Persistence ∗∗∗
---------------------------------------------
Trawler is a PowerShell script designed to help Incident Responders discover potential indicators of compromise on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more.
---------------------------------------------
https://github.com/joeavanzato/Trawler
∗∗∗ Angriffe auf Lücken in TP-Link Archer, Apache Log4j2 und Oracle Weblogic ∗∗∗
---------------------------------------------
Angreifer nutzen Sicherheitslücken in TP-Link Archer, Apache Log4j2 und Oracle Weblogic aus, um Zugriff auf Netzwerke von Opfern zu erlangen.
---------------------------------------------
https://heise.de/-8984237
∗∗∗ Medizin-Geräte: Warnung vor kritischer Sicherheitslücke in Illumina-Software ∗∗∗
---------------------------------------------
Die US-IT-Sicherheitsbehörde CISA warnt vor kritischen Sicherheitslücken in den medizinischen Geräten von Illumina. Angreifer könnten die Kontrolle übernehmen.
---------------------------------------------
https://heise.de/-8983960
∗∗∗ Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes ∗∗∗
---------------------------------------------
Fortinet warns of a massive spike in malicious attacks targeting a five-year-old authentication bypass vulnerability in TBK DVR devices.
---------------------------------------------
https://www.securityweek.com/exploitation-of-5-year-old-tbk-dvr-vulnerabili…
∗∗∗ Critical Infrastructure Organizations Urged to Identify Risky Communications Equipment ∗∗∗
---------------------------------------------
CISA urges organizations to review FCC’s Covered List of risky communications equipment and incorporate it in their supply chain risk management efforts.
---------------------------------------------
https://www.securityweek.com/critical-infrastructure-organizations-urged-to…
∗∗∗ Webinar: Recherchetools im Internet richtig nutzen ∗∗∗
---------------------------------------------
Wie kann ich Google, aber auch andere Suchmaschinen richtig nutzen? Welche Recherchetools und Suchmethoden gibt es noch? In diesem Webinar zeigen wir Ihnen, wie eine gute und effiziente Onlinerecherche aussehen kann. Nehmen Sie kostenlos teil: Dienstag 09. Mai 2023, 18:30 - 20:00 Uhr via zoom.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-recherchetools-im-internet-r…
∗∗∗ Online-Shopping: Bezahlen Sie nicht mit der PayPal-Funktion „Geld an einen Freund senden“ ∗∗∗
---------------------------------------------
Neuerdings missbrauchen Fake-Shops die PayPal-Funktion „Geld an Freunde und Familie senden“. Die Kriminellen hinter den Fake-Shops erstellen PayPal.Me-Zahlungslinks. Durch kleine Anpassungen der Kriminellen ist der Kaufbetrag dort hinterlegt und die Zahlungsart „Geld an einen Freund senden“ voreingestellt. Wenn Sie mit dieser Zahlungsart bezahlen, entfällt der Käuferschutz. Ihr Geld ist dann weg und kann nicht zurückgeholt werden.
---------------------------------------------
https://www.watchlist-internet.at/news/online-shopping-bezahlen-sie-nicht-m…
∗∗∗ Apple veröffentlicht „schnelle Sicherheitsmaßnahme“ für iOS, iPadOS und macOS ∗∗∗
---------------------------------------------
Die neue Updatemethode verkürzt den Installationsvorgang deutlich. Apple will mit schnellen Sicherheitsmaßnahmen künftig beispielsweise Bedrohungen wie Zero-Day-Lücken schneller beseitigen.
---------------------------------------------
https://www.zdnet.de/88408872/apple-veroeffentlicht-schnelle-sicherheitsmas…
∗∗∗ Enforce Zero Trust in Microsoft 365 – Part 1: Setting the basics ∗∗∗
---------------------------------------------
This first blog post is part of a series of blog posts related to the implementation of Zero Trust approach in Microsoft 365. This series will first cover the basics and then deep dive into the different features such as Azure Active Directory (Azure AD) Conditional Access policies, Microsoft Defender for Cloud Apps policies, Information Protection and Microsoft Endpoint Manager, to only cite a few.
---------------------------------------------
https://blog.nviso.eu/2023/05/02/enforce-zero-trust-in-microsoft-365-part-1…
∗∗∗ CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers.
---------------------------------------------
https://asec.ahnlab.com/en/51908/
∗∗∗ A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors ∗∗∗
---------------------------------------------
Two pillars in sleight of hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, the trick needs to be concealed behind something ordinary and nonthreatening. Mandiant became aware of a chain of adversary methodologies that leverage these two pillars to achieve persistence.
---------------------------------------------
https://www.mandiant.com/resources/blog/lnk-between-browsers
=====================
= Vulnerabilities =
=====================
∗∗∗ Wireshark 4.0.5 Released, (Sat, Apr 29th) ∗∗∗
---------------------------------------------
Wireshark version 4.0.5 was released with 11 bugs and 3 vulnerabilities fixed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29790
∗∗∗ Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking ∗∗∗
---------------------------------------------
This article discusses a vulnerability with Azure DevOps that can be exploited by users able to run pipelines with user-controlled variables. The vulnerability allows malicious users with access to edit runtime parameter values to inject shell commands that execute on the pipeline runner. This can compromise the runner and allow access to sensitive information such as secrets used for deployments and Azure service principal credentials.
---------------------------------------------
https://pulsesecurity.co.nz/advisories/Azure-Devops-Command-Injection
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (distro-info-data, ffmpeg, jackson-databind, jruby, libapache2-mod-auth-openidc, libxml2, openvswitch, sniproxy, and wireshark), Fedora (git, libsignal-protocol-c, php-nyholm-psr7, python-setuptools, rust-askama, rust-askama_shared, rust-comrak, thunderbird, and webkitgtk), SUSE (git, glib2, shadow, thunderbird, and webkit2gtk3), and Ubuntu (Apache Commons Net, git, linux-azure-5.15, linux-azure-fde, linux-kvm, linux-ibm-5.4, linux-snapdragon, netty, and ZenLib).
---------------------------------------------
https://lwn.net/Articles/930588/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), Fedora (chromium), Red Hat (emacs and libwebp), Slackware (netatalk), and Ubuntu (php7.0).
---------------------------------------------
https://lwn.net/Articles/930649/
∗∗∗ IBM Security Bulletins 2023-04-28 - 2023-05-02 ∗∗∗
---------------------------------------------
IBM Engineering Test Management, IBM Spectrum Scale, IBM DataPower Gateway, IBM i, Rational ClearQuest, IBM Business Automation Workflow, IBM Business Automation Workflow Enterprise Service Bus, IBM Case Manager, BladeCenter, PureFlex System and Flex System, System x, IBM Maximo, IBM Control Desk, Db2 for Linux, UNIX and Windows, IBM Robotic Process Automation, Tivoli Business Service Manager, Content Manager Client, IBM Sterling Secure Proxy, IBM App Connect Enterprise, IBM Security Key Lifecycle Manager, IBM MQ, IBM MQ Appliance, Tivoli Application Dependency Discovery Manager, IBM Cloud Pak, IBM InfoSphere Information, WebSphere Remote Server, IBM Workload Scheduler.
---------------------------------------------
∗∗∗ ZDI-23-503: (Pwn2Own) NETGEAR RAX30 logCtrl Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-503/
∗∗∗ ZDI-23-502: (Pwn2Own) NETGEAR RAX30 SOAP Request SQL Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-502/
∗∗∗ ZDI-23-501: (Pwn2Own) NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-501/
∗∗∗ ZDI-23-496: NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-496/
∗∗∗ ZDI-23-495: NETGEAR RAX30 rex_cgi JSON Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-495/
∗∗∗ Android-Sicherheitsbulletin – Mai 2023 ∗∗∗
---------------------------------------------
https://source.android.com/docs/security/bulletin/2023-05-01?hl=de
∗∗∗ F5: K000133706 : OpenSSL vulnerability CVE-2023-0464 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133706
∗∗∗ F5: K000133615 : device-mapper-multipath vulnerability CVE-2022-41974 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133615
∗∗∗ F5: K000133753 : PHP vulnerability CVE-2023-0662 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133753
∗∗∗ Securing Databricks cluster init scripts ∗∗∗
---------------------------------------------
https://sec-consult.com/blog/detail/securing-databricks-cluster-init-script…
∗∗∗ Vulnerabilities in the Autodesk® 3ds Max® USD plugin ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0008
∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-122-01
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NBG6604 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for multiple vulnerabilities in NBG-418N v2 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 27-04-2023 18:00 − Freitag 28-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CISA warns of critical bugs in Illumina DNA sequencing systems ∗∗∗
---------------------------------------------
The U.S. Cybersecurity Infrastructure Security Agency (CISA) and the FDA have issued an urgent alert about two vulnerabilities that impact Illuminas Universal Copy Service (UCS), used for DNA sequencing in medical facilities and labs worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-bugs-…
∗∗∗ Quick IOC Scan With Docker, (Fri, Apr 28th) ∗∗∗
---------------------------------------------
When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content.
---------------------------------------------
https://isc.sans.edu/diary/rss/29788
∗∗∗ WordPress Vulnerability & Patch Roundup April 2023 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/04/wordpress-vulnerability-patch-roundup-april…
∗∗∗ Attention Online Shoppers: Dont Be Fooled by Their Sleek, Modern Looks — Its Magecart! ∗∗∗
---------------------------------------------
An ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
---------------------------------------------
https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html
∗∗∗ New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets ∗∗∗
---------------------------------------------
Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victims machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and [...]
---------------------------------------------
https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.h…
∗∗∗ Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707) ∗∗∗
---------------------------------------------
While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI.
---------------------------------------------
https://starlabs.sg/blog/2023/04-microsoft-exchange-powershell-remoting-des…
∗∗∗ Many Public Salesforce Sites are Leaking Private Data ∗∗∗
---------------------------------------------
A shocking number of organizations -- including banks and healthcare providers -- are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.
---------------------------------------------
https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leakin…
∗∗∗ Rapture, a Ransomware Family With Similarities to Paradise ∗∗∗
---------------------------------------------
In March and April 2023, we observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. Our findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Grafana: Update schließt hochriskante Schwachstelle im Datenvisualisierungs-Tool ∗∗∗
---------------------------------------------
Grafana hat Updates für zahlreiche Versionszweige veröffentlicht. Sie schließen unter anderem eine Denial-of-Service-Lücke, die als hochriskant gilt.
---------------------------------------------
https://heise.de/-8981605
∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗
---------------------------------------------
LTS-108 is being updated in the LTS channel to 108.0.5359.230 (Platform Version: 15183.93.0) for most ChromeOS devices. [...] This update contains multiple Security fixes [...]
---------------------------------------------
https://chromereleases.googleblog.com/2023/04/long-term-support-channel-upd…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (git, libpcap, php-laminas-diactoros2, php-nyholm-psr7, tcpdump, and xen), Oracle (cloud-init), Scientific Linux (kernel), SUSE (conmon, docker, glib2, glibc, libmicrohttpd, libX11, liferea, python3, qemu, rubygem-actionview-5_1, s390-tools, stellarium, vim, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 and openssl-ibmca).
---------------------------------------------
https://lwn.net/Articles/930462/
∗∗∗ Use of Telnet in the interface module SLC-0-GPNT00300 ∗∗∗
---------------------------------------------
BOSCH-SA-387640: The SLC-0-GPNT00300 from Bosch Rexroth contains technology from SICK AG. The manufacturer has published a security bulletin [1] regarding the availability of a Telnet interface for debugging.The SLC-0-GPNT00300 provides a Telnet interface for debugging, which is enabled by factory default. No password is set in the default configuration. If the password is not set by the customer, a remote unauthorized adversary could connect via Telnet.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-387640.html
∗∗∗ SonicOS SSLVPN: Schwachstelle CVE-2023-1101 bei MFA – neue Firmware für Gen6-Firewalls (6.5.4.12-101n) ∗∗∗
---------------------------------------------
Kleine Erinnerung für Administratoren, die Produkte von Sonic Wall verwenden. In SonicOS SSLVPN gibt es eine kritische Schwachstelle, die einem authentifizierten Angreifer ermöglicht, exzessive MFA-Codes zu verwenden. Die Schwachstelle CVE-2023-1101 hat von SonicWall [...]
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/sonicos-sslvpn-schwachstelle-cve-2…
∗∗∗ Illumina Universal Copy Service ∗∗∗
---------------------------------------------
[...] Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; [...]
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 26-04-2023 18:00 − Donnerstag 27-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Google disrupts the CryptBot info-stealing malware operation ∗∗∗
---------------------------------------------
Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot…
∗∗∗ Cisco discloses XSS zero-day flaw in server management tool ∗∗∗
---------------------------------------------
Cisco disclosed today a zero-day vulnerability in the companys Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day…
∗∗∗ LimeRAT Malware Analysis: Extracting the Config ∗∗∗
---------------------------------------------
ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis.
---------------------------------------------
https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html
∗∗∗ Healthy security habits to fight credential breaches: Cyberattack Series ∗∗∗
---------------------------------------------
This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we’ll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/04/26/healthy-security-h…
∗∗∗ Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware ∗∗∗
---------------------------------------------
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp.
---------------------------------------------
https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html
∗∗∗ RTM Lockers First Linux Ransomware Strain Targeting NAS and ESXi Hosts ∗∗∗
---------------------------------------------
The threat actors behind RTM Locker have developed a ransomware strain thats capable of targeting Linux machines, marking the groups first foray into the open source operating system.
---------------------------------------------
https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html
∗∗∗ LUKS: Alte verschlüsselte Container unsicher? Ein Ratgeber für Updates ∗∗∗
---------------------------------------------
Angeblich konnte die französische Polizei einen LUKS-Container knacken. Kein Grund zur Panik, aber ein Anlass, Passwörter und LUKS-Parameter zu hinterfragen.
---------------------------------------------
https://heise.de/-8981054
∗∗∗ State of DNS Rebinding in 2023 ∗∗∗
---------------------------------------------
This update documents the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two potential ways to bypass these restrictions.
---------------------------------------------
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
∗∗∗ Bringing IT & OT Security Together: Part 1 ∗∗∗
---------------------------------------------
Learn about the evolution of converged IT/OT environments and the impact on security control validation in this new blog series.
---------------------------------------------
https://www.safebreach.com/resources/blog/bringing-it-and-ot-security-toget…
=====================
= Vulnerabilities =
=====================
∗∗∗ Onlineshop-System PrestaShop: Angreifer könnten Datenbank manipulieren ∗∗∗
---------------------------------------------
Eine kritische Sicherheitslücke bedroht mit PrestaShop erstellte Onlineshops. Abgesicherte Versionen sind verfügbar.
---------------------------------------------
https://heise.de/-8980645
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/930367/
∗∗∗ Apache Superset: Schwachstelle CVE-2023-27524 ermöglicht Remote Code Execution (RCE) ∗∗∗
---------------------------------------------
Kurzer Hinweis für Nutzer, die Apache Superset in ihrem Umfeld einsetzen. Es gibt in der Standardkonfiguration das Problem, dass die Software per Remote Code Execution-Schwachstelle angegriffen werden kann. Das wird zum Problem, wenn der Server per Internet erreichbar ist.
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/apache-superset-schwachstelle-cve-…
∗∗∗ F5: K000133673 : Bootstrap vulnerability CVE-2016-10735 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133673
∗∗∗ F5: K000133652 : Python vulnerability CVE-2018-18074 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133652
∗∗∗ F5: K000133448 : Python urllib3 vulnerability CVE-2019-11324 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133448
∗∗∗ F5: K000133668 : Python urllib3 vulnerability CVE-2018-20060 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133668
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986343
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986341
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986361
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986365
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities in Node,js (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985675
∗∗∗ IBM Integration Designer is vulnerable to a denial of service due to commons-fileupload-1.4.jar (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986509
∗∗∗ Vulnerability in libXpm (CVE-2022-4883, CVE-2022-44617 and CVE-2022-46285) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986543
∗∗∗ Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986547
∗∗∗ Multiple publicly disclosed Libcurl vulnerabilities affect IBM Safer Payments ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986573
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to [CVE-2022-37601] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986575
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986577
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986323
∗∗∗ Multiple vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986585
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986619
∗∗∗ Vulnerability in IBM\u00ae Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986617
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29017] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986625
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986629
∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986627
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 25-04-2023 18:00 − Mittwoch 26-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Never Connect to RDP Servers Over Untrusted Networks ∗∗∗
---------------------------------------------
In this article, we will demonstrate why connecting using the Remote Desktop Protocol (RDP) must be avoided on untrusted networks like in hotels, conferences, or public Wi-Fi. Protecting the connection with a VPN or a Remote Desktop Gateway is the only safe alternative.
---------------------------------------------
https://www.gosecure.net/blog/2023/04/26/never-connect-to-rdp-servers-over-…
∗∗∗ So you think you can block Macros? ∗∗∗
---------------------------------------------
For the purpose of securing Microsoft Office installs we see many of our customers moving to a macro signing strategy. Furthermore, Microsoft is trying to battle macro malware by enforcing Mark-of-the-Web (MotW) control on macro-enabled documents. In this blog we will dive into some of the quirks of Microsoft Office macro security, various commonly used configuration options and their bypasses.
---------------------------------------------
https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/
∗∗∗ Google Authenticator: Warnung - Backup der geheimen "Saat" im Klartext ∗∗∗
---------------------------------------------
Google spendierte dem Authenticator ein Backup der Geheimnisse, die zur Erstellung der Einmalpasswörter nötig sind. Google bekommt diese Daten aber im Klartext.
---------------------------------------------
https://heise.de/-8979932
∗∗∗ VMware Workstation und Fusion: Hersteller stopft kritische Zero-Day-Lücke ∗∗∗
---------------------------------------------
VMware stopft teils kritische Sicherheitslücken in Workstation und Fusion. Da sie auf der Pwn2Own-Konferenz vorgeführt wurden, handelt es sich um Zero-Days.
---------------------------------------------
https://heise.de/-8979106
∗∗∗ GuLoader returns with a rotten shipment ∗∗∗
---------------------------------------------
We take a look at a GuLoader campaign which comes bundled with an Italian language fake shipment email.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rott…
∗∗∗ So bleiben Sie mit der Watchlist Internet am Laufenden! ∗∗∗
---------------------------------------------
Das Angebot der Watchlist Internet wächst stetig: Wir geben Ihnen einen Überblick, wie Sie mit uns in puncto Internetbetrug up to date bleiben, welche Angebote Sie wo finden und auf welchen Kanälen wir vertreten sind.
---------------------------------------------
https://www.watchlist-internet.at/news/so-bleiben-sie-mit-der-watchlist-int…
∗∗∗ Hacker greifen kritische Sicherheitslücke in Druckersoftware PaperCut an ∗∗∗
---------------------------------------------
Sie können die Kontrolle über einen PaperCut-Server übernehmen. Zudem steht nun auch Beispielcode für einen Exploit öffentlich zur Verfügung.
---------------------------------------------
https://www.zdnet.de/88408703/hacker-greifen-kritische-sicherheitsluecke-in…
∗∗∗ Attackers Use Containers for Profit via TrafficStealer ∗∗∗
---------------------------------------------
We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0008 ∗∗∗
---------------------------------------------
VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0).
---------------------------------------------
https://lwn.net/Articles/930258/
∗∗∗ Insecure authentication in B420 legacy communication module ∗∗∗
---------------------------------------------
BOSCH-SA-341298-BT: An authentication vulnerability was found in the B420 Ethernet communication module from Bosch Security Systems. This is a legacy product which is currently obsolete and was announced to reach End on Life (EoL) on 2013. The B420 was last sold in July 2013 and was replaced by the B426. An EoL notice was provided to customers.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-341298-bt.html
∗∗∗ Scada-LTS Third Party Component ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02
∗∗∗ Keysight N8844A Data Analytics Web Service ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could lead to remote code execution.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-…
∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in Huawei HiLink AI Life Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvihha…
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-…
∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahp…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 24-04-2023 18:00 − Dienstag 25-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Intel CPUs vulnerable to new transient execution side-channel attack ∗∗∗
---------------------------------------------
A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new…
∗∗∗ New .NET Malware “WhiteSnake” Targets Python Developers, Uses Tor for C&C Communication ∗∗∗
---------------------------------------------
The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks. Our team identified 22 malicious packages, containing the same payload, targeting both Windows and Linux systems[...]
---------------------------------------------
https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c…
∗∗∗ Release of a Technical Report into Intel Trust Domain Extensions ∗∗∗
---------------------------------------------
Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intels Trust Domain Extensions (TDX). [...] The result of the review was the discovery of 10 confirmed security vulnerabilities which were fixed before the final release of products with the TDX feature. The final report highlights the most interesting of these issues and provides an overview of the features architecture. 5 additional areas were identified for defense-in-depth changes [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-…
∗∗∗ New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) ∗∗∗
---------------------------------------------
Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.
---------------------------------------------
https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-2955…
∗∗∗ PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published ∗∗∗
---------------------------------------------
The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users.
---------------------------------------------
https://securityonline.info/poc-for-pre-auth-rce-in-sophos-web-appliance-cv…
∗∗∗ Attackers are logging in instead of breaking in ∗∗∗
---------------------------------------------
Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data, analyzed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 “Living off the Land” binaries (LOLBins). Unlike malware, LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity.
---------------------------------------------
https://www.helpnetsecurity.com/2023/04/25/attacks-dwell-time/
∗∗∗ Gefälschte Facebook-Seite vom Tiergarten Schönbrunn verbreitet Fake-Gewinnspiel ∗∗∗
---------------------------------------------
Die gefälschte Facebook-Seite „ZooPark Wien“ verbreitet ein betrügerisches Gewinnspiel. Im Posting werden 4 Eintrittskarten verlost. Teilnehmer:innen müssen den Beitrag nur mit „Alles Gute zum Geburtstag“ kommentieren. Mit diesem Gewinnspiel versuchen Kriminelle aber an Ihre Kreditkartendaten zu kommen und Sie in eine Abo-Falle zu locken.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-facebook-seite-vom-tierg…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution ∗∗∗
---------------------------------------------
Apache Superset is an open source data visualization and exploration tool. [...] there are more than 3000 instances of it exposed to the Internet. [...] at least 2000 (two-thirds of all servers) – are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.
---------------------------------------------
https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-ap…
∗∗∗ Xen Security Advisory CVE-2022-42335 / XSA-430 - x86 shadow paging arbitrary pointer dereference ∗∗∗
---------------------------------------------
Guests running in shadow mode and having a PCI device passed through may be able to cause Denial of Service and other problems, escalation of privilege cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-430.html
∗∗∗ Zyxel schließt teils kritische Sicherheitslücken in Firewalls und Access Points ∗∗∗
---------------------------------------------
Zyxel hat Warnungen vor Sicherheitslücken in Firewalls und Access Points herausgegeben. Firmware-Updates zum Abdichten der Lecks stehen bereit.
---------------------------------------------
https://heise.de/-8977831
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, ovmf, and protobuf-c).
---------------------------------------------
https://lwn.net/Articles/930128/
∗∗∗ WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN00971105/
∗∗∗ ZDI-23-458: SolarWinds Network Performance Monitor TFTP Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-458/
∗∗∗ ZDI-23-457: SolarWinds Network Performance Monitor ExecuteExternalProgram Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-457/
∗∗∗ F5: K000133630 : Intel processor vulnerability CVE-2022-26343 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133630
∗∗∗ F5: K000133633 : Intel BIOS firmware vulnerability CVE-2022-32231 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133633
∗∗∗ Multiple Vulnerabilities Patched in Shield Security ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-…
∗∗∗ Belden: 2022-26 Multiple libexpat vulnerabilities in HiOS, Classic, HiSecOS, Wireless BAT-C2, Lite Managed, Edge ∗∗∗
---------------------------------------------
https://assets.belden.com/m/6f2d4e1f6bbaeb54/original/BSECV-2022-26.pdf
∗∗∗ Belden: 2022-29 strongSwan: integer overflow when replacing certificates in cache ∗∗∗
---------------------------------------------
https://assets.belden.com/m/25e4130e915c61a1/original/Belden_Security_Bulle…
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202304.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-18
∗∗∗ Nextcloud: Missing brute force protection for passwords of password protected share links ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r…
∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985649
∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985651
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559)) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985667
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when an Out of Memory occurs. (CVE-2023-26022) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985669
∗∗∗ IBM® Db2® is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985677
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985681
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985683
∗∗∗ IBM® Db2® is vulnerable to a denial of service as as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985687
∗∗∗ IBM® Db2® is vulnerable to remote code execution as a database administrator of one database may execute code or read\/write files from another database within the same instance. (CVE-2023-29257) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985691
∗∗∗ IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2023-27860) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985679
∗∗∗ Multiple vulnerabilities affect IBM Db2\u00ae Graph ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985689
∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to IBM HTTP Server (CVE-2023-26281) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985851
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984347
∗∗∗ IBM Safer Payments is vulnerable to OpenSSL Denial of Sevice Attack (CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985865
∗∗∗ TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985905
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 21-04-2023 18:00 − Montag 24-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Decoy Dog malware toolkit found after analyzing 70 billion DNS queries ∗∗∗
---------------------------------------------
A new enterprise-targeting malware toolkit called Decoy Dog has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-fo…
∗∗∗ Open Source: Gelöschte Curl-Instanz zerschießt Windows-Updates ∗∗∗
---------------------------------------------
Auch wenn Security-Scanner vor ungepatchter Software warnen, sollten Windows-Systemkomponenten wie Curl nicht manipuliert werden.
---------------------------------------------
https://www.golem.de/news/open-source-geloeschte-curl-instanz-zerschiesst-w…
∗∗∗ New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web ∗∗∗
---------------------------------------------
A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said.
---------------------------------------------
https://thehackernews.com/2023/04/new-all-in-one-evilextractor-stealer.html
∗∗∗ XWorm RAT: Avira-Sicherheitsexperten warnen vor Malware ∗∗∗
---------------------------------------------
Sicherheitsexperten von Avira warnen vor der Malware XWorm RAT
---------------------------------------------
https://heise.de/-8976282
∗∗∗ "Notstart" über CAN-Bus-Hack: Altes Nokia-Handy erlaubt Auto-Diebstahl per Klick ∗∗∗
---------------------------------------------
Der jüngst aufgezeigte CAN-Injection-Angriff auf das Bussystem Controller Area Network zieht weitere Kreise. Es tauchen immer mehr Kits zum "Notstarten" auf.
---------------------------------------------
https://heise.de/-8976444
∗∗∗ Bumblebee-Malware: Opfersuche mit Malvertising für trojanisierte Installer ∗∗∗
---------------------------------------------
IT-Forscher haben trojanisierte Installer für professionelle Software entdeckt. Sie würden mit Malvertising beworben und enthielten den Schädling Bumblebee.
---------------------------------------------
https://heise.de/-8977016
∗∗∗ Fake-Shops für Autoreifen boomen ∗∗∗
---------------------------------------------
Sie suchen im Internet nach günstigen Autoreifen? Nehmen Sie den Online-Shop genau unter die Lupe, es kursieren unzählige Fake-Shops! Die betrügerischen Shops wirken sehr professionell, haben ein Impressum und unschlagbare Preise. Wir zeigen Ihnen, wie Sie Shops überprüfen.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-fuer-autoreifen-boomen/
∗∗∗ TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal ∗∗∗
---------------------------------------------
Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451.
---------------------------------------------
https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-20…
∗∗∗ Updates and Timeline for 3CX and X_Trader Hacks ∗∗∗
---------------------------------------------
Mandiant revealed this week that the hack of 3CX was actually a double supply-chain hack that first involved hacking and compromising another companys software. Heres a timeline of the events.
---------------------------------------------
https://zetter.substack.com/p/updates-and-timeline-for-3cx-and
∗∗∗ Knapp zwei Drittel der XIoT-Schwachstellen remote ausnutzbar ∗∗∗
---------------------------------------------
Sicherheitstechnisch droht uns wohl ein Desaster - ich habe den State of XIoT Security Report: 2H 2022 von Claroty bereits einige Tage vorliegen. Dieser zeigt zwar die positiven Auswirkungen verstärkter Schwachstellen-Forschung und höheren Investitionen der Anbieter im Hinblick auf die XIoT-Sicherheit. Aber die Botschaft ist auch, dass Zahl der entdeckten Schwachstellen in diesem Bereit um 80 % zugenommen hat. Viele XIoT-Schwachstellen sind zudem remote ausnutzbar.
---------------------------------------------
https://www.borncity.com/blog/2023/04/23/knapp-zwei-drittel-der-xiot-schwac…
∗∗∗ ViperSoftX Updates Encryption, Steals Data ∗∗∗
---------------------------------------------
We observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious. We also noted more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryptio…
∗∗∗ Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries ∗∗∗
---------------------------------------------
What if you were told that you had a misconfigured registry with hundreds of millions of software artifacts containing highly confidential and sensitive proprietary code and secrets exposed in your environment right now? This would be what you’d call a really bad day for security. Recently, the Aqua Nautilus research team found just that in some of the world’s largest organizations, including five Fortune 500 companies.
---------------------------------------------
https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges ∗∗∗
---------------------------------------------
The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges.
---------------------------------------------
https://blog.talosintelligence.com/vuln-spotlight-ibm-aix-privilege-escalat…
∗∗∗ APC warns of critical unauthenticated RCE flaws in UPS software ∗∗∗
---------------------------------------------
APCs Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apc-warns-of-critical-unauth…
∗∗∗ Jetzt patchen! Angreifer attackieren Druck-Management-Lösung Papercut MF/NG ∗∗∗
---------------------------------------------
Eine kritische Sicherheitslücke gefährdet Systeme, auf denen Papercut läuft. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-8976755
∗∗∗ Solarwinds-Update dichtet zwei hochriskante Sicherheitslücken ab ∗∗∗
---------------------------------------------
Solarwinds stopft mit Software-Updates mehrere Sicherheitslücken, zwei davon gelten als hochriskant. IT-Verantwortliche sollten zügig aktualisieren.
---------------------------------------------
https://heise.de/-8976832
∗∗∗ Sicherheitspatches: Angreifer könnten Nvidia Cuda, DGX-1 & Co. attackieren ∗∗∗
---------------------------------------------
Nvidia hat wichtige Sicherheitsupdates für verschiedene Produkte veröffentlicht. Admins sollten schnell handeln.
---------------------------------------------
https://heise.de/-8976961
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (389-ds-base, chromium, connman, curl, redis, and thunderbird), Fedora (ceph, doctl, dr_libs, ffmpeg, freeimage, golang-github-digitalocean-godo, insight, libreswan, mingw-binutils, mingw-freeimage, mingw-freetype, openvswitch, rnp, suricata, webkitgtk, and wireshark), Mageia (dnsmasq, emacs, openimageio, php-smarty, redis, squirrel/supertux, and tcpdump), Red Hat (emacs), and SUSE (avahi, chromium, dmidecode, indent, jettison, openssl, openstack-cinder, openstack-nova, python-oslo.utils, and ovmf).
---------------------------------------------
https://lwn.net/Articles/930052/
∗∗∗ Multiple Vulnerabilities in Autodesk® InfraWorks® Software ∗∗∗
---------------------------------------------
Autodesk® InfraWorks® has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Hotfixes are available in the Autodesk Desktop App or the Accounts Portal to help resolve these vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0007
∗∗∗ ZDI-23-451: (Pwn2Own) TP-Link Archer AX21 merge_country_config Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-451/
∗∗∗ ZDI-23-452: (Pwn2Own) TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-452/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 20-04-2023 18:00 − Freitag 21-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victims Google account.
---------------------------------------------
https://thehackernews.com/2023/04/ghosttoken-flaw-could-let-attackers.html
∗∗∗ Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining ∗∗∗
---------------------------------------------
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html
∗∗∗ VoIP-Anbieter 3CX: Die doppelte Supply-Chain-Attacke ∗∗∗
---------------------------------------------
Eine Analyse zeigt, dass die Verteilung des kompromittierten VoIP-Clients von 3CX auf einen vorausgehenden Lieferketten-Angriff zurückgeht.
---------------------------------------------
https://heise.de/-8974948
∗∗∗ CVE-2022-29844: A Classic Buffer Overflow on the Western Digital My Cloud Pro Series PR4100 ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Luca Moro (@johncool__) during Pwn2Own Toronto 2022. At the contest, he used a classic buffer overflow to gain code execution on the My Cloud Pro Series PR4100 Network Attached Storage (NAS) device. He also displayed a nifty message on the device.
---------------------------------------------
https://www.zerodayinitiative.com/blog/2023/4/19/cve-2022-29844-a-classic-b…
∗∗∗ GitHub Announces New Security Improvements ∗∗∗
---------------------------------------------
GitHub this week introduced NPM package provenance and deployment protection rules and announced general availability of private vulnerability reporting.
---------------------------------------------
https://www.securityweek.com/github-announces-new-security-improvements/
∗∗∗ Abandoned WordPress Plugin Abused for Backdoor Deployment ∗∗∗
---------------------------------------------
Attackers are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject PHP code into web pages.
---------------------------------------------
https://www.securityweek.com/abandoned-wordpress-plugin-abused-for-backdoor…
∗∗∗ Online-Händler:innen aufgepasst: Kriminelle machen Fake-Bestellungen und holen sich per SEPA-Lastschrift das Geld zurück ∗∗∗
---------------------------------------------
Mit vermeintlichen Bestellungen versuchen Kriminelle derzeit an das Geld von Online-Händler:innen zu kommen: Kriminellen bestellen „unabsichtlich“ zu viel, verlangen anschließend den bereits bezahlten Betrag von den Händler:innen zurück. Gleichzeitig nutzen die Betrüger:innen die Funktion der SEPA-Lastschrift, bei der Zahlungsanfechtungen in einem bestimmten Zeitraum automatisch anerkannt werden.
---------------------------------------------
https://www.watchlist-internet.at/news/online-haendlerinnen-aufgepasst-krim…
=====================
= Vulnerabilities =
=====================
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0003 ∗∗∗
---------------------------------------------
CVE identifiers: CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0003.html
∗∗∗ VMSA-2023-0007 ∗∗∗
---------------------------------------------
VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0007.html
∗∗∗ OpenSSL: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255) ∗∗∗
---------------------------------------------
Severity: Low Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash.
---------------------------------------------
https://www.openssl.org/news/secadv/20230420.txt
∗∗∗ Kritische Lücken bedrohen Cisco Industrial Network Director und Modeling Labs ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für mehrere Cisco-Produkte. Zwei Schwachstellen gelten als kritisch.
---------------------------------------------
https://heise.de/-8975027
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf).
---------------------------------------------
https://lwn.net/Articles/929828/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-ex…
∗∗∗ IBM InfoSphere DataStage Flow Designer is vulnerable to Server-Side Request Forgery ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6509084
∗∗∗ Python is vulnerable to CVE-2022-26488 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985049
∗∗∗ iText.jar in Tom Sawyer Perspective is vulnerable to XML External Entity ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985225
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 19-04-2023 18:00 − Donnerstag 20-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Schwachstelle ermöglicht es Dieben, iPhones zu übernehmen ∗∗∗
---------------------------------------------
Über eine Sicherheitslücke verschaffen sich Kriminelle Zugang zu den Apple-IDs ihrer Opfer.
---------------------------------------------
https://futurezone.at/produkte/schwachstelle-diebstahl-iphones-uebernehmen-…
∗∗∗ Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads ∗∗∗
---------------------------------------------
hA new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. [..] Following responsible disclosure to Google, 36 of the 63 offending apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove the malicious library.
---------------------------------------------
https://thehackernews.com/2023/04/goldoson-android-malware-infects-over.html
∗∗∗ The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks ∗∗∗
---------------------------------------------
The mass compromise of the VoIP firms customers is the first confirmed incident where one software supply chain attack enabled another, researchers say.
---------------------------------------------
https://www.wired.com/story/3cx-supply-chain-attack-times-two/
∗∗∗ ‘AuKill’ EDR killer malware abuses Process Explorer driver ∗∗∗
---------------------------------------------
The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
---------------------------------------------
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-p…
∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗
---------------------------------------------
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog post, we will show the other vulnerable functions we were able to exploit.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-nam…
∗∗∗ Vermehrte Angriffe auf Cisco Router und Switche mit Cisco IOS und IOS-XE ∗∗∗
---------------------------------------------
Mehrere Sicherheitsbehörden und Cisco selbst warnen vor der gehäuften Ausnutzung alter Schwachstellen in Cisco IOS und IOS-XE.
---------------------------------------------
https://heise.de/-8973626
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023) ∗∗∗
---------------------------------------------
Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/04/wordfence-intelligence-weekly-wordpr…
∗∗∗ LockBit-Ransomware bereitet Angriffe auf Apple vor ∗∗∗
---------------------------------------------
Hacker haben ihre Malware offenbar weiterentwickelt und eine neue Variante in Umlauf gebracht, die es auf Apple-Computer abgesehen hat.
---------------------------------------------
https://www.zdnet.de/88408574/lockbit-ransomware-bereitet-angriffe-auf-appl…
∗∗∗ CISA and Partners Release Cybersecurity Best Practices for Smart Cities ∗∗∗
---------------------------------------------
Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that—if exploited—could impact national security, economic security, public health and safety, and critical infrastructure operations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/19/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005 ∗∗∗
---------------------------------------------
Security risk: Moderately critical
The file download facility doesnt sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.Some sites may require configuration changes following this security release.
---------------------------------------------
https://www.drupal.org/sa-core-2023-005
∗∗∗ Cisco Security Advisories Published on April 19, 2023 - 2 Critical, 2 High, 2 Medium ∗∗∗
---------------------------------------------
* StarOS Software Key-Based SSH Authentication Privilege Escalation Vulnerability
* SD-WAN vManage Software Arbitrary File Deletion Vulnerability
* TelePresence Collaboration Endpoint and RoomOS Arbitrary File Write Vulnerabilities
* Industrial Network Director Vulnerabilities
* Modeling Labs External Authentication Bypass Vulnerability
* BroadWorks Network Server TCP Denial of Service Vulnerability
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Mehrere Schadcode-Lücken in Foxit PDF geschlossen ∗∗∗
---------------------------------------------
Wer Foxit PDF Reader oder PDF Editor unter Windows nutzt, ist angreifbar.
---------------------------------------------
https://heise.de/-8974063
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
The Stable and extended stable channel has been updated to 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and 112.0.5615.165 for Linux which will roll out over the coming days/weeks. [..] Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
---------------------------------------------
http://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desk…
∗∗∗ Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin ∗∗∗
---------------------------------------------
On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites.
---------------------------------------------
https://www.wordfence.com/blog/2023/04/blubrry-addresses-authenticated-stor…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-1.11), Fedora (chromium, golang-github-cenkalti-backoff, golang-github-cli-crypto, golang-github-cli-gh, golang-github-cli-oauth, golang-github-gabriel-vasile-mimetype, libpcap, lldpd, parcellite, tcpdump, thunderbird, and zchunk), Red Hat (java-11-openjdk, java-17-openjdk, and kernel), SUSE (chromium, dnsmasq, ImageMagick, nodejs16, openssl-1_0_0, openssl1, ovmf, and python-Flask), and Ubuntu (dnsmasq, libxml2, linux, linux-aws, linux-aws-5.4, linux-azure, linu linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15 linux-oracle, linux-raspi2, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/929671/
∗∗∗ Chromium: CVE-2023-2136 Integer overflow in Skia ∗∗∗
---------------------------------------------
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2023-2136 exists in the wild.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2136
∗∗∗ Spring Boot 2.7.11 available now fixing CVE-2023-20873 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/20/spring-boot-2-7-11-available-now-fixing-c…
∗∗∗ Spring Boot 3.0.6 available now fixing CVE-2023-20873 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/20/spring-boot-3-0-6-available-now-fixing-cv…
∗∗∗ Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953617
∗∗∗ Unprivileged GPU access vulnerability - CVE-2013-5987 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/864038
∗∗∗ Multiple vulnerabilities found in third party libraries used by IBM\u00ae MobileFirst Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984763
∗∗∗ Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984785
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js npm module information disclosure (CVE-2022-29244) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984799
∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984945
∗∗∗ Unprivileged GPU access vulnerability - CVE-2013-5987 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/864038
∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984957
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service and security bypass (CVE-2018-10237, CVE-2020-8908) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984959
∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service (CVE-2022-42004, CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984967
∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure and denial of service (CVE-2021-31403, CVE-2021-33609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984971
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service (CVE-2022-24839) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984973
∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution (CVE-2020-10650) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984963
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service ( CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984969
∗∗∗ Security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984965
∗∗∗ IBM Rational Build Forge is vulnerable and could allow an unauthenticated attacker to obtain sensitive information due to the use of JSSE component (CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984975
∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to the ua-parser-js module (CVE-2022-25927) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984987
∗∗∗ Multiple vulnerabilities may affect IBM\u00ae SDK, Java\u2122 Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6839127
∗∗∗ Multiple vulnerabilities may affect IBM\u00ae SDK, Java\u2122 Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967213
∗∗∗ CVE-2022-3676 may affect IBM\u00ae SDK, Java\u2122 Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6839777
∗∗∗ IBM Rational Build Forge is vulnerable and could allow attacker to obtain sensitive information due to the use of JSSE component(CVE-2021-35550) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985007
∗∗∗ CVE-2023-30441 affects IBM\u00ae SDK, Java\u2122 Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985011
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
∗∗∗ INEA ME RTU ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-110-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 18-04-2023 18:00 − Mittwoch 19-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical Patch Update: Oracle kümmert sich um 433 Sicherheitslücken ∗∗∗
---------------------------------------------
Der Softwarehersteller Oracle hat für seine Anwendungen zahlreiche Sicherheitsupdates veröffentlicht. Einige Lücken gelten als kritisch.
---------------------------------------------
https://heise.de/-8971485
∗∗∗ Sicherheitsupdates: Dell sichert seit 2022 verwundbare Laptops erst jetzt ab ∗∗∗
---------------------------------------------
BIOS-Updates für unter anderem Dell-Modelle der Alienware- und Inspiron-Serien schließen zwei Sicherheitslücken.
---------------------------------------------
https://heise.de/-8971821
∗∗∗ Wenn alte Router Firmengeheimnisse preisgeben ∗∗∗
---------------------------------------------
Bei der Stilllegung ihrer alten Hardware schütten viele Unternehmen das Kind mit dem Bade aus.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/04/18/wenn-alte-router-firmenge…
∗∗∗ Hackers actively exploit critical RCE bug in PaperCut servers ∗∗∗
---------------------------------------------
Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-cri…
∗∗∗ Zaraza Bot Targets Google Chrome to Extract Login Credentials ∗∗∗
---------------------------------------------
The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.
---------------------------------------------
https://www.darkreading.com/remote-workforce/zaraza-bot-targets-google-chro…
∗∗∗ SecurePwn Part 1: Bypassing SecurePoint UTM’s Authentication (CVE-2023-22620) ∗∗∗
---------------------------------------------
While working on a recent customer penetration test, I discovered two fascinating and somewhat weird bugs in SecurePoint’s UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an attacker to bypass the entire authentication and gain access to the firewall’s administrative panel. [...] The second one, aka CVE-2023-22897 is a heartbleed-like bug that allows the leaking of remote memory contents and is discussed in a second blog post.
---------------------------------------------
https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-…
∗∗∗ SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897) ∗∗∗
---------------------------------------------
While my last finding affecting SecurePoint’s UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. [...] I’ve responsibly coordinated both vulnerabilities with the vendor SecurePoint and notified them about both issues on 5th January 2023. They did an amazing job acknowledging the vulnerability and providing a fix within a single business day. I barely see (hardware) vendors reacting so fast. Well done!
---------------------------------------------
https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-…
∗∗∗ Threat Actors Rapidly Adopt Web3 IPFS Technology ∗∗∗
---------------------------------------------
Web3 technologies are seeing widespread adoption — including by TAs. We discuss Web3 technology InterPlanetary File System (IPFS), and malicious use of it.
---------------------------------------------
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
∗∗∗ Play Ransomware Group Using New Custom Data-Gathering Tools ∗∗∗
---------------------------------------------
Tools allow attackers to harvest data typically locked by the operating system.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/play-ran…
∗∗∗ Raspberry Robin: Anti-Evasion How-To & Exploit Analysis ∗∗∗
---------------------------------------------
During the last year, Raspberry Robin has evolved to be one of the most distributed malware currently active. During this time, it is likely to be used by many actors to distribute their own malware such as IcedID, Clop ransomware and more.
---------------------------------------------
https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-ex…
∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗
---------------------------------------------
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog [...]
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-nam…
∗∗∗ DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks ∗∗∗
---------------------------------------------
NoName057(16) is still conducting DDoS attacks on the websites of institutions and companies in European countries. The new Go variant of bots implemented an authentication mechanism to communicate with C2 servers and their proxies. Moreover, the mechanism also provides IP address blocklisting, presumably to hinder the tracking of the project.
---------------------------------------------
https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Webbrowser: Neue Zero-Day-Lücke in Google Chrome ∗∗∗
---------------------------------------------
Im Webbrowser Chrome greifen Cyberkriminelle eine neue Zero-Day-Lücke in freier Wildbahn an. Google verteilt Software-Updates, um die Lücke zu schließen.
---------------------------------------------
https://heise.de/-8971427
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk), Fedora (lldpd and openssh), Red Hat (curl, kernel, and openvswitch2.13), SUSE (compat-openssl098, glib2, grafana, helm, libgit2, openssl, and openssl-1_1), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and vim).
---------------------------------------------
https://lwn.net/Articles/929533/
∗∗∗ Research by Positive Technologies helps to fix vulnerabilities in Nokia NetAct network management system ∗∗∗
---------------------------------------------
Nokia has fixed five vulnerabilities in Nokia NetAct found by Positive Technologies experts Vladimir Razov and Alexander Ustinov. Nokia NetAct is used by more than 500 communications service providers to monitor and control telecommunication networks, base stations, and other systems. The vendor was notified of the threat as part of standard responsible disclosure and has fixed the vulnerabilities in new versions of the software.
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/research-by-positive-technologi…
∗∗∗ WordPress plugin "LIQUID SPEECH BALLOON” vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN99657911/
∗∗∗ Oracle Critical Patch Update Advisory - April 2023 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuapr2023.html
∗∗∗ K000133390 : Apache Tomcat vulnerability CVE-2022-45143 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133390
∗∗∗ K000133547 : Python urllib3 vulnerability CVE-2020-26137 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133547
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 17-04-2023 18:00 − Dienstag 18-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Recycled Core Routers Exposed Sensitive Corporate Network Info ∗∗∗
---------------------------------------------
Researchers warn about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/recycled-core-routers-e…
∗∗∗ YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) thats used to deliver the Aurora information stealer malware.
---------------------------------------------
https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html
∗∗∗ Memory corruption in JCRE: An unpatchable HSM may swallow your private key ∗∗∗
---------------------------------------------
The key has always been a core target of security protection. Due to the limitation of key slots, most cryptocurrency hardware wallets use MCU chips (such as STM32F205RE) to implement. However, people who have higher security requirements to safeguarding the private keys are often interested in Java cards [...]
---------------------------------------------
https://hardenedvault.net/blog/2023-04-18-java-card-runtime-memory-corrupti…
∗∗∗ Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight ∗∗∗
---------------------------------------------
[...] In order to truly protect ourselves from RaaS gangs, we have to ‘peel back the onion’, so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage. One of the most concerning behaviors we’ve observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more.
---------------------------------------------
https://www.malwarebytes.com/blog/business/2023/04/living-off-the-land-lotl…
∗∗∗ New Captcha Protected Phishing Attack Targets Access to Payroll Files ∗∗∗
---------------------------------------------
We have discovered a new phishing attack that specifically targets individuals who need access to payroll files through Microsoft Teams.
---------------------------------------------
https://cyberwarzone.com/new-captcha-protected-phishing-attack-targets-acce…
∗∗∗ Sicherheitsupdates: Trend Micro Security macht Windows-PCs verwundbar ∗∗∗
---------------------------------------------
Es gibt ein wichtiges Update für die Anti-Viren-Anwendung Trend Micro Security für Windows.
---------------------------------------------
https://heise.de/-8969449
∗∗∗ US-Behörde: Schwachstelle in altem macOS wird für Angriffe ausgenutzt ∗∗∗
---------------------------------------------
Nach Informationen der Cyber-Sicherheitsbehörde gibt es Hinweise auf aktiv durchgeführte Angriffe. Für sehr alte Macs liegen keine Patches vor.
---------------------------------------------
https://heise.de/-8970903
∗∗∗ Kleinanzeigenbetrug: Vorsicht, wenn jemand per Scheck bezahlen möchte ∗∗∗
---------------------------------------------
Sie verkaufen ein Fahrrad auf Ländleanzeiger.at. Ein Interessent meldet sich und möchte es kaufen. Weil der Interessent gerade keinen Zugriff auf sein Bankkonto hat, möchte er es per Scheck bezahlen. Nach einigen Tagen kommt tatsächlich ein Scheck an – aber mit einem viel zu hohen Betrag. Vorsicht: Der Scheck ist Fake. Brechen Sie den Kontakt ab, Sie werden betrogen.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-wenn-je…
∗∗∗ Shodan Verified Vulns 2023-04-01 ∗∗∗
---------------------------------------------
Mit Stand 2023-04-01 sieht Shodan in Österreich die folgenden Schwachstellen: Dieses Monat stechen keine wirklich nennenswerten Veränderungen ins Auge.
---------------------------------------------
https://cert.at/de/aktuelles/2023/4/shodan-verified-vulns-2023-04-01
∗∗∗ APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers ∗∗∗
---------------------------------------------
APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
∗∗∗ Windows 10/11: Microsoft veröffentlicht Fix für OOBE-Bitlocker-Ausfall-Bug ∗∗∗
---------------------------------------------
Microsoft propagiert zwar Bitlocker zur Verschlüsselung von Laufwerken unter Windows. Aber es gibt immer wieder Bugs, die die Verschlüsselung verhindern oder Dritten unbefugten Zugriff auf verschlüsselte Laufwerke ermöglichen. Ein Microsoft Supporter hat jetzt einen Fall enthüllt, bei dem Bitlocker in der Out-of-the-Box (OOBE) Phase der Windows-Installation nicht aktiviert wird.
---------------------------------------------
https://www.borncity.com/blog/2023/04/18/windows-10-11-microsoft-verffentli…
∗∗∗ Automating Qakbot Detection at Scale With Velociraptor ∗∗∗
---------------------------------------------
This blog offers a practical methodology to extract configuration data from recent Qakbot samples.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Garrett: PSA: upgrade your LUKS key derivation function ∗∗∗
---------------------------------------------
[...] the LUKS1 header format, and the only KDF supported in this format is PBKDF2. This is not a memory expensive KDF, and so is vulnerable to GPU-based attacks. But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id.
---------------------------------------------
https://lwn.net/Articles/929343/
∗∗∗ New sandbox escape PoC exploit available for VM2 library, patch now ∗∗∗
---------------------------------------------
Security researchers have released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on the host running the VM2 sandbox. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-explo…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (protobuf), Fedora (libpcap, libxml2, openssh, and tcpdump), Mageia (kernel and kernel-linus), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (gradle, kernel, nodejs10, nodejs12, nodejs14, openssl-3, pgadmin4, rubygem-rack, and wayland), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/929389/
∗∗∗ Multiple critical vulnerabilities in Strapi versions <=4.7.1 ∗∗∗
---------------------------------------------
Strapi had multiple critical vulnerabilities that could be chained together to gain unauthenticated remote code execution. This is my public disclosure of the vulnerabilities i found in strapi, how they were patched and some nonsensical ramblings.
---------------------------------------------
https://www.ghostccamm.com/blog/multi_strapi_vulns/
∗∗∗ Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/04/hiding-in-plain-sight-cross-site-scr…
∗∗∗ Omron CS/CJ Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-108-01
∗∗∗ Spring Security 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 released, fix CVE-2023-20862 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/17/spring-security-6-1-0-rc1-6-0-3-5-8-3-and…
∗∗∗ Kubernetes kube-apiserver vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982927
∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/search?q=IBM%20Sterling%20Order%…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984199
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in libcurl (CVE-2022-32221) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984203
∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854647
∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server and Websphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2023-24998)) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984345
∗∗∗ Security Bulletin: The IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984347
∗∗∗ Vulnerabilities in Apache Shiro (CVE-2022-40664) and Apache Commons FileUpload (CVE-2023-24998) affect IBM WebSphere Service Registry and Repository. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962169
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984413
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 14-04-2023 18:00 − Montag 17-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Juice Jacking: FBI warnt ohne Anlass vor öffentlichen USB-Ladestationen ∗∗∗
---------------------------------------------
Angreifer könnten USB-Ladestationen an Flughäfen & Co. kompromittieren, um so Malware auf Smartphones zu schieben. Das ist jedoch nicht wirklich aktuell.
---------------------------------------------
https://heise.de/-8966067
∗∗∗ Zero-Day: Pinduoduo konnte Daten stehlen und Malware installieren ∗∗∗
---------------------------------------------
Die chinesische Android-App Pinduoduo konnte eine Zero-Day-Lücke in Android missbrauchen. Die CISA mahnt zum Anwenden des Android-Updates.
---------------------------------------------
https://heise.de/-8968204
∗∗∗ Sonderupdate: Google Chrome 112.0.5615.121 und Edge 112.0.1722.48 ∗∗∗
---------------------------------------------
Google hat zum 14. April 2023 außerplanmäßig Updates des Google Chrome Browsers 112 im Extended und Stable Channel für Mac, Linux und Windows freigegeben. Microsoft hat gleichzeitig den Edge Version 112 aktualisiert. Es sind Sicherheitsupdates, welche die als hoch eingestufte Schwachstelle CVE-2023-2033 schließen.
---------------------------------------------
https://www.borncity.com/blog/2023/04/16/google-chrome-112-0-5615-121-sonde…
∗∗∗ Dating: Auf live-treffen.com & royacca.com chatten Sie kostenpflichtig mit Fake-Profilen ∗∗∗
---------------------------------------------
Auf den Dating-Plattformen live-treffen.com & royacca.com finden Sie schnell interessante Menschen. Ob es sich dabei um echte Personen handelt, ist unklar, denn die Plattformen nutzen „professionelle Animateure“, die mit Ihnen chatten. Das Problem dabei: Jede Nachricht kostet und Sie wissen nicht, ob Sie mit echten oder fiktiven Profilen schreiben.
---------------------------------------------
https://www.watchlist-internet.at/news/dating-auf-live-treffencom-royaccaco…
∗∗∗ Android malware infiltrates 60 Google Play apps with 100M installs ∗∗∗
---------------------------------------------
A new Android malware named Goldoson has infiltrated the platforms official app store, Google Play, through 60 apps that collectively have 100 million downloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-…
∗∗∗ Hackers start abusing Action1 RMM in ransomware attacks ∗∗∗
---------------------------------------------
Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action…
∗∗∗ QBot banker delivered through business correspondence ∗∗∗
---------------------------------------------
In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mails that were based on real business letters the attackers had gotten access to.
---------------------------------------------
https://securelist.com/qbot-banker-business-correspondence/109535/
∗∗∗ FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks ∗∗∗
---------------------------------------------
A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed Domino, is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer [...]
---------------------------------------------
https://thehackernews.com/2023/04/fin7-and-ex-conti-cybercrime-gangs-join.h…
∗∗∗ Bypassing Windows Defender (10 Ways) ∗∗∗
---------------------------------------------
In this article I will be explaining 10 ways/techniques to bypass a fully updated Windows system with up-to-date Windows Defender intel in order to execute unrestricted code (other than permissions/ACLs, that is).
---------------------------------------------
https://www.fo-sec.com/articles/10-defender-bypass-methods
∗∗∗ LockBit Ransomware Group Developing Malware to Encrypt Files on macOS ∗∗∗
---------------------------------------------
The LockBit ransomware gang is developing malware designed to encrypt files on macOS systems and researchers have analyzed if it poses a real threat.
---------------------------------------------
https://www.securityweek.com/lockbit-ransomware-group-developing-malware-to…
∗∗∗ Trigona Ransomware Attacking MS-SQL Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered in October 2022, and Unit 42 has recently published a report based on the similarity between Trigona and the CryLock ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/51343/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, rails, and ruby-rack), Fedora (firefox, ghostscript, libldb, samba, and tigervnc), Mageia (ceph, davmail, firefox, golang, jpegoptim, libheif, python-certifi, python-flask-restx, thunderbird, and tomcat), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (apache2-mod_auth_openidc, aws-nitro-enclaves-cli, container-suseconnect, firefox, golang-github-prometheus-prometheus, harfbuzz, java-1_8_0-ibm, kernel, liblouis, php7, tftpboot-installation images, tomcat, and wayland), and Ubuntu (chromium-browser, imagemagick, kamailio, and libreoffice).
---------------------------------------------
https://lwn.net/Articles/929303/
∗∗∗ K000133522 : Apache mod_proxy_wstunnel vulnerability CVE-2019-17567 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133522?utm_source=f5support&utm_medi…
∗∗∗ Microsoft Defender Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24934
∗∗∗ Vulnerabilities in Samba shipped with IBM OS Image for Red Hat Enterprise Linux System (CVE-2022-32742) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983851
∗∗∗ IBM Workload Scheduler potentially affected by a vulnerability found in Json-smart library (CVE-2023-1370) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984157
∗∗∗ There is a security vulnerability in Node.js http-cache-semantics module used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-25881) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984165
∗∗∗ IBM Cloud Pak for Network Automation 2.4.5 addresses multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984171
∗∗∗ IBM Db2\u00ae Graph is vulnerable to remote execution of arbitrary commands due to Node.js CVE-2022-43548 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984185
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 13-04-2023 18:00 − Freitag 14-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ VoIP-Software von 3CX: Erste Analyse-Ergebnisse ∗∗∗
---------------------------------------------
3CX hat erste Ergebnisse der IT-Sicherheitsspezialisten von Mandiant bezüglich des Einbruchs und Lieferkettenangriffs auf die VoIP-Software herausgegeben.
---------------------------------------------
https://heise.de/-8962595
∗∗∗ Netzwerkausrüster Juniper verteilt viele Sicherheits-Aktualisierungen ∗∗∗
---------------------------------------------
In diversen Produkten des Netzwerkausrüsters Juniper klaffen Sicherheitslücken, die der Hersteller mit Updates schließt. Sie sollten zügig installiert werden.
---------------------------------------------
https://heise.de/-8951334
∗∗∗ Jetzt patchen! QueueJumper-Lücke gefährdet hunderttausende Windows-Systeme ∗∗∗
---------------------------------------------
Sicherheitsforscher haben nach weltweiten Scans über 400.000 potenziell angreifbare Windows-Systeme entdeckt. Sicherheitspatches sind verfügbar.
---------------------------------------------
https://heise.de/-8961420
∗∗∗ Passwortschutz umgehbar: Drupal-Modul Protected Pages verwundbar ∗∗∗
---------------------------------------------
Angreifer könnten auf eigentlich durch Passwörter abgeschottete Drupal-Websites zugreifen. Ein Sicherheitsupdate ist verfügbar.
---------------------------------------------
https://heise.de/-8959518
∗∗∗ Cloudflare: Botnetzwerke setzen auf gehackte VPS statt auf IoT ∗∗∗
---------------------------------------------
Laut Cloudflare setzen Botnetze auf gehackte Virtual Private Server (VPS), beispielsweise von Start-ups, die deutlich mehr Leistung für DDoS-Angriffe bieten.
---------------------------------------------
https://www.golem.de/news/cloudflare-botnetzwerke-setzen-auf-gehackte-vps-s…
∗∗∗ HTTP: Whats Left of it and the OCSP Problem, (Thu, Apr 13th) ∗∗∗
---------------------------------------------
It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP.
---------------------------------------------
https://isc.sans.edu/diary/rss/29744
∗∗∗ How to Set Up a Content Security Policy (CSP) in 3 Steps ∗∗∗
---------------------------------------------
What is a Content Security Policy (CSP)? A Content Security Policy (CSP) is a security feature used to help protect websites and web apps from clickjacking, cross-site scripting (XSS), and other malicious code injection attacks. At the most basic level, a CSP is a set of rules that restricts or green lights what content loads onto your website. It is a widely-supported security standard recommended to anyone who operates a website.
---------------------------------------------
https://blog.sucuri.net/2023/04/how-to-set-up-a-content-security-policy-csp…
∗∗∗ RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit.
---------------------------------------------
https://thehackernews.com/2023/04/rtm-locker-emerging-cybercrime-group.html
∗∗∗ Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation ∗∗∗
---------------------------------------------
The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA’s KEV catalog.
---------------------------------------------
https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports…
∗∗∗ Automating Qakbot decode at scale ∗∗∗
---------------------------------------------
This is a technical post covering methodology to extract configuration data from recent Qakbot samples. I will provide background on Qakbot, walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/04/14/automating-qakbot-decode/
=====================
= Vulnerabilities =
=====================
∗∗∗ CISA Releases Sixteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released sixteen Industrial Control Systems (ICS) advisories on April 13, 2023. * B. Braun Battery Pack SP with Wi-Fi * 13x Siemens * Datakit CrossCAD-WARE * Mitsubishi Electric GOC35 Series
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/13/cisa-releases-sixteen-in…
∗∗∗ Advisory SA23P002: Several Issues in B&R VC4 Visualization ∗∗∗
---------------------------------------------
An unauthenticated network-based attacker who successfully exploits these vulnerabilities could bypass the authentication mechanism of the VC4 visualization, read stack memory or execute code on an affected device.
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16810468…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (haproxy and openvswitch), Fedora (bzip3, libyang, mingw-glib2, thunderbird, xorg-x11-server, and xorg-x11-server-Xwayland), and Ubuntu (apport, ghostscript, linux-bluefield, node-thenify, and python-flask-cors).
---------------------------------------------
https://lwn.net/Articles/929107/
∗∗∗ Cross-Site Scripting in Timesheet Tracking for Jira (SYSS-2022-050) ∗∗∗
---------------------------------------------
Über Cross-Site Scripting-Schwachstellen im Plug-in "Timesheet Tracking for Jira" kann Schadcode eingebaut werden, der von allen Besuchern ausgeführt wird.
---------------------------------------------
https://www.syss.de/pentest-blog/cross-site-scripting-in-timesheet-tracking…
∗∗∗ CPE2023-001 – Regarding vulnerabilities for Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers – 14 April 2023 ∗∗∗
---------------------------------------------
Several vulnerabilities have been identified for certain Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 12-04-2023 18:00 − Donnerstag 13-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ (Gepatchte aber dennoch) üble Sicherheitslücke in (einer optionalen Komponente von) Microsoft Windows ∗∗∗
---------------------------------------------
Es entbehrt nicht einer gewissen Ironie, dass die meisten Blogeinträge, welche sich in den letzten Monaten mit Sicherheitslücken in Produkten von Microsoft beschäftigt haben, von dem Mitarbeiter des CERT stammen, dessen Kenntnisse rund um Windows, Office und den ganzen Rest wohl mit Abstand am schwächsten sind - und damit herzlich willkommen zu einem weiteren Beitrag, welcher diese Kriterien vollständig erfüllt.
---------------------------------------------
https://cert.at/de/blog/2023/4/gepatchte-aber-dennoch-uble-sicherheitslucke…
∗∗∗ NTP-Schwachstelle: Offenbar weniger bedrohlich als zunächst vermutet ∗∗∗
---------------------------------------------
Entwarnung: Nach der BSI-Warnung vor einer kritischen Lücke in NTP kommen IT-Experten bei der Analyse auf eine geringere Bedrohung. NTP will Patches liefern.
---------------------------------------------
https://heise.de/-8949340
∗∗∗ Uncommon infection methods—part 2 ∗∗∗
---------------------------------------------
Kaspersky researchers discuss infection methods used by Mirai-based RapperBot, Rhadamantys stealer, and CUEMiner: smart brute forcing, malvertising, and distribution through BitTorrent and OneDrive.
---------------------------------------------
https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/
∗∗∗ New Python-Based "Legion" Hacking Tool Emerges on Telegram ∗∗∗
---------------------------------------------
An emerging Python-based credential harvester and a hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.
---------------------------------------------
https://thehackernews.com/2023/04/new-python-based-legion-hacking-tool.html
∗∗∗ Indirect Prompt Injection Threats ∗∗∗
---------------------------------------------
If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a Social Engineer who seeks out and exfiltrates personal information. The user doesnt have to ask about the website or do anything except interact with Bing Chat while the website is opened in the browser.
---------------------------------------------
https://greshake.github.io/
∗∗∗ Malware Disguised as Document from Ukraines Energoatom Delivers Havoc Demon Backdoor ∗∗∗
---------------------------------------------
[...] FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants. [...] Aside from highlighting the technical details of this latest multi-staged attack [...] this article also discusses some strange artifacts that make us think this could be a work-in-progress or part of a red-team exercise.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/malware-disguised-as-document…
∗∗∗ BSI-Studie: Gängige Mikrocontroller sind für Hardware-Angriffe anfällig ∗∗∗
---------------------------------------------
Bei Hardware-Sicherheitstoken und Krypto-Wallets, smarten Schlössern und Kassensystemen haben Hacker leichtes Spiel, warnen Fraunhofer-Forscher im BSI-Auftrag.
---------------------------------------------
https://heise.de/-8949244
∗∗∗ Vorsicht vor Fake Urlaubsangeboten! ∗∗∗
---------------------------------------------
Die Urlaubszeit rückt langsam aber sicher näher, das treibt auch Kriminelle auf den Plan. Betrügerische Anbieter wie Kofi Vermittlung (kofireisen.com) versuchen Sie mit angeblich günstigen Angeboten abzuzocken! Achten Sie bei der Urlaubsbuchung auf folgende Warnsignale für entspannte Ferien statt einer Kostenfalle!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-urlaubsangeboten/
∗∗∗ Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land ∗∗∗
---------------------------------------------
The Vice Society ransomware gang exfiltrated victim network data using a custom Microsoft PowerShell script. We dissect how each function of it works.
---------------------------------------------
https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/
=====================
= Vulnerabilities =
=====================
∗∗∗ Softwareentwicklung: Jenkins-Plug-ins verwundbar, viele Updates stehen noch aus ∗∗∗
---------------------------------------------
Software-Entwicklungsumgebungen mit Jenkins sind attackierbar. Bislang sind nur wenige betroffene Plug-ins abgesichert.
---------------------------------------------
https://heise.de/-8949204
∗∗∗ Sicherheitsupdates: Netzwerkanalysetool Wireshark anfällig für DoS-Attacken ∗∗∗
---------------------------------------------
Die Wireshark-Entwickler haben zwei neue Versionen des Tools veröffentlicht. Darin haben sie unter anderem drei Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-8949661
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, lldpd, and zabbix), Fedora (ffmpeg, firefox, pdns-recursor, polkit, and thunderbird), Oracle (kernel and nodejs:14), Red Hat (nodejs:14, openvswitch2.17, openvswitch3.1, and pki-core:10.6), Slackware (mozilla), SUSE (nextcloud-desktop), and Ubuntu (exo, linux, linux-kvm, linux-lts-xenial, linux-aws, smarty3, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/928976/
∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (11. April 2023) ∗∗∗
---------------------------------------------
Zum 11. April 2023 wurden diverse Sicherheitsupdates für Windows Server 2008 R2 (im 4. ESU Jahr) sowie für Windows Server 2012/R2 veröffentlicht (die Updates lassen sich ggf. auch noch unter Windows 7 SP1).
---------------------------------------------
https://www.borncity.com/blog/2023/04/13/windows-7-server-2008-r2-server-20…
∗∗∗ Patchday: Microsoft Office Updates (11. April 2023) ∗∗∗
---------------------------------------------
Am 11. April 2023 (zweiter Dienstag im Monat, Microsoft Patchday) hat Microsoft mehrere sicherheitsrelevante Updates für noch unterstützte Microsoft Office Versionen und andere Produkte veröffentlicht. Mit dem April 2023-Patchday endet der Support für Office 2013.
---------------------------------------------
https://www.borncity.com/blog/2023/04/13/patchday-microsoft-office-updates-…
∗∗∗ Drupal: Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-013
∗∗∗ Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data ∗∗∗
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-so…
∗∗∗ Mattermost security updates 7.9.2 / 7.8.3 (ESR) / 7.7.4 / 7.1.8 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-9-2-7-8-3-esr-7-7…
∗∗∗ Multiple Vulnerabilities in the Autodesk® AutoCAD® Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0005
∗∗∗ MISP 2.4.170 released with new features, workflow improvements and bugs fixed ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.170
∗∗∗ CVE-2023-0004 PAN-OS: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0004
∗∗∗ CVE-2023-0005 PAN-OS: Exposure of Sensitive Information Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0005
∗∗∗ CVE-2023-0006 GlobalProtect App: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0006
∗∗∗ Spring Framework 6.0.8, 5.3.27 and 5.2.24.RELEASE fix cve-2023-20863 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/13/spring-framework-6-0-8-5-3-27-and-5-2-24-…
∗∗∗ B. Braun Battery Pack SP with Wi-Fi ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-103-01
∗∗∗ DataPower Operations Dashboard vulnerable to multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983234
∗∗∗ AIX is vulnerable to arbitrary command execution due to invscout (CVE-2023-28528) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983232
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983270
∗∗∗ A CVE-2021-28165 vulnerability in Eclipse Jetty affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983272
∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI - January 2023 CPU plus deferred CVE-2022-21426 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983454
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983456
∗∗∗ IBM Maximo Asset Management is vulnerable to HTML injection (CVE-2023-27864) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983460
∗∗∗ IBM Security Verify Governance is vulnerable to remote attacks to execute arbitrary code on the system [CVE-2013-4521, CVE-2013-2165 and CVE-2018-14667] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983480
∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983482
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to denial of service due to [CVE-2022-37603] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983484
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983486
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983490
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM\u00ae Java SDK CPU January 2023) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983492
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 11-04-2023 18:00 − Mittwoch 12-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patchday: Angreifer infizieren Windows mit Nokoyawa-Ransomware ∗∗∗
---------------------------------------------
Microsoft hat wichtige Sicherheitsupdates für etwa Azure, Dynamics 365 und Windows veröffentlicht.
---------------------------------------------
https://heise.de/-8935888
∗∗∗ BSI warnt vor kritischen Zero-Day-Lücken im NTP-Server ∗∗∗
---------------------------------------------
Ein IT-Forscher hat fünf Sicherheitslücken im Zeitserver NTP gemeldet. Das BSI stuft die Lücken als kritisch ein. Ein Update steht bislang noch nicht bereit.
---------------------------------------------
https://heise.de/-8948528
∗∗∗ Warten auf Sicherheitspatches: BIOS-Lücken gefährden Lenovo-Laptops ∗∗∗
---------------------------------------------
Angreifer könnten Lenovo-Laptops attackieren und im schlimmsten Fall Schadcode ausführen. Updates sind noch nicht verfügbar.
---------------------------------------------
https://heise.de/-8948481
∗∗∗ Phishing-Alarm: „New Fax Document(s) has been received” ∗∗∗
---------------------------------------------
Derzeit werden willkürlich E-Mails an Unternehmen versendet, in denen behauptet wird, dass die Empfänger:innen ein neues Fax-Dokument erhalten hätten. Um das Dokument anzusehen, muss ein Link angeklickt werden. Achtung: Kriminelle versuchen das Microsoft-Konto der betroffenen Mitarbeiter:innen zu kapern.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-new-fax-documents-has…
∗∗∗ Abo-Falle statt Kaffeemaschinen-Gewinnspiel im Namen von MediaMarkt ∗∗∗
---------------------------------------------
Auf Facebook wird ein betrügerisches Gewinnspiel im Namen von MediaMarkt durch Kriminelle beworben. Versprochen werden Kaffeemaschinen von DeLonghi für nur 1,95 Euro wegen einer angeblichen Vertragsauflösung zwischen dem Hersteller und MediaMarkt. Tatsächlich landen Sie hier aber in einer teuren Abo-Falle. Die Kaffeemaschinen gibt es nicht.
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-statt-kaffeemaschinen-gewi…
∗∗∗ Remote Code Execution (RCE) in Hashicorp Vault ∗∗∗
---------------------------------------------
Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. This vulnerability, in certain conditions, allows attackers to execute code remotely on the target system through a SQL injection attack.
---------------------------------------------
https://www.oxeye.io/blog/rce-through-sql-injection-vulnerability-in-hashic…
∗∗∗ Hacked sites caught spreading malware via fake Chrome updates ∗∗∗
---------------------------------------------
Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unaware visitors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacked-sites-caught-spreadin…
∗∗∗ Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign ∗∗∗
---------------------------------------------
This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-inves…
∗∗∗ The Service Accounts Challenge: Cant See or Secure Them Until Its Too Late ∗∗∗
---------------------------------------------
Heres a hard question to answer: How many service accounts do you have in your environment?. A harder one is: Do you know what these accounts are doing?. And the hardest is probably: If any of your service account was compromised and used to access resources would you be able to detect and stop that in real-time?
---------------------------------------------
https://thehackernews.com/2023/04/the-service-accounts-challenge-cant-see.h…
∗∗∗ Another zero-click Apple spyware maker just popped up on the radar again ∗∗∗
---------------------------------------------
Malware reportedly developed by a little-known Israeli commercial spyware maker has been found on devices of journalists, politicians, and an NGO worker in multiple countries, say researchers.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/04/12/quadream_spy…
∗∗∗ Recent IcedID (Bokbot) activity ∗∗∗
---------------------------------------------
This week, weve seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments. The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives. The password for the downloaded zip archive is shown in the PDF file. The downloaded zip archives contain EXE files that are digitally-signed using a certificate issued by SSL.com.
---------------------------------------------
https://isc.sans.edu/diary/rss/29740
∗∗∗ BumbleBee hunting with a Velociraptor ∗∗∗
---------------------------------------------
The various detection opportunities described in the report can be useful for organizations to detect an infection in its first stages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma) so they can be used by any company or the wider community.
---------------------------------------------
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
∗∗∗ Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was uncovered by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server.
---------------------------------------------
https://thehackernews.com/2023/04/cryptocurrency-stealer-malware.html
∗∗∗ Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts ∗∗∗
---------------------------------------------
On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts.
---------------------------------------------
https://www.wordfence.com/blog/2023/04/update-now-severe-vulnerability-impa…
∗∗∗ On self-healing code and the obvious issue ∗∗∗
---------------------------------------------
While browsing the news in the morning Ive found an article on Ars Technica titles "Developer creates “self-healing” programs that fix themselves thanks to AI". Its about Wolverine, which is an automated extension of what was demoed during the GPT-4 reveal, i.e. the perceived ability of GPT-4 to understand error messages and suggest fixes.
---------------------------------------------
https://gynvael.coldwind.pl/?id=766
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday: Fortinet schließt kritische und hochriskante Lücken ∗∗∗
---------------------------------------------
Am April-Patchday liefert Fortinet für zahlreiche Produkte Sicherheitsupdates aus. Eine der damit geschlossenen Lücken stuft der Hersteller als kritisch ein.
---------------------------------------------
https://heise.de/-8939457
∗∗∗ Patchday: Kritische Schadcode-Lücken in Adobe-Anwendungen geschlossen ∗∗∗
---------------------------------------------
Wer Anwendungen von Adobe nutzt, sollte diese aus Sicherheitsgründen auf den aktuellen Stand bringen.
---------------------------------------------
https://heise.de/-8935948
∗∗∗ Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin ∗∗∗
---------------------------------------------
On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, [...]
---------------------------------------------
https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-p…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, ghostscript, glusterfs, netatalk, php-Smarty, and skopeo), Mageia (ghostscript, imgagmagick, ipmitool, openssl, sudo, thunderbird, tigervnc/x11-server, and vim), Oracle (curl, haproxy, and postgresql), Red Hat (curl, haproxy, httpd:2.4, kernel, kernel-rt, kpatch-patch, and postgresql), Slackware (mozilla), SUSE (firefox), and Ubuntu (dotnet6, dotnet7, firefox, json-smart, linux-gcp, linux-intel-iotg, and sudo).
---------------------------------------------
https://lwn.net/Articles/928870/
∗∗∗ Patchday: Windows 11/Server 2022-Updates (11. April 2023) ∗∗∗
---------------------------------------------
Am 11. April 2023 (zweiter Dienstag im Monat, Patchday bei Microsoft) hat Microsoft auch kumulative Updates für Windows 11 22H1 und 22H2 veröffentlicht. Zudem erhielt Windows Server 2022 ein Update. Hier einige Details zu diesen Updates, die Schwachstellen sowie Probleme [...]
---------------------------------------------
https://www.borncity.com/blog/2023/04/12/patchday-windows-11-server-2022-up…
∗∗∗ FANUC ROBOGUIDE-HandlingPRO ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow an attacker to read and/or overwrite files on the system running the affected software.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-101-01
∗∗∗ NVIDIA Display Driver Advisory - March 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500558-NVIDIA-DISPLAY-DRIVER-A…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 07-04-2023 18:00 − Dienstag 11-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ YouTube warnt vor täuschend echter Betrugsmasche ∗∗∗
---------------------------------------------
Derzeit werden Phishing-E-Mails im Namen von YouTube versandt, die eine glaubwürdige Mailadresse verwenden.
---------------------------------------------
https://futurezone.at/digital-life/youtube-warnt-vor-taeuschend-echter-betr…
∗∗∗ Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories ∗∗∗
---------------------------------------------
Repo jacking is an attack on GitHub repositories, where attackers are able to hijack GitHub repositories by reregistering previously used usernames. In this blog post, we discuss how many AUR packages (use GitHub packages that) are vulnerable to repo jacking attacks.
---------------------------------------------
https://blog.nietaanraken.nl/posts/aur-packages-github-repo-jacking/
∗∗∗ Stepping Insyde System Management Mode ∗∗∗
---------------------------------------------
In October of 2022, Intel’s Alder Lake BIOS source code was leaked online. [..] I obtained a copy of the leaked code and began to hunt for vulnerabilities. [..] All these vulnerabilities share a common root cause (insufficient input validation) and a common impact (SMRAM corruption). Their details are summarized in the following table [..]
---------------------------------------------
https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-…
∗∗∗ Jetzt patchen! ALPHV-Ransomware schlüpft durch Veritas-Backup-Lücken ∗∗∗
---------------------------------------------
Angreifer nehmen derzeit drei Sicherheitslücken in Veritas Backup Exec ins Visier. Patches sind verfügbar.
---------------------------------------------
https://heise.de/-8875233
∗∗∗ MSI-Hack: Hardware-Hersteller warnt vor Fake-BIOS-Updates ∗∗∗
---------------------------------------------
Bei MSI ist es zu einem IT-Sicherheitsvorfall gekommen. Die Angreifer sollen Zugriff auf interne Daten gehabt haben.
---------------------------------------------
https://heise.de/-8875303
∗∗∗ Studie: Kriminelle schmuggeln Trojaner-Apps ab 2000 US-Dollar in Google Play ∗∗∗
---------------------------------------------
Für die Abzocke von Android-Nutzern bieten Kriminelle in Untergrundforen All-in-one-Trojaner-Pakete zum Verkauf an.
---------------------------------------------
https://heise.de/-8927162
∗∗∗ Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse ∗∗∗
---------------------------------------------
An exploitation path involving Azure shared key authorization could allow full access to accounts and business data and ultimately lead to remote code execution (RCE), cloud security company Orca warns.
---------------------------------------------
https://www.securityweek.com/microsoft-azure-users-warned-of-potential-shar…
∗∗∗ Webinar: Sicher unterwegs in Sozialen Netzwerken ∗∗∗
---------------------------------------------
Soziale Netzwerke sind längst unsere täglichen Begleiter geworden. Doch worauf muss ich eigentlich achten, wenn ich Plattformen wie Facebook oder Instagram sicher nutzen will? Das Webinar gibt Tipps zum verantwortungsvollen Umgang mit Sozialen Netzwerken. Nehmen Sie kostenlos teil: Dienstag 18. April 2023, 18:30 - 20:00 Uhr via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicher-unterwegs-in-sozialen…
∗∗∗ Amazon ruft an? Legen Sie auf! ∗∗∗
---------------------------------------------
Am Telefon stellen sich Kriminelle als Amazon-Mitarbeiter:innen vor und behaupten, dass Ihr Amazon-Konto gehackt wurde. Sie hätten verdächtige Bestellungen entdeckt. Die „Amazon-Mitarbeiter:innen“ bieten Ihnen an, die Bestellung zu stornieren und Ihr Konto zu schützen. Dabei handelt es sich aber um Betrug! Kriminelle versuchen Ihnen Geld, Ausweiskopien und Amazon-Zugangsdaten zu stehlen!
---------------------------------------------
https://www.watchlist-internet.at/news/amazon-ruft-an-legen-sie-auf/
∗∗∗ AlienFox: Toolkit zur Kompromittierung von E-Mail- und Webhosting-Diensten in der Cloud ∗∗∗
---------------------------------------------
[English]AlienFox ist ein Toolkit zur Kompromittierung von E-Mail- und Webhosting-Diensten. Dieses Toolkit ist hochgradig modular, liegt in mehreren Versionen vor und versucht Fehlkonfigurationen in der Cloud auszunutzen, um die Anmeldedaten für Dienste wie AWS, Microsoft 365, Google Workspace, 1und1 etc. abzugreifen.
---------------------------------------------
https://www.borncity.com/blog/2023/04/11/alienfox-toolkit-zur-kompromittier…
∗∗∗ WinVerifyTrust Signature Validation Vulnerability ∗∗∗
---------------------------------------------
Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, the information herein remains unchanged from the original text published on December 10, 2013.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112 ∗∗∗
---------------------------------------------
CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29534, CVE-2023-29535, CVE-2023-29536, CVE-2023-29537, CVE-2023-29538, CVE-2023-29539, CVE-2023-29540, CVE-2023-29541, CVE-2023-29542, CVE-2023-29543, CVE-2023-29544, CVE-2023-29545, CVE-2023-29546, CVE-2023-29547, CVE-2023-29548, CVE-2023-29549, CVE-2023-29550, CVE-2023-29551
Davon 11x "Severity: high".
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/
∗∗∗ Exploit-Code: Schadcode könnte aus JavaScript-Sandbox vm2 ausbrechen ∗∗∗
---------------------------------------------
Die populäre vm2-Sandbox hat eine kritische Sicherheitslücke und Exploit-Code ist bereits im Umlauf.
---------------------------------------------
https://heise.de/-8875269
∗∗∗ Patchday: SAP meldet 19 teils kritische Sicherheitslücken ∗∗∗
---------------------------------------------
Im April hat SAP 19 Schwachstellen in den eigenen Produkten mit Sicherheitsmeldungen bedacht. Davon stuft der Hersteller zwei als kritisch ein.
---------------------------------------------
https://heise.de/-8931365
∗∗∗ iOS 15, macOS 11 und 12: Apple schiebt Notfallfix nach ∗∗∗
---------------------------------------------
Nachdem iOS 16 und macOS 13 bereits voll gepatcht worden waren, legt Apple auch einen Fix für eine bereits ausgenutzte Lücke für ältere Betriebssysteme nach.
---------------------------------------------
https://heise.de/-8922448
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openimageio and udisks2), Fedora (chromium, curl, kernel, mediawiki, and seamonkey), Oracle (httpd:2.4), Red Hat (httpd and mod_http2 and tigervnc), SUSE (ghostscript and kernel), and Ubuntu (irssi).
---------------------------------------------
https://lwn.net/Articles/928667/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (keepalived and lldpd), Oracle (kernel), and SUSE (kernel, podman, seamonkey, and upx).
---------------------------------------------
https://lwn.net/Articles/928736/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Dozens of Vulnerabilities ∗∗∗
---------------------------------------------
Siemens and Schneider Electric’s Patch Tuesday advisories for April 2023 address a total of 38 vulnerabilities found in their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ PHOENIX CONTACT: Directory Traversal Vulnerability in ENERGY AXC PU Web service ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-004/
∗∗∗ Insyde BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500557
∗∗∗ Lenovo XClarity Controller (XCC) Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500556-LENOVO-XCLARITY-CONTROL…
∗∗∗ Lenovo Smart Clock Essential Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500555-LENOVO-SMART-CLOCK-ESSE…
∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM Cloud Pak for Applications, are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982187
∗∗∗ IBM i components are affected by CVE-2021-4104 (log4j version 1.x) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6539162
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Lucene ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982359
∗∗∗ IBM Watson Explorer affected by vulnerability in Apache Commons. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964808
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982539
∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888295
∗∗∗ Vulnerabilities in cURL affect QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888299
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982833
∗∗∗ Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982841
∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering product using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982847
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to Webpack (CVE-2023-28154) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982851
∗∗∗ IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to a vulnerability in XML processing in Apache Jena, in versions up to 4.1.0 (CVE-2021-39239) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981111
∗∗∗ IBM Operational Decision Manager March 2023 - CVE-2014-0114, CVE-2019-10086, CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982881
∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982895
∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982903
∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982905
∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982047
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 06-04-2023 18:00 − Freitag 07-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Security baseline for Microsoft Edge v112 ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the release of the security baseline for Microsoft Edge, version 112! We have reviewed the settings in Microsoft Edge version 112 and updated our guidance with the removal of three obsolete settings. A new Microsoft Edge security baseline package was just released to the Download Center.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Security headers you should add into your application to increase cyber risk protection, (Thu, Apr 6th) ∗∗∗
---------------------------------------------
Web applications are a wide world that is currently the object of numerous cyberattacks, mostly seeking to compromise the information directly in the clients that use them.
---------------------------------------------
https://isc.sans.edu/diary/rss/29720
∗∗∗ Detecting Suspicious API Usage with YARA Rules, (Fri, Apr 7th) ∗∗∗
---------------------------------------------
YARA is a beautiful tool for malware researchers and incident responders. No need to present it again. It became a standard tool to add to your arsenal. While teaching FOR610 (Malware Analysis & Reverse Engineering), a student asked me how to detect specific API calls with dangerous parameters during the triage phase. This phase will help you quickly assess the malware sample and help you decide how to perform the following steps.
---------------------------------------------
https://isc.sans.edu/diary/rss/29724
∗∗∗ Balada Injector: Synopsis of a Massive Ongoing WordPress Malware Campaign ∗∗∗
---------------------------------------------
Our team at Sucuri has been tracking a massive WordPress infection campaign since 2017 — but up until recently never bothered to give it a proper name. Typically, we refer to it as an ongoing long lasting massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities.
---------------------------------------------
https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoi…
∗∗∗ With ICMP magic, you can snoop on vulnerable HiSilicon, Qualcomm-powered Wi-Fi ∗∗∗
---------------------------------------------
WPA stands for will-provide-access, if you can successfully exploit a targets setup. A vulnerability identified in at least 55 Wi-Fi router models can be exploited by miscreants to spy on victims data as its sent over a wireless network.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/04/07/wifi_access_…
∗∗∗ Pwning Pixel 6 with a leftover patch ∗∗∗
---------------------------------------------
In this post, I’ll look at a security-related change in version r40p0 of the Arm Mali driver that was AWOL in the January update of the Pixel bulletin, where other patches from r40p0 was applied, and how these two lines of changes can be exploited to gain arbitrary kernel code execution and root from a malicious app. This highlights how treacherous it can be when backporting security changes.
---------------------------------------------
https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/
∗∗∗ Umfrage: Softwarebedingte Schwachstellen sind das größte Sicherheitsproblem ∗∗∗
---------------------------------------------
Hacker setzen vermehrt auf bekannte Sicherheitslücken. Ransomware ist der Umfrage zufolge nur die viertgrößte Bedrohung. Ein weiteres Problem: viele Unternehmen weisen Mitarbeiter an, meldepflichtige Vorfälle zu verschweigen.
---------------------------------------------
https://www.zdnet.de/88408311/umfrage-softwarebedingte-schwachstellen-sind-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Release notes for Microsoft Edge Security Updates (CVE-2023-28284, CVE-2023-24935, CVE-2023-28301) ∗∗∗
---------------------------------------------
April 6, 2023: Microsoft has released the latest Microsoft Edge Stable Channel (Version 112.0.1722.34) which incorporates the latest Security Updates of the Chromium project.
---------------------------------------------
https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-securi…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (ldb/samba, libapreq2, opencontainers-runc, peazip, python-cairosvg, stellarium, and zstd), Oracle (httpd and mod_http2, kernel, and nss), SUSE (conmon, go1.19, go1.20, libgit2, openssl-1_1, and openvswitch), and Ubuntu (emacs24).
---------------------------------------------
https://lwn.net/Articles/928559/
∗∗∗ F5: K000133432 : Intel CPU vulnerability CVE-2022-21216 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133432
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/07/cisa-adds-five-known-exp…
∗∗∗ IBM Informix Dynamic Server is affected when a specific function in the Spatial Datablade is called with an out-of-range parameter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6343587
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in GnuPG Libksba [CVE-2022-3515] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981855
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary code execution in libexpat [CVE-2022-40674] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981859
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in SQlite [CVE-2020-35527] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981851
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary commands execution in Python (CVE-2015-20107) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981849
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in GNU Libtasn1 [CVE-2021-46848] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981853
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-23521] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981857
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-41903] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981861
∗∗∗ Privilege Escalation vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981911
∗∗∗ Improper Error Handling ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981917
∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982047
∗∗∗ Vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/286971
∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982141
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 05-04-2023 18:00 − Donnerstag 06-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Telegram now the go-to place for selling phishing tools and services ∗∗∗
---------------------------------------------
Telegram has become the working ground for the creators of phishing bots and kits looking to market their products to a larger audience or to recruit unpaid helpers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telegram-now-the-go-to-place…
∗∗∗ CAN do attitude: How thieves steal cars using network bus ∗∗∗
---------------------------------------------
It starts with a headlamp and fake smart speaker, and ends in an injection attack and a vanished motor. Automotive security experts say they have uncovered a method of car theft relying on direct access to the vehicles system bus via a smart headlamps wiring.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/04/06/can_injectio…
∗∗∗ Technical analysis of the Genesis Market ∗∗∗
---------------------------------------------
[...] In case you are unfamiliar with this market, it was used to sell stolen login credentials, browser cookies and online fingerprints (in order to prevent ‘risky sign-in’ detections), by some referred to as IMPaas, or Impersonation-as-a-Service. [...] its activities have resulted in approximately two million victims. If you want to know more about this operation, you can read our other blog post. You can also check if your data has been compromised [...]
---------------------------------------------
https://sector7.computest.nl/post/2023-04-technical-analysis-genesis-market/
∗∗∗ CyberGhostVPN - the story of finding MITM, RCE, LPE in the Linux client ∗∗∗
---------------------------------------------
This article discloses the vulnerabilities that were present in the CyberGhostVPN Linux 1.3.5 client (and versions below). The latest version of the CyberGhostVPN Linux client is now free from these vulnerabilities.
---------------------------------------------
https://mmmds.pl/cyberghostvpn-mitm-rce-lpe/
∗∗∗ Cisco: Teils hochriskante Lücken in mehreren Produkten abgedichtet ∗∗∗
---------------------------------------------
Cisco-Administratoren bekommen über die Ostertage Arbeit: Der Hersteller hat in diversen Produkten Sicherheitslücken entdeckt. Updates sollen sie schließen.
---------------------------------------------
https://heise.de/-8644498
∗∗∗ Nexx Garagentorsteuerung: Schwachstelle erlaubt Zugriff für Hacker ∗∗∗
---------------------------------------------
Wer eine Home-Automatisierung von Nexx besitzt und diese per Fernsteuerung seiner Garagentore benutzt, hat nun ein fettes Problem. Eine Schwachstelle in der Nexx-Fernsteuerung ermöglicht Hackern den nicht autorisierten Zugriff auf die Garagentore.
---------------------------------------------
https://www.borncity.com/blog/2023/04/06/nexx-garagentorsteuerung-schwachst…
∗∗∗ Beware of new YouTube phishing scam using authentic email address ∗∗∗
---------------------------------------------
Watch out for a new YouTube phishing scam and ignore any email from YouTube that claims to provide details about "Changes in YouTube rules and policies | Check the Description.
---------------------------------------------
https://www.hackread.com/youtube-phishing-scam-authentic-email-address/
=====================
= Vulnerabilities =
=====================
*** Cisco Security Advisories 2023-04-05 ***
---------------------------------------------
Cisco has released 13 security advisories: (3x High, 9x Medium, 1x Informational)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Trellix-Agent ermöglicht Rechteausweitung am System ∗∗∗
---------------------------------------------
Der Agent von Trellix – dem Zusammenschluss von McAfee und FireEye – ermöglicht Angreifern, ihre Rechte im System auszuweiten. Ein Update schließt die Lücke.
---------------------------------------------
https://heise.de/-8645652
∗∗∗ Datenleck: Mastodon-Lücke erlaubt Informationsabfluss ∗∗∗
---------------------------------------------
Aktualisierte Mastodon-Pakete dichten ein Datenleck in der LDAP-Authentifizierung ab. Administratorinnen und Administratoren sollten die Updates zügig anwenden.
---------------------------------------------
https://heise.de/-8645580
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cairosvg, ghostscript, grunt, tomcat9, and trafficserver), Fedora (golang, podman, xen, and zchunk), Red Hat (kpatch-patch), SUSE (systemd), and Ubuntu (apache-log4j1.2, liblouis, linux-aws, and linux-bluefield).
---------------------------------------------
https://lwn.net/Articles/928476/
∗∗∗ Celery as used by IBM QRadar Advisor With Watson App is vulnerable to arbitrary command execution (CVE-2021-23727) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981595
∗∗∗ Node.js passport is vulnerable to CVE-2022-25896 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966086
∗∗∗ IBM TRIRIGA Application Platform discloses XML external entities injection (CVE-2023-27876) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981115
∗∗∗ IBM TRIRIGA Application Platform discloses Stored Cross Site Scripting (CVE-2022-43914) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981597
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ decode-uri-component is vulnerable to CVE-2022-38900 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981607
∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953825
∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847947
∗∗∗ Vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981763
∗∗∗ IBM Security Verify Governance is vulnerable to cross-site scripting, caused by improper validation of user-supplied input related to the HtmlResponseWriter (CVE-2013-5855) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981781
∗∗∗ IBM Watson Explorer affected by vulnerability in OpenSSL. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963622
∗∗∗ IBM Watson Explorer affected by vulnerability in Apache Commons. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964808
∗∗∗ Korenix Jetwave ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-04
∗∗∗ mySCADA myPRO ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06
∗∗∗ JTEKT ELECTRONICS Kostac PLC Programming Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-03
∗∗∗ Hitachi Energy MicroSCADA System Data Manager SDM600 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-05
∗∗∗ JTEKT ELECTRONICS Screen Creator Advance 2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-02
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 04-04-2023 18:00 − Mittwoch 05-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Open garage doors anywhere in the world by exploiting this “smart” device ∗∗∗
---------------------------------------------
A universal password. Unencrypted user data and commands. What could go wrong?
A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed.
Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.
Immediately unplug all Nexx devices
---------------------------------------------
https://arstechnica.com/?p=1929120
∗∗∗ Exploration of DShield Cowrie Data with jq, (Wed, Apr 5th) ∗∗∗
---------------------------------------------
There have been other diaries [1][2] showing how to explore JSON data with jq [3]. We'll review some options to understand unfamiliar JSON data and ways to filter that information. Using tools like Security Information and Event Management (SIEM) systems can help aggregate data and make it more easily searched and visualized. There are still times where being able to quickly search JSON data can be useful, especially if a SIEM option is not immediately available.
---------------------------------------------
https://isc.sans.edu/diary/rss/29714
∗∗∗ ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs ∗∗∗
---------------------------------------------
An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution. An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network. Unlike other ALPHV affiliates, UNC4466 doesn’t rely on stolen credentials for initial access to victim environments. Mandiant [...]
---------------------------------------------
https://securityaffairs.com/144438/cyber-crime/alphv-blackcat-ransomware-ve…
∗∗∗ Deobfuscating the Recent Emotet Epoch 4 Macro ∗∗∗
---------------------------------------------
This analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscati…
∗∗∗ Cyber-Betrüger: Zahlungsaufforderung für Lösegeld – jedoch ohne Ransomware ∗∗∗
---------------------------------------------
Auf die aktuell häufigen Cyber-Attacken stürzen sich weitere Betrüger. Sie verschicken Mails mit Zahlungsaufforderungen, ohne Ransomware eingeschleust zu haben.
---------------------------------------------
https://heise.de/-8587724
∗∗∗ Pre-ransomware notifications are paying off right from the bat ∗∗∗
---------------------------------------------
CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023.
Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/04/pre-ransomware-notifications…
∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗
---------------------------------------------
NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.
---------------------------------------------
https://research.nccgroup.com/2023/04/05/detecting-karakurt-an-extortion-fo…
∗∗∗ Markenfälschungen im Online-Handel – So schützen Sie sich! ∗∗∗
---------------------------------------------
Wer im Internet nach Markenkleidung, Uhren, Accessoires oder aber Medikamenten sucht, stößt häufig auf unseriöse Angebote. In einigen Fällen führt eine Bestellung günstiger Markenprodukte zum Erhalt eines gefälschten Produkts, manchmal erhält man gar nichts und insbesondere bei Medikamenten kann das Produkt sogar gefährlich sein. Worauf man in Online-Shops und auf Plattformen wie Amazon achten kann, um sich zu schützen [...]
---------------------------------------------
https://www.watchlist-internet.at/news/markenfaelschungen-im-online-handel-…
∗∗∗ How we’re protecting users from government-backed attacks from North Korea ∗∗∗
---------------------------------------------
Googles Threat Analysis Group shares information on ARCHIPELAGO as well as the work to stop government-backed attackers.
---------------------------------------------
https://blog.google/threat-analysis-group/how-were-protecting-users-from-go…
∗∗∗ MS OneNote soll künftig 120 gefährliche Filetypen blockieren ∗∗∗
---------------------------------------------
Microsoft reagiert wohl auf den Umstand, dass OneNote inzwischen als Malware-Schleuder für Systeme missbraucht wird. Die Anwendung soll zukünftig 120 gefährliche Filetypen blockieren, so dass diese durch Downloads aus dem Internet nicht mehr für Malware-Angriffe missbraucht werden können.
---------------------------------------------
https://www.borncity.com/blog/2023/04/05/ms-onenote-soll-knftig-120-gefhrli…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities in Autodesk® InfoWorks® software ∗∗∗
---------------------------------------------
Autodesk® InfoWorks® WS Pro and InfoWorks® ICM have been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Patch releases are available in Autodesk Access or the Accounts Portal or the Innovyze Web Portal to help resolve these vulnerabilities. The patch versions are listed below.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0001
∗∗∗ Chrome 112: 16 Sicherheitslücken gestopft ∗∗∗
---------------------------------------------
Google hat den Webbrowser Chrome in Version 112 freigegeben. Die Entwickler dichten 16 Schwachstellen ab. Chromium-basierte Browser dürften bald nachziehen.
---------------------------------------------
https://heise.de/-8572482
∗∗∗ Technical Advisory – play-pac4j Authentication rule bypass ∗∗∗
---------------------------------------------
Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the full URI provided in a user’s HTTP request. If a requested URI matches one of these expressions, the associated authentication rule will be applied. These rules are only intended to validate the path and query string section of a URL.
---------------------------------------------
https://research.nccgroup.com/2023/04/05/technical-advisory-play-pac4j-auth…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript and openimageio), Fedora (kernel, rubygem-actioncable, rubygem-actionmailbox, rubygem-actionmailer, rubygem-actionpack, rubygem-actiontext, rubygem-actionview, rubygem-activejob, rubygem-activemodel, rubygem-activerecord, rubygem-activestorage, rubygem-activesupport, rubygem-rails, and rubygem-railties), Oracle (gnutls, httpd, kernel, nodejs:16, nodejs:18, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Red Hat (gnutls, httpd, httpd:2.4, kernel, kpatch-patch, pcs, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Scientific Linux (httpd and tigervnc, xorg-x11-server), SUSE (aws-efs-utils.11048, libheif, liblouis, openssl, python-cryptography, python-Werkzeug, skopeo, tomcat, and wireshark), and Ubuntu (imagemagick, ipmitool, and node-trim-newlines).
---------------------------------------------
https://lwn.net/Articles/928408/
∗∗∗ Kritische Schwachstelle CVE-2023-1707 in HP-Drucker-Firmware, kein Patch verfügbar ∗∗∗
---------------------------------------------
Die Firmware von verschiedenen Laser-Drucker ist gegenüber der Schwachstelle CVE-2023-1707 anfällig. Bestimmte HP Enterprise LaserJet und HP LaserJet sind in verwalteten Umgebungen potenziell anfällig für die Offenlegung von Informationen, wenn IPsec mit FutureSmart Version 5.6 aktiviert ist.
---------------------------------------------
https://www.borncity.com/blog/2023/04/05/kritische-schwachstelle-cve-2023-1…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 03-04-2023 18:00 − Dienstag 04-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WinRAR SFX archives can run PowerShell without being detected ∗∗∗
---------------------------------------------
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-…
∗∗∗ Analyzing the efile.com Malware "efail", (Tue, Apr 4th) ∗∗∗
---------------------------------------------
Yesterday, I wrote about efile.com serving malicious ake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29712
∗∗∗ Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies ∗∗∗
---------------------------------------------
Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-ne…
∗∗∗ Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions ∗∗∗
---------------------------------------------
Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files That's going to change going forward.
---------------------------------------------
https://thehackernews.com/2023/04/microsoft-tightens-onenote-security-by.ht…
∗∗∗ A fresh look at user enumeration in Microsoft Teams ∗∗∗
---------------------------------------------
The technique to enumerate user details and presence information via Microsoft Teams is not new and was described in a blog post by immunit.ch and their tool "TeamsUserEnum". This blog post adds more information related to user enumeration via Teams and covers different endpoints used by different account types.
---------------------------------------------
https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-micro…
∗∗∗ Internationaler Monat zur Betrugsbekämpfung: Vorsicht vor Dark Patterns ∗∗∗
---------------------------------------------
Im März 2023 jährt sich der internationale Monat zur Betrugsbekämpfung („ICPEN Fraud Prevention Month"). Das diesjährige Schwerpunktthema sind Dark Patterns. Dark Patterns sind irreführende Designelemente und Webseiten-Gestaltungen, mit denen versucht wird, User:innen zu Entscheidungen zu verleiten, die nicht in ihrem besten Interesse liegen. Was Dark Patterns genau sind, wie Sie diese erkennen und sich am besten schützen, erfahren Sie hier!
---------------------------------------------
https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-…
∗∗∗ Lebenslauf-Editor auf zety.de führt in Abo-Falle ∗∗∗
---------------------------------------------
Auf zety.de können Sie angeblich professionelle Lebensläufe und Bewerbungen erstellen. Per Klick wählen Sie eine gewünschte Vorlage und befüllen sie mit Ihren Daten – scheinbar kostenlos. Erst wenn Sie Ihr Dokument herunterladen möchten, erfahren Sie, dass der Dienst doch nicht gratis ist. Wenn Sie überweisen, schließen Sie ein Abo ab!
---------------------------------------------
https://www.watchlist-internet.at/news/lebenslauf-editor-auf-zetyde-fuehrt-…
∗∗∗ Weitere Informationen zu Angriffen gegen 3CX Desktop App ∗∗∗
---------------------------------------------
Seit der Veröffentlichung unserer letzten Meldung zu den Angriffen gegen die bzw. durch Missbrauch der 3CX Desktop App sind inzwischen weitere Details und neue Informationen bekannt geworden. Die wichtigsten Details in dieser Hinsicht sind: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/4/weitere-informationen-zu-angriffen-gege…
∗∗∗ Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities ∗∗∗
---------------------------------------------
The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities.
Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.
---------------------------------------------
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-…
∗∗∗ Rorschach – A New Sophisticated and Fast Ransomware ∗∗∗
---------------------------------------------
Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups.
The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO).
---------------------------------------------
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID ∗∗∗
---------------------------------------------
The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predicatble DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.[..] The uClibc library has not been updated since May of 2012.
---------------------------------------------
https://kb.cert.org/vuls/id/473698
∗∗∗ Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server (CVE-2022-43769, CVE-2022-43939, CVE-2022-43773, CVE-2022-43938) ∗∗∗
---------------------------------------------
A few months ago I was working on an engagement where Pentaho was used to collect data and generate reports. [..] I found a total of eight vulnerabilties, three of which enable command execution on the residing host. [..] 31 March 2023: Vendor released patches, but no public CVE disclosure.
---------------------------------------------
https://research.aurainfosec.io/pentest/pentah0wnage/
∗∗∗ Nexx Smart Home Device ∗∗∗
---------------------------------------------
AFFECTED PRODUCTS
- Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
- Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
- Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01
∗∗∗ Patchday: Android-Lücken mit kritischem Risiko gestopft ∗∗∗
---------------------------------------------
Zum April-Patchday hat Google Sicherheitslücken im Android-Betriebssystem geschlossen, die die Entwickler teils als kritisch einstufen.
---------------------------------------------
https://heise.de/-8522365
∗∗∗ Sophos: Kritische Sicherheitslücke in Web-Appliance ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
Sophos hat in der Web Appliance (SWA) Sicherheitslücken geschlossen, die Angreifern etwa das Ausführen beliebigen Codes ermöglichen.
---------------------------------------------
https://heise.de/-8525279
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (openbgpd and seamonkey), Red Hat (httpd:2.4, kernel, kernel-rt, and pesign), SUSE (compat-openssl098, dpdk, drbd, ImageMagick, nextcloud, openssl, openssl-1_1, openssl-3, openssl1, oracleasm, pgadmin4, terraform-provider-helm, and yaml-cpp), and Ubuntu (haproxy, ldb, samba, and vim).
---------------------------------------------
https://lwn.net/Articles/928294/
∗∗∗ Netty Vulnerabilites 4.0.37 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980407
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980411
∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980457
∗∗∗ Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962855
∗∗∗ IBM Aspera Faspex 5.0.5 has addressed CVE-2022-4304 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980501
∗∗∗ IBM Security Verify Access Appliance includes components with known vulnerabilities (CVE-2022-29154, CVE-2022-0391) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980521
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980519
∗∗∗ Vulnerability in py library affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2022-42969] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980723
∗∗∗ Vulnerability in cryptography affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2023-0286] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980351
∗∗∗ A security vulnerability has been identified in WebSphere\u00ae Application Server shipped with IBM\u00ae Intelligent Operations Center (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980725
∗∗∗ IBM Event Streams is affected by vulnerabilities in the jsonwebtoken package (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980727
∗∗∗ IBM Event Streams is affected by vulnerabilities in Node.js (CVE-2022-25927 and CVE-2022-25881) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980735
∗∗∗ IBM Event Streams is affected by a vulnerability in Apache Kafka (CVE-2023-25194) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980743
∗∗∗ IBM Event Streams is vulnerable to a denial of service due to Redis (CVE-2023-25155) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980747
∗∗∗ Multiple vulnerabilities have been identified in IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980737
∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956289
∗∗∗ CVE-2022-41721 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980755
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963075
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963650
∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963077
∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960211
∗∗∗ There are several vulnerabilities in Bootstrap used by IBM Maximo Asset Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980757
∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828569
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 31-03-2023 18:00 − Montag 03-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New Money Message ransomware demands million dollar ransoms ∗∗∗
---------------------------------------------
A new ransomware gang named Money Message has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-money-message-ransomware…
∗∗∗ Hacken ist für alle: Die Austria Cyber Security Challenge startet ∗∗∗
---------------------------------------------
Der Hackerwettbewerb will heuer verstärkt Frauen für die IT-Security begeistern.
---------------------------------------------
https://futurezone.at/digital-life/austria-cyber-security-challenge-acsc-be…
∗∗∗ With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets ∗∗∗
---------------------------------------------
The group remains highly active within a wide range of geographies and industry verticals, targeting aviation, automotive, education, government, media, information technology, and religious organizations. [..] Insikt Group has identified a wider cluster of KEYPLUG samples and infrastructure used by RedGolf from at least 2021 to 2023. (Anm.: das Paper enthält etliche beobachtenswerte IOCs).
---------------------------------------------
https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf
∗∗∗ Angriffe auf hochriskante Sicherheitslücke in Wordpress-Plug-in Elementor Pro ∗∗∗
---------------------------------------------
Angreifer missbrauchen eine Sicherheitslücke im Wordpress-Plug-in Elementor Pro zum Einbrechen in Webseiten. Admins sollten die Updates umgehend installieren.
---------------------------------------------
https://heise.de/-8384344
∗∗∗ IT-Forscher: Mehr als 15 Millionen verwundbare Systeme offen im Netz ∗∗∗
---------------------------------------------
IT-Forscher haben den Known-Exploited-Vulnerabilities-Catalog der CISA mit der Datenbank Sh0dan abgeglichen und Millionen verwundbarer Systeme gefunden.
---------------------------------------------
https://heise.de/-8511852
∗∗∗ Jetzt updaten: Kritische Schwachstelle in Nextcloud ∗∗∗
---------------------------------------------
Eine als kritisch eingestufte Sicherheitslücke in der Kollaborationssoftware Nextcloud könnte Angreifern das Ausführen von Schadcode ermöglichen.
---------------------------------------------
https://heise.de/-8515005
∗∗∗ Microsoft OneNote Starts Blocking Dangerous File Extensions ∗∗∗
---------------------------------------------
Microsoft is boosting the security of OneNote users by blocking embedded files with extensions that are considered dangerous.
---------------------------------------------
https://www.securityweek.com/microsoft-onenote-starts-blocking-dangerous-fi…
∗∗∗ Money Mule: Geldwäsche-Jobs über WhatsApp ∗∗∗
---------------------------------------------
Nehmen Sie sich vor betrügerischen Job-Angeboten auf WhatsApp in Acht. Kriminelle kontaktieren teils wahllos, teils gezielt Menschen auf Job-Suche über die bekannte Chat-Plattform. Ein Tageslohn von 50 bis 300 Euro täglich bei Arbeit aus dem Home-Office mag verlockend klingen. Doch Vorsicht: Sie werden hier zum Money Mule, helfen Kriminellen bei der Geldwäsche und machen sich womöglich selbst strafbar!
---------------------------------------------
https://www.watchlist-internet.at/news/money-mule-geldwaesche-jobs-ueber-wh…
∗∗∗ Malicious ISO File Leads to Domain Wide Ransomware ∗∗∗
---------------------------------------------
IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022.
---------------------------------------------
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wid…
∗∗∗ Bi(n)gBang: Microsoft Azure-Schwachstelle ermöglicht Bing Search Hijacking und Office 365-Datenklau ∗∗∗
---------------------------------------------
Unschöne Geschichte, auf die alle gewartet haben, und die die Gefahren der Cloud aufzeigt. Microsoftsd Azure-Cloud-Dienste ermöglichten eine Fehlkonfigurierung, die dann eine Sicherheitslücke schuf. In der Folge konnten Angreifer potentiell Schadcode in die Suchergebnisseiten von Bing einschleusen, um diese zu [...]
---------------------------------------------
https://www.borncity.com/blog/2023/03/30/bigbang-microsoft-azure-schwachste…
∗∗∗ Design-Schwäche im WiFi-Protokoll ermöglicht Angreifern das Abfangen des Netzwerkverkehrs ∗∗∗
---------------------------------------------
Noch ein kleiner Nachtrag von Ende März 2023. Sicherheitsforscher sind auf eine gravierende Design-Schwäche im IEEE 802.11 WiFi-Protokollstandards gestoßen. Diese Schwäche könnte es Angreifern ermöglichen, WLAN-Zugangspunkte abzuhören und Netzwerk-Frames im Klartext zu übermitteln.
---------------------------------------------
https://www.borncity.com/blog/2023/04/02/design-schwche-im-wifi-protokoll-e…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in Aten PE8108 power distribution unit (CVE-2023-25413, CVE-2023-25415, CVE-2023-25407, CVE-2023-25409, CVE-2023-25414, CVE-2023-25411) ∗∗∗
---------------------------------------------
Pentagrid identified several vulnerabilities in the PE8108 rack power distribution unit (PDU) manufactured by Aten. [..] At the time of publication, the most recent firmware is version v2.4.232 from 2022-11-22 and there is no new firmware available via Atens website.
---------------------------------------------
https://www.pentagrid.ch/en/blog/multiple-vulnerabilities-in-aten-PE8108-po…
∗∗∗ Nvidia schließt Sicherheitslücken in Treibern und Verwaltungssoftware ∗∗∗
---------------------------------------------
Nvidia hat zum Monatswechsel aktualisierte Treiber und Verwaltungssoftware veröffentlicht. Damit schließt der Hersteller teils hochriskante Sicherheitslecks.
---------------------------------------------
https://heise.de/-8511759
∗∗∗ Geräteverwaltung HCL Bigfix dichtet DoS-Lücke ab ∗∗∗
---------------------------------------------
Die Geräteverwaltungssoftware HCL Bigfix enthält eine Schwachstelle, die Angreifern das Lahmlegen der Software auf Endpoints ermöglicht.
---------------------------------------------
https://heise.de/-8514805
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (duktape, firmware-nonfree, intel-microcode, svgpp, and systemd), Fedora (amanda, dino, flatpak, golang, libldb, netconsd, samba, tigervnc, and vim), Red Hat (nodejs:14), Slackware (ruby and seamonkey), SUSE (drbd, flatpak, glibc, grub2, ImageMagick, kernel, runc, thunderbird, and xwayland), and Ubuntu (amanda).
---------------------------------------------
https://lwn.net/Articles/928204/
∗∗∗ Multiple Vulnerabilities in the Autodesk® FBX® SDK software ∗∗∗
---------------------------------------------
Applications and services utilizing the Autodesk® FBX® SDK software have been affected by an Out-Of-Bounds Write and Stack Buffer Overflow vulnerabilities. Exploitation of these vulnerabilities may lead to information disclosure, code execution and/or denial-of-service.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0004
∗∗∗ Vulnerabilities for Autodesk® Maya® USD plugin ∗∗∗
---------------------------------------------
USD (Universal Scene Description) plugin for Autodesk® Maya® has been affected by a file uninitialized variable, out-of-bounds read, and out-of-bounds write vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0003
∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-buffer-overflow-…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ HAProxy vulnerable to HTTP request/response smuggling ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN38170084/
∗∗∗ Multiple vulnerabilities in Seiko Solutions SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210 ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN40604023/
∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ZDI-23-348: Bentley View SKP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-348/
∗∗∗ ZDI-23-347: Bentley View SKP File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-347/
∗∗∗ ZDI-23-346: Bentley View SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-346/
∗∗∗ ZDI-23-345: Bentley View FBX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-345/
∗∗∗ ZDI-23-344: Bentley View FBX File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-344/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 30-03-2023 18:00 − Freitag 31-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ 10-year-old Windows bug with opt-in fix exploited in 3CX attack ∗∗∗
---------------------------------------------
A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still "opt-in" after all these years. Even worse, the fix is removed after upgrading to Windows 11.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-wit…
∗∗∗ Realtek and Cacti flaws now actively exploited by malware botnets ∗∗∗
---------------------------------------------
Multiple malware botnets actively target Cacti and Realtek vulnerabilities in campaigns detected between January and March 2023, spreading ShellBot and Moobot malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/realtek-and-cacti-flaws-now-…
∗∗∗ Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs ∗∗∗
---------------------------------------------
Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-eleme…
∗∗∗ Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains, (Fri, Mar 31st) ∗∗∗
---------------------------------------------
In my last Diary[1], I shortly mentioned the need for correctly set Content Security Policy and/or the obsolete[2] X-Frame-Options HTTP security headers (not just) in order to prevent phishing pages, which overlay a fake login prompt over a legitimate website, from functioning correctly. Or, to be more specific, to prevent them from dynamically loading a legitimate page in an iframe under the fake login prompt, since this makes such phishing websites look much less like a legitimate login page and thus much less effective.
---------------------------------------------
https://isc.sans.edu/diary/rss/29698
∗∗∗ WordPress Vulnerability & Patch Roundup March 2023 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/03/wordpress-vulnerability-patch-roundup-march…
∗∗∗ Booby Trapping IBM i ∗∗∗
---------------------------------------------
In our first post about IBM i we noted that the operating system includes a database engine, Db2. This level of integration means that practically all objects of the system are accessible via SQL, a powerful tool to discover and analyze system configuration, and also to identify potential vulnerabilities. However, the “database view” of the operating system not only allows us to read data, but lets us insert additional data that can affect the behavior of the system too.
---------------------------------------------
https://blog.silentsignal.eu/2023/03/30/booby-trapping-ibm-i/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (joblib, json-smart, libmicrohttpd, and xrdp), Fedora (thunderbird and xorg-x11-server-Xwayland), Mageia (dino, perl-Cpanel-JSON-XS, perl-Net-Server, snort, tigervnc/x11-server, and xapian), SUSE (curl, kernel, openssl-1_0_0, and shim), and Ubuntu (glusterfs, linux-gcp-4.15, musl, and xcftools).
---------------------------------------------
https://lwn.net/Articles/928013/
∗∗∗ Samba Releases Security Updates for Multiple Versions of Samba ∗∗∗
---------------------------------------------
The Samba Team has released security updates addressing vulnerabilities in multiple versions of Samba. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following announcements and apply the necessary updates: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/03/31/samba-releases-security-…
∗∗∗ Vulnerability Spotlight: Specially crafted files could lead to denial of service, information disclosure in OpenImageIO parser ∗∗∗
---------------------------------------------
OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-specially-crafte…
∗∗∗ Xcode 14.3 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT213679
∗∗∗ [webapps] WooCommerce v7.1.0 - Remote Code Execution(RCE) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/51156
∗∗∗ IBM Security Bulletins 2023-03-31 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 29-03-2023 18:00 − Donnerstag 30-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cyberkriminelle versenden Schadsoftware im Namen von DocuSign ∗∗∗
---------------------------------------------
Elektronische Signaturdienste wie DocuSign sind spätestens seit der Covid19-Pandemie beliebt, um Verträge oder andere Dokumente zeitsparend und unkompliziert zu unterzeichnen. Ein Trend, der auch von Betrüger:innen aufgegriffen wird: So geben sich Cyberkriminelle per E-Mail als DocuSign aus, um Schadsoftware zu verbreiten.
---------------------------------------------
https://www.watchlist-internet.at/news/cyberkriminelle-versenden-schadsoftw…
∗∗∗ Internationaler Monat zur Betrugsbekämpfung: Vorsicht vor Dark Patterns ∗∗∗
---------------------------------------------
Im März 2023 jährt sich der internationale Monat zur Betrugsbekämpfung („ICPEN Fraud Prevention Month"). Das diesjährige Schwerpunktthema ist Dark Patterns. Dark Patterns sind irreführende Designelemente und Webseiten-Gestaltungen, die versuchen User:innen zu verleiten Entscheidungen zu treffen, die nicht in Ihrem besten Interesse liegen. Was Dark Patterns sind, wie Sie diese erkennen und sich am besten schützen, erfahren Sie hier!
---------------------------------------------
https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-…
∗∗∗ EDR Product Analysis of an Infostealer ∗∗∗
---------------------------------------------
As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer
---------------------------------------------
https://asec.ahnlab.com/en/50685/
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP warns customers to patch Linux Sudo flaw in NAS devices ∗∗∗
---------------------------------------------
Taiwanese hardware vendor QNAP warns customers to secure their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-customers-to-patc…
∗∗∗ Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012 ∗∗∗
---------------------------------------------
Security risk: Moderately critical
Description: This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation.The module does not sufficiently sanitize some data presented in its reports.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-012
∗∗∗ CVE-2022-37734: graphql-java Denial-of-Service ∗∗∗
---------------------------------------------
graphql-java is the most popular GraphQL server written in Java. It was found to be vulnerable to DoS attacks through the directive overload. [..] The vulnerability was fixed in two stages. The first fix introduced a security control, whereas the second one targeted the root cause. The first fix is presented in the versions of graphql-java 19.0 and later, 18.3, and 17.4. The second fix has been applied in the version 20.1 [..]
---------------------------------------------
https://checkmarx.com/blog/cve-2022-37734-graphql-java-denial-of-service/
∗∗∗ Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability (CVE-2023-25076) ∗∗∗
---------------------------------------------
Talos discovered a remote code execution vulnerability that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code. Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available [..]
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-sniproxy-contain…
∗∗∗ X.org vulnerability and releases (CVE-2023-1393) ∗∗∗
---------------------------------------------
The X.Org project has announced a vulnerability in its X server and Xwayland. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. [..] That has led to the release of xorg-server 21.1.8, xwayland 22.1.9, and xwayland 23.1.1.
---------------------------------------------
https://lwn.net/Articles/927887/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server and xrdp), Fedora (mingw-python-certifi, mingw-python3, mingw-zstd, moodle, python-cairosvg, python-markdown-it-py, redis, xorg-x11-server, and yarnpkg), Slackware (mozilla and xorg), SUSE (grub2, ldb, samba, libmicrohttpd, python-Werkzeug, rubygem-rack, samba, sudo, testng, tomcat, webkit2gtk3, xorg-x11-server, xstream, and zstd), and Ubuntu (linux, linux-aws, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-aws-5.4, linux-azure-5.4, linux-gcp- linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, php-nette, and xorg-server, xorg-server-hwe-18.04, xwayland).
---------------------------------------------
https://lwn.net/Articles/927855/
∗∗∗ Synology-SA-23:02 Sudo ∗∗∗
---------------------------------------------
A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_02
∗∗∗ Popular PABX platform, 3CX Desktop App suffers supply chain attack ∗∗∗
---------------------------------------------
CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).
---------------------------------------------
https://www.hackread.com/3cx-desktop-app-supply-chain-attack/
∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Hitachi Energy IEC 61850 MMS-Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01
∗∗∗ Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966998
∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959353
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959355
∗∗∗ IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967016
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967012
∗∗∗ CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967018
∗∗∗ CVE-2022-41723 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967026
∗∗∗ CVE-2022-41723 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967022
∗∗∗ Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967213
∗∗∗ CVE-2022-21426 may affect IBM SDK, Java Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967221
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967243
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty (CVE-2016-0378 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967241
∗∗∗ IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967283
∗∗∗ Vulnerabilities in PostgreSQL may affect IBM Spectrum Protect Plus (CVE-2022-2625, CVE-2022-1552, CVE-2021-3677) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967285
∗∗∗ A vulnerability in GNU Tar affects IBM MQ Operator and Queue manager container images (CVE-2022-48303) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966198
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 28-03-2023 18:00 − Mittwoch 29-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ WiFi protocol flaw allows attackers to hijack network traffic ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-at…
∗∗∗ H26Forge: Mehrheit der Video-Decoder wohl systematisch angreifbar ∗∗∗
---------------------------------------------
Immer wieder sorgen Bugs in Video-Decodern für Sicherheitslücken bis hin zu Zero Days. Wissenschaftler zeigen nun eine riesige Angriffsfläche.
---------------------------------------------
https://www.golem.de/news/h26forge-mehrheit-der-video-decoder-wohl-systemat…
∗∗∗ Network Data Collector Placement Makes a Difference, (Tue, Mar 28th) ∗∗∗
---------------------------------------------
A previous diary [1] described processing some local PCAP data with Zeek. This data was collected using tcpdump on a DShield Honeypot. When looking at the Zeek connection logs, the connection state information was unexpected. To help understand why, we will compare data from different locations on the network and process the data in a similar way. This will help narrow down where the discrepancies might be coming from, or at least where they are not coming from.
---------------------------------------------
https://isc.sans.edu/diary/rss/29664
∗∗∗ MacStealer: Mac-Malware will Passwörter und Krypto-Wallets klauen ∗∗∗
---------------------------------------------
Eine im Dark Web günstig angebotene Malware soll sensible Daten von Macs extrahieren und über den Messenger Telegram an Angreifer übermitteln.
---------------------------------------------
https://heise.de/-8153293
∗∗∗ Remote PowerShell: Einfallstor bei Exchange Online jetzt mit Gnadenfrist ∗∗∗
---------------------------------------------
Ein halbes Jahr länger bleibt Administratoren, bis sie sich von ihren unsicheren PowerShell-cmdlets für Exchange Online verabschieden müssen.
---------------------------------------------
https://heise.de/-8186790
∗∗∗ Kriminelle erfinden Behörden wie „finanzaufsichtsbehoerde.com“ für Authority-Scams ∗∗∗
---------------------------------------------
Um ihren Opfern das Geld aus der Tasche zu ziehen, greifen Kriminelle häufig zu kreativen Methoden. Aktuell erfinden sie Behörden wie zum Beispiel auf „finanzaufsichtsbehoerde.com“ und „betrugsdezernat.com“ oder imitieren echte Behörden und Institutionen. Egal, was man Ihnen hier verspricht, übermitteln Sie keine Daten und bezahlen Sie kein Geld an derartige Plattformen!
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-erfinden-behoerden-wie-fi…
∗∗∗ Spyware vendors use 0-days and n-days against popular platforms ∗∗∗
---------------------------------------------
[...] In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.
---------------------------------------------
https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-…
∗∗∗ Active Exploitation of IBM Aspera Faspex CVE-2022-47986 ∗∗∗
---------------------------------------------
Rapid7 is aware of at least one incident where a customer was compromised via CVE-2022-47986. We strongly recommend patching on an emergency basis.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/28/etr-active-exploitation-of-ibm-…
∗∗∗ New OpcJacker Malware Distributed via Fake VPN Malvertising ∗∗∗
---------------------------------------------
We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distri…
∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗
---------------------------------------------
Für unsere täglichen Routineaufgaben suchen wir derzeit 1 Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security, welche:r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich auf unserer Jobs-Seite.
---------------------------------------------
https://cert.at/de/blog/2023/3/in-eigener-sache-certat-sucht-verstarkung-20…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19).
---------------------------------------------
https://lwn.net/Articles/927666/
∗∗∗ Multiple Vulnerabilities in Rocket Software UniRPC server (Fixed) ∗∗∗
---------------------------------------------
In early 2023, Rapid7 discovered several vulnerabilities in Rocket Software UniData UniRPC. We worked with the company to fix issues and coordinate this disclosure.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-roc…
∗∗∗ [R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2 ∗∗∗
---------------------------------------------
[R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2Arnie CabralTue, 03/28/2023 - 11:10 Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components in use (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2023-17
∗∗∗ Security Advisory 2023-02 for PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3 ∗∗∗
---------------------------------------------
Hello, Today we have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to a low severity security issue found. Please find the full text of the advisory below. The 4.6, 4.7 and 4.8 changelogs are available. The 4.6.6 (signature), 4.7.5 (signature) and 4.8.4 (signature) tarballs are available from our download server. Patches are available at patches.
---------------------------------------------
https://blog.powerdns.com/2023/03/29/security-advisory-2023-02-for-powerdns…
∗∗∗ IBM Security Bulletins 2023-03-29 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000133135: NGINX Agent vulnerability CVE-2023-1550 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133135
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.9.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/
∗∗∗ Buffer Overflow Vulnerabilities in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-02
∗∗∗ Buffer Overflow Vulnerability in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-03
∗∗∗ Vulnerabilities in QTS, QuTS hero, QuTScloud, and QVP ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-06
∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, QVP, and QVR ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-10
∗∗∗ Vulnerability in sudo ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-11
∗∗∗ Multiple Vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-15
∗∗∗ Sielco Analog FM Transmitter 2.12 id Cookie Brute Force Session Hijacking ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php
∗∗∗ Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php
∗∗∗ Sielco Analog FM Transmitter 2.12 Improper Access Control Change Admin Password ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php
∗∗∗ Sielco Analog FM Transmitter 2.12 Remote Privilege Escalation ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 27-03-2023 18:00 − Dienstag 28-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New MacStealer macOS malware steals passwords from iCloud Keychain ∗∗∗
---------------------------------------------
A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware…
∗∗∗ Exchange Online to block emails from vulnerable on-prem servers ∗∗∗
---------------------------------------------
Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exchange-online-to-block-ema…
∗∗∗ Cybersecurity Challenges of Power Transformers ∗∗∗
---------------------------------------------
To the best of our knowledge, there is no study in the literature that systematically investigate the cybersecurity challenges against the newly emerged smart transformers. This paper addresses this shortcoming by exploring the vulnerabilities and the attack vectors of power transformers within electricity networks, the possible attack scenarios and the risks associated with these attacks.
---------------------------------------------
https://arxiv.org/abs/2302.13161
∗∗∗ OpenSSL 1.1.1 End of Life ∗∗∗
---------------------------------------------
We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take. [..] OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
---------------------------------------------
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
∗∗∗ The curl quirk that exposed Burp Suite & Google Chrome ∗∗∗
---------------------------------------------
Although this feature took us (and Chrome) by surprise, it is fully documented so we dont consider it to be a vulnerability in curl itself. It reminds me of server-side template injection, where a sandbox escape can be as easy as reading a manual page everyone else overlooked.
---------------------------------------------
https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp…
∗∗∗ Abo-Falle auf produkttester-werden.org ∗∗∗
---------------------------------------------
Produkttester-werden.org wirbt mit der Möglichkeit, regelmäßig und gratis Produkte testen zu können und dafür bis zu 25 Euro Aufwandsentschädigung zu erhalten. Schon bei der Erstregistrierung werden aber persönliche Daten inklusive IBAN abgefragt, eine Einzugsermächtigung verlangt und ein kostenpflichtiges Abonnement über einen versteckten Kostenhinweis abgeschlossen. Wir raten zu Abstand!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-auf-produkttester-werdenor…
∗∗∗ Emotet Being Distributed via OneNote ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document.
---------------------------------------------
https://asec.ahnlab.com/en/50564/
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple patches everything, including a zero-day fix for iOS 15 users ∗∗∗
---------------------------------------------
Got an older iPhone that cant run iOS 16? Youve got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too.
---------------------------------------------
https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-includ…
∗∗∗ FortiOS / FortiProxy - Unauthenticated access to static files containing logging information (CVE-2022-41329) ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP or HTTPs GET requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-22-364
∗∗∗ OpenSSL Security Advisory: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) ∗∗∗
---------------------------------------------
Severity: Low
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. nvalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. [..] Policy processing is disabled by default
---------------------------------------------
https://www.openssl.org/news/secadv/20230328.txt
∗∗∗ [webapps] Moodle LMS 4.0 - Cross-Site Scripting (XSS) ∗∗∗
---------------------------------------------
A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP [..]
---------------------------------------------
https://www.exploit-db.com/exploits/51115
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dino-im and runc), Fedora (qemu), Red Hat (firefox), SUSE (chromium, containerd, docker, kernel, and systemd), and Ubuntu (graphicsmagick, linux-azure, linux-gcp, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and node-url-parse).
---------------------------------------------
https://lwn.net/Articles/927548/
∗∗∗ Cisco SD-WAN vManage Software Cluster Mode Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966410
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966400
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2022-31129, CVE-2022-24785 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966418
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-21252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966412
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966416
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2022-24999 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966420
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964836
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact(CVE-2022-3509, CVE-2022-3171) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966436
∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966428
∗∗∗ Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966084
∗∗∗ Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966434
∗∗∗ IBM Tivoli Netcool Impact is vulnerable to remote code execution from Apache Commons Net (CVE-2021-37533) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966438
∗∗∗ IBM Tivoli Netcool Impact is vulnerable to denial of service attack due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966440
∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966442
∗∗∗ IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966588
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-26281] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966600
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966602
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966604
∗∗∗ IBM App Connect Enterprise Certified Container images may be vulnerable to denial of service due to libarchive [CVE-2017-14166] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966610
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service due to [X-Force 247595] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966612
∗∗∗ IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966636
∗∗∗ There is a security vulnerability in snakeYAML used by IBM Maximo Data Loader (CVE-2022-41854) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966646
∗∗∗ There is a security vulnerability in TinyMCE used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-23494) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966644
∗∗∗ Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0(CPDS 2.0) [CVE-2022-2047] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966652
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 24-03-2023 18:00 − Montag 27-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Guidance for investigating attacks using CVE-2023-23397 ∗∗∗
---------------------------------------------
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-inves…
∗∗∗ WooCommerce Credit Card Skimmer Reveals Tampered Plugin ∗∗∗
---------------------------------------------
Disclaimer: The malware infection described in this article does not affect the software plugin as a whole and does not indicate any vulnerabilities or security flaws within WooCommerce or any associated WooCommerce plugin extensions. Overall they are both robust and secure payment platforms that are perfectly safe to use. Instead, this article highlights the importance of maintaining good security posture and keeping environments locked down to prevent tampering from threat actors.
---------------------------------------------
https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-plugin…
∗∗∗ Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues Affecting Multiple Cisco Products ∗∗∗
---------------------------------------------
On March 27, 2023, the research paper Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues was made public. This paper discusses vulnerabilities in the 802.11 standard that could allow an attacker to spoof a targeted wireless client and redirect frames that are present in the transmit queues in an access point to an attacker-controlled device. This attack is seen as an opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Visual Signature Spoofing in PDFs ∗∗∗
---------------------------------------------
Visual Signature Spoofing was partially successful in forging signed documents. Due to the limited support of JavaScript in the other PDF applications, it was only possible to create visual signature spoofs for Adobe Acrobat Reader DC. Other PDF applications may also become vulnerable in the future if they add support for the necessary JavaScript functions.
---------------------------------------------
https://sec-consult.com/blog/detail/visual-signature-spoofing-in-pdfs/
∗∗∗ Using an Undocumented Amplify API to Leak AWS Account IDs ∗∗∗
---------------------------------------------
In a previous blog post I mentioned that I was getting back into AWS vulnerability research in my free time. I’ve been taking a closer look at undocumented AWS APIs, trying to find hidden functionality that may be useful for an attacker or cross tenant boundaries. [...] I reported this API to AWS who responded that it did not “represent a security issue”, however, 3 days later, the API was disabled.
---------------------------------------------
https://frichetten.com/blog/undocumented-amplify-api-leak-account-id/
∗∗∗ Microsoft verteilt Sicherheitsupdate für Windows Snipping Tool ∗∗∗
---------------------------------------------
Microsoft hat ein außerplanmäßiges Sicherheitsupdate veröffentlicht. Es soll eine Schwachstelle im Windows Snipping Tool beseitigen – der in Windows 10 und Windows 11 integrierten Screenshot-App. Ähnlich wie zuletzt auch unter Android entfernt das Tool „gelöschte“ Bereiche von zugeschnittenen Screenshots nicht vollständig, sodass sie nachträglich wiederhergestellt werden können.
---------------------------------------------
https://www.zdnet.de/88408044/microsoft-verteilt-sicherheitsupdate-fuer-win…
∗∗∗ Deprecation of Remote PowerShell in Exchange Online – Re-enabling or Extending RPS support ∗∗∗
---------------------------------------------
PowerShell (PS) cmdlets in Exchange Online use Remote PowerShell (RPS) for client to server communication. Unfortunately, RPS is legacy technology that is outdated and can pose security risks. As such, we recommend all customers move to the new more secure REST-based v3 PowerShell module, which will help us improve security – together.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-re…
∗∗∗ OneNote Embedded URL Abuse ∗∗∗
---------------------------------------------
Whilst Microsoft is fixing the embedded files feature in OneNote I decided to abuse a whole other feature. Embedded URLs. Turns out this is something they may also have to fix.
---------------------------------------------
https://blog.nviso.eu/2023/03/27/onenote-embedded-url-abuse/
∗∗∗ Rhadamanthys: The “Everything Bagel” Infostealer ∗∗∗
---------------------------------------------
Key Takeaways:
* Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.
* A maximalist approach to features: functionality is added for its own sake, never mind the effort required or expected payoff.
* Campaigns by default target countries indiscriminately, excluding the commonwealth of independent states. This is typical of this kind of malware.
* Multiple-stage loader/shellcode execution has been researched in prior publications and has made it difficult to reach a proper interactive disassembly workflow with the actual information-stealing logic.
---------------------------------------------
https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-info…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Cloud Management for Catalyst migration feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root-level privileges on an affected device. This vulnerability is due to insufficient memory protection in the Cisco IOS XE Meraki migration feature of an affected device. An attacker could exploit this vulnerability by modifying the Meraki registration parameters. A successful exploit could allow the attacker to elevate privileges to root.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ABB RCCMD – Use of default password (CVE-2022-4126) ∗∗∗
---------------------------------------------
A software update is available that resolves a privately reported vulnerability [...] An attacker who successfully exploited this vulnerability could take control of the computer the software runs on and possibly insert and run arbitrary code.
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=2CMT0…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice and xen), Fedora (chromium, curl, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), Slackware (tar), SUSE (apache2, ceph, curl, dpdk, helm, libgit2, and php7), and Ubuntu (firefox and thunderbird).
---------------------------------------------
https://lwn.net/Articles/927451/
∗∗∗ baserCMS vulnerable to arbitrary file uploads ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN61105618/
∗∗∗ IBM Security Bulletins 2023-03-25 - 2023-03-27 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 23-03-2023 18:00 − Freitag 24-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites ∗∗∗
---------------------------------------------
Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.
---------------------------------------------
https://thehackernews.com/2023/03/critical-woocommerce-payments-plugin.html
∗∗∗ GitHub publishes RSA SSH host keys by mistake, issues update ∗∗∗
---------------------------------------------
Getting connection failures? Dont panic. Get new keys GitHub has updated its SSH keys after accidentally publishing the private part to the world. Whoops.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/03/24/github_chang…
∗∗∗ ChinaZ DDoS Bot Malware Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the ChinaZ DDoS Bot malware being installed on inadequately managed Linux SSH servers. [..] The threat group most likely scanned port 22, the area where SSH services operate, before finding an active SSH service and performing a dictionary attack using commonly used SSH account credentials.
---------------------------------------------
https://asec.ahnlab.com/en/50316/
∗∗∗ Hacking AI: System and Cloud Takeover via MLflow Exploit ∗∗∗
---------------------------------------------
Protect AI tested the security of MLflow and found a combined Local File Inclusion/Remote File Inclusion vulnerability which can lead to a complete system or cloud provider takeover. Organizations running an MLflow server are urged to update to the latest release immediately.
---------------------------------------------
https://protectai.com/blog/hacking-ai-system-takeover-exploit-in-mlflow
∗∗∗ JavaScript-Runtime: Deno 1.32 schließt kritische Sicherheitslücke ∗∗∗
---------------------------------------------
Die JS-Runtime Deno 1.32 liefert weitere Verbesserungen für die Kompatibilität mit Node.js und neue Funktionen für den Befehl deno compile.
---------------------------------------------
https://heise.de/-7971810
∗∗∗ CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections ∗∗∗
---------------------------------------------
The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.
---------------------------------------------
https://www.securityweek.com/cisa-ships-untitled-goose-tool-to-hunt-for-mic…
∗∗∗ APT attacks on industrial organizations in H2 2022 ∗∗∗
---------------------------------------------
This summary provides an overview of APT attacks on industrial enterprises and activity of groups that have been observed attacking industrial organizations and critical infrastructure facilities.
---------------------------------------------
https://ics-cert.kaspersky.com/publications/apt-attacks-on-industrial-organ…
∗∗∗ Outlook-Schwachstelle CVE-2023-23397 nicht vollständig gepatcht – Absicherung erforderlich ∗∗∗
---------------------------------------------
Noch ein kurzer Nachtrag zum März 2023-Patchday. Microsoft hat zum 14. März 2023 die kritische RCE-Schwachstelle CVE-2023-23397 in Outlook zwar mit einem Sicherheitsupdate versehen. Aber der Patch ist unvollständig, der Angriff kann weiterhin mit etwas modifizierten E-Mails immer noch ausgelöst werden. Und inzwischen ist ein Proof of Concept öffentlich, was demonstriert, wie die Schwachstelle ausgenutzt wird.
---------------------------------------------
https://www.borncity.com/blog/2023/03/24/outlook-schwachstelle-cve-2023-233…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the implementation of the Cisco Network Plug-and-Play (PnP) agent of Cisco DNA Center could allow an authenticated, remote attacker to view sensitive information in clear text. The attacker must have valid low-privileged user credentials. This vulnerability is due to improper role-based access control (RBAC) with the integration of PnP. An attacker could exploit this vulnerability by authenticating to the device and sending a query to an internal API.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libdatetime-timezone-perl, and tzdata), Fedora (flatpak and gmailctl), Mageia (firefox, flatpak, golang, gssntlmssp, libmicrohttpd, libtiff, python-flask-security, python-owslib, ruby-rack, thunderbird, unarj, and vim), Red Hat (firefox, kpatch-patch, nss, openssl, and thunderbird), SUSE (containerd, hdf5, qt6-base, and squirrel), and Ubuntu (amanda, gif2apng, graphviz, and linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi).
---------------------------------------------
https://lwn.net/Articles/927198/
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-003
∗∗∗ ELECOM WAB-MAT registers its windows service executable with an unquoted file path ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN35246979/
∗∗∗ TADDM is vulnerable to a denial of service vulnerability in Apache-Log4j (CVE-2023-26464) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965790
∗∗∗ IBM Tivoli Application Dependency Discovery Manager is vulnerable to a bypass vulnerability due to the use of Python (CVE-2023-24329) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965792
∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965612
∗∗∗ Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965816
∗∗∗ Stored SMB credentials may allow access to vSnap after oracle backup in IBM Spectrum Protect Plus for Db2 and Oracle (CVE-2023-27863) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965812
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965822
∗∗∗ Multiple vulnerabilies in Java affect IBM Robotic Process Automation for Cloud Pak which may result in a denial of service (CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965846
∗∗∗ A vulnerability in Luxon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-22467) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965848
∗∗∗ Multiple vulnerabilities in IBM Content Navigator may affect IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965908
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 22-03-2023 18:00 − Donnerstag 23-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Developing an incident response playbook ∗∗∗
---------------------------------------------
Incident response playbooks help optimize the SOC processes, and are a major step forward to SOC maturity, but can be challenging for a company to develop. In this article, I want to share some insights on how to create the (almost) perfect playbook.
---------------------------------------------
https://securelist.com/developing-an-incident-response-playbook/109145/
∗∗∗ Cropping and Redacting Images Safely, (Thu, Mar 23rd) ∗∗∗
---------------------------------------------
The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images. [..] Here are some approaches to make image redaction safer. But please use them with caution.
---------------------------------------------
https://isc.sans.edu/diary/rss/29666
∗∗∗ German and South Korean Agencies Warn of Kimsukys Expanding Cyber Attack Tactics ∗∗∗
---------------------------------------------
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users Gmail inboxes.
---------------------------------------------
https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html
∗∗∗ AIIPot: Adaptive Intelligent-Interaction Honeypot for IoT Devices ∗∗∗
---------------------------------------------
In this paper, we propose a honeypot for IoT devices that uses machine learning techniques to learn and interact with attackers automatically. The evaluation of the proposed model indicates that our system can improve the session length with attackers and capture more attacks on the IoT network.
---------------------------------------------
https://arxiv.org/abs/2303.12367
∗∗∗ Memory Forensics R&D Illustrated: Detecting Hidden Windows Services ∗∗∗
---------------------------------------------
To begin the series, this post discusses a new detection technique for hidden services on Windows 7 through 11. Since not all readers will be familiar with hidden services and the danger they pose on live systems, we will start with some brief background.
---------------------------------------------
https://volatility-labs.blogspot.com/2023/03/memory-forensics-r-d-illustrat…
∗∗∗ Malicious Actors Use Unicode Support in Python to Evade Detection ∗∗∗
---------------------------------------------
Phylum’s automated platform recently detected the onyxproxy package on PyPI, a malicious package that harvests and exfiltrates credentials and other sensitive data. In many ways, this package typifies other token stealers that we have found prevalent in PyPI. However, one feature of this particular package caught our eye: an obfuscation technique that was foreseen in 2007 during a discussion about Python’s support for Unicode [..]
---------------------------------------------
https://blog.phylum.io/malicious-actors-use-unicode-support-in-python-to-ev…
∗∗∗ Joomla! CVE-2023-23752 to Code Execution ∗∗∗
---------------------------------------------
On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. [..] disclosure was followed by a stream of exploits hitting GitHub, and multiple indicators of exploitation in the wild. The public exploits focus on leaking the victim’s MySQL database credentials – an unexciting prospect (we thought), because exposing the database to the internet is a dangerous misconfiguration. Nonetheless, attackers seemed interested in the vulnerability, so we sought to find out why.
---------------------------------------------
https://vulncheck.com/blog/joomla-for-rce
∗∗∗ Fehlalarm: Microsoft-Defender-Warnung vor deaktiviertem Schutz führt in die Irre ∗∗∗
---------------------------------------------
Unter Windows 11 zeigt Microsoft Defender auf vielen Systemen einen deaktivieren Schutz durch "die lokalen Sicherheitsautorität". Das ist ein Fehlalarm.
---------------------------------------------
https://heise.de/-7659972
∗∗∗ Technische Richtlinie zu Public Key Infrastrukturen für Technische Sicherheitseinrichtungen veröffentlicht ∗∗∗
---------------------------------------------
Das BSI hat am 23. März 2023 die neue Technische Richtlinie BSI TR-03145-5 für den sicheren Betrieb einer Public Key Infrastruktur für Technische Sicherheitseinrichtungen veröffentlicht.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023) ∗∗∗
---------------------------------------------
Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..]
---------------------------------------------
https://www.wordfence.com/blog/2023/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Pack it Secretly: Earth Preta’s Updated Stealthy Strategies ∗∗∗
---------------------------------------------
After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were being used by Earth Preta. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by the threat actor.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy…
=====================
= Vulnerabilities =
=====================
∗∗∗ Virenschutz: Malwarebytes ermöglicht Rechteausweitung ∗∗∗
---------------------------------------------
Der Virenschutz von Malwarebytes ermöglicht Angreifern, beliebige Dateien zu löschen oder ihre Rechte im System auszuweiten. Ein Update schließt die Lücke.
---------------------------------------------
https://heise.de/-7674565
∗∗∗ Sicherheitslücke: Angreifer könnten Switches von Aruba kompromittieren (CVE-2023-1168) ∗∗∗
---------------------------------------------
Aufgrund einer Schwachstelle sind bestimmte Switches von Aruba verwundbar. Admins sollten Geräte jetzt absichern.
Die Lücke betrifft die Network Analytics Engine. Dort könnte ein authentifizierter Angreifer für eine Schadcode-Attacke ansetzen, um Geräte vollständig zu kompromittieren. Wie eine Attacke ablaufen könnte, ist bislang nicht bekannt.
---------------------------------------------
https://heise.de/-7658264
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, nss, and openssl), Fedora (firefox, liferea, python-cairosvg, and tar), Oracle (openssl and thunderbird), Scientific Linux (firefox, nss, and openssl), SUSE (container-suseconnect, grub2, libplist, and qemu), and Ubuntu (amanda, apache2, node-object-path, and python-git).
---------------------------------------------
https://lwn.net/Articles/926972/
∗∗∗ VARTA: Multiple devices prone to hard-coded credentials (CVE-2022-22512) ∗∗∗
---------------------------------------------
VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-061/
∗∗∗ Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation ∗∗∗
---------------------------------------------
Solution: Users must check their program version by following the steps below and update their program to the latest version (versions 8.0.23.215 or above).
– Service operator: Replace with the latest version through MLsoft
– Service user: Updated automatically when the operator switches to the latest version
---------------------------------------------
https://asec.ahnlab.com/en/50213/
∗∗∗ SAUTER EY-modulo 5 Building Automation Stations ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-03
∗∗∗ RoboDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-01
∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-04
∗∗∗ CP Plus KVMS Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-02
∗∗∗ ABB Pulsar Plus Controller ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-05
∗∗∗ ProPump and Controls Osprey Pump Controller ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06
∗∗∗ IBM Integration Bus is vulnerable to a remote attack & denial of service due to Apache Thrift & Apache Commons Codec (CVE-2018-1320, CVE-2019-0205, IBM X-Force ID: 177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965298
∗∗∗ IBM Watson CloudPak for Data Data Stores are vulnerable to web pages stored locally which can be read by another user on the system ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965446
∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to allowing a user with physical access and specific knowledge of the system to modify files or data on the system.(CVE-2023-26282) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965452
∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to an attacker with specific knowledge about the system to manipulate data due to improper input validation(CVE-2023-28512) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965456
∗∗∗ Security Bulletin: Watson CP4D Data Stores for Cloud Pak for Data does not encypt sensitive information before storage or transmission (CVE-2023-27291) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965458
∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965612
∗∗∗ Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965698
∗∗∗ WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965702
∗∗∗ A vulnerability has been identified in IBM Spectrum Scale Data Access Services (DAS) which can cause denial of service. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964532
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965732
∗∗∗ Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963786
∗∗∗ Stored cross-site vulnerability when performing a document upload using Responsive Document Explorer affect IBM Business Automation Workflow - CVE-2023-24957 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965776
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 21-03-2023 18:00 − Mittwoch 22-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ PoC exploits released for Netgear Orbi router vulnerabilities ∗∗∗
---------------------------------------------
Proof-of-concept exploits for vulnerabilities in Netgears Orbi 750 series router and extender satellites have been released, with one flaw a critical severity remote command execution bug.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-ne…
∗∗∗ Windows Snipping-Tool anfällig für "Acropalypse" ∗∗∗
---------------------------------------------
Anfang der Woche wurde eine "Acropalypse" genannte Lücke im Screenshot-Tool von Google Pixel-Phones bekannt. Das Windows 11 Snipping-Tool verhält sich ebenso.
---------------------------------------------
https://heise.de/-7619561
∗∗∗ Cyber-Sicherheit für das Management ∗∗∗
---------------------------------------------
Das international erscheinende Handbuch „Management von Cyber-Risiken“, das durch das BSI in Zusammenarbeit mit der Internet Security Alliance entwickelt wurde, erhält ein weitreichendes Update
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Blackmail Roulette: The Risks of Electronic Shelf Labels for Retail and Critical Infrastructure ∗∗∗
---------------------------------------------
During our research, we analyzed the unknown micro-controller (MCU) of the SUNY ESL tag, which is a common Chinese ESL tag vendor, gained debug access and reverse engineered the proprietary 433 MHz radio-frequency (RF) protocol. As no authentication is used, we were able to update any ESL tag within RF range with arbitrary content.
---------------------------------------------
https://sec-consult.com/blog/detail/blackmail-roulette-the-risks-of-electro…
∗∗∗ Erpressungsmail: „Ich weiß von Ihrem sexuellen Interesse an kleinen Kindern“ ∗∗∗
---------------------------------------------
Aktuell wird uns vermehrt ein Erpressungsmail gemeldet, in dem Empfänger:innen beschuldigt werden, sexuelle Interessen an Kindern zu haben. Angeblich wurde beim Pornoschauen ein Programm heruntergeladen, welches die Kamera aktivierte und die Person beim Masturbieren filmte. Dieses Video wird verbreitet, wenn nicht innerhalb einer Woche Bitcoins überwiesen werden. Alles frei erfunden! Löschen Sie dieses E-Mail, es handelt sich um Fake.
---------------------------------------------
https://www.watchlist-internet.at/news/erpressungsmail-ich-weiss-von-ihrem-…
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components) ∗∗∗
---------------------------------------------
The extension is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2023-003
∗∗∗ Java-Plattform: Kritische Lücke in VMware Tanzu Spring Framework geschlossen ∗∗∗
---------------------------------------------
Zwei Schwachstellen bedrohen das Spring Framework. Eine Lücke gilt als kritisch. Updates zum Schließen des Sicherheitslecks stehen bereit.
---------------------------------------------
https://heise.de/-7614914
∗∗∗ Webbrowser: Chrome-Update dichtet acht Sicherheitslücken ab ∗∗∗
---------------------------------------------
Der Webbrowser Chrome schließt acht Sicherheitslücken mit Updates. Angreifer können durch sie etwa mit manipulierten Webseiten Schadcode einschmuggeln.
---------------------------------------------
https://heise.de/-7611326
∗∗∗ OpenSSL Security Advisory: Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) ∗∗∗
---------------------------------------------
Severity: Low
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. [..] Policy processing is disabled by default
---------------------------------------------
https://www.openssl.org/news/secadv/20230322.txt
∗∗∗ Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites).
---------------------------------------------
https://www.wordfence.com/blog/2023/03/multiple-reflected-cross-site-script…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox), Oracle (kernel, kernel-container, and nss), and SUSE (curl, dpdk, drbd, go1.18, kernel, openstack-cinder, openstack-glance, openstack-neutron-gbp, openstack-nova, python-oslo.utils, oracleasm, python3, slirp4netns, and xen).
---------------------------------------------
https://lwn.net/Articles/926843/
∗∗∗ [R1] Tenable.sc Version 6.1.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Tenable.sc 6.1.0 updates Apache to version 2.4.56 and PHP to 8.1.16 to address the identified vulnerabilities.
---------------------------------------------
https://www.tenable.com/security/tns-2023-16
∗∗∗ CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures ∗∗∗
---------------------------------------------
Rapid7 has discovered three security concerns in CloudPanel from MGT-COMMERCE, a self-hosted web administration solution.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-clou…
∗∗∗ Cisco Access Point Software Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Web UI Path Traversal Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco SD-WAN vManage Software Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE SD-WAN Software Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco DNA Center Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Adaptive Security Appliance Software, Firepower Threat Defense Software, IOS Software, and IOS XE Software IPv6 DHCP (DHCPv6) Client Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Low-Entropy Keys Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Access Point Software Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Access Point Software Association Request Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964832
∗∗∗ Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964844
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964836
∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964854
∗∗∗ IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2022-43863) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964862
∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6612805
∗∗∗ IBM Workload Scheduler is vulnerable to XML External Entity Injection (XXE) attack ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6890697
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 20-03-2023 18:00 − Dienstag 21-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 11 bug warns Local Security Authority protection is off ∗∗∗
---------------------------------------------
Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-…
∗∗∗ From Phishing Kit To Telegram... or Not!, (Mon, Mar 20th) ∗∗∗
---------------------------------------------
Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns!
---------------------------------------------
https://isc.sans.edu/diary/rss/29650
∗∗∗ Google Cloud Log Extraction ∗∗∗
---------------------------------------------
In this blog post, we review the methods through which we can extract logs from Google Cloud.
---------------------------------------------
https://www.sans.org/blog/google-cloud-log-extraction/
∗∗∗ Find Threats in Event Logs with Hayabusa ∗∗∗
---------------------------------------------
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable.
---------------------------------------------
https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusa
∗∗∗ Black Angel Rootkit ∗∗∗
---------------------------------------------
Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality. Designed for Red Teams.
---------------------------------------------
https://github.com/XaFF-XaFF/Black-Angel-Rootkit
∗∗∗ Linux auditd for Threat Detection [Final] ∗∗∗
---------------------------------------------
The focus of this article will be to describe what behaviors allow for which events to be recorded by auditd. Additionally, you will see where auditd is not capable of recording certain events, despite verbose settings.
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d51737…
∗∗∗ Nexus: a new Android botnet? ∗∗∗
---------------------------------------------
On January 2023, a new Android banking trojan appeared on multiple hacking forums under the name of Nexus. However, Cleafy’s Threat Intelligence & Response Team traced the first Nexus infections way before the public announcement in June 2022.
---------------------------------------------
https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet
∗∗∗ Mitigating SSRF in 2023 ∗∗∗
---------------------------------------------
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick a server-side application to make a request to an unintended location. SSRF, unlike most other specific vulnerabilities, has gained its own spot on the OWASP Top 10 2021. This reflects both how common and how impactful this type of vulnerability has become.
---------------------------------------------
https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/
∗∗∗ Malicious NuGet Packages Used to Target .NET Developers ∗∗∗
---------------------------------------------
Software developers have been targeted in a new attack via malicious packages in the NuGet repository.
---------------------------------------------
https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-de…
∗∗∗ Achtung: Betrügerische Anrufe zu Eurojackpot-Gewinn! ∗∗∗
---------------------------------------------
Nehmen Sie sich vor angeblichen Gewinnbenachrichtigungen per Anruf, E-Mail, Post und Social Media im Namen von Eurojackpot in Acht. Kriminelle geben sich als die Lotterie aus und behaupten, dass Sie Geld gewonnen haben. Im weiteren Verlauf sollen Sie vorab Geld bezahlen, um die Auszahlung zu erhalten.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-betruegerische-anrufe-zu-eur…
∗∗∗ Patch CVE-2023-23397 Immediately: What You Need To Know and Do ∗∗∗
---------------------------------------------
We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immedia…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc).
---------------------------------------------
https://lwn.net/Articles/926759/
∗∗∗ XSA-429 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-429.html
∗∗∗ XSA-428 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-428.html
∗∗∗ XSA-427 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-427.html
∗∗∗ Keysight N6845A Geolocation Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-01
∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02
∗∗∗ VISAM VBASE Automation Base ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05
∗∗∗ Siemens RUGGEDCOM APE1808 Product Family ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-03
∗∗∗ Rockwell Automation ThinManager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-22-080-06
∗∗∗ Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-wellintech-ics-p…
∗∗∗ Spring Vault 3.0.2 and 2.3.3 fix CVE-2023-20859 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-vault-3-0-2-and-2-3-3-fix-cve-2023…
∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Moment CVE-2023-22467 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964588
∗∗∗ A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852651
∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964694
∗∗∗ IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963662
∗∗∗ Vulnerability in Apache Commons FileUpload library affect Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964742
∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964752
∗∗∗ Multiple vulnerabilities of Mozilla Firefox ESR have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964754
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 17-03-2023 18:00 − Montag 20-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks ∗∗∗
---------------------------------------------
A new malware botnet was discovered targeting Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into DDoS (distributed denial of service) swarm with the potential for massive attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-l…
∗∗∗ Google: Bearbeitete Pixel-Screenshots lassen sich wiederherstellen ∗∗∗
---------------------------------------------
Wer Teile von Screenshots unkenntlich macht, verlässt sich darauf, dass dies auch so bleibt. Bei Pixel-Smartphones war das bisher nicht so.
---------------------------------------------
https://www.golem.de/news/google-bearbeitete-pixel-screenshots-lassen-sich-…
∗∗∗ Ransomware: Emotet kehrt zurück – als OneNote-E-Mail-Anhang ∗∗∗
---------------------------------------------
Die hochentwickelte Schadsoftware Emotet ist wieder aktiv. Sie findet in Form von bösartigen OneNote-Dateien ihren Weg in den E-Mail-Eingang potenzieller Opfer.
---------------------------------------------
https://heise.de/-7551285
∗∗∗ Malware-Masche: Acrobat Sign-Dienst zum Unterschieben von Malware missbraucht ∗∗∗
---------------------------------------------
Avast hat eine neue Masche beobachtet, mit der Cyberkriminelle Opfern Malware unterjubeln wollten. Sie missbrauchen dazu den Adobe-Sign-Dienst.
---------------------------------------------
https://heise.de/-7557288
∗∗∗ Researchers Shed Light on CatB Ransomwares Evasion Techniques ∗∗∗
---------------------------------------------
The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities.
---------------------------------------------
https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html
∗∗∗ Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research ∗∗∗
---------------------------------------------
In this blog post, we’ll share some of our latest research into bypassing CloudTrail. We’ll cover a method that allowed CloudTrail bypass with both read and write API actions for the Service Catalog service. This now-fixed vulnerability is noteworthy, because it was the first publicly known CloudTrail bypass that could permit an attacker to alter an AWS environment.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-c…
∗∗∗ IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole ∗∗∗
---------------------------------------------
In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. Well follow by exposing common TTPs before revealing information leaked through the attackers clipboard data.
---------------------------------------------
https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyh…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal-Sicherheitslücke könnte Angreifern die Systemübernahme ermöglichen ∗∗∗
---------------------------------------------
Die US-Cyber-Sicherheitsbehörde CISA warnt vor einer Sicherheitslücke im Content-Management-System Drupal. Angreifer könnten verwundbare Systeme kapern.
---------------------------------------------
https://heise.de/-7550599
∗∗∗ OpenSSH 9.3 dichtet Sicherheitslecks ab ∗∗∗
---------------------------------------------
Die Entwickler von OpenSSH haben Version 9.3 der Verschlüsselungssuite veröffentlicht. Sie schließt Sicherheitslücken und behebt kleinere Fehler.
---------------------------------------------
https://heise.de/-7550738
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim).
---------------------------------------------
https://lwn.net/Articles/926636/
∗∗∗ IBM Security Bulletins 2023-03-20 ∗∗∗
---------------------------------------------
* Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930)
* Watson AI Gateway for Cloud Pak for Data is vulnerable to an OpenSSL denial of service caused by a type confusion error (CVE-2023-0286)
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly authorized password changes
* Watson AI Gateway for Cloud Pak for Data is vulnerable to Ansible Runner code execution and could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper shell escaping of the shell command.
* IBM Aspera Faspex can be vulnerable to improperly authorized password changes
* Vulnerability in EFS affects AIX (CVE-2021-29861)
* Vulnerability in libc affects AIX (CVE-2021-29860)
* Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)
* Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
* A denial of service vulnerability in JDOM affects IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE CVE-2021-33813)
* Vulnerabilites in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)
* Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4
* Vulnerability in Node.js affects IBM Voice Gateway
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes
* Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925)
* Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Workload Scheduler.
* IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Spring Framework 5.2.23 fixes cve-2023-20861 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-framework-5-2-23-fixes-cve-2023-20…
∗∗∗ Spring Framework 6.0.7 and 5.3.26 fix cve-2023-20860 and cve-2023-20861 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 16-03-2023 18:00 − Freitag 17-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Adobe Acrobat Sign abused to push Redline info-stealing malware ∗∗∗
---------------------------------------------
Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to…
∗∗∗ Hitachi Energy confirms data breach after Clop GoAnywhere attacks ∗∗∗
---------------------------------------------
Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a zero-day GoAnyway zero-day vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data…
∗∗∗ How to Google Dork a Specific Website for Hacking ∗∗∗
---------------------------------------------
You might pride yourself on being savvy in cyber security but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools.
---------------------------------------------
https://www.stationx.net/how-to-google-dork-a-specific-website/
∗∗∗ Chaos Malware Quietly Evolves Persistence and Evasion Techniques ∗∗∗
---------------------------------------------
The name Chaos is being used for a ransomware strain, a remote access trojan (RAT), and now a DDoS malware variant too. Talk about chaos! In this case, Sysdig’s Threat Research Team captured attacks using the Chaos variant of the Kaiji botnet malware. There is very little reported information on this malware since September 2022, perhaps because of the unfortunately chaotic naming, or simply because it is relatively new.
---------------------------------------------
https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/
∗∗∗ Free decryptor released for Conti-based ransomware following data leak ∗∗∗
---------------------------------------------
Security researchers have released a new decryption tool that should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free.
---------------------------------------------
https://www.tripwire.com/state-of-security/free-decryptor-released-conti-ba…
∗∗∗ Phishing-Welle: Vorsicht vor Fake Disney+ Mails ∗∗∗
---------------------------------------------
Sie haben ein E-Mail erhalten, in dem Disney+ Sie darauf hinweist, dass eine Zahlung fehlgeschlagen ist? Löschen Sie die Nachricht oder schieben Sie sie in den SPAM-Ordner – es handelt sich um einen Phishing-Versuch! Die E-Mails werden mit dem Betreff „Aussetzung Ihres Disney+ Kontos“ oder „Sperrung Ihres Disney+ Kontos“ massenhaft verschickt!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-welle-vorsicht-vor-fake-dis…
∗∗∗ #StopRansomware: LockBit 3.0 ∗∗∗
---------------------------------------------
This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
∗∗∗ Windows 10/11: Microsoft veröffentlicht Script für den WinRE BitLocker Bypass-Fix ∗∗∗
---------------------------------------------
Seit November 2022 ist bekannt, dass es eine Bitlocker-Bypass-Schwachstelle CVE-2022-41099 im Windows Recovery Environment (WinRE) gibt. Das Patchen ist aber alles andere als einfach.
---------------------------------------------
https://www.borncity.com/blog/2023/03/17/windows-10-11-microsoft-verffentli…
∗∗∗ ShellBot Malware Being Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.
---------------------------------------------
https://asec.ahnlab.com/en/49769/
∗∗∗ Debugging D-Link: Emulating firmware and hacking hardware ∗∗∗
---------------------------------------------
GreyNoise researchers explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface.
---------------------------------------------
https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacki…
=====================
= Vulnerabilities =
=====================
∗∗∗ Exynos: Google findet schwerwiegende Zero Days in Samsung-Chips ∗∗∗
---------------------------------------------
Die betroffenen Geräte lassen sich über das Internet hacken, darunter Smartphones von Samsung, Google und Vivo sowie Wearables und Autos.
---------------------------------------------
https://www.golem.de/news/exynos-google-findet-schwerwiegende-zero-days-in-…
∗∗∗ Honeywell OneWireless Wireless Device Manager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06
∗∗∗ Rockwell Automation Modbus TCP AOI Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-07
∗∗∗ Omron CJ1M PLC ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-01
∗∗∗ AVEVA Plant SCADA and AVEVA Telemetry Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-04
∗∗∗ Autodesk FBX SDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-02
∗∗∗ [R1] Sensor Proxy Version 1.0.7 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-15
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957836
∗∗∗ IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6555376
∗∗∗ InfoSphere Identity Insight vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963974
∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956237
∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964166
∗∗∗ Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963640
∗∗∗ Vulnerability in Java SE may affect IBM Spectrum Protect Operations Center (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963642
∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Node.js Angular (CVE-2022-25844) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964174
∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Apache commons-fileupload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964176
∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847947
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957836
∗∗∗ AIX is vulnerable to a denial of service due to lpd (CVE-2022-43382) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848309
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 15-03-2023 18:00 − Donnerstag 16-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ CVE-2023-23397 - der (interessante) Teufel steckt im Detail ∗∗∗
---------------------------------------------
Im Regelfall veröffentlichen wir zu Sicherheitslücken, die durch den Hersteller im Rahmen eines regulären Patchzyklus behoben werden, keine Warnung. Die Motivation dahinter ist, dass wir unsere Warnungen als Werkzeug betrachten, Informationen über kritische Schwachstellen mit entsprechender Urgenz an die jeweiligen Adressat:innen bringen wollen. Dementsprechend entscheiden wir relativ konservativ, wovor oder worüber wir warnen, um die Wirkung selbiger nicht zu verwässern. Aber, wie so oft, bestätigen Ausnahmen die Regel [...]
---------------------------------------------
https://cert.at/de/blog/2023/3/cve-2023-23397-der-teufel-steckt-im-detail
∗∗∗ CISA warns of Adobe ColdFusion bug exploited as a zero-day ∗∗∗
---------------------------------------------
CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusi…
∗∗∗ Winter Vivern APT hackers use fake antivirus scans to install malware ∗∗∗
---------------------------------------------
An advanced hacking group named Winter Vivern targets European government organizations and telecommunication service providers to conduct espionage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winter-vivern-apt-hackers-us…
∗∗∗ BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion ∗∗∗
---------------------------------------------
The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.
---------------------------------------------
https://www.darkreading.com/risk/bianlian-ransomware-pivots-encryption-pure…
∗∗∗ Simple Shellcode Dissection, (Thu, Mar 16th) ∗∗∗
---------------------------------------------
Most people will never execute a suspicious program or “executable”. Also, most of them cannot be delivered directly via email. Most antispam and antivirus solutions block them. But, then, how could people be so easily infected? I’ll explain with the help of a file I found in a phishing campaign.
---------------------------------------------
https://isc.sans.edu/diary/rss/29642
∗∗∗ Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency ∗∗∗
---------------------------------------------
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
---------------------------------------------
https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html
∗∗∗ SSRF Cross Protocol Redirect Bypass ∗∗∗
---------------------------------------------
Server Side Request Forgery (SSRF) is a fairly known vulnerability with established prevention methods. So imagine my surprise when I bypassed an SSRF mitigation during a routine retest. Even worse, I have bypassed a filter that we have recommended ourselves!
---------------------------------------------
https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html
∗∗∗ Falsche WhatsApp und Telegram Apps auf der Jagd nach Krypto‑Wallets ∗∗∗
---------------------------------------------
ESET-Forscher analysierten Android- und Windows-Clipper, die Sofortnachrichten manipulieren und OCR verwenden können, um Kryptowährungen zu stehlen.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/03/16/falsche-whatsapp-und-tele…
∗∗∗ Bee-Ware of Trigona, An Emerging Ransomware Strain ∗∗∗
---------------------------------------------
Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.
---------------------------------------------
https://unit42.paloaltonetworks.com/trigona-ransomware-update/
∗∗∗ DotRunpeX – demystifying new virtualized .NET injector used in the wild ∗∗∗
---------------------------------------------
ImplMap2x64dbgInvoke-DotRunpeXextractThe post DotRunpeX – demystifying new virtualized .NET injector used in the wild appeared first on Check Point Research.
---------------------------------------------
https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized…
=====================
= Vulnerabilities =
=====================
∗∗∗ Webkonferenzen: Hochriskante Lücken in Zoom ∗∗∗
---------------------------------------------
In der Online-Konferenzsoftware Zoom haben die Entwickler mehrere Schwachstellen geschlossen. Einige gelten als hochriskant und könnten Codeschmuggel erlauben.
---------------------------------------------
https://heise.de/-7547291
∗∗∗ Kritisches Leck in SSL-VPN-Gateway von Array Networks ∗∗∗
---------------------------------------------
Die SSL-VPN-Gateways von Array Networks haben eine kritische Sicherheitslücke. Angreifer könnten aus dem Netz ohne Authentifizierung Code einschleusen.
---------------------------------------------
https://heise.de/-7548009
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and pcre2), Oracle (nss), Red Hat (kpatch-patch and nss), SUSE (java-11-openjdk, kernel, and python310), and Ubuntu (emacs24, ffmpeg, firefox, imagemagick, libphp-phpmailer, librecad, and openjpeg2).
---------------------------------------------
https://lwn.net/Articles/926289/
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-004
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-003
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-002
∗∗∗ Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-011
∗∗∗ Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-010
∗∗∗ Multiple vulnerabilities within OpenSSL and Node.js affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963634
∗∗∗ EBICs client of IBM Sterling B2B Integrator vulnerable to multiple issues due to Dojo Toolkit ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963652
∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963650
∗∗∗ IBM Watson Assistant for Cloud pak for Data is affected by vulnerabilities in Pallets Werkzeug . ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963668
∗∗∗ IBM Aspera Faspex can be vulnerable to improperly authorized password changes ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963662
∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955067
∗∗∗ Vulnerability in PyPI cryptography and Python may affect IBM Spectrum Protect Plus File Systems Agent (CVE-2023-23931, CVE-2023-0286, CVE-2023-24329) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957718
∗∗∗ Vulnerabilities in Linux Kernel may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963936
∗∗∗ Multiple Vulnerabilities in Intel Firmware affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6611963
∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963940
∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963942
∗∗∗ Vulnerabilities in Golang Go and Java SE might affect IBM Spectrum Copy Data Management (CVE-2022-41717, CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960739
∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-2964, CVE-2022-2601, CVE-2020-36557) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960747
∗∗∗ IBM Sterling B2B Integrator vulnerable to sensitive information exposure due to IBM MQ (CVE-2022-42436) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963954
∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server ( CVE-2022-3509, CVE-2022-3171) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963956
∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963962
∗∗∗ IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963958
∗∗∗ IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963960
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 14-03-2023 18:00 − Mittwoch 15-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th) ∗∗∗
---------------------------------------------
In the last couple of weeks, Ive noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS)- an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception.
---------------------------------------------
https://isc.sans.edu/diary/rss/29638
∗∗∗ How to Find & Fix: WordPress Pharma Hack ∗∗∗
---------------------------------------------
Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don’t blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site’s good reputation to lure traffic to a scam.
---------------------------------------------
https://blog.sucuri.net/2023/03/find-fix-wordpress-pharma-hack.html
∗∗∗ New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...]
---------------------------------------------
https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html
∗∗∗ Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.
---------------------------------------------
https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook…
∗∗∗ Apple räumt ein: iOS-Dienste können VPN-Tunnel umgehen ∗∗∗
---------------------------------------------
iOS schleust bestimmten Datenverkehr an einer aktiven VPN-Verbindung vorbei, warnen Sicherheitsforscher seit Längerem. Das ist laut Apple so gewollt.
---------------------------------------------
https://heise.de/-7545702
∗∗∗ Patchday: Microsoft dichtet aktiv angegriffene Sicherheitslücken ab ∗∗∗
---------------------------------------------
Neben zwei aktiv missbrauchten Sicherheitslücken liefert Microsoft zum März-Patchday Aktualisierungen für zahlreiche Produkte. Sie schließen zig Schwachstellen.
---------------------------------------------
https://heise.de/-7545903
∗∗∗ Gefälschtes SMS von DHL stiehlt Ihre Kreditkartendaten ∗∗∗
---------------------------------------------
In der betrügerischen DHL-Nachricht steht, dass Ihr Paket Lieferprobleme hat. Das Problem kann gelöst werden, indem Sie auf den Link klicken. Klicken Sie nicht auf den Link. Sie werden auf eine nachgebaute DHL-Website gelockt, wo persönliche Infos und Kreditkartendaten abgefragt werden. In weiterer Folge wird Ihre Kreditkarte auf einem fremden Gerät für Apple Pay aktiviert.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-sms-von-dhl-stiehlt-ihr…
∗∗∗ Uncovering Windows Events ∗∗∗
---------------------------------------------
Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDR’s. One provider commonly that is leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn’t a deep dive into how ETW works, [...]
---------------------------------------------
https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54?source=r…
∗∗∗ Released: March 2023 Exchange Server Security Updates ∗∗∗
---------------------------------------------
Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2013 Exchange Server 2016 Exchange Server 2019
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-20…
∗∗∗ How does malware spread? Top 5 ways malware gets into your network ∗∗∗
---------------------------------------------
Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware.
---------------------------------------------
https://www.emsisoft.com/en/blog/43733/how-does-malware-spread-top-5-ways-m…
∗∗∗ A look at CVE-2023–23415 — a Windows ICMP vulnerability + mitigations which is not a cyber meltdown ∗∗∗
---------------------------------------------
Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It’s a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it’s a high CVSS score in Windows OS on a commonly used protocol.
---------------------------------------------
https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerabil…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday: Adobe schließt Zero-Day-Lücke und mehr als 100 Schwachstellen ∗∗∗
---------------------------------------------
Adobe dichtet am März-Patchday 106 Sicherheitslecks ab. Eine davon in Adobe ColdFusion missbrauchen Cyberkriminelle bereits in Angriffen.
---------------------------------------------
https://heise.de/-7546150
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).
---------------------------------------------
https://lwn.net/Articles/926205/
∗∗∗ SAP-Patchday enthält Updates für kritische Sicherheitslücken ∗∗∗
---------------------------------------------
Der aktuelle Patchday von SAP beinhaltet mehrere Schwachstellen mit einem CVSS-Score >9.0. Insbesondere eine kritische Sicherheitslücke in SAP NetWeaver AS for Java (CVE-2023-23857) ist trivial ausnutzbar; sie erlaubt Angreifer:innen aufgrund unzureichender Authentifizierungsprüfungen weitreichenden Systemzugriff ohne jegliche Form von Authentifizierung. Weitere Schwachstellen (unter anderem CVE-2023-25616, CVE-2023-25617) ermöglichen entfernte Codeausführung.
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/sap-patchday-enthalt-updates-fur-kritis…
∗∗∗ ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-245/
∗∗∗ ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-244/
∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500554-THINKPAD-BIOS-VULNERABI…
∗∗∗ AIX is affected by a denial of service (CVE-2022-45061) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963342
∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963372
∗∗∗ Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-4568) affects CICS Transaction Gateway for Multiplatforms. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963612
∗∗∗ Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963632
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 10-03-2023 18:00 − Montag 13-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Clop-Ransomware: Opfer der GoAnywhere-Attacken müssen jetzt zahlen ∗∗∗
---------------------------------------------
Aufgrund einer Sicherheitslücke in der Dateiübertragungslösung GoAnywhere MFT konnten Angreifer zuschlagen und erpressen nun Firmen.
---------------------------------------------
https://heise.de/-7543629
∗∗∗ Banking-Trojaner: 400 Einrichtungen im Visier von Android-Malware ∗∗∗
---------------------------------------------
IT-Forscher beobachten die Weiterentwicklung des Banking-Trojaners Xenomorph für Android. Inzwischen versteht er sich auf 400 Finanzinstitutionen.
---------------------------------------------
https://heise.de/-7543682
∗∗∗ Das Finanzamt versendet keine Pfändungsandrohung per SMS! ∗∗∗
---------------------------------------------
Aktuell werden erneut massenhaft Betrugs-SMS im Namen des Finanzamts versendet. Angeblich hätten Sie trotz mehrerer Mahnungen eine offene Forderung gegen Sie nicht bezahlt. Daher würde nun ein Gerichtsvollzieher Ihren Hausrat pfänden. Achtung: Bezahlen Sie die Forderung nicht! Die Nachricht stammt nicht vom Finanzamt und Ihr Geld landet bei Kriminellen.
---------------------------------------------
https://www.watchlist-internet.at/news/das-finanzamt-versendet-keine-pfaend…
∗∗∗ Security researchers targeted with new malware via job offers on LinkedIn ∗∗∗
---------------------------------------------
A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/security-researchers-targete…
∗∗∗ Medusa ransomware gang picks up steam as it targets companies worldwide ∗∗∗
---------------------------------------------
A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks…
∗∗∗ DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit ∗∗∗
---------------------------------------------
DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, including an open-source kit capable of circumventing MFA through reverse-proxy functionality.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-h…
∗∗∗ Overview of a Mirai Payload Generator, (Sat, Mar 11th) ∗∗∗
---------------------------------------------
The Mirai[1] botnet is active for years. It was the first botnet targeting devices running Linux like camera recorders. Our first diary about it was in 2016![2]. Still today, my honeypot is hit by hundreds of Mirai requests every day! I found a Python script that generates a Mirai payload (SHA256:f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e[3]) and deploys networking services to serve it via FTP, HTTP, and TFTP. Nothing very fancy but it will give you a good idea about how Linux hosts are abused to deliver malicious payloads.
---------------------------------------------
https://isc.sans.edu/diary/rss/29624
∗∗∗ BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads ∗∗∗
---------------------------------------------
The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPIs ChatGPT, Spotify, Tableau, and Zoom.
---------------------------------------------
https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html
∗∗∗ "FakeGPT": New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs ∗∗∗
---------------------------------------------
A Chrome Extension propelling quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Particularly noticeable is the use of a malevolent silently forced Facebook app “backdoor” giving the threat actors super-admin permissions.
---------------------------------------------
https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-…
∗∗∗ Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware ∗∗∗
---------------------------------------------
Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users.
---------------------------------------------
https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-t…
∗∗∗ Persistence - Context Menu ∗∗∗
---------------------------------------------
Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click and it is a very common action for every Windows user. In offensive operations this action could be weaponized for persistence by executing shellcode every time the user attempts to use the context menu.
---------------------------------------------
https://pentestlab.blog/2023/03/13/persistence-context-menu/
∗∗∗ CISA Warns of Plex Vulnerability Linked to LastPass Hack ∗∗∗
---------------------------------------------
CISA has added vulnerabilities in Plex Media Server and VMware NSX-V to its Known Exploited Vulnerabilities catalog.
---------------------------------------------
https://www.securityweek.com/cisa-warns-of-plex-vulnerability-linked-to-las…
=====================
= Vulnerabilities =
=====================
∗∗∗ Clipchamp ( Microsoft Office Product) - Google IAP Authorization bypass allowed access to Internal Environment Leading to Zero Interaction Account takeover ∗∗∗
---------------------------------------------
[...] After further research it was discovered that the authorization checks are only at the front end https://app.*.clipchamp.com/ and not while invoking the /v2/ API endpoints with the expected parameters. Enumerating all the internal endpoints it was found that the https://app.smoke.clipchamp.com/v2 was leaking the JWT Authentication Bearer Token for any attacker-provided user on the platform leading to Zero Interaction Account takeover for any ClipChamp user on the Smoke Env.
---------------------------------------------
https://blog.agilehunt.com/blogs/security/msrc-critical-google-iap-authoriz…
∗∗∗ Kritische Sicherheitslücken: Lexmark aktualisiert Firmware für viele Drucker ∗∗∗
---------------------------------------------
Diverse Drucker von Lexmark haben kritische Sicherheitslücken, die Angreifern das Ausführen von Schadcode ermöglichen. Updates stehen schon bereit.
---------------------------------------------
https://heise.de/-7543959
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick, libapache2-mod-auth-mellon, mpv, rails, and ruby-sidekiq), Fedora (chromium, dcmtk, and strongswan), Mageia (chromium-browser-stable, dcmtk, kernel, kernel-linus, libreswan, microcode, redis, and tmux), SUSE (postgresql14 and python39), and Ubuntu (linux-kvm, linux-raspi-5.4, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/925987/
∗∗∗ Shodan Verified Vulns 2023-03-01 ∗∗∗
---------------------------------------------
Mit Stand 2023-03-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] Die Schwachstellen CVE-2021-43798 (Grafana Path Traversal Vulnerability) und CVE-2022-32548 (DrayTek Authentication Bypass Vulnerability) sind nun wieder in den Daten von Shodan enthalten. Im Vormonat fehlten diese Daten. Verglichen mit den Daten von Jänner 2023 sind keine auffälligen Änderungen zu erkennen. Ähnlich verhält sich die Schwachstelle CVE-2022-36804 [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/shodan-verified-vulns-2023-03-01
∗∗∗ IBM Security Bulletins 2023-03-13 ∗∗∗
---------------------------------------------
* A vulnerability (CVE-2022-21299) in IBM Java Runtime affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* A vulnerability has been identified in IBM Spectrum Scale which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927)
* EBICS Client of IBM Sterling B2B Interator vulnerable to multiple issues due to jQuery
* IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364)
* IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758)
* IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509)
* IBM Security Guardium is affected by multiple vulnerabilities
* IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690, CVE-2014-8152)
* IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Security (CVE-2022-31692, CVE-2022-22978)
* June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.
* Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-21628, CVE-2022-21626)
* Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023
* SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* The dashboard UI of IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-22876)
* There is a vulnerability in Apache Commons BCEL used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-42920)
* Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1)
* Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1)
* Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-3509, CVE-2022-3171)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ [R1] Tenable Plugin Feed ID #202212081952 Fixes Arbitrary Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-14
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 09-03-2023 18:00 − Freitag 10-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security: Github führt verpflichtende 2FA ein ∗∗∗
---------------------------------------------
Wer von Github ausgewählt wurde, muss die Zwei-Faktor-Authentifizierung (2FA) innerhalb von 45 Tagen einrichten.
---------------------------------------------
https://www.golem.de/news/security-github-fuehrt-verpflichtende-2fa-ein-230…
∗∗∗ Schwachstellen in Bitwarden Password-Manager-Browserweiterung können Passwörter verraten ∗∗∗
---------------------------------------------
Nutzer des Passwort-Managers Bitwarden laufen in das Risiko, dass die Auto-Fill-Funktion beim Besuch von Webseiten Anmeldeinformationen leckt. Bösartige Webseiten könnten über ein in vertrauenswürdigen Seiten eingebettetes IFRAME Anmeldeinformation stehlen und an einen Angreifer senden.
---------------------------------------------
https://www.borncity.com/blog/2023/03/10/schwachstellen-in-bitwarden-passwo…
∗∗∗ New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic ∗∗∗
---------------------------------------------
The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.
---------------------------------------------
https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html
∗∗∗ EJS - Server Side Prototype Pollution gadgets to RCE ∗∗∗
---------------------------------------------
Last month (February 2023), I took a look into NodeJS HTML templating libraries. During my research, I found an interesting Server Side Prototype Pollution (SSPP) gadget in the EJS library which can be leveraged to RCE. After finding this issue, I spent a week searching for an SSPP in express core or dependencies, but I didnt find any issue. Thats why, after reporting this issue to the repository maintainer, Im making an article to explain technical details.
---------------------------------------------
https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce
∗∗∗ How to Avoid LDAP Injection Attacks ∗∗∗
---------------------------------------------
The key vulnerability that puts an application at risk of LDAP injection is improperly processed user input. Applications that don’t sanitize or validate user input are open to LDAP injection attacks because of the structure of LDAP statements and queries.
---------------------------------------------
https://www.trendmicro.com/en_us/devops/23/c/avoid-ldap-injection-attacks.h…
∗∗∗ The Silent Spy Among Us: Modern Attacks Against Smart Intercoms ∗∗∗
---------------------------------------------
What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project that uncovered 13 vulnerabilities in the popular Akuvox E11. The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold.
---------------------------------------------
https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-…
∗∗∗ Multi-Technology Script Leading to Browser Hijacking ∗∗∗
---------------------------------------------
[..] in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don’t know where it’s coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT
---------------------------------------------
https://isc.sans.edu/diary/rss/29620
∗∗∗ The oldest privesc: injecting careless administrators terminals using TTY pushback ∗∗∗
---------------------------------------------
This trick is possibly the oldest security bug that still exists today, it’s been traced as far back as 1985. It’s been discovered and rediscovered and re-rediscovered by sysadmins, developpers and pentesters every few years for close to 4 decades now. It’s been subject to multiple developper battles, countless posts, but still remains largely forgotten. This is just another attempt at shedding light on it, for both attackers and defenders.
---------------------------------------------
https://www.errno.fr/TTYPushback.html
∗∗∗ When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About ∗∗∗
---------------------------------------------
Multi-factor Authentication (MFA) has long ago become a standard security practice. [..] While compatible with RDP connection and local desktop logins, they offer no protection to remote command line access tools like PsExec, Remote PowerShell and their likes. [..] In this article well explore this blind spot, understand its root cause and implications, and view the different options security teams can overcome it to maintain their environments protected.
---------------------------------------------
https://thehackernews.com/2023/03/when-partial-protection-is-zero.html
∗∗∗ Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation) ∗∗∗
---------------------------------------------
The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation (described in this blog post), or to translate to arbitrary code execution from argument injection, file overwrites, etc.
---------------------------------------------
https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.…
∗∗∗ Unauthorized access to Codespace secrets in GitHub ∗∗∗
---------------------------------------------
We identified a security issue in GitHub’s Repository Security Advisory feature (https://docs.github.com/en/code-security/security-advisories/repository-sec…) that allowed us to retrieve plaintext Codespace secrets of any organization including GitHub.
---------------------------------------------
https://ophionsecurity.com/blog/access-organization-secrets-in-github
∗∗∗ Pirated copies of Final Cut Pro infect Macs with cryptojacking malware ∗∗∗
---------------------------------------------
Torrents on The Pirate Bay which claim to contain Final Cut Pro are instead being used to distribute malware, designed to infect your Mac with cryptojacking malware.
---------------------------------------------
https://grahamcluley.com/pirated-copies-of-final-cut-pro-infect-macs-with-c…
∗∗∗ GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers ∗∗∗
---------------------------------------------
New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility.
---------------------------------------------
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/
∗∗∗ Netcat Attack Cases Targeting MS-SQL Servers (LOLBins) ∗∗∗
---------------------------------------------
ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike.
---------------------------------------------
https://asec.ahnlab.com/en/49249/
∗∗∗ Everything You Didn’t Know About Cross-Account and Cross-Cloud Provider Attacks ∗∗∗
---------------------------------------------
Wait, did you say ‘Cross-Cloud Provider Attacks’? Yes, this is actually a growing type of attack path: As organizations increasingly adopt multiple cloud platforms, their lack of security visibility across the clouds makes them a sitting target for these types of attacks.
---------------------------------------------
https://orca.security/resources/blog/cross-account-cross-provider-attack-pa…
∗∗∗ Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices ∗∗∗
---------------------------------------------
Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.
---------------------------------------------
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and wireless-regdb), Fedora (caddy, python-cryptography, and redis), Oracle (gnutls), SUSE (hdf5, opera, python-Django, redis, tomcat, and xen), and Ubuntu (apache2 and snakeyaml).
---------------------------------------------
https://lwn.net/Articles/925840/
∗∗∗ IBM Security Bulletins 2023-03-10 ∗∗∗
---------------------------------------------
* Apache Commons Beanutils (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2019-10086, CVE-2014-0114)
* Apache Commons FileUpload (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2023-24998)
* Apache Commons IO (Publicly disclosed vulnerability) Affects IBM eDiscovery Manager (CVE-2021-29425)
* IBM MQ is affected by a vulnerability in Apache Commons Net (CVE-2021-37533)
* IBM QRadar WinCollect agent has multiple vulnerabilities
* IBM QRadar Wincollect agent is vulnerable to server side request forgery (SSRF) (CVE-2022-43879)
* IBM SDK, Java Technology Edition, Security Update February 2023
* multiple vulnerabilities in Java SE may affect CICS TX Advanced
* multiple vulnerabilities in Java SE may affect CICS TX Standard
* multiple vulnerabilities in Java SE may affect TXSeries for Multiplatforms
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Advanced
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Standard
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect TXSeries for Multiplatforms
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Advanced
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Standard
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect TXSeries for Multiplatforms
* Watson CP4D Data Stores is vulnerable to jackson-databind due to FasterXML jackson-databind before 2.14.0-rc1 ( CVE-2022-42003 )
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ [R1] Nessus Agent Version 10.3.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-12
∗∗∗ [R1] Nessus Agent Version 8.3.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-13
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 08-03-2023 18:00 − Donnerstag 09-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft Word RCE-Lücke könnte auch Microsoft Outlook betreffen ∗∗∗
---------------------------------------------
Laut einem Bericht bei borncity könnte die mit dem Februar-Patchday gefixte Remote Code Execution - Lücke in Microsoft Word auch Microsoft Outlook (zumindest 2013) betreffen - auch wenn die Februar-Patches eingespielt wurden. Noch sind nicht alle Details dazu klar, wir raten Outlook-Nutzer:innen momentan aber trotzdem dringend dazu die Empfehlungen von Microsoft dazu umzusetzen, und Outlook so zu konfigurieren, dass Mails als reiner Text dargestellt werden.
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/microsoft-word-rce-lucke-konnte-auch-mi…
∗∗∗ IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks ∗∗∗
---------------------------------------------
A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
---------------------------------------------
https://thehackernews.com/2023/03/icefire-linux-ransomware.html
∗∗∗ Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware ∗∗∗
---------------------------------------------
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems.
---------------------------------------------
https://thehackernews.com/2023/03/hackers-exploiting-remote-desktop.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal: Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009 ∗∗∗
---------------------------------------------
This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it. If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-009
∗∗∗ Oracle Database Vault Protected Table With Realm Data Extraction Vulnerability ∗∗∗
---------------------------------------------
This security issue is fixed from 21c on-wards [ I think back-port patch was released in October 2022 CPU cycle]. Still Exists in 19c (so far from version 19.18 and below). DB Vault is a security feature in Oracle that attempts to restrict “SYS” account power , in addition DB Vault will ensure seperation of duties in place such as account management and authorization can’t be performed by the DBA through SYS account anymore.
---------------------------------------------
https://databasesecurityninja.wordpress.com/2023/03/07/oracle-database-vaul…
∗∗∗ Ivanti Avalanche: Security Alert - CVE-2022-44574 – Authentication Bypass for Remote Control RCServlet ∗∗∗
---------------------------------------------
This vulnerability enables an attacker to overwrite credentials which gives access to a Web Panel. This vulnerability affects all Avalanche Premise versions 6.3.x and below. This vulnerability has a CVE score of 6.5.
---------------------------------------------
https://forums.ivanti.com/s/article/Avalanche-ZDI-CAN-19513-Security-Adviso…
∗∗∗ Foxit PDF Editor: Lücken erlauben einschleusen von Schadcode ∗∗∗
---------------------------------------------
Sicherheitslücken in Foxit PDF Editor ermöglichen Angreifern, mit manipulierten PDF-Dateien Schadcode einzuschmuggeln und auszuführen. Ein Update steht bereit.
---------------------------------------------
https://heise.de/-7540068
∗∗∗ Home Assistant: Sicherheitslücke entdeckt und geschlossen ∗∗∗
---------------------------------------------
Wer den Home Assistant mit Supervisor benutzt, sollte sein System jetzt aktualisieren. Ansonsten könnten Eindringlinge sich daran zu schaffen machen.
---------------------------------------------
https://heise.de/-7540500
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel, pesign, samba, and zlib), Oracle (kernel), Slackware (httpd), SUSE (emacs, libxslt, nodejs12, nodejs14, nodejs16, openssl, poppler, python-py, python-wheel, xen, and xorg-x11-server), and Ubuntu (linux-gcp-5.4, linux-gkeop, opusfile, and samba).
---------------------------------------------
https://lwn.net/Articles/925723/
∗∗∗ Cloud Pak for Security uses packages that are vulnerable to multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6551876
∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962195
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962201
∗∗∗ A vulnerability exists in IBM Robotic Process Automation where Queue Provider credentials are not obfuscated during editing (CVE-2023-25680) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962207
∗∗∗ IBM Robotic Process Automation for Cloud Pak may be vulnerable to a denial of service due to ISC BIND (CVE-2022-38177, CVE-2022-38178). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962223
∗∗∗ Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6536732
∗∗∗ Multiple Vulnerabilities in IBM HTTP Server affect WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962383
∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962407
∗∗∗ June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962411
∗∗∗ z\/Transaction Processing Facility is affected by vulnerabilities in the Apache Kafka (kafka-clients) and cryptography packages ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962437
∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962195
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to incorrect default permissions (CVE-2022-46774) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962455
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 07-03-2023 18:00 − Mittwoch 08-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ What is a Website Defacement? ∗∗∗
---------------------------------------------
Defacement is easily one the most obvious signs of a hacked website. In these attacks, bad actors gain unauthorized access to an environment and leave their mark through digital vandalism, altering its visual appearance or content in the process.
---------------------------------------------
https://blog.sucuri.net/2023/03/what-is-website-defacement.html
∗∗∗ Persistence – Event Log Online Help ∗∗∗
---------------------------------------------
Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is used mainly for troubleshooting windows errors by administrators could be also used as a form a persistence during red team operations.
---------------------------------------------
https://pentestlab.blog/2023/03/07/persistence-event-log-online-help/
∗∗∗ „Lidl Frauentagsgeschenk“: Fake-Gewinnspiel zum Frauentag ∗∗∗
---------------------------------------------
Derzeit verbreiten WhatsApp-, Messenger- oder Viber-Nutzer:innen unwissentlich einen Link mit einem betrügerischen Gewinnspiel unter ihren Kontakten. Angeblich verlost die Supermarktkette „Lidl“ anlässlich des Frauentags am 8.März „viele Geldgeschenke“, wie es in der Nachricht heißt. Klicken Sie nicht auf den Link. Kriminelle versuchen Schadsoftware auf Ihrem Gerät zu installieren!
---------------------------------------------
https://www.watchlist-internet.at/news/lidl-frauentagsgeschenk-fake-gewinns…
∗∗∗ GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP ∗∗∗
---------------------------------------------
ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs.
---------------------------------------------
https://asec.ahnlab.com/en/48940/
=====================
= Vulnerabilities =
=====================
∗∗∗ Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002) ∗∗∗
---------------------------------------------
Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to login as any Site Member or System User.
---------------------------------------------
https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
∗∗∗ ABB Substation management unit COM600 IEC-104 protocol stack vulnerability ∗∗∗
---------------------------------------------
Hitachi Energy disclosed a vulnerability (CVE-2022-29492) that affects certain HE products. This vulnerability also affects the IEC 68070-5-104 (IEC-104) protocol stack of ABB Substation Management Unit COM600. Subsequently, a successful exploit could allow attackers to cause a denial-of-service attack against the COM600 product.
---------------------------------------------
https://web.apsis.one/wve/68c20aba-1b85-416f-bf3f-ce8b1779c260
∗∗∗ CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE ∗∗∗
---------------------------------------------
Aqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victims Jenkins server, potentially leading to a complete compromise of the Jenkins server.
---------------------------------------------
https://blog.aquasec.com/jenkins-server-vulnerabilities
∗∗∗ Problematische Sicherheitslücke in Apples GarageBand ∗∗∗
---------------------------------------------
Die kostenlose Musikproduktionssoftware von Apple lässt sich offenbar angreifen. Nutzer unter macOS sollten schnell aktualisieren.
---------------------------------------------
https://heise.de/-7538801
∗∗∗ Patchday: Fortinet dichtet 15 Schwachstellen ab, davon eine kritische ∗∗∗
---------------------------------------------
Der Patchday bei Fortinet bringt IT-Verantwortlichen Updates zum Schließen von 15 Sicherheitslücken. Eine davon ist kritisch und erlaubt Einschleusen von Code.
---------------------------------------------
https://heise.de/-7538910
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apr), Fedora (c-ares), Oracle (curl, kernel, pesign, samba, and zlib), Red Hat (curl, gnutls, kernel, kernel-rt, and pesign), Scientific Linux (kernel, pesign, samba, and zlib), SUSE (libX11, python-rsa, python3, python36, qemu, rubygem-rack, xorg-x11-server, and xwayland), and Ubuntu (libtpms, linux-ibm, linux-raspi, linux-raspi, python3.7, python3.8, and sofia-sip).
---------------------------------------------
https://lwn.net/Articles/925606/
IBM Security Bulletins 2023-03-08
---------------------------------------------
IBM Robotic Process Automation, IBM WebSphere, IBM MQ, Financial Transaction Manager, IBM VM Recovery Manager, IBM Aspera faspio Gateway, IBM Security Verify Bridge, IBM Spectrum Scale, IBM Security Guardium.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Veeam fixt kritische Schwachstelle CVE-2023-27532 in Backup & Replication V11a/V12 ∗∗∗
---------------------------------------------
Kleiner Hinweis für Nutzer der Backup-Software des Herstellers Veeam. Dieser hat zum 7. März 2023 eine kritische Schwachstelle (CVE-2023-27532) in seinem Produkt Backup & Replication in den Versionen V11a/V12 per Update behoben.
---------------------------------------------
https://www.borncity.com/blog/2023/03/08/veeam-fixt-kritische-schwachstelle…
∗∗∗ Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN82424996/
∗∗∗ Cisco IOS XR Software for ASR 9000 Series Routers Bidirectional Forwarding Detection Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Nessus Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-11
∗∗∗ [R1] Nessus Version 8.15.9 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-10
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 06-03-2023 18:00 − Dienstag 07-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Proof-of-Concept released for critical Microsoft Word RCE bug ∗∗∗
---------------------------------------------
A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/proof-of-concept-released-fo…
∗∗∗ Old Windows ‘Mock Folders’ UAC bypass used to drop malware ∗∗∗
---------------------------------------------
A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac…
∗∗∗ Sheins Android App Caught Transmitting Clipboard Data to Remote Servers ∗∗∗
---------------------------------------------
An older version of Sheins Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server.The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022.
---------------------------------------------
https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.ht…
∗∗∗ SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors."The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..]
---------------------------------------------
https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.ht…
∗∗∗ Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing ∗∗∗
---------------------------------------------
Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).
---------------------------------------------
https://www.securityweek.com/exploitation-of-critical-vulnerability-in-end-…
∗∗∗ Werbung für neue Fake-Investment-Plattform "TradeGPT" auf Facebook, Instagram & Co. ∗∗∗
---------------------------------------------
Kriminelle bewerben auf Instagram, Facebook und Co. betrügerische Investitionsplattformen wie trade-gpt.ai oder financialpronews.com. In den Fake-Beiträgen wird eine neue Trading-Plattform, entwickelt von Elon Musk und OpenAI, vorgestellt. Die Plattform mit dem Namen "TradeGPT" erleichtert angeblich „einfachen Menschen“ den Einstieg in den Aktien- und Rohstoffhandel. Die Plattform hat nichts mit Elon Musk oder OpenAI zu tun und ist betrügerisch!
---------------------------------------------
https://www.watchlist-internet.at/news/werbung-fuer-neue-fake-investment-pl…
∗∗∗ Betrugsmasche gegen Verrechnung ∗∗∗
---------------------------------------------
Certitude nimmt eine Häufung von Online-Betrug gegen die Verrechnungsabteilungen von österreichischen Unternehmen wahr. Angreifer erwirken die Änderungen der Kontodaten von Lieferanten bei deren Kunden durch Social Engineering per E-Mail. Häufig betragen die Schadenssummen mehrere hunderttausend Euro und führen zu Rechtsstreitigkeiten zwischen den betroffenen Unternehmen.
---------------------------------------------
https://certitude.consulting/blog/de/betrugsmasche-gegen-verrechnung/
∗∗∗ Using Memory Analysis to Detect EDR-Nullifying Malware ∗∗∗
---------------------------------------------
One tool Trend Micro described, dubbed “AVBurner”, used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis.
---------------------------------------------
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-ed…
=====================
= Vulnerabilities =
=====================
∗∗∗ Benutzt hier jemand SHA-3? Die Referenzimplementation ... ∗∗∗
---------------------------------------------
Benutzt hier jemand SHA-3? Die Referenzimplementation hat einen Integer Overflow.
---------------------------------------------
http://blog.fefe.de/?ts=9af9c7a3
∗∗∗ Multiple vulnerabilities in PostgreSQL extension module pg_ivm ∗∗∗
---------------------------------------------
* Exposure of sensitive information to an unauthorized actor - CVE-2023-22847
* Uncontrolled search path element - CVE-2023-23554
---------------------------------------------
https://jvn.jp/en/jp/JVN19872280/
∗∗∗ ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-212/
∗∗∗ ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-214/
∗∗∗ Patchday: Kritische System-Lücken bedrohen Android 11, 12 und 13 ∗∗∗
---------------------------------------------
Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Im schlimmsten Fall könnten Angreifer Schadcode ausführen.
---------------------------------------------
https://heise.de/-7537197
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff).
---------------------------------------------
https://lwn.net/Articles/925469/
∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-053/
∗∗∗ WordPress BuddyForms Plugin — Unauthenticated Insecure Deserialization (CVE-2023–26326) ∗∗∗
---------------------------------------------
https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthentic…
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952319
∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959369
∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960473
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960481
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960485
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960493
∗∗∗ IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960495
∗∗∗ IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960511
∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828569
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 03-03-2023 18:00 − Montag 06-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Fake-Shops fälschen Zahlung mit Klarna ∗∗∗
---------------------------------------------
Die Fake-Shops scheubner.net und profibikes.de wirken sehr professionell. Vor allem die Möglichkeit mit Klarna zu bezahlen, wiegt viele in Sicherheit. Die Shops fälschen aber den Klarna-Zahlungsprozess. Geben Sie Ihre Zugangsdaten auf der nachgebauten Klarna-Zahlungsseite ein, landen diese bei Kriminellen.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-faelschen-zahlung-mit-kla…
∗∗∗ DCOM-Härtung (CVE-2021-26414) zum 14. März 2023-Patchday für Windows 10/11 und Server ∗∗∗
---------------------------------------------
Kleine Erinnerung für Administratoren von Windows in Unternehmensumgebungen. In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle (Windows DCOM Server Security Feature Bypass, CVE-2021-26414), die eine Umgehung der Sicherheitsfunktionen ermöglichte. Microsoft hat das 2021 dokumentiert, und dann auch gepatcht, wobei das Schließen dieser Schwachstelle in mehreren Stufen erfolgt. Kürzlich wurde ich erinnert, dass Microsoft am 14. März 2023 einen letzten Patch freigeben wird, der die Möglichkeit zum Abschalten dieser DCOM-Härtung entfernt.
---------------------------------------------
https://www.borncity.com/blog/2023/03/05/dcom-hrtung-cve-2021-26414-zum-14-…
∗∗∗ Magbo Spam Injection Encoded with hex2bin ∗∗∗
---------------------------------------------
We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection.
---------------------------------------------
https://blog.sucuri.net/2023/03/magbo-spam-injection-encoded-with-hex2bin.h…
∗∗∗ New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims ∗∗∗
---------------------------------------------
A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...]
---------------------------------------------
https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.ht…
∗∗∗ How to prevent Microsoft OneNote files from infecting Windows with malware ∗∗∗
---------------------------------------------
The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-one…
∗∗∗ Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears ∗∗∗
---------------------------------------------
In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems.
---------------------------------------------
https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-nove…
=====================
= Vulnerabilities =
=====================
∗∗∗ strongSwan Vulnerability (CVE-2023-26463) ∗∗∗
---------------------------------------------
A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets.
---------------------------------------------
https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-20…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield).
---------------------------------------------
https://lwn.net/Articles/925323/
∗∗∗ Multiple Vulnerabilities in Arris DG3450 Cable Gateway ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959963
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959973
∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952319
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960159
∗∗∗ Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960175
∗∗∗ IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960189
∗∗∗ Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960201
∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960211
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability ( CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960213
∗∗∗ Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/258535
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/258547
∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix October 2015 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/273103
∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/278361
∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/541019
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 02-03-2023 18:00 − Freitag 03-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FBI and CISA warn of increasing Royal ransomware attack risks ∗∗∗
---------------------------------------------
CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-increas…
∗∗∗ Persistence Techniques That Persist ∗∗∗
---------------------------------------------
In this blog post, we will focus on how malware can achieve persistence by abusing the Windows Registry. Specifically, we will focus on lesser-known techniques, many of which have been around since the days of Windows XP and are just as effective today on Windows 10 and 11.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/persistence-techniq…
∗∗∗ NIST Cybersecurity Framework 2.0: Aktualisierte Leitlinien gegen Cybercrime ∗∗∗
---------------------------------------------
Weil sich die IT-Angriffslandschaft stetig ändert, hat das US-amerikanische Institute of Standards and Technology sein Cybersecurity-Framework aktualisiert.
---------------------------------------------
https://heise.de/-7534206
∗∗∗ FAQ: Welche Cyberangriffe es gibt und wie sich Risiken vermeiden lassen ∗∗∗
---------------------------------------------
Cyberangriffe können jeden betreffen, doch mit ein paar einfachen Maßnahmen können Sie Ihr persönliches Risiko zumindest minimieren.
---------------------------------------------
https://heise.de/-7523370
∗∗∗ Thousands of Websites Hijacked Using Compromised FTP Credentials ∗∗∗
---------------------------------------------
Cybersecurity startup Wiz warns of a widespread redirection campaign in which thousands of websites have been compromised using legitimate FTP credentials.
---------------------------------------------
https://www.securityweek.com/thousands-of-websites-hijacked-using-compromis…
∗∗∗ Of Degens and Defrauders: Using Open-Source Investigative Tools to Investigate Decentralized Finance Frauds and Money Laundering. (arXiv:2303.00810v1 [cs.CR]) ∗∗∗
---------------------------------------------
This study demonstrates how open-source investigative tools can extract transaction-based evidence that could be used in a court of law to prosecute DeFi frauds. Additionally, we investigate how these funds are subsequently laundered.
---------------------------------------------
http://arxiv.org/abs/2303.00810
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-03-03 ∗∗∗
---------------------------------------------
IBM Cloud Pak, IBM Financial Transaction Manager, Operations Dashboard, IBM App Connect Enterprise Certified Container, IBM Sterling Connect:Express, IBM HTTP Server, IBM Spectrum Control, IBM Aspera Faspex, IBM SAN, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, IBM Maximo, IBM WebSphere Remote Server, IBM Business Automation Workflow, Rational Functional Tester.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Schadcode-Attacken auf HPE Serviceguard unter Linux möglich ∗∗∗
---------------------------------------------
Die Entwickler haben in Serviceguard for Linux von HPE drei Sicherheitslücken geschlossen. Abgesicherte Version stehen zum Download bereit.
---------------------------------------------
https://heise.de/-7534361
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-5.10 and node-css-what), SUSE (gnutls, google-guest-agent, google-osconfig-agent, nodejs10, nodejs14, nodejs16, opera, pkgconf, python-cryptography, python-cryptography-vectors, rubygem-activesupport-4_2, thunderbird, and tpm2-0-tss), and Ubuntu (git, kernel, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-lowlatency, linux-oracle, linux-azure-fde, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, php7.0, python-pip, ruby-rack, spip, and sudo).
---------------------------------------------
https://lwn.net/Articles/925060/
∗∗∗ Lücken in Intel-CPUs: Microsoft veröffentlicht außerplanmäßiges Sicherheitsupdate ∗∗∗
---------------------------------------------
Es soll insgesamt vier Lücken stopfen. Die Schwachstellen sind allerdings schon seit Juni 2022 bekannt. Betroffen sind Windows 10, Windows 11 und Windows Server.
---------------------------------------------
https://www.zdnet.de/88407530/luecken-in-intel-cpus-microsoft-veroeffentlic…
∗∗∗ [R1] Nessus Version 10.5.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-09
∗∗∗ BOSCH-SA-931197: Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-931197.html
∗∗∗ SonicOS SSLVPN Improper Restriction of Excessive MFA Attempts Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0005
∗∗∗ SonicOS Unauthenticated Stack-Based Buffer Overflow Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 01-03-2023 18:00 − Donnerstag 02-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ YARA: Detect The Unexpected ..., (Thu, Mar 2nd) ∗∗∗
---------------------------------------------
He has strings to detected any embedded file, and strings to detect embedded PNG files, JPEG files, ...
So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences.
---------------------------------------------
https://isc.sans.edu/diary/rss/29598
∗∗∗ SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics ∗∗∗
---------------------------------------------
The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system.
---------------------------------------------
https://thehackernews.com/2023/03/sysupdate-malware-strikes-again-with.html
∗∗∗ This Hacker Tool Can Pinpoint a DJI Drone Operators Exact Location ∗∗∗
---------------------------------------------
Every DJI quadcopter broadcasts its operators position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates.
---------------------------------------------
https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/
∗∗∗ Helping Cyber Defenders “Decide” to Use MITRE ATT&CK ∗∗∗
---------------------------------------------
Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support more than just optimized cyber threat intelligence to the cybersecurity community. To match these advances, CISA recently published a second edition of our mapping guide and today announces a new accompaniment to the guide, CISA’s Decider tool.
---------------------------------------------
https://www.cisa.gov/news-events/news/helping-cyber-defenders-decide-use-mi…
∗∗∗ Application SecurityCase StudiesCloud Native SecurityVulnerabilities Gitpod remote code execution 0-day vulnerability via WebSockets ∗∗∗
---------------------------------------------
This article walks us through a current Snyk Security Labs research project focusing on cloud based development environments (CDEs) — which resulted in a full workspace takeover on the Gitpod platform and extended to the user’s SCM account. The issues here have been responsibly disclosed to Gitpod and were resolved within a single working day
---------------------------------------------
https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/
∗∗∗ CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organizations cyber posture.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
∗∗∗ Tainted Love: A Systematic Review of Online Romance Fraud. (arXiv:2303.00070v1 [cs.HC]) ∗∗∗
---------------------------------------------
Romance fraud involves cybercriminals engineering a romantic relationship ononline dating platforms. It is a cruel form of cybercrime whereby victims areleft heartbroken, often facing financial ruin. We characterise the literarylandscape on romance fraud, advancing the understanding of researchers andpractitioners by systematically reviewing and synthesising contemporaryqualitative and quantitative evidence.
---------------------------------------------
http://arxiv.org/abs/2303.00070
∗∗∗ Dishing Out DoS: How to Disable and Secure the Starlink User Terminal. (arXiv:2303.00582v1 [cs.CR]) ∗∗∗
---------------------------------------------
Satellite user terminals are a promising target for adversaries seeking totarget satellite communication networks. Despite this, many protectionscommonly found in terrestrial routers are not present in some user terminals.As a case study we audit the attack surface presented by the Starlinkrouters admin interface, using fuzzing to uncover a denial of service attackon the Starlink user terminal.
---------------------------------------------
http://arxiv.org/abs/2303.00582
=====================
= Vulnerabilities =
=====================
∗∗∗ Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008 ∗∗∗
---------------------------------------------
Project: Group control for forums
Security risk: Critical
Description: This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics. Solution: Install the latest version
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-008
∗∗∗ Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007 ∗∗∗
---------------------------------------------
Project: Thunder
Security risk: Moderately critical
Description: Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.The module doesnt sufficiently check access when serving user data via graphql leading to an access bypass vulnerability
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-007
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (git), Debian (spip), Fedora (epiphany), Mageia (binwalk, chromium-browser-stable, crmsh, emacs, libraw, libtiff, nodejs, pkgconf, tar, and vim), Oracle (kernel and systemd), SUSE (emacs, kernel, nrpe, and rubygem-activerecord-4_2), and Ubuntu (c-ares, git, postgresql-12, postgresql-14, and sox).
---------------------------------------------
https://lwn.net/Articles/924922/
∗∗∗ Kritische Sicherheitslücken in ArubaOS - Updates teilweise verfügbar ∗∗∗
---------------------------------------------
Da Angreifende auf betroffenen Geräten beliebigen Code ausführen können, sind alle auf diesen Geräten befindlichen und darüber erreichbaren Daten gefährdet. Da es sich um Netzwerkkomponenten handelt, sind auch Szenarien denkbar wo darüber fliessende Daten gelesen, beeinträchtigt und/oder verändert werden können.
---------------------------------------------
https://cert.at/de/warnungen/2023/3/kritische-sicherheitslucken-in-arubaos-…
∗∗∗ Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-006
∗∗∗ ABB: Improper authentication vulnerability in S+ Operations (CVE ID: CVE-2023-0228) ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=7PAA0…
∗∗∗ IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6590487
∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959353
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959355
∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959369
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957836
∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959357
∗∗∗ There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959359
∗∗∗ Persistent cross-site scripting vulnerability affect IBM Business Automation Workflow - CVE-2023-22860 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958691
∗∗∗ Vulnerability in bind affects IBM Integrated Analytics System [CVE-2022-2795] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959567
∗∗∗ IBM Cloud Pak for Network Automation v2.4.4 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959583
∗∗∗ There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959601
∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU and IBM Java - OpenJ9 CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959625
∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848317
∗∗∗ IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956299
∗∗∗ Operations Dashboard is vulnerable to denial of service and response splitting due to vulnerabilities in Netty (CVE-2022-41881 and CVE-2022-41915) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959639
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 28-02-2023 18:00 − Mittwoch 01-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ TPM-2.0-Spezifikationen: Angreifer könnten Schadcode auf TPM schmuggeln ∗∗∗
---------------------------------------------
In die Spezifikation der TPM-2.0-Referenzbibliothek haben sich Fehler eingeschlichen. Angreifer könnten verwundbaren Implementierungen eigenen Code unterjubeln.
---------------------------------------------
https://heise.de/-7531171
∗∗∗ Finish him! Kostenloses Entschlüsselungstool besiegt MortalKombat-Ransomware ∗∗∗
---------------------------------------------
Kaum hat der Erpressungstrojaner MortalKombat das Licht der Welt erblickt, holen Sicherheitsforscher zum finalen Schlag aus.
---------------------------------------------
https://heise.de/-7531337
∗∗∗ Gefälschter PayLife-Login in Anzeigen bei Google-Suche! ∗∗∗
---------------------------------------------
PayLife-User:innen aufgepasst: Kriminelle schalten aktuell Werbung auf Google, welche auf eine gefälschte PayLife-Website führt. Ein kleiner Tippfehler reicht aus, um die betrügerische Werbung als erstes Ergebnis angezeigt zu bekommen. Wer die eigenen Login-Daten auf der Phishing-Seite eingibt, ermöglicht es den Kriminellen, Zahlungen zu tätigen. Das Geld ist verloren!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschter-paylife-login-in-anzeig…
∗∗∗ The dangers from across browser-windows ∗∗∗
---------------------------------------------
Beim Durchsuchen des Webs versucht Ihr Browser, Sie bestmöglich zu schützen, aber manchmal scheitert er daran, wenn er nicht ordnungsgemäß von der Website angewiesen wird, die Sie besuchen. Einer der wichtigsten Sicherheitsmechanismen des Browsers ist die Same-Origin Policy [1][2][3] (SOP), die einschränkt, wie Skripte und Dokumente aus einer Ursprungsquelle mit Ressourcen und Dokumenten aus einer [...]
---------------------------------------------
https://certitude.consulting/blog/de/the-dangers-from-across-browser-window…
∗∗∗ BlackLotus UEFI-Bootkit überwindet Secure Boot in Windows 11 ∗∗∗
---------------------------------------------
Sicherheitsforscher von ESET haben eine BlackLotus getaufte Malware in freier Wildbahn entdeckt, die sich des UEFI bemächtigt. BlackLotus dürfte die erste UEFI-Bootkit-Malware in freier Wildbahn sein, die Secure Boot unter Windows 11 (und wohl auch Windows 10) aushebeln kann.
---------------------------------------------
https://www.borncity.com/blog/2023/03/01/blacklotus-uefi-bootkit-berwindet-…
∗∗∗ CISA: ZK Java Framework RCE Flaw Under Active Exploit ∗∗∗
---------------------------------------------
The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.
---------------------------------------------
https://www.darkreading.com/risk/cisa-zk-java-framework-rce-flaw-under-acti…
∗∗∗ SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft ∗∗∗
---------------------------------------------
The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
---------------------------------------------
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
∗∗∗ DNS abuse: Advice for incident responders ∗∗∗
---------------------------------------------
What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers.
---------------------------------------------
https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-re…
∗∗∗ Google Cloud Platform allows data exfiltration without a (forensic) trace ∗∗∗
---------------------------------------------
Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP’s storage access logs, Mitiga researchers have discovered. [...] In short, the main problem is that GCP’s basic storage logs – which are, by the way, not enabled by default – use the same description/event (objects.get) for [...]
---------------------------------------------
https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/
∗∗∗ Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads ∗∗∗
---------------------------------------------
The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements [...]
---------------------------------------------
https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-…
∗∗∗ The Level of Human Engagement Behind Automated Attacks ∗∗∗
---------------------------------------------
Even automated attacks are driven by humans, but the level of engagement we observed may surprise you! When the human or an organization behind an automated attack shows higher levels of innovation and sophistication in their attack tactics, the danger increases dramatically as they are no longer simply employing an opportunistic “spray and pray” strategy, but rather more highly evolved strategies that are closer to a so-called targeted attack.
---------------------------------------------
https://www.gosecure.net/blog/2023/02/28/the-level-of-human-engagement-behi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools and syslog-ng), Fedora (gnutls and guile-gnutls), Oracle (git, httpd, lua, openssl, php, python-setuptools, python3.9, sudo, tar, and vim), Red Hat (kpatch-patch), Scientific Linux (git), SUSE (compat-openssl098, glibc, openssl, postgresql13, python-Django, webkit2gtk3, and xterm), and Ubuntu (awstats, expat, firefox, gnutls28, lighttpd, php7.2, php7.4, php8.1, python-pip, and tar).
---------------------------------------------
https://lwn.net/Articles/924794/
∗∗∗ Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products ∗∗∗
---------------------------------------------
Several ThingWorx and Kepware products are affected by two vulnerabilities that can be exploited for DoS attacks and unauthenticated remote code execution. The post Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products appeared first on SecurityWeek.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-patched-in-thingworx-…
∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Webex App for Web Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Intelligence Center Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ TPM 2.0 Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500551-TPM-20-VULNERABILITIES
∗∗∗ Nuvoton TPM Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500550-NUVOTON-TPM-DENIAL-OF-…
∗∗∗ Malicious IKEv2 packet by authenticated peer can cause libreswan to restart ∗∗∗
---------------------------------------------
https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 5.23.1: SC-202303.1-5 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-08
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 6.0.0: SC-202303.1-6 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-07
∗∗∗ IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856457
∗∗∗ DataPower Operator vulnerable to Denial of Service (CVE-2022-41724) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958490
∗∗∗ Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958504
∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-22389, CVE-2022-25313, CVE-2022-25236, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235 and CVE-2022-22390) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959019
∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959033
∗∗∗ IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958701
∗∗∗ IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957688
∗∗∗ IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957686
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 27-02-2023 18:00 − Dienstag 28-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical flaws in WordPress Houzez theme exploited to hijack websites ∗∗∗
---------------------------------------------
Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-…
∗∗∗ New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware ∗∗∗
---------------------------------------------
Threat actors are promoting a new Exfiltrator-22 post-exploitation framework designed to spread ransomware in corporate networks while evading detection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-expl…
∗∗∗ Passwortmanager: Lastpass teilt weitere Details zum Dezember-Hack mit ∗∗∗
---------------------------------------------
Über einen Keylogger auf einem Privatrechner konnten Angreifer Adminzugriff auf diverse Lastpass-Kundendaten und dessen Quellcode erhalten.
---------------------------------------------
https://www.golem.de/news/passwortmanager-lastpass-teilt-weitere-details-zu…
∗∗∗ Side-Channel Attack against CRYSTALS-Kyber ∗∗∗
---------------------------------------------
CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/02/side-channel-attack-against-…
∗∗∗ CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests.
---------------------------------------------
https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html
∗∗∗ A Complete Kubernetes Config Review Methodology ∗∗∗
---------------------------------------------
The are many resources out there that tap into the subject of Kubernetes Pentesting or Configuration Review, however, they usually detail specific topics and misconfigurations and don’t offer a broad perspective on how to do a complete Security Review. That is why in this article I want to cover a more complete overview on all the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment.
---------------------------------------------
https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-meth…
∗∗∗ Vulnerabilities Being Exploited Faster Than Ever: Analysis ∗∗∗
---------------------------------------------
The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ev…
∗∗∗ Konzertkarten auf Facebook kaufen: Vorsicht vor Betrug ∗∗∗
---------------------------------------------
Facebook ist eine beliebte Anlaufstelle, um Karten für ausverkaufte Konzerte zu ergattern. Bedenken Sie aber, dass hinter vielen Angeboten Fake-Profile stecken. Überprüfen Sie das Profil der Verkäufer:innen sehr genau und bezahlen Sie niemals mit der PayPal-Funktion „Geld an Freunde & Familie senden“. Wir zeigen Ihnen, wie Sie betrügerische Angebote auf Facebook erkennen.
---------------------------------------------
https://www.watchlist-internet.at/news/konzertkarten-auf-facebook-kaufen-vo…
∗∗∗ Gefälschtes E-Mail von FinanzOnline über Sicherheitsaktualisierung im Umlauf ∗∗∗
---------------------------------------------
Nehmen Sie E-Mails vom Finanzamt bzw. von FinanzOnline sehr genau unter die Lupe. Im Moment sind unzählige betrügerische Schreiben im Umlauf.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-e-mail-von-finanzonline…
∗∗∗ Sicherheitsanbieter Cyren geht in Liquidation – NoSpamProxy betroffen ∗∗∗
---------------------------------------------
Kurze Information für Nutzer, die Sicherheitsfunktionen des Anbieters Cyren einsetzen (z. B. NoSpamProxy). Der Anbieter Cyren steckt in wirtschaftlichen Schwierigkeiten und wird wohl liquidiert – die betreffenden Dienste werden eingestellt.
---------------------------------------------
https://www.borncity.com/blog/2023/02/28/sicherheitsanbieter-cyren-geht-in-…
∗∗∗ Bitdefender Releases Free MortalKombat Ransomware Decryptor ∗∗∗
---------------------------------------------
The free Mortal Kombat ransomware decryptor is now available for victims to recover their encrypted files without having to pay the ransom.
---------------------------------------------
https://www.hackread.com/bitdefender-mortalkombat-ransomware-decryptor/
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0006 ∗∗∗
---------------------------------------------
CVSSv3 Range: 6.3
CVE(s): CVE-2023-20857
Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0006.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, python-werkzeug, and spip), Fedora (curl), Mageia (apache-commons-fileupload, apr, c-ares, clamav, git, gnutls, ipython, jupyter-core, php, postgresql, python-cryptography, python-jupyterlab, python-twisted, sofia-sip, and sox), Red Hat (git, httpd, kernel, kernel-rt, kpatch-patch, lua, openssl, pcs, php, python-setuptools, python3.9, systemd, tar, vim, and zlib), SUSE (libxslt, php8, postgresql15, python3, tpm2-0-tss, and ucode-intel), and
---------------------------------------------
https://lwn.net/Articles/924690/
∗∗∗ IBM Security Bulletins 2023-02-23 ∗∗∗
---------------------------------------------
IBM VM Recovery Manager, IBM MQ Appliance, Red Hat OpenShift on IBM Cloud, IBM Business Automation Workflow, WebSphere Application Server, IBM SAN b-type switch, IBM FlashSystem, TMS RAMSAN, IBM HTTP Server, IBM CloudPak, Operations Dashboard, IBM QRadar SIEM Application Framework Base Image.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CVE-2022-38108: RCE in SolarWinds Network Performance Monitor ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hong and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the SolarWinds Network Performance Monitor. This bug was originally discovered and reported by ZDI Vulnerability Research Piotr Bazydło. The vulnerability results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data.
---------------------------------------------
https://www.thezdi.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-netw…
∗∗∗ ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020047
∗∗∗ ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020046
∗∗∗ web2py development tool vulnerable to open redirect ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN78253670/
∗∗∗ Osprey Pump Controller 1.0.1 Exploit Code released ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ OS Command Injection in Barracuda CloudGen WAN ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/os-command-injection-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 24-02-2023 18:00 − Montag 27-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ QUICforge - Client-seitige Request-Forgery-Angriffe im QUIC Protokoll ∗∗∗
---------------------------------------------
Ein Überblick warum das QUIC Protokoll ein für die Sicherheit relevantes und besonders aktuelles Forschungsgebiet ist und welche Herausforderung die Nutzung von QUIC birgt.
---------------------------------------------
https://sec-consult.com/de/blog/detail/quicforge-client-seitige-request-for…
∗∗∗ Exchange Server: Microsoft empfiehlt Aktualisierung der Antivirus-Ausnahmen (Feb. 2023) ∗∗∗
---------------------------------------------
Microsofts Exchange Server-Team hat seine Empfehlungen in Bezug auf Ausnahmen für Antivirus-Scans überarbeitet und bittet Administratoren die Einstellungen der Antivirus-Software zu überprüfen und gegebenenfalls anzupassen.
---------------------------------------------
https://www.borncity.com/blog/2023/02/27/exchange-server-microsoft-empfiehl…
∗∗∗ Bösartige Authenticator-Apps auch im Google-Play-Store ∗∗∗
---------------------------------------------
Vergangene Woche haben App-Entwickler bösartige Authenticator-Apps in Apples App-Store entdeckt. Jetzt wurden sie auch im Google-Play-Store fündig.
---------------------------------------------
https://heise.de/-7528469
∗∗∗ Nur mit iPhone-PIN: Diebe räumen Apple-ID und Bankkonten ab ∗∗∗
---------------------------------------------
iPhone-Diebstähle können zu einer vollständigen Apple-ID- und Bankkonten-Übernahme führen. Schuld ist Apples (zu) einfache Passwort-Recovery per PIN.
---------------------------------------------
https://heise.de/-7527961
∗∗∗ Kleinanzeigenplattformen: Betrügerische Käufer:innen täuschen Zahlung auf gefälschter PayPal-Website vor ∗∗∗
---------------------------------------------
Willhaben, Ebay, Shpock und Co.: Nehmen Sie sich vor betrügerischen Interessent:innen in Acht! Betrügerische Interessent:innen auf Kleinanzeigenplattformen behaupten, den Kaufbetrag inklusive Versandkosten an den Zahlungsdienst PayPal überwiesen zu haben. Sie schicken Ihnen einen personalisierten Link, über den Sie das Geld angeblich anfordern können. Brechen Sie den Kontakt ab, Sie werden auf eine gefälschte PayPal-Seite gelockt. Kriminelle stehlen damit Ihre Zugangsdaten und Geld von Ihrem PayPal-Konto!
---------------------------------------------
https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-kleinanzeigen…
∗∗∗ PureCrypter malware hits govt orgs with ransomware, info-stealers ∗∗∗
---------------------------------------------
A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-gov…
∗∗∗ RIG Exploit Kit still infects enterprise users via Internet Explorer ∗∗∗
---------------------------------------------
The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the services long operational history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rig-exploit-kit-still-infect…
∗∗∗ Is My Site Hacked? (13 Signs) ∗∗∗
---------------------------------------------
Symptoms of a hack can vary wildly. A concerning security alert from Google, a browser warning when you visit your site, or even a notice from your hosting provider that they’ve taken down your website - all of these events may indicate that your site has been hacked. Fortunately, there are a number of quick (and free) ways you can check and find out if your website has been compromised.
---------------------------------------------
https://blog.sucuri.net/2023/02/is-my-website-hacked.html
∗∗∗ Open Source Security and Risk Analysis Report ∗∗∗
---------------------------------------------
In its 8 th edition this year, the 2023 “Open Source Security and Risk Analysis” (OSSRA) report delivers our annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software.
https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-…
---------------------------------------------
https://www.synopsys.com/software-integrity/resources/analyst-reports/open-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdate: Zoho ManageEngine ServiceDesk Plus ist verwundbar ∗∗∗
---------------------------------------------
Angreifer könnten Systeme mit dem IT-Verwaltungssystem ManageEngine ServiceDesk Plus von Zoho attackieren. Eine ältere Zoho-Lücke wird derweil angegriffen.
---------------------------------------------
https://heise.de/-7528332
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apr-util, freeradius, mono, nodejs, php7.3, php7.4, and python-cryptography), Fedora (epiphany, haproxy, and podman), SUSE (chromium, libraw, php7, php74, python-pip, and rubygem-activerecord-4_2), and Ubuntu (apr, clamav, curl, intel-microcode, nss, openvswitch, webkit2gtk, and zoneminder).
---------------------------------------------
https://lwn.net/Articles/924546/
∗∗∗ Windows: Microsoft liefert cURL-Bibliothek weiterhin mit Schwachstellen aus (Feb. 2023) ∗∗∗
---------------------------------------------
Es ist eine unschöne Geschichte, die ich erneut hier im Blog einstelle. Microsoft gelingt es nicht, cURL mit Windows so auszuliefern, dass die Software auf dem aktuellen Stand ist und keine bekannte Sicherheitslücken mehr aufweist.
---------------------------------------------
https://www.borncity.com/blog/2023/02/25/windows-microsoft-liefert-curl-bib…
∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-060/
∗∗∗ Advisory: Vulnerable TigerVNC Version used in B&R Products ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16769091…
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ IBM MQ for HPE NonStop Server is affected by channel CCDT vulnerability CVE-2022-40237 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958136
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958146
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service in Pypa Setuptools (CVE-2022-40897) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958142
∗∗∗ IBM Security Verify Bridge (windows and docker versions) affected by a denial of service issue in Go (CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958156
∗∗∗ Certifi package as used by IBM QRadar User Behavior Analytics is vulnerable to improper certificate validation (CVE-2022-23491) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958452
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958458
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2022-38712) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958478
∗∗∗ A security vulnerability ( CVE-2022-3509, CVE-2022-3171 ) has been identified in IBM WebSphere Application Server Liberty shipped with IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958474
∗∗∗ FasterXML-jackson-databinds vulnerabilities affect IBM Operations Analytics Predictive Insights (CVE-2022-42004,CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958482
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955937
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958476
∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958484
∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958486
∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2177, CVE-2016-2178). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697949
∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2180). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697951
∗∗∗ IBM b-type SAN switches and directors affected by OpenSSL Security Advisory [22 Sep 2016] and [26 Sep 2016]. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697953
∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650695
∗∗∗ IBM b-type SAN Network\/Storage switches is affected by a denial of service vulnerability, caused by a CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650699
∗∗∗ IBM b-type SAN directors and switches is affected by privilege escalation vulnerability (CVE-2016-8202). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697803
∗∗∗ Vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors (CVE-2016-2108) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697943
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 23-02-2023 18:00 − Freitag 24-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Vorsicht: ChatGPT-Scams nehmen stark zu ∗∗∗
---------------------------------------------
Im Internet gibt es viele Seiten, die vorgeben, der intelligente Chatbot zu sein. In Wahrheit verbreiten sie Schadsoftware.
---------------------------------------------
https://futurezone.at/produkte/chatgpt-scam-malware-apps-android-chatbot-vo…
∗∗∗ KI: Journalist überlistet Bank mit künstlicher Intelligenz ∗∗∗
---------------------------------------------
Einem Journalisten ist es gelungen, die Stimmauthentifizierung einer Bank mit KI zu umgehen. Das könnten auch Betrüger.
---------------------------------------------
https://www.golem.de/news/ki-journalist-ueberlistet-bank-mit-kuenstlicher-i…
∗∗∗ Privatsphäre: Chrome-Extensions können noch immer eine Menge anrichten ∗∗∗
---------------------------------------------
Eine Analyse zeigt, was sich trotz Googles Chrome Extension Manifest V3 alles ausspähen lässt, wenn Nutzer bei der Installation nicht vorsichtig sind.
---------------------------------------------
https://www.golem.de/news/privatsphaere-chrome-extensions-koennen-noch-imme…
∗∗∗ The code that wasn’t there: Reading memory on an Android device by accident ∗∗∗
---------------------------------------------
CVE-2022-25664, a vulnerability in the Qualcomm Adreno GPU, can be used to leak large amounts of information to a malicious Android application. Learn more about how the vulnerability can be used to leak information in both the user space and kernel space level of pages, and how the GitHub Security Lab used the kernel space information leak to construct a KASLR bypass.
---------------------------------------------
https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-…
∗∗∗ In Final Cut & Co: Warnung vor Cryptojacking durch gecrackte Mac-Apps ∗∗∗
---------------------------------------------
Malware für Cryptomining wird über gecrackte Mac-Apps verbreitet und verbirgt sich dabei immer besser, warnen Sicherheitsforscher. Apple reagiert.
---------------------------------------------
https://heise.de/-7527273
∗∗∗ Update on the Exchange Server Antivirus Exclusions ∗∗∗
---------------------------------------------
For years we have been saying how running antivirus (AV) software on your Exchange Servers can enhance the security and health of your Exchange organization. We’ve also said that if you are deploying file-level scanners on Exchange servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both scheduled and real-time scanning. But times have changed, and so has the cybersecurity landscape.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exc…
∗∗∗ Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool ∗∗∗
---------------------------------------------
Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-troj…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco stopft teils hochriskante Schwachstellen ∗∗∗
---------------------------------------------
Für mehrere Produkte stellt Netzwerkausrüster Cisco Sicherheitsupdates bereit. Sie schließen teils als hohe Bedrohung eingestufte Schwachstellen.
---------------------------------------------
https://heise.de/-7526208
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (binwalk, chromium, curl, emacs, frr, git, libgit2, and tiff), Fedora (qt5-qtbase), SUSE (c-ares, kernel, openssl-1_1-livepatches, pesign, poppler, rubygem-activerecord-5_1, and webkit2gtk3), and Ubuntu (linux-aws).
---------------------------------------------
https://lwn.net/Articles/924358/
∗∗∗ Ineffective Cross Site Request Forgery (CSRF) protection in IBM Business Process Manager (BPM) (CVE-2017-1769) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/301273
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to information disclosure (CVE-2022-43923) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957654
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958016
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958024
∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958016
∗∗∗ Vulnerabilities found within Apache Storm that is used by IBM Tivoli Network Manager (ITNM) IP Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958056
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958062
∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958064
∗∗∗ CVE-2022-32149 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958066
∗∗∗ CVE-2022-32149 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958072
∗∗∗ Multiple vulnerabilities in Go may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958068
∗∗∗ CVE-2022-3676 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958086
∗∗∗ CVE-2022-3676 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958074
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855111
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955929
∗∗∗ CVE-2022-37734 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958076
∗∗∗ CVE-2022-37734 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958084
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955937
∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958080
∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958082
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by a vulnerability in JSON Web Token ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955935
∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957710
∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect z/Transaction Processing Facility ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957822
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 22-02-2023 18:00 − Donnerstag 23-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New S1deload Stealer malware hijacks Youtube, Facebook accounts ∗∗∗
---------------------------------------------
An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware…
∗∗∗ Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.
---------------------------------------------
https://thehackernews.com/2023/02/python-developers-warned-of-trojanized.ht…
∗∗∗ Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products ∗∗∗
---------------------------------------------
Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers.
---------------------------------------------
https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html
∗∗∗ OffSec Tools ∗∗∗
---------------------------------------------
This repository is intended for pentesters and red teamers using a variety of offensive security tools during their assessments. The repository is a collection of useful tools suitable for assessments in internal environments.
---------------------------------------------
https://github.com/Syslifters/offsec-tools
∗∗∗ Technical Analysis of BlackBasta Ransomware 2.0 ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/back-black-basta
∗∗∗ Users looking for ChatGPT apps get malware instead ∗∗∗
---------------------------------------------
The massive popularity of OpenAI’s chatbot ChatGPT has not gone unnoticed by cyber criminals: they are exploiting the public’s eagerness to experiment with it to trick users into downloading Windows and Android malware and visit phishing pages.
---------------------------------------------
https://www.helpnetsecurity.com/2023/02/23/chatgpt-windows-android/
∗∗∗ Stealthy Mac Malware Delivered via Pirated Apps ∗∗∗
---------------------------------------------
Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps and they could use the same method for other malware.
---------------------------------------------
https://www.securityweek.com/stealthy-mac-malware-delivered-via-pirated-app…
∗∗∗ Anti-Forensic Techniques Used By Lazarus Group ∗∗∗
---------------------------------------------
Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.
---------------------------------------------
https://asec.ahnlab.com/en/48223/
∗∗∗ ChromeLoader Disguised as Illegal Game Programs Being Distributed ∗∗∗
---------------------------------------------
Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files.
---------------------------------------------
https://asec.ahnlab.com/en/48211/
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities ∗∗∗
---------------------------------------------
Two of the vulnerabilities are considered to be considered of critical importance, with a CVSS score of a maximum 10 out of 10.
---------------------------------------------
https://blog.talosintelligence.com/vuln-spotlight-eip-stack-group-feb-2023/
∗∗∗ BIOS-Sicherheitsupdates: HP-Computer für Schadcode-Attacken anfällig ∗∗∗
---------------------------------------------
In aktualisierten BIOS-Versionen für HP-Computer haben die Entwickler mehrere Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-7524562
∗∗∗ Firewall-Distribution: pfSense 23.01 schließt Sicherheitslücken ∗∗∗
---------------------------------------------
In der Firewall-Distribution pfSense 23.01 haben die Entwickler mehrere Sicherheitslücken geschlossen. Die Basis haben sie auch auf aktuellen Stand gehievt.
---------------------------------------------
https://heise.de/-7525432
∗∗∗ Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023) ∗∗∗
---------------------------------------------
Last week, there were 104 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.
---------------------------------------------
https://www.wordfence.com/blog/2023/02/wordfence-intelligence-ce-weekly-vul…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox and thunderbird), Debian (asterisk, git, mariadb-10.3, node-url-parse, python-cryptography, and sofia-sip), Fedora (c-ares, golang-github-need-being-tree, golang-helm-3, golang-oras, golang-oras-1, and golang-oras-2), Oracle (httpd:2.4, kernel, php:8.0, python-setuptools, python3, samba, systemd, tar, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (phpMyAdmin, poppler, and postgresql12), and Ubuntu (dcmtk and linux-hwe).
---------------------------------------------
https://lwn.net/Articles/924236/
∗∗∗ Case update: DIVD-2022-00052 - Multiple vulnerabilities is Cloudflow software ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00052/
∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager HA GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957680
∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957708
∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957710
∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager HA GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957714
∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957754
∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957758
∗∗∗ CVE-2022-3509 and CVE-2022-3171 may affect IBM TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957764
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 21-02-2023 18:00 − Mittwoch 22-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Warnung vor Angriffen auf IBM Aspera Faspex und Mitel MiVoice ∗∗∗
---------------------------------------------
Die US-IT-Sicherheitsbehörde CISA warnt davor, dass Cyberkriminelle Sicherheitslücken in IBM Aspera Faspex und Mitel MiVoice angreifen. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7523870
∗∗∗ Jetzt patchen! Exploit-Code für kritische Fortinet FortiNAC-Lücke in Umlauf ∗∗∗
---------------------------------------------
Da Exploit-Code veröffentlicht wurde, könnten Angreifer Fortinets Netzwerk-Zugangskontrolllösung FortiNAC ins Visier nehmen.
---------------------------------------------
https://heise.de/-7523427
∗∗∗ Fake Give-Aways und Geschenkaktionen im Namen von ‚MrBeast‘! ∗∗∗
---------------------------------------------
Wer sich regelmäßig YouTube-Videos ansieht, kommt kaum an MrBeast vorbei. Der Youtuber mit über 134 Millionen Abonnent:innen ist für seine Give-Away-Videos bekannt, bei denen er Tausende oder gar Millionen von Dollar verschenkt. Diesen Ruf machen sich auch Kriminelle zunutze, indem sie betrügerische Gewinnversprechen und Geschenkaktionen im Namen von MrBeast verbreiten.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-give-aways-und-geschenkaktionen…
∗∗∗ Hydrochasma hackers target medical research labs, shipping firms ∗∗∗
---------------------------------------------
A previously unknown threat actor named Hydrochasma has been targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hydrochasma-hackers-target-m…
∗∗∗ WhatsApp ignoriert seit Jahren ein Sicherheitsproblem, das alle betrifft ∗∗∗
---------------------------------------------
Fremde können das eigene Profil übernehmen und sich für euch ausgeben - ganz ohne Hacking oder Phishing.
---------------------------------------------
https://futurezone.at/apps/whatsapp-sicherheit-problem-konto-telefonnummer-…
∗∗∗ Attackers Abuse Cron Jobs to Reinfect Websites ∗∗∗
---------------------------------------------
Malicious cron jobs are nothing new; we’ve seen attackers use them quite frequently to reinfect websites. However, in recent months we’ve noticed a distinctive new wave of these infections that appears to be closely related to this article about a backdoor that we’ve been tracking.
---------------------------------------------
https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websi…
∗∗∗ Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks ∗∗∗
---------------------------------------------
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc.
---------------------------------------------
https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.h…
∗∗∗ Lets build a Chrome extension that steals everything ∗∗∗
---------------------------------------------
Manifest v3 may have taken some of the juice out of browser extensions, but I think there is still plenty left in the tank. To prove it, let’s build a Chrome extension that steals as much data as possible.
---------------------------------------------
https://mattfrisbie.substack.com/p/spy-chrome-extension
∗∗∗ How NPM Packages Were Used to Spread Phishing Links ∗∗∗
---------------------------------------------
[...] On Monday, 20th of February, Checkmarx Labs discovered an anomaly in the NPM ecosystem when we cross-referenced new information with our databases. Clusters of packages had been published in large quantities to the NPM package manager. Further investigation revealed that the packages were part of a trending new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns.
---------------------------------------------
https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-li…
∗∗∗ Android voice chat app with 5m installs leaked user chats ∗∗∗
---------------------------------------------
The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan.
---------------------------------------------
https://www.hackread.com/android-voice-chat-app-data-leak/
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdates: VMware dichtet kritisches Sicherheitsleck ab ∗∗∗
---------------------------------------------
VMware schließt mit Updates für Carbon Black App Control und vRealize sowie Cloud Foundation eine kritische und eine hochriskante Schwachstelle.
---------------------------------------------
https://heise.de/-7523335
∗∗∗ Foxit PDF-Updates dichten hochriskante Schwachstellen ab ∗∗∗
---------------------------------------------
In der PDF-Software Foxit klafften Sicherheitslücken, durch die Angreifer etwa mit manipulierten PDF-Dateien Schadcode einschleusen und ausführen hätten können.
---------------------------------------------
https://heise.de/-7523313
∗∗∗ Multiple vulnerabilities in Nokia BTS Airscale ASIKA [PDF] ∗∗∗
---------------------------------------------
Synacktiv performed an audit on the base transceiver station Nokia Airscale ASIKA, running the firmware version btsmed_5G19B_GNB_0007_001836_000863, and discovered multiple vulnerabilities.
---------------------------------------------
https://www.synacktiv.com/sites/default/files/2023-02/Synacktiv-Nokia-BTS-A…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6).
---------------------------------------------
https://lwn.net/Articles/924070/
∗∗∗ Synology-SA-23:01 ClamAV ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to possibly execute arbitrary code or local users to obtain sensitive information via a susceptible version of Antivirus Essential, Synology Mail Server, and Synology MailPlus Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_01
∗∗∗ IBM Security Bulletins 2023-02-22 ∗∗∗
---------------------------------------------
* A vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * A vulnerability in the GUI affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * BM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) * IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708] * IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities in jsonwebtoken affects IBM Watson Assistant for IBM Cloud Pak for Data * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Plus (CVE-2019-11777) * Vulnerability in Log4j affects IBM Integrated Analytics System [CVE-2022-23305]
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Cisco Nexus 9000 Series Fabric Switches in ACI Mode Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS Fabric Interconnects Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Nexus 9300-FX3 Series Fabric Extender for UCS Fabric Interconnects Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 6.0.0: SC-202302.2 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-06
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 5.23.1: SC-202302.3 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-05
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 20-02-2023 18:00 − Dienstag 21-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Kriminalität: Ransomware will Versicherungspolice ∗∗∗
---------------------------------------------
Die Ransomware Hardbit 2.0 verlangt die Versicherungspolice der Unternehmen, um die Lösegeldforderung anzupassen. Nicht ungefährlich für die Betroffenen.
---------------------------------------------
https://www.golem.de/news/kriminalitaet-ransomware-will-versicherungspolice…
∗∗∗ Researchers Discover Dozens Samples of Information Stealer Stealc in the Wild ∗∗∗
---------------------------------------------
A new information stealer called Stealc thats being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report.
---------------------------------------------
https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.ht…
∗∗∗ Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs ∗∗∗
---------------------------------------------
On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user.
---------------------------------------------
https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/
∗∗∗ A Deep Dive Into a PoshC2 Implant ∗∗∗
---------------------------------------------
PoshC2 is an open-source C2 framework used by penetration testers and threat actors. It can generate a Powershell-based implant, a C#.NET implant that we analyze in this paper, and a Python3 implant.
---------------------------------------------
https://resources.securityscorecard.com/research/poshc2-implant
∗∗∗ ClamAV Critical Patch Review ∗∗∗
---------------------------------------------
The description of those bugs got our attention since we have format handlers in unblob for both DMG and HFS+. We therefore decided to spend some time trying to understand them and learn if we may be affected by similar bugs.
---------------------------------------------
https://onekey.com/blog/clamav-critical-patch-review/
∗∗∗ OWASP Kubernetes Top 10 ∗∗∗
---------------------------------------------
The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top 10 is a prioritized list of common risks backed by data collected from organizations varying in maturity and complexity.
---------------------------------------------
https://sysdig.com/blog/top-owasp-kubernetes/
∗∗∗ iOS 16.3 und 16.3.1: Apple räumt weitere schwere Lücken ein ∗∗∗
---------------------------------------------
Apple neigt seit längerem dazu, nicht alle gestopften Löcher in seinen Betriebssystemen sofort zu kommunizieren. Nun wurden Infos zu iOS 16.3 nachgereicht.
---------------------------------------------
https://heise.de/-7522282
∗∗∗ What can we learn from the latest Coinbase cyberattack? ∗∗∗
---------------------------------------------
Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twillio, Cloudflare and many other companies last year.
---------------------------------------------
https://www.helpnetsecurity.com/2023/02/21/coinbase-cyberattack/
∗∗∗ Keine Pellets auf ferberpainting.de bestellen! ∗∗∗
---------------------------------------------
Auf der Suche nach Pellets für die Beheizung des Eigenheims stoßen aktuell zahlreiche Personen auf ferberpainting.de bzw. ferberpainting.com. Für 199,90 Euro werden dort 40 Säcke mit 25 KG Pellets abgebildet und angeboten. Wer hier bestellt erlebt eine böse Überraschung, denn geliefert werden 40 leere Säcke.
---------------------------------------------
https://www.watchlist-internet.at/news/keine-pellets-auf-ferberpaintingde-b…
∗∗∗ Ihre Bank ruft an? Es könnte sich um Betrug handeln! ∗∗∗
---------------------------------------------
Sie erhalten einen Anruf. Angeblich eine Mitarbeiterin Ihrer Bank. Die Anruferin erklärt, dass sie ungewöhnliche Abbuchungen von Ihrem Konto festgestellt hat. Sie hilft Ihnen dabei, das Geld zurückzubekommen und Ihr Konto zu schützen. Vorsicht: Es handelt sich um Betrug.
---------------------------------------------
https://www.watchlist-internet.at/news/ihre-bank-ruft-an-es-koennte-sich-um…
∗∗∗ HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) ∗∗∗
---------------------------------------------
In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea.
---------------------------------------------
https://asec.ahnlab.com/en/48063/
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0004 ∗∗∗
---------------------------------------------
CVSSv3 Range: 9.1
CVE(s): CVE-2023-20858
Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0004.html
∗∗∗ VMSA-2023-0005 ∗∗∗
---------------------------------------------
CVSSv3 Range: 8.8
CVE(s): CVE-2023-20855
Synopsis: VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0005.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel).
---------------------------------------------
https://lwn.net/Articles/923942/
∗∗∗ TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2023-002
∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-052-01
∗∗∗ IBM FlashSystem 710, 720, 810, and 820 systems and RamSan 710, 720, 810, and 820 systems are not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)\nFlash ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690011
∗∗∗ Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem and TMS RAMSAN 710, 720, 810, and 820 systems (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-154 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690125
∗∗∗ Two (2) Vulnerabilities in glibc affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems (CVE-2014-5119 and CVE-2014-0475) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690127
∗∗∗ Sixteen (16) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690129
∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690131
∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690149
∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-25928) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956598
∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6328143
∗∗∗ IBM Db2 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953755
∗∗∗ IBM MQ is affected by multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 8 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957066
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to JSON5 code execution (CVE-2022-46175) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957134
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 17-02-2023 18:00 − Montag 20-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ CISA warnt: Mögliche System-Kompromittierung durch Lücken in Thunderbird ∗∗∗
---------------------------------------------
Die Version 102.8 von Thunderbird schließt Schwachstellen, durch die Angreifer die Kontrolle über ein System erlangen könnten. Davor warnt die CISA.
---------------------------------------------
https://heise.de/-7521002
∗∗∗ Microsoft-Updates: Nebenwirkungen für VMware und Windows Server 2022 ∗∗∗
---------------------------------------------
Die Februar-Updates zum Microsoft-Patchdays haben ungewollte Nebenwirkungen. Sie betreffen Windows Server 2022 unter VMware und die Windows-11-Updateverteilung.
---------------------------------------------
https://heise.de/-7521199
∗∗∗ Nach Cyber-Einbruch: Angreifer leiten GoDaddy-Webseiten um ∗∗∗
---------------------------------------------
Beim Webhoster GoDaddy konnten Angreifer Anfang Dezember 2022 Schadcode einschleusen, der dort gehostete Webseiten auf Malware-Seiten umleitete.
---------------------------------------------
https://heise.de/-7521325
∗∗∗ Achtung: Finanzamt schickt kein SMS ∗∗∗
---------------------------------------------
Kriminelle versenden im Namen des Finanzamtes gefälschte Nachrichten. Im SMS wird behauptet, dass Sie einen Betrag von € 286, 93 erhalten. Um das Geld zu bekommen, müssen Sie sich verifizieren und auf einen Link klicken. Klicken Sie nicht auf den Link, Sie landen auf einer Phishing-Seite.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-finanzamt-schickt-kein-sms/
∗∗∗ New WhiskerSpy malware delivered via trojanized codec installer ∗∗∗
---------------------------------------------
Security researchers have discovered a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-deliv…
∗∗∗ OneNote Suricata Rules, (Sun, Feb 19th) ∗∗∗
---------------------------------------------
I end my diary entry "Detecting (Malicious) OneNote Files" with a set of Suricata rules to detect various OneNote files.
---------------------------------------------
https://isc.sans.edu/diary/rss/29564
∗∗∗ The Dangers of Installing Nulled WordPress Themes and Plugins ∗∗∗
---------------------------------------------
Nulled WordPress themes and plugins are a controversial topic for many in the web development world - and arguably one of the bigger threats to WordPress security. Essentially modified versions of official WordPress themes and plugins with their licensing restrictions removed, these nulled software copies are often touted as premium functionality packaged in a free download.
---------------------------------------------
https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-…
∗∗∗ NimPlant - A light first-stage C2 implant written in Nim and Python ∗∗∗
---------------------------------------------
NimPlant was developed as a learning project and released to the public for transparency and educational purposes. For a large part, it makes no effort to hide its intentions. Additionally, protections have been put in place to prevent abuse. In other words, do NOT use NimPlant in production engagements as-is without thorough source code review and modifications!
---------------------------------------------
https://github.com/chvancooten/NimPlant
∗∗∗ Finding forensics breadcrumbs in Android image storage ∗∗∗
---------------------------------------------
[...] In this post I’ll be talking about image scanning apps, and how to reverse engineer them to pinpoint user activity and tie a user to a particular image’s creation from a source file e.g. pages from a PDF.
---------------------------------------------
https://www.pentestpartners.com/security-blog/finding-forensics-breadcrumbs…
∗∗∗ Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers ∗∗∗
---------------------------------------------
Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-att…
∗∗∗ QR code generator My QR Code leaks users’ login data and addresses ∗∗∗
---------------------------------------------
My QR Code was informed about the leak almost two weeks ago, yet it failed to respond or secure its server.
---------------------------------------------
https://www.hackread.com/qr-code-generator-my-qr-code-data-leak/
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday: Fortinet schließt 40 Sicherheitslücken, PoC-Exploit angekündigt ∗∗∗
---------------------------------------------
Fortinet hat im Februar Updates für diverse Produkte veröffentlicht, die insgesamt 40 Sicherheitslücken schließen. Davon gelten zwei als kritisch.
---------------------------------------------
https://heise.de/-7520937
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (c-ares, gnutls28, golang-github-opencontainers-selinux, isc-dhcp, nss, openssl, snort, and thunderbird), Fedora (clamav, curl, phpMyAdmin, thunderbird, vim, webkitgtk, and xen), Red Hat (firefox), Slackware (kernel), SUSE (apache2-mod_security2, gssntlmssp, postgresql-jdbc, postgresql12, and timescaledb), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/923803/
∗∗∗ Newly Disclosed Vulnerability Exposes EOL Arris Routers to Attacks ∗∗∗
---------------------------------------------
Malwarebytes warns of a remote code execution vulnerability impacting Arris G2482A, TG2492, and SBG10 routers, which have reached end-of-life (EOL).
---------------------------------------------
https://www.securityweek.com/newly-disclosed-vulnerability-exposes-eol-arri…
∗∗∗ Critical SQL injection vulnerabilities in MISP (fixed in v2.4.166 and v2.4.167) ∗∗∗
---------------------------------------------
As of the past 2 months, we’ve received two separate reports of two unrelated SQLi vector vulnerabilities in MISP that can lead to any authenticated user being able to execute arbitrary SQL queries in MISP.
---------------------------------------------
https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilit…
∗∗∗ IBM Security Bulletins 2023-02-20 ∗∗∗
---------------------------------------------
Flash Storage->RamSan-710, Flash Storage->RamSan-720, Flash Storage->RamSan-810, Flash Storage->RamSan-820, IBM Cloud Object Storage System, IBM Cloud Pak for Applications, IBM FlashSystem 720, IBM FlashSystem 900, IBM Multi-Enterprise Integration Gateway, IBM Multi-Enterprise Integration Gateway, IBM Power E1050 (9043-MRX), IBM Power L1022 (9786-22H), IBM Power L1024 (9786-42H), IBM Power S1014 (9105-41B), IBM Power S1022 (9105-22A), IBM Power S1022s (9105-22B), IBM Power S1024 (9105-42A), IBM WebSphere Hybrid Edition, Tivoli System Automation Application Manager
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 16-02-2023 18:00 − Freitag 17-02-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New Mirai Botnet Variant V3G4 Exploiting 13 Flaws to Target Linux and IoT Devices ∗∗∗
---------------------------------------------
A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor.
---------------------------------------------
https://thehackernews.com/2023/02/new-mirai-botnet-variant-v3g4.html
∗∗∗ Massenhaft SMS im Namen des Finanzamts im Umlauf ∗∗∗
---------------------------------------------
Wir erhalten derzeit zahlreiche Meldungen zu einer SMS, die im Namen des Finanzamtes versendet wird. Angeblich besteht eine offene Forderung, die trotz mehrfacher Mahnungen nicht beglichen wurde. Bei Nichtzahlung bis zum 18. Februar drohe der Gerichtsvollzieher und die Pfändung. Lassen Sie sich nicht unter Druck setzen. Es handelt sich um Betrug!
---------------------------------------------
https://www.watchlist-internet.at/news/massenhaft-sms-im-namen-des-finanzam…
∗∗∗ Kritische Sicherheitslücken in ClamAV - Updates verfügbar ∗∗∗
---------------------------------------------
17. Februar 2023
Beschreibung
Zwei kritische Schwachstellen in ClamAV erlauben es unauthentisierten Angreifenden, beliebigen Code auszuführen.
CVE-Nummer(n): CVE-2023-20032, CVE-2023-20052
Auswirkungen
Die Lücken in ClamAV können durch präparierte HFS+ bzw. DMG Images ausgelöst werden. Da ClamAV oft als Virenscanner in Mailservern eingesetzt wird, können durch den Versand entsprechender Files per Email verwundbare Installationen kompromittiert werden. [...]
---------------------------------------------
https://cert.at/de/warnungen/2023/2/kritische-sicherheitslucken-in-clamav
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortinet Security Advisories ∗∗∗
---------------------------------------------
Secerity Critical: * FortiNAC - External Control of File Name or Path in keyUpload scriptlet * FortiWeb - Stack-based buffer overflows in Proxyd Severity High: 15 Advisories * FortiADC, FortiExtender, FortiNAC, FortiOS, FortiProxy, FortiSwitchManager, FortiWAN, FortiWeb Severity Medium/Low: 23 Advisories
---------------------------------------------
https://fortiguard.fortinet.com/psirt?date=02-2023
∗∗∗ Node.js Thursday February 16 2023 Security Releases ∗∗∗
---------------------------------------------
* OpenSSL Security updates * Node.js Permissions policies can be bypassed via process.mainModule * Node.js OpenSSL error handling issues in nodejs crypto library * Fetch API in Node.js did not protect against CRLF injection in host headers * Regular Expression Denial of Service in Headers in Node.js fetch API * Node.js insecure loading of ICU data through ICU_DATA environment variable * npm update for Node.js 14
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/
∗∗∗ CISA Releases Fifteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* Siemens Solid Edge * Siemens SCALANCE X-200 IRT * Siemens Brownfield Connectivity Client * Siemens Brownfield Connectivity Gateway * Siemens SiPass integrated AC5102/ACC-G2 and ACC-AP * Siemens Simcenter Femap * Siemens TIA Project Server * Siemens RUGGEDCOM APE1808 * Siemens SIMATIC Industrial Products * Siemens COMOS * Siemens Mendix * Siemens JT Open, JT Utilities, and Parasolid * Sub-IoT DASH 7 Alliance Protocol * Delta Electronic DIAEnergie (Update B) * BD Alaris Infusion Central
---------------------------------------------
https://www.cisa.gov/uscert/ncas/current-activity/2023/02/16/cisa-releases-…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (firefox, phpMyAdmin, tpm2-tools, and tpm2-tss), Slackware (mozilla), SUSE (mozilla-nss, rubygem-actionpack-4_2, rubygem-actionpack-5_1, and tar), and Ubuntu (linux-azure and linux-hwe-5.19).
---------------------------------------------
https://lwn.net/Articles/923644/
∗∗∗ Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗
---------------------------------------------
* IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to jsonwebtoken CVEs * IBM FlashSystem 9100 family and IBM Storwize V7000 2076-724 (Gen3) systems are NOT affected by security vulnerabilities CVE-2018-12037 and CVE-2018-12038 * IBM MQ Operator and Queue Manager container images are vulnerable to vulnerabilities from libksba and sqlite (CVE-2022-47629 and CVE-2022-35737) * IBM Security Guardium Data Encryption is using Components with Known Vulnerabilities (CVE-2022-31129, CVE-2022-24785) * IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) * IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] * Java vulnerabilities affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * LDAP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple Vulnerabilities in Multicloud Management Security Services * Multiple vulnerabilities found with third-party libraries used by IBM® MobileFirst Platform * Multiple vulnerabilities in Golang Go affect IBM Decision Optimization in IBM Cloud Pak for Data * Multiple vulnerabilities in IBM Java SDK affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Network Security (NSS) vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * OpenSLP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerabilities in IBM Java affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerabilities in IBM Java and Apache Tomcat affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products* Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776) * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2018-11784) * Vulnerability in DHCP affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5732) * Vulnerability in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2019-2602) * Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in OpenSLP affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2017-17833) * Vulnerability in OpenSSL affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in SSH protocols affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2008-5161) * Vulnerability in Service Assistant affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-1775) * Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5391) * Vulnerability in zlib affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Atrocore 1.5.25 Shell Upload ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020029
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 15-02-2023 18:00 − Donnerstag 16-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Emsisoft says hackers are spoofing its certs to breach networks ∗∗∗
---------------------------------------------
A hacker is using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/emsisoft-says-hackers-are-sp…
∗∗∗ Hackers backdoor Microsoft IIS servers with new Frebniis malware ∗∗∗
---------------------------------------------
Hackers are deploying a new malware named Frebniss on Microsofts Internet Information Services (IIS) that stealthily executes commands sent via web requests.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-backdoor-microsoft-i…
∗∗∗ „Fake Customer Trick“: Kriminelle ergaunern hochwertige Produkte ∗∗∗
---------------------------------------------
Der Name des Halbleiterherstellers Infineon wird derzeit für kriminelle Zwecke missbraucht: Per Mail geben sich Betrüger:innen als Infineon-Mitarbeiter Marcus Schlenker aus und bekunden Interesse an einer Großbestellung. Für die Empfänger:innen klingt das nach einem unkomplizierten und schnellen Geschäft. Doch tatsächlich landen die versendeten Produkte in den Händen von Kriminellen, auf die Bezahlung warten die Opfer vergeblich.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-customer-trick-kriminelle-ergau…
∗∗∗ Malware Reverse Engineering for Beginners – Part 2 ∗∗∗
---------------------------------------------
Often, malware targeting Windows will be packed and delivered as a second stage. There are different ways to “deliver” malware to the endpoint. This blog will cover key concepts and examples regarding how malware is packed, obfuscated, delivered, and executed on the endpoint.
---------------------------------------------
https://www.intezer.com/blog/incident-response/malware-reverse-engineering-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday bei Intel: Angreifer könnten Server über Root-Lücke attackieren ∗∗∗
---------------------------------------------
Intel hat für verschiedene Firm- und Software wichtige Sicherheitsupdates veröffentlicht. In vielen Fällen könnten sich Angreifer höhere Rechte verschaffen.
---------------------------------------------
https://heise.de/-7517141
∗∗∗ Jetzt patchen! Entwickler des CMS Joomla warnen vor kritischer Sicherheitslücke ∗∗∗
---------------------------------------------
Es ist ein "sehr wichtiger" Sicherheitspatch für Joomla erscheinen.
---------------------------------------------
https://heise.de/-7517312
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (community-mysql, edk2, firefox, and git), Slackware (curl and git), SUSE (apache2-mod_security2, aws-efs-utils, bind, curl, git, ImageMagick, java-11-openjdk, java-17-openjdk, java-1_8_0-openjdk, kernel, libksba, and mozilla-nss), and Ubuntu (golang-golang-x-text, golang-x-text, linux-aws, linux-intel-iotg, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux linux-ibm-5.4, linux-oracle-5.4, linux-gke, linux-gke-5.15, nss, and xorg-server, xorg-server-hwe-16.04).
---------------------------------------------
https://lwn.net/Articles/923503/
∗∗∗ Splunk Enterprise Updates Patch High-Severity Vulnerabilities ∗∗∗
---------------------------------------------
Splunk updates for Enterprise products resolve multiple high-severity vulnerabilities, including several in third-party packages.
---------------------------------------------
https://www.securityweek.com/splunk-enterprise-updates-patch-high-severity-…
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.8 ∗∗∗
---------------------------------------------
CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP
CVE-2023-25728: Content security policy leak in violation reports using iframes
CVE-2023-25730: Screen hijack via browser fullscreen mode
CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS
CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey
CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry
CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers
CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext
CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8
...
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/
∗∗∗ MISP 2.4.168 released with bugs fixed, security fixes and major improvements in STIX support. ∗∗∗
---------------------------------------------
We are pleased to announce the immediate availability of MISP v2.4.168 with bugs fixed and various security fixes.
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.168
∗∗∗ ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ WAGO: Exposure of configuration interface in unmanaged switches ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-055/
∗∗∗ IBM App Connect Enterprise is affected by a remote attacker due to the zip4j library [CVE-2023-22899] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955913
∗∗∗ Multiple vulnerabilities in moment.js affect IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31129, CVE-2022-24785) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852667
∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6850801
∗∗∗ WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956223
∗∗∗ Intel Ethernet controllers as used in IBM QRadar SIEM are vulnerable to a denial of service (CVE-2021-0197, CVE-2021-0198, CVE-2021-0199, CVE-2021-0200) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956287
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 14-02-2023 18:00 − Mittwoch 15-02-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Adobe Patchday: Schadcode-Attacken auf After Effects & Co. möglich ∗∗∗
---------------------------------------------
Adobe hat unter anderem für After Effects, InDesign und Photoshop Sicherheitsupdates veröffentlicht.
---------------------------------------------
https://heise.de/-7496102
∗∗∗ Bluetooth-Fehler in Android 13 kann Diabetiker gefährden ∗∗∗
---------------------------------------------
Ein Fehler in Android 13 kann die Kommunikation zwischen Blutzuckersensor und zugehöriger App stören. Dann warnt die App nicht vor gefährlicher Unterzuckerung.
---------------------------------------------
https://heise.de/-7496644
∗∗∗ Angreifer attackieren Microsoft 365 und Windows - Mehrere kritische Lücken ∗∗∗
---------------------------------------------
Es sind wichtige Sicherheitsupdates für unter anderem Azure, Exchange Server und Windows erschienen. Mehrere Lücken sind als "kritisch" eingestuft.
---------------------------------------------
https://heise.de/-7496015
∗∗∗ Abo-Falle beim Kauf von Handyhüllen auf puffcase-official.com ∗∗∗
---------------------------------------------
Wenn Sie auf der Suche nach einer Schutzhülle für Ihr Smartphone sind, nehmen Sie sich vor puffcase-official.com in Acht. Während die „Puffcases“ auf den ersten Blick günstig wirken und zu einem schnellen Kauf verleiten, stellt sich die Seite als Abo-Falle heraus. Davon erfahren Sie erst, wenn die neuerliche Abbuchung auf Ihrer Kreditkarte auftaucht. Bestellen Sie hier nicht!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-beim-kauf-von-handyhuellen…
∗∗∗ NPM packages posing as speed testers install crypto miners instead ∗∗∗
---------------------------------------------
A new set of 16 malicious NPM packages are pretending to be internet speed testers but are, in reality, coinminers that hijack the compromised computers resources to mine cryptocurrency for the threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/npm-packages-posing-as-speed…
∗∗∗ Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack ∗∗∗
---------------------------------------------
Gone in 60 seconds using a USB-A plug and brute force instead of a key Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/02/15/hyundai_kia_…
∗∗∗ PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered Pybot DDoS being distributed with illegal software. The program used as bait by the threat actor is a token generator called Nitro Generator. Nitro is a paid Discord service with various benefits which can be seen below in Figure 1. Nitro Generator is a tool that generates codes that can be used for free access to Nitro.
---------------------------------------------
https://asec.ahnlab.com/en/47789/
∗∗∗ cURL audit: How a joke led to significant findings ∗∗∗
---------------------------------------------
In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. [..] the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect the many software applications that use libcurl. This blog post describes how we found the following vulnerabilities
---------------------------------------------
https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-…
∗∗∗ ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric ∗∗∗
---------------------------------------------
Siemens has published 13 new advisories covering a total of 86 vulnerabilities. [..] Schneider Electric has published three advisories covering 10 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-100-vulnerabilities-addresse…
∗∗∗ DNS Abuse Techniques Matrix ∗∗∗
---------------------------------------------
The FIRST DNS Abuse SIG has been working on a document for some time, which has now finally been published: a matrix of DNS abuse techniques and their stakeholders. Its intended to help people experiencing DNS abuse, particularly incident responders and security teams.
---------------------------------------------
https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf
∗∗∗ Sustained Activity by Threat Actors ∗∗∗
---------------------------------------------
The European Union Agency for Cybersecurity (ENISA) and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report to alert on sustained activity by particular threat actors. The malicious cyber activities of the presented threat actors pose a significant and ongoing threat to the European Union.
---------------------------------------------
https://www.enisa.europa.eu/news/sustained-activity-by-threat-actors
∗∗∗ Abusing Azure App Service Managed Identity Assignments ∗∗∗
---------------------------------------------
[...] Managed Identities are great and admins should absolutely use them. But admins also need to understand the risks that come with Managed Identities and how to deal with those risks. In this blog post I will explain those risks, demonstrate how an attacker can abuse App Service Managed Identity assignments, and show you how to identify and deal with those risks yourself.
---------------------------------------------
https://posts.specterops.io/abusing-azure-app-service-managed-identity-assi…
=====================
= Vulnerabilities =
=====================
∗∗∗ AMD: Cross-Thread Return Address Predictions ∗∗∗
---------------------------------------------
AMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges.
---------------------------------------------
https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045
∗∗∗ HAProxy Security Update (CVE-2023-25725) ∗∗∗
---------------------------------------------
A team of security researchers notified me on Thursday evening that they had found a dirty bug in HAProxys headers processing, and that, when properly exploited, this bug allows to build an HTTP content smuggling attack. [..] The issue was fixed in all versions and all modes (HTX and legacy), and all versions were upgraded. [..] Distros were notified (not very long ago admittedly, the delay was quite short for them) and updated packages will appear soon.
---------------------------------------------
https://www.mail-archive.com/haproxy@formilux.org/msg43229.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gnutls28 and haproxy), Fedora (syslog-ng), Mageia (apr-util, chromium-browser-stable, editorconfig-core-c, ffmpeg, libzen, phpmyadmin, tpm2-tss, and webkit2), Oracle (kernel and kernel-container), Slackware (mozilla and php), SUSE (git, haproxy, kernel, nodejs18, phpMyAdmin, and timescaledb), and Ubuntu (APR-util, git, and haproxy).
---------------------------------------------
https://lwn.net/Articles/923364/
∗∗∗ Lenovo Product Security Advisories ∗∗∗
---------------------------------------------
* AMI MegaRAC SP-X BMC Redfish Vulnerabilities
* AMI MegaRAC SP-X BMC Vulnerabilities
* Crypto API Toolkit for Intel SGX Advisory
* Intel Ethernet Controllers and Adapters Advisory
* Intel Ethernet VMware Drivers Advisory
* Intel Integrated Sensor Solution Advisory
* Intel Server Platform Services (SPS) Vulnerabilities
* Intel SGX SDK Advisory
* Multi-Vendor BIOS Security Vulnerabilities (February 2023)
---------------------------------------------
https://support.lenovo.com/at/en/product_security/home
∗∗∗ Released: February 2023 Exchange Server Security Updates ∗∗∗
---------------------------------------------
Microsoft has released Security Updates (SUs) for vulnerabilities found in:Exchange Server 2013Exchange Server 2016Exchange Server 2019SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.SUs are available for the following specific versions of Exchange Server:Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)Exchange Server 2016
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ XSA-426 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-426.html
∗∗∗ Advisory: Impact of Insyde UEFI Boot Issues on B&R Products ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16759315…
∗∗∗ ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Nexus Dashboard Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Nexus Dashboard Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Email Security Appliance and Cisco Secure Email and Web Manager Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 13-02-2023 18:00 − Dienstag 14-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New stealthy Beep malware focuses heavily on evading detection ∗∗∗
---------------------------------------------
A new stealthy malware named Beep was discovered last week, featuring many features to evade analysis and detection by security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-stealthy-beep-malware-fo…
∗∗∗ Exploiting a remote heap overflow with a custom TCP stack ∗∗∗
---------------------------------------------
In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required to mess with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it.
---------------------------------------------
https://www.synacktiv.com/publications/exploiting-a-remote-heap-overflow-wi…
∗∗∗ Securing Open-Source Solutions: A Study of osTicket Vulnerabilities ∗∗∗
---------------------------------------------
One of the applications assessed was osTicket, an open-source ticketing system. With distinctive features and plugins, osTicket gives users the ability to “Manage, organize, and archive all your support requests and responses (...).” During our assessment, the Checkmarx Labs team found some interesting vulnerabilities. In this blog/report, not only will we disclose some of the identified vulnerabilities but also elaborate on the team’s approach to identifying them.
---------------------------------------------
https://checkmarx.com/blog/securing-open-source-solutions-a-study-of-ostick…
∗∗∗ Amazon: Vorsicht vor Fake-Anrufen ∗∗∗
---------------------------------------------
Aktuell geben sich Kriminelle als Mitarbeiter:innen von Amazon aus und täuschen ein Problem mit Ihrer Bestellung vor. Sie werden aufgefordert Zahlungsdaten zu übermitteln, Zahlungen freizugeben und eine Wartungssoftware wie TeamViewer zu installieren. Legen Sie auf und blockieren Sie die Nummer.
---------------------------------------------
https://www.watchlist-internet.at/news/amazon-vorsicht-vor-fake-anrufen/
∗∗∗ A Deep Dive into Reversing CODESYS ∗∗∗
---------------------------------------------
This white paper offers a technical deep dive into PLC protocols and how to safely scan CODESYS-based ICS networking stacks.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/02/14/a-deep-dive-into-reversing-code…
∗∗∗ Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys ∗∗∗
---------------------------------------------
Aabquerys use the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery.
---------------------------------------------
https://www.hackread.com/typosquatting-abquery-package-aabquerys/
=====================
= Vulnerabilities =
=====================
∗∗∗ Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug ∗∗∗
---------------------------------------------
Conditional code considered cryptographically counterproductive.
---------------------------------------------
https://nakedsecurity.sophos.com/2023/02/13/serious-security-gnutls-follows…
∗∗∗ Patch Now: Apples iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw ∗∗∗
---------------------------------------------
Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild.Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution.
---------------------------------------------
https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html
∗∗∗ Patchday: SAP schützt seine Software vor möglichen Attacken ∗∗∗
---------------------------------------------
Es sind unter anderem für SAP BusinessObjects und SAP Start Service wichtige Sicherheitsupdates erschienen.
---------------------------------------------
https://heise.de/-7494856
∗∗∗ Bestimmte auf HP-Computern vorinstallierte Windows-10-Versionen sind verwundbar ∗∗∗
---------------------------------------------
Wer einen PC von HP mit einer älteren Windows-10-Ausgabe nutzt, sollte einen Sicherheitspatch installieren.
---------------------------------------------
https://heise.de/-7494955
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django).
---------------------------------------------
https://lwn.net/Articles/923267/
∗∗∗ Citrix Virtual Apps and Desktops Security Bulletin for CVE-2023-24483 ∗∗∗
---------------------------------------------
A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA.
CVE-2023-24483
---------------------------------------------
https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-deskto…
∗∗∗ Citrix Workspace app for Windows Security Bulletin for CVE-2023-24484 & CVE-2023-24485 ∗∗∗
---------------------------------------------
A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA.
CVE-2023-24484 & CVE-2023-24485
---------------------------------------------
https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windo…
∗∗∗ Citrix Workspace app for Linux Security Bulletin for CVE-2023-24486 ∗∗∗
---------------------------------------------
A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched.
CVE-2023-24486
---------------------------------------------
https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux…
∗∗∗ SonicWall Email Security Information Discloser Vulnerability ∗∗∗
---------------------------------------------
SonicWall Email Security contains a vulnerability that could permit a remote unauthenticated attacker access to an error page that includes sensitive information about users email addresses.
CVE: CVE-2023-0655
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0002
∗∗∗ The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
The installers of ELECOM Camera Assistant and QuickFileDealer provided by ELECOM CO.,LTD. may insecurely load Dynamic Link Libraries.
---------------------------------------------
https://jvn.jp/en/jp/JVN60263237/
∗∗∗ Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools ∗∗∗
---------------------------------------------
tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN00712821/
∗∗∗ 101news By Mayuri K 1.0 SQL Injection ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020025
∗∗∗ Developed by Ameya Computers LOGIN SQL INJECTİON ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020024
∗∗∗ SSA-953464 V1.0: Multiple Vulnerabilites in Siemens Brownfield Connectivity - Client before V2.15 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
∗∗∗ SSA-847261 V1.0: Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf
∗∗∗ SSA-836777 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Parasolid ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-836777.pdf
∗∗∗ SSA-744259 V1.0: Golang Vulnerabilities in Brownfield Connectivity - Gateway before V1.10.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf
∗∗∗ SSA-693110 V1.0: Buffer Overflow Vulnerability in COMOS ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-693110.pdf
∗∗∗ SSA-686975 V1.0: IPU 2022.3 Vulnerabilities in Siemens Industrial Products using Intel CPUs ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-686975.pdf
∗∗∗ SSA-658793 V1.0: Command Injection Vulnerability in SiPass integrated AC5102 / ACC-G2 and ACC-AP ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-658793.pdf
∗∗∗ SSA-640968 V1.0: Untrusted Search Path Vulnerability in TIA Project-Server formerly known as TIA Multiuser Server ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-640968.pdf
∗∗∗ SSA-617755 V1.0: Denial of Service Vulnerability in the SNMP Agent of SCALANCE X-200IRT Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-617755.pdf
∗∗∗ SSA-565356 V1.0: X_T File Parsing Vulnerabilities in Simcenter Femap before V2023.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-565356.pdf
∗∗∗ SSA-491245 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf
∗∗∗ SSA-450613 V1.0: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808 Product Family ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-450613.pdf
∗∗∗ SSA-252808 V1.0: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf
∗∗∗ PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-001/
∗∗∗ Weintek EasyBuilder Pro cMT Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-045-01
∗∗∗ Advisory: Reflected Cross-Site Scripting Vulnerabitities in SDM ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16756072…
∗∗∗ IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to Apache Commons Text [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955251
∗∗∗ IBM App Connect Enterprise Certified Container operands may be vulnerable to security restrictions bypass due to [CVE-2021-25743] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955255
∗∗∗ IBM Sterling Control Center is vulnerable to a denial of service due to Jave SE (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955277
∗∗∗ IBM Sterling Control Center is vulnerable to security bypass due to Eclipse Openj9 (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955281
∗∗∗ CVE-2022-21624 may affect IBM\u00ae SDK, Java\u2122 Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955493
∗∗∗ CVE-2022-3676 may affect Eclipse Openj9 used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955497
∗∗∗ IBM QRadar SIEM is vulnerable to possible information disclosure [CVE-2023-22875] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855643
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 10-02-2023 18:00 − Montag 13-02-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Erpressungstrojaner Play infiltriert Systeme von A10 Networks ∗∗∗
---------------------------------------------
Angreifer konnten auf interne Daten des Herstellers von Netzwerkgeräten A10 Networks zugreifen. Kundendaten sollen nicht betroffen sein.
---------------------------------------------
https://heise.de/-7493748
∗∗∗ Gefälschtes Therme Wien-Gewinnspiel auf Facebook ∗∗∗
---------------------------------------------
Auf Facebook kursiert momentan ein betrügerisches Gewinnspiel für einen Tagesurlaub inklusive Massage in der Therme Wien. Das Gewinnspiel, das von der Facebook-Seite „Freizeit-Helden“ beworben wird, steht aber in keinem Zusammenhang mit der Therme Wien und sammelt Daten. Nehmen Sie nicht teil und melden Sie das Posting.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-therme-wien-gewinnspiel…
∗∗∗ Details zur LocalPotato NTLM Authentication-Schwachstelle (CVE-2023-21746) ∗∗∗
---------------------------------------------
Mitte Januar 2023 Monat hatte ich im Blog-Beitrag Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) auf eine lokale NTLM-Authentifizierungsschwachstelle (CVE-2023-21746) hingewiesen. Die Entdecker bezeichnen diese als LocalPotator, hatten seinerzeit aber keine Details offen gelegt. Jetzt wurde dies nachgeholt.
---------------------------------------------
https://www.borncity.com/blog/2023/02/11/details-zur-localpotato-ntlm-authe…
∗∗∗ We had a security incident. Here’s what we know. ∗∗∗
---------------------------------------------
TL:DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems.
---------------------------------------------
https://www.reddit.com/r/netsec/comments/10y59q2/we_had_a_security_incident…
∗∗∗ Devs targeted by W4SP Stealer malware in malicious PyPi packages ∗∗∗
---------------------------------------------
Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-steale…
∗∗∗ Security baseline for Microsoft Edge version 110 ∗∗∗
---------------------------------------------
We are pleased to announce the security review for Microsoft Edge, version 110! We have reviewed the new settings in Microsoft Edge version 110 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. Microsoft Edge version 110 introduced 13 new computer settings and 13 new user settings.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ PCAP Data Analysis with Zeek, (Sun, Feb 12th) ∗∗∗
---------------------------------------------
Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek [1] can help to simplify network traffic analysis. It can also help save a lot of storage space. I'll be going through and processing some PCAP data collected from my honeypot.
---------------------------------------------
https://isc.sans.edu/diary/rss/29530
∗∗∗ Linux auditd for Threat Hunting [Part 2] ∗∗∗
---------------------------------------------
In this part, I will highlight only 1 technique (process/command execution) and explain the fields. In Part 3, I will show you tests I ran for several other behaviors.
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-hunting-part-2-c75500f5…
∗∗∗ Crypto Wallet Address Replacement Attack ∗∗∗
---------------------------------------------
At around 17:49 UTC on 9 February 2023, Phylum’s automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. This time, however, the attacker changed the obfuscation technique and radically increased the volume of attacks. [..] over 451 unique packages. These targeted some very popular packages, many of them in the crypto/finance and web development space
---------------------------------------------
https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-repla…
∗∗∗ The Linux Kernel and the Cursed Driver (CVE-2022-4842) ∗∗∗
---------------------------------------------
TL;DR: We found a bug in the not-so-well-maintained NTFS3 driver in Linux. Abusing the vulnerability could lead to a denial-of-service (DoS) attack on machines with a mounted NTFS filesystem.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/the-linux-kernel-an…
=====================
= Vulnerabilities =
=====================
∗∗∗ Monitorr 1.7.6 Shell Upload ∗∗∗
---------------------------------------------
Topic: Monitorr 1.7.6 Shell Upload Risk: High Text:# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution # Exploit Author: Achuth V P (retrymp3...
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020021
∗∗∗ Cisco Email Security Appliance URL Filtering Bypass Vulnerability ∗∗∗
---------------------------------------------
On January 18, 2023, Cisco disclosed the following: A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. [...] After additional investigation, it was determined that this vulnerability is not exploitable. For more information, see the Workarounds section of this advisory.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ABB Cyber Security Advisory: Drive Composer multiple vulnerabilities ∗∗∗
---------------------------------------------
Affected products: CVE-2018-1285, CVE-2022-35737, CVE-2021-27293, CVE-2022-37434: - Drive Composer entry 2.8 and earlier - Drive Composer pro 2.8 and earlier. CVE-2018-1002205: - Drive Composer entry 2.4 and earlier - Drive Composer pro 2.4 and earlier An attacker who successfully exploited these vulnerabilities could cause the product to stop, make the product inaccessible or insert and run arbitrary code.
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=9AKK1…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/923163/
∗∗∗ Wordpress Multiple themes - Unauthenticated Arbitrary File Upload ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020022
∗∗∗ NEC PC Settings Tool vulnerable to missing authentication for critical function ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN60320736/
∗∗∗ Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN98612206/
∗∗∗ IBM Security Bulletins 2023-02-13 ∗∗∗
---------------------------------------------
* AIX is vulnerable to denial of service vulnerabilities
* IBM Cloud Pak for Network Automation v2.4.3 addresses multiple security vulnerabilities
* IBM MQ Appliance is vulnerable to an unspecified Java SE vulnerability (CVE-2022-21626)
* IBM PowerVM Novalink is vulnerable because Apache Commons IO could allow a remote attacker to traverse directories on the system
* IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to protobuf-java core and lite are vulnerable to a denial of service. (CVE-2022-3509)
* IBM PowerVM Novalink is vulnerable because Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. (CVE-2022-21628)
* IBM QRadar SIEM includes multiple components with known vulnerabilities
* IBM QRadar SIEM is vulnerable to information exposure (CVE-2022-34351)
* IBM Security Directory Integrator is affected by multiple security vulnerabilities
* IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579)
* IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970)
* IBM Sterling B2B Integrator is vulnerable to http header injection due to IBM WebSphere Application Server (CVE-2022-34165)
* IBM Sterling Connect:Direct FTP+ is vulnerable to denial of service due to IBM Java (CVE-2022-21626)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js bunyan module command execution
* The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231)
* Vulnerabilities with ca-certificates, OpenJDK, Sudo affect IBM Cloud Object Storage Systems (Feb 2023v1)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 09-02-2023 18:00 − Freitag 10-02-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Obfuscated Deactivation of Script Block Logging, (Fri, Feb 10th) ∗∗∗
---------------------------------------------
PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one.
---------------------------------------------
https://isc.sans.edu/diary/rss/29538
∗∗∗ Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign ∗∗∗
---------------------------------------------
Late last year we reported on a malware campaign targeting thousands of WordPress websites to redirect visitors to bogus Q&A websites. The sites themselves contained very little useful information to a regular visitor, but — more importantly — also contained Google Adsense advertisements. It appeared to be an attempt to artificially pump ad views to generate revenue. Since September, our SiteCheck remote scanner has detected this campaign on 10,890 infected sites.
---------------------------------------------
https://blog.sucuri.net/2023/02/bogus-url-shorteners-redirect-thousands-of-…
∗∗∗ Cracking the Odd Case of Randomness in Java ∗∗∗
---------------------------------------------
During a recent white-box assessment, we came across the use of RandomStringUtils.randomAlphanumeric being used in a security sensitive context. We knew it used Java’s weak java.util.Random class but were interested in seeing how practically exploitable it actually was, so we decided to dig into it and see how it worked under the hood.
---------------------------------------------
https://www.elttam.com/blog/cracking-randomness-in-java/
∗∗∗ What are the writable shares in this big domain? ∗∗∗
---------------------------------------------
RSMBI is a python tool that answers to the question: What are the writable shares in this big domain? RSMBI connect to each target and it mounts the available shares in the /tmp folder (but that can also be changed). Once the shares are successfully mounted the threads (or the solo one) would start (os.)walking recursively all the folders, trying get a file handle with writing rights.
---------------------------------------------
https://github.com/oldboy21/RSMBI
∗∗∗ 0Day Avalanche Blockchain API DoS ∗∗∗
---------------------------------------------
This is a remote API DoS/crash that should OOM chain P and render a vulnerable node mostly or entirely useless.
---------------------------------------------
https://g.livejournal.com/15852.html
∗∗∗ Fake-Spendenaufrufe: Kriminelle missbrauchen Erdbebenkatastrophe ∗∗∗
---------------------------------------------
Das Erdbeben in der Türkei und in Nordsyrien löste eine Welle der Hilfsbereitschaft aus. Es gibt zahlreiche Möglichkeiten, um Überlebende finanziell zu unterstützen. Kriminelle missbrauchen die humanitäre Krise und versuchen auf verschiedenen Wegen die Solidarität durch Fake-Spendenaufrufe auszunutzen.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-spendenaufrufe-kriminelle-missb…
=====================
= Vulnerabilities =
=====================
∗∗∗ CKSource CKEditor5 35.4.0 Cross Site Scripting ∗∗∗
---------------------------------------------
CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020019
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift).
---------------------------------------------
https://lwn.net/Articles/922929/
∗∗∗ Statement About the DoS Vulnerability in the E5573Cs-322 ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20230210-01…
∗∗∗ Multiple vulnerabilities in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954671
∗∗∗ Vulnerabilities in IBM Semeru Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619, CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954673
∗∗∗ Vulnerability in IBM Java Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954675
∗∗∗ Vulnerability in IBM Java (CVE-2022-3676) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954681
∗∗∗ Vulnerability in IBM Java (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954683
∗∗∗ Vulnerability in Firefox (CVE-2022-43926) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954679
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954685
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to arbitrary code execution due to [CVE-2022-45907] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954691
∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954695
∗∗∗ CVE-2022-3676 may affect IBM TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954701
∗∗∗ IBM MQ Appliance is vulnerable to identity spoofing (CVE-2022-22476) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6823807
∗∗∗ IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2021-45485, CVE-2021-45486 and CVE-2022-1012) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851373
∗∗∗ IBM MQ Appliance is vulnerable to HTTP header injection (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6622055
∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6622053
∗∗∗ IBM MQ Appliance is vulnerable to improper session invalidation (CVE-2022-40230) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6622051
∗∗∗ IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6622041
∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6622047
∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of servce due to IBM Java (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954727
∗∗∗ A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM\/GKLM) (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954723
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 08-02-2023 18:00 − Donnerstag 09-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New ESXiArgs ransomware version prevents VMware ESXi recovery ∗∗∗
---------------------------------------------
New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-vers…
∗∗∗ Solving one of NOBELIUM’s most novel attacks: Cyberattack Series ∗∗∗
---------------------------------------------
This is the first in an ongoing series exploring some of the most notable cases of the Microsoft Detection and Response Team (DART), which investigates cyberattacks on behalf of our customers. The Cyberattack Series takes you behind the scenes for an inside look at the investigation and share lessons that you can apply to better protect your own organization.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nob…
∗∗∗ [SANS ISC] A Backdoor with Smart Screenshot Capability ∗∗∗
---------------------------------------------
Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being “smart” means performing actions depending on the context, the environment, or user actions.
For a while, backdoors and trojans have implemented screenshot capabilities. From an attacker’s point of view, it’s interesting to “see” what’s displayed on the victim’s computer.
---------------------------------------------
https://blog.rootshell.be/2023/02/09/sans-isc-a-backdoor-with-smart-screens…
∗∗∗ Exploit Vector Analysis of Emerging ESXiArgs Ransomware ∗∗∗
---------------------------------------------
In recent days CVE-2021-21974, a heap-overflow vulnerability in VMWare ESXi’s OpenSLP service has been prominently mentioned in the news in relation to a wave of ransomware effecting numerous organizations. The relationship between CVE-2021-21974 and the ransomware campaign may be blown out of proportion. We do not currently know what the initial access vector is, and it is possible it could be any of the vulnerabilities related to ESXi’s OpenSLP service.
---------------------------------------------
https://www.greynoise.io/blog/exploit-vector-analysis-of-emerging-esxiargs-…
∗∗∗ Passwort-Manager: Umstrittene Sicherheitslücke in KeePass beseitigt ∗∗∗
---------------------------------------------
Eine viel diskutierte Sicherheitslücke, die Einbrechern im System den Passwort-Export erleichterte, hat der Entwickler nun mit einem Update geschlossen.
---------------------------------------------
https://heise.de/-7489944
∗∗∗ Datenleck: Deezer informiert Kunden jetzt per E-Mail ∗∗∗
---------------------------------------------
230 Millionen Deezer-Datensätze wurden entwendet und etwa beim Have-I-been-pwned-Projekt hinzugefügt. Jetzt informiert Deezer betroffene Kunden darüber.
---------------------------------------------
https://heise.de/-7490760
∗∗∗ Teures Visum bei asia-visa.com ∗∗∗
---------------------------------------------
Sie möchten ein Visum für Thailand oder Vietnam beantragen? Bei einer Internetrecherche stoßen Sie möglicherweise auf asia-visa.com – ein Anbieter, der Ihnen den „Papierkram“ abnimmt. Wir raten Ihnen ab, das überteuerte Angebot zu nutzen und empfehlen, die Einreisegenehmigung über die offizielle Stelle zu beantragen.
---------------------------------------------
https://www.watchlist-internet.at/news/teures-visum-bei-asia-visacom/
∗∗∗ CISA and FBI Release ESXiArgs Ransomware Recovery Guidance ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/02/08/cisa-and-fbi-rele…
∗∗∗ Neue PayPal-Betrugsmasche – mit echten Push-Benachrichtigungen (Feb. 2023) ∗∗∗
---------------------------------------------
Über Twitter bin ich auf eine neue Betrugsmasche hingewiesen worden, die Leute schon mal ins Boxhorn jagen kann. Denn die Masche beginnt, dass das Opfer eine Push-Benachrichtigung von PayPal über eine Zahlung (per Einzug) bekommt. Aber die Nachricht ist trotzdem Betrug und hat das Ziel, an Daten des Opfers heranzukommen. Ich habe die Hinweise auf Twitter mal in diesem Beitrag zusammen gefasst.
---------------------------------------------
https://www.borncity.com/blog/2023/02/08/neue-paypal-betrugsmasche-mit-echt…
∗∗∗ Sicherheitsvorfall bei wargaming.net (Feb. 2023)? ∗∗∗
---------------------------------------------
Ein Leser hat mich auf einen Sicherheitsvorfall beim Spieleentwickler wargaming.net aufmerksam gemacht. Ich habe dann ein wenig recherchiert, ist nicht der erste Vorfall bei diesem Anbieter. Es könnte aber auch ein Phishing-Versuch sein (das versuche ich noch zu klären). Hier einige Informationen, was mir bekannt ist.
---------------------------------------------
https://www.borncity.com/blog/2023/02/09/sicherheitsvorfall-bei-wargaming-n…
∗∗∗ Evasion Techniques Uncovered: An Analysis of APT Methods ∗∗∗
---------------------------------------------
DLL search order hijacking and DLL sideloading are commonly used by nation state sponsored attackers to evade detection.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/02/09/evasion-techniques-uncovered-an…
=====================
= Vulnerabilities =
=====================
∗∗∗ Zoho ManageEngine ServiceDesk Plus 14003 Remote Code Execution ∗∗∗
---------------------------------------------
This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020017
∗∗∗ SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow ∗∗∗
---------------------------------------------
The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php
∗∗∗ Angreifer könnten über Nvidia GeForce Experience Daten manipulieren ∗∗∗
---------------------------------------------
In der aktuellen Version das Grafikkarten-Tools GeForce Experience von Nvidia haben die Entwickler drei Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-7490068
∗∗∗ Notfallpatch für Dateiübertragungslösung GoAnywhere MFT erschienen ∗∗∗
---------------------------------------------
Admins können ihre GoAnywhere-MFT-Server (On-Premises) nun mit einem Sicherheitsupdate gegen aktuelle laufende Attacken absichern.
---------------------------------------------
https://heise.de/-7490040
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/922756/
∗∗∗ Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras ∗∗∗
---------------------------------------------
A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time. [...] Dahua device vulnerabilities may be targeted by DDoS botnets, but in the case of CVE-2022-30564, it would most likely be exploited in highly targeted attacks whose goal is to tamper with evidence, rather than cybercrime operations. The issue was reported to the vendor in the fall of 2022. Dahua has released patches for each of the impacted devices.
---------------------------------------------
https://www.securityweek.com/vulnerability-allows-hackers-to-remotely-tampe…
∗∗∗ CVE-2023-0003 Cortex XSOAR: Local File Disclosure Vulnerability in the Cortex XSOAR Server (Severity: MEDIUM) ∗∗∗
---------------------------------------------
A file disclosure vulnerability in the Palo Alto Networks Cortex XSOAR server software enables an authenticated user with access to the web interface to read local files from the server.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0003
∗∗∗ CVE-2023-0002 Cortex XDR Agent: Product Disruption by Local Windows User (Severity: MEDIUM) ∗∗∗
---------------------------------------------
A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to execute privileged cytool commands that disable or uninstall the agent.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0002
∗∗∗ CVE-2023-0001 Cortex XDR Agent: Cleartext Exposure of Agent Admin Password (Severity: MEDIUM) ∗∗∗
---------------------------------------------
An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent.
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0001
∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-24964) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953519
∗∗∗ IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6891111
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Eclipse Openj9 security bypass (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953807
∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953825
∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953873
∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953879
∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953641
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (217968) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953593
∗∗∗ Vulnerability in Axios affects IBM Process Mining . IBM X-Force ID: 232247 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6611183
∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0208 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852405
∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0148 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852407
∗∗∗ Vulnerability in d3-color affects IBM Process Mining . WS-2022-0322 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856473
∗∗∗ IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for user privilege escalation ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6909427
∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954391
∗∗∗ IBM Sterling Global Mailbox is vulnerable to HTTP header injection due WebSphere Liberty Server (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954401
∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954403
∗∗∗ IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954405
∗∗∗ Vulnerability in Apache Commons Text affects IBM Process Mining . CVE-2022-42889 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954409
∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954411
∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954421
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 07-02-2023 18:00 − Mittwoch 08-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Ransomware-Attacke: CISA veröffentlicht Wiederherstellungsskript für VMware ESXi ∗∗∗
---------------------------------------------
Die US-amerikanische Cyber-Sicherheitsbehörde CISA hat ein Wiederherstellungsskript bereitgestellt, mit dem betroffene Server gerettet werden könnten.
---------------------------------------------
https://heise.de/-7488498
∗∗∗ Achtung: Betrügerische Rechnungen in E-Mails und PayPal-App! ∗∗∗
---------------------------------------------
PayPal-User:innen aufgepasst: Kriminelle stellen aktuell Coinbase-Rechnungen über PayPal. Diese Rechnungen landen dadurch sowohl in Ihrem Mail-Postfach, als auch Ihrer PayPal-App und können dadurch für echt gehalten werden! Ignorieren Sie die Rechnungen und setzen Sie sich bei Unklarheiten mit PayPal in Verbindung. Bezahlen Sie nichts und befolgen Sie keinesfalls die Händler-Anweisungen aus der Rechnung.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-betruegerische-rechnungen-in…
∗∗∗ Sicherheitsupdate: Acht Sicherheitslücken in OpenSSL geschlossen ∗∗∗
---------------------------------------------
Angreifer könnten Systeme mit der Softwarebibliothek für verschlüsselte Verbindungen OpenSSL attackieren. Der Bedrohungsgrad hält sich aber in Grenzen.
---------------------------------------------
https://heise.de/-7489560
∗∗∗ Medusa botnet returns as a Mirai-based variant with ransomware sting ∗∗∗
---------------------------------------------
A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-m…
∗∗∗ Simple HTML Phishing via Telegram Bot, (Wed, Feb 8th) ∗∗∗
---------------------------------------------
Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them.
---------------------------------------------
https://isc.sans.edu/diary/rss/29528
∗∗∗ Post-Exploitation: Abusing the KeePass Plugin Cache ∗∗∗
---------------------------------------------
This blog post presents a post-exploitation approach to inject code into KeePass without process injection. It is performed by abusing the cache resulting from the compilation of PLGX plugin.
---------------------------------------------
https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cac…
∗∗∗ A Detailed Analysis of a New Stealer Called Stealerium ∗∗∗
---------------------------------------------
Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address.
---------------------------------------------
https://securityscorecard.com/research/a-detailed-analysis-of-a-new-stealer…
∗∗∗ Rustproofing Linux (nccgroup) ∗∗∗
---------------------------------------------
The nccgroup blog is carrying afour-part series by Domen Puncer Kugler on how vulnerabilities can maketheir way into device drivers written in Rust. In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least, for a little while longer.
---------------------------------------------
https://lwn.net/Articles/922638/
∗∗∗ Pwn2Owning Two Hosts at the Same Time: Abusing Inductive Automation Ignition’s Custom Deserialization ∗∗∗
---------------------------------------------
Pwn2Own Miami 2022 was a fine competition. At the contest, I successfully exploited three different targets. In this blog post, I would like to show you my personal best research of the competition: the custom deserialization issue in Inductive Automation Ignition.
---------------------------------------------
https://www.thezdi.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-…
∗∗∗ CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability ∗∗∗
---------------------------------------------
Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-obser…
∗∗∗ How to Use Cloud Access Security Brokers for Data Protection ∗∗∗
---------------------------------------------
A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise’s security policies whenever cloud-based resources are accessed.
---------------------------------------------
https://www.hackread.com/cloud-access-security-brokers-data-protection/
=====================
= Vulnerabilities =
=====================
∗∗∗ PMASA-2023-1 ∗∗∗
---------------------------------------------
XSS vulnerability in drag-and-drop upload
Affected Versions: phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected.
The vulnerability has existed since release version 4.3.0.
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2023-1/
∗∗∗ Webbrowser: Google Chrome dichtet Sicherheitslecks ab und ändert Release-Zyklus ∗∗∗
---------------------------------------------
Der Webbrowser Google Chrome 110 schließt 15 teils hochriskante Schwachstellen. Der Hersteller stellt zudem auf ein neues Release-System um.
---------------------------------------------
https://heise.de/-7488524
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland).
---------------------------------------------
https://lwn.net/Articles/922626/
∗∗∗ Tuesday February 14 2023 Security Releases ∗∗∗
---------------------------------------------
The Node.js project will release new versions of the 14.x, 16.x, 18.x and 19.x releases lines on or shortly after, Tuesday February 14 2023 in order to address: 2 low severity issues. 2 medium severity issues. 1 high severity issues.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases
∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in The Huawei Children Smart Watch (Simba-AL00) ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvithc…
∗∗∗ IBM Security Bulletins 2023-02-08 ∗∗∗
---------------------------------------------
* A Security Vulnerability has been identified in the IBM Java SDK as shipped with IBM Security Verify Access.
* IBM Aspera Orchestrator affected by vulnerability (CVE-2022-28615)
* IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577)
* IBM® Db2® is vulnerable to an information disclosure vulnerabilitiy due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927)
* IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930)
* IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted Load command. (CVE-2022-43929)
* IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability) (CVE-2022-41966)
* IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Express.js Express denial of service (CVE-2022-24999)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Moment denial of service (CVE-2022-31129)
* IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js follow-redirects module information disclosure vulnerabilities (CVE-2022-0536, CVE-2022-0155)
* IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787)
* IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364)
* Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2
* Multiple vulnerabilities in the Expat library affect IBM® Db2® Net Search Extender may lead to denial of service or arbitrary code execution.
* Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products.
* Unspecified vulnerability in Java Affects IBM Infosphere Global Name Management (CVE-2022-21496)
* Vulnerabilities in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476)
* Vulnerability in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-34165)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 06-02-2023 18:00 − Dienstag 07-02-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Researcher breaches Toyota supplier portal with info on 14,000 partners ∗∗∗
---------------------------------------------
The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022.
EatonWorks published a detailed writeup about the discoveries today after 90 days disclosure process had passed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-s…
∗∗∗ APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th) ∗∗∗
---------------------------------------------
Many of the bots I am observing attempt to detect the infected system&#;x26;#;39;s public ("WAN") IP address. Most of these systems are assumed to be behind NAT. To detect the external IP address, these bots use various public APIs. It may be helpful to detect these requests. Many use unique host names. This will make detecting the request in DNS logs easy even if TLS is not intercepted.
---------------------------------------------
https://isc.sans.edu/diary/rss/29516
∗∗∗ Android Security Bulletin—February 2023 ∗∗∗
---------------------------------------------
The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. [..] The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed.
---------------------------------------------
https://source.android.com/docs/security/bulletin/2023-02-01
∗∗∗ Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console ∗∗∗
---------------------------------------------
AWS applies a rate limit to authentication requests made to the AWS Console, in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness was since mitigated by AWS.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/
∗∗∗ Smishing: Vorsicht vor Fake Magenta-SMS ∗∗∗
---------------------------------------------
Momentan sind vermehrt gefälschte Magenta-SMS im Umlauf. In der Nachricht wird behauptet, dass Ihre Rechnung nicht beglichen werden konnte. Klicken Sie nicht auf den Link – dieser führt zu einer gefälschten Magenta-Seite, wo Kriminelle Ihre Daten und Ihr Geld stehlen.
---------------------------------------------
https://www.watchlist-internet.at/news/smishing-vorsicht-vor-diesem-fake-ma…
∗∗∗ Saferinternet.at-Studie: Jugendliche und Falschinformationen im Internet ∗∗∗
---------------------------------------------
Anlässlich des heutigen Safer Internet Day führte Saferinternet.at eine Studie zum Thema „Jugendliche und Falschinformationen im Internet“ durch. Die Studienergebnisse zeigen, dass Österreichs Jugendliche beim Umgang mit Informationen im Internet in einem Dilemma stecken: Die Jugendlichen informieren sich zu Alltagsthemen vor allem über soziale Medien, vertrauen den dort bezogenen Informationen jedoch kaum.
---------------------------------------------
https://www.watchlist-internet.at/news/studie-jugendliche-und-falschinforma…
∗∗∗ Safer Internet Day: FAQ Internetsicherheit für Kinder und Jugendliche ∗∗∗
---------------------------------------------
Im Internet lauern für Heranwachsende viele Gefahren, die sie noch nicht einschätzen können. Mit Wissensvermittlung und Tools können sie geschützt werden.
---------------------------------------------
https://heise.de/-7333482
∗∗∗ This notorious ransomware has now found a new target ∗∗∗
---------------------------------------------
The authors of Clop ransomware are experimenting with a Linux variant - a warning that multiple different platforms are in the sights of cyber extortionists.
---------------------------------------------
https://www.zdnet.com/article/this-notorious-ransomware-is-now-targeting-li…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-094: Netatalk dsi_writeinit Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-094/
∗∗∗ TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering ∗∗∗
---------------------------------------------
Subcomponent: Frontend Rendering (ext:frontend, ext:core)
Affected Versions: 8.7.0-8.7.50, 9.0.0-9.5.39, 10.0.0-10.4.34, 11.0.0-11.5.22, 12.0.0-12.1.3
Severity: High
References: CVE-2023-24814, CWE-79
---------------------------------------------
https://typo3.org/security/advisory/typo3-core-sa-2023-001
∗∗∗ Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419) ∗∗∗
---------------------------------------------
Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. ONLYOFFICE, OpenKM, LogicalDOC, Mayan
[..] Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach
---------------------------------------------
https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412…
∗∗∗ OpenSSL Security Advisory [7th February 2023] ∗∗∗
---------------------------------------------
* Severity: High - X.400 address type confusion in X.509 GeneralName (CVE-2023-0286): [...] this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
* Severity: Moderate - CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401
---------------------------------------------
https://www.openssl.org/news/secadv/20230207.txt
∗∗∗ Dateiübertragungslösung: Zero-Day-Lücke in GoAnywhere-MFT-Servern ∗∗∗
---------------------------------------------
Angreifer haben es derzeit auf Server mit GoAnywhere MFT abgesehen. Bislang gibt es kein Sicherheitsupdate. Eine temporäre Übergangslösung sichert Systeme ab.
---------------------------------------------
https://heise.de/-7487393
∗∗∗ VMSA-2023-0003 ∗∗∗
---------------------------------------------
CVSSv3 Range: 7.8
CVE(s): CVE-2023-20854
Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0003.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux).
---------------------------------------------
https://lwn.net/Articles/922519/
∗∗∗ Ichiran App vulnerable to improper server certificate verification ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN11257333/
∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ EnOcean SmartServer ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-037-01
∗∗∗ IBM Security Verify Governance, Identity Manager software component is affected by a vulnerabilitiy CVE-2023-23477 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953461
∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6839565
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953483
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953497
∗∗∗ Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2022-25887 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952745
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953497
∗∗∗ Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package(CVE-2022-26336) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953525
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953557
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953559
∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to bypassing security restrictions, denial of service attacks, and data integrity impacts due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953579
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953583
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953587
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953589
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 03-02-2023 18:00 − Montag 06-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Weltweiter Ransomware-Angriff ∗∗∗
---------------------------------------------
Bei einem weltweit breit gestreuten Ransomware-Angriff wurden laut Medienberichten tausende ESXi-Server, die u. a. zur Virtualisierung von IT-Fachverfahren genutzt werden, verschlüsselt. Der regionale Schwerpunkt der Angriffe lag dabei auf Frankreich, den USA, Deutschland und Kanada, auch weitere Länder sind betroffen.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Downloads via Google Ads: "Tsunami" an Malvertising verbreitet Schadsoftware ∗∗∗
---------------------------------------------
Immer mehr Angreifer versuchen, Geräte von Nutzern mit Malware zu infizieren. Forscher beobachten einen massiven Anstieg auf Google bei der Suche nach Software.
---------------------------------------------
https://heise.de/-7485196
∗∗∗ Tiere zu verschenken: Vorsicht vor betrügerischen Inseraten auf Facebook ∗∗∗
---------------------------------------------
In Facebook-Gruppen tauchen immer wieder betrügerische Inserate für abzugebende Hunde oder Pferde auf. Angeblich sei der Besitzer bzw. die Besitzerin plötzlich verstorben. Daher suchen die Angehörigen dringend einen guten Platz für das Tier. Sie müssen lediglich die Transportkosten bezahlen, da sich das Tier im Ausland befindet. Dahinter steckt aber Betrug, das Tier gibt es gar nicht und Sie verlieren viel Geld!
---------------------------------------------
https://www.watchlist-internet.at/news/tiere-zu-verschenken-vorsicht-vor-be…
∗∗∗ Assemblyline as a Malware Analysis Sandbox, (Sat, Feb 4th) ∗∗∗
---------------------------------------------
If you are looking for a malware sandbox that is easy to install and maintain, Assenblyline (AL) [1] is likely the system you want to be part of your toolbox. "Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline's most powerful functionalities is its recursive analysis model."[2]
---------------------------------------------
https://isc.sans.edu/diary/rss/29510
∗∗∗ Royal Ransomware adds support for encrypting Linux, VMware ESXi systems ∗∗∗
---------------------------------------------
Royal Ransomware operators added support for encrypting Linux devices and target VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group in order of time to add support for encrypting Linux devices and target VMware ESXi virtual machines. Other ransomware operators already support Linux encrypting, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, [...]
---------------------------------------------
https://securityaffairs.com/141876/cyber-crime/royal-ransomware-vmware-esxi…
∗∗∗ FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection ∗∗∗
---------------------------------------------
An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said [...]
---------------------------------------------
https://thehackernews.com/2023/02/formbook-malware-spreads-via.html
∗∗∗ GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry ∗∗∗
---------------------------------------------
E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, [...]
---------------------------------------------
https://thehackernews.com/2023/02/guloader-malware-using-malicious-nsis.html
∗∗∗ ImageMagick: The hidden vulnerability behind your online images ∗∗∗
---------------------------------------------
In a recent APT Simulation engagement, the Ocelot team identified that ImageMagick was used to process images in a Drupal-based website, and hence, the team decided to try to find new vulnerabilities in this component, proceeding to download the latest version of ImageMagick, 7.1.0-49 at that time. As a result, two zero days were identified: [...]
---------------------------------------------
https://www.metabaseq.com/imagemagick-zero-days/
∗∗∗ The Defenders Guide to OneNote MalDocs ∗∗∗
---------------------------------------------
With the heyday of macro-enabled spreadsheets and documents behind us, threat actors have experimented with novel ways to deliver their payloads, including disk image files (.iso, .vhd files), HTML Smuggling (.hta files with embedded scripts), and now OneNote files.
---------------------------------------------
https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs
∗∗∗ How the CISA catalog of vulnerabilities can help your organization ∗∗∗
---------------------------------------------
The CISA catalog of known exploited vulnerabilities is designed for the federal government and useful to everyone.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/02/how-the-cisa-catalog-can-hel…
∗∗∗ Collect, Exfiltrate, Sleep, Repeat ∗∗∗
---------------------------------------------
In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command [...]
---------------------------------------------
https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/
∗∗∗ Solving a VM-based CTF challenge without solving it properly ∗∗∗
---------------------------------------------
A pretty common reverse-engineering CTF challenge genre for the hard/very-hard bucket are virtual machines. There are several flavors to this*, but the most common one is to implement a custom VM in a compiled language and provide it together with bytecode of a flag checker. This was the case for the More Control task from Byte Bandits CTF 2023 - the task this entry is about.
---------------------------------------------
https://gynvael.coldwind.pl/?id=763
∗∗∗ Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations ∗∗∗
---------------------------------------------
Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit.
---------------------------------------------
https://asec.ahnlab.com/en/47088/
=====================
= Vulnerabilities =
=====================
∗∗∗ High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder ∗∗∗
---------------------------------------------
On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations. The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant [...]
---------------------------------------------
https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-m…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/922337/
∗∗∗ CISA adds Oracle, SugarCRM bugs to exploited vulnerabilities list ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) said two vulnerabilities from Oracle and SugarCRM are actively being exploited and ordered federal civilian agencies to patch them before February 23.
---------------------------------------------
https://therecord.media/cisa-adds-oracle-sugarcrm-bugs-to-exploited-vulnera…
∗∗∗ Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6570741
∗∗∗ Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6592963
∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953401
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953433
∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857695
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 02-02-2023 18:00 − Freitag 03-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Hackers weaponize Microsoft Visual Studio add-ins to push malware ∗∗∗
---------------------------------------------
Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-weaponize-microsoft-…
∗∗∗ Anker: Eufy-Kameras waren nicht so sicher wie beworben ∗∗∗
---------------------------------------------
Nach anfänglichem Abstreiten gibt Anker zu, dass die Werbeversprechen zur Sicherheit der Eufy-Überwachungskameras nicht eingehalten wurden.
---------------------------------------------
https://www.golem.de/news/anker-eufy-kameras-waren-nicht-so-sicher-wie-bewo…
∗∗∗ Konami Code Backdoor Concealed in Image ∗∗∗
---------------------------------------------
Attackers are always looking for new ways to conceal their malware and evade detection, whether it’s through new forms of obfuscation, concatenation, or — in this case — unorthodox use of image file extensions. One of the most common backdoors that we have observed over the last few months has been designed to evade detection by placing the payload in an image file and requiring some additional tricks to unlock it.
---------------------------------------------
https://blog.sucuri.net/2023/02/konami-code-backdoor-concealed-in-image.html
∗∗∗ Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails ∗∗∗
---------------------------------------------
IBM Aspera Faspex promises security to end users by offering encryption options for the files being uploaded through its application. This security model is broken through the pre-authentication RCE vulnerability we discovered, that allowed us to execute arbitrary commands on the Aspera Faspex server.
---------------------------------------------
https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/
∗∗∗ Cisco patcht mehrere Produkte - potenzielle Backdoor-Lücke ∗∗∗
---------------------------------------------
Cisco hat Updates zum Schließen von Sicherheitslücken in mehreren Produkten veröffentlicht. Die gravierendste klafft in der IOx Application Hosting Environment.
---------------------------------------------
https://heise.de/-7483079
∗∗∗ Zwei Sicherheitsprobleme in OpenSSH 9.2 gelöst ∗∗∗
---------------------------------------------
Der OpenSSH-Client ist in einer aktualisierten Version erschienen. Informationen über die geschlossenen Sicherheitslücken sind noch rar.
---------------------------------------------
https://heise.de/-7483316
∗∗∗ Erneute Phishing-Welle mit E-Mails im Namen der WKO ∗∗∗
---------------------------------------------
„Aktualisierung Ihrer Firmendaten“: Haben Sie eine E-Mail vom „WKO Serviceteam“ mit diesem Betreff erhalten, sollten Sie genau hinsehen. Denn derzeit versenden Cyberkriminelle willkürlich solche Phishing-Mails an österreichische Unternehmer:innen und geben sich dabei als Wirtschaftskammer Österreich aus.
---------------------------------------------
https://www.watchlist-internet.at/news/erneute-phishing-welle-mit-e-mails-i…
∗∗∗ OneNote Dokumente als neues Hilfsmittel für Spammer und Co. ∗∗∗
---------------------------------------------
Nachdem Microsoft im Juli letzten Jahres die Hürde für Spammer deutlich höher gelegt hat - eingebettete Makros in heruntergeladenen Office Dokumente wurden per Default disabled - musste aus Sicht der Angreifer entsprechender Ersatz gefunden werden. Neuen Erkenntnissen zufolge, wurde dieser auch erfolgreich in Form von OneNote Dokumenten gefunden.
---------------------------------------------
https://cert.at/de/aktuelles/2023/2/onenote-dokumente-als-neues-hilfsmittel…
∗∗∗ What is an OSINT Tool – Best OSINT Tools 2023 ∗∗∗
---------------------------------------------
An OSINT tool is a must for every researcher - In this article, we will explore the 15 best OSINT tools that you can use for your investigations.
---------------------------------------------
https://www.hackread.com/what-is-osint-tool-best-osint-tools-2023/
=====================
= Vulnerabilities =
=====================
∗∗∗ K000130496: Overview of F5 vulnerabilities (February 2023) ∗∗∗
---------------------------------------------
On February 1, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles.
---------------------------------------------
https://my.f5.com/manage/s/article/K000130496
∗∗∗ Angreifer könnten Windows-PCs mit VMware Workstation attackieren ∗∗∗
---------------------------------------------
Ein Sicherheitsupdate schließt eine Lücke in der Virtualisierungslösung VMware Workstation. Angreifer brauchten lokale Benutzerrechte auf dem PC des Opfers.
---------------------------------------------
https://heise.de/-7483515
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff).
---------------------------------------------
https://lwn.net/Articles/922112/
∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-23-033-01 Delta Electronics DIAScreen, ICSA-23-033-02 Mitsubishi Electric GOT2000 Series and GT SoftGOT2000, ICSA-23-033-03 Baicells Nova, ICSA-23-033-04 Delta Electronics DVW-W02W2-E2, ICSA-23-033-05 Delta Electronics DX-2100-L1-CN, ICSA-22-221-01 Mitsubishi Electric Multiple Factory Automation Products (Update D).
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/cisa-releases-six…
∗∗∗ B&R Advisory: Several Issues in APROL Database ∗∗∗
---------------------------------------------
Several Issues in ARPOL database, CVE ID: CVE-2022-43761, CVE-2022-43762, CVE-2022-43763, CVE-2022-43764, CVE-2022-43765
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16748230…
*** IBM Security Bulletins 2023-02-01 ***
---------------------------------------------
Tivoli System Automation Application Manager, IBM MQ, IBM FlashSystem 5000, IBM FlashSystem 7200, IBM FlashSystem 7300, IBM FlashSystem 9100, IBM FlashSystem 9200, IBM FlashSystem 9500, IBM FlashSystem V9000, IBM Spectrum Virtualize as Software Only, IBM Spectrum Virtualize for Public Cloud, IBM Storwize V5000, V5000E, V7000 and V5100, Jazz for Service Management, SAN Volume Controller, IBM App Connect Enterprise, IBM Voice Gateway, IBM Aspera, IBM MQ, IBM Business Automation Workflow, IBM Control Desk, IBM Maximo, IBM Sterling Connect:Direct File Agent.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Exploitation of GoAnywhere MFT zero-day vulnerability ∗∗∗
---------------------------------------------
A warning has been issued about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 01-02-2023 18:00 − Donnerstag 02-02-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ New DDoS-as-a-Service platform used in recent attacks on hospitals ∗∗∗
---------------------------------------------
A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platfo…
∗∗∗ New Nevada Ransomware targets Windows and VMware ESXi systems ∗∗∗
---------------------------------------------
A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-target…
∗∗∗ LockBit ransomware goes Green, uses new Conti-based encryptor ∗∗∗
---------------------------------------------
The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-gree…
∗∗∗ Password-stealing “vulnerability” reported in KeePass – bug or feature? ∗∗∗
---------------------------------------------
Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?
---------------------------------------------
https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability…
∗∗∗ Rotating Packet Captures with pfSense, (Wed, Feb 1st) ∗∗∗
---------------------------------------------
Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files.
---------------------------------------------
https://isc.sans.edu/diary/rss/29500
∗∗∗ What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits ∗∗∗
---------------------------------------------
We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/b/what-socs-need-to-know-about…
∗∗∗ OpenSSH 9.2 released ∗∗∗
---------------------------------------------
OpenSSH9.2 has been released. It includes a number of security fixes,including one for a pre-authenticationdouble-free vulnerability that the project does not believe is exploitable.
---------------------------------------------
https://lwn.net/Articles/922006/
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Causing Deletion of All Users in CrushFTP Admin Area ∗∗∗
---------------------------------------------
During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django).
---------------------------------------------
https://lwn.net/Articles/921957/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001 ∗∗∗
---------------------------------------------
CVE identifiers: CVE-2023-23517, CVE-2023-23518,CVE-2022-42826.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0001.html
∗∗∗ Jira Service Management Server and Data Center Advisory (CVE-2023-22501) ∗∗∗
---------------------------------------------
This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0
---------------------------------------------
https://confluence.atlassian.com/jira/jira-service-management-server-and-da…
∗∗∗ Drupal Releases Security Update to Address a Vulnerability in Apigee Edge ∗∗∗
---------------------------------------------
Drupal released a security update to address a vulnerability affecting the Apigee Edge module for Drupal 9.x. An attacker could exploit this vulnerability to bypass access authorization or disclose sensitive information. CISA encourages users and administrators to review Drupal’s security advisory SA-CONTRIB-2023-005 and apply the necessary update.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/drupal-releases-s…
∗∗∗ Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6912697
∗∗∗ IBM API Connect is impacted by an external service interaction vulnerability (CVE-2022-34350) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6921243
∗∗∗ IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6921285
∗∗∗ IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952181
∗∗∗ IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6909467
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 31-01-2023 18:00 − Mittwoch 01-02-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Jetzt patchen! Zehntausende Qnap-NAS hängen verwundbar am Internet ∗∗∗
---------------------------------------------
Angreifer könnten direkt über das Internet an einer kritischen Sicherheitslücke in Netzwerkspeichern von Qnap ansetzen.
---------------------------------------------
https://heise.de/-7477826
∗∗∗ Microsoft Defender for Endpoint schickt nun auch Linux-Rechner in die Isolation ∗∗∗
---------------------------------------------
Weil auch Linux-Geräte als Einfallstor für Cyber-Angreifer dienen können, isoliert Microsofts Security-Software künftig bei Bedarf auch sie aus dem Firmennetz.
---------------------------------------------
https://heise.de/-7477878
∗∗∗ Diskussion um Schwachstelle in KeePass ∗∗∗
---------------------------------------------
Eine Schwachstelle erlaubt das Ändern der KeePass-Konfiguration, wenn Nutzer bestimmte Rechte haben. Mit denen können sie jedoch viel mehr anstellen.
---------------------------------------------
https://heise.de/-7478396
∗∗∗ Neue Vinted-Verkäufer:innen aufgepasst: Keine Zahlungen freigeben! ∗∗∗
---------------------------------------------
Auf der Second-Hand-Plattform vinted.at kommt es aktuell vermehrt zu einer Betrugsmasche, die sich an neue Verkäufer:innen richtet. Die ersten Interessent:innen melden sich schnell und verlangen eine Telefonnummer. Anschließend folgen SMS im Namen von Vinted, die eine Bestätigung der Kreditkartendaten zum Erhalt der Zahlung fordern. Achtung: Die SMS stammen nicht von vinted.at, sondern von Kriminellen und die vermeintlichen Bestätigungen führen zu Abbuchungen [...]
---------------------------------------------
https://www.watchlist-internet.at/news/neue-vinted-verkaeuferinnen-aufgepas…
∗∗∗ Hackers use new IceBreaker malware to breach gaming companies ∗∗∗
---------------------------------------------
Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-m…
∗∗∗ DShield Honeypot Setup with pfSense, (Tue, Jan 31st) ∗∗∗
---------------------------------------------
Setting up a DShield honeypot is well guided by the installation script [1]. After several minutes of following the instructions and adding some custom details, the honeypot is up and running. What's needed after that is to expose the honeypot to the internet. I recently decided to update my home router and thought it was a great opportunity to dig into using pfSense [2].
---------------------------------------------
https://isc.sans.edu/diary/rss/29490
∗∗∗ Detecting (Malicious) OneNote Files, (Wed, Feb 1st) ∗∗∗
---------------------------------------------
We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document").
---------------------------------------------
https://isc.sans.edu/diary/rss/29494
∗∗∗ Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076) ∗∗∗
---------------------------------------------
Cisco has released patches for a high-severity vulnerability (CVE-2023-20076) found in some of its industrial routers, gateways and enterprise wireless access points, which may allow attackers to insert malicious code that can’t be deleted by simply rebooting the device or updating its firmware. “In this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system.
---------------------------------------------
https://www.helpnetsecurity.com/2023/02/01/cve-2023-20076/
∗∗∗ Google sponsored ads malvertising targets password manager ∗∗∗
---------------------------------------------
Our reserachers found a more direct way to go after your password by using Google sponsored ads campaigns
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponso…
∗∗∗ Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking ∗∗∗
---------------------------------------------
Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched.
---------------------------------------------
https://www.securityweek.com/unpatched-econolite-traffic-controller-vulnera…
∗∗∗ Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware ∗∗∗
---------------------------------------------
Microsoft warns that phishing, fake software updates and unpatched vulnerabilities are being exploited for ransomware attacks.
---------------------------------------------
https://www.zdnet.com/article/microsoft-we-are-tracking-these-100-active-ra…
∗∗∗ Password Nightmare Explained ∗∗∗
---------------------------------------------
This blog post belongs to a series in which we examine various influences on password strategies. The first post in the series analyzed the macrosocial influence of a country on its citizens’ passwords. The second post was focused on the analysis of the influence of a community on password choice. In this last post, we aim to increase the strength of our readers’ passwords by influencing their password strategies using knowledge and insights from our research.
---------------------------------------------
https://www.gosecure.net/blog/2023/01/31/password-nightmare-explained/
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability in Driver Distributor where passwords are stored in a recoverable format ∗∗∗
---------------------------------------------
Driver Distributor provided by FUJIFILM Business Innovation Corp. contains a vulnerability where passwords are stored in a recoverable format.
---------------------------------------------
https://jvn.jp/en/jp/JVN22830348/
∗∗∗ Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software ∗∗∗
---------------------------------------------
Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations.
---------------------------------------------
https://thehackernews.com/2023/02/additional-supply-chain-vulnerabilities.h…
∗∗∗ Virenschutz: Datei-Upload bis Exitus durch Trend Micro Apex One-Schwachstelle ∗∗∗
---------------------------------------------
Eine hochriskante Sicherheitslücke im Trend Micro Apex One Server könnten Angreifer missbrauchen, um den Server mit Dateien zu fluten und damit lahmzulegen.
---------------------------------------------
https://heise.de/-7477479
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (fig2dev and libstb), Fedora (seamonkey), SUSE (ctags, python-setuptools, samba, tmux, and xterm), and Ubuntu (advancecomp, apache2, python-django, slurm-llnl, and vim).
---------------------------------------------
https://lwn.net/Articles/921848/
∗∗∗ CVE-2023-22374: F5 BIG-IP Format String Vulnerability ∗∗∗
---------------------------------------------
Rapid7 found an additional vulnerability in the appliance-mode REST interface. We reported it to F5 and are now disclosing it in accordance with our vulnerability disclosure policy.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/02/01/cve-2023-22374-f5-big-ip-format…
∗∗∗ IBM Security Bulletins 2023-02-01 ∗∗∗
---------------------------------------------
App Connect Professional is affected by JsonErrorReportValve in Apache Tomcat.
A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-23477)
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-23477)
A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-23477)
A vulnerability in the IBM Java Runtime affects IBM Rational ClearQuest (CVE-2022-21626)
A vulnerability may affect the IBM Elastic Storage System GUI (CVE-2022-43869)
HTTP header injection vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-34165)
IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to json5 (CVE-2022-46175)
IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons [CVE-2022-42889 and CVE-2022-33980]
IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML
IBM Cloud Pak for Multicloud Management is vulnerable to denial of service due to protobuf-java core and lite
IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of FasterXML Jackson (CVE-2022-42003)
IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go
IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS
IBM Infosphere Information Server is vulnerable to cross-site scripting (CVE-2023-23475)
IBM Spectrum Scale GUI is vulnerable to Format string attack (CVE-2022-43869)
IBM Sterling B2B Integrator is vulnerable to denial of service due to Netty (CVE-2021-37136, CVE-2021-37137)
IBM Sterling Connect:Direct File Agent is vulnerable to a denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626)
IBM Sterling Connect:Direct File Agent is vulnerable to a memory exploit due to Eclipse Openj9 (CVE-2022-3676)
IBM Sterling External Authentication Server vulnerable to denial of service due to Apache Xerces2 (CVE-2022-23437)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in GNU glibc (CVE-2021-3999)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-27664)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in protobuf (CVE-2022-1941)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in OpenSSL (CVE-2022-2068)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in GNU gzip (CVE-2022-1271)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to issues in OpenSSL (CVE-2022-1434, CVE-2022-1343, CVE-2022-1292, CVE-2022-1473 )
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to query parameter smuggling in Golang Go (CVE-2022-2880)
IBM WebSphere Application Server Liberty used by IBM Cloud Pak for Watson AIOps is vulnerable to HTTP header injection (CVE-2022-34165)
Multiple vulnerabilities in IBM Java SDK affects App Connect Professional.
Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061)
Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-2068, CVE-2022-2097)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi…
∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi…
∗∗∗ Multiple Vulnerabilities Patched in Quick Restaurant Menu Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-…
∗∗∗ SA45653 - Cross-site Request Forgery in Login Form ∗∗∗
---------------------------------------------
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Cross-site-Re…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 30-01-2023 18:00 − Dienstag 31-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Exploit released for critical VMware vRealize RCE vulnerability ∗∗∗
---------------------------------------------
Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances.
VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-critica…
∗∗∗ Github Desktop & Atom: Signaturschlüssel von Github entwendet ∗∗∗
---------------------------------------------
Auf Github wurden Signaturschlüssel entwendet, die bald zurückgerufen werden. Betroffen sind Github Desktop und Atom für Mac, die den Dienst einstellen. (Github, Security)
---------------------------------------------
https://www.golem.de/news/github-desktop-atom-signaturschluessel-von-github…
∗∗∗ Prilex modification now targeting contactless credit card transactions ∗∗∗
---------------------------------------------
Kaspersky discovers three new variants of the Prilex PoS malware capable of blocking contactless NFC transactions on an infected device.
---------------------------------------------
https://securelist.com/prilex-modification-now-targeting-contactless-credit…
∗∗∗ Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process ∗∗∗
---------------------------------------------
On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)).
---------------------------------------------
https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-ca…
∗∗∗ Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th) ∗∗∗
---------------------------------------------
I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard.
---------------------------------------------
https://isc.sans.edu/diary/rss/29488
∗∗∗ Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years ∗∗∗
---------------------------------------------
A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years."TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically
---------------------------------------------
https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.ht…
∗∗∗ Chromebook SH1MMER exploit promises admin jailbreak ∗∗∗
---------------------------------------------
Schools laptops are out if this one gets around, but beware bricking Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SHI1MMER.…
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/01/30/chromebook_e…
∗∗∗ Forthcoming OpenSSL Releases ∗∗∗
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg.[..] These releases will be made available on Tuesday 7th February 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is High
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html
∗∗∗ Abstandhalten zu undurchsichtigen Multi-Level-Marketing-Angeboten wie shopwithme.biz ∗∗∗
---------------------------------------------
Wer sich aktuell auf sozialen Medien wie Facebook, YouTube oder TikTok bewegt, kommt an Werbevideos, die das große Geld versprechen, kaum vorbei. Mit minimalem Aufwand und revolutionären Methoden sollen Sie ganz einfach Unsummen an Geld verdienen können. Ähnliches verspricht man beispielsweise bei shopwithme.biz. Ein genauerer Blick lässt vermuten: Hier verdient man nicht durch den Verkauf von Produkten, sondern durch die Anwerbung neuer Kundschaft. Wir raten hier
---------------------------------------------
https://www.watchlist-internet.at/news/abstandhalten-zu-undurchsichtigen-mu…
∗∗∗ A Phishing Page that Changes According to the User’s Email Address (Using Favicon) ∗∗∗
---------------------------------------------
The ASEC analysis team continuously monitors phishing emails, and we have been detecting multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user.
---------------------------------------------
https://asec.ahnlab.com/en/46786/
=====================
= Vulnerabilities =
=====================
∗∗∗ [20230101] - Core - CSRF within post-installation messages ∗∗∗
---------------------------------------------
Severity: Low
Versions: 4.0.0-4.2.6
Exploit type: CSRF
Description: A missing token check causes a CSRF vulnerability in the handling of post-installation messages. Affected Installs Joomla! CMS versions 4.0.0-4.2.6
Solution: Upgrade to version 4.2.7
---------------------------------------------
https://developer.joomla.org:443/security-centre/890-20230101-core-csrf-wit…
∗∗∗ [20230102] - Core - Missing ACL checks for com_actionlogs ∗∗∗
---------------------------------------------
Severity: Low
Versions: 4.0.0-4.2.6
Exploit type: Incorrect Access Control
Description: A missing ACL check allows non super-admin users to access com_actionlogs.
Solution: Upgrade to version 4.2.7
---------------------------------------------
https://developer.joomla.org:443/security-centre/891-20230102-core-missing-…
∗∗∗ VMSA-2023-0002 ∗∗∗
---------------------------------------------
CVSSv3 Range: 6.5
CVE(s): CVE-2023-20856
Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0002.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo).
---------------------------------------------
https://lwn.net/Articles/921765/
∗∗∗ [R1] Tenable Plugin Feed ID #202212212055 Fixes Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges. We have resolved the issue and also made several defense-in-depth fixes alongside.
---------------------------------------------
https://www.tenable.com/security/tns-2023-04
∗∗∗ WordPress Vulnerability & Patch Roundup January 2023 ∗∗∗
---------------------------------------------
* SiteGround Security – SQL injection
* ExactMetrics – Cross Site Scripting (XSS)
* Enable Media Replace – Arbitrary File Upload
* Spectra WordPress Gutenberg Blocks – Stored Cross Site Scripting
* GiveWP – SQL Injection
* Better Font Awesome – Cross Site Scripting (XSS)
* LearnPress – SQL Injection
* Royal Elementor Addons and Templates – Cross Site Scripting (XSS)
* Strong Testimonials – Stored Cross Site Scripting (XSS)
* HUSKY (formerly WOOF) – PHP Object Injection
* WP Show Posts – Cross Site Scripting (XSS)
* Widgets for Google Reviews – Cross Site Scripting (XSS)
* Strong Testimonials – Cross Site Scripting (XSS)
* Simple Sitemap – Cross Site Scripting (XSS)
* Contextual Related Posts – Stored Cross Site Scripting (XSS)
* Stream – Broken Access Control
* Customer Reviews for WooCommerce – Cross Site Scripting (XSS)
* Themify Portfolio Post – Stored Cross Site Scripting
* Spotlight Social Media Feeds – Stored Cross Site Scripting (XSS)
* RSS Aggregator by Feedzy – Stored Cross Site Scripting (XSS)
---------------------------------------------
https://blog.sucuri.net/2023/01/wordpress-vulnerability-patch-roundup-janua…
∗∗∗ IBM Security Bulletins) ∗∗∗
---------------------------------------------
* IBM UrbanCode Deploy (UCD) is vulnerable to cross-site scripting ( CVE-2022-46771 )
* IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go (CVE-2022-24921, CVE-2022-28327, CVE-2022-24675)
* IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477)
* Multiple vulnerabilities affect IBM Sterling External Authentication Server
* Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring.
* Multiple vulnerabilities in libcURL affect IBM Rational ClearCase ( CVE-2022-42915, CVE-2022-42916, CVE-2022-32221, CVE-2022-35252, * * CVE-2022-32205, CVE-2022-32206, CVE-2022-32207 )
* IBM Sterling Secure Proxy vulnerable to multiple issues
* Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2022-2097, CVE-2022-2068)
* A vulnerability in the IBM Java Runtime affects IBM Rational ClearCase (CVE-2022-21626)
* Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to jsonwebtoken CVE-2022-23529
* Automation Assets in IBM Cloud Pak for Integration is vulnerable to CSS injection due to Swagger CVE-2019-17495
* Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to protobuf CVE-2022-1941
* Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities
* IBM Watson Knowledge Catalog on Cloud Pak for Data is vulnerable to SQL injection (CVE-2022-41731)
* IBM Virtualization Engine TS7700 is vulnerable to a denial of service threat due to use of IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 (CVE-2022-21626)
* Multiple vulnerabilities affect IBM Db2\u00ae on Cloud Pak for Data and Db2 Warehouse\u00ae on Cloud Pak for Data
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in XStream
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PyPA Wheel
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js json5
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js decode-uri-component
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PostgreSQL
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Tomcat
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Spark
* Multiple Vulnerabilities in Java packages affect IBM Voice Gateway
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in HSQLDB
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Google Protocol Buffers
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java
* IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Delta Electronics DOPSoft ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-031-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 27-01-2023 18:00 − Montag 30-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Jetzt patchen! Sicherheitsforscher kombinieren Lücken in VMware vRealize Log ∗∗∗
---------------------------------------------
Angreifer könnten zeitnah vRealize Log von VMware ins Visier nehmen und Schadcode mit Root-Rechten ausführen. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-7474931
∗∗∗ Vorsicht vor gefälschten FinanzOnline-Benachrichtigungen ∗∗∗
---------------------------------------------
Kriminelle versenden gefälschte FinanzOnline-E-Mails. Aktuell sind uns zwei Varianten bekannt: In einem Mail wird behauptet, dass Sie eine Erstattung aus dem Sozialfonds erhalten. In einem anderen Mail steht, dass Sie eine Rückerstattung erhalten und einen QR-Code scannen müssen. Folgen Sie nicht den Anweisungen, es handelt sich um Betrug.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli…
∗∗∗ Malware PlugX infiziert USB-Geräte ∗∗∗
---------------------------------------------
Sicherheitsforscher der Unit 42 von Palo Alto Networks haben Cyberangriffe mit neuer Variante der altbekannten Schadsoftware beobachtet. Die mutmaßlich aus China stammende PlugX-Malware ist aufgefallen, weil diese Variante alle angeschlossenen USB-Wechselmediengeräte wie Disketten-, Daumen- oder Flash-Laufwerke sowie alle weiteren Systeme [...]
---------------------------------------------
https://www.borncity.com/blog/2023/01/28/malware-plugx-infiziert-usb-gerte/
∗∗∗ Laufwerksverschlüsselung per BitLocker: Das sollten Sie beachten ∗∗∗
---------------------------------------------
Die Geräteverschlüsselung von Microsoft schützt Ihre Daten vor unerwünschten Zugriffen. Zuweilen greift BitLocker automatisch, oft muss man selbst Hand anlegen.
---------------------------------------------
https://heise.de/-7467041
∗∗∗ Shady reward apps on Google Play amass 20 million downloads ∗∗∗
---------------------------------------------
A new category of activity tracking applications has been having massive success recently on Google Play, Androids official app store, having been downloaded on over 20 million devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/shady-reward-apps-on-google-…
∗∗∗ SaaS Rootkit Exploits Hidden Rules in Microsoft 365 ∗∗∗
---------------------------------------------
A vulnerability within Microsofts OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/saas-rootkit-exploits-h…
∗∗∗ Gootkit Malware Continues to Evolve with New Components and Obfuscations ∗∗∗
---------------------------------------------
The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group.
---------------------------------------------
https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html
∗∗∗ Titan Stealer: A New Golang-Based Information Stealer Malware Emerges ∗∗∗
---------------------------------------------
A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," [...]
---------------------------------------------
https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html
∗∗∗ Asking MEMORY.DMP and Volatility to make up ∗∗∗
---------------------------------------------
A few days ago Ive posted RE category write-ups from the KnightCTF 2023. Another category Ive looked at – quite intensely at that – was forensics. While this blog post isnt a write-up for that category, I still wanted (and well, was asked to actually) write down some steps I took to make Volatility work with MEMORY.DMP file provided in the "Take care of this" challenge series. Or actually steps I took to convert MEMORY.DMP into something volatility could work with.
---------------------------------------------
https://gynvael.coldwind.pl/?id=762
∗∗∗ Analysis Report on Malware Distributed via Microsoft OneNote ∗∗∗
---------------------------------------------
This document is an analysis report on malware that is being actively distributed using Microsoft OneNote. The ASEC analysis team identified the rapidly increasing trend of OneNote malware distribution from November 2022 and has classified the malware according to the level of intricacy based on the screen that appears when the file is actually opened.
---------------------------------------------
https://asec.ahnlab.com/en/46457/
=====================
= Vulnerabilities =
=====================
∗∗∗ Qnap-NAS: Kritische Sicherheitslücke ermöglicht Unterjubeln von Schadcode ∗∗∗
---------------------------------------------
In Qnap-Netzwerkgeräten mit QTS- und QuTS-hero-Betriebssystem könnten Angreifer Schadcode einschleusen und ausführen. Updates schließen die kritische Lücke.
---------------------------------------------
https://heise.de/-7475288
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, dojo, git, lemonldap-ng, libapache-session-browseable-perl, libapache-session-ldap-perl, libzen, node-object-path, openjdk-11, sofia-sip, tiff, tor, and varnish), Fedora (libgit2, open62541, pgadmin4, rubygem-git, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-libgit2-sys, rust-libgit2-sys0.12, rust-pore, rust-pretty-git-prompt, rust-rd-agent, rust-rd-hashd, rust-resctl-bench, rust-resctl-demo, rust-silver, and rust-tokei), Scientific
---------------------------------------------
https://lwn.net/Articles/921620/
∗∗∗ CERT-Warnung: Standard KeePass-Setup ermöglicht Passwort-Klau (CVE-2023-24055) ∗∗∗
---------------------------------------------
Kurzer Hinweis bzw. Warnung an Nutzer des KeePass Password Safe zur Verwaltung von Kennwörtern und Zugangsdaten. Das Cyber Emergency Response Team aus Belgien (CERT.be) hat am 27. Januar 2023 eine Warnung zu KeePass veröffentlicht. Im Standard-Setup sind Schreibzugriffe auf die [...]
---------------------------------------------
https://www.borncity.com/blog/2023/01/30/cert-warnung-standard-keepass-setu…
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848023
∗∗∗ Enterprise Content Management System Monitor is affected by a vulnerability in Eclipse Openj9 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6890603
∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to Denial of Service (DoS) attacks (CVE-2022-40153) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6890629
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855093
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855105
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855099
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855097
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855101
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 26-01-2023 18:00 − Freitag 27-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ ProxyShell & Co.: Microsoft gibt Tipps, um Exchange Server abzusichern ∗∗∗
---------------------------------------------
Vor dem Hintergrund mehrerer kritischer Sicherheitslücken und Attacken auf Exchange Server zeigt Microsoft, welche Updates Admins dringend installieren müssen.
---------------------------------------------
https://heise.de/-7472639
∗∗∗ CPUs von Intel und ARM: Linux und der Umgang mit datenabhängigem Timing ∗∗∗
---------------------------------------------
Wenn die Dauer von Operationen von den Daten abhängt, ermöglicht dies Timing-Attacken auf Informationen. Wie geht Linux damit um?
---------------------------------------------
https://www.golem.de/news/cpus-von-intel-und-arm-linux-und-der-umgang-mit-d…
∗∗∗ Bitwarden password vaults targeted in Google ads phishing attack ∗∗∗
---------------------------------------------
Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users password vault credentials.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-ta…
∗∗∗ Live Linux IR with UAC, (Thu, Jan 26th) ∗∗∗
---------------------------------------------
The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector or UAC(1) created by Thiago Lahr. As you would expect, it gathers most live stats but also collects Virtual box and Docker info and other data on the system. [...] With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made.
---------------------------------------------
https://isc.sans.edu/diary/rss/29480
∗∗∗ WhatsApp hijackers take over your account while you sleep ∗∗∗
---------------------------------------------
Theres an easy way to protect yourself. Heres how.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/01/protect-your-whatsapp-accoun…
∗∗∗ "2.6 million DuoLingo account entries" up for sale ∗∗∗
---------------------------------------------
We take a look at claims of large amounts of DuoLingo user data up for sale, supposedly scraped from publicly available sources.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/01/2.6-million-duolingo-account…
∗∗∗ Tourismusbranche im Visier von Kriminellen: Cyberangriffe über booking.com ∗∗∗
---------------------------------------------
Der Hotelverband Deutschland, der französische Hotelverband GNI und die Wirtschaftskammer Österreich warnen vor zwei unterschiedlichen Betrugsversuchen über die Kommunikationskanäle von booking.com. Die Angriffe zielen darauf ab, das Computer-System der Unterkünfte mit Schadsoftware zu infizieren oder Kunden:innendaten abzugreifen.
---------------------------------------------
https://www.watchlist-internet.at/news/tourismusbranche-im-visier-von-krimi…
∗∗∗ Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms ∗∗∗
---------------------------------------------
We recap our research on privilege escalation and powerful permissions in Kubernetes and analyze the ways various platforms have addressed it.
---------------------------------------------
https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation/
∗∗∗ A Blog with NoName ∗∗∗
---------------------------------------------
Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations
---------------------------------------------
https://www.team-cymru.com/post/a-blog-with-noname
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, chromium, and modsecurity-apache), Fedora (libgit2, mediawiki, and redis), Oracle (go-toolset:ol8, java-1.8.0-openjdk, systemd, and thunderbird), Red Hat (java-1.8.0-openjdk and redhat-ds:12), SUSE (apache2, bluez, chromium, ffmpeg-4, glib2, haproxy, kernel, libXpm, podman, python-py, python-setuptools, samba, xen, xrdp, and xterm), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/921477/
∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/26/cisa-releases-eig…
∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857695
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857999
∗∗∗ IBM App Connect Enterprise Certified Container may be vulnerable to denial of service due to [CVE-2022-42898] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6858007
∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-27664] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6858011
∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-32189] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6858009
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to [CVE-2022-23491] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6858005
∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6858015
∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847951
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 25-01-2023 18:00 − Donnerstag 26-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Exploit released for critical Windows CryptoAPI spoofing bug ∗∗∗
---------------------------------------------
Proof of concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability discovered by the NSA and U.K.s NCSC allowing MD5-collision certificate spoofing. Tracked as CVE-2022-34689, this security flaw was addressed with security updates released in August 2022 [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-critica…
∗∗∗ PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed a new Python-based attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022."This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report [..]
---------------------------------------------
https://thehackernews.com/2023/01/pyration-new-python-based-rat-utilizes.ht…
∗∗∗ Massive Supply-Chain-Attacke auf Router von Asus, D-Link & Co. beobachtet ∗∗∗
---------------------------------------------
Angreifer haben derzeit weltweit eine kritische Schwachstelle in Wireless-SoCs von Realtek im Visier. In Deutschland soll es Millionen Attacken gegeben haben. [...] Von der Lücke sind rund 190 IoT-Modelle von 66 Herstellern betroffen. Eine Auflistung von betroffenen Geräten findet man in der ursprünglichen Warnmeldung am Ende des Beitrags. Sicherheitspatches von Realtek sind schon seit Sommer 2021 verfügbar.
---------------------------------------------
https://heise.de/-7471324
∗∗∗ Cybercrime: Polizei zerschlägt Ransomware-Gruppe "Hive" ∗∗∗
---------------------------------------------
Deutsche Ermittler haben in Zusammenarbeit mit den Behörden in den Niederlanden und den USA die Kontrolle über das Ransomware-Netzwerk "Hive" übernommen.
---------------------------------------------
https://heise.de/-7472192
∗∗∗ Chinese PlugX Malware Hidden in Your USB Devices? ∗∗∗
---------------------------------------------
The PlugX malware stood out to us as this variant infects any attached removable USB media devices such as floppy, thumb or flash drives and any additional systems the USB is later plugged into.
This PlugX malware also hides actor files in a USB device using a novel technique that works even on the most recent Windows operating systems (OS) at the time of writing this post.
---------------------------------------------
https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/
∗∗∗ AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa23-025a
∗∗∗ Achtung: Phishing zur Kontensperrung zielt auf Ing-Banking-Kunden (Jan. 2023) ∗∗∗
---------------------------------------------
us gegebenem Anlass greife ich die nächste Phishing-Kampagne hier im Blog auf, die sich an Kunden von Banken richtet. Kunden der Online-Bank Ing erhalten in einer Kampagne eine Phishing-Mail mit dem Hinweis, dass das Konto gesperrt worden sei, weil nicht auf eine Nachricht der Bank reagiert worden sei.
---------------------------------------------
https://www.borncity.com/blog/2023/01/26/achtung-phishing-zur-kontensperrun…
∗∗∗ New Mimic Ransomware Abuses Everything APIs for its Encryption Process ∗∗∗
---------------------------------------------
Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdate BIND: Angreifer könnten DNS-Server mit Anfragen überfluten ∗∗∗
---------------------------------------------
Die Entwickler haben in der DNS-Software auf Open-Source-Basis BIND drei DoS-Lücken geschlossen.
---------------------------------------------
https://heise.de/-7471773
∗∗∗ Wordpress-Plug-in: Kritische Lücke in Learnpress auf 75.000 Webseiten ∗∗∗
---------------------------------------------
Das Wordpress-Plug-in Learnpress kommt auf über 100.000 Webseiten zum Einsatz. Mangels installierter Updates sind 75.000 davon für Kompromittierung anfällig.
---------------------------------------------
https://heise.de/-7471283
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (git), Fedora (libXpm and redis), Oracle (bind, firefox, grub2, java-1.8.0-openjdk, java-11-openjdk, kernel, libtasn1, libXpm, and sssd), Red Hat (thunderbird), SUSE (freeradius-server, kernel, libzypp-plugin-appdata, python-certifi, and xen), and Ubuntu (bind9, krb5, linux-raspi, linux-raspi-5.4, and privoxy).
---------------------------------------------
https://lwn.net/Articles/921345/
∗∗∗ libcurl as used by IBM QRadar Wincollect agent is vulnerable to denial of service (CVE-2022-43552, CVE-2022-43551) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857685
∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to query parameter smuggling due to [CVE-2022-2880] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857849
∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-2879] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857851
∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-41715] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857853
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to elevated privileges due to [CVE-2022-42919] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857847
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 24-01-2023 18:00 − Mittwoch 25-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Vorsicht vor Phishing-Mails von FinanzOnline und ID Austria ∗∗∗
---------------------------------------------
Betrüger*innen versuchen mit gefälschten Mails an sensible Daten zu kommen.
---------------------------------------------
https://futurezone.at/digital-life/phishing-mails-finanzonline-id-austria-v…
∗∗∗ GoTo-Hacker erbeuten verschlüsselte Backups inklusive Schlüssel ∗∗∗
---------------------------------------------
GoTo, ein Anbieter für Software-as-a-Service und Remote-Work-Tools, veröffentlicht weitere Erkenntnisse über einen IT-Sicherheitsvorfall.
---------------------------------------------
https://heise.de/-7470609
∗∗∗ OTORIO DCOM Hardening Toolkit für Windows für OT-Systeme veröffentlicht ∗∗∗
---------------------------------------------
In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle, die eine Umgehung der Sicherheitsfunktionen ermöglicht. Microsoft hat das dokumentiert und gepatcht, und will im März 2023 aber einen letzten einen Patch freigeben. Sicherheitsanbieter OTORIO hat im Vorfeld ein OpenSource DCOM Hardening Toolkit für OT-Systeme veröffentlicht, mit dem Unternehmen ihre DCOM-Umgebungen analysieren und ggf. härten können.
---------------------------------------------
https://www.borncity.com/blog/2023/01/25/otorio-dcom-hardening-toolkit-fr-w…
∗∗∗ Recovery-Scam durch betrugsdezernat.com und betrugsdezernat.org! ∗∗∗
---------------------------------------------
Wer auf betrügerischen Investment-Plattformen Geld verloren hat, wünscht sich meist nichts mehr, als sämtliche Einzahlungen zurückerhalten zu können. Darauf setzen auch die Kriminellen, die schon hinter dem Investitionsbetrug steckten. Sie geben sich als (häufig erfundene) Behörden aus und behaupten, das verlorene Geld festgesetzt zu haben. Eine kleine Vorauszahlung der Opfer soll zur Rückbuchung aller Verluste führen.
---------------------------------------------
https://www.watchlist-internet.at/news/recovery-scam-durch-betrugsdezernatc…
∗∗∗ Senden Sie Ihre Daten nicht an gewerbe-datenanzeiger.at! ∗∗∗
---------------------------------------------
Haben auch Sie eine Nachricht von Gewerbe Datenanzeiger bekommen, die Sie auffordert, Ihre Firmendaten preiszugeben? Ignorieren Sie die Nachricht, wenn Sie antworten, schließen Sie ein teures Abo in Höhe von 1.992 € ab!
---------------------------------------------
https://www.watchlist-internet.at/news/senden-sie-ihre-daten-nicht-an-gewer…
∗∗∗ Ransomware access brokers use Google ads to breach your network ∗∗∗
---------------------------------------------
A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims passwords, and ultimately breach networks for ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-us…
∗∗∗ New stealthy Python RAT malware targets Windows in attacks ∗∗∗
---------------------------------------------
A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malw…
∗∗∗ Lessons Learned from the Windows Remote Desktop Honeypot Report ∗∗∗
---------------------------------------------
Over several weeks in October of 2022, Specops collected 4.6 million attempted passwords on their Windows Remote Desktop honeypot system. Here is what they learned.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lessons-learned-from-the-win…
∗∗∗ A First Malicious OneNote Document, (Wed, Jan 25th) ∗∗∗
---------------------------------------------
Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1].
---------------------------------------------
https://isc.sans.edu/diary/rss/29470
∗∗∗ Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network ∗∗∗
---------------------------------------------
Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often related to redirecting legitimate website traffic to third party sites of their choosing - including tech support scams, adult dating, phishing, or drive-by-downloads. Since late December, our team has been tracking a new spike in WordPress website infections related to the following malicious domain: [...]
---------------------------------------------
https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-site…
∗∗∗ At the Edge of Tier Zero: The Curious Case of the RODC ∗∗∗
---------------------------------------------
The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set of resources that can control “enterprise identities”, known as Tier Zero, we have seen cases where there is a privilege escalation path from an RODC to domain dominance.
---------------------------------------------
https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-th…
∗∗∗ Vulnerability of Zyxel switches posed serious risk for business processes of many companies ∗∗∗
---------------------------------------------
The issue received a CVSSv3 score of 8.2, qualifying it as high severity
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/vulnerability-of-zyxel-switches…
∗∗∗ Attacking The Supply Chain: Developer ∗∗∗
---------------------------------------------
In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated developer environment (IDE), this proof considers the execution of malicious build scripts via injecting commands when the project or build is incorrectly “trusted”.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/attacking-the-supply-chain-d…
=====================
= Vulnerabilities =
=====================
∗∗∗ Xen Security Advisory CVE-2022-42330 / XSA-425 ∗∗∗
---------------------------------------------
Guests can cause Xenstore crash via soft reset
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-425.html
∗∗∗ Kritische Schadcode-Lücken in Logging-Tool VMware vRealize Log geschlossen ∗∗∗
---------------------------------------------
Netzwerk-Admins sollten ihre Systeme mit VMware vRealize Log auf den aktuellen Stand bringen, um Angreifer auszusperren.
---------------------------------------------
https://heise.de/-7470157
∗∗∗ Kritische Sicherheitslücke: Neuere Lexmark-Drucker ermöglichen Codeschmuggel ∗∗∗
---------------------------------------------
Lexmark warnt vor Sicherheitslücken in seinen Druckern. Neuere Modelle ermöglichten Angreifern, Schadcode einzuschleusen und auszuführen. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7470640
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind,
---------------------------------------------
https://lwn.net/Articles/921194/
∗∗∗ [R1] Tenable.sc 6.0.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-03
∗∗∗ IBM Security Verify Governance, Identity Manager virtual appliance component uses weaker than expected cryptography (CVE-2022-22462) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857339
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2022-40750) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857579
∗∗∗ IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. (CVE-2022-31772) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6833806
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libxml2, expat, libtasn1 and systemd ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857613
∗∗∗ Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857607
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 23-01-2023 18:00 − Dienstag 24-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers use Golang source code interpreter to evade detection ∗∗∗
---------------------------------------------
A Chinese-speaking hacking group tracked as DragonSpark was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-golang-source-co…
∗∗∗ Microsoft 365 to block downloaded Excel XLL add-ins to boost security ∗∗∗
---------------------------------------------
Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-down…
∗∗∗ Emotet Malware Makes a Comeback with New Evasion Techniques ∗∗∗
---------------------------------------------
The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID.
---------------------------------------------
https://thehackernews.com/2023/01/emotet-malware-makes-comeback-with-new.ht…
∗∗∗ Identitätsdiebstahl: Erste Hilfe bei Onlinebetrug unter Ihrem Namen ∗∗∗
---------------------------------------------
Kriminelle kaufen mit illegal erworbenen Login-Daten auf Ihre Rechnung ein oder posten Beschimpfungen in Ihrem Namen? Das sollten Sie jetzt tun.
---------------------------------------------
https://heise.de/-7452745
∗∗∗ A security audit of Git ∗∗∗
---------------------------------------------
The Open Source Technology Improvement Fund has announced the completion of a security audit of the Git source.
---------------------------------------------
https://lwn.net/Articles/921067/
∗∗∗ OSINT your OT suppliers ∗∗∗
---------------------------------------------
There is much talk about supply chain security and reviewing your suppliers for cyber security. But how much information do they intentionally and unintentionally leak about your organisation online?
---------------------------------------------
https://www.pentestpartners.com/security-blog/osint-your-ot-suppliers/
∗∗∗ Facebook: E-Bike-Gewinnspiele sind Fake ∗∗∗
---------------------------------------------
Mit „Danke“ kommentieren und E-Bike gewinnen: Dieses Gewinnspiel macht gerade auf Facebook die Runde. Angeblich haben die Fahrräder kleine Kratzer, die Motoren funktionieren aber einwandfrei. Vorsicht: Das Gewinnspiel ist Fake.
---------------------------------------------
https://www.watchlist-internet.at/news/facebook-e-bike-gewinnspiele-sind-fa…
∗∗∗ Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats ∗∗∗
---------------------------------------------
We observed a recent spate of supply chain attacks attempting to exploit CVE-2021-35394, affecting IoT devices with chipsets made by Realtek.
---------------------------------------------
https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/
∗∗∗ Vice Society Ransomware Group Targets Manufacturing Companies ∗∗∗
---------------------------------------------
In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-grou…
∗∗∗ A step-by-step introduction to the use of ROP gadgets to bypass DEP ∗∗∗
---------------------------------------------
DEP (Data Execution Prevention) is a memory protection feature that allows the system to mark memory pages as non-executable. ROP (Return-oriented programming) is an exploit technique that allows an attacker to execute shellcode with protections such as DEP enabled.
---------------------------------------------
https://cybergeeks.tech/a-step-by-step-introduction-to-the-use-of-rop-gadge…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sicherheitsupdate: Symantec Endpoint Protection als Sprungbrett für Angreifer ∗∗∗
---------------------------------------------
Aufgrund einer Schwachstelle könnten Angreifer Windows-PCs mit Sicherheitssoftware von Symantec attackieren.
---------------------------------------------
https://heise.de/-7468961
∗∗∗ iOS 16.3, iPadOS 16.3 und macOS 13.2: Welche Lücken Apple stopft ∗∗∗
---------------------------------------------
Erneut bekommen Macs, iPhones und iPads jede Menge Sicherheitsfixes. Zu den Details schweigt sich Apple teilweise mal wieder aus.
---------------------------------------------
https://heise.de/-7469023
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and spip), Fedora (kernel), Mageia (chromium-browser-stable, docker, firefox, jpegoptim, nautilus, net-snmp, phoronix-test-suite, php, php-smarty, samba, sdl2, sudo, tor, viewvc, vim, virtualbox, and x11-server), Red Hat (bash, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, pcs, postgresql-jdbc, [...]
---------------------------------------------
https://lwn.net/Articles/921024/
∗∗∗ Critical Vulnerabilities Patched in OpenText Enterprise Content Management System ∗∗∗
---------------------------------------------
Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-patched-opentext-ente…
∗∗∗ Pgpool-II vulnerable to information disclosure ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN72418815/
∗∗∗ pgAdmin 4 vulnerable to directory traversal ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN01398015/
∗∗∗ VMSA-2023-0001 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0001.html
∗∗∗ XINJE XD ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-024-01
∗∗∗ SOCOMEC MODULYS GP ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-024-02
∗∗∗ IBM WebSphere Application Server traditional container is vulnerable to information disclosure (CVE-2022-43917) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857007
∗∗∗ Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857039
∗∗∗ FileNet Content Manager GraphQL jackson-databind security vulnerabilities, affected but not vulnerable ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857047
∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6857295
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 20-01-2023 18:00 − Montag 23-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Anmeldung bei ManageEngine ServiceDesk Plus MSP mit beliebigem Passwort möglich ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für die Helpdesk-Software ManageEngine ServiceDesk Plus MSP von Zoho.
---------------------------------------------
https://heise.de/-7467650
∗∗∗ "Cyberkriminelle" verschaffen sich Zugang zu Sky-Kundenkonten ∗∗∗
---------------------------------------------
Der Pay-TV-Anbieter Sky bestätigt, dass sich bösartige Akteure Zugriff zu Kundenkonten verschafft haben. Details gibt es noch nicht, der Schaden ist unklar.
---------------------------------------------
https://heise.de/-7468078
∗∗∗ Vorsicht vor Betrug bei der Wohnungssuche im Ausland ∗∗∗
---------------------------------------------
Sie planen ein Auslandssemester oder suchen für einen befristeten Zeitraum eine Wohnung oder ein WG-Zimmer? Nehmen Sie sich vor günstigen Traumwohnungen in Acht! Dahinter könnte eine Betrugsmasche stecken. Finger weg, wenn Sie ohne Besichtigung eine Zahlung leisten müssen, die angeblich von TripAdvisor, Airbnb oder Booking.com verwaltet wird. Sie verlieren Ihr Geld und stehen ohne Wohnung da.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-der-wohnungssuche-fuer-…
∗∗∗ Massive ad-fraud op dismantled after hitting millions of iOS devices ∗∗∗
---------------------------------------------
A massive ad fraud operation dubbed Vastflux that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/massive-ad-fraud-op-dismantl…
∗∗∗ Whos Resolving This Domain?, (Mon, Jan 23rd) ∗∗∗
---------------------------------------------
Challenge of the day: To find the process that resolved a specific domain. And this is not always easy!
---------------------------------------------
https://isc.sans.edu/diary/rss/29462
∗∗∗ Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks ∗∗∗
---------------------------------------------
The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week.
---------------------------------------------
https://thehackernews.com/2023/01/threat-actors-turn-to-sliver-as-open.html
∗∗∗ ShareFinder: How Threat Actors Discover File Shares ∗∗∗
---------------------------------------------
Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all [...]
---------------------------------------------
https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover…
∗∗∗ Activation Context Cache Poisoning: Exploiting CSRSS for Privilege Escalation ∗∗∗
---------------------------------------------
Starting in July of 2022, the Windows CSRSS process entered the consciousness of the infosec community as the source of several local privilege escalation vulnerabilities in Microsoft Windows. The first public information appeared on July 12 with the release of the patch for CVE-2022-22047, which was being actively exploited. Shortly thereafter, Microsoft published an article providing some technical details [...]
---------------------------------------------
https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-ex…
∗∗∗ Inglourious Drivers - A Journey of Finding Vulnerabilities in Drivers ∗∗∗
---------------------------------------------
TL;DR I discovered multiple bugs in OEM vendors for peripheral devices, which affected many users of these OEM vendors (Razer, EVGA, MSI, AMI). Many of the vulnerabilities originated in a [...]
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/inglourious-drivers…
=====================
= Vulnerabilities =
=====================
∗∗∗ Unter Attacke: Sicherheitsleck in GTA V ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
Angreifer missbrauchen eine Sicherheitslücke im Spiel GTA V, um die Statistiken von Opfern zu verändern. Sie könnten jedoch Schadcode unterzuschieben.
---------------------------------------------
https://heise.de/-7467685
∗∗∗ Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347) ∗∗∗
---------------------------------------------
U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and [...]
---------------------------------------------
https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecke…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools).
---------------------------------------------
https://lwn.net/Articles/920829/
∗∗∗ A CVE-2022-21626 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856759
∗∗∗ Multiple vulnerability affect IBM Business Automation Workflow - CVE-2022-42003, CVE-2022-42004 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856761
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 19-01-2023 18:00 − Freitag 20-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Exploit released for critical ManageEngine RCE bug, patch now ∗∗∗
---------------------------------------------
Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-critica…
∗∗∗ Exploiting null-dereferences in the Linux kernel ∗∗∗
---------------------------------------------
While the null-dereference bug itself was fixed in October 2022, the more important fix was the introduction of an oops limit which causes the kernel to panic if too many oopses occur. While this patch is already upstream, it is important that distributed kernels also inherit this oops limit and backport it to LTS releases if we want to avoid treating such null-dereference bugs as full-fledged security issues in the future.
---------------------------------------------
https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences…
∗∗∗ Importance of signing in Windows environments, (Fri, Jan 20th) ∗∗∗
---------------------------------------------
NTLM relaying has been a plague in Windows environments for many years and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services.
---------------------------------------------
https://isc.sans.edu/diary/rss/29456
∗∗∗ Vulnerable WordPress Sites Compromised with Different Database Infections ∗∗∗
---------------------------------------------
Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels. We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals.
---------------------------------------------
https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with…
∗∗∗ New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability ∗∗∗
---------------------------------------------
Earlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server.
---------------------------------------------
https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.ht…
∗∗∗ Neue Love-Scam Masche: Wenn die Internetbekanntschaft Sie zum Online-Handel überredet ∗∗∗
---------------------------------------------
Betrügerische Internetbekanntschaften versuchen auf unterschiedlichsten Wegen an Ihr Geld zu kommen. Bei einer neuen Masche erschleichen sich die Kriminellen Ihr Vertrauen, um Sie später auf den Online-Marktplatz haremark.
---------------------------------------------
https://www.watchlist-internet.at/news/neue-love-scam-masche-wenn-die-inter…
∗∗∗ CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion ∗∗∗
---------------------------------------------
n this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Adobe ColdFusion.
---------------------------------------------
https://www.thezdi.com/blog/2023/1/18/cve-2022-35690-unauthenticated-rce-in…
∗∗∗ NCSC to retire Logging Made Easy ∗∗∗
---------------------------------------------
The NCSC is retiring Logging Made Easy (LME). After 31 March 2023, we will no longer support LME, and the GitHub page will close shortly after.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/ncsc-to-retire-logging-made-easy
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco: Hochriskantes Sicherheitsleck in Unified Communications Manager ∗∗∗
---------------------------------------------
In der Unified Communications Manager-Software von Cisco klafft eine Sicherheitslücke mit hohem Risiko. Der Hersteller stellt Updates zum Schließen bereit.
---------------------------------------------
https://heise.de/-7465203
∗∗∗ Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434) ∗∗∗
---------------------------------------------
The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications.
---------------------------------------------
https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulner…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield).
---------------------------------------------
https://lwn.net/Articles/920646/
∗∗∗ Vulnerability Spotlight: XSS vulnerability in Ghost CMS ∗∗∗
---------------------------------------------
The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-xss-vulnerabilit…
∗∗∗ Hitachi Energy PCU400 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-019-01
∗∗∗ ;">uniFLOW MOM Tech Support Potential Data Exposure Vulnerability – 20 January 2023 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ Vulnerability in minimatch affects IBM Process Mining . CVE-2022-3517 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856471
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856659
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856661
∗∗∗ Liberty is vulnerable to denial of service due to GraphQL Java affecting IBM TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856687
∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856719
∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856717
∗∗∗ IBM UrbanCode Release is affected by CVE-2022-34305 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856713
∗∗∗ IBM UrbanCode Release is affected by CVE-2022-45143 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856721
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 18-01-2023 18:00 − Donnerstag 19-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Illegal Solaris darknet market hijacked by competitor Kraken ∗∗∗
---------------------------------------------
Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named Kraken, who claims to have hacked it on January 13, 2022.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/illegal-solaris-darknet-mark…
∗∗∗ Microsoft investigates bug behind unresponsive Windows Start Menu ∗∗∗
---------------------------------------------
Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-bug-…
∗∗∗ PayPal accounts breached in large-scale credential stuffing attack ∗∗∗
---------------------------------------------
PayPal is sending out notices of a data breach to thousands of users who had their accounts accessed by credential stuffing actors, resulting in the compromise of some personal data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-…
∗∗∗ New Blank Image attack hides phishing scripts in SVG files ∗∗∗
---------------------------------------------
An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides…
∗∗∗ Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 ∗∗∗
---------------------------------------------
Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data.
---------------------------------------------
https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/1…
∗∗∗ SPF and DMARC use on 100k most popular domains, (Thu, Jan 19th) ∗∗∗
---------------------------------------------
Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world. The results werent too optimistic, it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published.
---------------------------------------------
https://isc.sans.edu/diary/rss/29452
∗∗∗ Android Users Beware: New Hook Malware with RAT Capabilities Emerges ∗∗∗
---------------------------------------------
The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session.
---------------------------------------------
https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html
∗∗∗ CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA ∗∗∗
---------------------------------------------
CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/01/circleci-malware-stole-githu…
∗∗∗ Pwned or Bot ∗∗∗
---------------------------------------------
Its fascinating to see how creative people can get with breached data. Of course theres all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone elses system.
---------------------------------------------
https://www.troyhunt.com/pwned-or-bot/
∗∗∗ LockBit ransomware – what you need to know ∗∗∗
---------------------------------------------
It is the worlds most active ransomware group - responsible for an estimated 40% of all ransomware infections worldwide. Find out what you need to know about LockBit in my article on the Tripwire State of Security blog.
---------------------------------------------
https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need…
∗∗∗ Windows 11 22H2: Systemwiederherstellung verursacht "This app can’t open"-Fehler ∗∗∗
---------------------------------------------
Ich höre zwar immer wieder "läuft ohne Probleme", aber für den Fall der Fälle, also falls Windows 11 22H2 mal Schluckauf haben sollte und den Fehler "Diese App kann nicht geöffnet werden" zeigt, da hätte ich was zur Ursache. Hochoffiziell von Microsoft als Fehler bestätigt.
---------------------------------------------
https://www.borncity.com/blog/2023/01/19/windows-11-22h2-systemwiederherste…
∗∗∗ Windows 10: "Schlagloch" Windows PE-Patch zum Fix der Bitlocker-Bypass-Schwachstelle CVE-2022-41099 ∗∗∗
---------------------------------------------
Nachtrag zum Januar 2023 Patchday für Windows. Es gibt in der Windows PE-Umgebung von Windows 10 eine Schwachstelle (CVE-2022-41099), die eine Umgehung der Bitlocker-Verschlüsselung umgeht. Zum Fixen muss die Windows PE-Umgebung der Clients manuell aktualisiert werden.
---------------------------------------------
https://www.borncity.com/blog/2023/01/19/windows-10-schlagloch-windows-pe-p…
∗∗∗ Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest ∗∗∗
---------------------------------------------
In this blog, we’ll tackle encrypting AWS in transit and at rest.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/improve-your-aws-se…
∗∗∗ Following the LNK metadata trail ∗∗∗
---------------------------------------------
While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads.
---------------------------------------------
https://blog.talosintelligence.com/following-the-lnk-metadata-trail/
∗∗∗ Darth Vidar: The Dark Side of Evolving Threat Infrastructure ∗∗∗
---------------------------------------------
Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer), however differences in both the sample’s code and C2 communications were observed.
---------------------------------------------
https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threa…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo).
---------------------------------------------
https://lwn.net/Articles/920478/
∗∗∗ Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM ∗∗∗
---------------------------------------------
Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).
---------------------------------------------
https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vuln…
∗∗∗ CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services ∗∗∗
---------------------------------------------
A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered.
---------------------------------------------
https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execu…
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-001
∗∗∗ [R1] Nessus Version 8.15.8 Fixes One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-02
∗∗∗ Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856209
∗∗∗ IBM Security Guardium is affected by a gson-1.7.1.jar vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856221
∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-25647) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856221
∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2022-48195, CVE-2022-29577, CVE-2022-28367, CVE-2015-6420) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856401
∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856409
∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39011) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856403
∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39089) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856405
∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39090) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856407
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-28167) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856439
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-28167) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856443
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 17-01-2023 18:00 − Mittwoch 18-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ RC4 Is Still Considered Harmful ∗∗∗
---------------------------------------------
Ive been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue number 2310 with the handling of RC4 encryption that allowed you to authenticate as another user if you could either interpose on the Kerberos network traffic to and from the KDC or directly if the user was configured to disable typical pre-authentication requirements. This blog post goes into more detail [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harm…
∗∗∗ Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware, (Wed, Jan 18th) ∗∗∗
---------------------------------------------
https://isc.sans.edu/diary/rss/29448
∗∗∗ Is WordPress Secure? ∗∗∗
---------------------------------------------
According to W3Techs, 43.2% of all websites on the internet use WordPress. And of all websites that use a CMS (Content Management System) more than half (64%) leverage WordPress to power their blog or website. Unfortunately, since WordPress has such a large market share it has also become a prime target for attackers. You might be wondering whether WordPress is safe to use. And the short answer is yes - WordPress core is safe to use, but only if you maintain it to the latest version and [...]
---------------------------------------------
https://blog.sucuri.net/2023/01/is-wordpress-secure.html
∗∗∗ CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9)
---------------------------------------------
https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html
∗∗∗ Jetzt patchen! Tausende Firewalls von Sophos angreifbar ∗∗∗
---------------------------------------------
Sicherheitsforscher haben das Internet auf verwundbare Sophos-Firewalls gescannt und sind fündig geworden. Sicherheitspatches gibt es seit Dezember 2022.
---------------------------------------------
https://heise.de/-7462565
∗∗∗ MSI-Motherboards sollen trotz aktivem Secure Boot manipulierte Systeme starten ∗∗∗
---------------------------------------------
Ein Sicherheitsforscher hat herausgefunden, dass der Schutzmechanismus Secure Boot auf MSI-Motherboards standardmäßig aktiv ist, aber trotzdem alles durchwinkt.
---------------------------------------------
https://heise.de/-7462913
∗∗∗ Hochriskante Sicherheitslücken in Qt "nur ein Bug" ∗∗∗
---------------------------------------------
IT-Sicherheitsforscher von Cisco Thalos haben hochriskante Sicherheitslücken in Qt-QML gefunden. Qt sieht App-Entwickler am Zuge und stuft sie nur als Bug ein.
---------------------------------------------
https://heise.de/-7462956
∗∗∗ Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability ∗∗∗
---------------------------------------------
Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns.
---------------------------------------------
https://www.securityweek.com/vendors-actively-bypass-security-patch-year-ol…
∗∗∗ The Defender’s Guide to Windows Services ∗∗∗
---------------------------------------------
This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them.
---------------------------------------------
https://posts.specterops.io/the-defenders-guide-to-windows-services-67c1711…
∗∗∗ Silo, or not silo, that is the question ∗∗∗
---------------------------------------------
As we (security folks) were working on the hardening of WSUS update servers, we had to answer an interesting question dealing with how to best isolate a sensitive server like WSUS on on-premises Active Directory. The question was: should I put my WSUS server into my T0 silo?
---------------------------------------------
https://medium.com/tenable-techblog/silo-or-not-silo-that-is-the-question-d…
∗∗∗ Elastic IP Transfer: Identifying and Mitigating Risks from a New Attack-Vector on AWS ∗∗∗
---------------------------------------------
Elastic IPs (EIPs) are public and static IPv4 addresses provided by AWS. EIPs can be viewed as a pool of IPv4 addresses, accessible from the internet, that can be used in numerous ways. Once an EIP is allocated to an AWS account, it can be associated with a single compute instance or an elastic network [...]
---------------------------------------------
https://orca.security/resources/blog/elastic-ip-transfer-attack-vector-on-a…
∗∗∗ An in-depth HTTP Strict Transport Security Tutorial ∗∗∗
---------------------------------------------
HSTS is an Internet standard and policy that tells the browser to only interact with a website using a secure HTTPS connection. Check out this article to learn how to leverage the security of your website and customers’ data and the security benefits you’ll gain from doing so.
---------------------------------------------
https://www.trendmicro.com/en_us/devops/23/a/http-strict-transport-security…
∗∗∗ Kriminelle versprechen Geld für Haarspenden auf Job-Börsen, aber zahlen nicht! ∗∗∗
---------------------------------------------
Wenn Sie auf Facebook in diversen Job-Börsen nach einer Beschäftigung suchen, stoßen Sie womöglich auf ein verlockendes Angebot für Ihre Haare. Um für Krebskranke Perücken anzufertigen, ist man bereit, Ihnen bis zu 2000 Euro für Ihre Haare zu bezahlen. Achtung: Wenn Sie hier Kontakt aufnehmen, gibt man Ihnen genaue Anweisungen zum Abschneiden Ihrer Haare und verspricht eine Bezahlung bei Abholung. Doch dann sind Ihre Haare ab, Sie werden blockiert und [...]
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-versprechen-geld-fuer-haa…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday: Sicherheitslücken in über 100 Oracle-Produkten ∗∗∗
---------------------------------------------
Das erste Oracle Critical Patch Update des Jahres 2023 liefert Beschreibungen und Updates für Sicherheitslücken in mehr als 100 Produkten des Unternehmens.
---------------------------------------------
https://heise.de/-7462438
∗∗∗ Versionsverwaltung: Git schließt zwei kritische Lücken in Version 2.39 ∗∗∗
---------------------------------------------
Sicherheitsforscher haben Lücken in Git entdeckt, durch die beliebiger Code ausgeführt werden konnte. Patches stehen bereit, Nutzer sollten umgehend updaten.
---------------------------------------------
https://heise.de/-7462680
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3).
---------------------------------------------
https://lwn.net/Articles/920318/
∗∗∗ Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers ∗∗∗
---------------------------------------------
Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).Two security defects were identified in TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 SOHO (small office/home office) routers, allowing attackers to execute code, crash devices, or guess login credentials.
---------------------------------------------
https://www.securityweek.com/remote-code-execution-vulnerabilities-found-tp…
∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6850801
∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp…
∗∗∗ Security Advisory - Misinterpretation of Input in a Huawei Printer Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moiiahpp-…
∗∗∗ Security Advisory - Data Processing Error Vulnerability in a Huawei Band ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-dpeviahb-…
∗∗∗ Security Advisory - Buffer Overflow Vulnerability in a Huawei Printer Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-boviahpp-…
∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp…
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-5…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-01-2023 18:00 − Dienstag 17-01-2023 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th) ∗∗∗
---------------------------------------------
I had a call recently from a client, they were looking for which Group Policy in their AD had a specific setting in it.
---------------------------------------------
https://isc.sans.edu/diary/rss/29442
∗∗∗ The misadventures of an SPF record ∗∗∗
---------------------------------------------
I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT, University, University of Miami, along with 1000+ other domains had mistakenly used the “+all” SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf.
---------------------------------------------
https://caniphish.com/phishing-resources/blog/scanning-spf-records
∗∗∗ Windows: Verschwundene Start-Menüs und Taskbars sorgen für Verwirrung ∗∗∗
---------------------------------------------
Update 16.01.2023 07:44 Uhr: Microsoft hat inzwischen einen Support-Artikel in der Techcommunity herausgegeben, der PowerShell-Skripte und Anleitungen zur automatischen Ausführung für IT-Verantwortliche enthält, die zumindest einen Teil von gelöschten Verknüpfungen wiederherstellen können sollen.
---------------------------------------------
https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-s…
∗∗∗ Beware of DDosia, a botnet created to facilitate DDoS attacks ∗∗∗
---------------------------------------------
The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky.
---------------------------------------------
https://blog.avast.com/ddosia-project
∗∗∗ The prevalence of RCE exploits and what you should know about RCEs ∗∗∗
---------------------------------------------
Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem.
---------------------------------------------
https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what…
∗∗∗ Attackers Can Abuse GitHub Codespaces for Malware Delivery ∗∗∗
---------------------------------------------
A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.
---------------------------------------------
https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-…
∗∗∗ Gefälschtes Post-SMS im Umlauf ∗∗∗
---------------------------------------------
Kriminelle versenden per SMS gefälschte Paket-Benachrichtigungen. Darin steht, dass Ihr Paket im Sortierzentrum angekommen ist und Sie noch Importkosten zahlen müssen. Klicken Sie nicht auf den Link. Sie werden auf eine gefälschte Post-Seite geführt, wo Kriminelle Ihre Daten stehlen.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/
∗∗∗ Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks ∗∗∗
---------------------------------------------
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-leg…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft resolves four SSRF vulnerabilities in Azure cloud services ∗∗∗
---------------------------------------------
Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security.
---------------------------------------------
https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vul…
∗∗∗ Attacken auf kritische Lücke in ManageEngine-Produkte von Zoho bald möglich ∗∗∗
---------------------------------------------
Angreifer könnten ManageEngine-Produkte wie Access Manager Plus und Password Manager Pro mit Schadcode attackieren.
---------------------------------------------
https://heise.de/-7461118
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).
---------------------------------------------
https://lwn.net/Articles/920217/
∗∗∗ Schwere Sicherheitslücke in InRouter-Firmware von InHand Networks bedroht Roboter, Stromzähler, med. Geräte etc. ∗∗∗
---------------------------------------------
Sicherheitsforscher sind auf eine schwere Sicherheitslücke Schwachstelle CVE-2023-22598 in der InRouter-Firmware des Herstellers InHand Networks GmbH gestoßen.
---------------------------------------------
https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-…
∗∗∗ LDAP-Schwachstellen: Domain Controller mit Januar 2023-Updates patchen ∗∗∗
---------------------------------------------
Noch ein kleiner Nachtrag zum Januar 2023-Patchday (10. Januar 2023). Administratoren sollten sich darum kümmern, dass ihre als Domain Controller fungierenden Windows Server auf dem aktuellen Patchstand sind. Denn mit den Januar 2023-Updates wurden zwei gravierende Schwachstellen im Lightweight Directory Access Protocol (LDAP) geschlossen.
---------------------------------------------
https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-control…
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/
∗∗∗ Security Vulnerabilities fixed in Firefox 109 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/
∗∗∗ A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855731
∗∗∗ There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855777
∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855831
∗∗∗ AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855827
∗∗∗ IBM Robotic Process Automation is vulnerable to Cross-Site Scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855835
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 13-01-2023 18:00 − Montag 16-01-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Jetzt patchen! Viele Cacti-Server öffentlich erreichbar und verwundbar ∗∗∗
---------------------------------------------
Sicherheitsforscher stoßen auf tausende über das Internet erreichbare Server mit dem IT-Monitoring-Tool Cacti. Zahlreiche Instanzen wurden noch nicht gepatcht.
---------------------------------------------
https://heise.de/-7459904
∗∗∗ CircleCI-Hack: 2FA-Zugangsdaten von Mitarbeiter ergaunert ∗∗∗
---------------------------------------------
Die Betreiber der Cloud-basierten Continuous-Integration-Plattform CircleCI haben ihren Bericht über den Sicherheitsvorfall veröffentlicht.
---------------------------------------------
https://heise.de/-7460123
∗∗∗ Gefälschte Job-Angebote im Namen der Wirtschafskammer auf Facebook ∗∗∗
---------------------------------------------
Auf Facebook kursieren gefälschte Jobangebote im Namen der Wirtschaftskammer Österreich. Die Anzeigen versprechen Gehälter zwischen 50 und 200 Euro pro Stunde. Die Wirtschaftskammern selbst warnen bereits auf Facebook vor den gefälschten Stellenangeboten. Bewerben Sie sich nicht und klicken Sie nicht auf den Link!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-job-angebote-im-namen-de…
∗∗∗ Avast releases free BianLian ransomware decryptor ∗∗∗
---------------------------------------------
Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian…
∗∗∗ Malicious ‘Lolip0p’ PyPi packages install info-stealing malware ∗∗∗
---------------------------------------------
A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packa…
∗∗∗ PSA: Why you must run an ad blocker when using Google, (Mon, Jan 16th) ∗∗∗
---------------------------------------------
Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time.
---------------------------------------------
https://isc.sans.edu/diary/rss/29438
∗∗∗ Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware ∗∗∗
---------------------------------------------
Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022.
---------------------------------------------
https://thehackernews.com/2023/01/beware-tainted-vpns-being-used-to.html
∗∗∗ Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software ∗∗∗
---------------------------------------------
A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020.
---------------------------------------------
https://thehackernews.com/2023/01/raccoon-and-vidar-stealers-spreading.html
∗∗∗ Hacked! My Twitter user data is out on the dark web -- now what? ∗∗∗
---------------------------------------------
Your Twitter user data may now be out there too, including your phone number. Heres how to check and what you can do about it.
---------------------------------------------
https://www.zdnet.com/article/hacked-my-twitter-user-data-is-out-on-the-dar…
∗∗∗ Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML ∗∗∗
---------------------------------------------
Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML. Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all [...]
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buff…
=====================
= Vulnerabilities =
=====================
∗∗∗ PoC exploits released for critical bugs in popular WordPress plugins ∗∗∗
---------------------------------------------
Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-cr…
∗∗∗ Webbrowser: Microsoft Edge-Update schließt hochriskante Lücken ∗∗∗
---------------------------------------------
Microsoft hat in einem Update des Webbrowsers Edge Sicherheitslücken aus dem Chromium-Projekt abgedichtet. Sie schließt auch weitere hochriskante Lücken.
---------------------------------------------
https://heise.de/-7459742
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp).
---------------------------------------------
https://lwn.net/Articles/920120/
∗∗∗ Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) ∗∗∗
---------------------------------------------
Im April 2021 hatten Sicherheitsforscher eine Privilege Escalation Schwachstelle im Windows RPC-Protokoll entdeckt, der eine lokale Privilegienerweiterung durch NTLM-Relay-Angriffe ermöglichte. Nun scheint ein Sicherheitsforscher auf eine nicht so bekannte Möglichkeit zur Durchführung von NTLM Reflection-Angriffen gestoßen zu sein, die er [...]
---------------------------------------------
https://www.borncity.com/blog/2023/01/15/nach-remotepotato0-kommt-die-windo…
∗∗∗ IBM Security Bulletins 2023-01-16 ∗∗∗
---------------------------------------------
IBM App Connect Enterprise, IBM® Engineering Lifecycle Engineering products, IBM Integration Bus, IBM Maximo Asset Management, IBM MQ Internet Pass-Thru, IBM QRadar SIEM, IBM Sterling Partner Engagement Manager, IBM Tivoli Application Dependency Discovery Manager (TADDM), IBM Tivoli Netcool Configuration Manager, IBM Tivoli Network Manager (ITNM), IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM), Rational Functional Tester
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ HIMA: unquoted path vulnerabilities in X-OPC and X-OTS ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-059/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-01-2023 18:00 − Freitag 13-01-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Fortinet says hackers exploited critical vulnerability to infect VPN customers ∗∗∗
---------------------------------------------
Remote code-execution bug was exploited to backdoor vulnerable servers.
---------------------------------------------
https://arstechnica.com/?p=1909594
∗∗∗ NortonLifeLock warns that hackers breached Password Manager accounts ∗∗∗
---------------------------------------------
Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-ha…
∗∗∗ Malware: Android-TV-Box mit vorinstallierter Schadsoftware gekauft ∗∗∗
---------------------------------------------
Auf Amazon hat ein Sicherheitsforscher eine Android-TV-Box gekauft - und entdeckte eine tief ins System integrierte Schadsoftware.
---------------------------------------------
https://www.golem.de/news/malware-android-tv-box-mit-vorinstallierter-schad…
∗∗∗ Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar ∗∗∗
---------------------------------------------
Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar.
---------------------------------------------
https://thehackernews.com/2023/01/cybercriminals-using-polyglot-files-in.ht…
∗∗∗ Keeping the wolves out of wolfSSL ∗∗∗
---------------------------------------------
Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS).
---------------------------------------------
https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-f…
∗∗∗ Bad things come in large packages: .pkg signature verification bypass on macOS ∗∗∗
---------------------------------------------
Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root. [..] This was fixed by Apple with a 2 character fix: changing uint32_t to uint64_t in macOS 13.1.
---------------------------------------------
https://sector7.computest.nl/post/2023-01-xar/
∗∗∗ Crassus Windows privilege escalation discovery tool ∗∗∗
---------------------------------------------
Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal.
---------------------------------------------
https://github.com/vullabs/Crassus
∗∗∗ Cyber-Attacken auf kritische Lücke in Control Web Panel ∗∗∗
---------------------------------------------
Cyberkriminelle greifen eine kritische Sicherheitslücke in CWP (Control Web Panel, ehemals CentOS Web Panel) an. Sie kompromittieren die verwundbaren Systeme.
---------------------------------------------
https://heise.de/-7458440
∗∗∗ Red Hat ergänzt Malware-Erkennungsdienst für RHEL ∗∗∗
---------------------------------------------
Im Rahmen von Red Hat Insights ergänzt das Unternehmen nun einen Malware-Erkennungsdienst. Der ist für RHEL 8 und 9 verfügbar.
---------------------------------------------
https://heise.de/-7458189
∗∗∗ Most Cacti Installations Unpatched Against Exploited Vulnerability ∗∗∗
---------------------------------------------
Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks.
---------------------------------------------
https://www.securityweek.com/most-cacti-installations-unpatched-against-exp…
∗∗∗ Bestellen Sie nicht auf Cardione.at! ∗∗∗
---------------------------------------------
Cardione ist ein Nahrungsergänzungsmittel, das angeblich bei Bluthochdruck helfen soll. Cardione.at wirbt mit gefälschten Empfehlungen eines Arztes, es gibt keine Impressums- oder sonstige Unternehmensdaten. Wir raten: Bestellen Sie keine Cardione Tabletten!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-bestellung-auf-cardione…
∗∗∗ Fake-Shop alvensleben.net imitiert Sofortüberweisung und fragt TANs ab! ∗∗∗
---------------------------------------------
Nehmen Sie sich vor Fake-Shops wie alvensleben.net in Acht. Der Shop hat insbesondere Kinderspielzeug, Brettspiele und Sportgeräte im Sortiment, bietet aber auch Gartenmöbel und Klettergerüste sowie Bettwäsche an. Bezahlt werden soll per Sofortüberweisung. Achtung: Die Daten werden nicht an den Zahlungsdienstleister weitergeleitet, sondern von den Kriminellen abgegriffen. Später werden Sie zur Übermittlung von TAN-Codes überredet und dadurch um Ihr Geld gebracht!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-alvenslebennet-imitiert-so…
∗∗∗ Microsoft ASR/Defender Update kann Desktop-/Startmenü-Verknüpfungen löschen ∗∗∗
---------------------------------------------
Wie aktuell in mehreren Medien berichtet wird, scheint das letzte Update von MS ASR/Defender Auswirkungen auf Desktop-/Startmenüverknüpfungen zu haben, und kann unter anderem dazu führen dass O365 Applikationen nicht mehr gestartet werden können. Gängiger Workaround scheint momentan zu sein, die entsprechenden Regeln auf "Audit" zu setzen. Microsoft hat die Regel wieder entfernt, es kann aber noch dauern, bis das global wirksam wird. Inzwischen wird empfohlen, im Admin Center auf SI MO497128 zu schauen.
---------------------------------------------
https://cert.at/de/aktuelles/2023/1/microsoft-asrdefender-update-kann-deskt…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi,, linux, linux-aws, linux-aws-hwe, linux-azure, [...]
---------------------------------------------
https://lwn.net/Articles/919907/
∗∗∗ IBM Security Bulletins 2023-01-13 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Data, IBM Cloud Pak for Security, IBM Security Verify Access Appliance, IBM Watson Speech Services, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1), ICP Speech to Text and Text to Speech
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Releases Twelve Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/cisa-releases-twe…
∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/juniper-networks-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 11-01-2023 18:00 − Donnerstag 12-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Konten leergeräumt: Neue Phishing-Welle mit Apple Pay ∗∗∗
---------------------------------------------
Mit einem ausgeklügelten Trick versuchen Kriminelle an Kreditkartendaten zu kommen. Wer Grundlegendes beachtet, ist allerdings ausreichend geschützt.
---------------------------------------------
https://futurezone.at/digital-life/apple-pay-phishing-welle-mail-kreditkart…
∗∗∗ Hack: Sicherheitslücke in SugarCRM-Servern wird aktiv ausgenutzt ∗∗∗
---------------------------------------------
Etliche SugarCRM-Server in den USA und Deutschland wurden schon gehackt. Ein Hotfix wurde bereits veröffentlicht.
---------------------------------------------
https://www.golem.de/news/hack-sicherheitsluecke-in-sugarcrm-servern-wird-a…
∗∗∗ Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability ∗∗∗
---------------------------------------------
Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers.
---------------------------------------------
https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html
∗∗∗ New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors ∗∗∗
---------------------------------------------
A new analysis of Raspberry Robins attack infrastructure has revealed that its possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.
---------------------------------------------
https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html
∗∗∗ IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours ∗∗∗
---------------------------------------------
A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.
---------------------------------------------
https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html
∗∗∗ Prowler v3: AWS & Azure security assessments ∗∗∗
---------------------------------------------
Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. Prowler v3 is now multi-cloud with Azure added as the second supported cloud provider.
---------------------------------------------
https://isc.sans.edu/diary/rss/29430
∗∗∗ Exfiltration Over a Blocked Port on a Next-Gen Firewall ∗∗∗
---------------------------------------------
[..] all successfully exfiltrated data packets were in small formats [..], smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size. When asked about this finding, the NG-FW vendor acknowledged that "to determine which application is being used, and whether the session aligned with the protocol’s standard, the NG-FW must allow at least one packet to pass."
---------------------------------------------
https://cymulate.com/blog/data-exfiltration-firewall/
∗∗∗ Kritische Sicherheitslücke bedroht End-of-Life-Router von Cisco ∗∗∗
---------------------------------------------
Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für etwa verschiedene Router, IP-Telefone und Webex veröffentlicht.
---------------------------------------------
https://heise.de/-7456480
∗∗∗ AI-generated phishing attacks are becoming more convincing ∗∗∗
---------------------------------------------
Its time for you and your colleagues to become more skeptical about what you read. Thats a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harrass, and spread fake news. Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed.
---------------------------------------------
https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-ar…
∗∗∗ Threema Under Fire After Downplaying Security Research ∗∗∗
---------------------------------------------
The developers of the open source secure messaging app Threema have come under fire over their public response to a security analysis conducted by researchers at the Swiss university ETH Zurich.
---------------------------------------------
https://www.securityweek.com/threema-under-fire-after-downplaying-security-…
∗∗∗ SCCM Site Takeover via Automatic Client Push Installation ∗∗∗
---------------------------------------------
tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation.
---------------------------------------------
https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-in…
∗∗∗ Gefährliche Fehlkonfigurationen von Active Directory-Dienstkonten ∗∗∗
---------------------------------------------
Das Identifizieren von Schwachstellen in der AD-Konfiguration kann sich als Albtraum erweisen, warnt Gastautor Guido Grillenmeier von Semperis.
---------------------------------------------
https://www.zdnet.de/88406475/gefaehrliche-fehlkonfigurationen-von-active-d…
∗∗∗ Microsoft Exchange Januar 2023 Patchday-Nachlese: Dienste starten nicht etc. ∗∗∗
---------------------------------------------
Zum 10. Januar 2023 (Patchday) hat Microsoft Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software, haben aber bekannte Fehler und verursachen neue neue Probleme bei der Installation. Hier ein kurzer Überblick über den Sachstand.
---------------------------------------------
https://www.borncity.com/blog/2023/01/12/microsoft-exchange-januar-2023-pat…
∗∗∗ What is Red Teaming & How it Benefits Orgs ∗∗∗
---------------------------------------------
Running real-world attack simulations can help improve organizations cybersecurity resilience
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/what-is-red-teaming.html
∗∗∗ Shodan Verified Vulns 2023-01-01 ∗∗∗
---------------------------------------------
Mit Stand 2023-01-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/1/shodan-verified-vulns-2023-01-01
=====================
= Vulnerabilities =
=====================
∗∗∗ Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 ∗∗∗
---------------------------------------------
Description: This module enables users to create private vocabularies. The module doesnt enforce permissions appropriately for the taxonomy overview page and overview form.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-001
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, [...]
---------------------------------------------
https://lwn.net/Articles/919785/
∗∗∗ TP-Link SG105PE vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN78481846/
∗∗∗ WAGO: Unauthenticated Configuration Export in web-based management in multiple devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-054/
∗∗∗ Visual Studio Code Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21779
∗∗∗ Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854685
∗∗∗ Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854713
∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854647
∗∗∗ Vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Servers used by IBM Master Data Management (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854595
∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering products using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851835
∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854915
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-41041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854927
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to arbitrary code execution due to [CVE-2022-25893] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854929
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-41041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854931
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 10-01-2023 18:00 − Mittwoch 11-01-2023 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Lorenz ransomware gang plants backdoors to use months later ∗∗∗
---------------------------------------------
Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plant…
∗∗∗ Bad Paths & The Importance of Using Valid URL Characters ∗∗∗
---------------------------------------------
To ensure that your web files and pages are accessible to a wide range of users with various different devices and operating systems, it’s important to use valid URL characters. Unsafe characters are known to cause compatibility issues with various browser clients, web servers, and even lead to incompatibility issues with web application firewalls.
---------------------------------------------
https://blog.sucuri.net/2023/01/bad-paths-the-importance-of-using-valid-url…
∗∗∗ Gefälschte Telegram-App spioniert unter Android ∗∗∗
---------------------------------------------
IT-Forscher von Eset haben eine gefälschte Telegram-App aufgespürt, die ihre Opfer umfassend ausspioniert. Sie wird jedoch außerhalb von Google Play verteilt.
---------------------------------------------
https://heise.de/-7455996
∗∗∗ Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products ∗∗∗
---------------------------------------------
A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.
---------------------------------------------
https://www.securityweek.com/cybercrime-group-exploiting-old-windows-driver…
∗∗∗ SMB “Access is denied” caused by anti-NTLM relay protection ∗∗∗
---------------------------------------------
We investigated a situation where an SMB client could not connect to an SMB server. The SMB server returned an “Access Denied” during the NTLM authentication, even though the credentials were correct and there were no restrictions on both the server-side share and client-side (notably UNC Hardened Access).
---------------------------------------------
https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntl…
∗∗∗ Dark Pink ∗∗∗
---------------------------------------------
New APT hitting Asia-Pacific, Europe that goes deeper and darker
---------------------------------------------
https://blog.group-ib.com/dark-pink-apt
=====================
= Vulnerabilities =
=====================
∗∗∗ Webbrowser: 17 Sicherheitslücken in Google Chrome gestopft ∗∗∗
---------------------------------------------
Das erste Update des Jahres hievt den Webbrowser Chrome auf Stand 109. Die Entwickler schließen darin 17 Schwachstellen, von denen einige hochriskant sind.
---------------------------------------------
https://heise.de/-7455130
∗∗∗ Patchday: Schadcode-Attacken auf Adobe InCopy und InDesign möglich ∗∗∗
---------------------------------------------
Die Entwickler von Adobe haben in mehreren Anwendungen gefährliche Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-7455222
∗∗∗ Patchday: Angreifer verschaffen sich unter Windows System-Rechte ∗∗∗
---------------------------------------------
Microsoft hat wichtige Sicherheitsupdates für unter anderem Exchange Server, Office und Windows veröffentlicht.
---------------------------------------------
https://heise.de/-7455122
∗∗∗ Exploit-Code gesichtet: Attacken auf IT-Monitoring-Tool Cacti möglich ∗∗∗
---------------------------------------------
Angreifer könnten an einer kritischen Sicherheitslücke in Cacti ansetzen und Schadcode auf Servern ausführen.
---------------------------------------------
https://heise.de/-7455833
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, and linux-oem-5.17, linux-oem-6.0).
---------------------------------------------
https://lwn.net/Articles/919649/
∗∗∗ Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs ∗∗∗
---------------------------------------------
Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs).
---------------------------------------------
https://www.securityweek.com/unpatchable-hardware-vulnerability-allows-hack…
∗∗∗ Exchange Server Sicherheitsupdates (10. Januar 2023), dringend patchen ∗∗∗
---------------------------------------------
Microsoft hat zum 10. Januar 2023 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software.
---------------------------------------------
https://www.borncity.com/blog/2023/01/11/exchange-server-sicherheitsupdates…
∗∗∗ AMD Client Vulnerabilities - January 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500539-AMD-CLIENT-VULNERABILIT…
∗∗∗ AMD Server Vulnerabilities - January 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500538-AMD-SERVER-VULNERABILIT…
∗∗∗ Multiple Vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Cloud due to the October 2022 CPU plus CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854413
∗∗∗ Vulnerability in IBM WebSphere Liberty Profile affects IBM InfoSphere Identity Insight (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854451
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854571
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to OpenSSL as a part of Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854575
∗∗∗ IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854577
∗∗∗ The IBM Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for Log4j vulnerabilities CVE-2021-4104 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6825215
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 09-01-2023 18:00 − Dienstag 10-01-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Interview: Sönke Huster über Lücken im WLAN-Stack des Linux-Kernels ∗∗∗
---------------------------------------------
Sönke Huster hat Sicherheitslücken im WLAN-Stack des Linux-Kernels gefunden, die einen Angriff theoretisch ermöglichen, nur weil das WLAN eingeschaltet ist.
---------------------------------------------
https://heise.de/-7447684
∗∗∗ Meeting-Client Zoom unter Android, macOS und Windows angreifbar ∗∗∗
---------------------------------------------
Nach erfolgreichen Attacken auf Zoom Rooms könnten sich Angreifer etwa unter macOS Root-Rechte verschaffen. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-7453606
∗∗∗ Sourcecode-Editor Visual Studio Code: Fake Extensions lassen sich leicht tarnen ∗∗∗
---------------------------------------------
Sicherheitsforscher haben eine als Prettier getarnte Erweiterung im Marktplatz veröffentlicht, die es auf gut 1000 Downloads innerhalb von 48 Stunden brachte.
---------------------------------------------
https://heise.de/-7453534
∗∗∗ Patchday: SAP behandelt vier kritische Schwachstellen ∗∗∗
---------------------------------------------
SAP liefert Updates zum Beheben von teils kritischen Sicherheitslücken in den Produkten des Herstellers. IT-Verantwortliche sollten sie rasch installieren.
---------------------------------------------
https://heise.de/-7454402
∗∗∗ Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges ∗∗∗
---------------------------------------------
On Oct 21, 2022, 360Netlabs honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention.
---------------------------------------------
https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/
∗∗∗ New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th) ∗∗∗
---------------------------------------------
I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a files called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper.
---------------------------------------------
https://isc.sans.edu/diary/rss/29416
∗∗∗ ChatGPT-Written Malware ∗∗∗
---------------------------------------------
I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.…within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html
∗∗∗ Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL ∗∗∗
---------------------------------------------
The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week.
---------------------------------------------
https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html
∗∗∗ The Dark Side of Gmail ∗∗∗
---------------------------------------------
Behind one of Gmail’s lesser-known features lies a potential threat to websites and platforms managers.
---------------------------------------------
https://osintmatter.com/the-dark-side-of-gmail/
∗∗∗ Crypto-inspired Magecart skimmer surfaces via digital crime haven ∗∗∗
---------------------------------------------
One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspir…
∗∗∗ Malware-based attacks on ATMs - A summary ∗∗∗
---------------------------------------------
Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics.
---------------------------------------------
https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/
=====================
= Vulnerabilities =
=====================
∗∗∗ Securepoint UTM: Hotfix schließt kritische Sicherheitslücke ∗∗∗
---------------------------------------------
In den Securepoint UTM klafft eine kritische Sicherheitslücke. Das Unternehmen hat einen Hotfix bereitgestellt, der die Schwachstelle abdichtet.
---------------------------------------------
https://heise.de/-7453560
∗∗∗ UEFI-Sicherheitslücken bedrohen ARM-Geräte wie Microsoft Surface ∗∗∗
---------------------------------------------
Supply-Chain-Attacken möglich: Angreifer könnten auf Lenovo ThinkPads und Microsoft Surface den Schutzmechanismus Secure Boot umgehen.
---------------------------------------------
https://heise.de/-7454141
∗∗∗ Eleven Vulnerabilities Patched in Royal Elementor Addons ∗∗∗
---------------------------------------------
On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.
---------------------------------------------
https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-ro…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/919543/
∗∗∗ 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider ∗∗∗
---------------------------------------------
The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advi…
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-010-01 Black Box KVM ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A)
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two…
∗∗∗ Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered ∗∗∗
---------------------------------------------
Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-acce…
∗∗∗ IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗
---------------------------------------------
CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Siemens Security Advisories (7 new, 15 updated) ∗∗∗
---------------------------------------------
SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1
SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge
SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products
SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products
SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products
SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices
SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products
SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products
SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client
SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module
SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices
SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products
SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers
SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager
SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices
SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack
SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families
SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products
SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices
SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1
SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module
SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#Sec…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 05-01-2023 18:00 − Montag 09-01-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Security: Kunden-Secrets von CircleCI wohl komplett kompromittiert ∗∗∗
---------------------------------------------
CircleCI warnt Kunden dringend, sämtliche Secrets zu tauschen. Builds und Netzwerke könnten über zwei Wochen lang kompromittiert worden sein.
---------------------------------------------
https://www.golem.de/news/security-kunden-secrets-von-circleci-wohl-komplet…
∗∗∗ Verschlüsselung: RSA zerstört? Experten zweifeln ∗∗∗
---------------------------------------------
Ein neuer Algorithmus knackt die Verschlüsselung RSA angeblich schneller als jemals zuvor - diesmal mit einem Quantencomputer. Experten zweifeln daran.
---------------------------------------------
https://heise.de/-7449806
∗∗∗ Rust: bis zu 2500 Projekte durch Bibliothek Hyper für DoS verwundbar ∗∗∗
---------------------------------------------
Enthält die to_bytes-Funktion von Hyper keine Längenbeschränkung, so lassen sich schnell DoS-Attacken ausführen. Abhilfe schafft die offizielle Doku.
---------------------------------------------
https://heise.de/-7451019
∗∗∗ BaFin warnt vor "Godfather"-Banking-Trojaner ∗∗∗
---------------------------------------------
Die BaFin warnt vor einem Banking-Trojaner, der Android-Geräte angreift. Die "Godfather" genannte Malware kann 400 internationale Finanzinstitutionen ausspähen.
---------------------------------------------
https://heise.de/-7453238
∗∗∗ Android-Malware: Neue Version von SpyNote stiehlt Banking-Daten ∗∗∗
---------------------------------------------
Die Verbreitung erfolgt über Phishing-E-Mails. Seit Oktober 2022 ist der Quellcode von SpyNote frei verfügbar. Seitdem nehmen die Aktivitäten von SpyNote deutlich zu.
---------------------------------------------
https://www.zdnet.de/88406317/android-malware-neue-version-von-spynote-stie…
∗∗∗ Kostenloses Entschlüsselungs-Tool für Ransomware MegaCortex veröffentlicht ∗∗∗
---------------------------------------------
Das Tool ist eine gemeinsame Entwicklung von Bitdefender und No More Ransom. Es funktioniert mit allen Varianten von MegaCortex.
---------------------------------------------
https://www.zdnet.de/88406357/kostenloses-entschluesselungs-tool-fuer-ranso…
∗∗∗ Windows 11 GPO "Enable MPR notifications ..." zur Sicherheit setzen ∗∗∗
---------------------------------------------
Kleiner Tipp für Administratoren, die so langsam Windows 11 in Unternehmensumgebungen einführen. In den Standardeinstellungen des Betriebssystems lassen sich mittels einer einfachen DLL die Winlogon-Anmeldeinformationen im Klartext auslesen. Die neue Gruppenrichtlinie "Enable MPR notifications" soll dies nun verhindern.
---------------------------------------------
https://www.borncity.com/blog/2023/01/08/windows-11-gpo-enable-mpr-notifica…
∗∗∗ VSCode Marketplace can be abused to host malicious extensions ∗∗∗
---------------------------------------------
Threat analysts at AquaSec have experimented with the security of VSCode Marketplace and found that its surprisingly easy to upload malicious extensions from accounts that appear verified on the platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-a…
∗∗∗ Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls ∗∗∗
---------------------------------------------
Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-crea…
∗∗∗ Unraveling the techniques of Mac ransomware ∗∗∗
---------------------------------------------
Understanding how Mac ransomware works is critical in protecting today’s hybrid environments. We analyzed several known Mac ransomware families and highlighted these families’ techniques, which defenders can study further to prevent attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-tec…
∗∗∗ Finding & Removing Malware From Weebly Sites ∗∗∗
---------------------------------------------
Weebly is an easy-to-use website builder that allows admins to quickly create and publish responsive blogs and sites. Website builder environments are usually considered to be very safe and not prone to malware infections, but during a recent investigation I found some malicious behavior which revealed that even closed proprietary systems for WYSIWYG website builders like Weebly can be abused.
---------------------------------------------
https://blog.sucuri.net/2023/01/finding-removing-malware-from-weebly-sites.…
∗∗∗ Dridex Malware Now Attacking macOS Systems with Novel Infection Method ∗∗∗
---------------------------------------------
A variant of the infamous Dridex banking malware has set its sights on Apples macOS operating system using a previously undocumented infection method, according to latest research.
---------------------------------------------
https://thehackernews.com/2023/01/dridex-malware-now-attacking-macos.html
∗∗∗ LummaC2 Stealer: A Potent Threat to Crypto Users ∗∗∗
---------------------------------------------
During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine.
---------------------------------------------
https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto…
∗∗∗ Unwrapping Ursnifs Gifts ∗∗∗
---------------------------------------------
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment [...]
---------------------------------------------
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
∗∗∗ Distribution of NetSupport RAT Malware Disguised as a Pokemon Game ∗∗∗
---------------------------------------------
NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems.
---------------------------------------------
https://asec.ahnlab.com/en/45312/
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücke in MatrixSSL ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
In der IoT-Bibliothek MatrixSSL haben IT-Forscher eine als kritisch eingestufte Sicherheitslücke entdeckt. Angreifer könnten dadurch Code einschleusen.
---------------------------------------------
https://heise.de/-7453087
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14).
---------------------------------------------
https://lwn.net/Articles/919202/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python2.7), SUSE (ca-certificates-mozilla, libksba, and ovmf), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, [...]
---------------------------------------------
https://lwn.net/Articles/919422/
∗∗∗ Kritische Sicherheitslücke in Open-Source-Projekt JsonWebToken entdeckt ∗∗∗
---------------------------------------------
Die Schwachstelle erlaubt unter Umständen eine Remotecodeausführung. Nutzer sollten auf die fehlerbereinigte Version 9.0.0 von JsonWebToken umsteigen.
---------------------------------------------
https://www.zdnet.de/88406385/kritische-sicherheitsluecke-in-open-source-pr…
∗∗∗ ThinkPad X13s: BIOS-Update schließt Schwachstellen ∗∗∗
---------------------------------------------
Der Hersteller Lenovo hat in einer Sicherheitsmeldung auf eine Reihe Schwachstellen im BIOS des ThinkPad X13s hingewiesen. Diese ermöglichen eine Speicherbeschädigung (Memory Corruption) und die Offenlegung von Informationen. Es steht ein BIOS-Update zum Schließen der Schwachstellen bereit.
---------------------------------------------
https://www.borncity.com/blog/2023/01/07/thinkpad-x13s-bios-update-schliet-…
∗∗∗ IBM Security Bulletins 2023-01-06 - 2023-01-09 ∗∗∗
---------------------------------------------
AIX, CICS Transaction Gateway, Enterprise Content Management System Monitor, IBM App Connect Enterprise, IBM Business Automation Workflow, IBM Connect:Direct Web Services, IBM InfoSphere Information Server, IBM Integration Bus, IBM Maximo Application Suite, IBM MQ, IBM Process Mining, IBM Robotic Process Automation for Cloud Pak, IBM Spectrum Protect Server, IBM SPSS Analytic Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct Web Services, IBM Tivoli Netcool Impact, Power HMC
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877 ∗∗∗
---------------------------------------------
https://github.com/numanturle/CVE-2022-44877
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 04-01-2023 18:00 − Donnerstag 05-01-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Bluebottle hackers used signed Windows driver in attacks on banks ∗∗∗
---------------------------------------------
A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bluebottle-hackers-used-sign…
∗∗∗ SpyNote Android malware infections surge after source code leak ∗∗∗
---------------------------------------------
The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest, known as CypherRat.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spynote-android-malware-infe…
∗∗∗ PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources ∗∗∗
---------------------------------------------
We take a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin.
---------------------------------------------
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
∗∗∗ ProxyNotShell Mitigations K.O. ∗∗∗
---------------------------------------------
Warum ist ProxyNotShell noch ein Thema? Die Schwachstellen wurden doch von Microsoft Anfang November geschlossen? Kurz gesagt, weil sich viele auf die letzte Mitigation von Microsoft verlassen haben, anstatt auf den November-Patch.
---------------------------------------------
https://cert.at/de/blog/2023/1/proxynotshell-mitigations-ko
∗∗∗ The dos and don’ts of ransomware negotiations ∗∗∗
---------------------------------------------
Has your organization suddenly been attacked by a ransomware virus? Take a deep breath and try to remain composed. It can be easy to panic or become overwhelmed in the face of an attack, but it is vital to remain calm and focused in order to make the best decisions for your organization.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/the-dos-and-donts-o…
∗∗∗ Dridex Returns, Targets MacOS Using New Entry Method ∗∗∗
---------------------------------------------
The Dridex variant we analyzed targets MacOS platforms with a new technique to deliver documents embedded with malicious macros to users.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-01-05 ∗∗∗
---------------------------------------------
AIX, IBM Content Navigator, IBM Maximo Application Suite, IBM Robotic Process Automation, IBM Robotic Process Automation for Cloud Pak, IBM Security Verify Governance, IBM Sterling B2B Integrator, IBM TXSeries for Multiplatforms, IBM Tivoli Network Manager, ITNM, Operations Dashboard, TADDM, IBM Cloud Object Storage Systems
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Zoho fixt Datenbank-Lücke in Password Manager Pro und Zugriffskontroll-Software ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für die ManageEngine-Produkte Access Manager Plus, PAM360 und Password Manager Pro.
---------------------------------------------
https://heise.de/-7449108
∗∗∗ Patchday: Kritische Kernel-Lücken bedrohen Android ∗∗∗
---------------------------------------------
Google stellt gegen mögliche Attacken abgesicherte Android-Versionen 10, 11, 12, 12L und 13 zum Download bereit. Angreifer können sich Nutzerrechte verschaffen.
---------------------------------------------
https://heise.de/-7449147
∗∗∗ Fortinet stopft Schadcode-Lücken in Netzwerk-Produkten ∗∗∗
---------------------------------------------
Angreifer könnten unberechtigt unter anderem auf FortiManager zugreifen. Sicherheitsupdates stehen zum Download bereit.
---------------------------------------------
https://heise.de/-7449288
∗∗∗ Sicherheitspatch: Angreifer könnten Systeme mit IBM Tivoli Monitoring übernehmen ∗∗∗
---------------------------------------------
Schwachstellen in mehreren Komponenten bedrohen die System- und Netzwerküberwachungslösung IBM Tivoli Monitoring.
---------------------------------------------
https://heise.de/-7449768
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus).
---------------------------------------------
https://lwn.net/Articles/919112/
∗∗∗ Hitachi Energy UNEM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-01
∗∗∗ Hitachi Energy FOXMAN-UN ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-02
∗∗∗ Hitachi Energy Lumada Asset Performance Management ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 03-01-2023 18:00 − Mittwoch 04-01-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Jetzt patchen! Noch 60.000 Exchange-Server für ProxyNotShell-Attacken anfällig ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen vor verwundbaren Exchange-Servern. 30.000 davon sind in Europa – der Großteil in Deutschland. Sicherheitspatches sind verfügbar.
---------------------------------------------
https://heise.de/-7448029
∗∗∗ l+f: Flipper Zero – Delfin auf Phishing-Tour ∗∗∗
---------------------------------------------
Vorsicht beim Kauf des beliebten Hacking-Gadgets Flipper Zero. Cyberkriminelle haben Fake-Shops eingerichtet, um Interessierte abzukassieren.
---------------------------------------------
https://heise.de/-7448371
∗∗∗ Nur noch eine Woche Zeit: Support-Ende von Windows 8.1 ∗∗∗
---------------------------------------------
Die letzten Stunden für Windows 8.1 haben geschlagen. In nicht einmal einer Woche stellt Microsoft die Unterstützung für Windows 8.1 endgültig ein.
---------------------------------------------
https://heise.de/-7448516
∗∗∗ Update to RTRBK - Diff and File Dates in PowerShell, (Wed, Jan 4th) ∗∗∗
---------------------------------------------
I use my RTRBK script pretty much every week, every single time that I work with a client that doesn't have their network gear in a backup cycle in fact. (for a review of this tool, see the original post https://isc.sans.edu/diary/RTRBK+Router+Switch+Firewall+Backups+in+PowerShe… ) Anyway, I was considering how I could improve this script, aside from adding more and more device types to the backups. A "diff" report was my obvious first thought - [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/29400
∗∗∗ Breaking RSA with a Quantum Computer ∗∗∗
---------------------------------------------
A group of Chinese researchers have just published a paper claiming that they can—although they have not yet done so—break 2048-bit RSA. This is something to take seriously. It might not be correct, but it’s not obviously wrong. We have long known from Shor’s algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the orders of millions of qbits, to factor anything resembling the key sizes we use today. What the researchers have done is combine classical lattice reduction factoring techniques with a quantum approximate optimization algorithm.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-…
∗∗∗ Androids First Security Updates for 2023 Patch 60 Vulnerabilities ∗∗∗
---------------------------------------------
Google announced on Tuesday the first Android security updates for 2023, which patch a total of 60 vulnerabilities. The first part of the update, which arrives on devices as the 2023-01-01 security patch level, addresses 19 security defects in the Framework and System components.
---------------------------------------------
https://www.securityweek.com/androids-first-security-updates-2023-patch-60-…
∗∗∗ Ransomware predictions in 2023: more gov’t action and a pivot to data extortion ∗∗∗
---------------------------------------------
There were thousands of ransomware attacks in 2022, from breaches targeting militaries to incidents that brought entire governments to a standstill. Ransomware giants like Conti closed shop, while groups like LockBit and Hive took their place, attacking thousands of hospitals, governments, businesses and schools across the world. So what does 2023 have in store for us?
---------------------------------------------
https://therecord.media/ransomware-predictions-in-2023-more-govt-action-and…
∗∗∗ DeTT&CT: Automate your detection coverage with dettectinator ∗∗∗
---------------------------------------------
Last year, I published an article on mapping detection to the MITRE ATT&CK framework using DeTT&CT. In the article, we introduced DeTT&CT and explored its features and usage. If you missed it, you can find the article here. Although, after writing that article, I encountered some challenges. For instance, I considered using DeTT&CT in a production environment but there were hundreds of existing detection rules to consider, and it would have been a tedious process to manually create the necessary YAML file for building a detection coverage layer.
---------------------------------------------
https://blog.nviso.eu/2023/01/04/dettct-automate-your-detection-coverage-wi…
∗∗∗ Shc Linux Malware Installing CoinMiner ∗∗∗
---------------------------------------------
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
---------------------------------------------
https://asec.ahnlab.com/en/45182/
∗∗∗ Three easy steps to dramatically improve your AWS security posture: Step 1, set up IAM properly ∗∗∗
---------------------------------------------
Have you ever heard the saying that the greatest benefit of the cloud is that limitless resources can be spun-up with just a few clicks of the mouse? If so, you would be best served by forgetting that saying altogether. Just because cloud resources can be spun-up with a few clicks of the mouse does not mean that they should be. Rather, prior to launching anything in the cloud, careful consideration and planning are a necessity.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/three-easy-steps-to…
=====================
= Vulnerabilities =
=====================
∗∗∗ January 2023 Vulnerability Advisories ∗∗∗
---------------------------------------------
FortiTester (CVSS Score: 7.6), FortiPortal (CVSS Score: 6.6), FortiWeb (CVSS Score: 5.3), FortiManager (CVSS Score: 6), FortiADC (CVSS Score: 8.6)
---------------------------------------------
https://fortiguard.fortinet.com/psirt-monthly-advisory/january-2023-vulnera…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (xorg-x11-server-Xwayland), Red Hat (webkit2gtk3), SUSE (rmt-server), and Ubuntu (freeradius).
---------------------------------------------
https://lwn.net/Articles/919051/
∗∗∗ IBM Security Bulletins 2023-01-04 ∗∗∗
---------------------------------------------
IBM Common Licensings Administration And Reporting Tool (ART), IBM DataPower Gateway, IBM Global Mailbox, IBM Integration Bus, IBM MQ, IBM Security Verify Governance, IBM Sterling Global Mailbox, IBM WebSphere MQ, IBM WebSphere Message Broker, ITNM
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 02-01-2023 18:00 − Dienstag 03-01-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ BMW, Mercedes, Kia, Porsche: Sicherheitsforscher hacken etliche Autohersteller ∗∗∗
---------------------------------------------
Forschern ist es gelungen die API-Endpunkte etlicher Autohersteller wie BMW oder Kia zu hacken - von der Konten- bis zur Autoübernahme war alles möglich.
---------------------------------------------
https://www.golem.de/news/bmw-mercedes-kia-porsche-sicherheitsforscher-hack…
∗∗∗ Schadcode auf PyPI: Supply-Chain-Angriff auf PyTorch Nightly Builds ∗∗∗
---------------------------------------------
Wer kürzlich PyTorch-nightly unter Linux via pip installiert hat, erhielt Schadcode. Das PyTorch-Team hat Gegenmaßnahmen eingeleitet.
---------------------------------------------
https://heise.de/-7447195
∗∗∗ Its about time: OS Fingerprinting using NTP, (Tue, Jan 3rd) ∗∗∗
---------------------------------------------
Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and reasonably accurate in most use cases to synchronize time across the internet with millisecond accuracy [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a variant of NTP.
---------------------------------------------
https://isc.sans.edu/diary/rss/29394
∗∗∗ Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe ∗∗∗
---------------------------------------------
Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.
---------------------------------------------
https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.ht…
∗∗∗ Cloud Metadata - AWS IAM Credential Abuse ∗∗∗
---------------------------------------------
[...] In this run through we have a vulnerable AWS EC2 instance configured to use IMDSv1 (Instance Metadata Service) which we will exploit, escalate our privileges and carry out post-compromise activities. While not every AWS EC2 instance has an associated IAM role (AWS Identity and Access Management), when they do these role profiles contain credentials/keys.
---------------------------------------------
https://sneakymonkey.net/cloud-credential-abuse/
∗∗∗ SSRF vulnerabilities caused by SNI proxy misconfigurations ∗∗∗
---------------------------------------------
SNI proxies are load balancers that use the SNI extension field to select backend systems. When misconfigured, SNI proxies can be vulnerable to SSRF attacks that provide access to web application backends.
---------------------------------------------
https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sn…
∗∗∗ Exploiting GraphQL Query Depth ∗∗∗
---------------------------------------------
GraphQL was created and developed with flexibility in mind: clients should be given the power to ask for exactly what they need and nothing more. Much of this flexibility involves allowing customers to execute multiple queries in a single request, [...]
---------------------------------------------
https://checkmarx.com/blog/exploiting-graphql-query-depth/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-01-03 ∗∗∗
---------------------------------------------
IBM Business Automation Workflow, IBM InfoSphere Information Server, IBM Integrated Analytics System, IBM Process Mining, IBM Security SOAR, IBM Security Verify Governance, IBM Sterling B2B Integrator, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Rational Directory Server (Tivoli) & Rational Directory Administrator
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Trend Micros Sicherheitslösung Maximum Security benötigt einen Sicherheitspatch ∗∗∗
---------------------------------------------
Angreifer könnten Windows-PCs mit Sicherheitssoftware von Trend Micro attackieren. Ein Sicherheitspatch ist verfügbar.
---------------------------------------------
https://heise.de/-7446553
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).
---------------------------------------------
https://lwn.net/Articles/918965/
∗∗∗ ThinkPad X13s BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500537
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 30-12-2022 18:00 − Montag 02-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ EarSpy-Lauschangriff auf Smartphones: Forschern gelingt Abhören aus der Ferne ∗∗∗
---------------------------------------------
In Mobiltelefone integrierte Ohrlautsprecher werden immer leistungsstärker. Dies hat den Nachteil, dass die verursachten Mini-Vibrationen verräterischer sind.
---------------------------------------------
https://heise.de/-7444910
∗∗∗ Rund 230 Millionen Deezer-Datensätze zu Have I been pwned hinzugefügt ∗∗∗
---------------------------------------------
Bei einem Einbruch in einen Deezer-Dienstleister konnten offenbar rund 230 Millionen Datensätze kopiert werden. Have I been pwned hat sie jetzt hinzugefügt.
---------------------------------------------
https://heise.de/-7445237
∗∗∗ Sicherheitsrisiko Microsoft Outlook App: Überträgt Anmeldedaten und Mails in die Cloud ∗∗∗
---------------------------------------------
Ich hole zum Jahresanfang 2023 nochmals ein Thema hoch, welches ich hier im Blog bereits 2015 und im Januar 2021 angesprochen habe. Es geht um die Microsoft Outlook App, die für Android- und iOS-Geräte angeboten und meines Erachtens breit eingesetzt [...]
---------------------------------------------
https://www.borncity.com/blog/2023/01/01/sicherheitsrisiko-microsoft-outloo…
∗∗∗ Ransomware gang cloned victim’s website to leak stolen data ∗∗∗
---------------------------------------------
The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victims site to publish stolen data on it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victi…
∗∗∗ NetworkMiner 2.8 Released, (Mon, Jan 2nd) ∗∗∗
---------------------------------------------
First of all, happy new year to all our Readers! There exist tools that are very popular for a long time because they are regularly updated and... just make the job! NetworkMiner is one of them (the first release was in 2007). I don't use it regularly but it is part of my forensic toolbox for a while and already helped me in many investigations.
---------------------------------------------
https://isc.sans.edu/diary/rss/29390
∗∗∗ WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws ∗∗∗
---------------------------------------------
WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html
∗∗∗ Python developers, uninstall this malicious package right now ∗∗∗
---------------------------------------------
If youre a Python developer and one who is accustomed to installed the latest preview builds of libraries, you might want to take immediate mitigative action. PyTorch, an open-source machine learning framework initially developed by Meta and now under the Linux Foundation, has seemingly been the target of a supply chain attack, which has potentially led to many users installing a malicious package.
---------------------------------------------
https://www.neowin.net/news/python-developers-uninstall-this-malicious-pack…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Content Collector, IBM Tivoli Monitoring
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Jetzt patchen: Netgear schließt hochriskante Lücke in mehreren Routern ∗∗∗
---------------------------------------------
Netgear empfiehlt ein dringendes Sicherheitsupdate für mehrere seiner Router-Modelle. Betroffen sind von der Lücke auch Modelle der Nighthawk-Reihe.
---------------------------------------------
https://heise.de/-7444672
∗∗∗ Synology warnt vor kritischer Lücke in VPN-Plus-Server ∗∗∗
---------------------------------------------
Wer Synology-Router als VPN-Server einsetzt, muss die Software zügig aktualisieren. Eine kritische Sicherheitslücke ermöglicht Angreifern sonst Codeschmuggel.
---------------------------------------------
https://heise.de/-7444783
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918883/
∗∗∗ Vulnerabilities in Java and IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights - CVE-2022-34165, CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852357
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 29-12-2022 18:00 − Freitag 30-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Netgear warns users to patch recently fixed WiFi router bug ∗∗∗
---------------------------------------------
Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch…
∗∗∗ New Linux malware uses 30 plugin exploits to backdoor WordPress sites ∗∗∗
---------------------------------------------
A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-pl…
∗∗∗ Security Update Guide Improvement – Representing Hotpatch Updates ∗∗∗
---------------------------------------------
Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/12/29/security-update-guide-improvemen…
∗∗∗ Opening the Door for a Knock: Creating a Custom DShield Listener, (Thu, Dec 29th) ∗∗∗
---------------------------------------------
There are a variety of services listening for connections on DShield honeypots. Different systems scanning the internet can connect to these listening services due to exceptions in the firewall. Any attempted connections blocked by the firewall are logged and can be analyzed later. This can be useful to see TCP port connection attempts, but it usefulness is limited.
---------------------------------------------
https://isc.sans.edu/diary/rss/29382
∗∗∗ SPF and DMARC use on GOV domains in different ccTLDs, (Fri, Dec 30th) ∗∗∗
---------------------------------------------
Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call robust or secure. By itself, the protocol lacks any security features related to ensuring (among other factors) integrity or authenticity of transferred data or the identity of their sender, and creating a “spoofed” e-mail is therefore quite easy.
---------------------------------------------
https://isc.sans.edu/diary/rss/29384
∗∗∗ CISA Warns of Active exploitation of JasperReports Vulnerabilities ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two-years-old security flaws impacting TIBCO Softwares JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.
---------------------------------------------
https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html
∗∗∗ ENLBufferPwn (CVE-2022-47949) ∗∗∗
---------------------------------------------
ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victims console by just having an online game with them (remote code execution).
---------------------------------------------
https://github.com/PabloMK7/ENLBufferPwn
∗∗∗ Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463 ∗∗∗
---------------------------------------------
Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the topic of Chrome browser exploitation on Windows in greater depth.
---------------------------------------------
https://jhalon.github.io/chrome-browser-exploitation-3/
∗∗∗ EU-Regeln für Cybersicherheit bald in Kraft: Rund 20.000 Betriebe betroffen ∗∗∗
---------------------------------------------
Die EU hat die novellierte Richtlinie zur Netz- und Informationssicherheit (NIS2) im Amtsblatt veröffentlicht. Der Countdown zur Umsetzung in Deutschland läuft.
---------------------------------------------
https://heise.de/-7444366
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Automation, IBM Cloud Pak for Business Automation, IBM Cloud Application Business Insights, IBM Cloud Transformation Advisor, Tivoli Netcool/OMNIbus, Netcool/System Service Monitor
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918778/
∗∗∗ Synology-SA-22:26 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to possible execute arbitrary command via a susceptible version of Synology VPN Plus Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_26
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 28-12-2022 18:00 − Donnerstag 29-12-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Google Home speakers allowed hackers to snoop on conversations ∗∗∗
---------------------------------------------
A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed…
∗∗∗ WordPress Vulnerability & Patch Roundup December 2022 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
---------------------------------------------
https://blog.sucuri.net/2022/12/wordpress-vulnerability-patch-roundup-decem…
∗∗∗ The Worst Hacks of 2022 ∗∗∗
---------------------------------------------
The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.
---------------------------------------------
https://www.wired.com/story/worst-hacks-2022/
∗∗∗ New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection ∗∗∗
---------------------------------------------
We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses.
---------------------------------------------
https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hi…
∗∗∗ One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware. (arXiv:2212.13716v1 [cs.CR]) ∗∗∗
---------------------------------------------
Currently, the development of IoT firmware heavily depends on third-partycomponents (TPCs) to improve development efficiency. Nevertheless, TPCs are notsecure, and the vulnerabilities in TPCs will influence the security of IoTf irmware.
---------------------------------------------
http://arxiv.org/abs/2212.13716
∗∗∗ A survey and analysis of TLS interception mechanisms and motivations. (arXiv:2010.16388v2 [cs.CR] UPDATED) ∗∗∗
---------------------------------------------
TLS is an end-to-end protocol designed to provide confidentiality andintegrity guarantees that improve end-user security and privacy. While TLShelps defend against pervasive surveillance of intercepted unencrypted traffic,it also hinders several common beneficial operations typically performed bymiddleboxes on the network traffic.
---------------------------------------------
http://arxiv.org/abs/2010.16388
∗∗∗ HardCIDR – Network CIDR and Range Discovery Tool ∗∗∗
---------------------------------------------
HardCIDR is a Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test.
---------------------------------------------
https://www.darknet.org.uk/2022/12/hardcidr-network-cidr-and-range-discover…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting ∗∗∗
---------------------------------------------
The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918715/
∗∗∗ Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers ∗∗∗
---------------------------------------------
Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.
---------------------------------------------
https://www.securityweek.com/several-dos-code-execution-vulnerabilities-fou…
∗∗∗ Ungepatchte Citrix-Server zu Tausenden über kritische Schwachstellen angreifbar ∗∗∗
---------------------------------------------
Citrix hat in den letzten Monaten Sicherheitsupdates für kritische Schwachstellen in Citrix ADC- und Gateway-Produkten freigegeben und entsprechende Sicherheitswarnungen veröffentlicht.
---------------------------------------------
https://www.borncity.com/blog/2022/12/29/ungepatchte-citrix-server-zu-tause…
∗∗∗ (Non-US) DIR-825/EE : H/W Rev. R2 & DIR-825/AC Rev. G1A:: F/W 1.0.9 :: Multiple Vulnerabilities by Trend Micro, the Zero Day Initiative (ZDI) ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ IBM Synthetic Playback Agent is vulnerable due to its use of Apache Commons Text [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852105
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 27-12-2022 18:00 − Mittwoch 28-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ KI-Wunder ChatGPT kann bösartige E-Mails und Code generieren ∗∗∗
---------------------------------------------
Check Point Research (CPR) warnt vor Hackern, die ChatGPT und Codex von OpenAI nutzen könnten, um gezielte Cyberangriffe durchzuführen.
https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hac…
---------------------------------------------
https://www.zdnet.de/88406214/ki-wunder-chatgpt-kann-boesartige-e-mails-und…
∗∗∗ Droht eine Exchange ProxyNotShell-Katastrophe zum Jahreswechsel 2022/2023? ∗∗∗
---------------------------------------------
Beunruhigende Informationen, die mich gerade erreicht haben. Nicht auf dem aktuellen Patchstand befindliche Microsoft Exchange On-Premises-Server sind anfällig für Angriffe über die ProxyNotShell-Schwachstellen. Vor Weihnachten gab es dann die Information, dass die Hackergruppe FIN7 seit längerem eine automatisierte Angriffsplattform zum [...]
---------------------------------------------
https://www.borncity.com/blog/2022/12/28/droht-eine-exchange-proxynotshell-…
∗∗∗ Why Attackers Target GitHub, and How You Can Secure It ∗∗∗
---------------------------------------------
The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.
---------------------------------------------
https://www.darkreading.com/edge-articles/why-attackers-target-github-and-h…
∗∗∗ Playing with Powershell and JSON (and Amazon and Firewalls), (Wed, Dec 28th) ∗∗∗
---------------------------------------------
In this post we'll take a look at parsing and manipulating JSON in Powershell.
---------------------------------------------
https://isc.sans.edu/diary/rss/29380
∗∗∗ CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet ∗∗∗
---------------------------------------------
Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given the situation of past Citrix vulnerabilities, RIFT started to research on how to identify the [...]
---------------------------------------------
https://blog.fox-it.com/2022/12/28/cve-2022-27510-cve-2022-27518-measuring-…
∗∗∗ EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer ∗∗∗
---------------------------------------------
As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States.
---------------------------------------------
https://www.securityweek.com/earspy-spying-phone-calls-ear-speaker-vibratio…
∗∗∗ Alias and Directive Overloading in GraphQL ∗∗∗
---------------------------------------------
Denial of Service (DoS) attacks in GraphQL APIs are nothing new. It turns out that when you let clients control what data they want to receive from the server, malicious users try to abuse this flexibility to exhaust resources.
---------------------------------------------
https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).
---------------------------------------------
https://lwn.net/Articles/918655/
∗∗∗ Microsoft Patches Azure Cross-Tenant Data Access Flaw ∗∗∗
---------------------------------------------
Microsoft has silently fixed an important-severity security flaw in its Azure Cognitive Search (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks.
---------------------------------------------
https://www.securityweek.com/microsoft-patches-azure-cross-tenant-data-acce…
∗∗∗ ABB Security Advisory: NE843 Pulsar Plus Controller ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&Lan…
∗∗∗ A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 (CVE-2022-34165). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851953
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily