=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-07-2023 18:00 − Tuesday 25-07-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique ∗∗∗
---------------------------------------------
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets.
---------------------------------------------
https://thehackernews.com/2023/07/casbaneiro-banking-malware-goes-under.html
∗∗∗ Rooting the Amazon Echo Dot ∗∗∗
---------------------------------------------
Thanks to a debug feature implemented by Lab126 (Amazon's hardware development company) it is now possible to obtain a tethered root on the device. Thanks to strong security practices enforced by the company such as a chain of trust from the beginning of the boot process, this should not be a major issue.
---------------------------------------------
https://dragon863.github.io/blog/echoroot.html
∗∗∗ Will the real Citrix CVE-2023-3519 please stand up? ∗∗∗
---------------------------------------------
While the most recent Citrix Security Advisory identifies CVE-2023-3519 as the only vulnerability resulting in unauthenticated remote code execution, there are at least two vulnerabilities that were patched during the most recent version upgrade.
---------------------------------------------
https://www.greynoise.io/blog/will-the-real-citrix-cve-2023-3519-please-sta…
∗∗∗ Forthcoming OpenSSL Releases ∗∗∗
---------------------------------------------
The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.1.2, 3.0.10 and 1.1.1v. These releases will be made available on Tuesday 1st August 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is Low.
---------------------------------------------
https://mta.openssl.org/pipermail/openssl-announce/2023-July/000266.html
∗∗∗ Phishing alert: Our list of current phishing messages ∗∗∗
---------------------------------------------
In phishing messages, criminals ask you by e-mail or SMS to follow links or open file attachments. In this way, criminals try to obtain your login, bank or credit card data. Numerous phishing messages are reported to us every day. As soon as we discover new phishing messages, we add them to our phishing alert!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-unsere-liste-mit-aktu…
=====================
= Vulnerabilities =
=====================
∗∗∗ Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo ∗∗∗
---------------------------------------------
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems.
- CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0)
- CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0)
- CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1)
---------------------------------------------
https://thehackernews.com/2023/07/atlassian-releases-patches-for-critical.h…
∗∗∗ CVE-2023-35078 - Remote Unauthenticated API Access Vulnerability (CVSS: 10.0) ∗∗∗
---------------------------------------------
A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – Version 11.4 releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. [..] Upon learning of the vulnerability, we immediately mobilized resources to fix the problem and have a patch available now.
---------------------------------------------
https://forums.ivanti.com/s/article/CVE-2023-35078-Remote-unauthenticated-A…
∗∗∗ F5 Security Advisory K000135555: Java vulnerabilities CVE-2020-2756 and CVE-2020-2757 ∗∗∗
---------------------------------------------
This vulnerability may allow an attacker with network access to compromise the affected component. Successful exploit can result in unauthorized ability to cause a partial denial-of-service (DoS) of the affected component. BIG-IP and BIG-IQ Versions known to be vulnerable: BIG-IP (all modules) 13.x-17.x, BIG-IQ Centralized Management 8.0.0-8.3.0
---------------------------------------------
https://my.f5.com/manage/s/article/K000135555
∗∗∗ Citrix Hypervisor Security Update for CVE-2023-20593 ∗∗∗
---------------------------------------------
AMD has released updated microcode to address an issue with certain AMD CPUs. Although this is not an issue in the Citrix Hypervisor product itself, we have released a hotfix that includes this microcode to mitigate this CPU hardware issue.
---------------------------------------------
https://support.citrix.com/article/CTX566835/citrix-hypervisor-security-upd…
∗∗∗ Xen Security Advisory XSA-433 x86/AMD: Zenbleed ∗∗∗
---------------------------------------------
This issue can be mitigated by disabling AVX, either by booting Xen with `cpuid=no-avx` on the command line, or by specifying `cpuid="host:avx=0"` in the vm.cfg file of all untrusted VMs. However, this will come with a significant impact on the system and is not recommended for anyone able to deploy the microcode or patch described below. [..] In cases where microcode is not available, the appropriate attached patch updates Xen to use a control register to avoid the issue.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-433.html
∗∗∗ VMWare VMSA-2023-0016 (CVE-2023-20891) ∗∗∗
---------------------------------------------
CVSSv3 Range: 6.5
Synopsis: VMware Tanzu Application Service for VMs and Isolation Segment updates address information disclosure vulnerability
Known Attack Vectors: A malicious non-admin user who has access to the platform system audit logs can access hex encoded CF API admin credentials and can push new malicious versions of an application. In a default deployment non-admin users do not have access to the platform system audit logs.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0016.html
∗∗∗ TYPO3 12.4.4 and 11.5.30 security releases published ∗∗∗
---------------------------------------------
All versions are security releases and contain important security fixes - read the corresponding security advisories:
- TYPO3-CORE-SA-2023-002: By-passing Cross-Site Scripting Protection in HTML Sanitizer (CVE-2023-38500)
- TYPO3-CORE-SA-2023-003: Information Disclosure due to Out-of-scope Site Resolution (CVE-2023-38499)
- TYPO3-CORE-SA-2023-004: Cross-Site Scripting in CKEditor4 WordCount Plugin (CVE-2023-37905)
---------------------------------------------
https://typo3.org/article/typo3-1244-and-11530-security-releases-published
∗∗∗ Holes plugged: Apple releases iOS 16.6, macOS 13.5, watchOS 9.6 and tvOS 16.6 ∗∗∗
---------------------------------------------
Fresh Apple updates from Monday evening deliver bug fixes and, above all, security-relevant fixes. There were also zero-day holes.
---------------------------------------------
https://heise.de/-9225677
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python-git and renderdoc), Red Hat (edk2, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (firefox, libcap, openssh, openssl-1_1, python39, and zabbix), and Ubuntu (cinder, ironic, nova, python-glance-store, python-os-brick, frr, graphite-web, and openssh).
---------------------------------------------
https://lwn.net/Articles/939179/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.13.1 ∗∗∗
---------------------------------------------
CVE-2023-3417: File Extension Spoofing using the Text Direction Override Character
An email attachment could be incorrectly shown as being a document file, while in fact it was an executable file. Newer versions of Thunderbird will strip the character and show the correct file extension.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-28/
∗∗∗ Spring Security 5.6.12, 5.7.10, 5.8.5, 6.0.5, and 6.1.2 are available now, including fixes for CVE-2023-34034 and CVE-2023-34035 ∗∗∗
---------------------------------------------
Those versions fix the following CVEs:
- CVE-2023-34034: WebFlux Security Bypass With Un-Prefixed Double Wildcard Pattern
- CVE-2023-34035: Authorization rules can be misconfigured when using multiple servlets
---------------------------------------------
https://spring.io/blog/2023/07/24/spring-security-5-6-12-5-7-10-5-8-5-6-0-5…
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) advisories on July 25, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
- ICSA-23-206-01 AXIS A1001
- ICSA-23-206-02 Rockwell Automation ThinManager ThinServer
- ICSA-23-206-03 Emerson ROC800 Series RTU and DL8000 Preset Controller
- ICSA-23-206-04 Johnson Controls IQ Wifi 6
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/25/cisa-releases-four-indus…
∗∗∗ 2023-07-24: Cyber Security Advisory - ABB Ability Zenon directory permission and internal issues ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001801&Language…
∗∗∗ AMD Cross-Process Information Leak ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500571-AMD-CROSS-PROCESS-INFOR…
∗∗∗ [R1] Stand-alone Security Patch Available for Security Center versions 6.0.0, 6.1.0 and 6.1.1: SC-202307.1-6.x ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-26
∗∗∗ [R1] Stand-alone Security Patch Available for Security Center version 5.23.1: SC-202307.1-5.23.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-25
∗∗∗ OAuthlib is vulnerable to CVE-2022-36087 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014235
∗∗∗ SnakeYaml is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014243
∗∗∗ Node.js http-cache-semantics module is vulnerable to CVE-2022-25881 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014237
∗∗∗ Werkzeug is vulnerable to CVE-2023-25577 and CVE-2023-23934 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014239
∗∗∗ Cisco node-jose is vulnerable to CVE-2023-25653 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014241
∗∗∗ Apache Commons FileUpload and Tomcat are vulnerable to CVE-2023-24998 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014245
∗∗∗ Xml2js is vulnerable to CVE-2023-0842 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014247
∗∗∗ Flask is vulnerable to CVE-2023-30861 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014251
∗∗∗ Apache Commons Codec is vulnerable to PRISMA-2021-0055 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014255
∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014253
∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014259
∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012613
∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014261
∗∗∗ json-20220320.jar is vulnerable to CVE-2022-45688 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014269
∗∗∗ Apache Kafka is vulnerable to CVE-2022-34917 and CVE-2023-25194 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014273
∗∗∗ Netplex json-smart-v2 is vulnerable to CVE-2023-1370 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014271
∗∗∗ Netty is vulnerable to CVE-2022-41915 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014281
∗∗∗ VMware Tanzu Spring Security is vulnerable to CVE-2022-31692 and CVE-2023-20862 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014361
∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20861 and CVE-2023-20863 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014353
∗∗∗ Netty is vulnerable to CVE-2023-34462 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014357
∗∗∗ VMware Tanzu Spring Framework is vulnerable to CVE-2023-20860 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014363
∗∗∗ Apache Commons FileUpload and Apache Tomcat are vulnerable to CVE-2023-24998, CVE-2022-45143, and CVE-2023-28708 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014365
∗∗∗ VMware Tanzu Spring Boot is vulnerable to CVE-2023-20883 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014369
∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013909
∗∗∗ Python-requests is vulnerable to CVE-2023-32681 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014371
∗∗∗ Google Guava is vulnerable to CVE-2023-2976 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014373
∗∗∗ Snappy-java is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014375
∗∗∗ The Bouncy Castle Crypto Package For Java is vulnerable to CVE-2023-33201 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014377
∗∗∗ Multiple vulnerabilities affect IBM Data Virtualization on Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014379
∗∗∗ Vulnerabilities in Python, OpenSSH, Golang Go, Minio and Redis may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011697
∗∗∗ Multiple vulnerabilities in Apache Log4j affects IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014395
∗∗∗ IBM Event Streams is affected by multiple Golang Go vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014403
∗∗∗ IBM WebSphere Application Server, used in IBM Security Verify Governance Identity Manager, could provide weaker than expected security (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014401
∗∗∗ The IBM® Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for X-Force ID 220800 and CVE-2017-12626 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014413
∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVEs - Remediation/Fixes) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014429
∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to arbitrary code execution due to [CVE-2022-28805] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014459
∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service due to [CVE-2021-27212] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014457
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands are vulnerable to denial of service due to [CVE-2022-21349] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014455
∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to denial of service and loss of confidentiality due to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014451
∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014453
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014473
∗∗∗ IBM WebSphere Application Server traditional is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014475
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Decision Optimization for IBM Cloud Private for Data (ICP4Data) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/876830
∗∗∗ Watson Query potentially exposes administrators key under some conditions due to CVE-2022-22410 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6569235
∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6453431
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-07-2023 18:00 − Monday 24-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ A simple action prevents phone fraud ∗∗∗
---------------------------------------------
Fraudsters deliberately use phone books to identify their victims. Older people in particular are being targeted.
---------------------------------------------
https://futurezone.at/digital-life/telefonbetrug-vorbeugen-spam-sperren-blo…
∗∗∗ Security baseline for Microsoft Edge version 115 ∗∗∗
---------------------------------------------
We are pleased to announce the security review for Microsoft Edge, version 115! We have reviewed the new settings in Microsoft Edge version 115 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 114 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks ∗∗∗
---------------------------------------------
Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks. The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, [...]
---------------------------------------------
https://thehackernews.com/2023/07/critical-zero-days-in-atera-windows.html
∗∗∗ TETRA Radio Code Encryption Has a Flaw: A Backdoor ∗∗∗
---------------------------------------------
A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty.
---------------------------------------------
https://www.wired.com/story/tetra-radio-encryption-backdoor/
∗∗∗ Microsoft's stolen key more powerful than assumed ∗∗∗
---------------------------------------------
A stolen key possibly worked not only for Exchange Online, but was a kind of master key for large parts of the Microsoft cloud.
---------------------------------------------
https://heise.de/-9224640
∗∗∗ Warning, fake shop: vailia-parfuemerie.com ∗∗∗
---------------------------------------------
At Vailia Parfümerie you will find inexpensive cosmetic products and perfumes. The online shop makes a professional impression but does not deliver any goods. If you provided your credit card details as the payment method, either unauthorized charges will occur or your data will be misused for a fraud attempt at a later date.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-vailia-parfuemerie…
∗∗∗ Palo Alto Networks warns of P2P worm for cloud container environments ∗∗∗
---------------------------------------------
The new malware has been in circulation for at least about two weeks. It targets a known vulnerability in the database application Redis.
---------------------------------------------
https://www.zdnet.de/88410715/palo-alto-networks-warnt-vor-p2p-wurm-fuer-cl…
∗∗∗ Security: The AES 128/128 cipher suite should be disabled on IIS ∗∗∗
---------------------------------------------
A brief snippet of security information that may interest administrators of an Internet Information Server (IIS) in Windows environments.
---------------------------------------------
https://www.borncity.com/blog/2023/07/22/sicherheit-die-aes-128-128-cipher-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Zenbleed (CVE-2023-20593) - If you remove the first word from the string "hello world", what should the result be? ∗∗∗
---------------------------------------------
This is the story of how we discovered that the answer could be your root password! [..] AMD have released a microcode update for affected processors. Your BIOS or Operating System vendor may already have an update available that includes it. Workaround: It is highly recommended to use the microcode update. If you can’t apply the update for some reason, there is a software workaround: you can set the chicken bit DE_CFG. This may have some performance cost.
---------------------------------------------
https://lock.cmpxchg8b.com/zenbleed.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (curl, dotnet6.0, dotnet7.0, ghostscript, kernel-headers, kernel-tools, libopenmpt, openssh, and samba), Mageia (virtualbox), Red Hat (java-1.8.0-openjdk and java-11-openjdk), and Scientific Linux (java-1.8.0-openjdk and java-11-openjdk).
---------------------------------------------
https://lwn.net/Articles/939059/
∗∗∗ Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo ∗∗∗
---------------------------------------------
Atlassian patches high-severity remote code execution vulnerabilities in Confluence and Bamboo products.
---------------------------------------------
https://www.securityweek.com/atlassian-patches-remote-code-execution-vulner…
∗∗∗ AMI MegaRAC SP-X BMC Redfish Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500570-AMI-MEGARAC-SP-X-BMC-R…
∗∗∗ Multiple vulnerabilities affect the embedded Content Navigator in Business Automation Workflow - CVE-2023-24998, 254437 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013897
∗∗∗ Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014039
∗∗∗ Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014057
∗∗∗ IBM App Connect for Manufacturing is vulnerable to a denial of service due to FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014181
∗∗∗ IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to Node.js (CVE-2023-23920) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014193
∗∗∗ IBM Sterling Connect:Direct File Agent is vulnerable to a buffer overflow and unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition (CVE-2023-21930, CVE-2023-21939, CVE-2023-21967, CVE-2023-21968) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009987
∗∗∗ Multiple security vulnerabilities have been identified in IBM WebSphere Application Server which is a component of IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013889
∗∗∗ IBM Storage Protect Server is vulnerable to denial of service due to Golang Go ( CVE-2023-24534 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014223
∗∗∗ IBM Storage Protect Server is vulnerable to sensitive information disclosure due to IBM GSKit ( CVE-2023-32342 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7014225
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-07-2023 18:00 − Friday 21-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ GitHub warns of Lazarus hackers targeting devs with malicious projects ∗∗∗
---------------------------------------------
GitHub is warning of a social engineering campaign targeting the accounts of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity sectors to infect their devices with malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-warns-of-lazarus-hack…
∗∗∗ Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities ∗∗∗
---------------------------------------------
A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts.
---------------------------------------------
https://thehackernews.com/2023/07/sophisticated-bundlebot-malware.html
∗∗∗ Supply chain security for Go, Part 3: Shifting left ∗∗∗
---------------------------------------------
Previously in our Supply chain security for Go series, we covered dependency and vulnerability management tools and how Go ensures package integrity and availability as part of the commitment to countering the rise in supply chain attacks in recent years. In this final installment, we’ll discuss how “shift left” security can help make sure you have the security information you need, when you need it, to avoid unwelcome surprises.
---------------------------------------------
http://security.googleblog.com/2023/07/supply-chain-security-for-go-part-3.…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#653767: Perimeter81 macOS Application Multiple Vulnerabilities ∗∗∗
---------------------------------------------
At the time, the latest Perimeter81 MacOS application (10.0.0.19) suffers from a local privilege escalation vulnerability inside its com.perimeter81.osx.HelperTool. This HelperTool allows the main application to set up things which require administrative privileges such as VPN connection, changing routing table, etc.
---------------------------------------------
https://kb.cert.org/vuls/id/653767
∗∗∗ Vulnerabilities in AMI firmware: Gigabyte hack endangers countless server systems ∗∗∗
---------------------------------------------
After a hacker attack on Gigabyte, an AMI firmware was leaked, among other things, in which researchers have now found extremely serious vulnerabilities.
---------------------------------------------
https://www.golem.de/news/schwachstellen-in-ami-firmware-gigabyte-hack-gefa…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (golang, nodejs16, nodejs18, and R-jsonlite), Red Hat (java-1.8.0-openjdk and java-17-openjdk), SUSE (container-suseconnect, redis, and redis7), and Ubuntu (wkhtmltopdf).
---------------------------------------------
https://lwn.net/Articles/938878/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0006 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-37450, CVE-2023-32393.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0006.html
∗∗∗ Foxit PDF Reader and PDF Editor 12.1.3 as security updates ∗∗∗
---------------------------------------------
Brief information for people who may still be using Foxit PDF Reader and/or PDF Editor. Older versions contain security vulnerabilities that are fixed by a security update to version 12.1.3.15356 [...]
---------------------------------------------
https://www.borncity.com/blog/2023/07/20/foxit-pdf-reader-und-pdf-editor-12…
∗∗∗ GBrowse vulnerable to unrestricted upload of files with dangerous types ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN35897618/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.0.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-27/
∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013595
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to unspecified vulnerabilities in IBM Runtime Environment Java Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010095
∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963962
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests (CVE-2022-38712) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855661
∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server (CVE-2022-3509, CVE-2022-3171) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963956
∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957392
∗∗∗ IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963958
∗∗∗ IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963960
∗∗∗ IBM Sterling Global Mailbox is vulnerable to HTTP header injection due to WebSphere Liberty Server (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954401
∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954403
∗∗∗ IBM Global Mailbox is vulnerable to remote code execution due to Apache Cassandra (CVE-2021-44521) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852565
∗∗∗ IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6954405
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011767
∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013887
∗∗∗ Vulnerability in Google gson 2.2.4 libraries (CVE-2022-25647) affects IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013881
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-07-2023 18:00 − Thursday 20-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Citrix zero-days: Detecting traces of attacks on Netscaler ADC and Gateway ∗∗∗
---------------------------------------------
Citrix vulnerabilities were already being attacked in the wild before updates became available. Checking for traces of attacks is therefore advisable.
---------------------------------------------
https://heise.de/-9221655
∗∗∗ Microsoft Relents, Offers Free Critical Logging to All 365 Customers ∗∗∗
---------------------------------------------
Industry pushback prompts Microsoft to drop premium pricing for access to cloud logging data.
---------------------------------------------
https://www.darkreading.com/application-security/microsoft-relents-offers-f…
∗∗∗ Docker Hub images found to expose secrets and private keys ∗∗∗
---------------------------------------------
Numerous Docker images shared on Docker Hub are exposing sensitive data, according to a study conducted by researchers at the German university RWTH Aachen. Needless to say, this poses a significant security risk.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/07/docker-hub-images-found-to-e…
∗∗∗ Pay up front in order to work? Stay away from jobs at Nice Tech GmbH ∗∗∗
---------------------------------------------
On nice102.com, nice02.com, unice688.com, nicetechmax.com and presumably numerous other domains, Nice Tech GmbH operates an opaque pyramid scheme in which you can supposedly earn money from home. However, the task descriptions are extremely vague, you are expected to pay money up front to get started, and most of the money is paid for recruiting new members.
---------------------------------------------
https://www.watchlist-internet.at/news/vorab-bezahlen-um-arbeiten-zu-koenne…
∗∗∗ P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm ∗∗∗
---------------------------------------------
A novel peer-to-peer worm written in Rust is uniquely scalable. It targets open-source database Redis and can infect multiple platforms.
---------------------------------------------
https://unit42.paloaltonetworks.com/peer-to-peer-worm-p2pinfect/
∗∗∗ Announcing New DMARC Policy Handling Defaults for Enhanced Email Security ∗∗∗
---------------------------------------------
For our consumer service (live.com / outlook.com / hotmail.com), we have changed our DMARC policy handling to honor the sender’s DMARC policy. If an email fails DMARC validation and the sender’s policy is set to p=reject or p=quarantine, we will reject the email.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/announcing-new-dm…
∗∗∗ The SOC Toolbox: Analyzing AutoHotKey compiled executables ∗∗∗
---------------------------------------------
A quick post on how to extract AutoHotKey scripts from an AutoHotKey script compiled executable.
---------------------------------------------
https://blog.nviso.eu/2023/07/20/the-soc-toolbox-analyzing-autohotkey-compi…
∗∗∗ Escalating Privileges via Third-Party Windows Installers ∗∗∗
---------------------------------------------
In this blog post, we will share how Mandiant’s red team researches and exploits zero-day vulnerabilities in third-party Windows Installers, what software developers should do to reduce risk of exploitation, and introduce a new tool to simplify enumeration of cached Microsoft Software Installer (MSI).
---------------------------------------------
https://www.mandiant.com/resources/blog/privileges-third-party-windows-inst…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware Tanzu Spring: Update closes critical vulnerability ∗∗∗
---------------------------------------------
Updated versions of VMware Tanzu Spring close security vulnerabilities. One of them is rated critical.
---------------------------------------------
https://heise.de/-9221869
∗∗∗ CVE-2023-38205: Adobe ColdFusion Access Control Bypass [FIXED] ∗∗∗
---------------------------------------------
Rapid7 discovered that the initial patch for CVE-2023-29298 (Adobe ColdFusion access control bypass vulnerability) did not successfully remediate the issue.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/07/19/cve-2023-38205-adobe-coldfusion…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 10, 2023 to July 16, 2023) ∗∗∗
---------------------------------------------
Last week, there were 69 vulnerabilities disclosed in 68 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 29 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/07/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (sysstat), Gentoo (openssh), Mageia (firefox/nss, kernel, kernel-linus, maven, mingw-nsis, mutt/neomutt, php, qt4/qtsvg5, and texlive), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and kpatch-patch), Slackware (curl and openssh), SUSE (curl, grafana, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, poppler, python-Flask, python310, samba, SUSE Manager Client Tools, and texlive), and Ubuntu (curl, ecdsautils, and samba).
---------------------------------------------
https://lwn.net/Articles/938711/
∗∗∗ Apache OpenMeetings Wide Open to Account Takeover, Code Execution ∗∗∗
---------------------------------------------
Researcher discovers vulnerabilities in the open source Web application, which were fixed in the latest Apache OpenMeetings update.
---------------------------------------------
https://www.darkreading.com/remote-workforce/apache-openmeetings-account-ta…
∗∗∗ CVE-2023-38408: Remote Code Execution in OpenSSH's forwarded ssh-agent ∗∗∗
---------------------------------------------
In this advisory, we present our research, experiments, reproducible results, and further ideas to exploit this "dlopen() then dlclose()" primitive. We will also publish the source code of our crude fuzzer at https://www.qualys.com/research/security-advisories/.
---------------------------------------------
https://www.qualys.com/2023/07/19/cve-2023-38408/rce-openssh-forwarded-ssh-…
∗∗∗ Security vulnerabilities in Omnis Studio (SYSS-2023-005/-006) ∗∗∗
---------------------------------------------
Implementation flaws allow attackers to open and edit private Omnis libraries and locked classes in the Omnis Studio Browser.
---------------------------------------------
https://www.syss.de/pentest-blog/sicherheitsschwachstellen-in-omnis-studio-…
∗∗∗ TP-LINK TL-WR840N: Vulnerability enables stack buffer overflow DoS ∗∗∗
---------------------------------------------
The firmware of the TP-Link router TP-LINK TL-WR840N contains a vulnerability that allows a remote attacker to carry out a stack buffer overflow DoS attack. TP-Link does not intend to publish a security advisory on this, but has made a new firmware (TL-WR840N(KR)_V6.2_230702) available on this website.
---------------------------------------------
https://www.borncity.com/blog/2023/07/20/tp-link-tl-wr84-schwachstelle-ermg…
∗∗∗ Cisco BroadWorks Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Small Business SPA500 Series IP Phones Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007815
∗∗∗ IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to SnakeYaml [CVE-2022-1471] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013297
∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2023-28530, XFID: 212233, CVE-2022-24999, CVE-2023-28530, CVE-2023-25929) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012621
∗∗∗ IBM Workload Scheduler is potentially affected by multiple vulnerabilities in OpenSSL (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003501
∗∗∗ IBM App Connect Enterprise Certified Container Dashboard operands are vulnerable to security restrictions bypass due to [CVE-2022-32221], [CVE-2023-27533], [CVE-2023-28322] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013517
∗∗∗ Security Vulnerabilities in hazelcast client affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013527
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Framework (CVE-2023-20863) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003899
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in VMware Tanzu Spring Security (CVE-2023-20862) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003901
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework denial of service vulnerability [CVE-2023-20863] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012251
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-07-2023 18:00 − Wednesday 19-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New ransomware: Criminals encrypt systems in the name of Sophos ∗∗∗
---------------------------------------------
Supposed encryption software from Sophos turns out to be a Bitcoin-earning ransomware service for criminal actors.
---------------------------------------------
https://www.golem.de/news/neue-ransomware-kriminelle-verschluesseln-systeme…
∗∗∗ Comprehensive analysis of initial attack samples exploiting CVE-2023-23397 vulnerability ∗∗∗
---------------------------------------------
On March 14, 2023, Microsoft published a blogpost describing an Outlook Client Elevation of Privilege Vulnerability (CVSS: 9.8 CRITICAL). The publication generated a lot of activity among white, grey and black hat researchers, as well as lots of publications and tweets about the vulnerability and its exploitation. Below, we will highlight the key points and then focus on the initial use of this vulnerability by attackers before it became public.
---------------------------------------------
https://securelist.com/analysis-of-attack-samples-exploiting-cve-2023-23397…
∗∗∗ Massive Google Colaboratory Abuse: Gambling and Subscription Scam ∗∗∗
---------------------------------------------
While Google’s free and open tools are undeniably valuable for collaboration (and innovation), it’s evident that complications arise when they become a haven for bad actors. Millions of documents with spam content on the Google Colab platform reveal that spammers have found yet another method to host doorways that they actively promote via spam link injections on compromised websites.
---------------------------------------------
https://blog.sucuri.net/2023/07/massive-google-colaboratory-abuse-gambling-…
∗∗∗ LKA Niedersachsen warns of phishing and subscription traps using iCloud and Google emails ∗∗∗
---------------------------------------------
Fraudsters are currently sending emails claiming that Apple iCloud or Google storage space is running full. The LKA Niedersachsen is warning about this.
---------------------------------------------
https://heise.de/-9220688
∗∗∗ Network and Information Systems Security (NIS2): recommendations for NRENs ∗∗∗
---------------------------------------------
GÉANT worked with Stratix, an independent consultancy firm specialised in communication infrastructures and services, to go through the steps that NRENs need to follow and the questions that need to be answered during the NIS2 implementation phase.
---------------------------------------------
https://connect.geant.org/2023/07/19/network-and-information-systems-securi…
∗∗∗ HotRat: The Risks of Illegal Software Downloads and Hidden AutoHotkey Script Within ∗∗∗
---------------------------------------------
Despite risks to their own data and devices, some users continue to be lured into downloading illegal versions of popular paid-for software, disregarding the potentially more severe repercussions than legitimate alternatives. We have analyzed how cybercriminals deploy HotRat, a remote access trojan (RAT), through an AutoHotkey script attached to cracked software.
---------------------------------------------
https://decoded.avast.io/martinchlumecky/hotrat-the-risks-of-illegal-softwa…
=====================
= Vulnerabilities =
=====================
∗∗∗ OpenSSL Security Advisory: Excessive time spent checking DH keys and parameters (CVE-2023-3446) ∗∗∗
---------------------------------------------
Severity: Low Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service.
---------------------------------------------
https://www.openssl.org/news/secadv/20230714.txt
∗∗∗ Web browser: Google plugs 20 security holes in Chrome 115 ∗∗∗
---------------------------------------------
Google has released version 115 of the Chrome web browser. In it, the developers fix 20 vulnerabilities.
---------------------------------------------
https://heise.de/-9220438
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9, libapache2-mod-auth-openidc, and python-django), Fedora (nodejs18 and redis), Red Hat (python3.9 and webkit2gtk3), Scientific Linux (bind and kernel), SUSE (cni, cni-plugins, cups-filters, curl, dbus-1, ImageMagick, kernel, libheif, and python-requests), and Ubuntu (bind9, connman, curl, libwebp, and yajl).
---------------------------------------------
https://lwn.net/Articles/938596/
∗∗∗ Session Token Enumeration in RWS WorldServer ∗∗∗
---------------------------------------------
Session tokens in RWS WorldServer have a low entropy and can be enumerated, leading to unauthorised access to user sessions.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2023-001/
∗∗∗ Oracle Releases Security Updates ∗∗∗
---------------------------------------------
Oracle has released its Critical Patch Update Advisory, Solaris Third Party Bulletin, and Linux Bulletin for July 2023 to address vulnerabilities affecting multiple products.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/18/oracle-releases-security…
∗∗∗ Vulnerability with guava (CVE-2023-2976) affects IBM Cloud Object Storage Systems (July 2023) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012815
∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to spoofing when using Web Server Plug-ins (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010311
∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010313
∗∗∗ Multiple Vulnerabilities have been identified in IBM Db2 shipped with IBM WebSphere Remote Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012979
∗∗∗ IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989451
∗∗∗ IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013037
∗∗∗ IBM Edge Application Manager 4.5.1 addresses security vulnerability listed in CVE below. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013035
∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to SOAPAction spoofing (CVE-2022-38712) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855613
∗∗∗ WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a server-side request forgery vulnerability (CVE-2022-35282). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6827807
∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953111
∗∗∗ IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964530
∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983186
∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983188
∗∗∗ CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013135
∗∗∗ CVE-2023-32342 may affect GSKit shipped with IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013139
∗∗∗ IBM MQ as used by IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7013143
∗∗∗ Weintek Weincloud ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04
=====================
= End-of-Day report =
=====================
Timeframe: Monday 17-07-2023 18:00 − Tuesday 18-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks ∗∗∗
---------------------------------------------
The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities.
---------------------------------------------
https://thehackernews.com/2023/07/fin8-group-using-modified-sardonic.html
∗∗∗ Uncovering drIBAN fraud operations. Chapter 3: Exploring the drIBAN web inject kit ∗∗∗
---------------------------------------------
So far, we have discussed the malspam campaign that started spreading sLoad. Then, we discovered that sLoad is a dropper for Ramnit [..] After that, we also described Ramnit’s capabilities, focusing mainly on its injection and persistence techniques. As a final step, we will discuss drIBAN, a sophisticated and modular web-inject kit that can hide resources, masquerade its presence, and perform large-scale ATS attacks.
---------------------------------------------
https://www.cleafy.com/cleafy-labs/uncovering-driban-fraud-operations-chapt…
∗∗∗ WordPress: Wave of attacks on WooCommerce Payments currently under way ∗∗∗
---------------------------------------------
IT researchers at Wordfence are observing a wave of attacks on the WooCommerce Payments plug-in. It is installed on more than 600,000 websites.
---------------------------------------------
https://heise.de/-9219114
∗∗∗ JavaScript sandbox vm2: New critical vulnerability, no more updates ∗∗∗
---------------------------------------------
There is no bug fix for the latest critical security vulnerability in the open-source project vm2; instead, the maintainer advises switching to isolated-vm.
---------------------------------------------
https://heise.de/-9219087
∗∗∗ Selling on Shpock: Beware if you have to "confirm" the purchase amount in your banking app ∗∗∗
---------------------------------------------
You are selling something on Shpock. Someone gets in touch immediately and wants to buy it. At the same time, you receive an email from "TeamShpock" informing you that the item has been paid for and that you can request the money. You are linked to a "payout page". Beware, this procedure is fraud. We show you how the scam works and how to sell safely on Shpock!
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-shpock-vorsicht-wenn-s…
∗∗∗ NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing ∗∗∗
---------------------------------------------
This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents recommendations to address some identified threats to 5G standalone network slicing, and provides industry recognized practices for the design, deployment, operation, and maintenance of a hardened 5G standalone network slice(s).
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/17/nsa-cisa-release-guidanc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Role-based Access Control and Privilege Management in OpenEdge Management (OEM) and in OpenEdge Explorer (OEE) (CVE-2023-34203) ∗∗∗
---------------------------------------------
Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. Non-admin role members were able to obtain unauthorized escalation to admin role privileges where unrestricted OEM and OEE capabilities were available to the user.
---------------------------------------------
https://community.progress.com/s/article/Role-based-Access-Control-and-Priv…
∗∗∗ Bad.Build: A Critical Privilege Escalation Design Flaw in Google Cloud Build Enables a Supply Chain Attack ∗∗∗
---------------------------------------------
The flaw presents a significant supply chain risk since it allows attackers to maliciously tamper with application images, which can then infect users and customers when they install the application. [..] Orca Security immediately reported the findings to the Google Security Team, who investigated the issue and deployed a partial fix. However, Google’s fix doesn’t revoke the discovered Privilege Escalation (PE) vector. It only limits it – turning it into a design flaw that still leaves organizations vulnerable to the larger supply chain risk.
---------------------------------------------
https://orca.security/resources/blog/bad-build-google-cloud-build-potential…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-1.8.0-openjdk), Red Hat (bind, bind9.16, curl, edk2, java-1.8.0-ibm, kernel, kernel-rt, and kpatch-patch), SUSE (iniparser, installation-images, java-1_8_0-ibm, kernel, libqt5-qtbase, nodejs16, openvswitch, and ucode-intel), and Ubuntu (linux-oem-6.0 and linux-xilinx-zynqmp).
---------------------------------------------
https://lwn.net/Articles/938488/
∗∗∗ Security vulnerabilities, some critical, in Citrix/Netscaler ADC and Gateway - actively exploited - updates available ∗∗∗
---------------------------------------------
A critical vulnerability in Citrix/Netscaler ADC and Citrix Gateway allows unauthenticated attackers to execute arbitrary code. This vulnerability is already being actively exploited. Further security vulnerabilities closed by these updates concern reflected cross-site scripting (XSS) and privilege escalation.
---------------------------------------------
https://cert.at/de/warnungen/2023/7/sicherheitslucken-teil-kritisch-in-citr…
∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and WLAN controllers ∗∗∗
---------------------------------------------
Zyxel has released patches addressing multiple vulnerabilities in some firewall and WLAN controller versions. Users are advised to install the patches for optimal protection.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module) (CVE-2023-30433) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012613
∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2020-28473] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012387
∗∗∗ IBM Security Verify Governance has multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012649
∗∗∗ IBM Security Verify Governance has multiple vulnerabilities (CVE-2022-41946, CVE-2022-46364, CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012647
∗∗∗ Vulnerabilities in httpclient library affect IBM Engineering Test Management (ETM) (CVE-2020-13956) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012659
∗∗∗ Vulnerabilities in Commons Codec library affect IBM Engineering Test Management (ETM) (IBM X-Force ID:177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012657
∗∗∗ Vulnerability in Apache commons io library affects IBM Engineering Test Management (ETM) (CVE-2021-29425) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012661
∗∗∗ Vulnerability in Junit library affects IBM Engineering Test Management (ETM) (CVE-2020-15250) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012663
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011767
∗∗∗ Netcool Operations Insights 1.6.9 addresses multiple security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012675
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-3094, CVE-2022-3736, CVE-2022-3924) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012711
∗∗∗ Daeja ViewONE may be affected by Bouncy Castle Vulnerability (CVE-2023-33201) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012809
∗∗∗ Rockwell Automation Kinetix 5700 DC Bus Power Supply ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-01
∗∗∗ Weintek Weincloud ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-04
∗∗∗ Keysight N6845A Geolocation Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-02
∗∗∗ GeoVision GV-ADR2701 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-05
∗∗∗ WellinTech KingHistorian ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-07
∗∗∗ Iagona ScrutisWeb ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-03
∗∗∗ GE Digital CIMPLICITY ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-199-06
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 14-07-2023 18:00 − Monday 17-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Meet NoEscape: Avaddon ransomware gang's likely successor ∗∗∗
---------------------------------------------
The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meet-noescape-avaddon-ransom…
∗∗∗ Analysis of Storm-0558 techniques for unauthorized email access ∗∗∗
---------------------------------------------
Analysis of the techniques used by the threat actor tracked as Storm-0558 for obtaining unauthorized access to email data, tools, and unique infrastructure characteristics.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-…
∗∗∗ Xen Security Notice 1: winpvdrvbuild.xenproject.org potentially compromised ∗∗∗
---------------------------------------------
Software running on the Xen Project hosted subdomain winpvdrvbuild.xenproject.org is outdated and vulnerable to several CVEs. Some of the reported issues include remote code execution. [..] Since the list of CVEs reported include remote code execution we no longer have confidence that binaries previously available at https://xenbits.xen.org/pvdrivers/win/ are trustworthy. [..] A new set of drivers based on the current master branch and built on a trusted environment have been uploaded
---------------------------------------------
https://seclists.org/oss-sec/2023/q3/37
∗∗∗ Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw ∗∗∗
---------------------------------------------
Adobe patches critical code execution vulnerability in ColdFusion for which a proof-of-concept (PoC) blog exists.
---------------------------------------------
https://www.securityweek.com/exploitation-of-coldfusion-vulnerability-repor…
∗∗∗ Last-Minute Bikini Shopping: Not in These Shops ∗∗∗
---------------------------------------------
Are you looking for swimwear? Then you may also be shown ads on Facebook and Instagram. We are currently seeing many ads from dubious shops that present attractive swimwear on their websites but ship inferior goods. We show you where you had better not order.
---------------------------------------------
https://www.watchlist-internet.at/news/last-minute-bikini-shopping-nicht-in…
=====================
= Vulnerabilities =
=====================
∗∗∗ AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plaintext ∗∗∗
---------------------------------------------
All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords to be added to the database in plaintext format. "A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them,"
---------------------------------------------
https://thehackernews.com/2023/07/aios-wordpress-plugin-faces-backlash.html
∗∗∗ Wireshark 4.0.7 Released, (Sat, Jul 15th) ∗∗∗
---------------------------------------------
Wireshark version 4.0.7 was released with 2 vulnerabilities and 22 bugs fixed.
---------------------------------------------
https://isc.sans.edu/diary/rss/30030
∗∗∗ PoC exploit available: Adobe follows up with a patch for Coldfusion ∗∗∗
---------------------------------------------
Shortly after the July Patch Day, Adobe is releasing further updates to close a critical vulnerability in Coldfusion. PoC exploit code has been discovered.
---------------------------------------------
https://heise.de/-9217427
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gpac, iperf3, kanboard, kernel, and pypdf2), Fedora (ghostscript), SUSE (bind, bouncycastle, ghostscript, go1.19, go1.20, installation-images, kernel, mariadb, MozillaFirefox, MozillaFirefox-branding-SLE, php74, poppler, and python-Django), and Ubuntu (cups, linux-oem-6.1, and ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.1).
---------------------------------------------
https://lwn.net/Articles/938375/
∗∗∗ IBM InfoSphere Information Server is affected but not vulnerable to multiple vulnerabilities in Undertow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007051
∗∗∗ IBM InfoSphere Information Server is affected but not classified as vulnerable to multiple vulnerabilities in snakeYAML ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988677
∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Framework [CVE-2023-2861, CVE-2023-20860] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988683
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to RubyGems commonmarker gem denial of service vulnerability [IBM X-Force ID: 252809] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012231
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to VMware Tanzu Spring Framework denial of service vulnerability [CVE-2023-20863] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012235
∗∗∗ IBM InfoSphere Information Server is affected by a denial of service vulnerability in netplex json-smart-v2 (CVE-2023-1370) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988679
∗∗∗ IBM InfoSphere Information Server is affected by a denial of service vulnerability in Apache Commons FileUpload and Tomcat (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7008447
∗∗∗ Watson CP4D Data Stores is vulnerable to SAP NetWeaver AS Java for Deploy Service information disclosure vulnerability (CVE-2023-24527) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012297
∗∗∗ IBM i is vulnerable to an attacker executing CL commands due to an exploitation of DDM architecture (CVE-2023-30990) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7008573
∗∗∗ IBM InfoSphere Information Server is affected but not vulnerable to a vulnerability in jose.4j ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007055
∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in VMware Tanzu Spring Boot ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7008437
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Apache Cassandra (CVE-2023-30601) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003915
∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in Apache Tomcat (CVE-2023-28708, CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007057
∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-33857) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007059
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Google Guava (CVE-2023-2976) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012025
∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in snappy-java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011483
∗∗∗ IBM Robotic Process Automation is vulnerable to client side validation bypass (CVE-2023-35901) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012317
∗∗∗ IBM Performance Tools for i is vulnerable to local privilege escalation (CVE-2023-30989) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012353
∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-30988) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012355
∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-35898) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009205
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26048) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7008445
∗∗∗ Multiple vulnerabilities of Apache common collections (commons-collections-3.2.jar) have affected APM WebSphere Application Server Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012397
∗∗∗ Multiple Vulnerabilities in IBM Sterling Connect:Direct Browser User Interface due to Java and Eclipse ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012395
∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012409
∗∗∗ A vulnerability in OpenStack Swift affects IBM Storage Scale environments with the S3 capability of Object protocol enabled (CVE-2022-47950) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012419
∗∗∗ Multiple vulnerabilities in Dojo dojox repo may affect IBM Storage Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012427
∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2020-28473] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012387
∗∗∗ Vulnerability in paramiko-2.4.2-py2.py3 affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2022-24302] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012433
∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to execution of arbitrary code on the system (CVE-2022-1471) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012437
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 13-07-2023 18:00 − Friday 14-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ AVrecon malware infects 70,000 Linux routers to build botnet ∗∗∗
---------------------------------------------
Since at least May 2021, stealthy Linux malware called AVrecon was used to infect over 70,000 Linux-based small office/home office (SOHO) routers and add them to a botnet designed to steal bandwidth and provide a hidden residential proxy service.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/avrecon-malware-infects-70-0…
∗∗∗ WormGPT Cybercrime Tool Heralds an Era of AI Malware vs. AI Defenses ∗∗∗
---------------------------------------------
A black-hat alternative to GPT models specifically designed for malicious activities like BEC, malware, and phishing attacks is here, and will push organizations to level up with generative AI themselves.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/wormgpt-heralds-an-era-of-usin…
∗∗∗ Security: Vulnerability scanner for Google Go launches ∗∗∗
---------------------------------------------
The tool Govulncheck examines Go projects for known vulnerabilities in their dependencies. An extension integrates the check into Visual Studio Code.
---------------------------------------------
https://heise.de/-9216187
∗∗∗ Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability ∗∗∗
---------------------------------------------
Several instances of the Reddit alternative Lemmy were hacked in recent days by attackers who had exploited a zero-day vulnerability.
---------------------------------------------
https://www.securityweek.com/hackers-target-reddit-alternative-lemmy-via-ze…
∗∗∗ Meta ad account hacked? Here is how to respond correctly! ∗∗∗
---------------------------------------------
Whether fake shops, fraudulent trading platforms or dubious coaching offers: criminals use social media to advertise a variety of scams. Such ads are often placed from company pages that have nothing to do with the advertised product. Sometimes fraudulent ads are also distributed from private profiles.
---------------------------------------------
https://www.watchlist-internet.at/news/meta-werbekonto-gehackt-so-handeln-s…
∗∗∗ The danger within: 5 steps you can take to combat insider threats ∗∗∗
---------------------------------------------
Some threats may be closer than you think. Are security risks that originate from your own trusted employees on your radar?
---------------------------------------------
https://www.welivesecurity.com/2023/07/13/danger-within-5-steps-combat-insi…
∗∗∗ What is session hijacking and how do you prevent it? ∗∗∗
---------------------------------------------
Attackers use session hijacking to take control of your sessions and impersonate you online. Discover how session hijacking works and how to protect yourself.
---------------------------------------------
https://www.emsisoft.com/en/blog/44071/what-is-session-hijacking-and-how-do…
∗∗∗ Attack Surface Management (ASM) – What You Need to Know ∗∗∗
---------------------------------------------
This is the third post in our series on technologies to test your organization’s resilience to cyberattacks. In this installment, we dive into attack surface management (ASM).
---------------------------------------------
https://www.safebreach.com/blog/attack-surface-management-asm-what-you-need…
∗∗∗ Old Blackmoon Trojan, NEW Monetization Approach ∗∗∗
---------------------------------------------
Rapid7 is tracking a new, more sophisticated and staged campaign using the Blackmoon trojan, which appears to have originated in November 2022.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/07/13/old-blackmoon-trojan-new-moneti…
∗∗∗ PenTales: Old Vulns, New Tricks ∗∗∗
---------------------------------------------
At Rapid7 we love a good pentest story. So often they show the cleverness, skill, resilience, and dedication to our customer’s security that can only come from actively trying to break it! In this series, we’re going to share some of our favorite tales from the pen test desk and hopefully highlight some ways you can improve your own organization’s security.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/07/13/pentales-old-vulns-new-tricks/
=====================
= Vulnerabilities =
=====================
∗∗∗ Zimbra groupware: Zero-day vulnerability requires manual patching ∗∗∗
---------------------------------------------
Zimbra has published a patch that must be applied manually and closes a zero-day vulnerability in the groupware.
---------------------------------------------
https://heise.de/-9216179
∗∗∗ ZDI-23-970: (0Day) Sante DICOM Viewer Pro DCM File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Sante DICOM Viewer Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-970/
∗∗∗ Security Advisory for Multiple Vulnerabilities on the ProSAFE® Network Management System, PSV-2023-0024 & PSV-2023-0025 ∗∗∗
---------------------------------------------
NETGEAR is aware of multiple security vulnerabilities on the NMS300. NETGEAR strongly recommends that you download the latest version as soon as possible.
---------------------------------------------
https://kb.netgear.com/000065707/Security-Advisory-for-Multiple-Vulnerabili…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (lemonldap-ng and php-dompdf), Red Hat (.NET 6.0, .NET 7.0, firefox, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (ghostscript, installation-images, kernel, php7, python, and python-Django), and Ubuntu (linux-azure, linux-gcp, linux-ibm, linux-oracle, mozjs102, postgresql-9.5, and tiff).
---------------------------------------------
https://lwn.net/Articles/938233/
∗∗∗ CVE-2023-24936 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
In the Security Updates table, added all supported versions of .NET Framework, Visual Studio 2022 version 17.0, Visual Studio 2022 version 17.2, and Visual Studio 2022 version 17.4 because these products are also affected by this vulnerability.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24936
∗∗∗ CVE-2023-36883 Microsoft Edge for iOS Spoofing Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36883
∗∗∗ CVE-2023-36887 Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36887
∗∗∗ CVE-2023-36888 Microsoft Edge for Android (Chromium-based) Tampering Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36888
∗∗∗ There is a vulnerability in Apache Commons Net used by IBM Maximo Asset Management (CVE-2021-37533) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009539
∗∗∗ IBM InfoSphere Information Server is affected by multiple vulnerabilities in Progress DataDirect Connect for ODBC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010743
∗∗∗ Multiple vulnerabilities in IBM Java SDK (April 2023) affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007675
∗∗∗ Enterprise Content Management System Monitor is affected by a vulnerability in Oracle Java SE ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011963
∗∗∗ IBM Security SOAR is using a component with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011965
∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011975
∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011979
∗∗∗ Timing Oracle in RSA Decryption vulnerability might affect GSKit supplied with IBM TXSeries for Multiplatforms. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010369
∗∗∗ CVE-2023-28867 may affect IBM WebSphere Application Server Liberty shipped with IBM TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011977
∗∗∗ Vulnerability of Apache Thrift (libthrift-0.12.0.jar) have affected APM WebSphere Application Server Agent, APM SAP NetWeaver Agent and APM WebLogic Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003479
∗∗∗ Vulnerability of Google Gson (gson-2.8.2.jar) have affected APM WebSphere Application Server Agent, APM SAP NetWeaver Agent and APM WebLogic Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003477
∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009499
∗∗∗ InfoSphere Identity Insight is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012011
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 12-07-2023 18:00 − Thursday 13-07-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Update for the update: Apple revises latest "Rapid Security Response" ∗∗∗
---------------------------------------------
A quick fix for the Safari browser was supposed to provide more security. Because of a bug, Apple has now had to reissue it.
---------------------------------------------
https://heise.de/-9214819
∗∗∗ Source code for BlackLotus Windows UEFI malware leaked on GitHub ∗∗∗
---------------------------------------------
The source code for the BlackLotus UEFI bootkit has leaked online, allowing greater insight into a malware that has caused great concern among the enterprise, governments, and the cybersecurity community.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/source-code-for-blacklotus-w…
∗∗∗ Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware ∗∗∗
---------------------------------------------
In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a "crafty" persistence method.
---------------------------------------------
https://thehackernews.com/2023/07/blog-post.html
∗∗∗ An introduction to the benefits and risks of Packet Sniffing ∗∗∗
---------------------------------------------
Packet sniffing is both a very beneficial and, sadly, a malicious technique used to capture and analyze data packets. It serves as a useful tool for network administrators to identify network issues and fix them. Meanwhile, threat actors use it for malicious purposes such as data theft and to distribute malware. Organizations need to be aware of the benefits and uses of packet sniffing while also implementing security controls to prevent malicious sniffing activity.
---------------------------------------------
https://www.tripwire.com/state-of-security/introduction-benefits-and-risks-…
∗∗∗ Popular WordPress Security Plugin Caught Logging Plaintext Passwords ∗∗∗
---------------------------------------------
The All-In-One Security (AIOS) WordPress plugin was found to be writing plaintext passwords to log files.
---------------------------------------------
https://www.securityweek.com/popular-wordpress-security-plugin-caught-loggi…
∗∗∗ CISA warns of dangerous Rockwell industrial bug being exploited by gov’t group ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) warned on Wednesday of a vulnerability affecting industrial technology from Rockwell Automation that is being exploited by government hackers.
---------------------------------------------
https://therecord.media/cisa-warns-of-bug-affecting-rockwell
∗∗∗ Detecting BPFDoor Backdoor Variants Abusing BPF Filters ∗∗∗
---------------------------------------------
An analysis of advanced persistent threat (APT) group Red Menshen’s different variants of backdoor BPFDoor as it evolves since it was first documented in 2021.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/g/detecting-bpfdoor-backdoor-v…
∗∗∗ A Deep Dive into Penetration Testing of macOS Applications (Part 1) ∗∗∗
---------------------------------------------
We created this blog to share our experience and provide a valuable resource for other security researchers and penetration testers facing similar challenges when testing macOS applications. This blog is the first part of an “A Deep Dive into Penetration Testing of macOS Applications” series. Part 1 is intended for penetration testers who may not have prior experience working with macOS.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/a-deep-dive-into-pe…
∗∗∗ TeamTNT Reemerged with New Aggressive Cloud Campaign ∗∗∗
---------------------------------------------
In part one of this two-part blog series, titled "The Anatomy of Silentbob's Cloud Attack," we provided an overview of the preliminary stages of an aggressive botnet campaign that aimed at cloud native environments. This post will dive into the full extent of the campaign and provide a more comprehensive exploration of an extensive botnet infestation campaign.
---------------------------------------------
https://blog.aquasec.com/teamtnt-reemerged-with-new-aggressive-cloud-campai…
=====================
= Vulnerabilities =
=====================
∗∗∗ Ghostscript: Vulnerability plagues Libreoffice, Gimp, Inkscape and Linux ∗∗∗
---------------------------------------------
A critical vulnerability in Ghostscript allows attackers to execute malicious code on countless machines.
---------------------------------------------
https://www.golem.de/news/ghostscript-sicherheitsluecke-plagt-libreoffice-g…
∗∗∗ Cisco SD-WAN vManage Unauthenticated REST API Access Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Urgent Security Notice: SonicWall GMS/Analytics Impacted by suite of vulnerabilities ∗∗∗
---------------------------------------------
GMS/Analytics is remediating a suite of 15 security vulnerabilities, disclosed in a Coordinated Vulnerability Disclosure (CVD) report in conjunction with NCCGroup. This suite of vulnerabilities, which was responsibly disclosed, includes four (4) vulnerabilities with a CVSSv3 rating of CRITICAL, that allows an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor. SonicWall PSIRT is not aware of active exploitation [...]
---------------------------------------------
https://www.sonicwall.com/support/knowledge-base/urgent-security-notice-son…
∗∗∗ Web conferencing: Zoom closes several vulnerabilities ∗∗∗
---------------------------------------------
High-risk vulnerabilities lurk above all in Zoom Rooms and in the Zoom desktop client for Windows. Updates are available.
---------------------------------------------
https://heise.de/-9214929
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ruby-doorkeeper), Fedora (mingw-nsis and thunderbird), Red Hat (bind9.16, nodejs, nodejs:16, nodejs:18, python38:3.8 and python38-devel:3.8, and rh-nodejs14-nodejs), Slackware (krb5), SUSE (geoipupdate, installation-images, libqt5-qtbase, python-Django1, and skopeo), and Ubuntu (knot-resolver, lib3mf, linux, linux-aws, linux-kvm, linux-lowlatency, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-gcp, linux-ibm, linux-oracle, linux-azure-fde, linux-xilinx-zynqmp, and scipy).
---------------------------------------------
https://lwn.net/Articles/938108/
∗∗∗ Juniper Networks Patches High-Severity Vulnerabilities in Junos OS ∗∗∗
---------------------------------------------
Juniper Networks has patched multiple high-severity vulnerabilities in Junos OS, Junos OS Evolved, and Junos Space.
---------------------------------------------
https://www.securityweek.com/juniper-networks-patches-high-severity-vulnera…
∗∗∗ Microsoft Office Updates (July 11, 2023) ∗∗∗
---------------------------------------------
On July 11, 2023 (second Tuesday of the month, Microsoft Patch Day), Microsoft released several security-relevant updates for still-supported Microsoft Office versions and other products. Support for Office 2013 ended with the April 2023 Patch Day, but vulnerabilities were still closed in July as well. Below you will find an overview of the available updates.
---------------------------------------------
https://www.borncity.com/blog/2023/07/13/microsoft-office-updates-11-juli-2…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM SDK, IBM Db2, IBM Match 360, IBM Watson, IBM Jazz Technology, IBM Storage Protect, IBM WebSphere, IBM App Connect Enterprise, IBM Integration Bus, IBM i, IBM Event Streams and IBM Security Directory Integrator.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ ZDI: Dassault Systèmes SolidWorks (CVE-2023-2763) ∗∗∗
---------------------------------------------
ZDI-23-908 through ZDI-23-911
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Drupal: Two-factor Authentication (TFA) - Critical - Access bypass - SA-CONTRIB-2023-030 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-030
∗∗∗ Rockwell Automation PowerMonitor 1000 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-194-05
∗∗∗ Honeywell Experion PKS, LX and PlantCruise ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-194-06
∗∗∗ Case update: DIVD-2021-00020 - OSNexsus QuantaStor limited disclosure and product warning ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2021-00020/
∗∗∗ CVE-2023-38046 PAN-OS: Read System Files and Resources During Configuration Commit (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-38046
∗∗∗ CISA Adds Two Known Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/13/cisa-adds-two-known-vuln…
∗∗∗ BD Alaris System with Guardrails Suite MX ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-194-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 11-07-2023 18:00 − Wednesday 12-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch Day: Microsoft reports five zero-days, some without an update ∗∗∗
---------------------------------------------
Microsoft's July Patch Day delivers many updates: the company addresses 130 vulnerabilities, among them five zero-days. One security vulnerability remains open, however.
---------------------------------------------
https://heise.de/-9213685
∗∗∗ Partly critical security vulnerabilities in Citrix Secure Access clients ∗∗∗
---------------------------------------------
Citrix has released updates for the Secure Access clients that fix vulnerabilities, some of them critical.
---------------------------------------------
https://heise.de/-9214076
∗∗∗ Update against critical vulnerability in FortiOS/FortiProxy ∗∗∗
---------------------------------------------
Fortinet is distributing security updates for FortiOS/FortiProxy. They close a critical security vulnerability.
---------------------------------------------
https://heise.de/-9214207
∗∗∗ Patch Day: Critical vulnerabilities in Adobe InDesign and ColdFusion fixed ∗∗∗
---------------------------------------------
Adobe's July Patch Day brings security updates for InDesign and ColdFusion. They close vulnerabilities that the vendor rates as a critical risk.
---------------------------------------------
https://heise.de/-9213920
∗∗∗ Kernel drivers: Hackers outwit Windows policy using old certificates ∗∗∗
---------------------------------------------
By signing their malicious kernel drivers with old certificates, attackers were able to gain full access on Windows systems.
---------------------------------------------
https://www.golem.de/news/kernel-treiber-hacker-ueberlisten-windows-richtli…
∗∗∗ vm2 Project Discontinued ∗∗∗
---------------------------------------------
TL;DR The library contains critical security issues and should not be used for production! The maintenance of the project has been discontinued. Consider migrating your code to isolated-vm.
---------------------------------------------
https://github.com/patriksimek/vm2/blob/master/README.md
∗∗∗ How to Harden WordPress With WP-Config & Avoid Data Exposure ∗∗∗
---------------------------------------------
What is wp-config.php? The wp-config.php file is a powerful core WordPress file that is vital for running your website. It contains important configuration settings for WordPress, including details on where to find the database, login credentials, name and host. This config file is also used to define advanced options for database elements, security keys, and developer options. In this post, we’ll outline some important website hardening recommendations for your wp-config file [...]
---------------------------------------------
https://blog.sucuri.net/2023/07/tips-for-wp-config-how-to-avoid-sensitive-d…
∗∗∗ Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining ∗∗∗
---------------------------------------------
A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal. "The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said.
---------------------------------------------
https://thehackernews.com/2023/07/python-based-pyloose-fileless-attack.html
∗∗∗ Dissecting a Clever Malware Sample for Optimized Detection and Protection ∗∗∗
---------------------------------------------
As part of our product lineup, we offer security monitoring and malware removal services to our Wordfence Care and Response customers. In case of a security incident, our incident response team will investigate the root cause, find and remove malware from your site, and help with other complications that may arise as a result of [...]
---------------------------------------------
https://www.wordfence.com/blog/2023/07/dissecting-a-clever-malware-sample-f…
∗∗∗ Qbot, Guloader and SpinOk lead mobile malware ranking ∗∗∗
---------------------------------------------
Check Point's threat index for June 2023 shows: Qbot is still the most widespread malware in Germany.
---------------------------------------------
https://www.zdnet.de/88410517/qbot-guloader-und-spinok-fuehren-mobile-malwa…
∗∗∗ Security Flaws unraveled in Popular QuickBlox Chat and Video Framework could expose sensitive data of millions ∗∗∗
---------------------------------------------
Check Point Research (CPR) in collaboration with Claroty Team82 uncovered major security vulnerabilities in the popular QuickBlox platform, used for telemedicine, finance and smart IoT devices. If exploited, the vulnerabilities could allow threat actors to access applications’ user databases and expose sensitive data of millions. QuickBlox worked closely with Team82 and CPR to address our disclosure and has fixed the vulnerabilities via a new secure architecture design [...]
---------------------------------------------
https://blog.checkpoint.com/security/security-flaws-unraveled-in-popular-qu…
∗∗∗ The Spies Who Loved You: Infected USB Drives to Steal Secrets ∗∗∗
---------------------------------------------
In the first half of 2023, Mandiant Managed Defense has observed a threefold increase in the number of attacks using infected USB drives to steal secrets. Mandiant tracked all of the cases and found that the majority of the incidents could be attributed to several active USB-based operation campaigns affecting both the public and private sectors globally.
---------------------------------------------
https://www.mandiant.com/resources/blog/infected-usb-steal-secrets
∗∗∗ CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory (CSA), Enhanced Monitoring to Detect APT Activity Targeting Outlook Online, to provide guidance to agencies and critical infrastructure organizations on enhancing monitoring in Microsoft Exchange Online environments.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/12/cisa-and-fbi-release-cyb…
=====================
= Vulnerabilities =
=====================
∗∗∗ FortiOS/FortiProxy - Proxy mode with deep inspection - Stack-based buffer overflow ∗∗∗
---------------------------------------------
A stack-based overflow vulnerability [CWE-124] in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. Workaround: Disable deep inspection on proxy policies or firewall policies with proxy mode.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-183
∗∗∗ FortiAnalyzer & FortiManager - Path traversal in history downloadzip ∗∗∗
---------------------------------------------
An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-23] in FortiAnalyzer and FortiManager management interface may allow a remote and authenticated attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-22-471
∗∗∗ FortiExtender - Path Traversal vulnerability ∗∗∗
---------------------------------------------
An improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability [CWE-22] in FortiExtender management interface may allow an unauthenticated and remote attacker to retrieve arbitrary files from the underlying filesystem via specially crafted web requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-22-039
∗∗∗ FortiOS - Existing websocket connection persists after deleting API admin ∗∗∗
---------------------------------------------
An insufficient session expiration [CWE-613] vulnerability in FortiOS REST API may allow an attacker to reuse the session of a deleted user, should the attacker manage to obtain the API token.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-028
∗∗∗ Interesting Arbitrary File Upload Vulnerability Patched in User Registration WordPress Plugin ∗∗∗
---------------------------------------------
On June 19, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary File Upload vulnerability in WPEverest’s User Registration plugin, which is actively installed on more than 60,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload [...]
---------------------------------------------
https://www.wordfence.com/blog/2023/07/interesting-arbitrary-file-upload-vu…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (erlang, symfony, thunderbird, and yajl), Fedora (cutter-re, kernel, rizin, and yt-dlp), Red Hat (grafana), SUSE (kernel and python-Django), and Ubuntu (dotnet6, dotnet7 and firefox).
---------------------------------------------
https://lwn.net/Articles/937972/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Fix 50 Vulnerabilities ∗∗∗
---------------------------------------------
ICS Patch Tuesday: Siemens and Schneider Electric release nine new security advisories and fix 50 vulnerabilities in their industrial products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-f…
∗∗∗ Mattermost security updates 7.10.4 / 7.9.6 / 7.8.8 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.10.4, 7.9.6 and 7.8.8 (Extended Support Release), for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-4-7-9-6-7-8-8-…
∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (July 11, 2023) ∗∗∗
---------------------------------------------
On July 11, 2023, various security updates were released for Windows Server 2008 R2 (in its 4th ESU year) and for Windows Server 2012/R2 (the updates may also still be installable on Windows 7 SP1). Here is an overview of these updates.
---------------------------------------------
https://www.borncity.com/blog/2023/07/12/windows-7-server-2008-r2-server-20…
∗∗∗ Sandbox Escape ∗∗∗
---------------------------------------------
In vm2 for versions up to 3.9.19, Node.js custom inspect function allows attackers to escape the sandbox and run arbitrary code.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-g644-9gfx-q4q4
∗∗∗ Sandbox Escape ∗∗∗
---------------------------------------------
In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed, allowing attackers to escape the sandbox and run arbitrary code.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5
∗∗∗ Citrix Secure Access client for Ubuntu Security Bulletin for CVE-2023-24492 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX564169/citrix-secure-access-client-fo…
∗∗∗ Citrix Secure Access client for Windows Security Bulletin for CVE-2023-24491 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX561480/citrix-secure-access-client-fo…
∗∗∗ Lenovo UDC Vulnerability ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500567-LENOVO-UDC-VULNERABILI…
∗∗∗ AMD SEV VM Power Side Channel Security Notice ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500569-AMD-SEV-VM-POWER-SIDE-…
∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500568-AMI-MEGARAC-SP-X-BMC-V…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Rockwell Automation Select Communication Modules ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-193-01
=====================
= End-of-Day report =
=====================
Timeframe: Monday 10-07-2023 18:00 − Tuesday 11-07-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Exploit for root vulnerability in VMware Aria Operations for Logs has surfaced ∗∗∗
---------------------------------------------
Updates from April fix security vulnerabilities, some of them critical, in VMware Aria Operations for Logs. Exploit code that attacks one of the vulnerabilities has now surfaced.
---------------------------------------------
https://heise.de/-9212276
∗∗∗ Fake e-mail about an EU grant of 850,000 euros in circulation ∗∗∗
---------------------------------------------
A fake e-mail about an EU grant of 850,000 euros is currently circulating. The grant was supposedly created for companies, start-ups and individuals with innovative ideas. Anyone who wants to apply for the money must send personal data to an e-mail address. The offer is fake, however; do not reply, and move the e-mail to your spam folder.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-e-mail-einer-eu-foerderung-uebe…
∗∗∗ Roots of Trust are difficult ∗∗∗
---------------------------------------------
The phrase "Root of Trust" turns up at various points in discussions about verified boot and measured boot, and to a first approximation nobody is able to give you a coherent explanation of what it means[1]. The Trusted Computing Group has a fairly wordy definition, but (a) it's a lot of words and (b) I don't like it, so instead I'm going to start by defining a root of trust as "A thing that has to be trustworthy for anything else on your computer to be trustworthy".
---------------------------------------------
https://mjg59.dreamwidth.org/66907.html
∗∗∗ It’s Raining Phish and Scams – How Cloudflare Pages.dev and Workers.dev Domains Get Abused ∗∗∗
---------------------------------------------
As they say, when it rains, it pours. Recently, we observed more than 3,000 phishing emails containing phishing URLs abusing services at workers.dev and pages.dev domains.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/its-raining…
∗∗∗ Critical Foswiki Vulnerabilities: A Logic Error Turned Remote Code Execution ∗∗∗
---------------------------------------------
We love open-source software. In context of our mission #moresecurity, Christian Pöschl, security consultant and penetration tester at usd HeroLab had a look at Foswiki as a research project. In this blog post, we summarize the journey to discover the functionality of Foswiki and identify multiple vulnerabilities, which ultimately allowed us to elevate privileges from a freshly registered user to full remote code execution on the server. All vulnerabilities were reported to the developers according to our Responsible Disclosure Policy.
---------------------------------------------
https://herolab.usd.de/en/critical-foswiki-vulnerablities-a-logic-error-tur…
∗∗∗ Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud ∗∗∗
---------------------------------------------
Cybercriminals continue to evolve their tactics, techniques, and procedures (TTPs) to defraud the customers of online banking, payment systems, advertising networks, and online marketplaces worldwide. Resecurity has observed a rising trend involving threat actors' increased use of specialized mobile Android OS device spoofing tools. These tools enable fraudsters to impersonate compromised account holders and bypass anti-fraud controls effectively.
---------------------------------------------
https://www.resecurity.com/blog/article/cybercriminals-evolve-antidetect-to…
∗∗∗ Lowering the Bar(d)? Check Point Research’s security analysis spurs concerns over Google Bard’s limitations ∗∗∗
---------------------------------------------
Check Point Research (CPR) releases an analysis of Google’s generative AI platform ‘Bard’, surfacing several scenarios where the platform permits cybercriminals’ malicious efforts. Check Point Researchers were able to generate phishing emails, malware keyloggers and basic ransomware code.
---------------------------------------------
https://blog.checkpoint.com/security/lowering-the-bard-check-point-research…
∗∗∗ MISP 2.4.173 released with various bugfixes and improvements ∗∗∗
---------------------------------------------
We have added a new functionality allowing administrators to enable user self-service for forgotten passwords. When enabled, users will have an additional link below the login screen, allowing them to enter their e-mails and receive a token that can be used to reset their passwords.
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.173
∗∗∗ Unveiling the secrets: Exploring whitespace steganography for secure communication ∗∗∗
---------------------------------------------
In the realm of data security, there exists a captivating technique known as whitespace steganography. Unlike traditional methods of encryption, whitespace steganography allows for the hiding of sensitive information within whitespace characters, such as spaces, tabs, and line breaks.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/unveiling-the-secre…
∗∗∗ Defend Against the Latest Active Directory Certificate Services Threats ∗∗∗
---------------------------------------------
To help security professionals understand the complexities of AD CS and how to mitigate its abuse, Mandiant has published a hardening guide that focuses on the most impactful AD CS attack techniques and abuse scenarios we are seeing on the frontlines of the latest breaches and attacks.
---------------------------------------------
https://www.mandiant.com/blog/resources/defend-ad-cs-threats
=====================
= Vulnerabilities =
=====================
∗∗∗ Zero-day for Safari closed - Update: withdrawn ∗∗∗
---------------------------------------------
On Monday evening, Apple rolled out a rapid update for its browser. Affected by the vulnerability, which has apparently already been exploited: Macs and mobile devices. [...] Apple has since withdrawn the RSR updates for Mac, iPhone and iPad. The reason is apparently that various websites displayed warnings after the update that the updated Safari browser was "no longer" supported. In the user-agent string, Apple has a
---------------------------------------------
https://heise.de/-9212228
∗∗∗ Patch Day: SAP warns of 16 security vulnerabilities in its business software ∗∗∗
---------------------------------------------
On the July Patch Day, SAP published 16 security notes on the company's business software. Updates also seal a critical vulnerability.
---------------------------------------------
https://heise.de/-9213319
∗∗∗ ABB: 2023-02-10 (**Updated 2023-07-10**) - Cyber Security Advisory - Drive Composer multiple vulnerabilities ∗∗∗
---------------------------------------------
Updated to reflect the latest version 2.8.2 of Drive Composer (both Entry and Pro), where vulnerability CVE-2022-35737 has been resolved. Originally this vulnerability had not been resolved when this advisory was published alongside Drive Composer 2.8.1.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A7957
∗∗∗ Siemens Security Advisories ∗∗∗
---------------------------------------------
Siemens has released 5 new and 12 updated Security Advisories. (CVSS Scores ranging from 5.3 to 10)
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2023-07
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mediawiki and node-tough-cookie), Red Hat (bind, kernel, kpatch-patch, and python38:3.8, python38-devel:3.8), SUSE (kernel, nextcloud-desktop, and python-tornado), and Ubuntu (dwarves-dfsg and thunderbird).
---------------------------------------------
https://lwn.net/Articles/937879/
∗∗∗ CVE-2023-29298: Adobe ColdFusion Access Control Bypass ∗∗∗
---------------------------------------------
Rapid7 discovered an access control bypass vulnerability affecting Adobe ColdFusion that allows an attacker to access the administration endpoints.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/07/11/cve-2023-29298-adobe-coldfusion…
∗∗∗ Technicolor: VU#913565: Hard-coded credentials in Technicolor TG670 DSL gateway router ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/913565
∗∗∗ Mozilla: Security Vulnerabilities fixed in Firefox 115.0.2 and Firefox ESR 115.0.2 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-26/
∗∗∗ Lenovo: NVIDIA Display Driver Advisory - June 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500566-NVIDIA-DISPLAY-DRIVER-A…
∗∗∗ Panasonic Control FPWin Pro7 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-03
∗∗∗ Rockwell Automation Enhanced HIM ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-01
∗∗∗ Sensormatic Electronics iSTAR ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-192-02
∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009499
∗∗∗ IBM Db2 with Federated configuration is vulnerable to arbitrary code execution. (CVE-2023-35012) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010747
∗∗∗ IBM Robotic Process Automation is vulnerable to disclosure of server version information (CVE-2023-35900) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010895
∗∗∗ IBM Sterling Connect:Express for UNIX browser UI is vulnerable to attacks that rely on the use of cookies without the SameSite attribute ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010921
∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to server-side request forgery (SSRF) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010923
∗∗∗ IBM Sterling Connect:Express uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010925
∗∗∗ Vulnerability of System.Text.Encodings.Web.4.5.0 .dll has affected to .NET Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010945
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011035
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple vulnerabilities in Perl ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011033
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to GNU Libtasn1 information disclosure vulnerability [CVE-2021-46848] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7011037
∗∗∗ Vulnerabilities have been identified in OpenSSL, Apache HTTP Server and other system libraries shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7006449
=====================
= End-of-Day report =
=====================
Timeframe: Friday 07-07-2023 18:00 − Monday 10-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ 1.5 million installations: Android malware discovered in the Google Play Store ∗∗∗
---------------------------------------------
IT security researchers have discovered two purported file managers with more than 1.5 million downloads in the Google Play Store. They are spyware.
---------------------------------------------
https://heise.de/-9211287
∗∗∗ ARM graphics unit: Warning of attacks on security vulnerability in drivers ∗∗∗
---------------------------------------------
Cybercriminals are abusing a security vulnerability in drivers for ARM's Mali graphics units to escalate their privileges or siphon off information.
---------------------------------------------
https://heise.de/-9211310
∗∗∗ BSI publishes position paper on Secured Applications for Mobile ∗∗∗
---------------------------------------------
The German Federal Office for Information Security (BSI) is publishing a current position paper on the topic of "Secured Applications for Mobile" (SAM).
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability ∗∗∗
---------------------------------------------
PoC exploit has been published for a recently patched Ubiquiti EdgeRouter vulnerability leading to arbitrary code execution.
---------------------------------------------
https://www.securityweek.com/poc-exploit-published-for-recent-ubiquiti-edge…
∗∗∗ What to do if you have ordered from a problematic online shop? ∗∗∗
---------------------------------------------
Your order does not meet your expectations? The quality is poor, the product is something completely different, or simply junk? A return is expensive and only possible to China? Then you have ordered from a problematic or dubious online shop. We show you what you can do.
---------------------------------------------
https://www.watchlist-internet.at/news/was-tun-wenn-sie-bei-einem-problemat…
∗∗∗ Caution: ‘Big Head’ ransomware displays a "Windows Update" notification ∗∗∗
---------------------------------------------
I am including this topic here in the blog as a precaution; perhaps it will save individual readers from a fatal mistake. A ransomware family called Big Head uses a new trick to dupe potential victims.
---------------------------------------------
https://www.borncity.com/blog/2023/07/10/vorsicht-big-head-ransomware-zeigt…
∗∗∗ Advanced Vishing Attack Campaign “LetsCall” Targets Android Users ∗∗∗
---------------------------------------------
In a newly detected multi-stage vishing campaign, attackers are using an advanced toolset dubbed LetsCall, featuring strong evasion tactics.
---------------------------------------------
https://www.hackread.com/advanced-vishing-attack-letscall-andriod-users/
=====================
= Vulnerabilities =
=====================
∗∗∗ Ateme TITAN File 3.9 Job Callbacks SSRF File Enumeration ∗∗∗
---------------------------------------------
An authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the Titan File video transcoding software. The application parses user-supplied data in the job callback URL GET parameter. Since no validation is carried out on the parameter, an attacker can specify an external domain and force the application to make an HTTP/DNS/File request to an arbitrary destination.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5781.php
∗∗∗ SSD Advisory – EdgeRouters and AirCube miniupnpd Heap Overflow ∗∗∗
---------------------------------------------
A vulnerability in EdgeRouters’ and AirCube’s miniupnpd allows LAN attackers to cause the service to overflow an internal heap and potentially execute arbitrary code.
---------------------------------------------
https://ssd-disclosure.com/ssd-advisory-edgerouters-and-aircube-miniupnpd-h…
∗∗∗ Code injection possible: High-risk security vulnerabilities in ArubaOS firmware ∗∗∗
---------------------------------------------
HPE subsidiary Aruba has released updates for the ArubaOS firmware. They close high-risk security vulnerabilities that allow code injection.
---------------------------------------------
https://heise.de/-9211464
∗∗∗ Minecraft: Virtual computers tear open security holes ∗∗∗
---------------------------------------------
Critical security vulnerabilities gape in two Minecraft mods that provide actually programmable computers or robots for the game.
---------------------------------------------
https://heise.de/-9211864
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, fusiondirectory, ocsinventory-server, php-cas, and thunderbird), Fedora (dav1d, perl-CPAN, and yt-dlp), Red Hat (python39:3.9 and python39-devel:3.9), Slackware (mozilla), SUSE (prometheus-ha_cluster_exporter and prometheus-sap_host_exporter), and Ubuntu (ghostscript, linux-azure, linux-intel-iotg, linux-intel-iotg-5.15, and ruby-doorkeeper).
---------------------------------------------
https://lwn.net/Articles/937803/
∗∗∗ Limited disclosure of 6 vulnerabilities in OSNexus Quantastor ∗∗∗
---------------------------------------------
The story of DIVD case DIVD-2021-00020 is a story that started more than 1.5 years ago, when DIVD researcher Wietse Boonstra discovered six vulnerabilities (CVE-2021-42079, CVE-2021-42080, CVE-2021-42080, CVE-2021-42080, CVE-2021-42080, and CVE-2021-4066) in OSNexus Quantastor. As per our CNA policy we tried to contact the vendor and this was not a smooth ride. We started the process in November 2021 and it took us a lot of effort, and help from NCSC-NL and its US partners [...]
---------------------------------------------
https://csirt.divd.nl/2023/07/10/Limited-disclosure-OSNexus-vulnerabilities/
∗∗∗ Festo: Several vulnerabilities in FactoryViews ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-013/
∗∗∗ IBM Db2 JDBC driver is vulnerable to remote code execution. (CVE-2023-27869, CVE-2023-27867, CVE-2023-27868) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010029
∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010557
∗∗∗ IBM Db2 federated server is vulnerable to a denial of service when using a specially crafted wrapper using certain options. (CVE-2023-30442) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010561
∗∗∗ IBM Db2 db2set is vulnerable to arbitrary code execution. (CVE-2023-30431) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010565
∗∗∗ IBM Db2 is vulnerable to insufficient audit logging. (CVE-2023-23487) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010567
∗∗∗ IBM Db2 on Windows is vulnerable to privilege escalation. (CVE-2023-27558) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010571
∗∗∗ IBM Db2 is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010573
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010577
∗∗∗ Multiple Vulnerabilities in IBM Runtime Environment Java Technology Edition affects WebSphere eXtreme Scale ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010585
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to GraphQL - CVE-2023-28867 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010655
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010659
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010665
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to denial of service due to [CVE-2023-25399] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010711
∗∗∗ A vulnerability in Apache Commons Code affects IBM Robotic Process Automation and may result in a disclosure of sensitive information. (IBM X-Force ID: 177834) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7010725
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 06-07-2023 18:00 − Friday 07-07-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google Play apps with 1.5 million installs send your data to China ∗∗∗
---------------------------------------------
Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality. [..] File Recovery and Data Recovery, identified as "com.spot.music.filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as "com.file.box.master.gkd."
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-play-apps-with-15-mil…
∗∗∗ Iranian Hackers' Sophisticated Malware Targets Windows and macOS Users ∗∗∗
---------------------------------------------
The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report.
---------------------------------------------
https://thehackernews.com/2023/07/iranian-hackers-sophisticated-malware.html
∗∗∗ BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days ∗∗∗
---------------------------------------------
Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it.
---------------------------------------------
https://thehackernews.com/2023/07/blackbyte-20-ransomware-infiltrate.html
∗∗∗ StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability ∗∗∗
---------------------------------------------
A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges.
---------------------------------------------
https://github.com/lrh2000/StackRot
∗∗∗ You are supposed to "receive a refund from the social fund"? Ignore this SMS! ∗∗∗
---------------------------------------------
Our readers are currently reporting SMS messages sent in the name of the "state". Supposedly you are to receive a "refund from the social fund". Beware, phishing alert! Delete the SMS and under no circumstances enter your account details.
---------------------------------------------
https://www.watchlist-internet.at/news/sie-sollen-eine-erstattung-aus-dem-s…
∗∗∗ A Network of SOCs? ∗∗∗
---------------------------------------------
I wrote most of this text quickly in January 2021 when the European Commission asked me to apply my lessons learned from the CSIRTs Network to a potential European Network of SOCs. During 2022, the plans for SOC collaboration have been toned down a bit, the DIGITAL Europe funding scheme proposes multiple platforms where SOCs can work together. In 2023, the newly proposed “Cyber Solidarity Act” builds upon this and codifies the concept of a “national SOC” and “cross-border SOC platforms” into an EU regulation.
---------------------------------------------
https://cert.at/en/blog/2023/7/a-network-of-socs
∗∗∗ Cyber extortionists: Ransomware group BianLian forgoes encryption ∗∗∗
---------------------------------------------
The perpetrators are concentrating on the exfiltration of data. They are responding to the release of a free decryption tool for the BianLian ransomware.
---------------------------------------------
https://www.zdnet.de/88410380/cybererpresser-ransomware-gruppe-bianlian-ver…
∗∗∗ CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants ∗∗∗
---------------------------------------------
Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware variants.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities ∗∗∗
---------------------------------------------
Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks.
---------------------------------------------
https://thehackernews.com/2023/07/google-releases-android-patch-update.html
∗∗∗ Mastodon Social Network Patches Critical Flaws Allowing Server Takeover ∗∗∗
---------------------------------------------
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460, [..]
---------------------------------------------
https://thehackernews.com/2023/07/mastodon-social-network-patches.html
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-187-01 PiiGAB M-Bus
* ICSA-23-187-02 ABUS TVIP
* ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module (Update A)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/07/06/cisa-releases-three-indu…
∗∗∗ VMSA-2023-0015 ∗∗∗
---------------------------------------------
CVSSv3 Range: 5.3
CVE(s): CVE-2023-20899
VMware SD-WAN contains a bypass authentication vulnerability. VMware has evaluated the severity of this issue to be in the moderate severity range with a maximum CVSSv3 base score of 5.3.
Known Attack Vectors: An unauthenticated attacker can download the Diagnostic bundle of the application under VMware SD-WAN Management.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0015.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (debian-archive-keyring, libusrsctp, nsis, ruby-redcloth, and webkit2gtk), Fedora (firefox), Mageia (apache-ivy, cups, curaengine, glances, golang, keepass, libreoffice, minidlna, nodejs, opensc, perl-DBD-SQLite, python-setuptools, python-wheel, skopeo/buildah/podman, systemd, testng, and webkit2), SUSE (bind), and Ubuntu (Gerbv, golang-websocket, linux-gke, linux-intel-iotg, and linux-oem-5.17).
---------------------------------------------
https://lwn.net/Articles/937616/
∗∗∗ [R1] Nessus Agent Version 10.4.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Nessus Agent leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues.
---------------------------------------------
https://www.tenable.com/security/tns-2023-24
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 05-07-2023 18:00 − Thursday 06-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Silentbob Campaign: Cloud-Native Environments Under Attack ∗∗∗
---------------------------------------------
The activity, dubbed Silentbob in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). Alternatively, it could be the work of an "advanced copycat."
---------------------------------------------
https://thehackernews.com/2023/07/silentbob-campaign-cloud-native.html
∗∗∗ Flutter Restrictions Bypass ∗∗∗
---------------------------------------------
This article investigates the Flutter framework (Google, n.d.) and the methods for bypassing its detections on iOS. CyberCX have also published the scripts used for this bypass for other mobile application security researchers to use in their workflow on our GitHub.
---------------------------------------------
https://blog.cybercx.co.nz/flutter-restrictions-bypass
∗∗∗ TeamsPhisher: Tool automates attacks on Teams vulnerability ∗∗∗
---------------------------------------------
Attackers can slip in malware through a vulnerability in Teams. A newly released tool makes these attacks even easier.
---------------------------------------------
https://heise.de/-9208677
∗∗∗ So what is the state of Emotet? ∗∗∗
---------------------------------------------
A brief summary of the current situation around Emotet since its "comeback".
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/07/06/wie-stehts-eigentlich-um-…
∗∗∗ How to delete saved addresses and credit cards in Firefox for improved security and privacy ∗∗∗
---------------------------------------------
If you're looking to get the most out of Firefox security and privacy, you might consider not only deleting all saved addresses and credit cards but also disabling the autofill option.
---------------------------------------------
https://www.zdnet.com/article/how-to-delete-saved-addresses-and-credit-card…
=====================
= Vulnerabilities =
=====================
∗∗∗ MOVEit Transfer: Service pack closes another critical vulnerability ∗∗∗
---------------------------------------------
With the July service pack for MOVEit Transfer, Progress closes further security vulnerabilities. The vendor rates one of them as critical. (CVE-2023-36932, CVE-2023-36933, CVE-2023-36934)
---------------------------------------------
https://heise.de/-9208451
∗∗∗ MOVEit Transfer 2020.1 (12.1) Service Pack (July 2023) ∗∗∗
---------------------------------------------
* CVE-2023-36934 (CRITICAL): SQL Injection
* CVE-2023-36932 (HIGH): multiple SQL injections
* CVE-2023-36933 (HIGH): unhandled exception
---------------------------------------------
https://community.progress.com/s/article/MOVEit-Transfer-2020-1-Service-Pac…
∗∗∗ Stackrot: Kernel vulnerability enables privilege escalation on Linux ∗∗∗
---------------------------------------------
A security vulnerability in the memory management subsystem of the Linux kernel potentially allows attackers to gain elevated privileges.
---------------------------------------------
https://www.golem.de/news/stackrot-kernel-schwachstelle-erlaubt-rechteauswe…
∗∗∗ Patch day: Various attacks possible on Android 11, 12 and 13 ∗∗∗
---------------------------------------------
Important security updates are available for various Android versions. In the worst case, malicious code could get onto devices.
---------------------------------------------
https://heise.de/-9208524
∗∗∗ Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain ∗∗∗
---------------------------------------------
In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.
---------------------------------------------
https://blog.talosintelligence.com/talos-discovers-17-vulnerabilities-in-mi…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-yaml.v2, kernel, and mediawiki), Fedora (kernel and picocli), SUSE (bind and python-sqlparse), and Ubuntu (cpdb-libs).
---------------------------------------------
https://lwn.net/Articles/937481/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM i, IBM Rational Functional Tester, IBM Security Verify Access, IBM Cloud Pak, IBM Match 360, IBM Watson, IBM Integration Designer, IBM Sterling Connect:Direct File Agent, IBM Operations Analytics and TADDM.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Vulnerability in Cisco Enterprise Switches Allows Attackers to Modify Encrypted Traffic ∗∗∗
---------------------------------------------
Cisco says a high-severity vulnerability in Nexus 9000 series switches could allow attackers to intercept and modify encrypted traffic. Tracked as CVE-2023-20185, the issue impacts the ACI multi-site CloudSec encryption feature of the Nexus 9000 switches that are configured in application centric infrastructure (ACI) mode – typically used in data centers for controlling physical and virtual networks.
---------------------------------------------
https://www.securityweek.com/vulnerability-in-cisco-enterprise-switches-all…
∗∗∗ Cisco ACI Multi-Site CloudSec Encryption Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Webex Meetings Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Duo Authentication Proxy Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco BroadWorks Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ZDI-23-896: D-Link DAP-2622 DDP Change ID Password Auth Password Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-896/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (June 26, 2023 to July 2, 2023) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/07/wordfence-intelligence-weekly-wordpr…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 04-07-2023 18:00 − Wednesday 05-07-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Email crypto phishing scams: stealing from hot and cold crypto wallets ∗∗∗
---------------------------------------------
Here is how email phishing scams targeting hot and cold crypto wallets, such as Trezor and Ledger, work.
---------------------------------------------
https://securelist.com/hot-and-cold-cryptowallet-phishing/110136/
∗∗∗ Patch now! Over 335,000 Fortinet SSL VPN interfaces attackable ∗∗∗
---------------------------------------------
Security researchers warn of further attacks on a critical vulnerability in FortiOS. Patches to close the vulnerability have been available for weeks.
---------------------------------------------
https://heise.de/-9206478
∗∗∗ Consumer advice centers warn of personalized phishing ∗∗∗
---------------------------------------------
Since the beginning of the week, many phishing emails with a personal salutation concerning ING have been landing in internet users' inboxes, the consumer advice centers warn.
---------------------------------------------
https://heise.de/-9207386
∗∗∗ TEMU shopping app and temu.com: Problematic offers from China ∗∗∗
---------------------------------------------
Anyone currently browsing social media can hardly avoid advertisements for the shopping app TEMU. The platform, based in Dublin and with its origins in China, is currently launching an offensive on the Austrian and German markets. The products on TEMU are in part unbelievably cheap and tempting for many. However, this is made possible above all by questionable business practices, in part defective products and non-compliance with legal requirements.
---------------------------------------------
https://www.watchlist-internet.at/news/temu-shopping-app-und-temucom-proble…
=====================
= Vulnerabilities =
=====================
∗∗∗ Path traversal bypass & Denial of service in Kyocera TASKalfa 4053ci printer ∗∗∗
---------------------------------------------
CVE Number: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261
Kyocera TASKalfa 4053ci printers are vulnerable to multiple vulnerabilities. The path traversal vulnerability can be used to access arbitrary files on the filesystem, even files that require root privileges. Also, the path traversal vulnerability can be used to conduct a denial-of-service (DoS). Due to the username enumeration vulnerability, it is possible to identify valid user accounts.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/path-traversal-bypass-de…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox and python-reportlab), Slackware (mozilla), SUSE (dnsdist, grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, pyt, kernel, kubernetes1.18, libdwarf, python311, qt6-base, rmt-server, and virtualbox), and Ubuntu (containerd, firefox, and python-django).
---------------------------------------------
https://lwn.net/Articles/937368/
∗∗∗ The "StackRot" kernel vulnerability ∗∗∗
---------------------------------------------
Ruihan Li has disclosed a significant vulnerability introduced into the 6.1 kernel: A flaw was found in the handling of stack expansion in the Linux kernel 6.1 through 6.4, aka "Stack Rot". The maple tree, responsible for managing virtual memory areas, can undergo node replacement without properly acquiring the MM write lock, leading to use-after-free issues. An unprivileged local user could use this flaw to compromise the kernel and escalate their privileges.
---------------------------------------------
https://lwn.net/Articles/937377/
∗∗∗ Frauscher: Diagnostic System FDS001 for FAdC/FAdCi Path Traversal vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-011/
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker and denial of service due to Guava (CVE-2020-8908, CVE-2018-10237). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009535
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009537
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to xml2js arbitrary code execution vulnerability (CVE-2023-0842) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009049
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009625
∗∗∗ Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - April 2023 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009627
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009635
∗∗∗ IBM WebSphere Application Server could provide weaker than expected security (CVE-2023-35890) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007857
=====================
= End-of-Day report =
=====================
Timeframe: Monday 03-07-2023 18:00 − Tuesday 04-07-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors ∗∗∗
---------------------------------------------
The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia said in a technical write-up.
---------------------------------------------
https://thehackernews.com/2023/07/ddosia-attack-tool-evolves-with.html
∗∗∗ Hunting for Bitwarden master passwords stored in memory ∗∗∗
---------------------------------------------
A blog post on how I was able to identify unknown master passwords stored in the memory of the Bitwarden web extension and desktop client, after a vault has been locked. I also cover the decisions made for developing a proof of concept to automate the process of extracting potential passwords.
---------------------------------------------
https://redmaple.tech/blogs/2023/extract-bitwarden-vault-passwords/
∗∗∗ Warning, fake shop: sharkos.de ∗∗∗
---------------------------------------------
Sharkos – "Your expert for garden, pools and household". We see it differently. The online shop looks promising, but if you order there, you will receive no goods despite paying. We show you how to recognize fake shops.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-sharkosde/
=====================
= Vulnerabilities =
=====================
∗∗∗ Device management: High-risk vulnerability in Ivanti Endpoint Manager ∗∗∗
---------------------------------------------
A security vulnerability in Ivanti's device and software management for ChromeOS, Linux, macOS and Windows allows attackers from the network to inject code.
---------------------------------------------
https://heise.de/-9206574
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript), Fedora (apache-ivy, chromium, golang-github-schollz-croc, golang-github-schollz-mnemonicode, and webkitgtk), SUSE (amazon-ecs-init, dnsdist, libcap, python-tornado, terraform, and xmltooling), and Ubuntu (imagemagick, openldap, php7.4, php8.1, and screen).
---------------------------------------------
https://lwn.net/Articles/937292/
∗∗∗ CISA issues warning for cardiac device system vulnerability ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) warned of a severe vulnerability in a cardiac device from medical device company Medtronic. The issue – tracked as CVE-2023-31222 – carries a “critical” CVSS score of 9.8 out of 10 and affects the company’s Paceart Optima software that runs on a healthcare organization’s Windows server.
---------------------------------------------
https://therecord.media/cisa-warning-for-cardiac-device-system-vulnerability
∗∗∗ Zyxel security advisory for buffer overflow vulnerability in 4G LTE and 5G NR outdoor routers ∗∗∗
---------------------------------------------
A buffer overflow vulnerability in the CGI program of some Zyxel 4G LTE and 5G NR outdoor routers could allow a remote authenticated attacker to cause denial of service (DoS) conditions by sending a crafted HTTP request to a vulnerable device. (CVE: CVE-2023-27989)
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-24/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.13 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-23/
∗∗∗ Security Vulnerabilities fixed in Firefox 115 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-22/
∗∗∗ Vulnerability in the interface module SLC-0-GPNT00300 ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-894143.html
∗∗∗ Security Advisory for the FL MGUARD family of devices ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-833074.html
∗∗∗ IBM Integration Bus is vulnerable to a remote attack due to Apache Jena (CVE-2021-39239, CVE-2022-28890, CVE-2023-22665). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009371
∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining [CVE-2016-1000027] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009383
∗∗∗ IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002807
∗∗∗ Vulnerability in IBM SDK Java Technology affects IBM Cloud Pak System (CVE-2021-35561) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009441
∗∗∗ Vulnerabilities in OpenSSL affect Cloud Pak System (CVE-2021-23840, CVE-2021-23841) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005857
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009457
∗∗∗ Vulnerability of Newtonsoft.Json-12.0.1.22727.dll has affected .NET Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009459
∗∗∗ Multiple CVEs may affect IBM® SDK, Java™ Technology Edition shipped with IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009483
∗∗∗ Multiple CVEs may affect IBM® SDK, Java™ Technology Edition shipped with IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009485
∗∗∗ Multiple CVEs may affect IBM® SDK, Java™ Technology Edition shipped with IBM TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009487
∗∗∗ Vulnerabilities in Apache Struts affect IBM Tivoli Application Dependency Discovery Manager. (CVE-2023-34396, CVE-2023-34149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009497
∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009499
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-06-2023 18:00 − Monday 03-07-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Beware: New RustBucket Malware Variant Targeting macOS Users ∗∗∗
---------------------------------------------
"This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report published this week, adding it's "leveraging a dynamic network infrastructure methodology for command-and-control."
---------------------------------------------
https://thehackernews.com/2023/07/beware-new-rustbucket-malware-variant.html
∗∗∗ Decryption tool: Security researchers crack Akira ransomware ∗∗∗
---------------------------------------------
If the prerequisites are met, victims of the Akira ransomware can access their data without paying a ransom.
---------------------------------------------
https://heise.de/-9204932
∗∗∗ Beware of malvertising: Fake WinSCP tool spreads BlackCat ransomware ∗∗∗
---------------------------------------------
The operators behind the BlackCat (aka ALPHV) ransomware are relying on an additional distribution channel.
---------------------------------------------
https://heise.de/-9204958
∗∗∗ Beware of fake police e-mails ∗∗∗
---------------------------------------------
Criminals are currently posing as the police via e-mail. The e-mail states that you will find your summons in the attachment and must reply within 48 hours. Otherwise you face arrest. Ignore this e-mail, it is a scam!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-polizei-ma…
∗∗∗ CVE-2023-20864: Remote Code Execution in VMware Aria Operations for Logs ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Jonathan Lein and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in VMware Aria Operations for Logs (formerly vRealize).
---------------------------------------------
https://www.zerodayinitiative.com/blog/2023/6/29/cve-2023-20864-remote-code…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: Malicious code attacks on HP LaserJet Pro printers possible ∗∗∗
---------------------------------------------
Several HP LaserJet Pro models are vulnerable. Security updates provide a remedy.
---------------------------------------------
https://heise.de/-9205846
∗∗∗ WP AutoComplete 1.0.4 - Unauthenticated SQLi ∗∗∗
---------------------------------------------
The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection.
---------------------------------------------
https://www.exploit-db.com/exploits/51560
∗∗∗ Security update: Attacks on WordPress plugin Ultimate Member ∗∗∗
---------------------------------------------
Attackers are currently exploiting a critical vulnerability in the WordPress plugin Ultimate Member. The vendor advises updating promptly.
---------------------------------------------
https://heise.de/-9204916
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups, gst-plugins-bad1.0, gst-plugins-base1.0, gst-plugins-good1.0, python3.7, and yajl), Fedora (chromium, kubernetes, pcs, and webkitgtk), Scientific Linux (open-vm-tools), SUSE (iniparser, keepass, libvirt, prometheus-ha_cluster_exporter, prometheus-sap_host_exporter, rekor, terraform-provider-aws, terraform-provider-helm, and terraform-provider-null), and Ubuntu (python-reportlab and vim).
---------------------------------------------
https://lwn.net/Articles/937189/
∗∗∗ Root access to smart home server Loxone Miniserver Go Gen. 2 (SySS-2023-004/-012/-013) ∗∗∗
---------------------------------------------
Through several vulnerabilities, an administrator can gain operating system access on the Loxone Miniserver Go in the context of the root user.
---------------------------------------------
https://www.syss.de/pentest-blog/root-zugang-zu-smarthome-server-loxone-min…
∗∗∗ Multiple Vulnerabilities including Unauthenticated Remote Code Execution in Siemens A8000 ∗∗∗
---------------------------------------------
The vendor provides a patch which should be installed immediately. Customers should update to CPCI85 V05 or later version (https://support.industry.siemens.com/cs/ww/en/view/109804985/).
- Unauthenticated Remote Code Execution (CVE-2023-28489)
- Authenticated Command Injection (CVE-2023-33919)
- Hard-coded Root Password (CVE-2023-33920)
- Console Login via UART (CVE-2023-33921)
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Multiple vulnerabilities in SoftEther VPN and PacketiX VPN ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN64316789/
∗∗∗ ZDI-23-894: NETGEAR RAX30 UPnP Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-894/
∗∗∗ ZDI-23-893: NETGEAR Multiple Routers curl_post Improper Certificate Validation Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-893/
∗∗∗ WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) <= 7.6.4 – Authentication Bypass ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023070002
∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go to a denial of service (CVE-2022-1962) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009053
∗∗∗ Watson CP4D Data Stores is vulnerable to Golang Go is vulnerable to HTTP request smuggling (CVE-2022-1705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009055
∗∗∗ Watson AI Gateway for Cloud Pak for Data is vulnerable to an Ajv (aka Another JSON Schema Validator) could allow a remote attacker to execute arbitrary code on the system (CVE-2020-15366) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009061
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to xml2js arbitrary code execution vulnerability (CVE-2023-0842) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009049
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js http-cache-semantics module denial of service (CVE-2022-25881) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009051
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Envoy security bypass (CVE-2023-27488) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009057
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to ConfigObj denial of service (CVE-2023-26112) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009059
∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-2455) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009293
∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2022-41862) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009295
∗∗∗ IBM Security Key Lifecycle Manager is vulnerable to Incorrect Permission Assignment for Critical Resource (CVE-2018-1750) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/733311
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007837
∗∗∗ Multiple vulnerabilities of Apache Groovy (groovy-all-2.3.11.jar) have affected APM JBoss and APM WebLogic Agent [CVE-202-17521, CVE-2016-6814, CVE-2015-3253] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009323
∗∗∗ Multiple vulnerabilities of Apache Ant (ant-1.7.0.jar, ant-1.8.4.jar) have affected APM JBoss, APM WebLogic and APM SAP NetWeaver Java Stack Agents. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009321
∗∗∗ Multiple vulnerabilities in the IBM SDK, Java Technology Edition affects APM Agents for Monitoring ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009327
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operand is vulnerable to DOS/loss of integrity/confidentiality [CVE-2023-21930 CVE-2023-21937 CVE-2023-21938 CVE-2023-21939 CVE-2023-21954 CVE-2023-21967 CVE-2023-21968] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009333
∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April 2023 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7009353
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-06-2023 18:00 − Friday 30-06-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Torrent of image-based phishing emails are harder to detect and more convincing ∗∗∗
---------------------------------------------
The arms race between scammers and defenders continues.
---------------------------------------------
https://arstechnica.com/?p=1951208
∗∗∗ Spamdexing: What is SEO Spam & How to Remove It ∗∗∗
---------------------------------------------
Ever had an uninvited guest crash your party, resulting in chaos, confusion, and some unhappy visitors? Well, SEO spam is that party crasher - just for websites. Why should you care, you ask? Well, just imagine your meticulously crafted website content being replaced with unsolicited ads for services and products that would make your grandma blush. Or even worse, your loyal site visitors being redirected to shady third party websites. Not the picture of ideal user experience,
---------------------------------------------
https://blog.sucuri.net/2023/06/spamdexing-what-is-seo-spam.html
∗∗∗ Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign ∗∗∗
---------------------------------------------
An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. "This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," Akamai researcher Allen West said [...]
---------------------------------------------
https://thehackernews.com/2023/06/cybercriminals-hijacking-vulnerable-ssh.h…
∗∗∗ It's 2023 and memory overwrite bugs are not just a thing, they're still number one ∗∗∗
---------------------------------------------
Cough, cough, use Rust. Plus: Eight more exploited bugs added to CISA's must-patch list. The most dangerous type of software bug is the out-of-bounds write, according to MITRE this week. This type of flaw is responsible for 70 CVE-tagged holes in the US government's list of known vulnerabilities that are under active attack and need to be patched, we note.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/06/29/cwe_top_25_2…
∗∗∗ Router malware: Current Mirai botnet campaign attacks many vulnerabilities ∗∗∗
---------------------------------------------
The Mirai botnet remains active. In a current campaign, its operators are exploiting numerous security vulnerabilities to infect various Internet routers.
---------------------------------------------
https://heise.de/-9203406
∗∗∗ 200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin ∗∗∗
---------------------------------------------
Attackers exploit critical vulnerability in the Ultimate Member plugin to create administrative accounts on WordPress websites.
---------------------------------------------
https://www.securityweek.com/200000-wordpress-sites-exposed-to-attacks-expl…
∗∗∗ New browser-based social engineering trends ∗∗∗
---------------------------------------------
Report from WatchGuard Threat Lab: Attackers are using new ways to trick users browsing the Internet.
---------------------------------------------
https://www.zdnet.de/88410262/neue-browserbasierte-social-engineering-trend…
∗∗∗ Malware Execution Method Using DNS TXT Record ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has confirmed instances where DNS TXT records were being utilized during the execution process of malware. This is considered meaningful from various perspectives, including analysis and detection as this method has not been widely utilized as a means of executing malware.
---------------------------------------------
https://asec.ahnlab.com/en/54916/
∗∗∗ Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator ∗∗∗
---------------------------------------------
We found that malicious actors used malvertising to distribute malware via cloned webpages of legitimate organizations. The distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer. We were able to identify that this activity led to a BlackCat (aka ALPHV) infection, and actors also used SpyBoy, a terminator that tampers with protection provided by agents.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/malvertising-used-as-entry-v…
∗∗∗ Decrypted: Akira Ransomware ∗∗∗
---------------------------------------------
Researchers for Avast have developed a decryptor for the Akira ransomware and released it for public download. The Akira ransomware appeared in March 2023 and since then, the gang claims successful attacks on various organizations in the education, finance and real estate industries, amongst others.
---------------------------------------------
https://decoded.avast.io/threatresearch/decrypted-akira-ransomware/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (docker-registry, flask, systemd, and trafficserver), Fedora (moodle, python-reportlab, suricata, and vim), Red Hat (go-toolset and golang, go-toolset-1.19 and go-toolset-1.19-golang, go-toolset:rhel8, open-vm-tools, python27:2.7, and python3), SUSE (buildah, chromium, gifsicle, libjxl, sqlite3, and xonotic), and Ubuntu (linux, linux-allwinner, linux-allwinner-5.19, linux-aws, linux-aws-5.19, linux-azure, linux-gcp, linux-gcp-5.19, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux-starfive-5.19, linux, linux-aws, linux-aws-5.15, linux-aws-5.4, linux-azure, linux-azure-5.15, linux-azure-5.4, linux-azure-fde-5.15, linux-bluefield, linux-gcp, linux-gcp-5.15, linux-gcp-5.4, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and linux-oem-6.1).
---------------------------------------------
https://lwn.net/Articles/936949/
∗∗∗ Nessus Network Monitor 6.2.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-23
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-06-2023 18:00 − Thursday 29-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Linux version of Akira ransomware targets VMware ESXi servers ∗∗∗
---------------------------------------------
The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/linux-version-of-akira-ranso…
∗∗∗ Exploit released for new Arcserve UDP auth bypass vulnerability ∗∗∗
---------------------------------------------
Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-new-arc…
∗∗∗ Security Baseline for M365 Apps for enterprise v2306 ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2306.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ GuLoader- or DBatLoader/ModiLoader-style infection for Remcos RAT, (Thu, Jun 29th) ∗∗∗
---------------------------------------------
On Monday 2023-06-26, I received an email in one of my honeypot accounts, and the email led to a loader-based infection for Remcos RAT. The loader seems to be a GuLoader- or ModiLoader (DBatLoader)-style malware, but it's not like the GuLoader or ModiLoader samples I've run across so far.
---------------------------------------------
https://isc.sans.edu/diary/rss/29990
∗∗∗ Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes ∗∗∗
---------------------------------------------
Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse. The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/06/fluhorse-flutter-based-android-malware.ht…
∗∗∗ Finding Gadgets for CPU Side-Channels with Static Analysis Tools ∗∗∗
---------------------------------------------
We have recently begun research on using static analysis tools to find Spectre-v1 gadgets. During this research, we discovered two gadgets, one in do_prlimit (CVE-2023-0458) and one in copy_from_user (CVE-2023-0459). In this writeup, we explain these issues and how we found them.
---------------------------------------------
https://github.com/google/security-research/blob/master/pocs/cpus/spectre-g…
∗∗∗ Responsible disclosure of an exploit chain targeting the implementation of the RFC interface in SAP Application Server for ABAP ∗∗∗
---------------------------------------------
In an independent analysis of the server-side implementation of the proprietary Remote Function Call (RFC) interface in SAP NetWeaver Application Server ABAP and ABAP Platform (both referred to below as AS ABAP), Fabian Hagg, security researcher at the SEC Consult Vulnerability Lab and SAP security expert, identified a number of serious implementation and design flaws.
---------------------------------------------
https://sec-consult.com/de/blog/detail/verantwortungsvolle-veroeffentlichun…
∗∗∗ What you can do if criminals copy your online shop ∗∗∗
---------------------------------------------
Fake shops offer brand-name products online at rock-bottom prices. The criminals simply rebuild the real websites, so the fake is often not apparent at first glance. We show you what you can do if your online shop is affected and how you can protect your customers.
---------------------------------------------
https://www.watchlist-internet.at/news/das-koennen-sie-tun-wenn-kriminelle-…
∗∗∗ CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments ∗∗∗
---------------------------------------------
Recognizing the various types of security threats that could affect CI/CD operations and taking steps to defend against each one is critical in securing a CI/CD environment. Organizations will find in this guide a list of common risks found in CI/CD pipelines and attack surfaces that could be exploited and threaten network security.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/28/cisa-and-nsa-release-joi…
∗∗∗ Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts ∗∗∗
---------------------------------------------
In Mandiant’s initial publication of this vulnerability, we covered the attackers’ exploitation of CVE-2023-20867, the harvesting of ESXi service account credentials on vCenter machines, and the implications of backdoor communications over VMCI socket. In this blog post, we will focus on the artifacts, logging options, and hardening steps to detect and prevent the following tactics and techniques seen being used by UNC3886.
---------------------------------------------
https://www.mandiant.com/resources/blog/vmware-detection-containment-harden…
∗∗∗ Introducing KBOM – Kubernetes Bill of Materials ∗∗∗
---------------------------------------------
SBOM (Software Bill of Materials) is an accepted best practice to map the components and dependencies of your applications in order to better understand your applications’ risks. SBOMs are used as a basis for vulnerability assessment, licensing compliance, and more. There are plenty of available tools, such as Aqua Trivy, that help you easily generate SBOM for your applications.
---------------------------------------------
https://blog.aquasec.com/introducing-kbom-kubernetes-bill-of-materials
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal Security advisories 2023-06-28 ∗∗∗
---------------------------------------------
Drupal released 7 new security advisories. (1x Critical, 5x Moderately Critical, 1x Less Critical)
---------------------------------------------
https://www.drupal.org/security
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and maradns), SUSE (iniparser, kubernetes1.23, python-reportlab, and python-sqlparse), and Ubuntu (accountsservice and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/936752/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
AIX, IBM QRadar SIEM, WebSphere Application Server, IBM Security SOAR, IBM Cloud Pak, CICS, IBM SDK, IBM Tivoli, FileNet Content Manager, Db2 Graph, IBM OpenPages and IBM Semeru Runtime.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0005 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0005.html
∗∗∗ F5: K000135262 : Apache Tomcat vulnerability CVE-2023-28709 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000135262
∗∗∗ Stable Channel Update for ChromeOS/ChromeOS Flex ∗∗∗
---------------------------------------------
http://chromereleases.googleblog.com/2023/06/stable-channel-update-for_28.h…
∗∗∗ [R1] Nessus Version 10.5.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-22
∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-01
∗∗∗ Ovarro TBox RTUs ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-03
∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-04
∗∗∗ Medtronic Paceart Optima System ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-180-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-06-2023 18:00 − Wednesday 28-06-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Andariel’s silly mistakes and a new malware family ∗∗∗
---------------------------------------------
In this crimeware report, Kaspersky researchers provide insights into Andariel’s activity targeting organizations: clumsy commands executed manually, off-the-shelf tools and EasyRat malware.
---------------------------------------------
https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/
∗∗∗ Warning: JavaScript registry npm vulnerable to manifest confusion abuse ∗∗∗
---------------------------------------------
Failure to match metadata with packaged files is perfect for supply chain attacks. The npm Public Registry, a database of JavaScript packages, fails to compare npm package manifest data with the archive of files that data describes, creating an opportunity for the installation and execution of malicious files.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/06/27/javascript_r…
∗∗∗ Black Basta Ransomware ∗∗∗
---------------------------------------------
What is Black Basta Ransomware? Black Basta is a threat group that provides ransomware-as-a-service (RaaS). The service is maintained by dedicated developers and is a highly efficient and professionally run operation; there’s a TOR website that provides a victim login portal, a chat room, and a wall of the names of companies whose data has been leaked.
---------------------------------------------
https://www.pentestpartners.com/security-blog/black-basta-ransomware/
∗∗∗ Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor ∗∗∗
---------------------------------------------
Manic Menagerie 2.0 is a campaign deploying coin miners and web shells, among other tactics. Hijacked machines could be used as C2 for further operations.
---------------------------------------------
https://unit42.paloaltonetworks.com/manic-menagerie-targets-web-hosting-and…
∗∗∗ Charming Kitten Updates POWERSTAR with an InterPlanetary Twist ∗∗∗
---------------------------------------------
Volexity works with many individuals and organizations often subjected to sophisticated and highly targeted spear-phishing campaigns from a variety of nation-state-level threat actors. In the last few years, Volexity has observed threat actors dramatically increase the level of effort they put into compromising credentials or systems of individual targets.
---------------------------------------------
https://www.volexity.com/blog/2023/06/28/charming-kitten-updates-powerstar-…
∗∗∗ Hackers Hiding DcRAT Malware in Fake OnlyFans Content ∗∗∗
---------------------------------------------
A malicious campaign targeting smartphone users has been uncovered, utilizing fake OnlyFans content to distribute a dangerous Remote Access Trojan (RAT) known as DcRAT malware.
---------------------------------------------
https://www.hackread.com/hackers-dcrat-malware-fake-onlyfans-content/
∗∗∗ Newly Surfaced ThirdEye Infostealer Targeting Windows Devices ∗∗∗
---------------------------------------------
FortiGuard Labs uncovered a not-so-sophisticated but highly malicious infostealer while analyzing suspicious files during a cursory review. They named this ThirdEye Infostealer.
---------------------------------------------
https://www.hackread.com/thirdeye-infostealer-windows-devices/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution ∗∗∗
---------------------------------------------
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems.
---------------------------------------------
https://thehackernews.com/2023/06/critical-sql-injection-flaws-expose.html
∗∗∗ App bypass and other vulnerabilities in Boomerang Parental Control app ∗∗∗
---------------------------------------------
The child monitoring app "Boomerang" from National Education Technologies is affected by high-risk vulnerabilities. Attackers can create a local ADB backup, through which access to API tokens can be obtained. This allows an attacker to perform privilege escalation or cross-site scripting in the parents' web dashboard. Furthermore, children can easily bypass the restrictions set by their parents.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/app-bypass-und-andere…
∗∗∗ Nvidia: Driver update closes code injection vulnerabilities ∗∗∗
---------------------------------------------
Nvidia's graphics card drivers for Linux and Windows have high-risk security vulnerabilities. The vendor is now delivering updates to close the holes.
---------------------------------------------
https://heise.de/-9200904
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (docker-docker-registry, libcap, libx11, mediawiki, python-requests, python-tornado, sofia-sip, sqlite, and xonotic), Red Hat (kernel, kernel-rt, kpatch-patch, libssh, libtiff, python27:2.7, python39:3.9, python39-devel:3.9, ruby:2.7, sqlite, systemd, and virt:rhel, virt-devel:rhel), SUSE (bind, cosign, guile1, lilypond, keepass, kubernetes1.24, nodejs16, nodejs18, phpMyAdmin, and sqlite3), and Ubuntu (etcd).
---------------------------------------------
https://lwn.net/Articles/936671/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM App Connect Enterprise, IBM Security Guardium, CloudPak for Watson, IBM MQ, IBM Maximo Manage application, IBM TXSeries, IBM CICS TX, IBM Cloud Object Storage Systems, IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manager, IBM Informix JDBC Driver, IBM i, IBM Tivoli Netcool Impact, IBM Robotic Process Automation, IBM WebSphere Application Server and FileNet Content Manager.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Path Traversal / Cross-Site Scripting in the Gira KNX IP Router (SYSS-2023-015/-016) ∗∗∗
---------------------------------------------
The web interface of the Gira KNX IP router allows path traversal (access to system files) and is vulnerable to cross-site scripting attacks.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-/-cross-site-scripting-im-g…
∗∗∗ Information Disclosure Vulnerability in Bosch IP cameras ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-839739-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 26-06-2023 18:00 − Tuesday 27-06-2023 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Prominent cryptocurrency exchange infected with previously unseen Mac malware ∗∗∗
---------------------------------------------
It's not yet clear how the full-featured JokerSpy backdoor gets installed.
---------------------------------------------
https://arstechnica.com/?p=1950160
∗∗∗ New Mockingjay process injection technique evades EDR detection ∗∗∗
---------------------------------------------
A new process injection technique named Mockingjay could allow threat actors to bypass EDR (Endpoint Detection and Response) and other security products to stealthily execute malicious code on compromised systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-mockingjay-process-injec…
∗∗∗ The Importance of Malware Triage, (Tue, Jun 27th) ∗∗∗
---------------------------------------------
When dealing with malware analysis, you like to get "fresh meat". Just for hunting purposes or when investigating incidents in your organization, it's essential to have a triage process to reduce the noise and focus on really interesting files. For example, if you detect a new sample of Agent Tesla, you don't need to take time to investigate it deeply. Just extract IOCs to share with your colleagues. From a business point of view, you don't have time to analyze all samples!
---------------------------------------------
https://isc.sans.edu/diary/rss/29984
∗∗∗ Smartwatches Are Being Used To Distribute Malware ∗∗∗
---------------------------------------------
"Smartwatches are being sent to random military members loaded with malware, much like malware distribution via USB drives in the past," writes longtime Slashdot reader frdmfghtr. "Recipients are advised not to turn them on and report the incident to their local security office."
---------------------------------------------
https://it.slashdot.org/story/23/06/27/0641253/smartwatches-are-being-used-…
∗∗∗ SNAPPY: Detecting Rogue and Fake 802.11 Wireless Access Points Through Fingerprinting Beacon Management Frames ∗∗∗
---------------------------------------------
I’ve found a novel technique to detect both rogue and fake 802.11 wireless access points through fingerprinting Beacon Management Frames, and created a tool to do so, called snap.py (Snappy) – the blog post title doesn’t lie!
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/snappy-dete…
∗∗∗ New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems. "The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," [..]
---------------------------------------------
https://thehackernews.com/2023/06/new-ongoing-campaign-targets-npm.html
∗∗∗ Anatsa banking Trojan hits UK, US and DACH with new campaign ∗∗∗
---------------------------------------------
As of March 2023, ThreatFabric’s cyber fraud analysts have been monitoring multiple ongoing Google Play Store dropper campaigns delivering the Android banking Trojan Anatsa, with over 30.000 installations. The threat actors behind this new wave of Anatsa showed interest in new institutions from the US, UK, and DACH region. Our fraud intelligence platform was able to confirm this dangerous malware family adding multiple Android banking apps from these regions as new targets.
---------------------------------------------
https://www.threatfabric.com/blogs/anatsa-hits-uk-and-dach-with-new-campaign
∗∗∗ Rowpress: DRAM Attack Rowhammer Has a Younger Brother ∗∗∗
---------------------------------------------
A new side-channel attack manipulates supposedly protected areas of main memory and works independently of the CPU in use.
---------------------------------------------
https://heise.de/-9199330
∗∗∗ Malvertising: A stealthy precursor to infostealers and ransomware attacks ∗∗∗
---------------------------------------------
Malvertising, the practice of using online ads to spread malware, can have dire consequences—and the problem only seems to be growing.
---------------------------------------------
https://www.malwarebytes.com/blog/business/2023/06/malvertising-a-stealthy-…
∗∗∗ "Hi Mom, my phone is broken" ∗∗∗
---------------------------------------------
An unknown number messages you. Supposedly it is your child. The message says that the phone is broken and that this is now the new number. Do not reply; it is a scam. If you write back, criminals ask you for an urgent bank transfer and you lose money.
---------------------------------------------
https://www.watchlist-internet.at/news/hallo-mama-mein-handy-ist-kaputt/
∗∗∗ Breaking GPT-4 Bad: Check Point Research Exposes How Security Boundaries Can Be Breached as Machines Wrestle with Inner Conflicts ∗∗∗
---------------------------------------------
Highlights: Check Point Research examines security and safety aspects of GPT-4 and reveals how limitations can be bypassed. Researchers present a new mechanism dubbed “double bind bypass”, colliding GPT-4's internal motivations against itself.
---------------------------------------------
https://blog.checkpoint.com/artificial-intelligence/breaking-gpt-4-bad-chec…
∗∗∗ A technical analysis of the SALTWATER backdoor used in Barracuda 0-day vulnerability (CVE-2023-2868) exploitation ∗∗∗
---------------------------------------------
SALTWATER is a backdoor that has been used in the exploitation of the Barracuda 0-day vulnerability CVE-2023-2868. It is a module for the Barracuda SMTP daemon called bsmtpd. The malware hooked the recv, send, and close functions using an open-source hooking library called funchook. The following functionalities are implemented: execute arbitrary commands, download and [..]
---------------------------------------------
https://cybergeeks.tech/a-technical-analysis-of-the-saltwater-backdoor-used…
∗∗∗ CISA Releases SCuBA TRA and eVRF Guidance Documents ∗∗∗
---------------------------------------------
CISA has released several documents as part of the Secure Cloud Business Applications (SCuBA) project:
- The Technical Reference Architecture (TRA) document [..] is [..] a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks.
- The extensible Visibility Reference Framework (eVRF) guidebook provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/27/cisa-releases-scuba-tra-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Bulletin: NVIDIA Jetson AGX Xavier Series, Jetson Xavier NX, Jetson TX1, Jetson TX2 Series (including Jetson TX2 NX), and Jetson Nano (including Jetson Nano 2GB) - June 2023 ∗∗∗
---------------------------------------------
NVIDIA has released a software update for NVIDIA Jetson AGX Xavier series, Jetson Xavier NX, Jetson TX1, Jetson TX2 series (including Jetson TX2 NX), and Jetson Nano devices (including Jetson Nano 2GB) in the NVIDIA JetPack software development kit (SDK). The update addresses security issues that may lead to code execution, denial of service, information disclosure, and loss of integrity.
---------------------------------------------
https://nvidia.custhelp.com/app/answers/detail/a_id/5466
∗∗∗ Security Bulletin: NVIDIA GPU Display Driver - June 2023 ∗∗∗
---------------------------------------------
NVIDIA has released a software security update for NVIDIA GPU Display Driver. This update addresses issues that may lead to code execution, denial of service, escalation of privileges, data tampering, or information disclosure.
---------------------------------------------
https://nvidia.custhelp.com/app/answers/detail/a_id/5468
∗∗∗ Web Browser: Google Chrome Update Seals High-Risk Security Vulnerabilities ∗∗∗
---------------------------------------------
Google has released an updated version of the Chrome web browser. In the new version, the developers seal high-risk security leaks.
---------------------------------------------
https://heise.de/-9199157
∗∗∗ Security Updates: Dell BIOS Hardened Against Various Attacks ∗∗∗
---------------------------------------------
Anyone who owns a Dell computer should bring the BIOS up to date for security reasons.
---------------------------------------------
https://heise.de/-9199274
∗∗∗ Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin ∗∗∗
---------------------------------------------
On June 5, 2023, our Wordfence Threat Intelligence team identified, and began the responsible disclosure process, for an Arbitrary User Password Change vulnerability in LearnDash LMS plugin, a WordPress plugin that is actively installed on more than 100,000 WordPress websites according to our estimates.
---------------------------------------------
https://www.wordfence.com/blog/2023/06/arbitrary-user-password-change-vulne…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (c-ares and libx11), Fedora (chromium and kubernetes), Red Hat (python3 and python38:3.8, python38-devel:3.8), and SUSE (amazon-ssm-agent, kernel, kubernetes1.24, libvirt, nodejs16, openssl-1_1, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/936549/
∗∗∗ Synology-SA-23:09 Mail Station ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to potentially inject SQL commands and inject arbitrary web scripts or HTML via a susceptible version of Mail Station.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_09
∗∗∗ Numerous High-Risk Vulnerabilities in ILIAS eLearning Platform ∗∗∗
---------------------------------------------
High-risk security vulnerabilities have been identified in the ILIAS eLearning platform that allow an attacker to execute arbitrary code via several attack paths. For one, inputs to an "unserialize" function are not sufficiently filtered; for another, arbitrary PHP files can be uploaded by bypassing a filter. Furthermore, cross-site scripting attacks can be carried out.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
∗∗∗ [R1] Tenable Plugin Feed ID #202306261202 Fixes Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
As a part of Tenable’s vulnerability disclosure program, a vulnerability in a Nessus plugin was identified and reported. This vulnerability could allow a malicious actor with sufficient permissions on a scan target to place a binary in a specific filesystem location, and abuse the impacted plugin in order to escalate privileges.
---------------------------------------------
https://www.tenable.com/security/tns-2023-21
∗∗∗ A vulnerability in the IBM Spectrum Protect Backup-Archive Client on Microsoft Windows Workstation operating systems can lead to local user escalated privileges (CVE-2023-28956) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005519
∗∗∗ Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007069
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager (CVE-2022-21426). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007317
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007313
∗∗∗ A security vulnerability has been identified in embedded IBM WebSphere Application Server which is shipped with IBM Tivoli Netcool Configuration Manager (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007315
∗∗∗ Vulnerability in Spring Security affects IBM Process Mining . Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007351
∗∗∗ Vulnerability in Spring Security affects IBM Process Mining . CVE-2022-22978 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007363
∗∗∗ Vulnerability in Spring Security affects IBM Process Mining . CVE-2021-22119 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007359
∗∗∗ Vulnerability in Pallets Flask affects IBM Process Mining . CVE-2023-30861 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007345
∗∗∗ Vulnerability in Spring Boot affects IBM Process Mining . CVE-2023-20883 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007349
∗∗∗ Vulnerability in netplex json-smart affects IBM Process Mining . CVE-2023-1370 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007357
∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining . CVE-2023-20863 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007365
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager (CVE-2023-21830, CVE-2023-21843). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007353
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server, which is a required product for IBM Tivoli Netcool Configuration Manager (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007355
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-32695] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007367
∗∗∗ Vulnerability in Spring Security affects IBM Process Mining . CVE-2023-20862 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007371
∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining . CVE-2023-20873 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007373
∗∗∗ Vulnerability in Apache Tomcat affects IBM Process Mining . Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007375
∗∗∗ CVE-2022-21426 may affect JAXP component in Java SE used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007387
∗∗∗ A vulnerability has been identified in IBM Storage Scale System which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007405
∗∗∗ Hitachi Energy FOXMAN-UN and UNEM Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-178-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-06-2023 18:00 − Monday 26-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ FortiNAC: Critical Security Vulnerability Allows Code Injection, Update Available ∗∗∗
---------------------------------------------
Fortinet is providing software updates that, among other things, close a critical security vulnerability in FortiNAC. Attackers can inject malicious code.
---------------------------------------------
https://heise.de/-9197438
∗∗∗ Teams Vulnerability Makes It Easier to Slip In Malware ∗∗∗
---------------------------------------------
In Microsoft Teams, attackers can easily deliver malware to potential victims. Conventional phishing protection does not help against this.
---------------------------------------------
https://heise.de/-9197620
∗∗∗ DNS Analyzer - Finding DNS Vulnerabilities with Burp Suite ∗∗∗
---------------------------------------------
A brand-new plugin for Burp Suite for tracking down DNS vulnerabilities in web applications!
---------------------------------------------
https://sec-consult.com/de/blog/detail/dns-analyzer-finden-von-dns-schwachs…
∗∗∗ Fraud in the Apartment Search: Criminals Conduct Viewings in Rented Airbnb Apartments ∗∗∗
---------------------------------------------
It is hard to believe: you have just viewed your dream apartment, and on top of that it is very cheap! In this case, however, we advise against signing contracts hastily and against transferring any deposit, because criminals are currently renting Airbnb apartments and then listing them for rent on the internet. You view an apartment that is not available, sign an invalid contract and transfer the deposit to criminals!
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-bei-der-wohnungssuche-krimine…
∗∗∗ Grafana warns of critical auth bypass due to Azure AD integration ∗∗∗
---------------------------------------------
Grafana has released security fixes for multiple versions of its application, addressing a vulnerability that enables attackers to bypass authentication and take over any Grafana account that uses Azure Active Directory for authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/grafana-warns-of-critical-au…
∗∗∗ 5 facts to know about the Royal ransomware gang ∗∗∗
---------------------------------------------
A quick look at the cybercriminal group known as Royal—one of the fastest growing ransomware gangs today.
---------------------------------------------
https://www.malwarebytes.com/blog/business/2023/06/5-facts-to-know-about-th…
∗∗∗ Exploiting Noisy Oracles with Bayesian Inference ∗∗∗
---------------------------------------------
In cryptographic attacks, we often rely on abstracted information sources which we call “oracles”. [...] In practice, however, not all oracles are created equal: an oracle that comes from error messages may well be perfectly reliable, whereas one which relies on (say) timing side channels may have to deal with a non-negligible amount of noise. In this post, we’ll look at how to deal with noisy oracles, and how to mount attacks using them.
---------------------------------------------
https://research.nccgroup.com/2023/06/23/exploiting-noisy-oracles-with-baye…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9 and owslib), Fedora (dav1d, dotnet6.0, dotnet7.0, mingw-dbus, vim, and wabt), and SUSE (cloud-init and golang-github-vpenso-prometheus_slurm_exporter).
---------------------------------------------
https://lwn.net/Articles/936332/
∗∗∗ Multiple Vulnerabilities in Autodesk® InfraWorks software ∗∗∗
---------------------------------------------
Autodesk InfraWorks has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Hotfixes are available in the Autodesk Desktop App or the Accounts Portal to help resolve these vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0012
∗∗∗ WAGO: Controller with CODESYS 2.3 Runtime Denial-of-Service ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-006/
∗∗∗ WAGO: Series 750-3x/-8x prone to MODBUS server DoS ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-005/
∗∗∗ A vulnerability in containerd affects IBM Robotic Process Automation for Cloud Pak and may result in a denial of service (CVE-2022-23471) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7006699
∗∗∗ IBM Spectrum Scale Transparent Cloud Tiering is affected by a vulnerability which can allow an attacker to execute arbitrary code ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7006819
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998727
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-06-2023 18:00 − Friday 23-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft: Hackers hijack Linux systems using trojanized OpenSSH version ∗∗∗
---------------------------------------------
Microsoft says Internet-exposed Linux and Internet of Things (IoT) devices are being hijacked in brute-force attacks as part of a recently observed cryptojacking campaign.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-hackers-hijack-lin…
∗∗∗ NSA shares tips on blocking BlackLotus UEFI malware attacks ∗∗∗
---------------------------------------------
The U.S. National Security Agency (NSA) released today guidance on how to defend against BlackLotus UEFI bootkit malware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nsa-shares-tips-on-blocking-…
∗∗∗ Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware ∗∗∗
---------------------------------------------
A new strain of JavaScript dropper has been observed delivering next-stage payloads like Bumblebee and IcedID. Cybersecurity firm Deep Instinct is tracking the malware as PindOS, which contains the name in its "User-Agent" string. Both Bumblebee and IcedID serve as loaders, acting as a vector for other malware on compromised hosts, including ransomware.
---------------------------------------------
https://thehackernews.com/2023/06/powerful-javascript-dropper-pindos.html
∗∗∗ Security: RepoJacking on GitHub Also Affects Large Companies Such as Google ∗∗∗
---------------------------------------------
By taking over repositories behind renamed organizations on GitHub, attackers can distribute malicious code.
---------------------------------------------
https://heise.de/-9195575
∗∗∗ Fake Survey in the Name of ÖBB in Circulation! ∗∗∗
---------------------------------------------
You are among the "500 lucky customers" contacted by ÖBB to take part in a survey? You will receive 55 euros for completing the survey? That may sound tempting, but it is a scam. After you have completed the survey, you are asked to enter your credit card details and approve a payment! Therefore, ignore this e-mail.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-fake-umfrage-im-namen-der-o…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Teams: Security Vulnerability Lets Malware from External Accounts Through ∗∗∗
---------------------------------------------
A security vulnerability in Microsoft Teams allows attackers to send malware directly to the internal inbox.
---------------------------------------------
https://www.golem.de/news/microsoft-teams-sicherheitsluecke-laesst-malware-…
∗∗∗ Fortinet fixes critical FortiNAC RCE, install updates asap ∗∗∗
---------------------------------------------
Fortinet addressed a critical remote command execution vulnerability, tracked as CVE-2023-33299, affecting FortiNAC solution. FortiNAC is a network access control (NAC) solution designed by Fortinet that is used by organizations to secure and control access to networks by enforcing security policies, monitoring devices, and managing their access privileges.
---------------------------------------------
https://securityaffairs.com/147770/security/fortinet-fortinac-critical-flaw…
∗∗∗ Role-based Access Control and Privilege Management in OpenEdge Management (OEM) and in OpenEdge Explorer (OEE) ∗∗∗
---------------------------------------------
Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. [..] We have addressed the issue and updated the product for customers to remediate it.
---------------------------------------------
https://community.progress.com/s/article/Role-based-Access-Control-and-Priv…
∗∗∗ Junos OS and Junos OS Evolved: A BGP session will flap upon receipt of a specific, optional transitive attribute (CVE-2023-0026) ∗∗∗
---------------------------------------------
An Improper Input Validation vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When a BGP update message is received over an established BGP session, and that message contains a specific, optional transitive attribute, this session will be torn down with an update message error.
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-06-Out-of-Cycle-Security-B…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, lua5.3, and trafficserver), Fedora (tang and trafficserver), Oracle (.NET 7.0, c-ares, firefox, openssl, postgresql, python3, texlive, and thunderbird), Red Hat (python27:2.7 and python39:3.9 and python39-devel:3.9), Scientific Linux (c-ares), Slackware (cups), SUSE (cups, dav1d, google-cloud-sap-agent, java-1_8_0-openjdk, libX11, openssl-1_0_0, openssl-1_1, openssl-3, openvswitch, and python-sqlparse), and Ubuntu (cups, dotnet6, dotnet7, and openssl).
---------------------------------------------
https://lwn.net/Articles/936040/
∗∗∗ High-severity vulnerabilities patched in popular domain name software BIND ∗∗∗
---------------------------------------------
With the recently discovered vulnerabilities remote attackers could launch denial-of-service attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory released Friday. BIND stands for Berkeley Internet Name Domain.
---------------------------------------------
https://therecord.media/bind-9-patches-internet-dns-vulnerabilities
∗∗∗ VMware Closes Vulnerabilities in vCenter Server (June 22, 2023) ∗∗∗
---------------------------------------------
The vendor VMware has released updates for its vCenter Server to close serious (rated as important) vulnerabilities (CVE-2023-20892, CVE-2023-20893, CVE-2023-20894, CVE-2023-20895 and CVE-2023-20896).
---------------------------------------------
https://www.borncity.com/blog/2023/06/23/vmware-schliet-schwachstellen-in-v…
∗∗∗ Multiple Vulnerabilities in Fortra Globalscape EFT Administration Server [FIXED] ∗∗∗
---------------------------------------------
Rapid7 has uncovered four issues in Fortra Globalscape EFT, the worst of which can lead to remote code execution.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/06/22/multiple-vulnerabilities-in-for…
∗∗∗ FortiNAC - argument injection in XML interface on port tcp/5555 ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-096
∗∗∗ FortiNAC - java untrusted object deserialization RCE ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-074
∗∗∗ F5: K000135178 : OpenSSL vulnerability CVE-2023-2650 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000135178
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/23/cisa-adds-five-known-exp…
∗∗∗ Enphase Envoy ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-01
∗∗∗ Enphase Installer Toolkit Android App ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-02
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-06-2023 18:00 − Thursday 22-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ IoT Under Siege: The Anatomy of the Latest Mirai Campaign Leveraging Multiple IoT Exploits ∗∗∗
---------------------------------------------
Mirai is a still-active botnet with new variants. We highlight observed exploitation of IoT vulnerabilities — due to low complexity and high impact.
---------------------------------------------
https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/
∗∗∗ Alert: Million of GitHub Repositories Likely Vulnerable to RepoJacking Attack ∗∗∗
---------------------------------------------
Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking, a new study has revealed. This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua said in a Wednesday report.
---------------------------------------------
https://thehackernews.com/2023/06/alert-million-of-github-repositories.html
∗∗∗ LibreOffice Arbitrary File Write (CVE-2023-1883) ∗∗∗
---------------------------------------------
While performing a cursory inspection of the LibreOffice Base desktop database, we stumbled across an (arbitrary) file write issue. The fine folks at LibreOffice immediately addressed the vulnerability.
---------------------------------------------
https://secfault-security.com/blog/libreoffice.html
∗∗∗ Antivirus: Avast cuts off signature updates for old scanners ∗∗∗
---------------------------------------------
Avast is ending support for older virus scanners. Versions Avast 9, 10 and 11 will receive no more updates from the end of summer, including no new signatures.
---------------------------------------------
https://heise.de/-9194464
∗∗∗ PoC exploit for Cisco AnyConnect vulnerability CVE-2023-20178 enables SYSTEM privileges ∗∗∗
---------------------------------------------
The Cisco AnyConnect Secure Mobility Client software contains a vulnerability that lets attackers obtain SYSTEM privileges on Windows. A proof of concept for an exploit of this vulnerability (CVE-2023-20178) is now available.
---------------------------------------------
https://www.borncity.com/blog/2023/06/22/poc-exploit-fr-cisco-anyconnect-sc…
=====================
= Vulnerabilities =
=====================
∗∗∗ iOS 16.5.1 & Co: Apple fixes zero-day vulnerabilities in all systems ∗∗∗
---------------------------------------------
The serious vulnerabilities were apparently exploited to plant surveillance tools on Apple hardware. Patches are also available for older hardware.
---------------------------------------------
https://heise.de/-9194404
∗∗∗ VMSA-2023-0014 ∗∗∗
---------------------------------------------
The vCenter Server contains a heap overflow vulnerability due to the usage of uninitialized memory in the implementation of the DCERPC protocol. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.1.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0014.html
∗∗∗ Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites ∗∗∗
---------------------------------------------
A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites.
---------------------------------------------
https://thehackernews.com/2023/06/critical-flaw-found-in-wordpress-plugin.h…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (avahi, hsqldb, hsqldb1.8.0, minidlna, trafficserver, and xmltooling), Oracle (.NET 6.0, .NET 7.0, 18, c-ares, firefox, kernel, less, libtiff, libvirt, python, python3.11, texlive, and thunderbird), Red Hat (c-ares, kernel, kernel-rt, kpatch-patch, less, libtiff, libvirt, openssl, and postgresql), Slackware (bind and kernel), SUSE (bluez, curl, geoipupdate, kernel, netty, netty-tcnative, ntp, open-vm-tools, php8, python-reportlab, rustup, Salt, salt, terraform-provider-aws, terraform-provider-null, and webkit2gtk3), and Ubuntu (bind9, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gke, linux-gkeop, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-oracle, and linux-ibm).
---------------------------------------------
https://lwn.net/Articles/935872/
∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2023-20887 VMware Aria Operations for Networks Command Injection Vulnerability
CVE-2020-35730 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability
CVE-2020-12641 Roundcube Webmail Remote Code Execution Vulnerability
CVE-2021-44026 Roundcube Webmail SQL Injection Vulnerability
CVE-2016-9079 Mozilla Firefox, Firefox ESR, and Thunderbird Use-After-Free Vulnerability
CVE-2016-0165 Microsoft Win32k Privilege Escalation Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/22/cisa-adds-six-known-expl…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM App Connect Enterprise, IBM Security Directory Integrator, IBM Security QRadar SIEM, CICS TX, IBM InfoSphere Information Server, IBM MQ, IBM Integration Bus for z/OS, IBM Spectrum Protect, IBM Robotic Process Automation.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ ZDI-23-891: (0Day) ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-891/
∗∗∗ Drupal: Album Photos - Critical - Access bypass - SA-CONTRIB-2023-022 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-022
∗∗∗ Drupal: Civic Cookie Control - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-021 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-021
∗∗∗ Cisco Duo Two-Factor Authentication for macOS Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Secure Email Gateway, Cisco Secure Email and Web Manager, and Cisco Secure Web Appliance Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ BIND 9: CVE-2023-2828: named's configured cache size limit can be significantly exceeded ∗∗∗
---------------------------------------------
https://kb.isc.org/docs/cve-2023-2828
∗∗∗ BIND 9: CVE-2023-2829: Malformed NSEC records can cause named to terminate unexpectedly when synth-from-dnssec is enabled ∗∗∗
---------------------------------------------
https://kb.isc.org/docs/cve-2023-2829
∗∗∗ BIND 9: CVE-2023-2911: Exceeding the recursive-clients quota may cause named to terminate unexpectedly when stale-answer-client-timeout is set to 0 ∗∗∗
---------------------------------------------
https://kb.isc.org/docs/cve-2023-2911
∗∗∗ F5: K000134942 : Intel CPU vulnerability CVE-2022-33972 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134942
∗∗∗ SpiderControl SCADAWebServer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-173-03
∗∗∗ Advantech R-SeeNet ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-173-02
∗∗∗ Nextcloud: End-to-End encrypted file-drops can be made inaccessible ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x…
∗∗∗ Nextcloud: Password reset endpoint is not brute force protected ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m…
∗∗∗ Nextcloud: Open redirect on "Unsupported browser" warning ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h…
∗∗∗ Nextcloud: Brute force protection allows to send more requests than intended ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q…
∗∗∗ Nextcloud: User scoped external storage can be used to gather credentials of other users ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-6…
∗∗∗ Nextcloud: System addressbooks can be modified by malicious trusted server ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-06-2023 18:00 − Wednesday 21-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security updates: Attackers can target Zyxel NAS ∗∗∗
---------------------------------------------
Updated firmware versions for various Zyxel NAS models close a critical vulnerability.
---------------------------------------------
https://heise.de/-9193271
∗∗∗ Targeted attacks on iPhones: New details on spyware ∗∗∗
---------------------------------------------
iPhone spyware arrives via iMessage and, according to an analysis, can manipulate files and track the location, among other things. Macs may also be among the targets.
---------------------------------------------
https://heise.de/-9193906
∗∗∗ VMware Aria: Attacks on critical vulnerability – install the update! ∗∗∗
---------------------------------------------
VMware has updated its security advisory on a critical vulnerability in the monitoring software Aria Operations. According to the advisory, the vulnerability is being attacked.
---------------------------------------------
https://heise.de/-9193354
∗∗∗ Help, criminals are imitating my phone number for fraudulent calls! ∗∗∗
---------------------------------------------
It is widely known that criminals also like to pick up the phone to defraud people. Often, however, they rely on "spoofing", so that the people called are not shown the actual number behind the scam call. More and more often we are contacted by people whose number is being simulated and used for spam calls, because they constantly receive callbacks from annoyed people, [...]
---------------------------------------------
https://www.watchlist-internet.at/news/hilfe-kriminelle-imitieren-meine-tel…
∗∗∗ Microsoft fixes Azure AD auth flaw enabling account takeover ∗∗∗
---------------------------------------------
Microsoft has addressed an Azure Active Directory (Azure AD) authentication flaw that could allow threat actors to escalate privileges and potentially fully take over the target's account.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-fixes-azure-ad-aut…
∗∗∗ New Condi malware builds DDoS botnet out of TP-Link AX21 routers ∗∗∗
---------------------------------------------
A new DDoS-as-a-Service botnet called "Condi" emerged in May 2023, exploiting a vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to build an army of bots to conduct attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-condi-malware-builds-ddo…
∗∗∗ Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites ∗∗∗
---------------------------------------------
Two critical-severity authentication bypass vulnerabilities in WordPress plugins with tens of thousands of installations.
---------------------------------------------
https://www.securityweek.com/critical-wordpress-plugin-vulnerabilities-impa…
∗∗∗ Enphase Ignores CISA Request to Fix Remotely Exploitable Flaws ∗∗∗
---------------------------------------------
Enphase Energy has ignored CISA requests to fix remotely exploitable vulnerabilities in Enphase products.
---------------------------------------------
https://www.securityweek.com/enphase-ignores-cisa-request-to-fix-remotely-e…
∗∗∗ Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries ∗∗∗
---------------------------------------------
Backdoor leverages Microsoft Graph API for C&C communication.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/flea-bac…
∗∗∗ Analysis of Ransomware With BAT File Extension Attacking MS-SQL Servers (Mallox) ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the Mallox ransomware with the BAT file extension being distributed to poorly managed MS-SQL servers. Extensions of files distributed to poorly managed MS-SQL servers include not only EXE but also BAT, which is a fileless format. The files distributed with the BAT file extension that has been discovered so far are Remcos RAT and Mallox. The distributions include cases that use PowerShell and sqlps.
---------------------------------------------
https://asec.ahnlab.com/en/54704/
∗∗∗ AWS WAF Clients Left Vulnerable to SQL Injection Due to Unorthodox MSSQL Design Choice ∗∗∗
---------------------------------------------
While doing research on Microsoft SQL (MSSQL) Server, a GoSecure ethical hacker found an unorthodox design choice that ultimately led to a web application firewall (WAF) bypass.
---------------------------------------------
https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to…
∗∗∗ MOVEIt Vulnerability: A Painful Reminder That Threat Actors Aren’t the Only Ones Responsible for a Data Breach ∗∗∗
---------------------------------------------
The MOVEit data breach continues to impact a number of both private and government groups across the US and Europe by exposing confidential data. With breaches like this becoming increasingly common, it can be easy to blame advanced persistent threat (APT) groups and other malicious actors; however, there is a valuable lesson to learn from the MOVEit breach: it is essential to be proactive about these threats. Not doing so may lead to a breach. I’ve put together this blog post as a reminder that security organizations—and quite frankly, boards and executive leadership—should view internal security threats just as seriously as external ones when it comes time to protecting their organization’s sensitive information.
---------------------------------------------
https://www.safebreach.com/moveit-vulnerability-a-painful-reminder-that-thr…
∗∗∗ Gaps in Azure Service Fabric’s Security Call for User Vigilance ∗∗∗
---------------------------------------------
In this blog post, we discuss different configuration scenarios that may lead to security issues with Azure Service Fabric, a distributed platform for deploying, managing, and scaling microservices and container applications.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/gaps-in-azure-service-fabric…
∗∗∗ GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking ∗∗∗
---------------------------------------------
Millions of GitHub repositories are potentially vulnerable to RepoJacking. New research by Aqua Nautilus sheds light on the extent of RepoJacking, which if exploited may lead to code execution on organizations’ internal environments or on their customers’ environments. As part of our research, we found an enormous source of data that allowed us to sample a dataset and find some highly popular targets.
---------------------------------------------
https://blog.aquasec.com/github-dataset-research-reveals-millions-potential…
=====================
= Vulnerabilities =
=====================
∗∗∗ Heap-based buffer over-read in Autodesk® Desktop Licensing Service ∗∗∗
---------------------------------------------
Autodesk® Desktop Licensing Installer has been affected by privilege escalation vulnerabilities. Exploitation of these vulnerabilities could lead to code execution due to weak permissions.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0011
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libfastjson, libx11, opensc, python-mechanize, and wordpress), SUSE (salt and terraform-provider-helm), and Ubuntu (firefox, libx11, pngcheck, python-werkzeug, ruby3.1, and vlc).
---------------------------------------------
https://lwn.net/Articles/935552/
∗∗∗ K000135122 : Linux kernel vulnerability CVE-2023-0461 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000135122
∗∗∗ Multiple vulnerabilities in Open JDK affecting Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005601
∗∗∗ IBM Storage Protect is vulnerable to a denial of service attack due to Google Gson (CVE-2022-25647) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005605
∗∗∗ Multiple vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server January 2023 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005623
∗∗∗ Python Cryptographic Authority cryptography is vulnerable to IBM X-Force ID: 239927 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005639
∗∗∗ There is a vulnerability in Apache Commons BCEL used by IBM Maximo Asset Management (CVE-2022-42920) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991671
∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964694
∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect Cloud Pak System (CVE-2023-21830, 2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005573
∗∗∗ Vulnerability in Apache Tomcat Server (CVE-2023-28709) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005499
∗∗∗ IBM Operational Decision Manager June 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005851
∗∗∗ Operations Dashboard is vulnerable to multiple vulnerabilities in Golang ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005869
∗∗∗ SnakeYaml is vulnerable to CVE-2022-1471 used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005873
∗∗∗ A security vulnerability has been identified in FasterXML jackson-databind shipped with IBM Tivoli Netcool Impact (CVE-2021-46877) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7005907
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-06-2023 18:00 − Tuesday 20-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ SeroXen Mechanisms: Exploring Distribution, Risks, and Impact ∗∗∗
---------------------------------------------
This is the third installment of a three-part technical analysis of the fully undetectable (FUD) obfuscation engine BatCloak and SeroXen malware. In this entry, we document the techniques used to spread and abuse SeroXen, as well as the security risks, impact, implications of, and insights into highly evasive FUD batch obfuscators.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/seroxen-mechanisms-exploring…
∗∗∗ New RDStealer malware steals from drives shared over Remote Desktop ∗∗∗
---------------------------------------------
A cyberespionage and hacking campaign tracked as RedClouds uses the custom RDStealer malware to automatically steal data from drives shared through Remote Desktop connections.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-rdstealer-malware-steals…
∗∗∗ Honeypot Recon: MSSQL Server – Database Threat Overview 22’/23’ ∗∗∗
---------------------------------------------
In this article, we'll reveal botnet behavior before and after a successful attack. These bots have one job: to install malicious software that can mine digital coins or create backdoors into systems.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-re…
∗∗∗ How we wanted to book a train ticket and ended up with 245,000 records ∗∗∗
---------------------------------------------
To celebrate Franco-German friendship, Federal Transport Minister Wissing and his French counterpart Beaune came up with something special: 30,000 free Interrail tickets per country for travel in Germany and France for young adults between 18 and 27. However, quite a few things went wrong when the Interrail passes were distributed.
---------------------------------------------
https://zerforschung.org/posts/freundschaftspass-de/
∗∗∗ "iCloud storage is full": Phishing campaign targets Apple users ∗∗∗
---------------------------------------------
Free iCloud storage fills up quickly, and emails with upgrade notices are a familiar sight for many users. Criminals are once again counting on that as well.
---------------------------------------------
https://heise.de/-9192454
∗∗∗ OT:Icefall: Vulnerabilities Identified in Wago Controllers ∗∗∗
---------------------------------------------
Forescout Technologies has disclosed the details of vulnerabilities impacting operational technology (OT) products from Wago and Schneider Electric.
---------------------------------------------
https://www.securityweek.com/oticefall-vulnerabilities-identified-in-wago-c…
∗∗∗ Beware of fake Gymshark shops ∗∗∗
---------------------------------------------
Looking for cheap offers from the Gymshark brand? You will find them at the fake shops gymsharkwien.com, gym-shark-osterreich.com or gymsharkosterreichsale.com. By adding "Wien" or "Österreich" to the web address, the shops give the impression that they are Austrian shops. In fact, you have landed in a fake shop.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-gymshark-s…
∗∗∗ RecordBreaker Infostealer Disguised as a .NET Installer ∗∗∗
---------------------------------------------
Malware that is being distributed disguised as cracks is evolving. In the past, malware was simply distributed as the executable itself. However, there was a gradual shift towards also including normal files within a compressed file. More recently, there was a sample where a normal installer was downloaded and executed. If the malware is executed in an ordinary user environment, the encrypted malware file is downloaded from the threat actor’s server and executed.
---------------------------------------------
https://asec.ahnlab.com/en/54658/
∗∗∗ Tsunami DDoS Malware Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner. When looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS bots or CoinMiners.
---------------------------------------------
https://asec.ahnlab.com/en/54647/
=====================
= Vulnerabilities =
=====================
∗∗∗ Router firmware: Asus urgently advises updating due to critical vulnerabilities ∗∗∗
---------------------------------------------
Asus has closed critical vulnerabilities in the firmware for several router models that potentially allow attackers to execute malicious code.
---------------------------------------------
https://www.golem.de/news/router-firmware-asus-raet-aufgrund-kritischer-lue…
∗∗∗ Zyxel security advisory for pre-authentication command injection vulnerability in NAS products ∗∗∗
---------------------------------------------
The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request. After a thorough investigation, we have identified the vulnerable products that are within their vulnerability support period, with their firmware patches shown in the table below.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Storage Protect Server, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect Plus, ICP - IBM Answer Retrieval for Watson Discovery, IBM Watson Speech Services, IBM Robotic Process Automation, IBM dashDB Local, HMC, IBM Operations Analytics Predictive Insights, IBM Cloud Pak for Network Automation, IBM Spectrum Discover, IBM Copy Services Manager, IBM SDK and IBM Maximo.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libxpm and php7.3), Fedora (chromium), Mageia (kernel, kernel-linus, and sysstat), Red Hat (c-ares), SUSE (libwebp), and Ubuntu (cups-filters, libjettison-java, and libsvgpp-dev).
---------------------------------------------
https://lwn.net/Articles/935353/
∗∗∗ Enphase Envoy ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-01
∗∗∗ Enphase Installer Toolkit Android App ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-171-02
∗∗∗ 2023-06-20: OXAS-ADV-2023-0002 ∗∗∗
---------------------------------------------
https://documentation.open-xchange.com/security/advisories/txt/oxas-adv-202…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 16-06-2023 18:00 − Monday 19-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Android spyware camouflaged as VPN, chat apps on Google Play ∗∗∗
---------------------------------------------
Three Android apps on Google Play were used by state-sponsored threat actors to collect intelligence from targeted devices, such as location data and contact lists.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-spyware-camouflaged-…
∗∗∗ Security Expert Defeats Lenovo Laptop BIOS Password With a Screwdriver ∗∗∗
---------------------------------------------
Cybersecurity experts at CyberCX have demonstrated a simple method for consistently accessing older BIOS-locked laptops by shorting pins on the EEPROM chip with a screwdriver, enabling full access to the BIOS settings and bypassing the password.
---------------------------------------------
https://it.slashdot.org/story/23/06/16/2322255/security-expert-defeats-leno…
∗∗∗ From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks. "The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit," Cado Security said in a technical report.
---------------------------------------------
https://thehackernews.com/2023/06/from-cryptojacking-to-ddos-attacks.html
∗∗∗ New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions ∗∗∗
---------------------------------------------
A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis.
---------------------------------------------
https://thehackernews.com/2023/06/new-mystic-stealer-malware-targets-40.html
∗∗∗ [SANS ISC] Malware Delivered Through .inf File ∗∗∗
---------------------------------------------
Today, I published the following diary on isc.sans.edu: “Malware Delivered Through .inf File“: Microsoft has used “.inf” files for a while. They are simple text files and contain setup information in a driver package. They describe what must be performed to install a driver package on a device. When you read them, the syntax is straightforward to understand. The file is based on sections that describe what must be performed. One of them is very interesting for attackers: [RunPreSetupCommandsSection].
---------------------------------------------
https://blog.rootshell.be/2023/06/19/sans-isc-malware-delivered-through-inf…
∗∗∗ The Phantom Menace: Exposing hidden risks through ACLs in Active Directory (Part 1) ∗∗∗
---------------------------------------------
The abuse of misconfigured Access Control Lists is nothing new. However, it is still one of the main ways of lateral movement and privilege escalation within an active directory domain. [..] In this post, we will discuss, in a general overview, some concepts that will help us understand how Windows handles access relationships and privileges between objects and how to enumerate these relationships.
---------------------------------------------
https://labs.lares.com/securing-active-directory-via-acls/
∗∗∗ Speculative Denial-of-Service Attacks in Ethereum ∗∗∗
---------------------------------------------
Block proposers speculatively execute transactions when creating blocks to maximize their profits. How can this go wrong? In “Speculative Denial-of-Service Attacks in Ethereum”, we show how speculative execution allows attackers to cheaply DoS the network.
---------------------------------------------
https://medium.com/@aviv.yaish/speculative-denial-of-service-attacks-in-eth…
∗∗∗ Warning: Malware Disguised as a Security Update Installer Being Distributed ∗∗∗
---------------------------------------------
AhnLab, in collaboration with the National Cyber Security Center (NCSC) Joint Analysis and Consultation Council, has recently uncovered the attack of a hacking group that is supported by a certain government. The discovered malware disguised itself as a security update installer and was developed using the Inno Setup software.
---------------------------------------------
https://asec.ahnlab.com/en/54375/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-889: Schneider Electric IGSS DashFiles Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Schneider Electric IGSS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-889/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-go.crypto, maradns, requests, sofia-sip, and xmltooling), Fedora (chromium, iaito, iniparser, libX11, matrix-synapse, radare2, and thunderbird), Red Hat (c-ares, jenkins and jenkins-2-plugins, and texlive), SUSE (bluez, chromium, go1.19, go1.20, jetty-minimal, kernel, kubernetes1.18, kubernetes1.23, kubernetes1.24, libX11, open-vm-tools, openvswitch3, opera, syncthing, and xen), and Ubuntu (libcap2, libpod, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-lowlatency, linux-raspi, linux-oem-5.17, linux-oem-6.1, pypdf2, and qemu).
---------------------------------------------
https://lwn.net/Articles/935184/
∗∗∗ Vulnerability in Apache Commons FileUpload may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998653
∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004699
∗∗∗ Vulnerability in Eclipse OpenJ9 affects Rational Performance Tester (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004703
∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004701
∗∗∗ Vulnerability in Eclipse OpenJ9 affects Rational Service Tester (CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004705
∗∗∗ Vulnerabilities in Golang, Python, postgresql, cURL libcurl might affect IBM Spectrum Copy Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995589
∗∗∗ Vulnerabilities with OpenSSL, Apache HTTP Server, Python affect IBM Cloud Object Storage Systems (June 2023v1) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004661
∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Performance Tester. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004709
∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Service Tester. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004711
∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-1280, CVE-2023-0386, CVE-2022-4269, CVE-2022-2873, CVE-2022-4378) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995585
∗∗∗ Vulnerabilities with Linux Kernel, OpenJDK affect IBM Cloud Object Storage Systems (June 2023) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002711
∗∗∗ Vulnerabilities in Golang Go might affect IBM Spectrum Copy Data Management (CVE-2023-24536, CVE-2023-24537, CVE-2023-24538) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998399
∗∗∗ IBM Sterling Control Center is vulnerable to denial of service attack due to Java SE (CVE-2022-21426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004723
∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Java SE (CVE-2023-21830, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004721
∗∗∗ Vulnerabilities in OpenSSL might affect IBM Spectrum Copy Data Management (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995593
∗∗∗ IBM Aspera Shares is vulnerable to cross-site scripting due to JQuery-UI (CVE-2021-41184, CVE-2021-41183, CVE-2021-41182) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004731
∗∗∗ Vulnerabilities in Oracle Java SE might affect IBM Spectrum Copy Data Management (CVE-2023-21968, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21937, CVE-2023-21930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995595
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004197
∗∗∗ Vulnerabilities in Flask and Pallets Werkzeug may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2023-30861, CVE-2023-25577, CVE-2023-23934) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999973
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986323
∗∗∗ Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001663
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 15-06-2023 18:00 − Friday 16-06-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Another RAT Delivered Through VBS, (Fri, Jun 16th) ∗∗∗
---------------------------------------------
VBS looks popular these days. After Didier's last diary, I found another interesting script. It started with an email that referenced a fake due invoice. The invoice icon pointed to a URL. Usually, such URLs display a fake login page asking for credentials. Not this time.
---------------------------------------------
https://isc.sans.edu/diary/rss/29956
∗∗∗ Demystifying Website Hacktools: Types, Threats, and Detection ∗∗∗
---------------------------------------------
When we think about website malware, visible infection symptoms most often come to mind: unwanted ads or pop-ups, redirects to third party sites, or spam keywords in search results. However, in some cases these very symptoms are the results of hacktools, a diverse and often insidious category of software designed to exploit vulnerabilities and compromise website security.
---------------------------------------------
https://blog.sucuri.net/2023/06/demystifying-website-hacktools-types-threat…
∗∗∗ ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC ∗∗∗
---------------------------------------------
The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities. The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS (DoH) tunneling.
---------------------------------------------
https://thehackernews.com/2023/06/chameldoh-new-linux-backdoor-utilizing.ht…
=====================
= Vulnerabilities =
=====================
∗∗∗ FortiOS & FortiProxy: authenticated user null pointer dereference in SSL-VPN ∗∗∗
---------------------------------------------
A NULL pointer dereference vulnerability in SSL-VPN may allow an authenticated remote attacker to trigger a crash of the SSL-VPN service via crafted requests.
CVE: CVE-2023-33306
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-23-015
∗∗∗ Microsoft ODBC and OLE DB Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via a connection driver (for example: ODBC and / or OLEDB as applicable).
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29349
∗∗∗ Microsoft OLE DB Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
An attacker could exploit the vulnerability by tricking an authenticated user into attempting to connect to a malicious SQL server via OLEDB, which could result in the server receiving a malicious networking packet. This could allow the attacker to execute code remotely on the client.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32028
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, openjdk-17, and wireshark), Fedora (iniparser, mariadb, mingw-glib2, perl-HTML-StripScripts, php, python3.7, and syncthing), Oracle (.NET 6.0, c-ares, kernel, nodejs, and python3.9), Slackware (libX11), SUSE (amazon-ssm-agent and chromium), and Ubuntu (gsasl, libx11, and sssd).
---------------------------------------------
https://lwn.net/Articles/934939/
∗∗∗ Mattermost security updates 7.10.3 / 7.9.5 / 7.8.7 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-3-7-9-5-7-8-7-…
∗∗∗ Another critical vulnerability in MOVEit Transfer - workaround and patches available ∗∗∗
---------------------------------------------
Another critical vulnerability has been discovered in MOVEit Transfer. Impact: Since this is an SQL injection vulnerability, it must be assumed that all data stored on affected systems is at risk.
---------------------------------------------
https://cert.at/de/warnungen/2023/6/weitere-kritische-sicherheitslucke-in-m…
∗∗∗ CISA Releases Fourteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* SUBNET PowerSYSTEM Center
* Advantech WebAccessSCADA
* Siemens SICAM Q200 Devices
* Siemens SIMOTION
* Siemens SIMATIC WinCC
* Siemens TIA Portal
* Siemens SIMATIC WinCC V7
* Siemens SIMATIC STEP 7 and Derived Products
* Siemens Solid Edge
* Siemens SIMATIC S7-1500 TM MFP BIOS
* Siemens SIMATIC S7-1500 TM MFP Linux Kernel
* Siemens SINAMICS Medium Voltage Products
* Siemens SICAM A8000 Devices
* Siemens Teamcenter Visualization and JT2Go
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/15/cisa-releases-fourteen-i…
∗∗∗ Multiple vulnerabilities in Panasonic AiSEG2 ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN19748237/
∗∗∗ ZDI-23-879: (0Day) Ashlar-Vellum Cobalt AR File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-879/
∗∗∗ ZDI-23-878: (0Day) Ashlar-Vellum Cobalt AR File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-878/
∗∗∗ ZDI-23-877: (0Day) Ashlar-Vellum Cobalt IGS File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-877/
∗∗∗ ZDI-23-876: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-876/
∗∗∗ ZDI-23-875: (0Day) Ashlar-Vellum Cobalt XE File Parsing Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-875/
∗∗∗ ZDI-23-874: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-874/
∗∗∗ ZDI-23-873: (0Day) Ashlar-Vellum Cobalt Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-873/
∗∗∗ ZDI-23-872: (0Day) Ashlar-Vellum Cobalt Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-872/
∗∗∗ ZDI-23-871: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-871/
∗∗∗ ZDI-23-870: (0Day) Ashlar-Vellum Cobalt Uninitialized Memory Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-870/
∗∗∗ ZDI-23-869: (0Day) Ashlar-Vellum Cobalt Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-869/
∗∗∗ ZDI-23-868: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-868/
∗∗∗ ZDI-23-867: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-867/
∗∗∗ ZDI-23-866: (0Day) Ashlar-Vellum Graphite VC6 File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-866/
∗∗∗ ZDI-23-865: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-865/
∗∗∗ ZDI-23-864: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Access Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-864/
∗∗∗ ZDI-23-863: (0Day) Ashlar-Vellum Cobalt Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-863/
∗∗∗ ZDI-23-862: (0Day) Ashlar-Vellum Cobalt CO File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-862/
∗∗∗ ZDI-23-861: (0Day) Ashlar-Vellum Cobalt CO File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-861/
∗∗∗ ZDI-23-860: (0Day) Ashlar-Vellum Cobalt XE File Parsing Untrusted Pointer Dereference Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-860/
∗∗∗ ZDI-23-859: (0Day) Ashlar-Vellum Cobalt CO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-859/
∗∗∗ CVE-2023-32027 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32027
∗∗∗ CVE-2023-29356 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29356
∗∗∗ CVE-2023-32025 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32025
∗∗∗ CVE-2023-32026 Microsoft ODBC Driver for SQL Server Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-32026
∗∗∗ Multiple vulnerabilities in Curl affect PowerSC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004263
∗∗∗ There is a security vulnerability in AWS SDK for Java used by Maximo Asset Management (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002345
∗∗∗ IBM SPSS Modeler is vulnerable to SSL private key exposure (CVE-2023-33842) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004299
∗∗∗ Vulnerability of xmlbeans-2.6.0.jar has affected APM DataPower agent. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004599
∗∗∗ Vulnerabilities of Apache commons codec (commons-codec-1.6.jar) have affected APM NetApp Storage and APM File Gateway Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004597
∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004655
∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004653
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 14-06-2023 18:00 − Thursday 15-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft: Windows Kernel CVE-2023-32019 fix is disabled by default ∗∗∗
---------------------------------------------
Microsoft has released an optional fix to address a Kernel information disclosure vulnerability affecting systems running multiple Windows versions, including the latest Windows 10, Windows Server, and Windows 11 releases.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-windows-kernel-cve…
∗∗∗ Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway ∗∗∗
---------------------------------------------
A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022. "UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," Google-owned Mandiant said in a new report published today, [...]
---------------------------------------------
https://thehackernews.com/2023/06/chinese-unc4841-group-exploits-zero-day.h…
∗∗∗ Hardware Hacking to Bypass BIOS Passwords ∗∗∗
---------------------------------------------
This article serves as a beginner’s hardware hacking journey, performing a BIOS password bypass on Lenovo laptops. We identify what the problem is, how to identify a vulnerable chip, how to bypass a vulnerable chip, and finally, analyse why this attack works and ways that it can be prevented.
---------------------------------------------
https://blog.cybercx.co.nz/bypassing-bios-password
∗∗∗ Reverse Engineering Terminator aka Zemana AntiMalware/AntiLogger Driver ∗∗∗
---------------------------------------------
Recently, a threat actor (TA) known as SpyBot posted a tool, on a Russian hacking forum, that can terminate any antivirus/Endpoint Detection & Response (EDR/XDR) software. [..] While I’ve seen a lot of material from the defensive community (they were fast on this one) about the detection mechanism, IOCs, prevention policies and intelligence, I feel some other, perhaps more interesting vulnerable code paths in this driver were not explored nor discussed.
---------------------------------------------
https://voidsec.com/reverse-engineering-terminator-aka-zemana-antimalware-a…
∗∗∗ Security updates: Attacks on Google Pixel smartphones observed ∗∗∗
---------------------------------------------
Google has closed numerous security vulnerabilities in Pixel smartphones running Android 13. One vulnerability is rated critical.
---------------------------------------------
https://heise.de/-9188302
∗∗∗ Eset closes security vulnerabilities in virus scanners for Linux and Mac ∗∗∗
---------------------------------------------
Due to a high-risk security vulnerability in Eset's antivirus protection for Linux and Mac, attackers can escalate their privileges. Updates are available.
---------------------------------------------
https://heise.de/-9188823
∗∗∗ Critical flaw: Code injection possible on more than 50 HP Laserjet MFP models ∗∗∗
---------------------------------------------
HP warns of a critical security vulnerability in more than 50 HP (Enterprise) Laserjet MFP models. Remote attackers can inject malicious code.
---------------------------------------------
https://heise.de/-9188162
∗∗∗ WhatsApp backups targeted by Android GravityRAT ∗∗∗
---------------------------------------------
ESET researchers analyzed an updated version of the Android spyware GravityRAT, which steals WhatsApp backup files and can receive commands to delete files.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/06/15/whatsapp-backups-im-visie…
∗∗∗ Android Malware Impersonates ChatGPT-Themed Applications ∗∗∗
---------------------------------------------
Android malware posing as ChatGPT-themed apps targets mobile users. We report on instances of this attack vector, identifying two distinct types.
---------------------------------------------
https://unit42.paloaltonetworks.com/android-malware-poses-as-chatgpt/
∗∗∗ Companies affected by LinkedIn fraud cases ∗∗∗
---------------------------------------------
The most common form of fraud is a connection request from an unknown person with a suspicious link in the message.
---------------------------------------------
https://www.zdnet.de/88409942/unternehmen-von-linkedin-betrugsfaellen-betro…
∗∗∗ CISA and NSA Release Joint Guidance on Hardening Baseboard Management Controllers (BMCs) ∗∗∗
---------------------------------------------
Today, CISA, together with the National Security Agency (NSA), released a Cybersecurity Information Sheet (CSI), highlighting threats to Baseboard Management Controller (BMC) implementations and detailing actions organizations can use to harden them. BMCs are trusted components designed into a computer's hardware that operate separately from the operating system (OS) and firmware to allow for remote management and control, even when the system is shut down.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/14/cisa-and-nsa-release-joi…
∗∗∗ Well-crafted phishing attempt with malware in Microsoft's name ∗∗∗
---------------------------------------------
A blog reader pointed out to me a well-crafted phishing attempt by e-mail that takes up the topic of multi-factor authentication (MFA). It suggests that the mail originates from Microsoft itself (a Microsoft subdomain is used) and that people act [...]
---------------------------------------------
https://www.borncity.com/blog/2023/06/15/gut-gemachter-phishing-versuch-mit…
∗∗∗ Hijacking S3 Buckets: New Attack Technique Exploited in the Wild by Supply Chain Attackers ∗∗∗
---------------------------------------------
Without altering a single line of code, attackers poisoned the NPM package “bignum” by hijacking the S3 bucket serving binaries necessary for its function and replacing them with malicious ones.
---------------------------------------------
https://checkmarx.com/blog/hijacking-s3-buckets-new-attack-technique-exploi…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-858: (0Day) Pulse Secure Client SetupService Directory Traversal Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of Pulse Secure Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-858/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk), Fedora (python-django-filter and qt), Mageia (cups, firefox/nss, httpie, thunderbird, and webkit2), Red Hat (.NET 6.0, .NET 7.0, c-ares, firefox, jenkins and jenkins-2-plugins, nodejs, nodejs:18, python3, python3.11, python3.9, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (frr, opensc, python3, and rekor), and Ubuntu (c-ares, glib2.0, libcap2, linux-intel-iotg-5.15, pano13, and requests).
---------------------------------------------
https://lwn.net/Articles/934802/
∗∗∗ Vulnerabilities in Samba ∗∗∗
---------------------------------------------
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system.
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-05
∗∗∗ Windows PowerShell PS1 Trojan File RCE ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023060031
∗∗∗ Office Hours - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-020 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-020
∗∗∗ CVE-2023-0010 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0010
∗∗∗ CVE-2023-0009 GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0009
∗∗∗ IBM Sterling Partner Engagement Manager is vulnerable to CSS injection due to Swagger UI (CVE-2019-17495) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004151
∗∗∗ IBM Sterling Partner Engagement Manager vulnerable to buffer overflow due to OpenJDK (CVE-2023-2597) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004153
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to remote sensitive information exposure due to IBM GSKit (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004175
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2022-39161] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004183
∗∗∗ Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-24966, CVE-2022-39161, CVE-2023-27554, CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004187
∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004199
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7004197
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, go and apr-util ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999605
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 13-06-2023 18:00 − Wednesday 14-06-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft: Windows 10 21H2 has reached end of servicing ∗∗∗
---------------------------------------------
Multiple editions of Windows 10 21H2 have reached their end of service (EOS) in this month's Patch Tuesday, as Microsoft reminded customers today.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-21h2-h…
∗∗∗ Fake Researcher Profiles Spread Malware through GitHub Repositories as PoC Exploits ∗∗∗
---------------------------------------------
At least half a dozen GitHub accounts from fake researchers associated with a fraudulent cybersecurity company have been observed pushing malicious repositories on the code hosting service. All seven repositories, which are still available as of writing, claim to be a proof-of-concept (PoC) exploit for purported zero-day flaws in Discord, Google Chrome, and Microsoft Exchange Server,
---------------------------------------------
https://thehackernews.com/2023/06/fake-researcher-profiles-spread-malware.h…
∗∗∗ Shampoo: A New ChromeLoader Campaign ∗∗∗
---------------------------------------------
Recently HP Wolf Security detected a new malware campaign built around a new malicious ChromeLoader extension called Shampoo. [..] Its goal is to install a malicious extension in Google Chrome that is used for advertising. Older versions of ChromeLoader have a particularly complex infection chain, starting with the victim downloading malicious ISO files from websites hosting illegal content.
---------------------------------------------
https://www.bromium.com/shampoo-a-new-chromeloader-campaign/
∗∗∗ VMware ESXi Zero-Day Used [..] to Perform Privileged Guest Operations on Compromised Hypervisors ∗∗∗
---------------------------------------------
This blog post describes an expanded understanding of the attack path seen in Figure 1 and highlights the implications of both the zero-day vulnerability (CVE-2023-20867) and VMCI communication sockets the attacker leveraged to complete their goal.
[Note: Patch available, see VMSA-2023-0013: "VMware Tools update addresses Authentication Bypass vulnerability"]
---------------------------------------------
https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass
∗∗∗ Pre-announcement of BIND 9 security issues scheduled for disclosure 21 June 2023 ∗∗∗
---------------------------------------------
As part of our policy of pre-notification of upcoming security releases, we are writing to inform you that the June 2023 BIND 9 maintenance releases that will be published on Wednesday, 21 June will contain patches for security vulnerabilities affecting stable BIND 9 release branches.
---------------------------------------------
https://lists.isc.org/pipermail/bind-announce/2023-June/001234.html
∗∗∗ Booking.com fraud: Accommodations cancel bookings and demand external payments! ∗∗∗
---------------------------------------------
Criminals appear to have discovered a new fraud method on booking.com. They offer accommodation with payment on site and free cancellation. When someone books the accommodation, the booking is cancelled shortly afterwards. Outside the booking.com communication channels, a renewed booking is promised after "verification of the payment method".
---------------------------------------------
https://www.watchlist-internet.at/news/bookingcom-betrug-unterkuenfte-storn…
∗∗∗ U.S. and International Partners Release Comprehensive Cyber Advisory on LockBit Ransomware ∗∗∗
---------------------------------------------
This joint advisory is a comprehensive resource with common tools; exploitations; and tactics, techniques, and procedures (TTPs) used by LockBit affiliates, along with recommended mitigations for organizations to reduce the likelihood and impact of future ransomware incidents.
---------------------------------------------
https://www.cisa.gov/news-events/news/us-and-international-partners-release…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Stripe payment plugin bug leaks customer order details ∗∗∗
---------------------------------------------
The WooCommerce Stripe Gateway plugin for WordPress was found to be vulnerable to a bug that allows any unauthenticated user to view order details placed through the plugin.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wordpress-stripe-payment-plu…
∗∗∗ Web browser: New Chrome version closes critical vulnerability ∗∗∗
---------------------------------------------
There is a critical security vulnerability in Google's Chrome web browser. Updates to close it are available. Chrome users should install them promptly.
---------------------------------------------
https://heise.de/-9186834
∗∗∗ Web conferencing software: Several high-risk vulnerabilities fixed in Zoom ∗∗∗
---------------------------------------------
The developers of the web conferencing software Zoom have published twelve security advisories. They are providing updates to close the vulnerabilities.
---------------------------------------------
https://heise.de/-9186898
∗∗∗ WordPress shops with WooCommerce plug-in: Attackers could view customer data ∗∗∗
---------------------------------------------
Due to a vulnerability, personal customer data in WordPress shop websites is not optimally protected. Admins should act promptly.
---------------------------------------------
https://heise.de/-9187447
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ffmpeg, owslib, php7.4, and php8.2), Fedora (ntp-refclock, php, and python3.7), Red Hat (c-ares, firefox, and thunderbird), SUSE (kernel, openldap2, and tomcat), and Ubuntu (binutils, dotnet6, dotnet7, node-fetch, and python-tornado).
---------------------------------------------
https://lwn.net/Articles/934619/
∗∗∗ SAP Patches High-Severity Vulnerabilities With June 2023 Security Updates ∗∗∗
---------------------------------------------
SAP has released eight new security notes on June 2023 Security Patch Day, including two that address high-severity vulnerabilities.
---------------------------------------------
https://www.securityweek.com/sap-patches-high-severity-vulnerabilities-with…
∗∗∗ ICS Patch Tuesday: Siemens Addresses Over 180 Third-Party Component Vulnerabilities ∗∗∗
---------------------------------------------
ICS Patch Tuesday: Siemens and Schneider Electric have published more than a dozen advisories addressing over 200 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-over-180-t…
∗∗∗ Windows and Linux Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2023-24490 ∗∗∗
---------------------------------------------
CTX559370: Windows and Linux Virtual Delivery Agent for CVAD and Citrix DaaS Security Bulletin CVE-2023-24490. Applicable Products: Citrix Virtual Apps and Desktops
---------------------------------------------
https://support.citrix.com/article/CTX559370/windows-and-linux-virtual-deli…
∗∗∗ Fortinet Releases June 2023 Vulnerability Advisories ∗∗∗
---------------------------------------------
Fortinet has released its June 2023 Vulnerability Advisories to address vulnerabilities affecting multiple products. An attacker could exploit one of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Fortinet June 2023 Vulnerability Advisories page for more information and apply the necessary updates.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/13/fortinet-releases-june-2…
∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following Adobe Security Bulletins and apply the necessary updates.
- Experience Manager APSB23-31
- Commerce APSB23-35
- Animate APSB23-36
- Substance 3D Designer APSB23-39
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/13/adobe-releases-security-…
∗∗∗ Tuesday June 20 2023 Security Releases ∗∗∗
---------------------------------------------
The Node.js project will release new versions of the 16.x, 18.x and 20.x release lines on, or shortly after, Tuesday June 20 2023 in order to address: 7 medium severity issues, 3 high severity issues, OpenSSL security updates, c-ares 22nd May security updates
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
∗∗∗ Microsoft Releases June 2023 Security Updates ∗∗∗
---------------------------------------------
Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s June 2023 Security Update Guide and Deployment Information and apply the necessary updates.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/13/microsoft-releases-june-…
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999317
∗∗∗ IBM Security Guardium is affected by multiple Oracle® MySQL vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981105
∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT krb5 (CVE-2022-42898) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981101
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000021
∗∗∗ IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6573001
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to HTTP request smuggling in Apache Tomcat (CVE-2022-42252). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003581
∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2023-0286, CVE-2023-23931) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003815
∗∗∗ A vulnerability in Certifi package may affect IBM Storage Scale (CVE-2022-23491) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003817
∗∗∗ IBM App Connect for Healthcare is affected by multiple Apache vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999671
∗∗∗ Apache Commons FileUpload vulnerability affects IBM Financial Transaction Manager (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003827
∗∗∗ TADDM is vulnerable to a denial of service due to vulnerability in Castor Library ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003861
∗∗∗ Multiple Vulnerabilities of Apache HttpClient have affected APM Linux KVM Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003887
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 12-06-2023 18:00 − Tuesday 13-06-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away ∗∗∗
---------------------------------------------
Key-leaking side channels are a fact of life. Now they can be done by video-recording power LEDs.
---------------------------------------------
https://arstechnica.com/?p=1947319
∗∗∗ Password manager Bitwarden: Master key was readable by everyone ∗∗∗
---------------------------------------------
The password manager Bitwarden supports authentication with Windows Hello. Until recently, the master key could be read by anyone through it.
---------------------------------------------
https://heise.de/-9184586
∗∗∗ BSI releases version 1.0.1 of the TLS test tool TaSK ∗∗∗
---------------------------------------------
Following the release of a beta version in January, the BSI has added further functionality in the new version. The version is functional for TLS servers, TLS clients and for further specialised applications such as eID clients, eID servers or e-mail servers.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Beware of overly cheap "La Sportiva" products ∗∗∗
---------------------------------------------
The mountains and the fake offers on the internet are calling. Currently, fake shops for the outdoor brand "La Sportiva" are increasingly being reported to us. Customers are made aware of the bargains primarily through advertising on Facebook, Instagram and the like. If the price is too good to be true, it is a fake.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-zu-guenstigen-la-sporti…
∗∗∗ Inside Win32k Exploitation: Background on Implementations of Win32k and Exploitation Methodologies ∗∗∗
---------------------------------------------
This is part one of a series that will cover Win32k internals and exploitation in general using these two vulnerabilities (CVE-2022-21882, CVE-2021-1732) and their related proof-of-concept (PoC) exploits as examples.
---------------------------------------------
https://unit42.paloaltonetworks.com/win32k-analysis-part-1/
∗∗∗ Are smartphone thermal cameras sensitive enough to uncover PIN codes? ∗∗∗
---------------------------------------------
I started out thinking that these cameras were gimmicks, but they've become an important tool in the toolbox. Here's why - and a little test.
---------------------------------------------
https://www.zdnet.com/home-and-office/are-smartphone-thermal-cameras-sensit…
=====================
= Vulnerabilities =
=====================
∗∗∗ Dynamic Linq Injection Remote Code Execution Vulnerability (CVE-2023-32571) ∗∗∗
---------------------------------------------
Product Name: System.Linq.Dynamic.Core
Affected versions 1.0.7.10 to 1.2.25
CVE: CVE-2023-32571
CVSSv3.1 base score 9.1
Users can execute arbitrary code and commands where user input is passed to Dynamic Linq methods such as .Where(...), .All(...), .Any(...) and .OrderBy(...).
---------------------------------------------
https://research.nccgroup.com/2023/06/13/dynamic-linq-injection-remote-code…
∗∗∗ TYPO3 Security Advisories ∗∗∗
---------------------------------------------
Several vulnerabilities have been found in the following third party TYPO3
extensions:
"Faceted Search" (ke_search)
"ipandlanguageredirect" (ipandlanguageredirect)
"Canto Extension" (canto_extension)
For further information on the issues, please read the related advisories
TYPO3-EXT-SA-2023-004, TYPO3-EXT-SA-2023-005 and TYPO3-EXT-SA-2023-006
---------------------------------------------
https://typo3.org/help/security-advisories
∗∗∗ New Siemens Security Advisories ∗∗∗
---------------------------------------------
TIA Portal, SIMOTION, SIMATIC WinCC, Teamcenter Visualization and JT2Go, CPCI85 Firmware of SICAM A8000 Devices, SIMATIC S7-1500 TM MFP V1.0, SICAM Q200 Devices, SIMATIC WinCC V7, Integrated SCALANCE S615 of SINAMICS Medium Voltage Products, in SIMATIC STEP 7 V5.x and Derived Products, Solid Edge
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (vim), Fedora (kernel), Oracle (emacs, firefox, python3, and qemu), SUSE (firefox, java-1_8_0-ibm, and libwebp), and Ubuntu (firefox, glusterfs, and sniproxy).
---------------------------------------------
https://lwn.net/Articles/934492/
∗∗∗ Synology-SA-23:08 SRM ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to obtain user credential via a susceptible version of Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_08
∗∗∗ Synology-SA-23:07 DSM ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to obtain user credential via a susceptible version of Synology DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_07
∗∗∗ Synology-SA-23:06 SRM ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to read arbitrary files via a susceptible version of Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_06
∗∗∗ Synology-SA-23:05 DSM ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to read arbitrary files via a susceptible version of Synology DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_05
∗∗∗ ShareFile StorageZones Controller Security Update for CVE-2023-24489 ∗∗∗
---------------------------------------------
A vulnerability has been discovered in the customer-managed ShareFile storage zones controller which, if exploited, could allow an unauthenticated attacker to remotely compromise the customer-managed ShareFile storage zones controller. This vulnerability affects all currently supported versions of customer-managed ShareFile storage zones controller before version 5.11.24. [..] All customer-managed ShareFile storage zones controllers versions prior to the latest version 5.11.24 have been blocked to protect our customers. Customers will be able to reinstate the storage zones controller once the update to 5.11.24 is applied.
---------------------------------------------
https://support.citrix.com/article/CTX559517/sharefile-storagezones-control…
∗∗∗ Critical vulnerability in Fortinet FortiOS and FortiProxy SSL-VPN products - actively exploited, updates available ∗∗∗
---------------------------------------------
13 June 2023. Description: Fortinet has issued a warning that a critical vulnerability exists in the SSL-VPN components of the FortiOS and FortiProxy products, which is already being actively exploited, and is providing initial updates. CVE number(s): CVE-2023-27997. CVSSv3 score: 9.2. Impact: Unauthenticated attackers can execute arbitrary code on affected devices by exploiting the vulnerability. Since these devices
---------------------------------------------
https://cert.at/de/warnungen/2023/6/kritische-sicherheitslucke-in-fortinet-…
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
- ICSA-23-164-01 Datalogics Library Third-Party
- ICSA-23-164-02 Rockwell Automation FactoryTalk Services Platform
- ICSA-23-164-03 Rockwell Automation FactoryTalk Edge Gateway
- ICSA-23-164-04 Rockwell Automation FactoryTalk Transaction Manager
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/13/cisa-releases-four-indus…
∗∗∗ Chatwork Desktop Application (Mac) vulnerable to code injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN96828492/
∗∗∗ PHOENIX CONTACT: FL MGUARD affected by two vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-010/
∗∗∗ 2023-06-12: Cyber Security Advisory - ABB Relion REX640 Cyber Security Improvements ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001423&Language…
∗∗∗ VMSA-2023-0013 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0013.html
∗∗∗ System Management Module (SMM) v1 and v2 / Fan Power Controller (FPC) Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500565-SYSTEM-MANAGEMENT-MODUL…
∗∗∗ Lenovo XClarity Administrator (LXCA) Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500564-LENOVO-XCLARITY-ADMINIS…
∗∗∗ IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002807
∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect z/Transaction Processing Facility ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003337
∗∗∗ Vulnerability of Apache Thrift (libthrift-0.12.0.jar ) have affected APM WebSphere Application Server Agent and APM SAP NetWeaver Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003479
∗∗∗ Vulnerability of Google Gson (gson-2.8.2.jar ) have affected APM WebSphere Application Server Agent and APM SAP NetWeaver Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003477
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003495
∗∗∗ Multiple Vulnerabilities of Jackson-Mapper-asl have affected APM Linux KVM Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003497
∗∗∗ IBM Workload Scheduler is potentially affected by multiple vulnerabilities in OpenSSL (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003501
∗∗∗ IBM Workload Scheduler is potentially affected by a vulnerability in OpenSSL causing system crash (CVE-2022-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003511
∗∗∗ IBM Workload Scheduler potentially affected by a vulnerability in SnakeYaml (CVE-2022-1471) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003513
∗∗∗ OpenPages with Watson has addressed Node.js vulnerability (CVE-2022-32213) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003313
=====================
= End-of-Day report =
=====================
Timeframe: Friday 09-06-2023 18:00 − Monday 12-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Fortinet: SSL-VPN vulnerability enables code smuggling ∗∗∗
---------------------------------------------
Fortinet has released updates for the FortiOS operating system. They close a vulnerability in the SSL-VPN that allows malicious code to be injected.
---------------------------------------------
https://heise.de/-9184284
∗∗∗ Password manager Bitwarden: Biometric key was readable by everyone ∗∗∗
---------------------------------------------
The password manager Bitwarden supports authentication with Windows Hello. Until recently, the biometric key in Windows could be read by anyone.
---------------------------------------------
https://heise.de/-9184586
∗∗∗ New MOVEit Vulnerabilities Found as More Zero-Day Attack Victims Come Forward ∗∗∗
---------------------------------------------
Researchers discover new MOVEit vulnerabilities related to the zero-day, just as more organizations hit by the attack are coming forward.
---------------------------------------------
https://www.securityweek.com/new-moveit-vulnerabilities-found-as-more-zero-…
∗∗∗ Exploit released for MOVEit RCE bug used in data theft attacks ∗∗∗
---------------------------------------------
Horizon3 security researchers have released proof-of-concept (PoC) exploit code for a remote code execution (RCE) bug in the MOVEit Transfer managed file transfer (MFT) solution abused by the Clop ransomware gang in data theft attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-moveit-…
∗∗∗ Strava heatmap feature can be abused to find home addresses ∗∗∗
---------------------------------------------
Researchers at the North Carolina State University Raleigh have discovered a privacy risk in the Strava app's heatmap feature that could lead to identifying users' home addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/strava-heatmap-feature-can-b…
∗∗∗ Sneaky DoubleFinger loads GreetingGhoul targeting your cryptocurrency ∗∗∗
---------------------------------------------
Kaspersky researchers share insight into multistage DoubleFinger loader attack delivering GreetingGhoul cryptocurrency stealer and Remcos RAT.
---------------------------------------------
https://securelist.com/doublefinger-loader-delivering-greetingghoul-cryptoc…
∗∗∗ Researchers Uncover Publisher Spoofing Bug in Microsoft Visual Studio Installer ∗∗∗
---------------------------------------------
Security researchers have warned about an "easily exploitable" flaw in the Microsoft Visual Studio installer that could be abused by a malicious actor to impersonate a legitimate publisher and distribute malicious extensions. "A threat actor could impersonate a popular publisher and issue a malicious extension to compromise a targeted system," Varonis researcher Dolev Taler said.
---------------------------------------------
https://thehackernews.com/2023/06/researchers-uncover-publisher-spoofing.ht…
∗∗∗ Bypassing Android Biometric Authentication ∗∗∗
---------------------------------------------
Cryptography and authentication issues are not only present in apps with a low number of downloads, but also in very popular apps. Furthermore, this affects also apps that aim to provide a high level of data protection, since they handle sensitive data that should be kept safe. [..] However, it is important to stress that to be able to perform a bypass, an attacker needs root permissions on the device of the victim or is able to talk the victim into installing a modified version of an app [..]
---------------------------------------------
https://sec-consult.com/blog/detail/bypassing-android-biometric-authenticat…
∗∗∗ Circumventing inotify Watchdogs ∗∗∗
---------------------------------------------
Recently I’ve been building rudimentary file monitoring tools to get better at Golang, and build faux-watchdog programs for research at Arch Cloud Labs. Through this experimentation, I’ve identified some interesting gaps in the inotify subsystem that are new to me, but are well documented in the Linux man pages. This blog post will explore how to circumvent read detections implemented by inotify.
---------------------------------------------
https://www.archcloudlabs.com/projects/inotify/
∗∗∗ Every Signature is Broken: On the Insecurity of Microsoft Office’s OOXML Signatures ∗∗∗
---------------------------------------------
We are the first to provide an in-depth analysis of Office Open XML (OOXML) Signatures, the Ecma/ISO standard that all Microsoft Office applications use. Our analysis reveals major discrepancies between the structure of office documents and the way digital signatures are verified. These discrepancies lead to serious security flaws in the specification and in the implementation. As a result, we discovered five new attack classes.
---------------------------------------------
https://www.usenix.org/system/files/sec23summer_235-rohlmann-prepub.pdf
∗∗∗ Defeating Windows DEP With A Custom ROP Chain ∗∗∗
---------------------------------------------
This article explains how to write a custom ROP (Return Oriented Programming) chain to bypass Data Execution Prevention (DEP) on a Windows 10 system. DEP makes certain parts of memory (e.g., the stack) used by an application non-executable. This means that overwriting EIP with a “JMP ESP” (or similar) instruction and then freely executing [...]
---------------------------------------------
https://research.nccgroup.com/2023/06/12/defeating-windows-dep-with-a-custo…
∗∗∗ Instagram: Beware of fake "Meta" message ∗∗∗
---------------------------------------------
A fake Meta profile writes to you on Instagram. You have allegedly infringed copyright. You are asked to fill out an appeal form, otherwise the account will be blocked. The link to the form is right in the message. Caution: This message is fake. Criminals steal your login credentials and subsequently extort you.
---------------------------------------------
https://www.watchlist-internet.at/news/instagram-vorsicht-vor-gefaelschter-…
∗∗∗ Varonis warns of Salesforce sites that are no longer in use ∗∗∗
---------------------------------------------
Security researchers at Varonis have come across a problem with Salesforce sites that are orphaned and no longer in use. The security researchers of Varonis Threat Labs have discovered that improperly deactivated Salesforce sites, so-called ghost sites, continue to retrieve current data and are accessible to attackers: by manipulating the Host header, cybercriminals can gain access to sensitive personal data and business information.
---------------------------------------------
https://www.borncity.com/blog/2023/06/10/varonis-warnt-vor-nicht-mehr-genut…
∗∗∗ OAuth2 Security Best Current Practices ∗∗∗
---------------------------------------------
On 6 June 2023, the IETF updated a document, "OAuth2 Security Best Current Practices". The document describes the current best security practice for OAuth 2.0. It updates and extends the OAuth 2.0 security threat model.
---------------------------------------------
https://www.borncity.com/blog/2023/06/11/oauth2-security-best-current-pract…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the client update process of Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows could allow a low-privileged, authenticated, local attacker to elevate privileges to those of SYSTEM. The client update process is executed after a successful VPN connection is established.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pypdf2 and thunderbird), Fedora (chromium, dbus, mariadb, matrix-synapse, sympa, and thunderbird), Scientific Linux (python and python3), SUSE (chromium, gdb, and openldap2), and Ubuntu (jupyter-core, requests, sssd, and vim).
---------------------------------------------
https://lwn.net/Articles/934456/
∗∗∗ WordPress Theme Workreap 2.2.2 Unauthenticated Upload Leading to Remote Code Execution ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023060012
∗∗∗ ASUS Router RT-AX3000 vulnerable to using sensitive cookies without Secure attribute ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN34232595/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.12 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-21/
∗∗∗ This Power System update is being released to address CVE-2023-25683 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002721
∗∗∗ IBM Content Navigator is vulnerable to DoS due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7002807
∗∗∗ IBMid credentials may be exposed when directly downloading code onto IBM SAN Volume Controller, IBM Storwize, IBM FlashSystem and IBM Spectrum Virtualize products [CVE-2023-27870] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985697
∗∗∗ Vulnerability in requests-2.27.1.tar.gz affects IBM Integrated Analytics System [CVE-2023-32681] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003185
∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Integrated Analytics System [CVE-2020-28473] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003195
∗∗∗ Vulnerability in bottle-0.12.16 affects IBM Integrated Analytics System [CVE-2022-31799] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003201
∗∗∗ Vulnerability in certifi-2018.4.16 affects IBM Integrated Analytics System [ CVE-2022-23491] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003205
∗∗∗ IBM Cloud Kubernetes Service is affected by two containerd security vulnerabilities (CVE-2023-28642) (CVE-2023-27561) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001317
∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000903
∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003247
∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service due to GraphQL Java (CVE-2023-28867) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003245
∗∗∗ IBM App Connect Enterprise Certified Container operands that use the Snowflake connector are vulnerable to arbitrary code execution due to [CVE-2023-34232] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003259
∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to arbitrary code execution due to PostgreSQL (CVE-2023-2454) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7003279
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 07-06-2023 18:00 − Friday 09-06-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Replace Barracuda Email Security Gateway Appliance (ESG) immediately! ∗∗∗
---------------------------------------------
One more short topic that was left unattended for a while because of the public holiday. The vendor Barracuda is urging administrators of its Email Security Gateway Appliance (ESG) to replace the devices immediately. The background is a vulnerability in the ESG models that was supposed to be patched at the end of May 2025. That does not seem to be effective, however, and the vendor is calling for replacement.
---------------------------------------------
https://www.borncity.com/blog/2023/06/08/barracuda-email-security-gateway-a…
∗∗∗ CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances ∗∗∗
---------------------------------------------
Rapid7 incident response teams are investigating exploitation of physical Barracuda Networks Email Security Gateway (ESG) appliances.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/06/08/etr-cve-2023-2868-total-comprom…
∗∗∗ Royal ransomware gang adds BlackSuit encryptor to their arsenal ∗∗∗
---------------------------------------------
The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/royal-ransomware-gang-adds-b…
∗∗∗ Detecting and mitigating a multi-stage AiTM phishing and BEC campaign ∗∗∗
---------------------------------------------
Microsoft Defender Experts observed a multi-stage adversary-in-the-middle (AiTM) and business email compromise (BEC) attack targeting banking and financial services organizations over two days. This attack originated from a compromised trusted vendor, involved AiTM and BEC attacks across multiple supplier/partner organizations for financial fraud, and did not use a reverse proxy like typical AiTM attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/06/08/detecting-and-miti…
∗∗∗ Undetected PowerShell Backdoor Disguised as a Profile File, (Fri, Jun 9th) ∗∗∗
---------------------------------------------
PowerShell remains an excellent way to compromise computers. Many PowerShell scripts found in the wild are usually obfuscated. Most of the time, this helps to have the script detected by fewer antivirus vendors. Yesterday, I found a script that scored 0/59 on VT! Let's have a look at it.
---------------------------------------------
https://isc.sans.edu/diary/rss/29930
∗∗∗ Clop Ransomware Likely Sitting on MOVEit Transfer Vulnerability (CVE-2023-34362) Since 2021 ∗∗∗
---------------------------------------------
On June 5, 2023, the Clop ransomware group publicly claimed responsibility for exploitation of a zero-day vulnerability in the MOVEit Transfer secure file transfer web application (CVE-2023-34362). [...] Kroll forensic review has also identified activity indicating that the Clop threat actors were likely experimenting with ways to exploit this particular vulnerability as far back as 2021.
---------------------------------------------
https://www.kroll.com/en/insights/publications/cyber/clop-ransomware-moveit…
∗∗∗ MSSQL linked servers: abusing ADSI for password retrieval ∗∗∗
---------------------------------------------
When we talk about Microsoft SQL Server linked servers, we usually think of links to other SQL Server instances. However, this is only one of the multiple available options, so today we are going to delve into the Active Directory Service Interfaces (ADSI) provider, which allows querying the AD using the LDAP protocol.
---------------------------------------------
https://www.tarlogic.com/blog/linked-servers-adsi-passwords/
∗∗∗ Cisco security updates: Attackers could change the passwords of arbitrary users ∗∗∗
---------------------------------------------
Cisco Expressway Series and Adaptive Security Appliance, among others, are vulnerable. Admins should update the software.
---------------------------------------------
https://heise.de/-9180829
∗∗∗ Minecraft modification packages infected with Fractureiser malware ∗∗∗
---------------------------------------------
Minecraft players beware: infected modifications have appeared on the legitimate portals Bukkit and CurseForge.
---------------------------------------------
https://heise.de/-9182068
∗∗∗ Malicious code attacks on VMware's network monitoring solution possible ∗∗∗
---------------------------------------------
There is an important security update for VMware Aria Operations for Networks. Admins should act promptly.
---------------------------------------------
https://heise.de/-9181036
∗∗∗ Android viruses: Cleverly hidden from users ∗∗∗
---------------------------------------------
While testing a protection component, Bitdefender's virus analysts came across Android malware that cleverly hides itself on the smartphone.
---------------------------------------------
https://heise.de/-9182008
∗∗∗ Asylum Ambuscade: Crimeware or cyberespionage? ∗∗∗
---------------------------------------------
A curious case of a threat actor on the border between crimeware and cyberespionage.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/06/08/asylum-ambuscade-crimewar…
∗∗∗ SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint ∗∗∗
---------------------------------------------
A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.
---------------------------------------------
https://www.securityweek.com/saas-ransomware-attack-hit-sharepoint-online-w…
∗∗∗ Shodan Verified Vulns 2023-06-01 ∗∗∗
---------------------------------------------
As of 2023-06-01, Shodan sees the following vulnerabilities in Austria: [...] This month, too, a decline can be observed for almost all entries. The only comparatively larger exception is the vulnerability CVE-2015-2080 (Jetleak).
---------------------------------------------
https://cert.at/de/aktuelles/2023/6/shodan-verified-vulns-2023-06-01
∗∗∗ Adventures in Disclosure: When Reporting Bugs Goes Wrong ∗∗∗
---------------------------------------------
The Zero Day Initiative (ZDI) is the world’s largest vendor-agnostic bug bounty program. That means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc. We don’t buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan. Why Disclose at All? This is a fine place to start.
---------------------------------------------
https://www.thezdi.com/blog/2023/6/7/adventures-in-disclosure-when-reportin…
∗∗∗ May 2023’s Most Wanted Malware: New Version of Guloader Delivers Encrypted Cloud-Based Payloads ∗∗∗
---------------------------------------------
Check Point Research reported on a new version of shellcode-based downloader GuLoader featuring fully encrypted payloads for cloud-based delivery. Our latest Global Threat Index for May 2023 saw researchers report on a new version of shellcode-based downloader GuLoader, which was the fourth most prevalent malware. With fully encrypted payloads and anti-analysis techniques, the latest form can be stored undetected in well-known public cloud services, including Google Drive.
---------------------------------------------
https://blog.checkpoint.com/security/may-2023s-most-wanted-malware-new-vers…
∗∗∗ Analyzing the FUD Malware Obfuscation Engine BatCloak ∗∗∗
---------------------------------------------
We look into BatCloak engine, its modular integration into modern malware, proliferation mechanisms, and interoperability implications as malicious actors take advantage of its fully undetectable (FUD) capabilities.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/analyzing-the-fud-malware-ob…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-818: (0Day) ZTE MF286R goahead Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of ZTE MF286R routers. Authentication is required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-818/
∗∗∗ ZDI: Sante DICOM Viewer Pro Vulnerabilities ∗∗∗
---------------------------------------------
* ZDI-23-853: Sante DICOM Viewer Pro DCM File Parsing Use-After-Free Information Disclosure Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-853/
* ZDI-23-854: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-854/
* ZDI-23-855: Sante DICOM Viewer Pro DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-855/
* ZDI-23-856: Sante DICOM Viewer Pro JP2 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability: https://www.zerodayinitiative.com/advisories/ZDI-23-856/
---------------------------------------------
https://www.santesoft.com/win/sante-dicom-viewer-pro/download.html
∗∗∗ Antivirus: High-risk vulnerabilities in Trend Micro's Apex One ∗∗∗
---------------------------------------------
In the Trend Micro Apex One protection software, attackers can abuse vulnerabilities to escalate their privileges on the system. Updates are available.
---------------------------------------------
https://heise.de/-9180965
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, and ruby2.5), Fedora (curl, dbus, pypy, pypy3.8, pypy3.9, python3.10, and python3.8), Red Hat (python and python-flask), Scientific Linux (emacs), SUSE (firefox, google-cloud-sap-agent, libwebp, opensc, openssl, openssl-3, openssl1, python-sqlparse, python310, and supportutils), and Ubuntu (libxml2, netatalk, and sysstat).
---------------------------------------------
https://lwn.net/Articles/934245/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jupyter-core, openssl, and ruby2.5), Fedora (firefox), Mageia (libreoffice, openssl, and python-flask), Red Hat (python and python3), Slackware (mozilla, php8, and python3), SUSE (java-1_8_0-ibm, libcares2, mariadb, and python36), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-gke, linux-intel-iotg, linux-raspi, linux-xilinx-zynqmp, and mozjs102).
---------------------------------------------
https://lwn.net/Articles/934316/
∗∗∗ Delta Electronics CNCSoft-B DOPSoft ∗∗∗
---------------------------------------------
Vulnerabilities: Stack-based Buffer Overflow, Heap-based Buffer Overflow
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-01
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on June 8, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
ICSA-23-159-01 Atlas Copco Power Focus 6000
ICSA-23-159-02 Sensormatic Electronics Illustra Pro Gen 4
CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/08/cisa-releases-two-indust…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-06-2023 18:00 − Wednesday 07-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch day: Malicious code could land on Android devices via Bluetooth vulnerability ∗∗∗
---------------------------------------------
Google and other vendors have released important security updates for Android devices. Attackers are already exploiting a GPU vulnerability.
---------------------------------------------
https://heise.de/-9179937
∗∗∗ MOVEit: Ransomware gang "Clop" extorts companies following vulnerability ∗∗∗
---------------------------------------------
Ransomware gang extorts companies over a vulnerability in the MOVEit data transfer software. Prominent companies are among the potential victims.
---------------------------------------------
https://heise.de/-9179875
∗∗∗ SpinOk: More infected Android apps with 30 million installations discovered ∗∗∗
---------------------------------------------
The Android malware SpinOk is making ever bigger waves, and security researchers have come across almost 200 more apps infected with it in Google Play.
---------------------------------------------
https://heise.de/-9180094
∗∗∗ Why cybersecurity awareness should matter to me as an SME too… ∗∗∗
---------------------------------------------
“Why would anyone attack us, of all people?” When it comes to cybercrime, many small and medium-sized enterprises still believe that they are not an interesting target for criminals. But the numbers show otherwise: cybercrime is on the rise and is becoming a growing threat to companies, including small and medium-sized ones. We give an overview of the cybercrime situation in Austrian companies and SMEs and [...]
---------------------------------------------
https://www.watchlist-internet.at/news/wieso-mich-cybersecurity-awareness-a…
∗∗∗ Mailboxes broken open because of order fraud ∗∗∗
---------------------------------------------
A mailbox that has been broken open does not, at first glance, suggest a more far-reaching fraud. One might assume that someone was merely after the contents of the mailbox. In fact, it is often the final step of an order fraud in which criminals steal the postal service's yellow notification slip from the mailbox in order to open the associated parcel reception box and steal a package previously ordered to their victims' address. Victims do not have to pay subsequent invoices and reminders!
---------------------------------------------
https://www.watchlist-internet.at/news/aufgebrochene-postkaesten-wegen-best…
∗∗∗ 2023 Vulnerabilities and Threat Trends ∗∗∗
---------------------------------------------
Understanding and monitoring vulnerability trends is crucial in maintaining robust cybersecurity practices. The evolving threat landscape demands constant vigilance and proactive measures from organizations and individuals alike.
---------------------------------------------
https://www.prio-n.com/2023-vulnerabilities-and-threat-trends/
∗∗∗ Tens of Thousands of Compromised Android Apps Found by Bitdefender Anomaly Detection Technology ∗∗∗
---------------------------------------------
Here are some of the types of apps mimicked by the malware: Game cracks, Games with unlocked features, Free VPN, Fake videos, Netflix, Fake tutorials, YouTube/TikTok without ads, Cracked utility programs: weather, pdf viewers, etc, Fake security programs
---------------------------------------------
https://www.bitdefender.com/blog/labs/tens-of-thousands-of-compromised-andr…
∗∗∗ High-risk vulnerabilities patched in ABB Aspect building management system ∗∗∗
---------------------------------------------
Prism Infosec has identified two high-risk vulnerabilities within the Aspect Control Engine building management system (BMS) developed by ABB. ABB’s Aspect BMS enables users to monitor a building’s performance and combines real-time integrated control, supervision, data logging, alarming, scheduling and network management functions with internet connectivity and web serving capabilities. Consequently, users can view system status, override setpoints and schedules, and more over [...]
---------------------------------------------
https://www.helpnetsecurity.com/2023/06/07/cve-2023-0635-cve-2023-0636/
=====================
= Vulnerabilities =
=====================
∗∗∗ B&R APROL Abuse SLP based traffic for amplification attack CVE ID: CVE-2023-29552 ∗∗∗
---------------------------------------------
An attacker who successfully exploited this vulnerability could use affected products to cause 3rd party components to become temporarily inaccessible
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16834661…
∗∗∗ Security updates: Firefox and Firefox ESR armed against possible attacks ∗∗∗
---------------------------------------------
Because of a vulnerability in Firefox, attackers could lure victims to unencrypted fake websites even more effectively.
---------------------------------------------
https://heise.de/-9180185
∗∗∗ VMSA-2023-0012 ∗∗∗
---------------------------------------------
VMware Aria Operations for Networks updates address multiple vulnerabilities. (CVE-2023-20887, CVE-2023-20888, CVE-2023-20889)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0012.html
∗∗∗ Critical Security Update: Directorist WordPress Plugin Patches Two High-risk Vulnerabilities ∗∗∗
---------------------------------------------
On April 3, 2023, our team uncovered two significant vulnerabilities – an Arbitrary User Password Reset to Privilege Escalation, and an Insecure Direct Object Reference leading to Arbitrary Post Deletion. Both vulnerabilities were found to affect Directorist versions 7.5.4 and earlier.
---------------------------------------------
https://www.wordfence.com/blog/2023/06/critical-security-update-directorist…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (c-ares), Fedora (curl and firefox), Oracle (cups-filters, kernel, and webkit2gtk3), Red Hat (emacs and kpatch-patch), Slackware (mozilla), SUSE (kernel and openssl-1_0_0), and Ubuntu (firefox and libreoffice).
---------------------------------------------
https://lwn.net/Articles/934132/
∗∗∗ Edge 114.0.1823.41 ∗∗∗
---------------------------------------------
On June 6, 2023, Microsoft (following the Chrome security update) updated the Edge browser in the Stable Channel to version 114.0.1823.41 (security and bug fixes). According to the release notes, the vulnerability CVE-2023-3079 from the Chromium project is closed.
---------------------------------------------
https://www.borncity.com/blog/2023/06/07/edge-114-0-1823-41/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Cisco AnyConnect Secure Mobility Client Software for Windows and Cisco Secure Client Software for Windows Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Small Business 200, 300, and 500 Series Switches Web-Based Management Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Privilege Escalation Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Communications Manager IM & Presence Service Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Communications Manager Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Secure Workload Authenticated OpenAPI Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software for Firepower 2100 Series Appliances SSL/TLS Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-06-2023 18:00 − Tuesday 06-06-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ SSD Advisory - Roundcube markasjunk RCE ∗∗∗
---------------------------------------------
A vulnerability in Roundcube’s markasjunk plugin allows attackers that send a specially crafted identity email address to cause the plugin to execute arbitrary code.
---------------------------------------------
https://ssd-disclosure.com/ssd-advisory-roundcube-markasjunk-rce/
∗∗∗ Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat ∗∗∗
---------------------------------------------
The Cyclops group is particularly proud of having created ransomware capable of infecting all three major platforms: Windows, Linux, and macOS. In an unprecedented move, it has also shared a separate binary specifically geared to steal sensitive data, such as an infected computer name and a number of processes. The latter targets specific files in both Windows and Linux.
---------------------------------------------
https://www.uptycs.com/blog/cyclops-ransomware-stealer-combo
∗∗∗ Gmail spoofing vulnerability sparks Google ‘Priority 1’ probe ∗∗∗
---------------------------------------------
Google launched a “Priority 1” investigation into a Gmail security vulnerability after initially dismissing it as “intended behavior” that did not require a fix. The vulnerability relates to the Brand Indicators for Message Identification (BIMI) email authentication method, a feature Google introduced to Gmail in 2021 but only recently rolled out to all 1.8 billion users of its email services.
---------------------------------------------
https://www.scmagazine.com/news/email-security/gmail-spoofing-google-priori…
∗∗∗ Insecure firmware: Gigabyte delivers BIOS updates for mainboards ∗∗∗
---------------------------------------------
With BIOS updates, Gigabyte is securing insecure mainboard update functions. These were discovered at the end of last week and affect around 270 models.
---------------------------------------------
https://heise.de/-9178747
∗∗∗ KeePass: Vulnerability allowing the master password to be read out closed ∗∗∗
---------------------------------------------
A vulnerability in the password manager KeePass made it possible to reconstruct the master password from memory dumps. An update now closes it.
---------------------------------------------
https://heise.de/-9179419
∗∗∗ Dozens of Malicious Extensions Found in Chrome Web Store ∗∗∗
---------------------------------------------
Security researchers recently identified more than 30 malicious extensions that had made their way into the Chrome web store, potentially infecting millions.
---------------------------------------------
https://www.securityweek.com/dozens-of-malicious-extensions-found-in-chrome…
∗∗∗ Webinar: Paying securely on the Internet ∗∗∗
---------------------------------------------
For online orders on the Internet there is now a multitude of payment options. What should I look out for when choosing, and which payment methods should I rather not use? In this webinar we show you how to pay securely on the Internet. Participate free of charge: Tuesday, June 13, 2023, 18:30 - 20:00 via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicher-bezahlen-im-internet/
∗∗∗ Online banking: Beware of fake login pages in search engine results ∗∗∗
---------------------------------------------
Criminals forge online banking login pages and advertise them in search engines. In a Bing or Google search for the desired login page, the fake pages are often displayed as the first result, as a Bank Austria customer reported to us. If you type in your data there, it ends up directly with criminals. We show you how to protect yourself against this.
---------------------------------------------
https://www.watchlist-internet.at/news/online-banking-vorsicht-vor-gefaelsc…
∗∗∗ Xollam, the Latest Face of TargetCompany ∗∗∗
---------------------------------------------
This blog talks about the latest TargetCompany ransomware variant, Xollam, and the new initial access technique it uses. We also investigate previous variants' behaviors and the ransomware family's extortion scheme.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/xollam-the-latest-face-of-ta…
∗∗∗ Impulse Team’s Massive Years-Long Mostly-Undetected Cryptocurrency Scam ∗∗∗
---------------------------------------------
We have been able to uncover a massive cryptocurrency scam involving more than a thousand websites handled by different affiliates linked to a program called Impulse Project, run by a threat actor named Impulse Team.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/f/impulse-team-massive-cryptoc…
∗∗∗ Hackers Leak i2VPN Admin Credentials on Telegram ∗∗∗
---------------------------------------------
In a recent cybersecurity incident, hackers have claimed to have successfully breached the admin credentials of i2VPN, a popular freemium VPN proxy server app available for download on Google Play and the App Store.
---------------------------------------------
https://www.hackread.com/hackers-i2vpn-admin-credentials-telegram-leak/
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome 114.0.5735.106/.110 security updates for 0-day ∗∗∗
---------------------------------------------
These are security updates that fix a critical vulnerability (0-day).
---------------------------------------------
https://www.borncity.com/blog/2023/06/06/google-chrome-114-0-5735-106-110-s…
∗∗∗ Android security update fixes Mali GPU flaw exploited by spyware ∗∗∗
---------------------------------------------
Google has released the monthly security update for the Android platform, adding fixes for 56 vulnerabilities, five of them with a critical severity rating and one exploited since at least last December.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-security-update-fixe…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
Multi-Enterprise Relationship Management, CICS TX, TXSeries for Multiplatforms, Tivoli Netcool Configuration Manager, IBM Control Desk, IBM Maximo, System Networking Switch Center, Tivoli System Automation for Multiplatforms, IBM SDK, IBM Business Automation, IBM Cloud Pak, IBM Operations Analytics, IBM Security Guardium and IBM Semeru Runtimes.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CVE-2023-33009 Zyxel Multiple Firewalls Buffer Overflow Vulnerability
CVE-2023-33010 Zyxel Multiple Firewalls Buffer Overflow Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/06/05/cisa-adds-two-known-expl…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-5.10), Red Hat (cups-filters, curl, kernel, kernel-rt, kpatch-patch, and webkit2gtk3), SUSE (apache-commons-fileupload, openstack-heat, openstack-swift, python-Werkzeug, and openstack-heat, python-Werkzeug), and Ubuntu (frr, go, libraw, libssh, nghttp2, python2.7, python3.10, python3.11, python3.5, python3.6, python3.8, and xfce4-settings).
---------------------------------------------
https://lwn.net/Articles/934010/
∗∗∗ Security Vulnerabilities fixed in Firefox 114 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-20/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.12 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-19/
∗∗∗ Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-157-02
∗∗∗ Zyxel security advisory for privilege escalation vulnerability in GS1900 series switches ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for buffer overflow vulnerability in 4G LTE and 5G NR outdoor routers ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-06-2023 18:00 − Monday 05-06-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ KeePass v2.54 fixes bug that leaked cleartext master password ∗∗∗
---------------------------------------------
KeePass has released version 2.54, fixing the CVE-2023-3278 vulnerability that allows the extraction of the cleartext master password from the application's memory.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/keepass-v254-fixes-bug-that-…
∗∗∗ Satacom delivers browser extension that steals cryptocurrency ∗∗∗
---------------------------------------------
A recent campaign by Satacom downloader is delivering a cryptocurrency-stealing extension for Chromium-based browsers, such as Chrome, Brave and Opera.
---------------------------------------------
https://securelist.com/satacom-delivers-cryptocurrency-stealing-browser-ext…
∗∗∗ Magento, WooCommerce, WordPress, and Shopify Exploited in Web Skimmer Attack ∗∗∗
---------------------------------------------
Cybersecurity researchers have unearthed a new ongoing Magecart-style web skimmer campaign that's designed to steal personally identifiable information (PII) and credit card data from e-commerce websites. A noteworthy aspect that sets it apart from other Magecart campaigns is that the hijacked sites further serve as "makeshift" command-and-control (C2) servers, using the cover to facilitate the distribution of malicious code without the knowledge of the victim sites.
---------------------------------------------
https://thehackernews.com/2023/06/magento-woocommerce-wordpress-and.html
∗∗∗ Storing Passwords - A Journey of Common Pitfalls ∗∗∗
---------------------------------------------
[..] we recently discovered a vulnerability in the web interface of STARFACE PBX allowing login using the password hash rather than the cleartext password (see advisory). We want to use this as an opportunity to discuss how we analyse such login mechanisms and talk about the misconceptions in security concepts that result in such pitfalls along the way.
---------------------------------------------
https://blog.redteam-pentesting.de/2023/storing-passwords/
∗∗∗ Big-data company Splunk closes security vulnerabilities, some of them critical ∗∗∗
---------------------------------------------
Big-data specialist Splunk is fixing numerous security vulnerabilities in its software of the same name, some of which are rated as a critical risk.
---------------------------------------------
https://heise.de/-9164194
∗∗∗ Gigabyte Rolls Out BIOS Updates to Remove Backdoor From Motherboards ∗∗∗
---------------------------------------------
Gigabyte has announced BIOS updates that remove a recently identified backdoor feature in hundreds of its motherboards.
---------------------------------------------
https://www.securityweek.com/gigabyte-rolls-out-bios-updates-to-remove-back…
∗∗∗ Criminals abuse PayPal's donation feature ∗∗∗
---------------------------------------------
We are currently observing that fake shops process PayPal payments using the "Donate money" function. Cancel the payment immediately if the PayPal payment does not proceed as usual but is labelled as a donation! If you pay using the "Donate money" function, buyer protection does not apply and a refund is not possible. Look closely at how your PayPal payment is made!
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-missbrauchen-spenden-funk…
∗∗∗ Vice Society operating with its own ransomware ∗∗∗
---------------------------------------------
The ransomware group repeatedly carries out targeted attacks on educational institutions and hospitals.
---------------------------------------------
https://www.zdnet.de/88409649/vice-society-mit-eigener-ransomware-unterwegs/
∗∗∗ Pikabot trojan is on the loose ∗∗∗
---------------------------------------------
New malware family uses anti-analysis techniques and offers backdoor functions for loading shellcode and executing two-stage binaries.
---------------------------------------------
https://www.zdnet.de/88409646/trojaner-pikabot-treibt-sein-unwesen/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, cpio, mariadb-10.3, nbconvert, sofia-sip, and wireshark), Fedora (ImageMagick, mingw-python-requests, openssl, python3.6, texlive-base, and webkitgtk), Red Hat (apr-util, git, gnutls, kernel, kernel-rt, and kpatch-patch), Slackware (cups and ntp), and Ubuntu (linux-azure-fde, linux-azure-fde-5.15 and perl).
---------------------------------------------
https://lwn.net/Articles/933904/
∗∗∗ IBM Aspera Connect and IBM Aspera Cargo has addressed multiple vulnerabilities (CVE-2023-22862, CVE-2023-27285) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001053
∗∗∗ Vulnerability in libexpat (CVE-2022-43680) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985561
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998727
∗∗∗ Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001271
∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959357
∗∗∗ There are several vulnerabilities in AntiSamy used by IBM Maximo Asset Management (CVE-2022-28367, CVE-2022-29577) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966080
∗∗∗ There is a vulnerability in Prism used by IBM Maximo Asset Management (CVE-2022-23647) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959695
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000021
∗∗∗ Multiple vulnerabilities in IBM® Java SDK and WebSphere Application Server Liberty profile affect IBM Business Automation Workflow containers ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001287
∗∗∗ A vulnerability has been identified in IBM HTTP Server shipped with IBM Business Automation Workflow (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001289
∗∗∗ Cross-Site scripting vulnerability affect IBM Business Automation Workflow - CVE-2023-32339 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001291
∗∗∗ Vulnerability in spring-expressions may affect IBM Business Automation Workflow - CVE-2023-20863 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001295
∗∗∗ Multiple vulnerabilities in IBM Java XML affect IBM Tivoli System Automation for Multiplatforms deferred from Oracle Apr 2022 CPU (CVE-2022-21426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000999
∗∗∗ Multiple vulnerabilities in VMware Tanzu Spring Framework affect IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001309
∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966428
∗∗∗ There are several vulnerabilities with TinyMCE used by IBM Maximo Asset Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966710
∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959353
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 01-06-2023 18:00 − Friday 02-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Attackers use Python compiled bytecode to evade detection ∗∗∗
---------------------------------------------
Attackers who are targeting open-source package repositories like PyPI (Python Package Index) have devised a new technique for hiding their malicious code from security scanners, manual reviews, and other forms of security analysis. In one incident, researchers have found malware code hidden inside a Python bytecode (PYC) file that can be directly executed as opposed to source code files that get interpreted by the Python runtime.
---------------------------------------------
https://www.csoonline.com/article/3698472/attackers-use-python-compiled-byt…
∗∗∗ Cybercriminals use legitimate websites to obfuscate malicious payloads ∗∗∗
---------------------------------------------
According to Egress, the evolving attack methodologies currently used by cybercriminals are designed to get through traditional perimeter security. “The evolution of phishing emails continues to pose a major threat to organizations, emphasizing the need to enhance defenses to prevent attacks,” said Jack Chapman, VP of Threat Intelligence, Egress.
---------------------------------------------
https://www.helpnetsecurity.com/2023/06/02/evolving-attack-methodologies/
∗∗∗ Authority scam: Purported e-mails from the FCA are fake! ∗∗∗
---------------------------------------------
Criminals pose as employees of the British financial regulator FCA and claim by e-mail that an "online investment platform" has been shut down. The e-mail says the task now is to "identify the rightful owners of the assets frozen in the blockchain network".
---------------------------------------------
https://www.watchlist-internet.at/news/authority-scam-angebliche-e-mails-de…
∗∗∗ Zyxel’s guidance for the recent attacks on the ZyWALL devices ∗∗∗
---------------------------------------------
Zyxel recently became aware of a cyberattack targeting our ZyWALL devices. These vulnerabilities already have patches - we took immediate action as soon as we become aware of them, and have released patches, as well as security advisories for CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010.
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxels-guidance…
=====================
= Vulnerabilities =
=====================
∗∗∗ Delta Electronics CNCSoft-B DOPSoft DPA File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Published: 2023-06-01
Affected Vendor: Delta Electronics
ZDI ID: ZDI-23-781 to ZDI-23-817
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Security updates: Vulnerabilities leave Symantec protection software open to attack ∗∗∗
---------------------------------------------
Symantec's developers have closed several security vulnerabilities in Advanced Secure Gateway and Content Analysis.
---------------------------------------------
https://heise.de/-9162943
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups and netatalk), SUSE (cups, ImageMagick, installation-images, libvirt, openvswitch, and qemu), and Ubuntu (avahi, cups, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-aws-5.4, linux-bluefield, linux-intel-iotg, and linux-intel-iotg-5.15).
---------------------------------------------
https://lwn.net/Articles/933576/
∗∗∗ High-Severity Vulnerabilities Patched in Splunk Enterprise ∗∗∗
---------------------------------------------
Splunk has resolved multiple high-severity vulnerabilities in Splunk Enterprise, including bugs in third-party packages used by the product.
---------------------------------------------
https://www.securityweek.com/high-severity-vulnerabilities-patched-in-splun…
∗∗∗ Critical security vulnerability in MOVEit Transfer - updates available ∗∗∗
---------------------------------------------
MOVEit Transfer contains a critical security vulnerability that allows privilege escalation and potentially unauthorized access. So far, the vulnerability has been exploited for data theft. However, the full potential of the vulnerability is not yet known.
---------------------------------------------
https://cert.at/de/warnungen/2023/6/kritische-sicherheitslucke-in-moveit-tr…
∗∗∗ IBM Edge Application Manager has a vulnerability listed in CVE 2023-28154. IBM has addressed this vulnerability. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000057
∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000903
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affect IBM Tivoli Network Configuration Manager (CVE-2022-3676). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000941
∗∗∗ A security vulnerability has been identified in embedded IBM WebSphere Application Server which is shipped with IBM Tivoli Netcool Configuration Manager (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000959
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Configuration Manager (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000969
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager - Includes Oracle January 2023 CPU (CVE-2023-21830, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000991
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms - Includes Oracle January 2023 CPU (CVE-2023-21830, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000989
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000993
∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888295
∗∗∗ Multiple vulnerabilities in IBM Java XML affect IBM Tivoli System Automation Application Manager deferred from Oracle Apr 2022 CPU (CVE-2022-21426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000997
∗∗∗ Apache commons fileupload vulnerability affect embedded Case Forms in IBM Business Automation Workflow and IBM Case Manager - CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001009
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 31-05-2023 18:00 − Thursday 01-06-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Terminator antivirus killer is a vulnerable Windows driver in disguise ∗∗∗
---------------------------------------------
A threat actor known as Spyboy is promoting a Windows defense evasion tool called "Terminator" [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/terminator-antivirus-killer-…
∗∗∗ Exploit released for RCE flaw in popular ReportLab PDF library ∗∗∗
---------------------------------------------
A researcher has published a working exploit for a remote code execution (RCE) flaw impacting ReportLab, a popular Python library used by numerous projects to generate PDF files from HTML input.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-rce-fla…
∗∗∗ Police warn of new fraud scheme involving NFC smartphone payments ∗∗∗
---------------------------------------------
Criminals managed to load victims' bank cards onto their own phones. They then went on a shopping spree and emptied accounts.
---------------------------------------------
https://futurezone.at/digital-life/betrug-phishing-mobile-payment-nfc-smart…
∗∗∗ Serious Security: That KeePass “master password crack”, and what we can learn from it ∗∗∗
---------------------------------------------
Here, in an admittedly discursive nutshell, is the fascinating story of CVE-2023-32784. (Short version: Don't panic.)
---------------------------------------------
https://nakedsecurity.sophos.com/2023/05/31/serious-security-that-keepass-m…
∗∗∗ XSS vulnerability in the ASP.NET application: examining CVE-2023-24322 in mojoPortal CMS ∗∗∗
---------------------------------------------
In this article, we will thoroughly examine the XSS vulnerability in a CMS written in C#. Let's recall the theory, figure out how the security defect looks from a user's perspective and in code, and also practice writing exploits.
---------------------------------------------
https://pvs-studio.com/en/blog/posts/csharp/1054/
∗∗∗ Attack on iPhones: Kaspersky makes sophisticated attack public ∗∗∗
---------------------------------------------
Kaspersky says it has discovered traces of a complex attack in iPhone backups. According to the company, defence is only possible with drastic measures.
---------------------------------------------
https://heise.de/-9159301
∗∗∗ STARFACE: Authentication with Password Hash Possible ∗∗∗
---------------------------------------------
RedTeam Pentesting discovered that the web interface of STARFACE as well as its REST API allows authentication using the SHA512 hash of the password instead of the cleartext password. While storing password hashes instead of cleartext passwords in an application's database generally has become best practice to protect users' passwords in case of a database compromise, this is rendered ineffective when allowing to authenticate using the password hash.
---------------------------------------------
https://www.redteam-pentesting.de/en/advisories/rt-sa-2022-004/
∗∗∗ Malware Spotlight: Camaro Dragon’s TinyNote Backdoor ∗∗∗
---------------------------------------------
In this report, we analyze another previously undisclosed backdoor associated with this cluster of activity which shares with it not only a common infrastructure but also the same high-level intelligence-gathering goal.
---------------------------------------------
https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinyn…
=====================
= Vulnerabilities =
=====================
∗∗∗ Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability ∗∗∗
---------------------------------------------
Rapid7 managed services teams are observing exploitation of a critical vulnerability in Progress Software’s MOVEit Transfer solution across multiple customer environments.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/06/01/rapid7-observed-exploitation-of…
∗∗∗ Unified Automation: New UaGateway V1.5.14 Service Release ∗∗∗
---------------------------------------------
This version contains security bug fixes including improvements in KeyUsage check.
---------------------------------------------
https://documentation.unified-automation.com/uagateway/1.5.14/CHANGELOG.txt
∗∗∗ (0Day) Fatek Automation FvDesigner FPJ File Parsing Out-Of-Bounds Write/Pointer Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Published: 2023-05-31
Affected Vendor: Fatek Automation
ZDI ID: ZDI-23-760 to ZDI-23-771
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ (0Day) VIPRE Antivirus Plus ∗∗∗
---------------------------------------------
Published: 2023-05-31
Affected Vendor: VIPRE
ZDI ID: ZDI-23-755 to ZDI-23-759
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM App Connect, IBM Business Automation Manager Open Editions, IBM Business Automation Workflow, IBM Control Desk, IBM Maximo, IBM Edge Application Manager, IBM MQ, IBM Spectrum Protect Plus, IBM Control Desk, IBM Data Risk Manager, Tivoli, Hardware Management Console, IBM Cloud Pak, IBM Power Systems, IBM Security Directory Server, WebSphere Application Server, Rational Developer for i, IBM Security Guardium
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libwebp, openssl, sssd, and texlive-bin), Fedora (bitcoin-core, editorconfig, edk2, mod_auth_openidc, pypy, pypy3.9, python3.10, and python3.8), Red Hat (kernel, openssl, pcs, pki-core:10.6, and qatzip), SUSE (chromium, ImageMagick, openssl-1_1, and tiff), and Ubuntu (cups, libvirt, and linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi).
---------------------------------------------
https://lwn.net/Articles/933465/
∗∗∗ AddToAny Share Buttons - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-019 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-019
∗∗∗ AddToAny Share Buttons - Moderately critical - Access bypass - SA-CONTRIB-2023-018 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-018
∗∗∗ Consent Popup - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-017 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-017
∗∗∗ Iubenda Integration - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-016 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-016
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-01
∗∗∗ HID Global SAFE ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-152-02
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-05-2023 18:00 − Wednesday 31-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Zero-day vulnerability: Flaw in Barracuda's ESG already abused for 7 months ∗∗∗
---------------------------------------------
Barracuda sealed a zero-day vulnerability in its ESG appliances last week. Investigations show that it had already been abused since October.
---------------------------------------------
https://heise.de/-9083222
∗∗∗ Android spyware SpinOk reaches more than 421 million installations ∗∗∗
---------------------------------------------
Doctor Web has tracked down an Android software module with spyware functions in apps on Google Play with more than 421 million downloads. Google has been informed.
---------------------------------------------
https://heise.de/-9069832
∗∗∗ Ransomware: Protection concept against attacks ∗∗∗
---------------------------------------------
Despite measures against cyber attacks and ransomware, many attacks succeed. The data is encrypted. A few points help to achieve usable backups.
---------------------------------------------
https://heise.de/-9069092
∗∗∗ RomCom malware spread via Google Ads for ChatGPT, GIMP, more ∗∗∗
---------------------------------------------
A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/romcom-malware-spread-via-go…
∗∗∗ Mirai Variant Opens Tenda, Zyxel Gear to RCE, DDoS ∗∗∗
---------------------------------------------
Researchers have observed several cyberattacks leveraging a botnet called IZ1H9, which exploits vulnerabilities in exposed devices and servers running on Linux.
---------------------------------------------
https://www.darkreading.com/endpoint/mirai-variant-tenda-zyxel-rce-ddos
∗∗∗ Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor ∗∗∗
---------------------------------------------
Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.
---------------------------------------------
https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/
∗∗∗ Netflix phishing messages currently especially dangerous! ∗∗∗
---------------------------------------------
As of May 2023, Netflix has put a stop to account sharing, that is, the sharing of Netflix accounts, as a result of which numerous users have lost their access or have to pay additional fees. At the same time, countless Netflix phishing e-mails are in circulation which, although unrelated to the new account-sharing rules, are more readily taken to be genuine because of the changes. Caution: do not disclose any data here!
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-phishing-nachrichten-aktuell…
∗∗∗ Investigating BlackSuit Ransomware’s Similarities to Royal ∗∗∗
---------------------------------------------
In this blog entry, we analyze BlackSuit ransomware and how it compares to Royal Ransomware.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-rans…
=====================
= Vulnerabilities =
=====================
∗∗∗ New macOS vulnerability, Migraine, could bypass System Integrity Protection ∗∗∗
---------------------------------------------
A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2023-32369, was included in the security updates released by Apple on May 18, 2023.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerab…
∗∗∗ Barracuda Email Security Gateway Appliance (ESG) Vulnerability ∗∗∗
---------------------------------------------
Barracuda Networks' priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks. Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.
---------------------------------------------
https://www.barracuda.com/company/legal/esg-vulnerability
∗∗∗ CVE-2023-34152: Shell Command Injection Bug Affecting ImageMagick ∗∗∗
---------------------------------------------
[...] recent findings have brought to light a trio of security vulnerabilities that could transform this useful tool into a potential weapon in the hands of malicious entities.
* CVE-2023-34151: Undefined behaviors of casting double to size_t in svg, mvg, and other coders
* CVE-2023-34152: RCE (shell command injection) vulnerability
* CVE-2023-34153: Shell command injection vulnerability
---------------------------------------------
https://securityonline.info/cve-2023-34152-shell-command-injection-bug-affe…
∗∗∗ Web browser: Google Chrome 114 closes 16 vulnerabilities and improves security ∗∗∗
---------------------------------------------
In addition to the usual closed security vulnerabilities, 16 in number, Google Chrome 114 also delivers some new or improved security features.
---------------------------------------------
https://heise.de/-9069705
∗∗∗ Forced update: WordPress websites can be manipulated via Jetpack vulnerability ∗∗∗
---------------------------------------------
The Jetpack developers have released 102 bug-fixed versions of their WordPress plug-in.
---------------------------------------------
https://heise.de/-9069974
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (connman and kamailio), Fedora (texlive-base), Mageia (cups-filters, postgresql, qtbase5, tcpreplay, tomcat, and vim), Slackware (openssl), SUSE (amazon-ssm-agent, cni, cni-plugins, compat-openssl098, installation-images, libaom, openssl, openssl-1_0_0, openssl-1_1, terraform, terraform-provider-helm, tiff, tomcat, and wireshark), and Ubuntu (batik, flask, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-oracle, linux-oracle-5.4, mozjs102, nanopb, openssl, openssl1.0, snapd, and texlive-bin).
---------------------------------------------
https://lwn.net/Articles/933360/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0004 ∗∗∗
---------------------------------------------
Date Reported: May 30, 2023
Advisory ID: WSA-2023-0004
CVE identifiers: CVE-2023-28204, CVE-2023-32373.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0004.html
∗∗∗ Possible damage of secure element in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-435698-BT: Due to an error in the software interface to the secure element chip on the cameras, the chip can be **permanently damaged** leading to an unusable camera when enabling the Stream security option (signing of the video stream) on Bosch CPP13 and CPP14 cameras. The default setting for this option is "off".
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-435698-bt.html
∗∗∗ DataSpider Servista uses a hard-coded cryptographic key ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN38222042/
∗∗∗ [20230501] - Core - Open Redirects and XSS within the mfa selection ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/899-20230501-core-open-red…
∗∗∗ [20230502] - Core - Bruteforce prevention within the mfa screen ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/900-20230502-core-brutefor…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-05-2023 18:00 − Tuesday 30-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ QBot malware abuses Windows WordPad EXE to infect devices ∗∗∗
---------------------------------------------
The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-…
∗∗∗ Hot Pixels attack checks CPU temp, power changes to steal data ∗∗∗
---------------------------------------------
A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum have developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the target's browser and infer the navigation history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hot-pixels-attack-checks-cpu…
∗∗∗ Android apps with spyware installed 421 million times from Google Play ∗∗∗
---------------------------------------------
A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-in…
∗∗∗ Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files, (Mon, May 29th) ∗∗∗
---------------------------------------------
I was asked how to analyze Office Documents that are embedded inside PPT files. PPT is the "standard" binary format for PowerPoint, it's an olefile. You can analyze it with oledump.py
---------------------------------------------
https://isc.sans.edu/diary/rss/29894
∗∗∗ Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT, (Tue, May 30th) ∗∗∗
---------------------------------------------
Also known as DBatLoader, ModiLoader is malware that retrieves and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware. Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.
---------------------------------------------
https://isc.sans.edu/diary/rss/29896
∗∗∗ Beware of the new phishing technique “file archiver in the browser” that exploits zip domains ∗∗∗
---------------------------------------------
“file archiver in the browser” is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain.
---------------------------------------------
https://securityaffairs.com/146828/cyber-crime/file-archiver-in-the-browser…
∗∗∗ Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data ∗∗∗
---------------------------------------------
A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could be potentially exploited to obtain access to confidential data.
---------------------------------------------
https://thehackernews.com/2023/05/severe-flaw-in-google-clouds-cloud-sql.ht…
∗∗∗ Beware of fake service phone numbers when googling! ∗∗∗
---------------------------------------------
Finding a service phone number turns out to be a complicated undertaking for some web services. It is therefore often easier to search for contact details directly via the search engine rather than on the respective company websites. But beware: criminals mix fake pages and fake numbers in among genuine contact details, and use them to steal your money and data. A current example is fake numbers for the airline Ryanair!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-service-telefonnum…
=====================
= Vulnerabilities =
=====================
∗∗∗ OpenSSL 3.0 Series Release Notes [30 May 2023] ∗∗∗
---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms ([CVE-2023-1255])
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
* Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
---------------------------------------------
https://www.openssl.org/news/openssl-3.0-notes.html
∗∗∗ OpenSSL 1.1.1 Series Release Notes [30th May 2023] ∗∗∗
---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree (CVE-2023-0464)
---------------------------------------------
https://www.openssl.org/news/openssl-1.1.1-notes.html
∗∗∗ Vulnerability in Moxa MXsecurity Series endangers critical infrastructure ∗∗∗
---------------------------------------------
A critical vulnerability in the network monitoring solution MXsecurity puts industrial plants at risk.
---------------------------------------------
https://heise.de/-9068382
∗∗∗ Attackers could crash the network analysis tool Wireshark ∗∗∗
---------------------------------------------
In the current Wireshark version, the developers have fixed several security issues.
---------------------------------------------
https://heise.de/-9069031
∗∗∗ Collaboration suite Nextcloud: Vulnerabilities closed, some of them high-risk ∗∗∗
---------------------------------------------
The collaboration software Nextcloud contains security vulnerabilities, some of them high-risk. Updated software is available.
---------------------------------------------
https://heise.de/-9068654
∗∗∗ VMSA-2023-0011 ∗∗∗
---------------------------------------------
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0011.html
∗∗∗ Many Vulnerabilities Found in PrinterLogic Enterprise Software ∗∗∗
---------------------------------------------
Vulnerabilities identified in PrinterLogic’s enterprise management printer solution could expose organizations to authentication bypass, SQL injection, cross-site scripting (XSS) and other types of attacks.
---------------------------------------------
https://www.securityweek.com/many-vulnerabilities-found-in-printerlogic-ent…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (docker-registry, gpac, libraw, libreoffice, rainloop, and sysstat), Fedora (bottles, c-ares, edk2, libssh, microcode_ctl, python-vkbasalt-cli, rust-buffered-reader, rust-nettle, rust-nettle-sys, rust-rpm-sequoia, rust-sequoia-keyring-linter, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-policy-config, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, rust-sequoia-wot, and xen), SUSE (opera), and Ubuntu (Jhead, linuxptp, and sudo).
---------------------------------------------
https://lwn.net/Articles/933165/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libssh and sssd), Fedora (microcode_ctl and python3.6), Gentoo (cgal, firefox firefox-bin, openimageio, squashfs-tools, thunderbird thunderbird-bin, tiff, tomcat, webkit-gtk, and xorg-server xwayland), SUSE (c-ares and go1.18-openssl), and Ubuntu (Jhead, node-hawk, node-nth-check, and perl).
---------------------------------------------
https://lwn.net/Articles/933246/
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Starlette vulnerable to directory traversal ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN95981715/
∗∗∗ Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353) ∗∗∗
---------------------------------------------
https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulner…
∗∗∗ Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-in-mitsubishi-plc-could-le…
∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998795
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998811
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998813
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999091
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999115
∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining [CVE-2023-20860] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999119
∗∗∗ Apache Commons Text vulnerability affects Netcool Operations Insight [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999133
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center(CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999213
∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVE-2023-29257, CVE-2023-29255, CVE-2023-27555, CVE-2023-26021, CVE-2023-25930, CVE-2023-26022, CV) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999215
∗∗∗ [All] Expat - CVE-2022-43680 (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999237
∗∗∗ Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to HTTP request splitting attacks (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999241
∗∗∗ IBM Copy Services Manager is vulnerable to crypto attack vulnerabilities due to IBM Java 8 vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999269
∗∗∗ IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981113
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-05-2023 18:00 − Friday 26-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft 365 phishing attacks use encrypted RPMSG messages ∗∗∗
---------------------------------------------
Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attac…
∗∗∗ Dark Frost Botnet targets the gaming sector with powerful DDoS ∗∗∗
---------------------------------------------
Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed denial-of-service (DDoS) attacks. The botnet borrows code from several popular bot families, including Mirai, Gafgyt, and Qbot.
---------------------------------------------
https://securityaffairs.com/146683/malware/dark-frost-botnet.html
∗∗∗ New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids ∗∗∗
---------------------------------------------
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, [...]
---------------------------------------------
https://thehackernews.com/2023/05/new-cosmicenergy-malware-exploits-ics.html
∗∗∗ Security vulnerabilities in health app: Data theft would have been possible ∗∗∗
---------------------------------------------
Vulnerabilities in health apps have exposed the poor state of digitalization in healthcare. A "secure basic infrastructure" is said to be lacking.
---------------------------------------------
https://heise.de/-9064935
∗∗∗ Cold as Ice: Unit 42 Wireshark Quiz for IcedID ∗∗∗
---------------------------------------------
IcedID is a known vector for ransomware. Analyze infection traffic from this banking trojan in our latest Wireshark tutorial.
---------------------------------------------
https://unit42.paloaltonetworks.com/wireshark-quiz-icedid/
∗∗∗ Exploiting the Sonos One Speaker Three Different Ways: A Pwn2Own Toronto Highlight ∗∗∗
---------------------------------------------
During Pwn2Own Toronto 2022, three different teams successfully exploited the Sonos One Speaker. In total, $105,000 was awarded to the three teams, with the team of Toan Pham and Tri Dang from Qrious Secure winning $60,000 since their entry was first on the schedule.
---------------------------------------------
https://www.thezdi.com/blog/2023/5/24/exploiting-the-sonos-one-speaker-thre…
∗∗∗ What is a web shell? ∗∗∗
---------------------------------------------
What are web shells? And why are attackers increasingly using them in their campaigns? We break it down in this blog.
---------------------------------------------
https://blog.talosintelligence.com/what-is-a-web-shell/
∗∗∗ New Info Stealer Bandit Stealer Targets Browsers, Wallets ∗∗∗
---------------------------------------------
This is an analysis of Bandit Stealer, a new Go-based information-stealing malware capable of evading detection as it targets multiple browsers and cryptocurrency wallets.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/new-info-stealer-bandit-stea…
=====================
= Vulnerabilities =
=====================
∗∗∗ LibreOffice vulnerabilities: Risk of code smuggling via crafted documents ∗∗∗
---------------------------------------------
New LibreOffice versions plug security vulnerabilities, some of them high-risk. Attackers could inject malicious code using manipulated spreadsheets.
---------------------------------------------
https://heise.de/-9066277
∗∗∗ Critical vulnerabilities closed in network management software D-Link D-View 8 ∗∗∗
---------------------------------------------
D-Link apparently took almost five months to develop a security patch for D-View 8, and it is still in beta.
---------------------------------------------
https://heise.de/-9066361
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sniproxy), Fedora (c-ares), Oracle (apr-util, curl, emacs, git, go-toolset and golang, go-toolset:ol8, gssntlmssp, libreswan, mysql:8.0, thunderbird, and webkit2gtk3), Red Hat (go-toolset-1.19 and go-toolset-1.19-golang and go-toolset:rhel8), Slackware (ntfs), SUSE (rmt-server), and Ubuntu (linux-raspi, linux-raspi-5.4 and python-django).
---------------------------------------------
https://lwn.net/Articles/933071/
∗∗∗ K000134793 : OpenJDK vulnerability CVE-2018-2952 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134793
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a heap-based buffer overflow in Perl (CVE-2020-10543) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998419
∗∗∗ IBM MQ is affected by a vulnerability in the IBM Runtime Environment, Java Technology Edition (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998353
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998677
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998685
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998673
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998679
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998675
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998681
∗∗∗ Vulnerability in IBM Java (CVE-2022-21426) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998705
∗∗∗ Vulnerability in OpenSSL (CVE-2022-4304, CVE-2022-4450, CVE-2023-0215 and CVE-2023-0286) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998707
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998727
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998753
∗∗∗ AIX is vulnerable to security restrictions bypass due to curl (CVE-2022-32221) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998763
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-05-2023 18:00 − Thursday 25-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers target 1.5M WordPress sites with cookie consent plugin exploit ∗∗∗
---------------------------------------------
Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-15m-wordpress…
∗∗∗ A new OAuth vulnerability that may impact hundreds of online services ∗∗∗
---------------------------------------------
This post details issues identified in Expo, a popular framework used by many online services to implement OAuth (as well as other functionality). The vulnerability in the expo-auth-session library warranted a CVE assignment – CVE-2023-28131. Expo created a hotfix within the day that automatically provided mitigation, but Expo recommends that customers update their deployment to deprecate this service to fully remove the risk (see the Expo security advisory on the topic).
---------------------------------------------
https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundre…
∗∗∗ codeexplain.vim: A nvim plugin Powered by GPT4ALL for Real-time Code Explanation and Vulnerability Detection (no internet necessary) ∗∗∗
---------------------------------------------
codeexplain.nvim is a NeoVim plugin that uses the powerful GPT4ALL language model to provide on-the-fly, line-by-line explanations and potential security vulnerabilities for selected code directly in your NeoVim editor. It's like having your personal code assistant right inside your editor without leaking your codebase to any company.
---------------------------------------------
https://github.com/mthbernardes/codeexplain.nvim
∗∗∗ Google Authenticator: Device encryption promised, but not delivered ∗∗∗
---------------------------------------------
Google gave the Authenticator a backup function that, however, does not encrypt the secrets. An update is supposed to change that. But it does not.
---------------------------------------------
https://heise.de/-9065547
∗∗∗ Buhti: New Ransomware Operation Relies on Repurposed Payloads ∗∗∗
---------------------------------------------
Attackers use rebranded variants of leaked LockBit and Babuk ransomware payloads but use their own custom exfiltration tool.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/buhti-ra…
∗∗∗ Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware ∗∗∗
---------------------------------------------
Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
---------------------------------------------
https://blog.talosintelligence.com/mercenary-intellexa-predator/
∗∗∗ Abusing Web Services Using Automated CAPTCHA-Breaking Services and Residential Proxies ∗∗∗
---------------------------------------------
This blog entry features three case studies that show how malicious actors evade the antispam, antibot, and antiabuse measures of online web services via residential proxies and CAPTCHA-breaking services.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/abusing-web-services-using-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Partly critical security vulnerabilities in Mitel MiVoice Connect ∗∗∗
---------------------------------------------
Mitel's MiVoice Connect and Connect Mobility Router contain security vulnerabilities, some of them critical. Updates to close them are available.
---------------------------------------------
https://heise.de/-9064992
∗∗∗ Critical security update (24 May 2023) for all Zyxel firewall products – attacks already underway ∗∗∗
---------------------------------------------
The Taiwanese manufacturer Zyxel has published a very critical security update for all of its security products. The security advisory states that several buffer overflow vulnerabilities (CVE-2023-33009, CVE-2023-33010) are involved.
---------------------------------------------
https://www.borncity.com/blog/2023/05/25/kritisches-sicherheitsupdate-24-ma…
∗∗∗ Critical vulnerability with the highest rating threatens GitLab ∗∗∗
---------------------------------------------
There is an important security update for the version control platform GitLab. Developers should act now.
---------------------------------------------
https://heise.de/-9065150
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python2.7), Fedora (maradns), Red Hat (devtoolset-12-binutils, go-toolset and golang, httpd24-httpd, jenkins and jenkins-2-plugins, rh-ruby27-ruby, and sudo), Scientific Linux (git), Slackware (texlive), SUSE (cups-filters, poppler, texlive, distribution, golang-github-vpenso-prometheus_slurm_exporter, kubernetes1.18, kubernetes1.23, openvswitch, rmt-server, and ucode-intel), and Ubuntu (ca-certificates, calamares-settings-ubuntu, Jhead, libhtml-stripscripts-perl, and postgresql-10, postgresql-12, postgresql-14, postgresql-15).
---------------------------------------------
https://lwn.net/Articles/932994/
∗∗∗ Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN90278893/
∗∗∗ D-Link D-View 8 : v2.0.1.27 and below : TrendMicro (ZDI) Reported Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ Autodesk: Multiple Vulnerabilities in PSKernel component used by specific Autodesk products ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0009
∗∗∗ Autodesk: Privilege Escalation Vulnerability in the Autodesk Installer Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0010
∗∗∗ F5: K000134768 : Linux kernel vulnerability CVE-2022-4378 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134768
∗∗∗ F5: K000134770 : Linux kernel vulnerability CVE-2022-42703 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134770
∗∗∗ Moxa MXsecurity Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-145-01
∗∗∗ Nextcloud: Blind SSRF in the Mail app on avatar endpoint ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8…
∗∗∗ Nextcloud: Contacts - PHOTO svg only sanitized if mime type is all lower case ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h…
∗∗∗ Nextcloud: Error in calendar when booking an appointment reveals the full path of the website ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2…
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6987493
∗∗∗ IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998037
∗∗∗ IBM Planning Analytics Workspace has addressed a vulnerability in SnakeYaml (CVE-2022-1471) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998025
∗∗∗ Vulnerability from log4j-1.2.16.jar affect IBM Operations Analytics - Log Analysis (CVE-2023-26464) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998333
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands that run Designer flows is vulnerable to arbitrary code execution due to [CVE-2022-37614] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998341
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-2251] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998357
∗∗∗ A vulnerability in Etcd-io could affect IBM CICS TX Standard [CVE-2021-28235] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998361
∗∗∗ A vulnerability in Etcd-io could affect IBM CICS TX Advanced [CVE-2021-28235] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998367
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands is vulnerable to arbitrary code execution due to [CVE-2023-30547] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998381
∗∗∗ Due to the use of Apache spring-web, IBM ECM Content Management Interoperability Services (CMIS) is affected by remote code execution (RCE) security vulnerability CVE-2016-1000027 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998405
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998391
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-05-2023 18:00 − Wednesday 24-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Barracuda warns of email gateways breached via zero-day flaw ∗∗∗
---------------------------------------------
Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by targeting a now-patched zero-day vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/barracuda-warns-of-email-gat…
∗∗∗ Legion Malware Upgraded to Target SSH Servers and AWS Credentials ∗∗∗
---------------------------------------------
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
---------------------------------------------
https://thehackernews.com/2023/05/legion-malware-upgraded-to-target-ssh.html
∗∗∗ Malvertising via brand impersonation is back again ∗∗∗
---------------------------------------------
In recent months, numerous incidents have shown that malvertising is on the rise again and affecting the user experience and trust in their favorite search engine. Indeed, Search Engine Results Pages (SERPs) include paid Google ads that in some cases lead to scams or malware.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-…
∗∗∗ From legitimate to malicious: The transformation of an Android app within a year ∗∗∗
---------------------------------------------
ESET researchers discover AhRat, a new Android RAT based on AhMyth that exfiltrates files and records audio.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/05/23/von-legitim-zu-bosartig-a…
∗∗∗ Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own ∗∗∗
---------------------------------------------
MikroTik patches a major security defect in its RouterOS product a full five months after it was exploited at Pwn2Own Toronto.
---------------------------------------------
https://www.securityweek.com/mikrotik-belatedly-patches-routeros-flaw-explo…
∗∗∗ Numerous World4You phishing emails in circulation! ∗∗∗
---------------------------------------------
Website operators, take note: criminals are currently sending an increasing number of emails in the name of the Austrian hosting provider World4You. They usually falsely claim that invoices have not been paid or that web addresses have been blocked.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-world4you-phishing-mails-…
∗∗∗ CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF) ∗∗∗
---------------------------------------------
Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-and-partners-update…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0010 ∗∗∗
---------------------------------------------
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0010.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libssh and sofia-sip), Fedora (cups-filters, dokuwiki, qt5-qtbase, and vim), Oracle (git, python-pip, and python3-setuptools), Red Hat (git, kernel, kpatch-patch, rh-git227-git, and sudo), SUSE (openvswitch, rmt-server, and texlive), and Ubuntu (binutils, cinder, cloud-init, firefox, golang-1.13, Jhead, liblouis, ncurses, node-json-schema, node-xmldom, nova, python-glance-store, python-os-brick, and runc).
---------------------------------------------
https://lwn.net/Articles/932827/
∗∗∗ Nextcloud: user_oidc app is missing bruteforce protection ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x…
∗∗∗ Nextcloud: User session not correctly destroyed on logout ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q…
∗∗∗ Nextcloud: Basic auth header on WebDAV requests is not brute-force protected ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m…
∗∗∗ Apple security updates: iTunes 12.12.9 for Windows ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT213763
∗∗∗ F5: K000134744 : Intel BIOS vulnerability CVE-2022-38087 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134744
∗∗∗ F5: K000134747 : PHP vulnerability CVE-2023-0568 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134747
∗∗∗ Bosch: Unrestricted SSH port forwarding in BVMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-025794-bt.html
∗∗∗ Bosch: Vulnerability in Wiegand card data interpretation ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-391095-bt.html
∗∗∗ Bosch: .NET Remote Code Execution Vulnerability in BVMS, BIS and AMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-110112-bt.html
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to the module xml2js (CVE-2023-0842) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997617
∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to cURL libcurl and Google protobuf-java. (CVE-2022-42915, CVE-2021-22569, CVE-2022-3509, CVE-2022-3171, CVE-2022-3510) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997631
∗∗∗ IBM InfoSphere Information Server is affected by a remote code execution vulnerability (CVE-2023-32336) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995879
∗∗∗ This Power System update is being released to address CVE 2023-30438 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6993021
∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997919
∗∗∗ Vulnerability in IBM® Runtime Environment Java™ Version 8 affect Cloud Pak System. [CVE-2023-30441] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997913
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997097
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997921
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997923
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997925
∗∗∗ Red Hat OpenShift on IBM Cloud is affected by a Kubernetes API server security vulnerability (CVE-2022-3172) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997115
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-05-2023 18:00 − Tuesday 23-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Malicious Windows kernel drivers used in BlackCat ransomware attacks ∗∗∗
---------------------------------------------
The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-windows-kernel-dri…
∗∗∗ Security vulnerability in Samsung smartphones is being attacked ∗∗∗
---------------------------------------------
A security vulnerability in Samsung smartphones, which the company is closing with the May updates, is being abused by attackers. Some details are unclear.
---------------------------------------------
https://heise.de/-9062566
∗∗∗ BrutePrint: Attack cracks protection by fingerprint sensors ∗∗∗
---------------------------------------------
IT security researchers have presented an attack called BrutePrint on the access protection of smartphones with fingerprint sensors.
---------------------------------------------
https://heise.de/-9062997
∗∗∗ OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel ∗∗∗
---------------------------------------------
Cedric Halbronn and Alex Plaskett presented at OffensiveCon on the 19th of May 2023 on Exploit Engineering – Attacking the Linux kernel.
---------------------------------------------
https://research.nccgroup.com/2023/05/23/offensivecon-2023-exploit-engineer…
∗∗∗ Willhaben: Recognizing fraud with PayLivery ∗∗∗
---------------------------------------------
Fraudulent buyers fake Willhaben's PayLivery service and make you believe that they have already paid. They lure you to a fake payment platform where you have to enter your credit card details to request the payment. You are then asked to confirm the incoming payment in your banking app. In reality, however, you are approving a payment and losing your money.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-betrug-mit-paylivery-erken…
∗∗∗ Android app breaking bad: From legitimate screen recording to file exfiltration within a year ∗∗∗
---------------------------------------------
ESET researchers discover AhRat – a new Android RAT based on AhMyth – that exfiltrates files and records audio
---------------------------------------------
https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitima…
∗∗∗ Hackers use Dropbox for fraudulent e-mails ∗∗∗
---------------------------------------------
Because of the connection to Dropbox, the messages appear harmless. Security solutions may also not object to the Dropbox URLs. Users, meanwhile, run the risk of passing their login credentials on to hackers.
---------------------------------------------
https://www.zdnet.de/88409355/hacker-nutzen-dropbox-fuer-betruegerische-e-m…
∗∗∗ DarkCloud Infostealer Being Distributed via Spam Emails ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the DarkCloud malware being distributed via spam email. DarkCloud is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
---------------------------------------------
https://asec.ahnlab.com/en/53128/
∗∗∗ Lazarus Group Targeting Windows IIS Web Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers.
---------------------------------------------
https://asec.ahnlab.com/en/53132/
∗∗∗ Info Stealer Abusing Codespaces Puts Discord Users at Risk ∗∗∗
---------------------------------------------
In this entry, we detail our research findings on how an info stealer is able to achieve persistence on a victim’s machine by modifying the victim’s Discord client.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/info-stealer-abusing-codespa…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress 6.2.2: Bug triggered by security patch ironed out ∗∗∗
---------------------------------------------
The WordPress developers have corrected a security update. The current version is available for download now.
---------------------------------------------
https://heise.de/-9062515
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-nth-check), Mageia (mariadb and python-reportlab), Slackware (c-ares), SUSE (geoipupdate and qt6-svg), and Ubuntu (linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-bluefield, linux-gcp, linux-hwe, linux-raspi2, linux-snapdragon, and linux-gcp, linux-hwe-5.19).
---------------------------------------------
https://lwn.net/Articles/932693/
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) advisories on May 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
* ICSA-23-143-01 Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x Products
* ICSA-23-143-02 Hitachi Energy RTU500
* ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module
* ICSA-23-143-04 Horner Automation Cscape
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-releases-four-indus…
∗∗∗ This Power System update is being released to address CVE 2023-30440 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997133
∗∗∗ IBM® MobileFirst Platform is vulnerable to CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997293
∗∗∗ Vulnerabilities in Python may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997507
∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to exposing sensitive information due to flaws and configurations (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997499
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to denial of service due to [CVE-2012-0881], [CVE-2013-4002] and [CVE-2022-23437] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985605
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22476, CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997581
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22473, CVE-2021-38951) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997587
∗∗∗ Multiple Security Vulnerabilities have been fixed in IBM Security Directory Server, IBM Security Directory Suite and IBM Security Verify Directory. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997593
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-21496, CVE-2021-35550, CVE-2021-2163, CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997585
∗∗∗ A vulnerability in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997589
∗∗∗ CVE-2022-41723 and CVE-2022-41721 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997601
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-05-2023 18:00 − Monday 22-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Current Qakbot/Pikabot wave in Austria ∗∗∗
---------------------------------------------
Along with other countries, Austria is currently again affected by a phishing/malspam wave by Qakbot/Pikabot. The current campaign runs under the name BB28 and, after a successful infection, leads to the download of Cobalt Strike and subsequently often to ransomware, in particular frequently BlackBasta. A special feature of this campaign is the appearance of a potential successor to or companion of Qakbot named Pikabot.
---------------------------------------------
https://cert.at/de/aktuelles/2023/5/aktuelle-qakbotpikabot-welle-in-osterre…
∗∗∗ CISA warns of Samsung ASLR bypass flaw exploited in attacks ∗∗∗
---------------------------------------------
CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-samsung-aslr-b…
∗∗∗ Cloned CapCut websites push information stealing malware ∗∗∗
---------------------------------------------
A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloned-capcut-websites-push-…
∗∗∗ Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks ∗∗∗
---------------------------------------------
The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.
---------------------------------------------
https://thehackernews.com/2023/05/notorious-cyber-gang-fin7-returns-cl0p.ht…
∗∗∗ IcedID Macro Ends in Nokoyawa Ransomware ∗∗∗
---------------------------------------------
In this case we document an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
---------------------------------------------
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomwa…
∗∗∗ Microsoft: BEC Scammers Use Residential IPs to Evade Detection ∗∗∗
---------------------------------------------
BEC scammers use residential IP addresses in attacks to make them seem locally generated and evade detection.
---------------------------------------------
https://www.securityweek.com/microsoft-bec-scammers-use-residential-ips-to-…
∗∗∗ Webinar: How do I protect myself from love scams? ∗∗∗
---------------------------------------------
They feign great love and thereby cheat their counterpart out of large sums of money: in love scamming, fraudsters gain the trust of their victims on online dating sites and in social networks in order to get at their money. Take part free of charge: Tuesday, 30 May 2023, 18:30 - 20:00 via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-lo…
∗∗∗ Free trial offer for light therapy is just a sales pitch ∗∗∗
---------------------------------------------
To win customers, Lumina Vital promises you free treatments. On the phone, you are pressured into a visit at your home. Even if you do not agree to a date, you receive a letter with a fixed appointment. Do not let yourself be pressured if you do not want to buy anything!
---------------------------------------------
https://www.watchlist-internet.at/news/gratis-testangebot-einer-lichttherap…
∗∗∗ Threat hunting with PowerShell – security even on a small budget ∗∗∗
---------------------------------------------
IT security should not be a question of money; those are often pretextual excuses. MVP Tom Wechsler has given the topic some thought and shows how, even with PowerShell and a few lines of code, one can look for problems in the …
---------------------------------------------
https://www.borncity.com/blog/2023/05/22/threat-hunting-mit-powershell-sich…
∗∗∗ Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware.
---------------------------------------------
https://asec.ahnlab.com/en/52920/
∗∗∗ Cloud-Based Malware Delivery: The Evolution of GuLoader ∗∗∗
---------------------------------------------
Antivirus products are constantly evolving to become more sophisticated and better equipped to handle complex threats. As a result, malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
---------------------------------------------
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolu…
=====================
= Vulnerabilities =
=====================
∗∗∗ CUPS: Vulnerability in printing system enables malicious code execution ∗∗∗
---------------------------------------------
In the CUPS printing system, attackers on the network can abuse a vulnerability to smuggle in and execute arbitrary code.
---------------------------------------------
https://heise.de/-9061315
∗∗∗ Attackers could attack development environments that use Jenkins ∗∗∗
---------------------------------------------
Software developers, take note: there are important security updates for several Jenkins plug-ins. Attackers could gain access to login data.
---------------------------------------------
https://heise.de/-9061545
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups-filters, imagemagick, libwebp, sqlite, and texlive-bin), Fedora (chromium and vim), Gentoo (librecad, mediawiki, modsecurity-crs, snakeyaml, and tinyproxy), Mageia (apache-mod_security, cmark, dmidecode, freetype2, glib2.0, libssh, patchelf, python-sqlparse, sniproxy, suricata, and webkit2), Oracle (apr-util and firefox), Red Hat (git), SUSE (containerd, openvswitch, python-Flask, runc, terraform-provider-aws, and terraform-provider-null), and Ubuntu (tar).
---------------------------------------------
https://lwn.net/Articles/932625/
∗∗∗ Tornado vulnerable to open redirect ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN45127776/
∗∗∗ WordPress 6.2.2 Security Release ∗∗∗
---------------------------------------------
https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
∗∗∗ F5: K000134681 : Spring Framework vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134681
∗∗∗ F5: K000134706 : Python IDNA vulnerability CVE-2022-45061 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134706
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/22/cisa-adds-three-known-ex…
∗∗∗ Vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995893
∗∗∗ Security vulnerability in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995895
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995887
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM Operational Decision Manager April 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997063
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.9ESR) have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997069
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Base(CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997075
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997083
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997097
∗∗∗ There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997107
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are affected by a vulnerability in the IBM SDK, Java Technology Edition [CVE-2023-30441] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997131
∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650695
∗∗∗ IBM b-type SAN Network/Storage switches is affected by a denial of service vulnerability, caused by a CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650699
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-05-2023 18:00 − Friday 19-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Attacks could be imminent: Critical root vulnerabilities threaten Cisco switches ∗∗∗
---------------------------------------------
Cisco has closed, among other things, several critical security vulnerabilities in various small business switches. But not all models are getting updates.
---------------------------------------------
https://heise.de/-9059775
∗∗∗ Password manager KeePass: Security researcher reads out master password ∗∗∗
---------------------------------------------
A security researcher has succeeded in reading out KeePass master passwords. Such attacks are laborious, however.
---------------------------------------------
https://heise.de/-9059945
∗∗∗ Zero-days and more: A look at Apple's latest security patches ∗∗∗
---------------------------------------------
iOS 16.5, macOS 13.4 and the other updates also patch security flaws, as usual. These include flaws that have already been exploited.
---------------------------------------------
https://heise.de/-9059799
∗∗∗ Malware infected almost 10 million Android phones ∗∗∗
---------------------------------------------
Numerous smartphones were shipped with pre-installed malicious software.
---------------------------------------------
https://futurezone.at/produkte/android-schadsoftware-infiziert-10-millionen…
∗∗∗ MalasLocker ransomware targets Zimbra servers, demands charity donation ∗∗∗
---------------------------------------------
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targe…
∗∗∗ Hackers target vulnerable Wordpress Elementor plugin after PoC released ∗∗∗
---------------------------------------------
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-wo…
∗∗∗ Playing for the Wrong Team: Dangerous Functionalities in Microsoft Teams Enable Phishing and Malware Delivery by Attackers ∗∗∗
---------------------------------------------
Microsoft is a major productivity partner for many organizations and enterprises. These organizations widely trust Microsoft Office’s suite of products as a reliable foundation for their daily cloud ecosystem needs. However, as Proofpoint has shown in the past, this migration to the cloud also introduces new kinds of threats.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/dangerous-functionalities…
∗∗∗ RATs found hiding in the npm attic ∗∗∗
---------------------------------------------
ReversingLabs researchers discovered two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
---------------------------------------------
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
∗∗∗ The Paillier Cryptosystem with Applications to Threshold ECDSA ∗∗∗
---------------------------------------------
You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it’s used in complex protocols, and how to implement it securely.
---------------------------------------------
https://research.nccgroup.com/2023/05/19/the-paillier-cryptosystem-with-app…
∗∗∗ All your building are belong to us ∗∗∗
---------------------------------------------
TL;DR: Building Management Systems (BMS) bring new risks to businesses that haven’t had previous experience of securing Operational Technology (OT). While there might not be direct financial gain from hacking BMS, these systems can be a soft target for attackers to pivot into your business operations. IoT offerings in this space can help manage risk within your networks, but can also provide unintended access to sensitive information.
---------------------------------------------
https://www.pentestpartners.com/security-blog/all-your-building-are-belong-…
∗∗∗ CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest, he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS to execute code on the underlying hypervisor.
---------------------------------------------
https://www.thezdi.com/blog/2023/5/17/cve-2023-2086920870-exploiting-vmware…
∗∗∗ VSCode Security: Malicious Extensions Detected- More Than 45,000 Downloads- PII Exposed, and Backdoors Enabled ∗∗∗
---------------------------------------------
Highlights:
* CloudGuard Spectral detected malicious extensions on the VSCode marketplace
* Users installing these extensions were enabling attackers to steal PII records and to set remote shell to their machines
* Once detected, we’ve alerted VSCode on these extensions. Soon after notification, they were removed by the VSCode marketplace team.
VSCode (short for Visual Studio Code) is a popular and free source code editor developed by Microsoft.
---------------------------------------------
https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-…
∗∗∗ Visualizing QakBot Infrastructure ∗∗∗
---------------------------------------------
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
---------------------------------------------
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
=====================
= Vulnerabilities =
=====================
∗∗∗ File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015 ∗∗∗
---------------------------------------------
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox. This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability [...]
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-015
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
Trend Micro has released a new build for Trend Micro Apex Central that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293107?language=en_US
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex One ∗∗∗
---------------------------------------------
Trend Micro has released a new Critical Patch (CP) for Trend Micro Apex One and Trend Micro Apex One as a Service that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293108?language=en_US
∗∗∗ Cisco Security Advisories 2023-05-17 ∗∗∗
---------------------------------------------
Cisco has published 9 security advisories: (1x Critical, 8x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-138-04 Johnson Controls OpenBlue Enterprise Manager Data Collector
* ICSA-23-138-03 Hitachi Energy’s MicroSCADA Pro/X SYS600 Products
* ICSA-23-138-02 Mitsubishi Electric MELSEC WS Series
* ICSA-23-138-01 Carlo Gavazzi Powersoft
* ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics (Update B)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/18/cisa-releases-five-indus…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Fedora (clevis-pin-tpm2, greetd, keyring-ima-signer, libkrun, mirrorlist-server, nispor, nmstate, qt5-qtbase, rust-afterburn, rust-below, rust-bodhi-cli, rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Oracle (apr-util, curl, emacs, firefox, kernel, libreswan, mysql, nodejs and nodejs-nodemon, openssh, thunderbird, and webkit2gtk3), Red Hat (apr-util, emacs, firefox, git, jenkins and jenkins-2-plugins, kernel, kpatch-patch, and thunderbird), Scientific Linux (apr-util, firefox, and thunderbird), Slackware (curl), SUSE (cups-filters, curl, java-1_8_0-openjdk, kernel, mysql-connector-java, and ovmf), and Ubuntu (cups-filters, git, linux-gcp-4.15, linux-oracle, linux-raspi, node-minimatch, ruby2.3, ruby2.5, ruby2.7, and runc).
---------------------------------------------
https://lwn.net/Articles/932371/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cups-filters, kitty, mingw-LibRaw, nispor, rust-ybaas, and rust-yubibomb), Mageia (kernel-linus), Red Hat (jenkins and jenkins-2-plugins), SUSE (openvswitch and ucode-intel), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-oracle-5.15, linux-ibm, linux-oracle, and linux-oem-6.0).
---------------------------------------------
https://lwn.net/Articles/932464/
∗∗∗ Path Traversal in SymBox, SymOS (SYSS-2023-014) ∗∗∗
---------------------------------------------
The web interface of SymBox, SymOS allows a path traversal, which can be used to gain access to system files outside the web root.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-symbox-symos-syss-2023-0…
∗∗∗ Spring Boot available now, fixing CVE-2023-20883 ∗∗∗
---------------------------------------------
https://spring.io/security/cve-2023-20883
∗∗∗ Mattermost security updates 7.10.1 / 7.9.4 / 7.8.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-1-7-9-4-7-8-5-…
∗∗∗ CPE2023-002 Vulnerabilities of IJ Network Tool regarding Wi-Fi connection setup – 18 May 2023 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-05-2023 18:00 − Wednesday 17-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers use Azure Serial Console for stealthy access to VMs ∗∗∗
---------------------------------------------
A financially motivated cybergang tracked by Mandiant as UNC3944 is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-con…
∗∗∗ Phishing: Dispute over Google TLDs .zip and .mov ∗∗∗
---------------------------------------------
IT and security experts are arguing over the usefulness and risks of new gTLDs. The problems, however, are not new.
---------------------------------------------
https://www.golem.de/news/phishing-streit-um-google-tlds-zip-und-mov-2305-1…
∗∗∗ Minas – on the way to complexity ∗∗∗
---------------------------------------------
Kaspersky analysis of a complicated multi-stage attack dubbed Minas that features a number of detection evasion and persistence techniques and results in a cryptocurrency miner infection.
---------------------------------------------
https://securelist.com/minas-miner-on-the-way-to-complexity/109692/
∗∗∗ Wemo Won't Fix Smart Plug Vulnerability Allowing Remote Operation ∗∗∗
---------------------------------------------
IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit -- a limit enforced solely by Wemo's own apps -- with third-party tools.
---------------------------------------------
https://it.slashdot.org/story/23/05/17/141200/wemo-wont-fix-smart-plug-vuln…
∗∗∗ Respawning Malware Persists on PyPI ∗∗∗
---------------------------------------------
A bad actor on GitHub laces his repositories with malware written in Python and hosted on PyPI. Minutes after his malware is taken down from PyPI, the same malware respawns on PyPI under a slightly different name. He then immediately updates all of his repositories to point to this new package. Most of his GitHub projects are bots or some variety of a stealer.
---------------------------------------------
https://blog.phylum.io/respawning-malware-persists-on-pypi/
∗∗∗ New scam website in circulation: finanavas.com ∗∗∗
---------------------------------------------
Investment fraudsters are using a new website to try to part people from their money. They use Telegram to wrap "investors" around their finger.
---------------------------------------------
https://heise.de/-9058909
∗∗∗ Subscription trap instead of information on phone numbers at reversera.com/de ∗∗∗
---------------------------------------------
In a time of constant fraudulent calls and "cold calls", a service that provides information on phone numbers and their owners is extremely useful. Reversera.com/de, run by АLРНАСLІС LТD, supposedly offers exactly that. In fact, in our test we were shown a fake result for made-up numbers. To view it, we would have had to pay 50 cents by credit card, but the payment leads into a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-statt-informationen-zu-tel…
∗∗∗ How to encrypt your email (and why you should) ∗∗∗
---------------------------------------------
If you send emails with sensitive or private info inside, you should consider email encryption. Here's what to know.
---------------------------------------------
https://www.zdnet.com/article/how-to-encrypt-your-email-and-why-you-should/
∗∗∗ WordPress 6.2.1 released ∗∗∗
---------------------------------------------
On May 16, 2023, the developers released WordPress version 6.2.1. It is a maintenance and security update that fixes 30 bugs. Details can be found in the release announcements.
---------------------------------------------
https://www.borncity.com/blog/2023/05/16/wordpress-6-2-1-freigegeben/
∗∗∗ SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack ∗∗∗
---------------------------------------------
In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant’s investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote management software within client environments. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud.
---------------------------------------------
https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial
∗∗∗ CISA and Partners Release BianLian Ransomware Cybersecurity Advisory ∗∗∗
---------------------------------------------
CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory. To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Web browser: Critical security vulnerability in Google Chrome ∗∗∗
---------------------------------------------
Google has released an update for the Chrome web browser. It closes at least one critical security vulnerability. Attackers could inject malicious code.
---------------------------------------------
https://heise.de/-9057932
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (netatalk), Mageia (connman, firefox/nss/rootcerts, freeimage, golang, indent, kernel, python-django, python-pillow, and thunderbird), Red Hat (apr-util, firefox, java-1.8.0-ibm, libreswan, and thunderbird), SUSE (conmon, curl, java-11-openjdk, and libheif), and Ubuntu (libwebp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux, linux-aws, linux-aws-hwe, linux-kvm, linux, linux-aws, linux-azure, linux-azure-5.19, linux-kvm, linux-lowlatency, linux-raspi, node-eventsource, and openjdk-8, openjdk-lts, openjdk-17, openjdk-20).
---------------------------------------------
https://lwn.net/Articles/932130/
∗∗∗ Vulnerability Summary for the Week of May 8, 2023 ∗∗∗
---------------------------------------------
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb23-135
∗∗∗ Path Traversal in IP-Symcon (SYSS-2023-014) ∗∗∗
---------------------------------------------
The web interface of IP-Symcon allows a path traversal, which can be used to gain access to system files outside the web root.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-ip-symcon-syss-2023-014
∗∗∗ Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-70…
∗∗∗ Stored XSS vulnerability in the rename functionality of Wekan (open-source kanban) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-schwachste…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-05-2023 18:00 − Tuesday 16-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ VirusTotal AI code analysis expands Windows, Linux script support ∗∗∗
---------------------------------------------
Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-ai-code-analysis-…
∗∗∗ Open-source Cobalt Strike port Geacon used in macOS attacks ∗∗∗
---------------------------------------------
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/open-source-cobalt-strike-po…
∗∗∗ Signals Defense With Faraday Bags & Flipper Zero, (Tue, May 16th) ∗∗∗
---------------------------------------------
There are situations where it is desired to block signals between devices. Common scenarios are when traveling, in a location of uncertain safety, or otherwise concerned with data privacy and geolocation. I was curious how well faraday bags and similar products protected wireless communications.
---------------------------------------------
https://isc.sans.edu/diary/rss/29840
∗∗∗ Triple Threat: Breaking Teltonika Routers Three Ways ∗∗∗
---------------------------------------------
Comprehensive research was conducted on Teltonika Networks’ IIoT products, with a focus on industrial cellular devices widely used in various industries, specifically, the Teltonika Remote Management System, and RUT model routers.
---------------------------------------------
https://claroty.com/team82/research/triple-threat-breaking-teltonika-router…
∗∗∗ You’ve been kept in the dark (web): exposing Qilin’s RaaS program ∗∗∗
---------------------------------------------
All you need to know about Qilin ransomware and its operations targeting critical sectors.
---------------------------------------------
https://www.group-ib.com/blog/qilin-ransomware/
∗∗∗ Side-channel attack on Cortex-M: Access to sensitive information ∗∗∗
---------------------------------------------
At Black Hat Asia, IT researchers presented side-channel attacks on ARM Cortex-M microprocessors. They allow access to sensitive information.
---------------------------------------------
https://heise.de/-9057108
∗∗∗ It’s always DNS, here’s why… ∗∗∗
---------------------------------------------
There’s an old adage in network and Internet support: When something breaks in any network “it was DNS”. Sadly it’s usually true.
---------------------------------------------
https://www.pentestpartners.com/security-blog/its-always-dns-heres-why/
∗∗∗ Beware of calls from "austriamegachance.com" ∗∗∗
---------------------------------------------
Your phone rings. Austria Mega Chance is on the line, a lottery tip service. You are promised high chances of winning the lottery and offered a service for group tickets. The pushy caller coaxes your account details out of you. Some time later, just under 70 euros is debited from your account every month, without written information or your having signed a contract. We show you what you can do!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-von-austriamega…
∗∗∗ Microsoft SharePoint scans password-protected ZIP archives ∗∗∗
---------------------------------------------
It appears that Microsoft also scans ZIP archives in its cloud storage for malicious content (and possibly other content), including archives that the user has protected against viewing with a password.
---------------------------------------------
https://www.borncity.com/blog/2023/05/16/microsoft-sharepoint-scannt-passwo…
∗∗∗ The Dragon Who Sold His Camaro: Analyzing Custom Router Implant ∗∗∗
---------------------------------------------
Through our investigation, we have gained a deeper comprehension of the ways in which attackers are employing malware to target edge devices, particularly routers. Our efforts have led us to uncover several of the tactics and tools utilized by Camaro Dragon in their attacks.
---------------------------------------------
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzi…
∗∗∗ 8220 Gang Evolves With New Strategies ∗∗∗
---------------------------------------------
We observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-stra…
∗∗∗ How to Write a PoC for an Uninitialized Smart Contract Vulnerability in BadgerDAO Using Foundry ∗∗∗
---------------------------------------------
In this post, we’re going to learn how Foundry can be used to write a proof of concept (PoC) for uninitialized smart contract vulnerabilities.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/how-to-write-a-poc-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Cloud Pak for Network Automation, IBM Control Desk, IBM Maximo, IBM Edge Application Manager, IBM Cloud Automation Manager, Tivoli Monitoring, IBM Business Monitor, IBM Business Automation Workflow Enterprise Service Bus, WebSphere Application Server, Tivoli Application Dependency Discovery Manager, IBM Operations Analytics - Predictive Insights, IBM Security Verify Information Queue.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-136-02 Rockwell ArmorStart
* ICSA-23-136-03 Rockwell Automation FactoryTalk Vantagepoint
* ICSA-23-136-01 Snap One OvrC Cloud
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-releases-three-indu…
∗∗∗ JavaScript sandbox vm2: PoC demonstrates new sandbox escape ∗∗∗
---------------------------------------------
Attackers can abuse a critical vulnerability in the JavaScript sandbox vm2 to break out. Updated software that closes the vulnerabilities is available.
---------------------------------------------
https://heise.de/-9056842
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (epiphany-browser, python-ipaddress, and sqlparse), Fedora (python-django3 and qemu), Red Hat (apr-util, autotrace, bind, bind9.16, container-tools:4.0, container-tools:rhel8, ctags, curl, device-mapper-multipath, dhcp, edk2, emacs, freeradius:3.0, freerdp, frr, gcc-toolset-12-binutils, git, git-lfs, go-toolset:rhel8, grafana, grafana-pcp, gssntlmssp, Image Builder, kernel, kernel-rt, libarchive, libreswan, libtar, libtiff, mingw-expat, mysql:8.0, net-snmp, pcs, php:7.4, poppler, postgresql-jdbc, python-mako, python27:2.7, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, samba, sysstat, tigervnc, unbound, virt:rhel and virt-devel:rhel, wayland, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (dmidecode, postgresql13, prometheus-sap_host_exporter, python-cryptography, rekor, and thunderbird), and Ubuntu (firefox, matrix-synapse, and mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/932033/
∗∗∗ D-Link DIR-2150 DIR-2150 Firmware Release Notes v1.06 ∗∗∗
---------------------------------------------
https://support.dlink.com.au/Download/download.aspx?product=DIR-2150
∗∗∗ XSA-431 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-431.html
∗∗∗ Numerous vulnerabilities in Serenity and StartSharp Software ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-05-2023 18:00 − Monday 15-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ The .zip gTLD: Risks and Opportunities, (Fri, May 12th) ∗∗∗
---------------------------------------------
About ten years ago, ICANN started the "gTLD" program. "Generic TLDs" allows various brands to register their own trademark as a TLD. Instead of "google.com", you now can have ".google"! Applying for a gTLD isn't cheap, and success isn't guaranteed. But since its inception, dozens of new gTLDs have been approved and started to be used [1]. The reputation of these new gTLDs has been somewhat mixed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29838
∗∗∗ XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany.
---------------------------------------------
https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html
∗∗∗ CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware ∗∗∗
---------------------------------------------
Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign that's designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware.
---------------------------------------------
https://thehackernews.com/2023/05/clr-sqlshell-malware-targets-ms-sql.html
∗∗∗ New MichaelKors Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems ∗∗∗
---------------------------------------------
A new ransomware-as-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023. The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2023/05/new-michaelkors-ransomware-as-service.html
∗∗∗ WordPress Field Builder Plugin Vulnerability Exploited in Attacks Two Days After Patch ∗∗∗
---------------------------------------------
PoC exploit targeting an XSS vulnerability in the Advanced Custom Fields WordPress plugin started being used in malicious attacks two days after patch.
---------------------------------------------
https://www.securityweek.com/wordpress-field-builder-plugin-vulnerability-e…
∗∗∗ Webinar: Using smartphones, tablets & co. safely ∗∗∗
---------------------------------------------
How can I protect my personal data on smartphones, tablets & co.? In this webinar we show you the most important security settings, from permissions and data protection to usage times. Participation is free: Tuesday, 23 May 2023, 18:30 - 20:00 via zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-…
∗∗∗ Protect your smartphone with these 3 settings ∗∗∗
---------------------------------------------
You think your smartphone is well protected against unauthorized access by a screen lock? Wrong! Criminals find ways to get into stolen or lost smartphones. In the worst case, they access your banking app and empty your account. We show you 3 important settings to protect your smartphone in case of loss or theft.
---------------------------------------------
https://www.watchlist-internet.at/news/mit-diesen-3-einstellungen-schuetzen…
∗∗∗ Ransomware tracker: The latest figures [May 2023] ∗∗∗
---------------------------------------------
Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current. Although ransomware attacks overall were down in April compared to the prior month, attacks against healthcare organizations shot up to one of its highest levels in years as hospitals and doctors' offices increasingly find themselves targeted by hackers.
---------------------------------------------
https://therecord.media/ransomware-tracker-the-latest-figures
=====================
= Vulnerabilities =
=====================
∗∗∗ Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks ∗∗∗
---------------------------------------------
Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks. The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week. The 11 vulnerabilities allow "remote code execution and full control over hundreds of thousands of devices and OT networks - in some cases, even those not actively configured to use the cloud."
---------------------------------------------
https://thehackernews.com/2023/05/industrial-cellular-routers-at-risk-11.ht…
∗∗∗ Screen SFT DAB 600/C: Multiple Vulnerabilities ∗∗∗
---------------------------------------------
* Authentication Bypass Account Creation Exploit
* Authentication Bypass Password Change Exploit
* Authentication Bypass Erase Account Exploit
* Authentication Bypass Admin Password Change Exploit
* Authentication Bypass Reset Board Config Exploit
* Unauthenticated Information Disclosure (userManager.cgx)
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Mobile Security (Enterprise) ∗∗∗
---------------------------------------------
CVE Identifier(s): CVE-2023-32521 through CVE-2023-32528. Trend Micro has released a new build for Trend Micro Mobile Security (Enterprise) that resolves several vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293106?language=en_US
∗∗∗ Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been identified in the Kiddoware Kids Place Parental Control Android App. Users of the parent's web dashboard can be attacked via cross site scripting or cross site request forgery vulnerabilities, or attackers may upload arbitrary files to the children's devices. Furthermore, children are able to bypass any restrictions without the parents noticing.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-websocket, kernel, postgresql-11, and thunderbird), Fedora (firefox, kernel, libreswan, libssh, tcpreplay, and thunderbird), SUSE (dcmtk, gradle, libraw, postgresql12, postgresql13, postgresql14, and postgresql15), and Ubuntu (firefox, nova, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/931892/
∗∗∗ VM2 Security Advisory: Inspect Manipulation ∗∗∗
---------------------------------------------
A threat actor can edit options for console.log.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v
∗∗∗ VM2 Security Advisory: Sandbox Escape ∗∗∗
---------------------------------------------
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
∗∗∗ WAGO: Unauthenticated command execution via Web-based-management ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-007/
∗∗∗ Helmholz: Multiple vulnerabilities in myREX24 and myREX24.virtual ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-008/
∗∗∗ MB Connect Line: Multiple vulnerabilities in mbConnect24 and mymbConnect24 ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-002/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-05-2023 18:00 − Friday 12-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows: Windows security patch can render boot media unusable ∗∗∗
---------------------------------------------
Secure Boot in Windows can currently be bypassed through a vulnerability. It will probably take until 2024 before it is fixed, for reasons.
---------------------------------------------
https://www.golem.de/news/windows-windows-sicherheitspatch-kann-bootmedien-…
∗∗∗ New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows ∗∗∗
---------------------------------------------
A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week. "BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.
---------------------------------------------
https://thehackernews.com/2023/05/new-variant-of-linux-backdoor-bpfdoor.html
∗∗∗ Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG ∗∗∗
---------------------------------------------
This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well as indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
∗∗∗ Multiple security vulnerabilities in VMware's cloud management Aria Operations ∗∗∗
---------------------------------------------
Patches close several security vulnerabilities that allow privilege escalation within VMware's cloud management product Aria Operations.
---------------------------------------------
https://heise.de/-9012909
∗∗∗ Ransomware: There is hope for BlackCat victims ∗∗∗
---------------------------------------------
If the prerequisites are met, victims of the BlackCat ransomware can regain access to their data.
---------------------------------------------
https://heise.de/-9010373
∗∗∗ Shop system: Critical security vulnerability in Prestashop is under attack ∗∗∗
---------------------------------------------
A critical security vulnerability exists in the shopping system Prestashop. Attackers are already abusing it. A current software version provides protection.
---------------------------------------------
https://heise.de/-9010286
∗∗∗ Cisco: SD-WAN certificates expired, update now! ∗∗∗
---------------------------------------------
Cisco Systems is informing its customers that some SD-WAN appliances of the vEdge series require urgent updates.
---------------------------------------------
https://heise.de/-9014471
∗∗∗ Enforce Zero Trust in Microsoft 365 – Part 2: Protect against external users and applications ∗∗∗
---------------------------------------------
In the first blog post of this series, we have seen how strong authentication, i.e., Multi-Factor Authentication (MFA), could be enforced for users using a free Azure Active Directory subscription within the Microsoft 365 environment. In this blog post, we will continue to harden the configuration of our Azure AD tenant to enforce Zero Trust [...]
---------------------------------------------
https://blog.nviso.eu/2023/05/12/enforce-zero-trust-in-microsoft-365-part-2…
=====================
= Vulnerabilities =
=====================
∗∗∗ Severe Security Flaw Exposes Over a Million WordPress Sites to Hijack ∗∗∗
---------------------------------------------
The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active installations.
---------------------------------------------
https://thehackernews.com/2023/05/severe-security-flaw-exposes-over.html
∗∗∗ VMSA-2023-0009: VMware Aria Operations (formerly vRealize Operations) ∗∗∗
---------------------------------------------
CVSSv3 Range: 6.4-8.8 CVE(s): CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880 VMware Aria Operations update addresses multiple Local Privilege Escalations and a Deserialization issue
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0009.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-13 and webkit2gtk), Fedora (git), SUSE (helm and skopeo), and Ubuntu (cinder, nova, python-glance-store, and python-os-brick).
---------------------------------------------
https://lwn.net/Articles/931760/
∗∗∗ Case update: DIVD-2022-00068 - Multiple vulnerabilities identified within White Rabbit Switch from CERN ∗∗∗
---------------------------------------------
Last event: 11 Apr 2023 - CERN released White Rabbit Switch 6.0.2, which contains a fix for CVE-2023-22577 and CVE-2023-22581.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00068/
∗∗∗ Beekeeper Studio vulnerable to code injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN11705010/
∗∗∗ [R1] Nessus Version 10.5.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-20
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989667
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989665
∗∗∗ Deserialization vulnerability affect IBM Business Automation Workflow BPM Event Emitters - CVE-2022-1471 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988027
∗∗∗ Multiple Vulnerabilities in Multicloud Management Security Services ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991215
∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to cross-site scripting (CVE-2022-0225) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991217
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991213
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-05-2023 18:00 − Thursday 11-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Interview: Hacker Witold Waligóra on side-channel attacks ∗∗∗
---------------------------------------------
We followed up with hacker Witold Waligóra about what can be achieved with side-channel attacks and how to protect against them.
---------------------------------------------
https://heise.de/-8983428
∗∗∗ Smishing: Beware of fraudulent passport SMS! ∗∗∗
---------------------------------------------
Have you received an SMS claiming that your passport is ready? Do not click on the link "oesterreich.at-anmelden.net"; it is a fraud attempt!
---------------------------------------------
https://www.watchlist-internet.at/news/smishing-vorsicht-vor-betruegerische…
∗∗∗ Fake in-browser Windows updates push Aurora info-stealer malware ∗∗∗
---------------------------------------------
A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-in-browser-windows-upda…
∗∗∗ RapperBot DDoS malware adds cryptojacking as new revenue stream ∗∗∗
---------------------------------------------
New samples of the RapperBot botnet malware have added cryptojacking capabilities to mine for cryptocurrency on compromised Intel x64 machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rapperbot-ddos-malware-adds-…
∗∗∗ Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs ∗∗∗
---------------------------------------------
Two years ago, a popular ransomware-as-a-service group's source code got leaked. Now other ransomware groups are using it for their own purposes.
---------------------------------------------
https://www.darkreading.com/cloud/multiple-ransomware-groups-adapt-babuk-co…
∗∗∗ New ransomware trends in 2023 ∗∗∗
---------------------------------------------
On the eve of the global Anti-Ransomware Day, Kaspersky researchers share an overview of the key trends observed among ransomware groups.
---------------------------------------------
https://securelist.com/new-ransomware-trends-in-2023/109660/
∗∗∗ Analysis of CLR SqlShell Used to Attack MS-SQL Servers ∗∗∗
---------------------------------------------
This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
---------------------------------------------
https://asec.ahnlab.com/en/52479/
=====================
= Vulnerabilities =
=====================
∗∗∗ Experts share details of five flaws that can be chained to hack Netgear RAX30 Routers ∗∗∗
---------------------------------------------
Researchers disclosed the details of five vulnerabilities that can be chained to take over some Netgear router models.
---------------------------------------------
https://securityaffairs.com/146111/hacking/netgear-router-exploit-2.html
∗∗∗ Zyxel Chained Remote Code Execution ∗∗∗
---------------------------------------------
This module exploits multiple vulnerabilities in the `zhttpd` binary (/bin/zhttpd) and `zcmd` binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary that allows an unauthenticated attacker to read the entire configuration of the router [..]
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023050030
∗∗∗ Multiple vulnerabilities in Danfoss EM100 ∗∗∗
---------------------------------------------
Multiple injection-related vulnerabilities exist in a set of Danfoss products, among which the EM100. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised to phase out the EM100, as its vendor Danfoss confirms the EM100 to be End of Life and that it will not be releasing a patch for this product. [..] If this is not possible, ensure it is not connected to the public Internet.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2023-00021/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023) ∗∗∗
---------------------------------------------
Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/05/wordfence-intelligence-weekly-wordpr…
∗∗∗ CISA Releases Fifteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-131-01 Siemens Solid Edge
* ICSA-23-131-02 Siemens SCALANCE W1750D
* ICSA-23-131-03 Siemens Siveillance
* ICSA-23-131-04 Siemens SIMATIC Cloud Connect 7
* ICSA-23-131-05 Siemens SINEC NMS Third-Party
* ICSA-23-131-06 Siemens SCALANCE LPE9403
* ICSA-23-131-07 Sierra Wireless AirVantage
* ICSA-23-131-08 Teltonika Remote Management System and RUT Model Routers
* ICSA-23-131-09 Rockwell Automation Kinetix 5500 EtherNetIP Servo Drive
* ICSA-23-131-10 Rockwell Automation Arena Simulation Software
* ICSA-23-131-11 BirdDog Cameras & Encoders
* ICSA-23-131-12 SDG PnPSCADA
* ICSA-23-131-13 PTC Vuforia Studio
* ICSA-23-131-14 Rockwell PanelView 800
* ICSA-23-131-15 Rockwell ThinManager
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-releases-fifteen-in…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and nvidia-graphics-drivers-legacy-390xx), Fedora (firefox, java-11-openjdk, LibRaw, moodle, python-django3, and vtk), Slackware (mozilla), SUSE (buildah, cloud-init, container-suseconnect, firefox, golang-github-prometheus-prometheus, kernel, and ntp), and Ubuntu (heat, linux-azure-fde-5.15, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-raspi, linux-raspi-5.4, linux-raspi2, neutron, openvswitch, and sqlparse).
---------------------------------------------
https://lwn.net/Articles/931638/
∗∗∗ ThinkPad Dock Firmware Update Tool Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-EL…
∗∗∗ CVE-2023-0008 PAN-OS: Local File Disclosure Vulnerability in the PAN-OS Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0008
∗∗∗ CVE-2023-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0007
∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-43930, CVE-2014-3577, CVE-2022-43927, CVE-2022-43929) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989465
∗∗∗ IBM Content Manager Enterprise Edition is affected by a vulnerability in Eclipse Openj9 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6987029
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856659
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856661
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856663
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - IBM® Java SDK CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989589
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989591
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989593
∗∗∗ Vega Vulnerabilities affect IBM Decision Optimization in IBM Cloud Pak for Data (CVE-2023-26486, CVE-2023-26487) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989625
∗∗∗ IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989451
∗∗∗ Multiple Security Vulnerabilities have been fixed in IBM Security Verify Access ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989653
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989657
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-05-2023 18:00 − Wednesday 10-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patchday: Adobe closes malicious-code vulnerability in Substance 3D Painter ∗∗∗
---------------------------------------------
Important security updates are available for Adobe Substance 3D Painter. Anyone who uses it to edit 3D models should update the application.
---------------------------------------------
https://heise.de/-8991973
∗∗∗ Microsoft Patchday: Attackers gain system privileges on Windows ∗∗∗
---------------------------------------------
Microsoft closes, among other things, several critical malicious-code vulnerabilities in Windows. Attacks are already underway, and more could follow.
---------------------------------------------
https://heise.de/-8991967
∗∗∗ Critical vulnerabilities allow takeover of Aruba access points ∗∗∗
---------------------------------------------
HPE subsidiary Aruba closes several security vulnerabilities, some of them critical, in its access points. Attackers from the network could inject malicious code.
---------------------------------------------
https://heise.de/-8992292
∗∗∗ Patchday: 18 security notes on partly critical vulnerabilities in SAP software ∗∗∗
---------------------------------------------
On the May Patchday, SAP seals vulnerabilities, some of them critical, in the company's software. IT managers should apply the updates promptly.
---------------------------------------------
https://heise.de/-8992005
∗∗∗ Root privileges for local attackers thanks to vulnerabilities in the Linux kernel ∗∗∗
---------------------------------------------
Security vulnerabilities hiding in two components of the Linux kernel hand local attackers a root shell. A first exploit is public.
---------------------------------------------
https://heise.de/-8992648
∗∗∗ Easily bypassed patch makes zero-click Outlook flaw exploitable again (CVE-2023-29324) ∗∗∗
---------------------------------------------
Among the vulnerabilities fixed by Microsoft on May 2023 Patch Tuesday is CVE-2023-29324, a bug in the Windows MSHTML platform that Microsoft rates as “important.” Akamai’s research team and Ben Barnea, the researcher who’s credited with finding the flaw, disagree with that assessment, because “the new vulnerability [CVE-2023-29324] re-enables the exploitation of a critical vulnerability [CVE-2023-23397] that was seen in the wild and used by APT operators.”
---------------------------------------------
https://www.helpnetsecurity.com/2023/05/10/cve-2023-29324/
∗∗∗ Beware of fraudulent animal, puppy and cat trading on the Internet ∗∗∗
---------------------------------------------
Fraudulent animal offers from the Internet and on social media such as Facebook are currently being reported to Watchlist Internet in increasing numbers. Cute pictures of young kittens and dogs on websites designed to build trust tempt people into a rash order and advance payment. A delivery never takes place, no matter how many payment demands from the criminal breeders are met!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischem-tier-we…
∗∗∗ Free Tool Unlocks Some Encrypted Data in Ransomware Attacks ∗∗∗
---------------------------------------------
"White Phoenix" automated tool for recovering data on partially encrypted files hit with ransomware is available on GitHub.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/free-tool-unlocks-some-encrypt…
∗∗∗ PwnAssistant - Controlling /homes via a Home Assistant RCE ∗∗∗
---------------------------------------------
[..] we decided to look into the very established and known open-source automation ecosystem known as Home Assistant. [..] So without further ado, come with us on this journey to understanding the Home Assistant architecture, enumerating the attack surface and trawling for pre-authentication vulnerabilities within the code base.
---------------------------------------------
https://www.elttam.com/blog/pwnassistant/
∗∗∗ Xjquery Wave of WordPress SocGholish Injections ∗∗∗
---------------------------------------------
By the end of March, 2023, we started noticing a new wave of SocGholish injections that used the intermediary xjquery[.]com domain. It appeared to be another evolution of the same malware. This time, however, attackers were using the same tricks in a different way.
---------------------------------------------
https://blog.sucuri.net/2023/05/xjquery-wave-of-wordpress-socgholish-inject…
∗∗∗ ESET APT Activity Report Q4 2022–Q1 2023 ∗∗∗
---------------------------------------------
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023
---------------------------------------------
https://www.welivesecurity.com/2023/05/09/eset-apt-activity-report-q42022-q…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (emacs), Fedora (chromium, community-mysql, and LibRaw), Red Hat (nodejs nodejs-nodemon, nodejs:18, and webkit2gtk3), Slackware (mozilla), SUSE (amazon-ssm-agent, conmon, distribution, docker-distribution, google-cloud-sap-agent, ignition, kernel, ntp, prometheus-ha_cluster_exporter, protobuf-c, python-cryptography, runc, and shim), and Ubuntu (ceph, freetype, and node-css-what).
---------------------------------------------
https://lwn.net/Articles/931488/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities ∗∗∗
---------------------------------------------
Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ Chipmaker Patch Tuesday: Intel, AMD Address Over 100 Vulnerabilities ∗∗∗
---------------------------------------------
Intel and AMD have informed their customers about a total of more than 100 vulnerabilities found in their products.
---------------------------------------------
https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-address-over…
∗∗∗ Hitachi Energy MSM ∗∗∗
---------------------------------------------
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Modular Switchgear Monitoring (MSM)
Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authentication Bypass by Capture-replay, Code Injection, Improper Restriction of Operations within the Bounds of a Memory Buffer, NULL Pointer Dereference, Insufficient Entropy
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-129-02
∗∗∗ Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system ∗∗∗
---------------------------------------------
TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-authentication-b…
∗∗∗ SLP Protocol Denial-of-Service Guidance ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500563-SLP-PROTOCOL-DENIAL-OF-…
∗∗∗ Multi-vendor BIOS Security Vulnerabilities (May 2023) ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500559-MULTI-VENDOR-BIOS-SECUR…
∗∗∗ ThinkPad Dock Driver Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-EL…
∗∗∗ [R1] Nessus Network Monitor Version 6.2.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-19
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-05-2023 18:00 − Tuesday 09-05-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ A new, stealthier type of Typosquatting attack spotted targeting NPM ∗∗∗
---------------------------------------------
Attackers have been using lowercase letters in package names on the Node Package Manager (NPM) registry for potential malicious package impersonation. This deceptive tactic presents a dangerous twist on a well-known attack method -- "Typosquatting."
---------------------------------------------
https://checkmarx.com/blog/a-new-stealthier-type-of-typosquatting-attack-sp…
∗∗∗ AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability ∗∗∗
---------------------------------------------
Owners of Ruckus access points (APs) have been warned that a DDoS botnet named AndoryuBot has been exploiting a recently patched vulnerability to hack devices. The vulnerability in question is tracked as CVE-2023-25717 and it was patched by Ruckus in February in many of its wireless APs.
---------------------------------------------
https://www.securityweek.com/andoryubot-ddos-botnet-exploiting-ruckus-ap-vu…
∗∗∗ Building Automation System Exploit Brings KNX Security Back in Spotlight ∗∗∗
---------------------------------------------
A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.
---------------------------------------------
https://www.securityweek.com/building-automation-system-exploit-brings-knx-…
∗∗∗ Do not book your accommodation via booked.net or hotel-mix.de ∗∗∗
---------------------------------------------
Looking for accommodation? Better not to book on booked.net or hotel-mix.de, because both booking platforms list accommodations that have no contract with the platform. Once you arrive at the booked accommodation, it may turn out that the operators know nothing about your booking and you have to find a new place to sleep at short notice.
---------------------------------------------
https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-ueb…
∗∗∗ New phishing-as-a-service tool “Greatness” already seen in the wild ∗∗∗
---------------------------------------------
A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
---------------------------------------------
https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability (CWE-79). An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin.
---------------------------------------------
https://jvn.jp/en/jp/JVN59341308/
∗∗∗ WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
* An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-27923, CVE-2023-28367
* An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-27925, CVE-2023-27926
---------------------------------------------
https://jvn.jp/en/jp/JVN95792402/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-11-openjdk-portable and rubygem-redcarpet), Red Hat (autotrace, bind, buildah, butane, conmon, containernetworking-plugins, curl, device-mapper-multipath, dhcp, edk2, emacs, fence-agents, freeradius, freerdp, frr, fwupd, gdk-pixbuf2, git, git-lfs, golang-github-cpuguy83-md2man, grafana, grafana-pcp, gstreamer1-plugins-good, Image Builder, jackson, kernel, kernel-rt, krb5, libarchive, libguestfs-winsupport, libreswan, libtiff, libtpms, lua, mysql, net-snmp, openssh, openssl, pcs, php:8.1, pki-core, podman, poppler, postgresql-jdbc, python-mako, qemu-kvm, samba, skopeo, sysstat, tigervnc, toolbox, unbound, webkit2gtk3, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (cfengine, cfengine-masterfiles, go1.19, go1.20, libfastjson, python-cryptography, and python-ujson), and Ubuntu (mysql-5.7).
---------------------------------------------
https://lwn.net/Articles/931384/
∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin ∗∗∗
---------------------------------------------
* CVE-2023-24488, Cross site scripting, CVSS 6.1
* CVE-2023-24487, Arbitrary file read, CVSS 6.3
---------------------------------------------
https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-…
∗∗∗ SSA-932528 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-932528.html
∗∗∗ SSA-892048 V1.0: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-892048.html
∗∗∗ SSA-789345 V1.0: Code Execution Vulnerabilities in Siveillance Video Event and Management Servers ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-789345.html
∗∗∗ SSA-555292 V1.0: Security Vulnerabilities Fixed in SIMATIC Cloud Connect 7 V2.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-555292.html
∗∗∗ SSA-516174 V1.0: Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-516174.html
∗∗∗ SSA-325383 V1.0: Multiple Vulnerabilities in SCALANCE LPE9403 before V2.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-325383.html
∗∗∗ F5: K000133759 : Python vulnerability CVE-2020-26116 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133759
∗∗∗ F5: K000134496 : Jettison vulnerability CVE-2022-45685 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134496
∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988953
∗∗∗ Tensorflow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988959
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986333
∗∗∗ TensorFlow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988979
∗∗∗ Ansi-html is vulnerable to CVE-2021-23424 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988981
∗∗∗ Node-forge is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988969
∗∗∗ Apache Log4j is vulnerable to CVE-2021-45105 and CVE-2021-45046 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988975
∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888295
∗∗∗ IBM Cloud Pak for Network Automation 2.4.6 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989099
∗∗∗ CVE-2023-24536, CVE-2023-24537 and CVE-2023-24534 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989115
∗∗∗ CVE-2023-24536, CVE-2023-24537, CVE-2023-24534 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989117
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989119
∗∗∗ WebSphere Application Server Liberty is vulnerable to CVE-2022-3509 and CVE-2022-3171 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989133
∗∗∗ IBM WebSphere Application Server Liberty and Open Liberty is vulnerable to CVE-2022-22475 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989131
∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to CVE-2022-22393 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989127
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989145
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-05-2023 18:00 − Monday 08-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Meet Akira — A new ransomware operation targeting the enterprise ∗∗∗
---------------------------------------------
The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-…
∗∗∗ Data leak: MSI firmware and Boot Guard keys published ∗∗∗
---------------------------------------------
Following a hack, a ransomware group has published a large amount of internal MSI data, including private signing keys.
---------------------------------------------
https://www.golem.de/news/datenleck-firmware-und-bootguard-schluessel-von-m…
∗∗∗ New Cactus ransomware encrypts itself to evade antivirus ∗∗∗
---------------------------------------------
While the new threat actor adopted the usual tactics seen in ransomware attacks - file encryption and data theft - it added its own touch to avoid detection. [..] Researchers at Kroll corporate investigation and risk consulting firm believe that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encryp…
∗∗∗ Breaking down Reverse shell commands ∗∗∗
---------------------------------------------
In pentesting assessments and CTFs we always need reverse shells to execute commands on the target machine once we have exploited a system and have a command injection at some point in our engagement. For that we have an awesome project: revshells.com or reverse-shell-generator where we have a ton of reverse shell payloads listed. This blog post tries to explain their working.
---------------------------------------------
https://adityatelange.in/blog/revshells/
∗∗∗ Quickly Finding Encoded Payloads in Office Documents ∗∗∗
---------------------------------------------
Malicious documents like this RevengeRAT ppam file found on MalwareBazaar contain VBA code that you can analyze with oledump.py. Some shortcuts can be used [..] But there is a quicker method: let zipdump.py produce JSON output that contains the decompressed content of each file, and then let base64dump.py consume this JSON output.
---------------------------------------------
https://isc.sans.edu/diary/rss/29818
∗∗∗ Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot ∗∗∗
---------------------------------------------
Dependabot is one of the most widely deployed tools to improve software supply chain security. But like all other software, it is not immune to security vulnerabilities. By using it, users take on the risk that any vulnerabilities in Dependabot itself may lead to the compromise of the very supply chain they are trying to secure. This article is about a vulnerability in Dependabot that allowed an arbitrary user to gain access to a subset of GitHub repositories that have Dependabot enabled.
---------------------------------------------
https://giraffesecurity.dev/posts/dependabot-confusion/
∗∗∗ Microsoft web browser: Edge 113 closes security vulnerabilities ∗∗∗
---------------------------------------------
Microsoft has released version 113 of the Edge web browser. In it, the developers have improved some features and fixed vulnerabilities.
---------------------------------------------
https://heise.de/-8990437
∗∗∗ Warning! These cosmetics are harmful to your health! ∗∗∗
---------------------------------------------
The Agentur für Gesundheit und Ernährungssicherheit (AGES) and the Bundesamt für Verbrauchergesundheit (BAVG) are currently warning about cosmetic products that contain banned, harmful fragrances. The products are mainly sold online. We show you which products you should steer clear of.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-diese-kosmetika-sind-gesundh…
∗∗∗ Webinar: Buying and selling safely via Willhaben, Shpock & Co. ∗∗∗
---------------------------------------------
What do I need to keep in mind when I want to buy or sell something as a private individual on classifieds platforms such as Willhaben, Shpock, Vinted & Co.? Our legal expert from the Internet Ombudsstelle gives tips for handling such online transactions safely. Participate free of charge: Tuesday, 16 May 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicher-verkaufen-ueber-willh…
∗∗∗ PRFs, PRPs and other fantastic things ∗∗∗
---------------------------------------------
A few weeks ago I ran into a conversation on Twitter about the weaknesses of applied cryptography textbooks, and how they tend to spend way too much time lecturing people about Feistel networks and the boring details of AES. Some of the folks in this conversation suggested that instead of these things, we should be into more fundamental topics like “what is a pseudorandom function.”
---------------------------------------------
https://blog.cryptographyengineering.com/2023/05/08/prfs-prps-and-other-fan…
∗∗∗ WordPress plugin vulnerability puts two million websites at risk ∗∗∗
---------------------------------------------
Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.
---------------------------------------------
https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-we…
∗∗∗ Cisco SPA112 2-Port Phone Adapter insecure, the only option left is to dispose of it ∗∗∗
---------------------------------------------
US vendor Cisco warns in an advisory of a critical vulnerability in one of its phone adapters. This vulnerability allows an attacker to take control of the device. Unfortunately, the only option left to affected users is to dispose of this phone adapter [...]
---------------------------------------------
https://www.borncity.com/blog/2023/05/06/cisco-spa112-2-port-telefonadapter…
=====================
= Vulnerabilities =
=====================
∗∗∗ ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000 ∗∗∗
---------------------------------------------
Vendor: ads-tec Industrial IT GmbH
Product name: IRF1000, IRF2000, IRF3000
CVE Numbers: CVE-2014-3669, CVE-2014-8142, CVE-2014-9425, CVE-2015-0231, CVE-2015-2348, CVE-2015-2787, CVE-2015-3414, CVE-2015-3415, CVE-2015-4602, CVE-2015-6835, CVE-2015-8876, CVE-2016-10161, CVE-2016-7124, CVE-2016-7411, CVE-2016-9138, CVE-2017-11142, CVE-2017-12933, CVE-2017-8923
CVSS Score: up to 9.8
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-009/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Mageia (avahi, git, imagemagick, libfastjson, libxml2, parcellite, and virtualbox), SUSE (containerd, dnsmasq, ffmpeg, git, indent, installation-images, java-17-openjdk, maven and recommended update for antlr3, minlog, sbt, xmvn, ncurses, netty, netty-tcnative, openssl-1_0_0, python-Django1, redis, shim, terraform-provider-helm, and zstd), and Ubuntu (erlang, mysql-5.7, mysql-8.0, ruby2.3, ruby2.5, ruby2.7, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/931259/
∗∗∗ 3 vulnerabilities discovered in MS Azure API Management ∗∗∗
---------------------------------------------
Security researchers at the Israeli security vendor Ermetic have discovered three vulnerabilities in Microsoft's Azure API Management. Two SSRF (server-side request forgery) vulnerabilities and an unrestricted file upload issue create risks for the Microsoft cloud environment. The vulnerabilities can be abused by malicious actors [...]
---------------------------------------------
https://www.borncity.com/blog/2023/05/06/3-schwachstellen-in-ms-azure-api-m…
∗∗∗ Multiple vulnerabilities in IBM Java SDK (January 2023) affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988347
∗∗∗ Security Vulnerabilities in IBM WebSphere Liberty and xml2js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988603
∗∗∗ Vulnerability in Jettison affects IBM Process Mining. CVE-2023-1436 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988673
∗∗∗ Vulnerabilities have been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24966, CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988885
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable dom4j-1.6.1.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988889
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988899
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988895
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988893
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xmlbeans-2.3.0.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988897
∗∗∗ Vulnerability in paramiko affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-24302] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988909
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-05-2023 18:00 − Friday 05-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ What is XML-RPC? Security Risks & How to Disable ∗∗∗
---------------------------------------------
In this article, we will discuss what xmlrpc.php is, why disabling it can improve your website’s security, and how to determine if it’s currently active on your WordPress site.
---------------------------------------------
https://blog.sucuri.net/2023/05/what-is-xml-rpc-security-risks-how-to-disab…
∗∗∗ Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads ∗∗∗
---------------------------------------------
The list of the offending apps is as follows:
- Beauty Camera Plus
- Beauty Photo Camera
- Beauty Slimming Photo Editor
- Fingertip Graffiti
- GIF Camera Editor
- HD 4K Wallpaper
- Impressionism Pro Camera
- Microclip Video Editor
- Night Mode Camera Pro
- Photo Camera Editor
- Photo Effect Editor
---------------------------------------------
https://thehackernews.com/2023/05/fleckpe-android-malware-sneaks-onto.html
∗∗∗ Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Compromised ∗∗∗
---------------------------------------------
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," [..]
---------------------------------------------
https://thehackernews.com/2023/05/packagist-repository-hacked-over-dozen.ht…
∗∗∗ An overview of the OSI model and its security threats ∗∗∗
---------------------------------------------
The OSI model is a representation of how communications between devices occur. The conceptual model makes it easier to understand how data is transmitted. In its complex process, threat actors have found ways to exploit and compromise systems. It is very important to identify the kind of attacks and vulnerabilities available on each layer and implement proper defense strategies to protect a network.
---------------------------------------------
https://www.tripwire.com/state-of-security/overview-osi-model-and-its-secur…
∗∗∗ "Login with new device": Criminals send personalized e-mail in the name of BAWAG ∗∗∗
---------------------------------------------
Criminals are currently sending fraudulent messages in the name of BAWAG. The e-mails are personalized and therefore particularly credible. You are addressed not by your name, but by your e-mail address. In the message, the criminals claim that your account was accessed from a new device.
---------------------------------------------
https://www.watchlist-internet.at/news/login-mit-neuem-geraet-kriminelle-ve…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-547: (0Day) Linux Kernel IPv6 RPL Protocol Reachable Assertion Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-547/
∗∗∗ Sante DICOM Viewer Vulnerabilities ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-523/
https://www.zerodayinitiative.com/advisories/ZDI-23-524/
https://www.zerodayinitiative.com/advisories/ZDI-23-525/
https://www.zerodayinitiative.com/advisories/ZDI-23-526/
https://www.zerodayinitiative.com/advisories/ZDI-23-527/
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Synology-SA-23:04 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to inject SQL commands via a susceptible version of Synology VPN Plus Server. Affected Products: VPN Plus Server for SRM 1.3, VPN Plus Server for SRM 1.2
---------------------------------------------
https://www.synology.com/en-global/security/advisory/Synology_SA_23_04
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Elastic Storage System, IBM Spectrum Scale, IBM Maximo Application Suite, IBM Cognos Command Center, AIX, IBMid, IBM SAN Volume Controller, IBM CICS TX, IBM PowerVM Novalink, IBM Process Mining, IBM Cognos Analytics, IBM Planning Analytics.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, evolution, and odoo), Fedora (java-11-openjdk), Oracle (samba), Red Hat (libreswan and samba), Slackware (libssh), SUSE (amazon-ssm-agent, apache2-mod_auth_openidc, cmark, containerd, editorconfig-core-c, ffmpeg, go1.20, harfbuzz, helm, java-11-openjdk, java-1_8_0-ibm, liblouis, podman, and vim), and Ubuntu (linux-aws, linux-aws-hwe, linux-intel-iotg, and linux-oem-6.1).
---------------------------------------------
https://lwn.net/Articles/931050/
∗∗∗ K000134469 : MySQL vulnerability CVE-2023-21963 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134469
∗∗∗ Spring Cloud Data Flow 2.10.3 Released ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/05/05/spring-cloud-data-flow-2-10-3-released
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-05-2023 18:00 − Thursday 04-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Windows admins can now sign up for ‘known issue’ email alerts ∗∗∗
---------------------------------------------
Microsoft announced today that Windows admins can now choose to be emailed when new known issues are added to the Windows release health section of the Microsoft 365 admin center.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-admins-can-now-sign…
∗∗∗ Infostealer Embedded in a Word Document, (Thu, May 4th) ∗∗∗
---------------------------------------------
When attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the “yellow ribbon” on top of the document. Yesterday I found a malicious document that implements another approach.
---------------------------------------------
https://isc.sans.edu/diary/rss/29810
∗∗∗ How to Analyze Java Malware – A Case Study of STRRAT ∗∗∗
---------------------------------------------
STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The JAR file was obfuscated using the Allatori obfuscator. It establishes persistence on the host by copying to the Startup folder and creating a scheduled task and a Run registry entry. The functionalities of the implemented commands include: reboot the machine, uninstall the malware and delete all its traces, download and execute files [..]
---------------------------------------------
https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-…
=====================
= Vulnerabilities =
=====================
∗∗∗ S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014 ∗∗∗
---------------------------------------------
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-014
∗∗∗ Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Fortinet Patch Day: Attackers could execute their own commands ∗∗∗
---------------------------------------------
Important security updates are available for various Fortinet products. None of the vulnerabilities is rated critical.
---------------------------------------------
https://heise.de/-8986618
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python-sentry-sdk) and Ubuntu (python-django and ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/930903/
∗∗∗ Malicious IKEv1 packet by unauthenticated peer can cause libreswan to restart ∗∗∗
---------------------------------------------
The Libreswan Project was notified by github user "XU-huai" of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.
---------------------------------------------
https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
∗∗∗ Apple: Beats Firmware Update 5B66 ∗∗∗
---------------------------------------------
http://support.apple.com/kb/HT213752
∗∗∗ Apple: AirPods Firmware Update 5E133 ∗∗∗
---------------------------------------------
http://support.apple.com/kb/HT213752
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression security vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988109
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) cfx-core security vulnerabilities CVE-2022-46363, CVE-2022-46364 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988115
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) woodstox/XStream security vulnerability CVE-2022-40152 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988117
∗∗∗ IBM InfoSphere Information Server is affected but not classified as vulnerable to a denial of service vulnerability in NumPy (CVE-2021-34141) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988125
∗∗∗ A vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988293
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988295
∗∗∗ IBM Virtualization Engine TS7700 is vulnerable to a privilege escalation threat (CVE-2023-24958) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980845
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression/spring-core security vulnerability [CVE-2023-20863] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988341
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988351
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-05-2023 18:00 − Wednesday 03-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Firmware TPM: faulTPM cracks AMD CPUs after three hours of local access ∗∗∗
---------------------------------------------
TPMs are meant to protect secrets such as cryptographic keys. IT researchers have now used "faulTPM" to gain unauthorized access to AMD's firmware TPM.
---------------------------------------------
https://heise.de/-8985704
∗∗∗ OpenCore: Apple's first security measure causes problems for patched Macs ∗∗∗
---------------------------------------------
Macs updated to macOS Ventura with OpenCore may no longer boot after installing Apple's latest update. There is a workaround.
---------------------------------------------
https://heise.de/-8986252
∗∗∗ Exploitation of BGP Implementation Vulnerabilities Can Lead to Disruptions ∗∗∗
---------------------------------------------
Open source BGP implementation FRRouting is affected by three vulnerabilities that can be exploited to cause disruption via DoS attacks.
---------------------------------------------
https://www.securityweek.com/exploitation-of-bgp-implementation-vulnerabili…
∗∗∗ Fraudulent advertising on the Microsoft Edge start page! ∗∗∗
---------------------------------------------
Anyone who uses Microsoft Windows automatically also gets the Edge browser for surfing the Internet. In addition to search via Bing, the start page offers a listing of numerous news articles, with advertisements mixed in among them. A closer look at the ads shows that almost all of the ad placements lead to trading fraud or other dubious sites. Caution!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-werbung-auf-microsoft…
∗∗∗ CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows DHCPv6 Service. This bug was originally discovered by YanZiShuang@BigCJTeam of cyberkl. The vulnerability results from the improper processing of DHCPv6 Relay-forward messages. A network-adjacent attacker can leverage this vulnerability to execute code [...]
---------------------------------------------
https://www.thezdi.com/blog/2023/5/1/cve-2023-28231-rce-in-the-microsoft-wi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome 113: Security update for the web browser ∗∗∗
---------------------------------------------
The developers have fixed a total of 15 vulnerabilities in Google Chrome 113. They announce that the lock icon will be replaced in the future.
---------------------------------------------
https://heise.de/-8985368
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (avahi, kernel, linux-5.10, nodejs, webkit2gtk, and wpewebkit), Gentoo (chromium, google-chrome, microsoft-edge, dbus, dbus-broker, dhcp, firefox, firejail-lts, libapreq2, libsdl, libsdl2, lua, proftpd, python, PyPy3, sudo, syslog-ng, systemd, tor, uptimed, vim, and xfce4-settings), Oracle (emacs and libwebp), Red Hat (libwebp), Scientific Linux (libwebp), and SUSE (ceph, ffmpeg-4, git, pdns-recursor, and shim).
---------------------------------------------
https://lwn.net/Articles/930775/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000132719 : BIG-IQ iControl REST vulnerability CVE-2023-29240 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132719
∗∗∗ K000133417 : NGINX Management Suite vulnerability CVE-2023-28656 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133417
∗∗∗ K000132522 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-22372 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132522
∗∗∗ K000133132 : BIG-IP TMM SSL vulnerability CVE-2023-24594 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133132
∗∗∗ K000132768 : BIG-IP Configuration utility vulnerability CVE-2023-28406 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132768
∗∗∗ K000132972 : BIG-IP iQuery mesh vulnerability CVE-2023-28742 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132972
∗∗∗ K000132726 : BIG-IP Configuration utility XSS vulnerability CVE-2023-27378 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132726
∗∗∗ K000133233 : NGINX Management Suite vulnerability CVE-2023-28724 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133233
∗∗∗ K000132539 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-24461 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132539
∗∗∗ K20145107 : BIG-IP UDP profile vulnerability CVE-2023-29163 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K20145107?
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-04-2023 18:00 − Tuesday 02-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers target vulnerable Veeam backup servers exposed online ∗∗∗
---------------------------------------------
Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-ve…
∗∗∗ New LOBSHOT malware gives hackers hidden VNC access to Windows devices ∗∗∗
---------------------------------------------
A new malware known as LOBSHOT distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-ha…
∗∗∗ Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.
---------------------------------------------
https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html
∗∗∗ trawler: Dredging Windows for Persistence ∗∗∗
---------------------------------------------
Trawler is a PowerShell script designed to help Incident Responders discover potential indicators of compromise on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more.
---------------------------------------------
https://github.com/joeavanzato/Trawler
∗∗∗ Attacks on vulnerabilities in TP-Link Archer, Apache Log4j2 and Oracle Weblogic ∗∗∗
---------------------------------------------
Attackers are exploiting security vulnerabilities in TP-Link Archer, Apache Log4j2 and Oracle Weblogic to gain access to victims' networks.
---------------------------------------------
https://heise.de/-8984237
∗∗∗ Medical devices: Warning of critical security vulnerability in Illumina software ∗∗∗
---------------------------------------------
The US IT security agency CISA warns of critical security vulnerabilities in Illumina's medical devices. Attackers could take control.
---------------------------------------------
https://heise.de/-8983960
∗∗∗ Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes ∗∗∗
---------------------------------------------
Fortinet warns of a massive spike in malicious attacks targeting a five-year-old authentication bypass vulnerability in TBK DVR devices.
---------------------------------------------
https://www.securityweek.com/exploitation-of-5-year-old-tbk-dvr-vulnerabili…
∗∗∗ Critical Infrastructure Organizations Urged to Identify Risky Communications Equipment ∗∗∗
---------------------------------------------
CISA urges organizations to review FCC’s Covered List of risky communications equipment and incorporate it in their supply chain risk management efforts.
---------------------------------------------
https://www.securityweek.com/critical-infrastructure-organizations-urged-to…
∗∗∗ Webinar: Using online research tools properly ∗∗∗
---------------------------------------------
How can I use Google, as well as other search engines, properly? What other research tools and search methods are there? In this webinar we show you what good, efficient online research can look like. Participation is free: Tuesday, 9 May 2023, 18:30 - 20:00 via Zoom.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-recherchetools-im-internet-r…
∗∗∗ Online shopping: Do not pay with the PayPal function “Send money to a friend” ∗∗∗
---------------------------------------------
Fake shops have recently started abusing the PayPal function “Send money to friends and family”. The criminals behind the fake shops create PayPal.Me payment links. Through small adjustments made by the criminals, the purchase amount is stored there and the payment type “Send money to a friend” is preselected. If you pay with this payment type, buyer protection does not apply. Your money is then gone and cannot be recovered.
---------------------------------------------
https://www.watchlist-internet.at/news/online-shopping-bezahlen-sie-nicht-m…
∗∗∗ Apple releases “Rapid Security Response” for iOS, iPadOS and macOS ∗∗∗
---------------------------------------------
The new update method significantly shortens the installation process. With Rapid Security Responses, Apple intends to eliminate threats such as zero-day vulnerabilities more quickly in future.
---------------------------------------------
https://www.zdnet.de/88408872/apple-veroeffentlicht-schnelle-sicherheitsmas…
∗∗∗ Enforce Zero Trust in Microsoft 365 – Part 1: Setting the basics ∗∗∗
---------------------------------------------
This first blog post is part of a series of blog posts related to the implementation of a Zero Trust approach in Microsoft 365. This series will first cover the basics and then deep dive into the different features such as Azure Active Directory (Azure AD) Conditional Access policies, Microsoft Defender for Cloud Apps policies, Information Protection and Microsoft Endpoint Manager, to only cite a few.
---------------------------------------------
https://blog.nviso.eu/2023/05/02/enforce-zero-trust-in-microsoft-365-part-1…
∗∗∗ CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers.
---------------------------------------------
https://asec.ahnlab.com/en/51908/
∗∗∗ A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors ∗∗∗
---------------------------------------------
Two pillars in sleight of hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, the trick needs to be concealed behind something ordinary and nonthreatening. Mandiant became aware of a chain of adversary methodologies that leverage these two pillars to achieve persistence.
---------------------------------------------
https://www.mandiant.com/resources/blog/lnk-between-browsers
=====================
= Vulnerabilities =
=====================
∗∗∗ Wireshark 4.0.5 Released, (Sat, Apr 29th) ∗∗∗
---------------------------------------------
Wireshark version 4.0.5 was released with 11 bugs and 3 vulnerabilities fixed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29790
∗∗∗ Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking ∗∗∗
---------------------------------------------
This article discusses a vulnerability with Azure DevOps that can be exploited by users able to run pipelines with user-controlled variables. The vulnerability allows malicious users with access to edit runtime parameter values to inject shell commands that execute on the pipeline runner. This can compromise the runner and allow access to sensitive information such as secrets used for deployments and Azure service principal credentials.
---------------------------------------------
https://pulsesecurity.co.nz/advisories/Azure-Devops-Command-Injection
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (distro-info-data, ffmpeg, jackson-databind, jruby, libapache2-mod-auth-openidc, libxml2, openvswitch, sniproxy, and wireshark), Fedora (git, libsignal-protocol-c, php-nyholm-psr7, python-setuptools, rust-askama, rust-askama_shared, rust-comrak, thunderbird, and webkitgtk), SUSE (git, glib2, shadow, thunderbird, and webkit2gtk3), and Ubuntu (Apache Commons Net, git, linux-azure-5.15, linux-azure-fde, linux-kvm, linux-ibm-5.4, linux-snapdragon, netty, and ZenLib).
---------------------------------------------
https://lwn.net/Articles/930588/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), Fedora (chromium), Red Hat (emacs and libwebp), Slackware (netatalk), and Ubuntu (php7.0).
---------------------------------------------
https://lwn.net/Articles/930649/
∗∗∗ IBM Security Bulletins 2023-04-28 - 2023-05-02 ∗∗∗
---------------------------------------------
IBM Engineering Test Management, IBM Spectrum Scale, IBM DataPower Gateway, IBM i, Rational ClearQuest, IBM Business Automation Workflow, IBM Business Automation Workflow Enterprise Service Bus, IBM Case Manager, BladeCenter, PureFlex System and Flex System, System x, IBM Maximo, IBM Control Desk, Db2 for Linux, UNIX and Windows, IBM Robotic Process Automation, Tivoli Business Service Manager, Content Manager Client, IBM Sterling Secure Proxy, IBM App Connect Enterprise, IBM Security Key Lifecycle Manager, IBM MQ, IBM MQ Appliance, Tivoli Application Dependency Discovery Manager, IBM Cloud Pak, IBM InfoSphere Information, WebSphere Remote Server, IBM Workload Scheduler.
---------------------------------------------
∗∗∗ ZDI-23-503: (Pwn2Own) NETGEAR RAX30 logCtrl Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-503/
∗∗∗ ZDI-23-502: (Pwn2Own) NETGEAR RAX30 SOAP Request SQL Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-502/
∗∗∗ ZDI-23-501: (Pwn2Own) NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-501/
∗∗∗ ZDI-23-496: NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-496/
∗∗∗ ZDI-23-495: NETGEAR RAX30 rex_cgi JSON Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-495/
∗∗∗ Android Security Bulletin – May 2023 ∗∗∗
---------------------------------------------
https://source.android.com/docs/security/bulletin/2023-05-01?hl=de
∗∗∗ F5: K000133706 : OpenSSL vulnerability CVE-2023-0464 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133706
∗∗∗ F5: K000133615 : device-mapper-multipath vulnerability CVE-2022-41974 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133615
∗∗∗ F5: K000133753 : PHP vulnerability CVE-2023-0662 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133753
∗∗∗ Securing Databricks cluster init scripts ∗∗∗
---------------------------------------------
https://sec-consult.com/blog/detail/securing-databricks-cluster-init-script…
∗∗∗ Vulnerabilities in the Autodesk® 3ds Max® USD plugin ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0008
∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-122-01
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NBG6604 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for multiple vulnerabilities in NBG-418N v2 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-04-2023 18:00 − Friday 28-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CISA warns of critical bugs in Illumina DNA sequencing systems ∗∗∗
---------------------------------------------
The U.S. Cybersecurity Infrastructure Security Agency (CISA) and the FDA have issued an urgent alert about two vulnerabilities that impact Illumina's Universal Copy Service (UCS), used for DNA sequencing in medical facilities and labs worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-bugs-…
∗∗∗ Quick IOC Scan With Docker, (Fri, Apr 28th) ∗∗∗
---------------------------------------------
When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content.
---------------------------------------------
https://isc.sans.edu/diary/rss/29788
∗∗∗ WordPress Vulnerability & Patch Roundup April 2023 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/04/wordpress-vulnerability-patch-roundup-april…
∗∗∗ Attention Online Shoppers: Don't Be Fooled by Their Sleek, Modern Looks — It's Magecart! ∗∗∗
---------------------------------------------
An ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
---------------------------------------------
https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html
∗∗∗ New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets ∗∗∗
---------------------------------------------
Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and [...]
---------------------------------------------
https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.h…
∗∗∗ Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707) ∗∗∗
---------------------------------------------
While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI.
---------------------------------------------
https://starlabs.sg/blog/2023/04-microsoft-exchange-powershell-remoting-des…
∗∗∗ Many Public Salesforce Sites are Leaking Private Data ∗∗∗
---------------------------------------------
A shocking number of organizations -- including banks and healthcare providers -- are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.
---------------------------------------------
https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leakin…
∗∗∗ Rapture, a Ransomware Family With Similarities to Paradise ∗∗∗
---------------------------------------------
In March and April 2023, we observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. Our findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Grafana: Update closes high-risk vulnerability in data visualization tool ∗∗∗
---------------------------------------------
Grafana has released updates for numerous version branches. Among other things, they close a denial-of-service vulnerability that is rated high-risk.
---------------------------------------------
https://heise.de/-8981605
∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗
---------------------------------------------
LTS-108 is being updated in the LTS channel to 108.0.5359.230 (Platform Version: 15183.93.0) for most ChromeOS devices. [...] This update contains multiple Security fixes [...]
---------------------------------------------
https://chromereleases.googleblog.com/2023/04/long-term-support-channel-upd…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (git, libpcap, php-laminas-diactoros2, php-nyholm-psr7, tcpdump, and xen), Oracle (cloud-init), Scientific Linux (kernel), SUSE (conmon, docker, glib2, glibc, libmicrohttpd, libX11, liferea, python3, qemu, rubygem-actionview-5_1, s390-tools, stellarium, vim, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 and openssl-ibmca).
---------------------------------------------
https://lwn.net/Articles/930462/
∗∗∗ Use of Telnet in the interface module SLC-0-GPNT00300 ∗∗∗
---------------------------------------------
BOSCH-SA-387640: The SLC-0-GPNT00300 from Bosch Rexroth contains technology from SICK AG. The manufacturer has published a security bulletin [1] regarding the availability of a Telnet interface for debugging. The SLC-0-GPNT00300 provides a Telnet interface for debugging, which is enabled by factory default. No password is set in the default configuration. If the password is not set by the customer, a remote unauthorized adversary could connect via Telnet.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-387640.html
∗∗∗ SonicOS SSLVPN: Vulnerability CVE-2023-1101 in MFA – new firmware for Gen6 firewalls (6.5.4.12-101n) ∗∗∗
---------------------------------------------
A quick reminder for administrators who use SonicWall products. SonicOS SSLVPN contains a critical vulnerability that allows an authenticated attacker to use excessive MFA codes. From SonicWall, the vulnerability CVE-2023-1101 has [...]
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/sonicos-sslvpn-schwachstelle-cve-2…
∗∗∗ Illumina Universal Copy Service ∗∗∗
---------------------------------------------
[...] Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; [...]
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-04-2023 18:00 − Thursday 27-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Google disrupts the CryptBot info-stealing malware operation ∗∗∗
---------------------------------------------
Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot…
∗∗∗ Cisco discloses XSS zero-day flaw in server management tool ∗∗∗
---------------------------------------------
Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day…
∗∗∗ LimeRAT Malware Analysis: Extracting the Config ∗∗∗
---------------------------------------------
ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis.
---------------------------------------------
https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html
∗∗∗ Healthy security habits to fight credential breaches: Cyberattack Series ∗∗∗
---------------------------------------------
This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we’ll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/04/26/healthy-security-h…
∗∗∗ Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware ∗∗∗
---------------------------------------------
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp.
---------------------------------------------
https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html
∗∗∗ RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts ∗∗∗
---------------------------------------------
The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system.
---------------------------------------------
https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html
∗∗∗ LUKS: Old encrypted containers insecure? A guide to updates ∗∗∗
---------------------------------------------
French police were reportedly able to crack a LUKS container. No reason to panic, but an occasion to question passwords and LUKS parameters.
---------------------------------------------
https://heise.de/-8981054
∗∗∗ State of DNS Rebinding in 2023 ∗∗∗
---------------------------------------------
This update documents the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two potential ways to bypass these restrictions.
---------------------------------------------
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
∗∗∗ Bringing IT & OT Security Together: Part 1 ∗∗∗
---------------------------------------------
Learn about the evolution of converged IT/OT environments and the impact on security control validation in this new blog series.
---------------------------------------------
https://www.safebreach.com/resources/blog/bringing-it-and-ot-security-toget…
=====================
= Vulnerabilities =
=====================
∗∗∗ Online shop system PrestaShop: Attackers could manipulate the database ∗∗∗
---------------------------------------------
A critical security vulnerability threatens online shops built with PrestaShop. Patched versions are available.
---------------------------------------------
https://heise.de/-8980645
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/930367/
∗∗∗ Apache Superset: Vulnerability CVE-2023-27524 enables Remote Code Execution (RCE) ∗∗∗
---------------------------------------------
A brief note for users who run Apache Superset in their environment. In the default configuration there is the problem that the software can be attacked via a remote code execution vulnerability. This becomes a problem when the server is reachable from the Internet.
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/apache-superset-schwachstelle-cve-…
∗∗∗ F5: K000133673 : Bootstrap vulnerability CVE-2016-10735 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133673
∗∗∗ F5: K000133652 : Python vulnerability CVE-2018-18074 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133652
∗∗∗ F5: K000133448 : Python urllib3 vulnerability CVE-2019-11324 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133448
∗∗∗ F5: K000133668 : Python urllib3 vulnerability CVE-2018-20060 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133668
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986343
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986341
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986361
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986365
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985675
∗∗∗ IBM Integration Designer is vulnerable to a denial of service due to commons-fileupload-1.4.jar (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986509
∗∗∗ Vulnerability in libXpm (CVE-2022-4883, CVE-2022-44617 and CVE-2022-46285) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986543
∗∗∗ Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986547
∗∗∗ Multiple publicly disclosed Libcurl vulnerabilities affect IBM Safer Payments ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986573
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to [CVE-2022-37601] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986575
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986577
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986323
∗∗∗ Multiple vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986585
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986619
∗∗∗ Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986617
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29017] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986625
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986629
∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986627
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-04-2023 18:00 − Wednesday 26-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Never Connect to RDP Servers Over Untrusted Networks ∗∗∗
---------------------------------------------
In this article, we will demonstrate why connecting using the Remote Desktop Protocol (RDP) must be avoided on untrusted networks like in hotels, conferences, or public Wi-Fi. Protecting the connection with a VPN or a Remote Desktop Gateway is the only safe alternative.
---------------------------------------------
https://www.gosecure.net/blog/2023/04/26/never-connect-to-rdp-servers-over-…
∗∗∗ So you think you can block Macros? ∗∗∗
---------------------------------------------
For the purpose of securing Microsoft Office installs we see many of our customers moving to a macro signing strategy. Furthermore, Microsoft is trying to battle macro malware by enforcing Mark-of-the-Web (MotW) control on macro-enabled documents. In this blog we will dive into some of the quirks of Microsoft Office macro security, various commonly used configuration options and their bypasses.
---------------------------------------------
https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/
∗∗∗ Google Authenticator: Warning - backup of the secret "seed" in plaintext ∗∗∗
---------------------------------------------
Google has given Authenticator a backup of the secrets needed to generate the one-time passwords. However, Google receives this data in plaintext.
---------------------------------------------
https://heise.de/-8979932
∗∗∗ VMware Workstation and Fusion: Vendor patches critical zero-day vulnerability ∗∗∗
---------------------------------------------
VMware is patching security vulnerabilities, some of them critical, in Workstation and Fusion. Because they were demonstrated at the Pwn2Own conference, they are zero-days.
---------------------------------------------
https://heise.de/-8979106
∗∗∗ GuLoader returns with a rotten shipment ∗∗∗
---------------------------------------------
We take a look at a GuLoader campaign which comes bundled with an Italian language fake shipment email.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rott…
∗∗∗ How to stay up to date with Watchlist Internet! ∗∗∗
---------------------------------------------
Watchlist Internet's range of services is growing steadily: we give you an overview of how to stay up to date with us on internet fraud, which services you can find where, and which channels we are present on.
---------------------------------------------
https://www.watchlist-internet.at/news/so-bleiben-sie-mit-der-watchlist-int…
∗∗∗ Hackers attack critical vulnerability in PaperCut printing software ∗∗∗
---------------------------------------------
They can take control of a PaperCut server. In addition, sample code for an exploit is now publicly available.
---------------------------------------------
https://www.zdnet.de/88408703/hacker-greifen-kritische-sicherheitsluecke-in…
∗∗∗ Attackers Use Containers for Profit via TrafficStealer ∗∗∗
---------------------------------------------
We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0008 ∗∗∗
---------------------------------------------
VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0).
---------------------------------------------
https://lwn.net/Articles/930258/
∗∗∗ Insecure authentication in B420 legacy communication module ∗∗∗
---------------------------------------------
BOSCH-SA-341298-BT: An authentication vulnerability was found in the B420 Ethernet communication module from Bosch Security Systems. This is a legacy product which is currently obsolete and was announced to reach End of Life (EoL) in 2013. The B420 was last sold in July 2013 and was replaced by the B426. An EoL notice was provided to customers.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-341298-bt.html
∗∗∗ Scada-LTS Third Party Component ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02
∗∗∗ Keysight N8844A Data Analytics Web Service ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could lead to remote code execution.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-…
∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in Huawei HiLink AI Life Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvihha…
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-…
∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahp…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-04-2023 18:00 − Tuesday 25-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Intel CPUs vulnerable to new transient execution side-channel attack ∗∗∗
---------------------------------------------
A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new…
∗∗∗ New .NET Malware “WhiteSnake” Targets Python Developers, Uses Tor for C&C Communication ∗∗∗
---------------------------------------------
The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks. Our team identified 22 malicious packages, containing the same payload, targeting both Windows and Linux systems[...]
---------------------------------------------
https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c…
∗∗∗ Release of a Technical Report into Intel Trust Domain Extensions ∗∗∗
---------------------------------------------
Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intel's Trust Domain Extensions (TDX). [...] The result of the review was the discovery of 10 confirmed security vulnerabilities which were fixed before the final release of products with the TDX feature. The final report highlights the most interesting of these issues and provides an overview of the feature's architecture. 5 additional areas were identified for defense-in-depth changes [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-…
∗∗∗ New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) ∗∗∗
---------------------------------------------
Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.
---------------------------------------------
https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-2955…
∗∗∗ PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published ∗∗∗
---------------------------------------------
The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users.
---------------------------------------------
https://securityonline.info/poc-for-pre-auth-rce-in-sophos-web-appliance-cv…
∗∗∗ Attackers are logging in instead of breaking in ∗∗∗
---------------------------------------------
Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data, analyzed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 “Living off the Land” binaries (LOLBins). Unlike malware, LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity.
---------------------------------------------
https://www.helpnetsecurity.com/2023/04/25/attacks-dwell-time/
∗∗∗ Fake Facebook page of Tiergarten Schönbrunn spreads fake prize draw ∗∗∗
---------------------------------------------
The fake Facebook page "ZooPark Wien" is spreading a fraudulent prize draw. The post raffles off 4 admission tickets. Participants only have to comment on the post with "Alles Gute zum Geburtstag" ("Happy birthday"). With this prize draw, however, criminals are trying to obtain your credit card details and lure you into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-facebook-seite-vom-tierg…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution ∗∗∗
---------------------------------------------
Apache Superset is an open source data visualization and exploration tool. [...] there are more than 3000 instances of it exposed to the Internet. [...] at least 2000 (two-thirds of all servers) – are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.
---------------------------------------------
https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-ap…
∗∗∗ Xen Security Advisory CVE-2022-42335 / XSA-430 - x86 shadow paging arbitrary pointer dereference ∗∗∗
---------------------------------------------
Guests running in shadow mode and having a PCI device passed through may be able to cause Denial of Service and other problems; escalation of privilege cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-430.html
∗∗∗ Zyxel fixes vulnerabilities, some of them critical, in firewalls and access points ∗∗∗
---------------------------------------------
Zyxel has issued warnings about security vulnerabilities in firewalls and access points. Firmware updates that close the holes are available.
---------------------------------------------
https://heise.de/-8977831
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, ovmf, and protobuf-c).
---------------------------------------------
https://lwn.net/Articles/930128/
∗∗∗ WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN00971105/
∗∗∗ ZDI-23-458: SolarWinds Network Performance Monitor TFTP Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-458/
∗∗∗ ZDI-23-457: SolarWinds Network Performance Monitor ExecuteExternalProgram Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-457/
∗∗∗ F5: K000133630 : Intel processor vulnerability CVE-2022-26343 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133630
∗∗∗ F5: K000133633 : Intel BIOS firmware vulnerability CVE-2022-32231 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133633
∗∗∗ Multiple Vulnerabilities Patched in Shield Security ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-…
∗∗∗ Belden: 2022-26 Multiple libexpat vulnerabilities in HiOS, Classic, HiSecOS, Wireless BAT-C2, Lite Managed, Edge ∗∗∗
---------------------------------------------
https://assets.belden.com/m/6f2d4e1f6bbaeb54/original/BSECV-2022-26.pdf
∗∗∗ Belden: 2022-29 strongSwan: integer overflow when replacing certificates in cache ∗∗∗
---------------------------------------------
https://assets.belden.com/m/25e4130e915c61a1/original/Belden_Security_Bulle…
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202304.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-18
∗∗∗ Nextcloud: Missing brute force protection for passwords of password protected share links ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r…
∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985649
∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985651
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985667
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when an Out of Memory occurs. (CVE-2023-26022) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985669
∗∗∗ IBM® Db2® is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985677
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985681
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985683
∗∗∗ IBM® Db2® is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985687
∗∗∗ IBM® Db2® is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance. (CVE-2023-29257) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985691
∗∗∗ IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2023-27860) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985679
∗∗∗ Multiple vulnerabilities affect IBM Db2® Graph ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985689
∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to IBM HTTP Server (CVE-2023-26281) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985851
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984347
∗∗∗ IBM Safer Payments is vulnerable to OpenSSL Denial of Service Attack (CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985865
∗∗∗ TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985905
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-04-2023 18:00 − Monday 24-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Decoy Dog malware toolkit found after analyzing 70 billion DNS queries ∗∗∗
---------------------------------------------
A new enterprise-targeting malware toolkit called Decoy Dog has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-fo…
∗∗∗ Open Source: Deleted curl instance breaks Windows updates ∗∗∗
---------------------------------------------
Even when security scanners warn about unpatched software, Windows system components such as curl should not be tampered with.
---------------------------------------------
https://www.golem.de/news/open-source-geloeschte-curl-instanz-zerschiesst-w…
∗∗∗ New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web ∗∗∗
---------------------------------------------
A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said.
---------------------------------------------
https://thehackernews.com/2023/04/new-all-in-one-evilextractor-stealer.html
∗∗∗ XWorm RAT: Avira security experts warn of malware ∗∗∗
---------------------------------------------
Security experts at Avira are warning about the XWorm RAT malware.
---------------------------------------------
https://heise.de/-8976282
∗∗∗ "Emergency start" via CAN bus hack: Old Nokia phone enables car theft at the click of a button ∗∗∗
---------------------------------------------
The recently demonstrated CAN injection attack on the Controller Area Network bus system is spreading further. More and more "emergency start" kits are appearing.
---------------------------------------------
https://heise.de/-8976444
∗∗∗ Bumblebee malware: Hunting for victims with malvertising for trojanized installers ∗∗∗
---------------------------------------------
IT researchers have discovered trojanized installers for professional software. These are reportedly promoted through malvertising and contain the Bumblebee malware.
---------------------------------------------
https://heise.de/-8977016
∗∗∗ Fake shops for car tires are booming ∗∗∗
---------------------------------------------
Are you searching online for cheap car tires? Take a close look at the online shop, as countless fake shops are in circulation! The fraudulent shops look very professional, have a legal notice (Impressum) and unbeatable prices. We show you how to check shops.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-fuer-autoreifen-boomen/
∗∗∗ TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal ∗∗∗
---------------------------------------------
Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451.
---------------------------------------------
https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-20…
∗∗∗ Updates and Timeline for 3CX and X_Trader Hacks ∗∗∗
---------------------------------------------
Mandiant revealed this week that the hack of 3CX was actually a double supply-chain hack that first involved hacking and compromising another company's software. Here's a timeline of the events.
---------------------------------------------
https://zetter.substack.com/p/updates-and-timeline-for-3cx-and
∗∗∗ Almost two thirds of XIoT vulnerabilities remotely exploitable ∗∗∗
---------------------------------------------
In terms of security, we are probably heading for a disaster - I have had Claroty's State of XIoT Security Report: 2H 2022 for a few days now. It does show the positive effects of increased vulnerability research and higher vendor investment in XIoT security. But the message is also that the number of vulnerabilities discovered in this area has increased by 80 %. In addition, many XIoT vulnerabilities are remotely exploitable.
---------------------------------------------
https://www.borncity.com/blog/2023/04/23/knapp-zwei-drittel-der-xiot-schwac…
∗∗∗ ViperSoftX Updates Encryption, Steals Data ∗∗∗
---------------------------------------------
We observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious. We also noted more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryptio…
∗∗∗ Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries ∗∗∗
---------------------------------------------
What if you were told that you had a misconfigured registry with hundreds of millions of software artifacts containing highly confidential and sensitive proprietary code and secrets exposed in your environment right now? This would be what you’d call a really bad day for security. Recently, the Aqua Nautilus research team found just that in some of the world’s largest organizations, including five Fortune 500 companies.
---------------------------------------------
https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges ∗∗∗
---------------------------------------------
The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges.
---------------------------------------------
https://blog.talosintelligence.com/vuln-spotlight-ibm-aix-privilege-escalat…
∗∗∗ APC warns of critical unauthenticated RCE flaws in UPS software ∗∗∗
---------------------------------------------
APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disable their functionality altogether.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apc-warns-of-critical-unauth…
∗∗∗ Patch now! Attackers are targeting print management solution Papercut MF/NG ∗∗∗
---------------------------------------------
A critical vulnerability puts systems running Papercut at risk. Security updates are available.
---------------------------------------------
https://heise.de/-8976755
∗∗∗ Solarwinds update closes two high-risk vulnerabilities ∗∗∗
---------------------------------------------
Solarwinds is fixing several vulnerabilities with software updates, two of which are rated high-risk. IT administrators should update promptly.
---------------------------------------------
https://heise.de/-8976832
∗∗∗ Security patches: Attackers could target Nvidia Cuda, DGX-1 & Co. ∗∗∗
---------------------------------------------
Nvidia has released important security updates for various products. Admins should act quickly.
---------------------------------------------
https://heise.de/-8976961
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (389-ds-base, chromium, connman, curl, redis, and thunderbird), Fedora (ceph, doctl, dr_libs, ffmpeg, freeimage, golang-github-digitalocean-godo, insight, libreswan, mingw-binutils, mingw-freeimage, mingw-freetype, openvswitch, rnp, suricata, webkitgtk, and wireshark), Mageia (dnsmasq, emacs, openimageio, php-smarty, redis, squirrel/supertux, and tcpdump), Red Hat (emacs), and SUSE (avahi, chromium, dmidecode, indent, jettison, openssl, openstack-cinder, openstack-nova, python-oslo.utils, and ovmf).
---------------------------------------------
https://lwn.net/Articles/930052/
∗∗∗ Multiple Vulnerabilities in Autodesk® InfraWorks® Software ∗∗∗
---------------------------------------------
Autodesk® InfraWorks® has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Hotfixes are available in the Autodesk Desktop App or the Accounts Portal to help resolve these vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0007
∗∗∗ ZDI-23-451: (Pwn2Own) TP-Link Archer AX21 merge_country_config Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-451/
∗∗∗ ZDI-23-452: (Pwn2Own) TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-452/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-04-2023 18:00 − Friday 21-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victim's Google account.
---------------------------------------------
https://thehackernews.com/2023/04/ghosttoken-flaw-could-let-attackers.html
∗∗∗ Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining ∗∗∗
---------------------------------------------
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html
∗∗∗ VoIP provider 3CX: The double supply-chain attack ∗∗∗
---------------------------------------------
An analysis shows that the distribution of 3CX's compromised VoIP client traces back to a preceding supply-chain attack.
---------------------------------------------
https://heise.de/-8974948
∗∗∗ CVE-2022-29844: A Classic Buffer Overflow on the Western Digital My Cloud Pro Series PR4100 ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Luca Moro (@johncool__) during Pwn2Own Toronto 2022. At the contest, he used a classic buffer overflow to gain code execution on the My Cloud Pro Series PR4100 Network Attached Storage (NAS) device. He also displayed a nifty message on the device.
---------------------------------------------
https://www.zerodayinitiative.com/blog/2023/4/19/cve-2022-29844-a-classic-b…
∗∗∗ GitHub Announces New Security Improvements ∗∗∗
---------------------------------------------
GitHub this week introduced NPM package provenance and deployment protection rules and announced general availability of private vulnerability reporting.
---------------------------------------------
https://www.securityweek.com/github-announces-new-security-improvements/
∗∗∗ Abandoned WordPress Plugin Abused for Backdoor Deployment ∗∗∗
---------------------------------------------
Attackers are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject PHP code into web pages.
---------------------------------------------
https://www.securityweek.com/abandoned-wordpress-plugin-abused-for-backdoor…
∗∗∗ Online retailers beware: Criminals place fake orders and claw the money back via SEPA direct debit ∗∗∗
---------------------------------------------
Criminals are currently trying to get at online retailers' money with purported orders: they "accidentally" order too much and then demand that the retailer refund the amount already paid. At the same time, the fraudsters exploit the SEPA direct debit feature under which payment disputes raised within a certain period are accepted automatically.
---------------------------------------------
https://www.watchlist-internet.at/news/online-haendlerinnen-aufgepasst-krim…
=====================
= Vulnerabilities =
=====================
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0003 ∗∗∗
---------------------------------------------
CVE identifiers: CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0003.html
∗∗∗ VMSA-2023-0007 ∗∗∗
---------------------------------------------
VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0007.html
∗∗∗ OpenSSL: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255) ∗∗∗
---------------------------------------------
Severity: Low Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash.
---------------------------------------------
https://www.openssl.org/news/secadv/20230420.txt
∗∗∗ Critical flaws threaten Cisco Industrial Network Director and Modeling Labs ∗∗∗
---------------------------------------------
Important security updates are available for several Cisco products. Two vulnerabilities are rated critical.
---------------------------------------------
https://heise.de/-8975027
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf).
---------------------------------------------
https://lwn.net/Articles/929828/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-ex…
∗∗∗ IBM InfoSphere DataStage Flow Designer is vulnerable to Server-Side Request Forgery ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6509084
∗∗∗ Python is vulnerable to CVE-2022-26488 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985049
∗∗∗ iText.jar in Tom Sawyer Perspective is vulnerable to XML External Entity ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985225
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-04-2023 18:00 − Thursday 20-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Vulnerability allows thieves to take over iPhones ∗∗∗
---------------------------------------------
Criminals use a security flaw to gain access to their victims' Apple IDs.
---------------------------------------------
https://futurezone.at/produkte/schwachstelle-diebstahl-iphones-uebernehmen-…
∗∗∗ Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads ∗∗∗
---------------------------------------------
A new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. [..] Following responsible disclosure to Google, 36 of the 63 offending apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove the malicious library.
---------------------------------------------
https://thehackernews.com/2023/04/goldoson-android-malware-infects-over.html
∗∗∗ The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks ∗∗∗
---------------------------------------------
The mass compromise of the VoIP firm's customers is the first confirmed incident where one software supply chain attack enabled another, researchers say.
---------------------------------------------
https://www.wired.com/story/3cx-supply-chain-attack-times-two/
∗∗∗ ‘AuKill’ EDR killer malware abuses Process Explorer driver ∗∗∗
---------------------------------------------
The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
---------------------------------------------
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-p…
∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗
---------------------------------------------
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog post, we will show the other vulnerable functions we were able to exploit.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-nam…
∗∗∗ Increased attacks on Cisco routers and switches running Cisco IOS and IOS-XE ∗∗∗
---------------------------------------------
Several security agencies and Cisco itself warn of the increased exploitation of old vulnerabilities in Cisco IOS and IOS-XE.
---------------------------------------------
https://heise.de/-8973626
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023) ∗∗∗
---------------------------------------------
Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/04/wordfence-intelligence-weekly-wordpr…
∗∗∗ LockBit ransomware prepares attacks on Apple ∗∗∗
---------------------------------------------
Hackers have apparently developed their malware further and put a new variant into circulation that targets Apple computers.
---------------------------------------------
https://www.zdnet.de/88408574/lockbit-ransomware-bereitet-angriffe-auf-appl…
∗∗∗ CISA and Partners Release Cybersecurity Best Practices for Smart Cities ∗∗∗
---------------------------------------------
Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that—if exploited—could impact national security, economic security, public health and safety, and critical infrastructure operations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/19/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005 ∗∗∗
---------------------------------------------
Security risk: Moderately critical
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release.
---------------------------------------------
https://www.drupal.org/sa-core-2023-005
∗∗∗ Cisco Security Advisories Published on April 19, 2023 - 2 Critical, 2 High, 2 Medium ∗∗∗
---------------------------------------------
* StarOS Software Key-Based SSH Authentication Privilege Escalation Vulnerability
* SD-WAN vManage Software Arbitrary File Deletion Vulnerability
* TelePresence Collaboration Endpoint and RoomOS Arbitrary File Write Vulnerabilities
* Industrial Network Director Vulnerabilities
* Modeling Labs External Authentication Bypass Vulnerability
* BroadWorks Network Server TCP Denial of Service Vulnerability
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Several malicious-code flaws fixed in Foxit PDF ∗∗∗
---------------------------------------------
Anyone using Foxit PDF Reader or PDF Editor on Windows is vulnerable.
---------------------------------------------
https://heise.de/-8974063
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
The Stable and extended stable channel has been updated to 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and 112.0.5615.165 for Linux which will roll out over the coming days/weeks. [..] Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
---------------------------------------------
http://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desk…
∗∗∗ Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin ∗∗∗
---------------------------------------------
On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites.
---------------------------------------------
https://www.wordfence.com/blog/2023/04/blubrry-addresses-authenticated-stor…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-1.11), Fedora (chromium, golang-github-cenkalti-backoff, golang-github-cli-crypto, golang-github-cli-gh, golang-github-cli-oauth, golang-github-gabriel-vasile-mimetype, libpcap, lldpd, parcellite, tcpdump, thunderbird, and zchunk), Red Hat (java-11-openjdk, java-17-openjdk, and kernel), SUSE (chromium, dnsmasq, ImageMagick, nodejs16, openssl-1_0_0, openssl1, ovmf, and python-Flask), and Ubuntu (dnsmasq, libxml2, linux, linux-aws, linux-aws-5.4, linux-azure, linu linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15 linux-oracle, linux-raspi2, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/929671/
∗∗∗ Chromium: CVE-2023-2136 Integer overflow in Skia ∗∗∗
---------------------------------------------
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2023-2136 exists in the wild.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2136
∗∗∗ Spring Boot 2.7.11 available now fixing CVE-2023-20873 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/20/spring-boot-2-7-11-available-now-fixing-c…
∗∗∗ Spring Boot 3.0.6 available now fixing CVE-2023-20873 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/20/spring-boot-3-0-6-available-now-fixing-cv…
∗∗∗ Security Vulnerabilities have been identified in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953617
∗∗∗ Unprivileged GPU access vulnerability - CVE-2013-5987 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/864038
∗∗∗ Multiple vulnerabilities found in third party libraries used by IBM® MobileFirst Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984763
∗∗∗ Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984785
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js npm module information disclosure (CVE-2022-29244) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984799
∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984945
∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984957
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service and security bypass (CVE-2018-10237, CVE-2020-8908) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984959
∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service (CVE-2022-42004, CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984967
∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure and denial of service (CVE-2021-31403, CVE-2021-33609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984971
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service (CVE-2022-24839) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984973
∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution (CVE-2020-10650) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984963
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984969
∗∗∗ Security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984965
∗∗∗ IBM Rational Build Forge is vulnerable and could allow an unauthenticated attacker to obtain sensitive information due to the use of JSSE component (CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984975
∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to the ua-parser-js module (CVE-2022-25927) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984987
∗∗∗ Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6839127
∗∗∗ Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967213
∗∗∗ CVE-2022-3676 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6839777
∗∗∗ IBM Rational Build Forge is vulnerable and could allow attacker to obtain sensitive information due to the use of JSSE component (CVE-2021-35550) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985007
∗∗∗ CVE-2023-30441 affects IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985011
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
∗∗∗ INEA ME RTU ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-110-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-04-2023 18:00 − Wednesday 19-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical Patch Update: Oracle addresses 433 security vulnerabilities ∗∗∗
---------------------------------------------
The software vendor Oracle has released numerous security updates for its applications. Some of the flaws are rated critical.
---------------------------------------------
https://heise.de/-8971485
∗∗∗ Security updates: Dell only now secures laptops that have been vulnerable since 2022 ∗∗∗
---------------------------------------------
BIOS updates for Dell models including the Alienware and Inspiron series close two security vulnerabilities.
---------------------------------------------
https://heise.de/-8971821
∗∗∗ When old routers give away company secrets ∗∗∗
---------------------------------------------
When decommissioning their old hardware, many companies throw the baby out with the bathwater.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/04/18/wenn-alte-router-firmenge…
∗∗∗ Hackers actively exploit critical RCE bug in PaperCut servers ∗∗∗
---------------------------------------------
Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-cri…
∗∗∗ Zaraza Bot Targets Google Chrome to Extract Login Credentials ∗∗∗
---------------------------------------------
The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.
---------------------------------------------
https://www.darkreading.com/remote-workforce/zaraza-bot-targets-google-chro…
∗∗∗ SecurePwn Part 1: Bypassing SecurePoint UTM’s Authentication (CVE-2023-22620) ∗∗∗
---------------------------------------------
While working on a recent customer penetration test, I discovered two fascinating and somewhat weird bugs in SecurePoint’s UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an attacker to bypass the entire authentication and gain access to the firewall’s administrative panel. [...] The second one, aka CVE-2023-22897 is a heartbleed-like bug that allows the leaking of remote memory contents and is discussed in a second blog post.
---------------------------------------------
https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-…
∗∗∗ SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897) ∗∗∗
---------------------------------------------
While my last finding affecting SecurePoint’s UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. [...] I’ve responsibly coordinated both vulnerabilities with the vendor SecurePoint and notified them about both issues on 5th January 2023. They did an amazing job acknowledging the vulnerability and providing a fix within a single business day. I barely see (hardware) vendors reacting so fast. Well done!
---------------------------------------------
https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-…
∗∗∗ Threat Actors Rapidly Adopt Web3 IPFS Technology ∗∗∗
---------------------------------------------
Web3 technologies are seeing widespread adoption — including by TAs. We discuss Web3 technology InterPlanetary File System (IPFS), and malicious use of it.
---------------------------------------------
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
∗∗∗ Play Ransomware Group Using New Custom Data-Gathering Tools ∗∗∗
---------------------------------------------
Tools allow attackers to harvest data typically locked by the operating system.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/play-ran…
∗∗∗ Raspberry Robin: Anti-Evasion How-To & Exploit Analysis ∗∗∗
---------------------------------------------
During the last year, Raspberry Robin has evolved to be one of the most distributed malware currently active. During this time, it is likely to be used by many actors to distribute their own malware such as IcedID, Clop ransomware and more.
---------------------------------------------
https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-ex…
∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗
---------------------------------------------
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog [...]
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-nam…
∗∗∗ DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks ∗∗∗
---------------------------------------------
NoName057(16) is still conducting DDoS attacks on the websites of institutions and companies in European countries. The new Go variant of bots implemented an authentication mechanism to communicate with C2 servers and their proxies. Moreover, the mechanism also provides IP address blocklisting, presumably to hinder the tracking of the project.
---------------------------------------------
https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Web browser: New zero-day flaw in Google Chrome ∗∗∗
---------------------------------------------
Cybercriminals are attacking a new zero-day vulnerability in the Chrome web browser in the wild. Google is distributing software updates to close the flaw.
---------------------------------------------
https://heise.de/-8971427
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk), Fedora (lldpd and openssh), Red Hat (curl, kernel, and openvswitch2.13), SUSE (compat-openssl098, glib2, grafana, helm, libgit2, openssl, and openssl-1_1), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and vim).
---------------------------------------------
https://lwn.net/Articles/929533/
∗∗∗ Research by Positive Technologies helps to fix vulnerabilities in Nokia NetAct network management system ∗∗∗
---------------------------------------------
Nokia has fixed five vulnerabilities in Nokia NetAct found by Positive Technologies experts Vladimir Razov and Alexander Ustinov. Nokia NetAct is used by more than 500 communications service providers to monitor and control telecommunication networks, base stations, and other systems. The vendor was notified of the threat as part of standard responsible disclosure and has fixed the vulnerabilities in new versions of the software.
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/research-by-positive-technologi…
∗∗∗ WordPress plugin "LIQUID SPEECH BALLOON" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN99657911/
∗∗∗ Oracle Critical Patch Update Advisory - April 2023 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuapr2023.html
∗∗∗ K000133390 : Apache Tomcat vulnerability CVE-2022-45143 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133390
∗∗∗ K000133547 : Python urllib3 vulnerability CVE-2020-26137 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133547
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 17-04-2023 18:00 − Tuesday 18-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Recycled Core Routers Exposed Sensitive Corporate Network Info ∗∗∗
---------------------------------------------
Researchers warn about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data.
---------------------------------------------
https://www.darkreading.com/vulnerabilities-threats/recycled-core-routers-e…
∗∗∗ YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) that's used to deliver the Aurora information stealer malware.
---------------------------------------------
https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html
∗∗∗ Memory corruption in JCRE: An unpatchable HSM may swallow your private key ∗∗∗
---------------------------------------------
The key has always been a core target of security protection. Due to the limitation of key slots, most cryptocurrency hardware wallets use MCU chips (such as STM32F205RE) to implement. However, people who have higher security requirements for safeguarding the private keys are often interested in Java cards [...]
---------------------------------------------
https://hardenedvault.net/blog/2023-04-18-java-card-runtime-memory-corrupti…
∗∗∗ Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight ∗∗∗
---------------------------------------------
[...] In order to truly protect ourselves from RaaS gangs, we have to ‘peel back the onion’, so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage. One of the most concerning behaviors we’ve observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more.
---------------------------------------------
https://www.malwarebytes.com/blog/business/2023/04/living-off-the-land-lotl…
∗∗∗ New Captcha Protected Phishing Attack Targets Access to Payroll Files ∗∗∗
---------------------------------------------
We have discovered a new phishing attack that specifically targets individuals who need access to payroll files through Microsoft Teams.
---------------------------------------------
https://cyberwarzone.com/new-captcha-protected-phishing-attack-targets-acce…
∗∗∗ Security updates: Trend Micro Security makes Windows PCs vulnerable ∗∗∗
---------------------------------------------
There is an important update for the Trend Micro Security antivirus application for Windows.
---------------------------------------------
https://heise.de/-8969449
∗∗∗ US agency: Vulnerability in old macOS is being exploited in attacks ∗∗∗
---------------------------------------------
According to the cyber-security agency, there are indications of active attacks. No patches are available for very old Macs.
---------------------------------------------
https://heise.de/-8970903
∗∗∗ Classified-ad fraud: Be careful when someone wants to pay by cheque ∗∗∗
---------------------------------------------
You are selling a bicycle on Ländleanzeiger.at. An interested buyer gets in touch and wants to buy it. Because the buyer currently has no access to his bank account, he wants to pay by cheque. After a few days a cheque does in fact arrive, but for a far too high amount. Caution: the cheque is fake. Break off contact; you are being defrauded.
---------------------------------------------
https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-wenn-je…
∗∗∗ Shodan Verified Vulns 2023-04-01 ∗∗∗
---------------------------------------------
As of 2023-04-01, Shodan sees the following vulnerabilities in Austria: This month, no really noteworthy changes stand out.
---------------------------------------------
https://cert.at/de/aktuelles/2023/4/shodan-verified-vulns-2023-04-01
∗∗∗ APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers ∗∗∗
---------------------------------------------
APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108
∗∗∗ Windows 10/11: Microsoft releases fix for OOBE Bitlocker failure bug ∗∗∗
---------------------------------------------
Microsoft does promote Bitlocker for encrypting drives under Windows. But bugs keep appearing that prevent encryption or give third parties unauthorized access to encrypted drives. A Microsoft support employee has now disclosed a case in which Bitlocker is not activated during the out-of-the-box (OOBE) phase of the Windows installation.
---------------------------------------------
https://www.borncity.com/blog/2023/04/18/windows-10-11-microsoft-verffentli…
∗∗∗ Automating Qakbot Detection at Scale With Velociraptor ∗∗∗
---------------------------------------------
This blog offers a practical methodology to extract configuration data from recent Qakbot samples.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Garrett: PSA: upgrade your LUKS key derivation function ∗∗∗
---------------------------------------------
[...] the LUKS1 header format, and the only KDF supported in this format is PBKDF2. This is not a memory expensive KDF, and so is vulnerable to GPU-based attacks. But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id.
---------------------------------------------
https://lwn.net/Articles/929343/
∗∗∗ New sandbox escape PoC exploit available for VM2 library, patch now ∗∗∗
---------------------------------------------
Security researchers have released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on the host running the VM2 sandbox. [...]
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-explo…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (protobuf), Fedora (libpcap, libxml2, openssh, and tcpdump), Mageia (kernel and kernel-linus), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (gradle, kernel, nodejs10, nodejs12, nodejs14, openssl-3, pgadmin4, rubygem-rack, and wayland), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/929389/
∗∗∗ Multiple critical vulnerabilities in Strapi versions <=4.7.1 ∗∗∗
---------------------------------------------
Strapi had multiple critical vulnerabilities that could be chained together to gain unauthenticated remote code execution. This is my public disclosure of the vulnerabilities I found in Strapi, how they were patched and some nonsensical ramblings.
---------------------------------------------
https://www.ghostccamm.com/blog/multi_strapi_vulns/
∗∗∗ Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/04/hiding-in-plain-sight-cross-site-scr…
∗∗∗ Omron CS/CJ Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-108-01
∗∗∗ Spring Security 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 released, fix CVE-2023-20862 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/17/spring-security-6-1-0-rc1-6-0-3-5-8-3-and…
∗∗∗ Kubernetes kube-apiserver vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982927
∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/search?q=IBM%20Sterling%20Order%…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984199
∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in libcurl (CVE-2022-32221) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984203
∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854647
∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server and Websphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984345
∗∗∗ Security Bulletin: The IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984347
∗∗∗ Vulnerabilities in Apache Shiro (CVE-2022-40664) and Apache Commons FileUpload (CVE-2023-24998) affect IBM WebSphere Service Registry and Repository. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962169
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984413
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 14-04-2023 18:00 − Monday 17-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Juice Jacking: FBI warns against public USB charging stations without cause ∗∗∗
---------------------------------------------
Attackers could compromise USB charging stations at airports and the like in order to push malware onto smartphones. However, this is not really current.
---------------------------------------------
https://heise.de/-8966067
∗∗∗ Zero-day: Pinduoduo was able to steal data and install malware ∗∗∗
---------------------------------------------
The Chinese Android app Pinduoduo was able to abuse a zero-day vulnerability in Android. CISA urges applying the Android update.
---------------------------------------------
https://heise.de/-8968204
∗∗∗ Special update: Google Chrome 112.0.5615.121 and Edge 112.0.1722.48 ∗∗∗
---------------------------------------------
On 14 April 2023, Google released out-of-band updates of the Google Chrome browser 112 in the Extended and Stable channels for Mac, Linux and Windows. Microsoft updated Edge version 112 at the same time. These are security updates that close the vulnerability CVE-2023-2033, which is rated high.
---------------------------------------------
https://www.borncity.com/blog/2023/04/16/google-chrome-112-0-5615-121-sonde…
∗∗∗ Dating: On live-treffen.com & royacca.com you chat with fake profiles for a fee ∗∗∗
---------------------------------------------
On the dating platforms live-treffen.com & royacca.com you quickly find interesting people. Whether these are real people is unclear, because the platforms use "professional entertainers" who chat with you. The problem: every message costs money and you do not know whether you are writing with real or fictitious profiles.
---------------------------------------------
https://www.watchlist-internet.at/news/dating-auf-live-treffencom-royaccaco…
∗∗∗ Android malware infiltrates 60 Google Play apps with 100M installs ∗∗∗
---------------------------------------------
A new Android malware named Goldoson has infiltrated the platform's official app store, Google Play, through 60 apps that collectively have 100 million downloads.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-…
∗∗∗ Hackers start abusing Action1 RMM in ransomware attacks ∗∗∗
---------------------------------------------
Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action…
∗∗∗ QBot banker delivered through business correspondence ∗∗∗
---------------------------------------------
In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mails that were based on real business letters the attackers had gotten access to.
---------------------------------------------
https://securelist.com/qbot-banker-business-correspondence/109535/
∗∗∗ FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks ∗∗∗
---------------------------------------------
A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed Domino, is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer [...]
---------------------------------------------
https://thehackernews.com/2023/04/fin7-and-ex-conti-cybercrime-gangs-join.h…
∗∗∗ Bypassing Windows Defender (10 Ways) ∗∗∗
---------------------------------------------
In this article I will be explaining 10 ways/techniques to bypass a fully updated Windows system with up-to-date Windows Defender intel in order to execute unrestricted code (other than permissions/ACLs, that is).
---------------------------------------------
https://www.fo-sec.com/articles/10-defender-bypass-methods
∗∗∗ LockBit Ransomware Group Developing Malware to Encrypt Files on macOS ∗∗∗
---------------------------------------------
The LockBit ransomware gang is developing malware designed to encrypt files on macOS systems and researchers have analyzed if it poses a real threat.
---------------------------------------------
https://www.securityweek.com/lockbit-ransomware-group-developing-malware-to…
∗∗∗ Trigona Ransomware Attacking MS-SQL Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered in October 2022, and Unit 42 has recently published a report based on the similarity between Trigona and the CryLock ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/51343/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, rails, and ruby-rack), Fedora (firefox, ghostscript, libldb, samba, and tigervnc), Mageia (ceph, davmail, firefox, golang, jpegoptim, libheif, python-certifi, python-flask-restx, thunderbird, and tomcat), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (apache2-mod_auth_openidc, aws-nitro-enclaves-cli, container-suseconnect, firefox, golang-github-prometheus-prometheus, harfbuzz, java-1_8_0-ibm, kernel, liblouis, php7, tftpboot-installation images, tomcat, and wayland), and Ubuntu (chromium-browser, imagemagick, kamailio, and libreoffice).
---------------------------------------------
https://lwn.net/Articles/929303/
∗∗∗ K000133522 : Apache mod_proxy_wstunnel vulnerability CVE-2019-17567 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133522?utm_source=f5support&utm_medi…
∗∗∗ Microsoft Defender Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24934
∗∗∗ Vulnerabilities in Samba shipped with IBM OS Image for Red Hat Enterprise Linux System (CVE-2022-32742) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983851
∗∗∗ IBM Workload Scheduler potentially affected by a vulnerability found in Json-smart library (CVE-2023-1370) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984157
∗∗∗ There is a security vulnerability in Node.js http-cache-semantics module used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-25881) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984165
∗∗∗ IBM Cloud Pak for Network Automation 2.4.5 addresses multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984171
∗∗∗ IBM Db2® Graph is vulnerable to remote execution of arbitrary commands due to Node.js CVE-2022-43548 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984185
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 13-04-2023 18:00 − Friday 14-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ VoIP software from 3CX: First analysis results ∗∗∗
---------------------------------------------
3CX has released first findings from the IT security specialists at Mandiant regarding the break-in and supply-chain attack on the VoIP software.
---------------------------------------------
https://heise.de/-8962595
∗∗∗ Network equipment vendor Juniper distributes many security updates ∗∗∗
---------------------------------------------
Security vulnerabilities gape in various products of the network equipment vendor Juniper, which the manufacturer closes with updates. They should be installed promptly.
---------------------------------------------
https://heise.de/-8951334
∗∗∗ Patch now! QueueJumper vulnerability endangers hundreds of thousands of Windows systems ∗∗∗
---------------------------------------------
After worldwide scans, security researchers have discovered more than 400,000 potentially vulnerable Windows systems. Security patches are available.
---------------------------------------------
https://heise.de/-8961420
∗∗∗ Password protection can be bypassed: Drupal module Protected Pages vulnerable ∗∗∗
---------------------------------------------
Attackers could access Drupal websites that are supposed to be sealed off by passwords. A security update is available.
---------------------------------------------
https://heise.de/-8959518
∗∗∗ Cloudflare: Botnets rely on hacked VPS instead of IoT ∗∗∗
---------------------------------------------
According to Cloudflare, botnets rely on hacked virtual private servers (VPS), for example from start-ups, which offer significantly more power for DDoS attacks.
---------------------------------------------
https://www.golem.de/news/cloudflare-botnetzwerke-setzen-auf-gehackte-vps-s…
∗∗∗ HTTP: What's Left of it and the OCSP Problem, (Thu, Apr 13th) ∗∗∗
---------------------------------------------
It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP.
---------------------------------------------
https://isc.sans.edu/diary/rss/29744
∗∗∗ How to Set Up a Content Security Policy (CSP) in 3 Steps ∗∗∗
---------------------------------------------
What is a Content Security Policy (CSP)? A Content Security Policy (CSP) is a security feature used to help protect websites and web apps from clickjacking, cross-site scripting (XSS), and other malicious code injection attacks. At the most basic level, a CSP is a set of rules that restricts or green lights what content loads onto your website. It is a widely-supported security standard recommended to anyone who operates a website.
---------------------------------------------
https://blog.sucuri.net/2023/04/how-to-set-up-a-content-security-policy-csp…
∗∗∗ RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit.
---------------------------------------------
https://thehackernews.com/2023/04/rtm-locker-emerging-cybercrime-group.html
∗∗∗ Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation ∗∗∗
---------------------------------------------
The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA’s KEV catalog.
---------------------------------------------
https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports…
∗∗∗ Automating Qakbot decode at scale ∗∗∗
---------------------------------------------
This is a technical post covering methodology to extract configuration data from recent Qakbot samples. I will provide background on Qakbot, walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/04/14/automating-qakbot-decode/
=====================
= Vulnerabilities =
=====================
∗∗∗ CISA Releases Sixteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released sixteen Industrial Control Systems (ICS) advisories on April 13, 2023.
* B. Braun Battery Pack SP with Wi-Fi
* 13x Siemens
* Datakit CrossCAD-WARE
* Mitsubishi Electric GOC35 Series
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/13/cisa-releases-sixteen-in…
∗∗∗ Advisory SA23P002: Several Issues in B&R VC4 Visualization ∗∗∗
---------------------------------------------
An unauthenticated network-based attacker who successfully exploits these vulnerabilities could bypass the authentication mechanism of the VC4 visualization, read stack memory or execute code on an affected device.
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16810468…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (haproxy and openvswitch), Fedora (bzip3, libyang, mingw-glib2, thunderbird, xorg-x11-server, and xorg-x11-server-Xwayland), and Ubuntu (apport, ghostscript, linux-bluefield, node-thenify, and python-flask-cors).
---------------------------------------------
https://lwn.net/Articles/929107/
∗∗∗ Cross-Site Scripting in Timesheet Tracking for Jira (SYSS-2022-050) ∗∗∗
---------------------------------------------
Cross-site scripting vulnerabilities in the "Timesheet Tracking for Jira" plug-in allow malicious code to be embedded that is executed by all visitors.
---------------------------------------------
https://www.syss.de/pentest-blog/cross-site-scripting-in-timesheet-tracking…
∗∗∗ CPE2023-001 – Regarding vulnerabilities for Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers – 14 April 2023 ∗∗∗
---------------------------------------------
Several vulnerabilities have been identified for certain Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 12-04-2023 18:00 − Thursday 13-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ (Patched but nevertheless) nasty security vulnerability in (an optional component of) Microsoft Windows ∗∗∗
---------------------------------------------
It is not without a certain irony that most of the blog posts dealing with security vulnerabilities in Microsoft products over the last few months came from the CERT employee whose knowledge of Windows, Office and all the rest is probably by far the weakest - and with that, a warm welcome to another post that fully meets these criteria.
---------------------------------------------
https://cert.at/de/blog/2023/4/gepatchte-aber-dennoch-uble-sicherheitslucke…
∗∗∗ NTP vulnerability: Apparently less threatening than initially assumed ∗∗∗
---------------------------------------------
All-clear: following the BSI warning about a critical vulnerability in NTP, IT experts analysing it arrive at a lower threat level. NTP intends to deliver patches.
---------------------------------------------
https://heise.de/-8949340
∗∗∗ Uncommon infection methods—part 2 ∗∗∗
---------------------------------------------
Kaspersky researchers discuss infection methods used by Mirai-based RapperBot, Rhadamantys stealer, and CUEMiner: smart brute forcing, malvertising, and distribution through BitTorrent and OneDrive.
---------------------------------------------
https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/
∗∗∗ New Python-Based "Legion" Hacking Tool Emerges on Telegram ∗∗∗
---------------------------------------------
An emerging Python-based credential harvester and a hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation.
---------------------------------------------
https://thehackernews.com/2023/04/new-python-based-legion-hacking-tool.html
∗∗∗ Indirect Prompt Injection Threats ∗∗∗
---------------------------------------------
If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a Social Engineer who seeks out and exfiltrates personal information. The user doesn't have to ask about the website or do anything except interact with Bing Chat while the website is opened in the browser.
---------------------------------------------
https://greshake.github.io/
∗∗∗ Malware Disguised as Document from Ukraine's Energoatom Delivers Havoc Demon Backdoor ∗∗∗
---------------------------------------------
[...] FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants. [...] Aside from highlighting the technical details of this latest multi-staged attack [...] this article also discusses some strange artifacts that make us think this could be a work-in-progress or part of a red-team exercise.
---------------------------------------------
https://www.fortinet.com/blog/threat-research/malware-disguised-as-document…
∗∗∗ BSI study: Common microcontrollers are susceptible to hardware attacks ∗∗∗
---------------------------------------------
Hackers have an easy time with hardware security tokens and crypto wallets, smart locks and point-of-sale systems, Fraunhofer researchers warn on behalf of the BSI.
---------------------------------------------
https://heise.de/-8949244
∗∗∗ Beware of fake holiday offers! ∗∗∗
---------------------------------------------
The holiday season is slowly but surely approaching, and that also brings criminals onto the scene. Fraudulent providers such as Kofi Vermittlung (kofireisen.com) try to rip you off with supposedly cheap offers! When booking your holiday, watch out for the following warning signs for relaxing holidays instead of a cost trap!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-urlaubsangeboten/
∗∗∗ Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land ∗∗∗
---------------------------------------------
The Vice Society ransomware gang exfiltrated victim network data using a custom Microsoft PowerShell script. We dissect how each function of it works.
---------------------------------------------
https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/
=====================
= Vulnerabilities =
=====================
∗∗∗ Software development: Jenkins plug-ins vulnerable, many updates still pending ∗∗∗
---------------------------------------------
Software development environments with Jenkins are open to attack. So far only a few affected plug-ins have been secured.
---------------------------------------------
https://heise.de/-8949204
∗∗∗ Security updates: Network analysis tool Wireshark vulnerable to DoS attacks ∗∗∗
---------------------------------------------
The Wireshark developers have released two new versions of the tool. Among other things, they have closed three security vulnerabilities in them.
---------------------------------------------
https://heise.de/-8949661
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, lldpd, and zabbix), Fedora (ffmpeg, firefox, pdns-recursor, polkit, and thunderbird), Oracle (kernel and nodejs:14), Red Hat (nodejs:14, openvswitch2.17, openvswitch3.1, and pki-core:10.6), Slackware (mozilla), SUSE (nextcloud-desktop), and Ubuntu (exo, linux, linux-kvm, linux-lts-xenial, linux-aws, smarty3, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/928976/
∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (11 April 2023) ∗∗∗
---------------------------------------------
On 11 April 2023, various security updates were released for Windows Server 2008 R2 (in the 4th ESU year) and for Windows Server 2012/R2 (the updates can possibly also still be [...] under Windows 7 SP1).
---------------------------------------------
https://www.borncity.com/blog/2023/04/13/windows-7-server-2008-r2-server-20…
∗∗∗ Patchday: Microsoft Office updates (11 April 2023) ∗∗∗
---------------------------------------------
On 11 April 2023 (second Tuesday of the month, Microsoft Patchday), Microsoft released several security-relevant updates for still-supported Microsoft Office versions and other products. With the April 2023 Patchday, support for Office 2013 ends.
---------------------------------------------
https://www.borncity.com/blog/2023/04/13/patchday-microsoft-office-updates-…
∗∗∗ Drupal: Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-013
∗∗∗ Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data ∗∗∗
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-so…
∗∗∗ Mattermost security updates 7.9.2 / 7.8.3 (ESR) / 7.7.4 / 7.1.8 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-9-2-7-8-3-esr-7-7…
∗∗∗ Multiple Vulnerabilities in the Autodesk® AutoCAD® Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0005
∗∗∗ MISP 2.4.170 released with new features, workflow improvements and bugs fixed ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.170
∗∗∗ CVE-2023-0004 PAN-OS: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0004
∗∗∗ CVE-2023-0005 PAN-OS: Exposure of Sensitive Information Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0005
∗∗∗ CVE-2023-0006 GlobalProtect App: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0006
∗∗∗ Spring Framework 6.0.8, 5.3.27 and 5.2.24.RELEASE fix CVE-2023-20863 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/13/spring-framework-6-0-8-5-3-27-and-5-2-24-…
∗∗∗ B. Braun Battery Pack SP with Wi-Fi ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-103-01
∗∗∗ DataPower Operations Dashboard vulnerable to multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983234
∗∗∗ AIX is vulnerable to arbitrary command execution due to invscout (CVE-2023-28528) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983232
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983270
∗∗∗ A CVE-2021-28165 vulnerability in Eclipse Jetty affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983272
∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - January 2023 CPU plus deferred CVE-2022-21426 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983454
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983456
∗∗∗ IBM Maximo Asset Management is vulnerable to HTML injection (CVE-2023-27864) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983460
∗∗∗ IBM Security Verify Governance is vulnerable to remote attacks to execute arbitrary code on the system [CVE-2013-4521, CVE-2013-2165 and CVE-2018-14667] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983480
∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983482
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to denial of service due to [CVE-2022-37603] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983484
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983486
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983490
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM® Java SDK CPU January 2023) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983492
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 11-04-2023 18:00 − Wednesday 12-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patchday: Attackers infect Windows with Nokoyawa ransomware ∗∗∗
---------------------------------------------
Microsoft has released important security updates for, among others, Azure, Dynamics 365 and Windows.
---------------------------------------------
https://heise.de/-8935888
∗∗∗ BSI warns of critical zero-day vulnerabilities in the NTP server ∗∗∗
---------------------------------------------
An IT researcher has reported five security vulnerabilities in the NTP time server. The BSI rates the vulnerabilities as critical. An update is not yet available.
---------------------------------------------
https://heise.de/-8948528
∗∗∗ Waiting for security patches: BIOS vulnerabilities put Lenovo laptops at risk ∗∗∗
---------------------------------------------
Attackers could attack Lenovo laptops and, in the worst case, execute malicious code. Updates are not yet available.
---------------------------------------------
https://heise.de/-8948481
∗∗∗ Phishing alert: “New Fax Document(s) has been received” ∗∗∗
---------------------------------------------
Emails are currently being sent indiscriminately to companies, claiming that the recipients have received a new fax document. To view the document, a link must be clicked. Caution: criminals are trying to hijack the Microsoft account of the affected employees.
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-alarm-new-fax-documents-has…
∗∗∗ Subscription trap instead of a coffee machine prize draw in MediaMarkt's name ∗∗∗
---------------------------------------------
Criminals are advertising a fraudulent prize draw in MediaMarkt's name on Facebook. DeLonghi coffee machines are promised for just 1.95 euros because of an alleged contract termination between the manufacturer and MediaMarkt. In reality, however, you end up in an expensive subscription trap. The coffee machines do not exist.
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-statt-kaffeemaschinen-gewi…
∗∗∗ Remote Code Execution (RCE) in Hashicorp Vault ∗∗∗
---------------------------------------------
Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. This vulnerability, in certain conditions, allows attackers to execute code remotely on the target system through a SQL injection attack.
---------------------------------------------
https://www.oxeye.io/blog/rce-through-sql-injection-vulnerability-in-hashic…
∗∗∗ Hacked sites caught spreading malware via fake Chrome updates ∗∗∗
---------------------------------------------
Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unaware visitors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hacked-sites-caught-spreadin…
∗∗∗ Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign ∗∗∗
---------------------------------------------
This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-inves…
∗∗∗ The Service Accounts Challenge: Can't See or Secure Them Until It's Too Late ∗∗∗
---------------------------------------------
Here's a hard question to answer: How many service accounts do you have in your environment? A harder one is: Do you know what these accounts are doing? And the hardest is probably: If any of your service accounts was compromised and used to access resources, would you be able to detect and stop that in real-time?
---------------------------------------------
https://thehackernews.com/2023/04/the-service-accounts-challenge-cant-see.h…
∗∗∗ Another zero-click Apple spyware maker just popped up on the radar again ∗∗∗
---------------------------------------------
Malware reportedly developed by a little-known Israeli commercial spyware maker has been found on devices of journalists, politicians, and an NGO worker in multiple countries, say researchers.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/04/12/quadream_spy…
∗∗∗ Recent IcedID (Bokbot) activity ∗∗∗
---------------------------------------------
This week, we've seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments. The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives. The password for the downloaded zip archive is shown in the PDF file. The downloaded zip archives contain EXE files that are digitally signed using a certificate issued by SSL.com.
---------------------------------------------
https://isc.sans.edu/diary/rss/29740
∗∗∗ BumbleBee hunting with a Velociraptor ∗∗∗
---------------------------------------------
The various detection opportunities described in the report can be useful for organizations to detect an infection in its first stages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma) so they can be used by any company or the wider community.
---------------------------------------------
https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/
∗∗∗ Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages ∗∗∗
---------------------------------------------
Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was uncovered by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server.
---------------------------------------------
https://thehackernews.com/2023/04/cryptocurrency-stealer-malware.html
∗∗∗ Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts ∗∗∗
---------------------------------------------
On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts.
---------------------------------------------
https://www.wordfence.com/blog/2023/04/update-now-severe-vulnerability-impa…
∗∗∗ On self-healing code and the obvious issue ∗∗∗
---------------------------------------------
While browsing the news in the morning I've found an article on Ars Technica titled "Developer creates “self-healing” programs that fix themselves thanks to AI". It's about Wolverine, which is an automated extension of what was demoed during the GPT-4 reveal, i.e. the perceived ability of GPT-4 to understand error messages and suggest fixes.
---------------------------------------------
https://gynvael.coldwind.pl/?id=766
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: Fortinet closes critical and high-risk vulnerabilities ∗∗∗
---------------------------------------------
On the April patch day, Fortinet is shipping security updates for numerous products. The vendor rates one of the vulnerabilities closed by them as critical.
---------------------------------------------
https://heise.de/-8939457
∗∗∗ Patch day: Critical malicious-code vulnerabilities closed in Adobe applications ∗∗∗
---------------------------------------------
Anyone who uses Adobe applications should bring them up to date for security reasons.
---------------------------------------------
https://heise.de/-8935948
∗∗∗ Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin ∗∗∗
---------------------------------------------
On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, [...]
---------------------------------------------
https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-p…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, ghostscript, glusterfs, netatalk, php-Smarty, and skopeo), Mageia (ghostscript, imagemagick, ipmitool, openssl, sudo, thunderbird, tigervnc/x11-server, and vim), Oracle (curl, haproxy, and postgresql), Red Hat (curl, haproxy, httpd:2.4, kernel, kernel-rt, kpatch-patch, and postgresql), Slackware (mozilla), SUSE (firefox), and Ubuntu (dotnet6, dotnet7, firefox, json-smart, linux-gcp, linux-intel-iotg, and sudo).
---------------------------------------------
https://lwn.net/Articles/928870/
∗∗∗ Patch day: Windows 11/Server 2022 updates (April 11, 2023) ∗∗∗
---------------------------------------------
On April 11, 2023 (second Tuesday of the month, Microsoft's patch day), Microsoft also released cumulative updates for Windows 11 22H1 and 22H2. In addition, Windows Server 2022 received an update. Here are some details on these updates, the vulnerabilities and problems [...]
---------------------------------------------
https://www.borncity.com/blog/2023/04/12/patchday-windows-11-server-2022-up…
∗∗∗ FANUC ROBOGUIDE-HandlingPRO ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow an attacker to read and/or overwrite files on the system running the affected software.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-101-01
∗∗∗ NVIDIA Display Driver Advisory - March 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500558-NVIDIA-DISPLAY-DRIVER-A…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Friday 07-04-2023 18:00 − Tuesday 11-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ YouTube warns of deceptively genuine-looking scam ∗∗∗
---------------------------------------------
Phishing emails are currently being sent in YouTube's name that use a credible email address.
---------------------------------------------
https://futurezone.at/digital-life/youtube-warnt-vor-taeuschend-echter-betr…
∗∗∗ Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories ∗∗∗
---------------------------------------------
Repo jacking is an attack on GitHub repositories, where attackers are able to hijack GitHub repositories by reregistering previously used usernames. In this blog post, we discuss how many AUR packages (use GitHub packages that) are vulnerable to repo jacking attacks.
---------------------------------------------
https://blog.nietaanraken.nl/posts/aur-packages-github-repo-jacking/
∗∗∗ Stepping Insyde System Management Mode ∗∗∗
---------------------------------------------
In October of 2022, Intel’s Alder Lake BIOS source code was leaked online. [..] I obtained a copy of the leaked code and began to hunt for vulnerabilities. [..] All these vulnerabilities share a common root cause (insufficient input validation) and a common impact (SMRAM corruption). Their details are summarized in the following table [..]
---------------------------------------------
https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-…
∗∗∗ Patch now! ALPHV ransomware slips through Veritas backup vulnerabilities ∗∗∗
---------------------------------------------
Attackers are currently targeting three security vulnerabilities in Veritas Backup Exec. Patches are available.
---------------------------------------------
https://heise.de/-8875233
∗∗∗ MSI hack: Hardware manufacturer warns of fake BIOS updates ∗∗∗
---------------------------------------------
MSI has suffered an IT security incident. The attackers are said to have had access to internal data.
---------------------------------------------
https://heise.de/-8875303
∗∗∗ Study: Criminals smuggle trojan apps into Google Play from 2000 US dollars ∗∗∗
---------------------------------------------
Criminals are offering all-in-one trojan packages for sale in underground forums for ripping off Android users.
---------------------------------------------
https://heise.de/-8927162
∗∗∗ Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse ∗∗∗
---------------------------------------------
An exploitation path involving Azure shared key authorization could allow full access to accounts and business data and ultimately lead to remote code execution (RCE), cloud security company Orca warns.
---------------------------------------------
https://www.securityweek.com/microsoft-azure-users-warned-of-potential-shar…
∗∗∗ Webinar: Staying safe on social networks ∗∗∗
---------------------------------------------
Social networks have long since become our daily companions. But what do I actually need to watch out for if I want to use platforms like Facebook or Instagram safely? The webinar gives tips on using social networks responsibly. Take part free of charge: Tuesday, April 18, 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicher-unterwegs-in-sozialen…
∗∗∗ Amazon is calling? Hang up! ∗∗∗
---------------------------------------------
On the phone, criminals introduce themselves as Amazon employees and claim that your Amazon account has been hacked. They say they have discovered suspicious orders. The “Amazon employees” offer to cancel the order and protect your account. But this is fraud! Criminals are trying to steal money, ID copies and Amazon login credentials from you!
---------------------------------------------
https://www.watchlist-internet.at/news/amazon-ruft-an-legen-sie-auf/
∗∗∗ AlienFox: Toolkit for compromising email and web hosting services in the cloud ∗∗∗
---------------------------------------------
AlienFox is a toolkit for compromising email and web hosting services. This toolkit is highly modular, exists in several versions and tries to exploit misconfigurations in the cloud in order to harvest the credentials for services such as AWS, Microsoft 365, Google Workspace, 1und1 etc.
---------------------------------------------
https://www.borncity.com/blog/2023/04/11/alienfox-toolkit-zur-kompromittier…
∗∗∗ WinVerifyTrust Signature Validation Vulnerability ∗∗∗
---------------------------------------------
Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, the information herein remains unchanged from the original text published on December 10, 2013.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112 ∗∗∗
---------------------------------------------
CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29534, CVE-2023-29535, CVE-2023-29536, CVE-2023-29537, CVE-2023-29538, CVE-2023-29539, CVE-2023-29540, CVE-2023-29541, CVE-2023-29542, CVE-2023-29543, CVE-2023-29544, CVE-2023-29545, CVE-2023-29546, CVE-2023-29547, CVE-2023-29548, CVE-2023-29549, CVE-2023-29550, CVE-2023-29551
Of these, 11x "Severity: high".
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/
∗∗∗ Exploit code: Malicious code could break out of JavaScript sandbox vm2 ∗∗∗
---------------------------------------------
The popular vm2 sandbox has a critical security vulnerability and exploit code is already in circulation.
---------------------------------------------
https://heise.de/-8875269
∗∗∗ Patch day: SAP reports 19 security vulnerabilities, some of them critical ∗∗∗
---------------------------------------------
In April, SAP issued security notes for 19 vulnerabilities in its own products. The vendor rates two of them as critical.
---------------------------------------------
https://heise.de/-8931365
∗∗∗ iOS 15, macOS 11 and 12: Apple follows up with emergency fix ∗∗∗
---------------------------------------------
After iOS 16 and macOS 13 had already been fully patched, Apple is now also following up with a fix for an already exploited vulnerability for older operating systems.
---------------------------------------------
https://heise.de/-8922448
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (openimageio and udisks2), Fedora (chromium, curl, kernel, mediawiki, and seamonkey), Oracle (httpd:2.4), Red Hat (httpd and mod_http2 and tigervnc), SUSE (ghostscript and kernel), and Ubuntu (irssi).
---------------------------------------------
https://lwn.net/Articles/928667/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (keepalived and lldpd), Oracle (kernel), and SUSE (kernel, podman, seamonkey, and upx).
---------------------------------------------
https://lwn.net/Articles/928736/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Dozens of Vulnerabilities ∗∗∗
---------------------------------------------
Siemens and Schneider Electric’s Patch Tuesday advisories for April 2023 address a total of 38 vulnerabilities found in their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ PHOENIX CONTACT: Directory Traversal Vulnerability in ENERGY AXC PU Web service ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-004/
∗∗∗ Insyde BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500557
∗∗∗ Lenovo XClarity Controller (XCC) Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500556-LENOVO-XCLARITY-CONTROL…
∗∗∗ Lenovo Smart Clock Essential Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500555-LENOVO-SMART-CLOCK-ESSE…
∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM Cloud Pak for Applications, are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982187
∗∗∗ IBM i components are affected by CVE-2021-4104 (log4j version 1.x) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6539162
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Lucene ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982359
∗∗∗ IBM Watson Explorer affected by vulnerability in Apache Commons. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964808
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982539
∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888295
∗∗∗ Vulnerabilities in cURL affect QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888299
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982833
∗∗∗ Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982841
∗∗∗ The IBM® Engineering Lifecycle Engineering product using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982847
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to Webpack (CVE-2023-28154) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982851
∗∗∗ IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to a vulnerability in XML processing in Apache Jena, in versions up to 4.1.0 (CVE-2021-39239) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981111
∗∗∗ IBM Operational Decision Manager March 2023 - CVE-2014-0114, CVE-2019-10086, CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982881
∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982895
∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982903
∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982905
∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982047
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 06-04-2023 18:00 − Friday 07-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Security baseline for Microsoft Edge v112 ∗∗∗
---------------------------------------------
Microsoft is pleased to announce the release of the security baseline for Microsoft Edge, version 112! We have reviewed the settings in Microsoft Edge version 112 and updated our guidance with the removal of three obsolete settings. A new Microsoft Edge security baseline package was just released to the Download Center.
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Security headers you should add into your application to increase cyber risk protection, (Thu, Apr 6th) ∗∗∗
---------------------------------------------
Web applications are a wide world that is currently the object of numerous cyberattacks, mostly seeking to compromise the information directly in the clients that use them.
---------------------------------------------
https://isc.sans.edu/diary/rss/29720
∗∗∗ Detecting Suspicious API Usage with YARA Rules, (Fri, Apr 7th) ∗∗∗
---------------------------------------------
YARA is a beautiful tool for malware researchers and incident responders. No need to present it again. It became a standard tool to add to your arsenal. While teaching FOR610 (Malware Analysis & Reverse Engineering), a student asked me how to detect specific API calls with dangerous parameters during the triage phase. This phase will help you quickly assess the malware sample and help you decide how to perform the following steps.
---------------------------------------------
https://isc.sans.edu/diary/rss/29724
∗∗∗ Balada Injector: Synopsis of a Massive Ongoing WordPress Malware Campaign ∗∗∗
---------------------------------------------
Our team at Sucuri has been tracking a massive WordPress infection campaign since 2017 — but up until recently never bothered to give it a proper name. Typically, we refer to it as an ongoing long lasting massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities.
---------------------------------------------
https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoi…
∗∗∗ With ICMP magic, you can snoop on vulnerable HiSilicon, Qualcomm-powered Wi-Fi ∗∗∗
---------------------------------------------
WPA stands for will-provide-access, if you can successfully exploit a target's setup. A vulnerability identified in at least 55 Wi-Fi router models can be exploited by miscreants to spy on victims' data as it's sent over a wireless network.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/04/07/wifi_access_…
∗∗∗ Pwning Pixel 6 with a leftover patch ∗∗∗
---------------------------------------------
In this post, I’ll look at a security-related change in version r40p0 of the Arm Mali driver that was AWOL in the January update of the Pixel bulletin, where other patches from r40p0 were applied, and how these two lines of changes can be exploited to gain arbitrary kernel code execution and root from a malicious app. This highlights how treacherous it can be when backporting security changes.
---------------------------------------------
https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/
∗∗∗ Survey: Software-related vulnerabilities are the biggest security problem ∗∗∗
---------------------------------------------
Hackers are increasingly relying on known security vulnerabilities. According to the survey, ransomware is only the fourth-largest threat. A further problem: many companies instruct employees to keep reportable incidents quiet.
---------------------------------------------
https://www.zdnet.de/88408311/umfrage-softwarebedingte-schwachstellen-sind-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Release notes for Microsoft Edge Security Updates (CVE-2023-28284, CVE-2023-24935, CVE-2023-28301) ∗∗∗
---------------------------------------------
April 6, 2023: Microsoft has released the latest Microsoft Edge Stable Channel (Version 112.0.1722.34) which incorporates the latest Security Updates of the Chromium project.
---------------------------------------------
https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-securi…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (ldb/samba, libapreq2, opencontainers-runc, peazip, python-cairosvg, stellarium, and zstd), Oracle (httpd and mod_http2, kernel, and nss), SUSE (conmon, go1.19, go1.20, libgit2, openssl-1_1, and openvswitch), and Ubuntu (emacs24).
---------------------------------------------
https://lwn.net/Articles/928559/
∗∗∗ F5: K000133432 : Intel CPU vulnerability CVE-2022-21216 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133432
∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/07/cisa-adds-five-known-exp…
∗∗∗ IBM Informix Dynamic Server is affected when a specific function in the Spatial Datablade is called with an out-of-range parameter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6343587
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in GnuPG Libksba [CVE-2022-3515] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981855
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary code execution in libexpat [CVE-2022-40674] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981859
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in SQlite [CVE-2020-35527] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981851
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary commands execution in Python (CVE-2015-20107) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981849
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in GNU Libtasn1 [CVE-2021-46848] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981853
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-23521] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981857
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-41903] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981861
∗∗∗ Privilege Escalation vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981911
∗∗∗ Improper Error Handling ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981917
∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982047
∗∗∗ Vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/286971
∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6982141
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 05-04-2023 18:00 − Thursday 06-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Telegram now the go-to place for selling phishing tools and services ∗∗∗
---------------------------------------------
Telegram has become the working ground for the creators of phishing bots and kits looking to market their products to a larger audience or to recruit unpaid helpers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/telegram-now-the-go-to-place…
∗∗∗ CAN do attitude: How thieves steal cars using network bus ∗∗∗
---------------------------------------------
It starts with a headlamp and fake smart speaker, and ends in an injection attack and a vanished motor. Automotive security experts say they have uncovered a method of car theft relying on direct access to the vehicle's system bus via a smart headlamp's wiring.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/04/06/can_injectio…
∗∗∗ Technical analysis of the Genesis Market ∗∗∗
---------------------------------------------
[...] In case you are unfamiliar with this market, it was used to sell stolen login credentials, browser cookies and online fingerprints (in order to prevent ‘risky sign-in’ detections), by some referred to as IMPaas, or Impersonation-as-a-Service. [...] its activities have resulted in approximately two million victims. If you want to know more about this operation, you can read our other blog post. You can also check if your data has been compromised [...]
---------------------------------------------
https://sector7.computest.nl/post/2023-04-technical-analysis-genesis-market/
∗∗∗ CyberGhostVPN - the story of finding MITM, RCE, LPE in the Linux client ∗∗∗
---------------------------------------------
This article discloses the vulnerabilities that were present in the CyberGhostVPN Linux 1.3.5 client (and versions below). The latest version of the CyberGhostVPN Linux client is now free from these vulnerabilities.
---------------------------------------------
https://mmmds.pl/cyberghostvpn-mitm-rce-lpe/
∗∗∗ Cisco: Vulnerabilities, some of them high-risk, patched in several products ∗∗∗
---------------------------------------------
Cisco administrators have work to do over the Easter holidays: the vendor has discovered security vulnerabilities in various products. Updates are meant to close them.
---------------------------------------------
https://heise.de/-8644498
∗∗∗ Nexx garage door controller: Vulnerability gives hackers access ∗∗∗
---------------------------------------------
Anyone who owns a Nexx home automation system and uses it to remotely control their garage doors now has a big problem. A vulnerability in the Nexx remote control allows hackers unauthorized access to the garage doors.
---------------------------------------------
https://www.borncity.com/blog/2023/04/06/nexx-garagentorsteuerung-schwachst…
∗∗∗ Beware of new YouTube phishing scam using authentic email address ∗∗∗
---------------------------------------------
Watch out for a new YouTube phishing scam and ignore any email from YouTube that claims to provide details about "Changes in YouTube rules and policies | Check the Description."
---------------------------------------------
https://www.hackread.com/youtube-phishing-scam-authentic-email-address/
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2023-04-05 ∗∗∗
---------------------------------------------
Cisco has released 13 security advisories: (3x High, 9x Medium, 1x Informational)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Trellix Agent allows privilege escalation on the system ∗∗∗
---------------------------------------------
The agent from Trellix, the merger of McAfee and FireEye, allows attackers to escalate their privileges on the system. An update closes the vulnerability.
---------------------------------------------
https://heise.de/-8645652
∗∗∗ Data leak: Mastodon vulnerability allows information disclosure ∗∗∗
---------------------------------------------
Updated Mastodon packages fix a data leak in LDAP authentication. Administrators should apply the updates promptly.
---------------------------------------------
https://heise.de/-8645580
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cairosvg, ghostscript, grunt, tomcat9, and trafficserver), Fedora (golang, podman, xen, and zchunk), Red Hat (kpatch-patch), SUSE (systemd), and Ubuntu (apache-log4j1.2, liblouis, linux-aws, and linux-bluefield).
---------------------------------------------
https://lwn.net/Articles/928476/
∗∗∗ Celery as used by IBM QRadar Advisor With Watson App is vulnerable to arbitrary command execution (CVE-2021-23727) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981595
∗∗∗ Node.js passport is vulnerable to CVE-2022-25896 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966086
∗∗∗ IBM TRIRIGA Application Platform discloses XML external entities injection (CVE-2023-27876) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981115
∗∗∗ IBM TRIRIGA Application Platform discloses Stored Cross Site Scripting (CVE-2022-43914) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981597
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ decode-uri-component is vulnerable to CVE-2022-38900 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981607
∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953825
∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847947
∗∗∗ Vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981763
∗∗∗ IBM Security Verify Governance is vulnerable to cross-site scripting, caused by improper validation of user-supplied input related to the HtmlResponseWriter (CVE-2013-5855) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981781
∗∗∗ IBM Watson Explorer affected by vulnerability in OpenSSL. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963622
∗∗∗ IBM Watson Explorer affected by vulnerability in Apache Commons. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964808
∗∗∗ Korenix Jetwave ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-04
∗∗∗ mySCADA myPRO ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06
∗∗∗ JTEKT ELECTRONICS Kostac PLC Programming Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-03
∗∗∗ Hitachi Energy MicroSCADA System Data Manager SDM600 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-05
∗∗∗ JTEKT ELECTRONICS Screen Creator Advance 2 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-02
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 04-04-2023 18:00 − Wednesday 05-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Open garage doors anywhere in the world by exploiting this “smart” device ∗∗∗
---------------------------------------------
A universal password. Unencrypted user data and commands. What could go wrong?
A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed.
Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time.
Immediately unplug all Nexx devices
---------------------------------------------
https://arstechnica.com/?p=1929120
∗∗∗ Exploration of DShield Cowrie Data with jq, (Wed, Apr 5th) ∗∗∗
---------------------------------------------
There have been other diaries [1][2] showing how to explore JSON data with jq [3]. We'll review some options to understand unfamiliar JSON data and ways to filter that information. Using tools like Security Information and Event Management (SIEM) systems can help aggregate data and make it more easily searched and visualized. There are still times where being able to quickly search JSON data can be useful, especially if a SIEM option is not immediately available.
---------------------------------------------
https://isc.sans.edu/diary/rss/29714
∗∗∗ ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs ∗∗∗
---------------------------------------------
An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution. An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network. Unlike other ALPHV affiliates, UNC4466 doesn’t rely on stolen credentials for initial access to victim environments. Mandiant [...]
---------------------------------------------
https://securityaffairs.com/144438/cyber-crime/alphv-blackcat-ransomware-ve…
∗∗∗ Deobfuscating the Recent Emotet Epoch 4 Macro ∗∗∗
---------------------------------------------
This analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscati…
∗∗∗ Cyber fraudsters: Ransom payment demand, but without ransomware ∗∗∗
---------------------------------------------
More fraudsters are jumping on the currently frequent cyber attacks. They send emails with payment demands without having planted any ransomware.
---------------------------------------------
https://heise.de/-8587724
∗∗∗ Pre-ransomware notifications are paying off right from the bat ∗∗∗
---------------------------------------------
CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023.
Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/04/pre-ransomware-notifications…
∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗
---------------------------------------------
NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.
---------------------------------------------
https://research.nccgroup.com/2023/04/05/detecting-karakurt-an-extortion-fo…
∗∗∗ Counterfeit brand products in online retail: How to protect yourself! ∗∗∗
---------------------------------------------
Anyone searching the Internet for brand-name clothing, watches, accessories or medication often comes across dubious offers. In some cases, ordering cheap brand-name products results in receiving a counterfeit product, sometimes nothing arrives at all, and with medication in particular the product can even be dangerous. What to look out for in online shops and on platforms such as Amazon in order to protect yourself [...]
---------------------------------------------
https://www.watchlist-internet.at/news/markenfaelschungen-im-online-handel-…
∗∗∗ How we’re protecting users from government-backed attacks from North Korea ∗∗∗
---------------------------------------------
Google's Threat Analysis Group shares information on ARCHIPELAGO as well as the work to stop government-backed attackers.
---------------------------------------------
https://blog.google/threat-analysis-group/how-were-protecting-users-from-go…
∗∗∗ MS OneNote to block 120 dangerous file types in future ∗∗∗
---------------------------------------------
Microsoft is apparently reacting to the fact that OneNote is by now being abused to spread malware to systems. In future, the application is to block 120 dangerous file types so that they can no longer be abused for malware attacks via downloads from the Internet.
---------------------------------------------
https://www.borncity.com/blog/2023/04/05/ms-onenote-soll-knftig-120-gefhrli…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities in Autodesk® InfoWorks® software ∗∗∗
---------------------------------------------
Autodesk® InfoWorks® WS Pro and InfoWorks® ICM have been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Patch releases are available in Autodesk Access or the Accounts Portal or the Innovyze Web Portal to help resolve these vulnerabilities. The patch versions are listed below.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0001
∗∗∗ Chrome 112: 16 security vulnerabilities fixed ∗∗∗
---------------------------------------------
Google has released version 112 of the Chrome web browser. The developers fix 16 vulnerabilities. Chromium-based browsers are likely to follow soon.
---------------------------------------------
https://heise.de/-8572482
∗∗∗ Technical Advisory – play-pac4j Authentication rule bypass ∗∗∗
---------------------------------------------
Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the full URI provided in a user’s HTTP request. If a requested URI matches one of these expressions, the associated authentication rule will be applied. These rules are only intended to validate the path and query string section of a URL.
---------------------------------------------
https://research.nccgroup.com/2023/04/05/technical-advisory-play-pac4j-auth…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ghostscript and openimageio), Fedora (kernel, rubygem-actioncable, rubygem-actionmailbox, rubygem-actionmailer, rubygem-actionpack, rubygem-actiontext, rubygem-actionview, rubygem-activejob, rubygem-activemodel, rubygem-activerecord, rubygem-activestorage, rubygem-activesupport, rubygem-rails, and rubygem-railties), Oracle (gnutls, httpd, kernel, nodejs:16, nodejs:18, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Red Hat (gnutls, httpd, httpd:2.4, kernel, kpatch-patch, pcs, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Scientific Linux (httpd and tigervnc, xorg-x11-server), SUSE (aws-efs-utils.11048, libheif, liblouis, openssl, python-cryptography, python-Werkzeug, skopeo, tomcat, and wireshark), and Ubuntu (imagemagick, ipmitool, and node-trim-newlines).
---------------------------------------------
https://lwn.net/Articles/928408/
∗∗∗ Critical vulnerability CVE-2023-1707 in HP printer firmware, no patch available ∗∗∗
---------------------------------------------
The firmware of various laser printers is vulnerable to CVE-2023-1707. Certain HP Enterprise LaserJet and HP LaserJet devices are potentially vulnerable to information disclosure in managed environments when IPsec is enabled with FutureSmart version 5.6.
---------------------------------------------
https://www.borncity.com/blog/2023/04/05/kritische-schwachstelle-cve-2023-1…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 03-04-2023 18:00 − Tuesday 04-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ WinRAR SFX archives can run PowerShell without being detected ∗∗∗
---------------------------------------------
Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-…
∗∗∗ Analyzing the efile.com Malware "efail", (Tue, Apr 4th) ∗∗∗
---------------------------------------------
Yesterday, I wrote about efile.com serving malicious fake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29712
∗∗∗ Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies ∗∗∗
---------------------------------------------
Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-ne…
∗∗∗ Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions ∗∗∗
---------------------------------------------
Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files. That's going to change going forward.
---------------------------------------------
https://thehackernews.com/2023/04/microsoft-tightens-onenote-security-by.ht…
∗∗∗ A fresh look at user enumeration in Microsoft Teams ∗∗∗
---------------------------------------------
The technique to enumerate user details and presence information via Microsoft Teams is not new and was described in a blog post by immunit.ch and their tool "TeamsUserEnum". This blog post adds more information related to user enumeration via Teams and covers different endpoints used by different account types.
---------------------------------------------
https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-micro…
∗∗∗ International Fraud Prevention Month: Beware of dark patterns ∗∗∗
---------------------------------------------
March 2023 once again marks the international month for fraud prevention ("ICPEN Fraud Prevention Month"). This year's focus topic is dark patterns. Dark patterns are misleading design elements and website layouts that attempt to steer users into decisions that are not in their best interest. Find out here what exactly dark patterns are, how to recognize them and how best to protect yourself!
---------------------------------------------
https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-…
∗∗∗ CV editor on zety.de leads into a subscription trap ∗∗∗
---------------------------------------------
On zety.de you can supposedly create professional CVs and job applications. With a click you choose a template and fill it with your data, seemingly free of charge. Only when you want to download your document do you learn that the service is not free after all. If you make the transfer, you take out a subscription!
---------------------------------------------
https://www.watchlist-internet.at/news/lebenslauf-editor-auf-zetyde-fuehrt-…
∗∗∗ Further information on attacks against the 3CX Desktop App ∗∗∗
---------------------------------------------
Since the publication of our last report on the attacks against, or through abuse of, the 3CX Desktop App, further details and new information have become known. The most important details in this regard are: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/4/weitere-informationen-zu-angriffen-gege…
∗∗∗ Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities ∗∗∗
---------------------------------------------
The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities.
Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult.
---------------------------------------------
https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-…
∗∗∗ Rorschach – A New Sophisticated and Fast Ransomware ∗∗∗
---------------------------------------------
Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups.
The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO).
---------------------------------------------
https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID ∗∗∗
---------------------------------------------
The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predictable DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment. [..] The uClibc library has not been updated since May of 2012.
---------------------------------------------
https://kb.cert.org/vuls/id/473698
∗∗∗ Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server (CVE-2022-43769, CVE-2022-43939, CVE-2022-43773, CVE-2022-43938) ∗∗∗
---------------------------------------------
A few months ago I was working on an engagement where Pentaho was used to collect data and generate reports. [..] I found a total of eight vulnerabilities, three of which enable command execution on the residing host. [..] 31 March 2023: Vendor released patches, but no public CVE disclosure.
---------------------------------------------
https://research.aurainfosec.io/pentest/pentah0wnage/
∗∗∗ Nexx Smart Home Device ∗∗∗
---------------------------------------------
AFFECTED PRODUCTS
- Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior
- Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior
- Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1 and prior
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01
∗∗∗ Patch day: Android vulnerabilities with critical risk fixed ∗∗∗
---------------------------------------------
For the April patch day, Google has closed security vulnerabilities in the Android operating system, some of which the developers rate as critical.
---------------------------------------------
https://heise.de/-8522365
∗∗∗ Sophos: Critical vulnerability in Web Appliance allows code injection ∗∗∗
---------------------------------------------
Sophos has closed security vulnerabilities in the Web Appliance (SWA) that allow attackers, among other things, to execute arbitrary code.
---------------------------------------------
https://heise.de/-8525279
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (openbgpd and seamonkey), Red Hat (httpd:2.4, kernel, kernel-rt, and pesign), SUSE (compat-openssl098, dpdk, drbd, ImageMagick, nextcloud, openssl, openssl-1_1, openssl-3, openssl1, oracleasm, pgadmin4, terraform-provider-helm, and yaml-cpp), and Ubuntu (haproxy, ldb, samba, and vim).
---------------------------------------------
https://lwn.net/Articles/928294/
∗∗∗ Netty Vulnerabilities 4.0.37 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980407
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980411
∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980457
∗∗∗ Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962855
∗∗∗ IBM Aspera Faspex 5.0.5 has addressed CVE-2022-4304 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980501
∗∗∗ IBM Security Verify Access Appliance includes components with known vulnerabilities (CVE-2022-29154, CVE-2022-0391) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980521
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980519
∗∗∗ Vulnerability in py library affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2022-42969] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980723
∗∗∗ Vulnerability in cryptography affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2023-0286] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980351
∗∗∗ A security vulnerability has been identified in WebSphere® Application Server shipped with IBM® Intelligent Operations Center (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980725
∗∗∗ IBM Event Streams is affected by vulnerabilities in the jsonwebtoken package (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980727
∗∗∗ IBM Event Streams is affected by vulnerabilities in Node.js (CVE-2022-25927 and CVE-2022-25881) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980735
∗∗∗ IBM Event Streams is affected by a vulnerability in Apache Kafka (CVE-2023-25194) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980743
∗∗∗ IBM Event Streams is vulnerable to a denial of service due to Redis (CVE-2023-25155) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980747
∗∗∗ Multiple vulnerabilities have been identified in IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980737
∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956289
∗∗∗ CVE-2022-41721 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980755
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963075
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963650
∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963077
∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960211
∗∗∗ There are several vulnerabilities in Bootstrap used by IBM Maximo Asset Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980757
∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828569
=====================
= End-of-Day report =
=====================
Timeframe: Friday 31-03-2023 18:00 − Monday 03-04-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New Money Message ransomware demands million dollar ransoms ∗∗∗
---------------------------------------------
A new ransomware gang named Money Message has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-money-message-ransomware…
∗∗∗ Hacking is for everyone: The Austria Cyber Security Challenge kicks off ∗∗∗
---------------------------------------------
This year, the hacking competition aims to get more women interested in IT security.
---------------------------------------------
https://futurezone.at/digital-life/austria-cyber-security-challenge-acsc-be…
∗∗∗ With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets ∗∗∗
---------------------------------------------
The group remains highly active within a wide range of geographies and industry verticals, targeting aviation, automotive, education, government, media, information technology, and religious organizations. [..] Insikt Group has identified a wider cluster of KEYPLUG samples and infrastructure used by RedGolf from at least 2021 to 2023. (Note: the paper contains a number of IOCs worth watching.)
---------------------------------------------
https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf
∗∗∗ Attacks on high-risk vulnerability in WordPress plug-in Elementor Pro ∗∗∗
---------------------------------------------
Attackers are abusing a vulnerability in the WordPress plug-in Elementor Pro to break into websites. Admins should install the updates immediately.
---------------------------------------------
https://heise.de/-8384344
∗∗∗ IT researchers: More than 15 million vulnerable systems exposed on the internet ∗∗∗
---------------------------------------------
IT researchers have cross-checked CISA's Known Exploited Vulnerabilities Catalog against the Shodan database and found millions of vulnerable systems.
---------------------------------------------
https://heise.de/-8511852
∗∗∗ Update now: Critical vulnerability in Nextcloud ∗∗∗
---------------------------------------------
A vulnerability rated critical in the collaboration software Nextcloud could allow attackers to execute malicious code.
---------------------------------------------
https://heise.de/-8515005
∗∗∗ Microsoft OneNote Starts Blocking Dangerous File Extensions ∗∗∗
---------------------------------------------
Microsoft is boosting the security of OneNote users by blocking embedded files with extensions that are considered dangerous.
---------------------------------------------
https://www.securityweek.com/microsoft-onenote-starts-blocking-dangerous-fi…
∗∗∗ Money mule: Money-laundering jobs via WhatsApp ∗∗∗
---------------------------------------------
Beware of fraudulent job offers on WhatsApp. Criminals contact job seekers via the well-known chat platform, sometimes at random, sometimes in a targeted way. A daily wage of 50 to 300 euros for working from home may sound tempting. But be careful: here you become a money mule, help criminals launder money and may make yourself liable to prosecution!
---------------------------------------------
https://www.watchlist-internet.at/news/money-mule-geldwaesche-jobs-ueber-wh…
∗∗∗ Malicious ISO File Leads to Domain Wide Ransomware ∗∗∗
---------------------------------------------
IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022.
---------------------------------------------
https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wid…
∗∗∗ Bi(n)gBang: Microsoft Azure vulnerability enables Bing search hijacking and Office 365 data theft ∗∗∗
---------------------------------------------
An ugly story that everyone has been waiting for, and one that shows the dangers of the cloud. Microsoft's Azure cloud services allowed a misconfiguration, which then created a security vulnerability. As a result, attackers could potentially inject malicious code into Bing's search results pages in order to [...]
---------------------------------------------
https://www.borncity.com/blog/2023/03/30/bigbang-microsoft-azure-schwachste…
∗∗∗ Design weakness in the WiFi protocol allows attackers to intercept network traffic ∗∗∗
---------------------------------------------
One more small addendum from the end of March 2023. Security researchers have come across a serious design weakness in the IEEE 802.11 WiFi protocol standard. This weakness could allow attackers to eavesdrop on WLAN access points and to transmit network frames in plaintext.
---------------------------------------------
https://www.borncity.com/blog/2023/04/02/design-schwche-im-wifi-protokoll-e…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in Aten PE8108 power distribution unit (CVE-2023-25413, CVE-2023-25415, CVE-2023-25407, CVE-2023-25409, CVE-2023-25414, CVE-2023-25411) ∗∗∗
---------------------------------------------
Pentagrid identified several vulnerabilities in the PE8108 rack power distribution unit (PDU) manufactured by Aten. [..] At the time of publication, the most recent firmware is version v2.4.232 from 2022-11-22 and there is no new firmware available via Aten's website.
---------------------------------------------
https://www.pentagrid.ch/en/blog/multiple-vulnerabilities-in-aten-PE8108-po…
∗∗∗ Nvidia closes security vulnerabilities in drivers and management software ∗∗∗
---------------------------------------------
Nvidia released updated drivers and management software at the turn of the month. With these, the manufacturer closes security holes, some of them high-risk.
---------------------------------------------
https://heise.de/-8511759
∗∗∗ Device management software HCL Bigfix fixes DoS vulnerability ∗∗∗
---------------------------------------------
The device management software HCL Bigfix contains a vulnerability that allows attackers to paralyze the software on endpoints.
---------------------------------------------
https://heise.de/-8514805
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (duktape, firmware-nonfree, intel-microcode, svgpp, and systemd), Fedora (amanda, dino, flatpak, golang, libldb, netconsd, samba, tigervnc, and vim), Red Hat (nodejs:14), Slackware (ruby and seamonkey), SUSE (drbd, flatpak, glibc, grub2, ImageMagick, kernel, runc, thunderbird, and xwayland), and Ubuntu (amanda).
---------------------------------------------
https://lwn.net/Articles/928204/
∗∗∗ Multiple Vulnerabilities in the Autodesk® FBX® SDK software ∗∗∗
---------------------------------------------
Applications and services utilizing the Autodesk® FBX® SDK software have been affected by Out-Of-Bounds Write and Stack Buffer Overflow vulnerabilities. Exploitation of these vulnerabilities may lead to information disclosure, code execution and/or denial-of-service.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0004
∗∗∗ Vulnerabilities for Autodesk® Maya® USD plugin ∗∗∗
---------------------------------------------
USD (Universal Scene Description) plugin for Autodesk® Maya® has been affected by a file uninitialized variable, out-of-bounds read, and out-of-bounds write vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0003
∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-buffer-overflow-…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ HAProxy vulnerable to HTTP request/response smuggling ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN38170084/
∗∗∗ Multiple vulnerabilities in Seiko Solutions SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210 ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN40604023/
∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ZDI-23-348: Bentley View SKP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-348/
∗∗∗ ZDI-23-347: Bentley View SKP File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-347/
∗∗∗ ZDI-23-346: Bentley View SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-346/
∗∗∗ ZDI-23-345: Bentley View FBX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-345/
∗∗∗ ZDI-23-344: Bentley View FBX File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-344/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 30-03-2023 18:00 − Friday 31-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ 10-year-old Windows bug with opt-in fix exploited in 3CX attack ∗∗∗
---------------------------------------------
A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still "opt-in" after all these years. Even worse, the fix is removed after upgrading to Windows 11.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-wit…
∗∗∗ Realtek and Cacti flaws now actively exploited by malware botnets ∗∗∗
---------------------------------------------
Multiple malware botnets actively target Cacti and Realtek vulnerabilities in campaigns detected between January and March 2023, spreading ShellBot and Moobot malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/realtek-and-cacti-flaws-now-…
∗∗∗ Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs ∗∗∗
---------------------------------------------
Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-eleme…
∗∗∗ Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains, (Fri, Mar 31st) ∗∗∗
---------------------------------------------
In my last Diary[1], I shortly mentioned the need for correctly set Content Security Policy and/or the obsolete[2] X-Frame-Options HTTP security headers (not just) in order to prevent phishing pages, which overlay a fake login prompt over a legitimate website, from functioning correctly. Or, to be more specific, to prevent them from dynamically loading a legitimate page in an iframe under the fake login prompt, since this makes such phishing websites look much less like a legitimate login page and thus much less effective.
---------------------------------------------
https://isc.sans.edu/diary/rss/29698
∗∗∗ WordPress Vulnerability & Patch Roundup March 2023 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/03/wordpress-vulnerability-patch-roundup-march…
∗∗∗ Booby Trapping IBM i ∗∗∗
---------------------------------------------
In our first post about IBM i we noted that the operating system includes a database engine, Db2. This level of integration means that practically all objects of the system are accessible via SQL, a powerful tool to discover and analyze system configuration, and also to identify potential vulnerabilities. However, the “database view” of the operating system not only allows us to read data, but lets us insert additional data that can affect the behavior of the system too.
---------------------------------------------
https://blog.silentsignal.eu/2023/03/30/booby-trapping-ibm-i/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (joblib, json-smart, libmicrohttpd, and xrdp), Fedora (thunderbird and xorg-x11-server-Xwayland), Mageia (dino, perl-Cpanel-JSON-XS, perl-Net-Server, snort, tigervnc/x11-server, and xapian), SUSE (curl, kernel, openssl-1_0_0, and shim), and Ubuntu (glusterfs, linux-gcp-4.15, musl, and xcftools).
---------------------------------------------
https://lwn.net/Articles/928013/
∗∗∗ Samba Releases Security Updates for Multiple Versions of Samba ∗∗∗
---------------------------------------------
The Samba Team has released security updates addressing vulnerabilities in multiple versions of Samba. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following announcements and apply the necessary updates: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/03/31/samba-releases-security-…
∗∗∗ Vulnerability Spotlight: Specially crafted files could lead to denial of service, information disclosure in OpenImageIO parser ∗∗∗
---------------------------------------------
OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-specially-crafte…
∗∗∗ Xcode 14.3 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT213679
∗∗∗ [webapps] WooCommerce v7.1.0 - Remote Code Execution(RCE) ∗∗∗
---------------------------------------------
https://www.exploit-db.com/exploits/51156
∗∗∗ IBM Security Bulletins 2023-03-31 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 29-03-2023 18:00 − Thursday 30-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Cybercriminals send malware in the name of DocuSign ∗∗∗
---------------------------------------------
Electronic signature services such as DocuSign have been popular, at the latest since the Covid-19 pandemic, for signing contracts or other documents quickly and easily. It is a trend that fraudsters are also picking up on: cybercriminals pose as DocuSign via e-mail in order to spread malware.
---------------------------------------------
https://www.watchlist-internet.at/news/cyberkriminelle-versenden-schadsoftw…
∗∗∗ International Fraud Prevention Month: Beware of dark patterns ∗∗∗
---------------------------------------------
March 2023 once again marks the international month for combating fraud ("ICPEN Fraud Prevention Month"). This year's focus topic is dark patterns. Dark patterns are misleading design elements and website layouts that try to lure users into making decisions that are not in their best interest. Find out here what dark patterns are, how to recognize them and how best to protect yourself!
---------------------------------------------
https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-…
∗∗∗ EDR Product Analysis of an Infostealer ∗∗∗
---------------------------------------------
As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer.
---------------------------------------------
https://asec.ahnlab.com/en/50685/
=====================
= Vulnerabilities =
=====================
∗∗∗ QNAP warns customers to patch Linux Sudo flaw in NAS devices ∗∗∗
---------------------------------------------
Taiwanese hardware vendor QNAP warns customers to secure their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qnap-warns-customers-to-patc…
∗∗∗ Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012 ∗∗∗
---------------------------------------------
Security risk: Moderately critical
Description: This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation. The module does not sufficiently sanitize some data presented in its reports.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-012
∗∗∗ CVE-2022-37734: graphql-java Denial-of-Service ∗∗∗
---------------------------------------------
graphql-java is the most popular GraphQL server written in Java. It was found to be vulnerable to DoS attacks through the directive overload. [..] The vulnerability was fixed in two stages. The first fix introduced a security control, whereas the second one targeted the root cause. The first fix is presented in the versions of graphql-java 19.0 and later, 18.3, and 17.4. The second fix has been applied in the version 20.1 [..]
---------------------------------------------
https://checkmarx.com/blog/cve-2022-37734-graphql-java-denial-of-service/
∗∗∗ Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability (CVE-2023-25076) ∗∗∗
---------------------------------------------
Talos discovered a remote code execution vulnerability that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code. Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available [..]
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-sniproxy-contain…
∗∗∗ X.org vulnerability and releases (CVE-2023-1393) ∗∗∗
---------------------------------------------
The X.Org project has announced a vulnerability in its X server and Xwayland. This issue can lead to local privilege elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. [..] That has led to the release of xorg-server 21.1.8, xwayland 22.1.9, and xwayland 23.1.1.
---------------------------------------------
https://lwn.net/Articles/927887/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server and xrdp), Fedora (mingw-python-certifi, mingw-python3, mingw-zstd, moodle, python-cairosvg, python-markdown-it-py, redis, xorg-x11-server, and yarnpkg), Slackware (mozilla and xorg), SUSE (grub2, ldb, samba, libmicrohttpd, python-Werkzeug, rubygem-rack, samba, sudo, testng, tomcat, webkit2gtk3, xorg-x11-server, xstream, and zstd), and Ubuntu (linux, linux-aws, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-aws-5.4, linux-azure-5.4, linux-gcp- linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, php-nette, and xorg-server, xorg-server-hwe-18.04, xwayland).
---------------------------------------------
https://lwn.net/Articles/927855/
∗∗∗ Synology-SA-23:02 Sudo ∗∗∗
---------------------------------------------
A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_02
∗∗∗ Popular PABX platform, 3CX Desktop App suffers supply chain attack ∗∗∗
---------------------------------------------
CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App).
---------------------------------------------
https://www.hackread.com/3cx-desktop-app-supply-chain-attack/
∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Hitachi Energy IEC 61850 MMS-Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01
∗∗∗ Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966998
∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959353
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959355
∗∗∗ IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967016
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967012
∗∗∗ CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967018
∗∗∗ CVE-2022-41723 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967026
∗∗∗ CVE-2022-41723 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967022
∗∗∗ Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967213
∗∗∗ CVE-2022-21426 may affect IBM SDK, Java Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967221
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967243
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty (CVE-2016-0378) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967241
∗∗∗ IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967283
∗∗∗ Vulnerabilities in PostgreSQL may affect IBM Spectrum Protect Plus (CVE-2022-2625, CVE-2022-1552, CVE-2021-3677) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967285
∗∗∗ A vulnerability in GNU Tar affects IBM MQ Operator and Queue manager container images (CVE-2022-48303) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966198
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 28-03-2023 18:00 − Wednesday 29-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ WiFi protocol flaw allows attackers to hijack network traffic ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-at…
∗∗∗ H26Forge: Majority of video decoders apparently systematically vulnerable ∗∗∗
---------------------------------------------
Bugs in video decoders repeatedly cause security vulnerabilities, up to and including zero days. Researchers now show a huge attack surface.
---------------------------------------------
https://www.golem.de/news/h26forge-mehrheit-der-video-decoder-wohl-systemat…
∗∗∗ Network Data Collector Placement Makes a Difference, (Tue, Mar 28th) ∗∗∗
---------------------------------------------
A previous diary [1] described processing some local PCAP data with Zeek. This data was collected using tcpdump on a DShield Honeypot. When looking at the Zeek connection logs, the connection state information was unexpected. To help understand why, we will compare data from different locations on the network and process the data in a similar way. This will help narrow down where the discrepancies might be coming from, or at least where they are not coming from.
---------------------------------------------
https://isc.sans.edu/diary/rss/29664
∗∗∗ MacStealer: Mac malware aims to steal passwords and crypto wallets ∗∗∗
---------------------------------------------
Malware offered cheaply on the dark web is said to extract sensitive data from Macs and transmit it to attackers via the messenger Telegram.
---------------------------------------------
https://heise.de/-8153293
∗∗∗ Remote PowerShell: Gateway for attacks on Exchange Online now with a grace period ∗∗∗
---------------------------------------------
Administrators have half a year longer before they have to say goodbye to their insecure PowerShell cmdlets for Exchange Online.
---------------------------------------------
https://heise.de/-8186790
∗∗∗ Criminals invent authorities such as "finanzaufsichtsbehoerde.com" for authority scams ∗∗∗
---------------------------------------------
To separate their victims from their money, criminals often resort to creative methods. Currently they are inventing authorities, for example on "finanzaufsichtsbehoerde.com" and "betrugsdezernat.com", or imitating real authorities and institutions. No matter what you are promised here, do not transmit any data and do not pay any money to such platforms!
---------------------------------------------
https://www.watchlist-internet.at/news/kriminelle-erfinden-behoerden-wie-fi…
∗∗∗ Spyware vendors use 0-days and n-days against popular platforms ∗∗∗
---------------------------------------------
[...] In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.
---------------------------------------------
https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-…
∗∗∗ Active Exploitation of IBM Aspera Faspex CVE-2022-47986 ∗∗∗
---------------------------------------------
Rapid7 is aware of at least one incident where a customer was compromised via CVE-2022-47986. We strongly recommend patching on an emergency basis.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/28/etr-active-exploitation-of-ibm-…
∗∗∗ New OpcJacker Malware Distributed via Fake VPN Malvertising ∗∗∗
---------------------------------------------
We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distri…
∗∗∗ On our own behalf: CERT.at is looking for reinforcements ∗∗∗
---------------------------------------------
For our daily routine tasks we are currently looking for 1 career starter or career changer with a strong interest in IT security to support us with the standard tasks that arise every day. Details can be found on our jobs page.
---------------------------------------------
https://cert.at/de/blog/2023/3/in-eigener-sache-certat-sucht-verstarkung-20…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19).
---------------------------------------------
https://lwn.net/Articles/927666/
∗∗∗ Multiple Vulnerabilities in Rocket Software UniRPC server (Fixed) ∗∗∗
---------------------------------------------
In early 2023, Rapid7 discovered several vulnerabilities in Rocket Software UniData UniRPC. We worked with the company to fix issues and coordinate this disclosure.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-roc…
∗∗∗ [R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2 ∗∗∗
---------------------------------------------
Arnie Cabral, Tue, 03/28/2023 - 11:10. Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components in use (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers.
---------------------------------------------
https://www.tenable.com/security/tns-2023-17
∗∗∗ Security Advisory 2023-02 for PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3 ∗∗∗
---------------------------------------------
Hello, Today we have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to a low severity security issue found. Please find the full text of the advisory below. The 4.6, 4.7 and 4.8 changelogs are available. The 4.6.6 (signature), 4.7.5 (signature) and 4.8.4 (signature) tarballs are available from our download server. Patches are available at patches.
---------------------------------------------
https://blog.powerdns.com/2023/03/29/security-advisory-2023-02-for-powerdns…
∗∗∗ IBM Security Bulletins 2023-03-29 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000133135: NGINX Agent vulnerability CVE-2023-1550 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133135
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.9.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/
∗∗∗ Buffer Overflow Vulnerabilities in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-02
∗∗∗ Buffer Overflow Vulnerability in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-03
∗∗∗ Vulnerabilities in QTS, QuTS hero, QuTScloud, and QVP ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-06
∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, QVP, and QVR ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-10
∗∗∗ Vulnerability in sudo ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-11
∗∗∗ Multiple Vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-23-15
∗∗∗ Sielco Analog FM Transmitter 2.12 id Cookie Brute Force Session Hijacking ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php
∗∗∗ Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php
∗∗∗ Sielco Analog FM Transmitter 2.12 Improper Access Control Change Admin Password ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php
∗∗∗ Sielco Analog FM Transmitter 2.12 Remote Privilege Escalation ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php
=====================
= End-of-Day report =
=====================
Timeframe: Monday 27-03-2023 18:00 − Tuesday 28-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New MacStealer macOS malware steals passwords from iCloud Keychain ∗∗∗
---------------------------------------------
A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware…
∗∗∗ Exchange Online to block emails from vulnerable on-prem servers ∗∗∗
---------------------------------------------
Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exchange-online-to-block-ema…
∗∗∗ Cybersecurity Challenges of Power Transformers ∗∗∗
---------------------------------------------
To the best of our knowledge, there is no study in the literature that systematically investigates the cybersecurity challenges against the newly emerged smart transformers. This paper addresses this shortcoming by exploring the vulnerabilities and the attack vectors of power transformers within electricity networks, the possible attack scenarios and the risks associated with these attacks.
---------------------------------------------
https://arxiv.org/abs/2302.13161
∗∗∗ OpenSSL 1.1.1 End of Life ∗∗∗
---------------------------------------------
We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take. [..] OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
---------------------------------------------
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
∗∗∗ The curl quirk that exposed Burp Suite & Google Chrome ∗∗∗
---------------------------------------------
Although this feature took us (and Chrome) by surprise, it is fully documented so we don't consider it to be a vulnerability in curl itself. It reminds me of server-side template injection, where a sandbox escape can be as easy as reading a manual page everyone else overlooked.
---------------------------------------------
https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp…
∗∗∗ Subscription trap on produkttester-werden.org ∗∗∗
---------------------------------------------
Produkttester-werden.org advertises the opportunity to test products regularly and free of charge and to receive up to 25 euros in expense allowance for doing so. However, as early as the initial registration, personal data including the IBAN is requested, a direct debit authorization is demanded, and a paid subscription is concluded via a hidden cost notice. We advise keeping your distance!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-auf-produkttester-werdenor…
∗∗∗ Emotet Being Distributed via OneNote ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document.
---------------------------------------------
https://asec.ahnlab.com/en/50564/
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple patches everything, including a zero-day fix for iOS 15 users ∗∗∗
---------------------------------------------
Got an older iPhone that can't run iOS 16? You've got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too.
---------------------------------------------
https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-includ…
∗∗∗ FortiOS / FortiProxy - Unauthenticated access to static files containing logging information (CVE-2022-41329) ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP or HTTPS GET requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-22-364
∗∗∗ OpenSSL Security Advisory: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) ∗∗∗
---------------------------------------------
Severity: Low
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. [..] Policy processing is disabled by default
---------------------------------------------
https://www.openssl.org/news/secadv/20230328.txt
∗∗∗ [webapps] Moodle LMS 4.0 - Cross-Site Scripting (XSS) ∗∗∗
---------------------------------------------
A Cross Site Scripting (XSS) vulnerability exists in Moodle, a free and open-source Learning Management System (LMS) written in PHP [..]
---------------------------------------------
https://www.exploit-db.com/exploits/51115
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dino-im and runc), Fedora (qemu), Red Hat (firefox), SUSE (chromium, containerd, docker, kernel, and systemd), and Ubuntu (graphicsmagick, linux-azure, linux-gcp, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and node-url-parse).
---------------------------------------------
https://lwn.net/Articles/927548/
∗∗∗ Cisco SD-WAN vManage Software Cluster Mode Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966410
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966400
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2022-31129, CVE-2022-24785 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966418
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-21252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966412
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966416
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2022-24999 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966420
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964836
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-3509, CVE-2022-3171) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966436
∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966428
∗∗∗ Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966084
∗∗∗ Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966434
∗∗∗ IBM Tivoli Netcool Impact is vulnerable to remote code execution from Apache Commons Net (CVE-2021-37533) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966438
∗∗∗ IBM Tivoli Netcool Impact is vulnerable to denial of service attack due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966440
∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966442
∗∗∗ IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966588
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-26281] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966600
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966602
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966604
∗∗∗ IBM App Connect Enterprise Certified Container images may be vulnerable to denial of service due to libarchive [CVE-2017-14166] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966610
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service due to [X-Force 247595] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966612
∗∗∗ IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966636
∗∗∗ There is a security vulnerability in snakeYAML used by IBM Maximo Data Loader (CVE-2022-41854) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966646
∗∗∗ There is a security vulnerability in TinyMCE used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-23494) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966644
∗∗∗ Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-2047] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966652
=====================
= End-of-Day report =
=====================
Timeframe: Friday 24-03-2023 18:00 − Monday 27-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Guidance for investigating attacks using CVE-2023-23397 ∗∗∗
---------------------------------------------
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-inves…
∗∗∗ WooCommerce Credit Card Skimmer Reveals Tampered Plugin ∗∗∗
---------------------------------------------
Disclaimer: The malware infection described in this article does not affect the software plugin as a whole and does not indicate any vulnerabilities or security flaws within WooCommerce or any associated WooCommerce plugin extensions. Overall they are both robust and secure payment platforms that are perfectly safe to use. Instead, this article highlights the importance of maintaining good security posture and keeping environments locked down to prevent tampering from threat actors.
---------------------------------------------
https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-plugin…
∗∗∗ Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues Affecting Multiple Cisco Products ∗∗∗
---------------------------------------------
On March 27, 2023, the research paper Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues was made public. This paper discusses vulnerabilities in the 802.11 standard that could allow an attacker to spoof a targeted wireless client and redirect frames that are present in the transmit queues in an access point to an attacker-controlled device. This attack is seen as an opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Visual Signature Spoofing in PDFs ∗∗∗
---------------------------------------------
Visual Signature Spoofing was partially successful in forging signed documents. Due to the limited support of JavaScript in the other PDF applications, it was only possible to create visual signature spoofs for Adobe Acrobat Reader DC. Other PDF applications may also become vulnerable in the future if they add support for the necessary JavaScript functions.
---------------------------------------------
https://sec-consult.com/blog/detail/visual-signature-spoofing-in-pdfs/
∗∗∗ Using an Undocumented Amplify API to Leak AWS Account IDs ∗∗∗
---------------------------------------------
In a previous blog post I mentioned that I was getting back into AWS vulnerability research in my free time. I’ve been taking a closer look at undocumented AWS APIs, trying to find hidden functionality that may be useful for an attacker or cross tenant boundaries. [...] I reported this API to AWS who responded that it did not “represent a security issue”, however, 3 days later, the API was disabled.
---------------------------------------------
https://frichetten.com/blog/undocumented-amplify-api-leak-account-id/
∗∗∗ Microsoft distributes security update for Windows Snipping Tool ∗∗∗
---------------------------------------------
Microsoft has released an out-of-band security update. It is intended to fix a vulnerability in the Windows Snipping Tool, the screenshot app built into Windows 10 and Windows 11. Similar to what recently happened on Android, the tool does not completely remove "deleted" areas of cropped screenshots, so they can be restored afterwards.
---------------------------------------------
https://www.zdnet.de/88408044/microsoft-verteilt-sicherheitsupdate-fuer-win…
∗∗∗ Deprecation of Remote PowerShell in Exchange Online – Re-enabling or Extending RPS support ∗∗∗
---------------------------------------------
PowerShell (PS) cmdlets in Exchange Online use Remote PowerShell (RPS) for client to server communication. Unfortunately, RPS is legacy technology that is outdated and can pose security risks. As such, we recommend all customers move to the new more secure REST-based v3 PowerShell module, which will help us improve security – together.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-re…
∗∗∗ OneNote Embedded URL Abuse ∗∗∗
---------------------------------------------
Whilst Microsoft is fixing the embedded files feature in OneNote I decided to abuse a whole other feature. Embedded URLs. Turns out this is something they may also have to fix.
---------------------------------------------
https://blog.nviso.eu/2023/03/27/onenote-embedded-url-abuse/
∗∗∗ Rhadamanthys: The “Everything Bagel” Infostealer ∗∗∗
---------------------------------------------
Key Takeaways:
* Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.
* A maximalist approach to features: functionality is added for its own sake, never mind the effort required or expected payoff.
* Campaigns by default target countries indiscriminately, excluding the commonwealth of independent states. This is typical of this kind of malware.
* Multiple-stage loader/shellcode execution has been researched in prior publications and has made it difficult to reach a proper interactive disassembly workflow with the actual information-stealing logic.
---------------------------------------------
https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-info…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Cloud Management for Catalyst migration feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root-level privileges on an affected device. This vulnerability is due to insufficient memory protection in the Cisco IOS XE Meraki migration feature of an affected device. An attacker could exploit this vulnerability by modifying the Meraki registration parameters. A successful exploit could allow the attacker to elevate privileges to root.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ABB RCCMD – Use of default password (CVE-2022-4126) ∗∗∗
---------------------------------------------
A software update is available that resolves a privately reported vulnerability [...] An attacker who successfully exploited this vulnerability could take control of the computer the software runs on and possibly insert and run arbitrary code.
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=2CMT0…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice and xen), Fedora (chromium, curl, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), Slackware (tar), SUSE (apache2, ceph, curl, dpdk, helm, libgit2, and php7), and Ubuntu (firefox and thunderbird).
---------------------------------------------
https://lwn.net/Articles/927451/
∗∗∗ baserCMS vulnerable to arbitrary file uploads ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN61105618/
∗∗∗ IBM Security Bulletins 2023-03-25 - 2023-03-27 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 23-03-2023 18:00 − Friday 24-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites ∗∗∗
---------------------------------------------
Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.
---------------------------------------------
https://thehackernews.com/2023/03/critical-woocommerce-payments-plugin.html
∗∗∗ GitHub publishes RSA SSH host keys by mistake, issues update ∗∗∗
---------------------------------------------
Getting connection failures? Don't panic. Get new keys. GitHub has updated its SSH keys after accidentally publishing the private part to the world. Whoops.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/03/24/github_chang…
∗∗∗ ChinaZ DDoS Bot Malware Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the ChinaZ DDoS Bot malware being installed on inadequately managed Linux SSH servers. [..] The threat group most likely scanned port 22, the area where SSH services operate, before finding an active SSH service and performing a dictionary attack using commonly used SSH account credentials.
---------------------------------------------
https://asec.ahnlab.com/en/50316/
∗∗∗ Hacking AI: System and Cloud Takeover via MLflow Exploit ∗∗∗
---------------------------------------------
Protect AI tested the security of MLflow and found a combined Local File Inclusion/Remote File Inclusion vulnerability which can lead to a complete system or cloud provider takeover. Organizations running an MLflow server are urged to update to the latest release immediately.
---------------------------------------------
https://protectai.com/blog/hacking-ai-system-takeover-exploit-in-mlflow
∗∗∗ JavaScript runtime: Deno 1.32 closes critical security vulnerability ∗∗∗
---------------------------------------------
The JS runtime Deno 1.32 delivers further improvements for compatibility with Node.js and new features for the deno compile command.
---------------------------------------------
https://heise.de/-7971810
∗∗∗ CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections ∗∗∗
---------------------------------------------
The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.
---------------------------------------------
https://www.securityweek.com/cisa-ships-untitled-goose-tool-to-hunt-for-mic…
∗∗∗ APT attacks on industrial organizations in H2 2022 ∗∗∗
---------------------------------------------
This summary provides an overview of APT attacks on industrial enterprises and activity of groups that have been observed attacking industrial organizations and critical infrastructure facilities.
---------------------------------------------
https://ics-cert.kaspersky.com/publications/apt-attacks-on-industrial-organ…
∗∗∗ Outlook vulnerability CVE-2023-23397 not fully patched – hardening required ∗∗∗
---------------------------------------------
One more brief addendum to the March 2023 Patch Tuesday. On March 14, 2023, Microsoft did provide a security update for the critical RCE vulnerability CVE-2023-23397 in Outlook. But the patch is incomplete; the attack can still be triggered with slightly modified emails. And a proof of concept is now public that demonstrates how the vulnerability is exploited.
---------------------------------------------
https://www.borncity.com/blog/2023/03/24/outlook-schwachstelle-cve-2023-233…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the implementation of the Cisco Network Plug-and-Play (PnP) agent of Cisco DNA Center could allow an authenticated, remote attacker to view sensitive information in clear text. The attacker must have valid low-privileged user credentials. This vulnerability is due to improper role-based access control (RBAC) with the integration of PnP. An attacker could exploit this vulnerability by authenticating to the device and sending a query to an internal API.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libdatetime-timezone-perl, and tzdata), Fedora (flatpak and gmailctl), Mageia (firefox, flatpak, golang, gssntlmssp, libmicrohttpd, libtiff, python-flask-security, python-owslib, ruby-rack, thunderbird, unarj, and vim), Red Hat (firefox, kpatch-patch, nss, openssl, and thunderbird), SUSE (containerd, hdf5, qt6-base, and squirrel), and Ubuntu (amanda, gif2apng, graphviz, and linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi).
---------------------------------------------
https://lwn.net/Articles/927198/
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-003
∗∗∗ ELECOM WAB-MAT registers its windows service executable with an unquoted file path ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN35246979/
∗∗∗ TADDM is vulnerable to a denial of service vulnerability in Apache-Log4j (CVE-2023-26464) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965790
∗∗∗ IBM Tivoli Application Dependency Discovery Manager is vulnerable to a bypass vulnerability due to the use of Python (CVE-2023-24329) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965792
∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965612
∗∗∗ Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965816
∗∗∗ Stored SMB credentials may allow access to vSnap after oracle backup in IBM Spectrum Protect Plus for Db2 and Oracle (CVE-2023-27863) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965812
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965822
∗∗∗ Multiple vulnerabilities in Java affect IBM Robotic Process Automation for Cloud Pak which may result in a denial of service (CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965846
∗∗∗ A vulnerability in Luxon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-22467) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965848
∗∗∗ Multiple vulnerabilities in IBM Content Navigator may affect IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965908
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 22-03-2023 18:00 − Thursday 23-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Developing an incident response playbook ∗∗∗
---------------------------------------------
Incident response playbooks help optimize the SOC processes, and are a major step forward to SOC maturity, but can be challenging for a company to develop. In this article, I want to share some insights on how to create the (almost) perfect playbook.
---------------------------------------------
https://securelist.com/developing-an-incident-response-playbook/109145/
∗∗∗ Cropping and Redacting Images Safely, (Thu, Mar 23rd) ∗∗∗
---------------------------------------------
The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images. [..] Here are some approaches to make image redaction safer. But please use them with caution.
---------------------------------------------
https://isc.sans.edu/diary/rss/29666
∗∗∗ German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics ∗∗∗
---------------------------------------------
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes.
---------------------------------------------
https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html
∗∗∗ AIIPot: Adaptive Intelligent-Interaction Honeypot for IoT Devices ∗∗∗
---------------------------------------------
In this paper, we propose a honeypot for IoT devices that uses machine learning techniques to learn and interact with attackers automatically. The evaluation of the proposed model indicates that our system can improve the session length with attackers and capture more attacks on the IoT network.
---------------------------------------------
https://arxiv.org/abs/2303.12367
∗∗∗ Memory Forensics R&D Illustrated: Detecting Hidden Windows Services ∗∗∗
---------------------------------------------
To begin the series, this post discusses a new detection technique for hidden services on Windows 7 through 11. Since not all readers will be familiar with hidden services and the danger they pose on live systems, we will start with some brief background.
---------------------------------------------
https://volatility-labs.blogspot.com/2023/03/memory-forensics-r-d-illustrat…
∗∗∗ Malicious Actors Use Unicode Support in Python to Evade Detection ∗∗∗
---------------------------------------------
Phylum’s automated platform recently detected the onyxproxy package on PyPI, a malicious package that harvests and exfiltrates credentials and other sensitive data. In many ways, this package typifies other token stealers that we have found prevalent in PyPI. However, one feature of this particular package caught our eye: an obfuscation technique that was foreseen in 2007 during a discussion about Python’s support for Unicode [..]
---------------------------------------------
https://blog.phylum.io/malicious-actors-use-unicode-support-in-python-to-ev…
∗∗∗ Joomla! CVE-2023-23752 to Code Execution ∗∗∗
---------------------------------------------
On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. [..] disclosure was followed by a stream of exploits hitting GitHub, and multiple indicators of exploitation in the wild. The public exploits focus on leaking the victim’s MySQL database credentials – an unexciting prospect (we thought), because exposing the database to the internet is a dangerous misconfiguration. Nonetheless, attackers seemed interested in the vulnerability, so we sought to find out why.
---------------------------------------------
https://vulncheck.com/blog/joomla-for-rce
∗∗∗ False alarm: Microsoft Defender warning about disabled protection is misleading ∗∗∗
---------------------------------------------
On Windows 11, Microsoft Defender reports on many systems that protection by the "Local Security Authority" is disabled. This is a false alarm.
---------------------------------------------
https://heise.de/-7659972
∗∗∗ Technical Guideline on Public Key Infrastructures for Technical Security Devices published ∗∗∗
---------------------------------------------
On 23 March 2023, the BSI published the new Technical Guideline BSI TR-03145-5 for the secure operation of a public key infrastructure for technical security devices.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023) ∗∗∗
---------------------------------------------
Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..]
---------------------------------------------
https://www.wordfence.com/blog/2023/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Pack it Secretly: Earth Preta’s Updated Stealthy Strategies ∗∗∗
---------------------------------------------
After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were being used by Earth Preta. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by the threat actor.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy…
=====================
= Vulnerabilities =
=====================
∗∗∗ Antivirus: Malwarebytes allows privilege escalation ∗∗∗
---------------------------------------------
Malwarebytes' antivirus software allows attackers to delete arbitrary files or escalate their privileges on the system. An update closes the vulnerability.
---------------------------------------------
https://heise.de/-7674565
∗∗∗ Security vulnerability: Attackers could compromise Aruba switches (CVE-2023-1168) ∗∗∗
---------------------------------------------
Certain Aruba switches are vulnerable due to a security flaw. Admins should secure their devices now.
The flaw affects the Network Analytics Engine. There, an authenticated attacker could mount a malicious-code attack to fully compromise devices. How an attack might proceed is not yet known.
---------------------------------------------
https://heise.de/-7658264
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, nss, and openssl), Fedora (firefox, liferea, python-cairosvg, and tar), Oracle (openssl and thunderbird), Scientific Linux (firefox, nss, and openssl), SUSE (container-suseconnect, grub2, libplist, and qemu), and Ubuntu (amanda, apache2, node-object-path, and python-git).
---------------------------------------------
https://lwn.net/Articles/926972/
∗∗∗ VARTA: Multiple devices prone to hard-coded credentials (CVE-2022-22512) ∗∗∗
---------------------------------------------
VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-061/
∗∗∗ Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation ∗∗∗
---------------------------------------------
Solution: Users must check their program version by following the steps below and update their program to the latest version (versions 8.0.23.215 or above).
– Service operator: Replace with the latest version through MLsoft
– Service user: Updated automatically when the operator switches to the latest version
---------------------------------------------
https://asec.ahnlab.com/en/50213/
∗∗∗ SAUTER EY-modulo 5 Building Automation Stations ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-03
∗∗∗ RoboDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-01
∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-04
∗∗∗ CP Plus KVMS Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-02
∗∗∗ ABB Pulsar Plus Controller ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-05
∗∗∗ ProPump and Controls Osprey Pump Controller ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06
∗∗∗ IBM Integration Bus is vulnerable to a remote attack & denial of service due to Apache Thrift & Apache Commons Codec (CVE-2018-1320, CVE-2019-0205, IBM X-Force ID: 177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965298
∗∗∗ IBM Watson CloudPak for Data Data Stores are vulnerable to web pages stored locally which can be read by another user on the system ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965446
∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to allowing a user with physical access and specific knowledge of the system to modify files or data on the system. (CVE-2023-26282) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965452
∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to an attacker with specific knowledge about the system to manipulate data due to improper input validation (CVE-2023-28512) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965456
∗∗∗ Security Bulletin: Watson CP4D Data Stores for Cloud Pak for Data does not encrypt sensitive information before storage or transmission (CVE-2023-27291) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965458
∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965612
∗∗∗ Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965698
∗∗∗ WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965702
∗∗∗ A vulnerability has been identified in IBM Spectrum Scale Data Access Services (DAS) which can cause denial of service. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964532
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965732
∗∗∗ Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963786
∗∗∗ Stored cross-site vulnerability when performing a document upload using Responsive Document Explorer affect IBM Business Automation Workflow - CVE-2023-24957 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965776
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 21-03-2023 18:00 − Wednesday 22-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ PoC exploits released for Netgear Orbi router vulnerabilities ∗∗∗
---------------------------------------------
Proof-of-concept exploits for vulnerabilities in Netgear's Orbi 750 series router and extender satellites have been released, with one flaw a critical severity remote command execution bug.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-ne…
∗∗∗ Windows Snipping Tool vulnerable to "Acropalypse" ∗∗∗
---------------------------------------------
Earlier this week, a flaw dubbed "Acropalypse" in the screenshot tool of Google Pixel phones became known. The Windows 11 Snipping Tool behaves the same way.
---------------------------------------------
https://heise.de/-7619561
∗∗∗ Cyber security for management ∗∗∗
---------------------------------------------
The internationally published handbook "Management von Cyber-Risiken" (Managing Cyber Risks), developed by the BSI in cooperation with the Internet Security Alliance, is receiving an extensive update.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Blackmail Roulette: The Risks of Electronic Shelf Labels for Retail and Critical Infrastructure ∗∗∗
---------------------------------------------
During our research, we analyzed the unknown micro-controller (MCU) of the SUNY ESL tag, which is a common Chinese ESL tag vendor, gained debug access and reverse engineered the proprietary 433 MHz radio-frequency (RF) protocol. As no authentication is used, we were able to update any ESL tag within RF range with arbitrary content.
---------------------------------------------
https://sec-consult.com/blog/detail/blackmail-roulette-the-risks-of-electro…
∗∗∗ Extortion email: "I know about your sexual interest in small children" ∗∗∗
---------------------------------------------
We are currently receiving an increasing number of reports of an extortion email in which recipients are accused of having sexual interests in children. Allegedly, a program was downloaded while watching porn that activated the camera and filmed the person masturbating. This video will supposedly be distributed unless bitcoins are transferred within a week. All of it is made up! Delete this email; it is a fake.
---------------------------------------------
https://www.watchlist-internet.at/news/erpressungsmail-ich-weiss-von-ihrem-…
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components) ∗∗∗
---------------------------------------------
The extension is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2023-003
∗∗∗ Java platform: Critical vulnerability in VMware Tanzu Spring Framework fixed ∗∗∗
---------------------------------------------
Two vulnerabilities threaten the Spring Framework. One flaw is rated critical. Updates that close the security hole are available.
---------------------------------------------
https://heise.de/-7614914
∗∗∗ Web browser: Chrome update seals eight security vulnerabilities ∗∗∗
---------------------------------------------
The Chrome web browser closes eight security vulnerabilities with updates. Attackers can use them, for example, to smuggle in malicious code via manipulated web pages.
---------------------------------------------
https://heise.de/-7611326
∗∗∗ OpenSSL Security Advisory: Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) ∗∗∗
---------------------------------------------
Severity: Low
A security vulnerability has been identified in all supported versions
of OpenSSL related to the verification of X.509 certificate chains
that include policy constraints. [..] Policy processing is disabled by default
---------------------------------------------
https://www.openssl.org/news/secadv/20230322.txt
∗∗∗ Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites).
---------------------------------------------
https://www.wordfence.com/blog/2023/03/multiple-reflected-cross-site-script…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox), Oracle (kernel, kernel-container, and nss), and SUSE (curl, dpdk, drbd, go1.18, kernel, openstack-cinder, openstack-glance, openstack-neutron-gbp, openstack-nova, python-oslo.utils, oracleasm, python3, slirp4netns, and xen).
---------------------------------------------
https://lwn.net/Articles/926843/
∗∗∗ [R1] Tenable.sc Version 6.1.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Tenable.sc 6.1.0 updates Apache to version 2.4.56 and PHP to 8.1.16 to address the identified vulnerabilities.
---------------------------------------------
https://www.tenable.com/security/tns-2023-16
∗∗∗ CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures ∗∗∗
---------------------------------------------
Rapid7 has discovered three security concerns in CloudPanel from MGT-COMMERCE, a self-hosted web administration solution.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-clou…
∗∗∗ Cisco Access Point Software Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Web UI Path Traversal Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco SD-WAN vManage Software Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE SD-WAN Software Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco DNA Center Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Adaptive Security Appliance Software, Firepower Threat Defense Software, IOS Software, and IOS XE Software IPv6 DHCP (DHCPv6) Client Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Low-Entropy Keys Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Access Point Software Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Access Point Software Association Request Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964832
∗∗∗ Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964844
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964836
∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964854
∗∗∗ IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2022-43863) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964862
∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6612805
∗∗∗ IBM Workload Scheduler is vulnerable to XML External Entity Injection (XXE) attack ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6890697
=====================
= End-of-Day report =
=====================
Timeframe: Monday 20-03-2023 18:00 − Tuesday 21-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 11 bug warns Local Security Authority protection is off ∗∗∗
---------------------------------------------
Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-…
∗∗∗ From Phishing Kit To Telegram... or Not!, (Mon, Mar 20th) ∗∗∗
---------------------------------------------
Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns!
---------------------------------------------
https://isc.sans.edu/diary/rss/29650
∗∗∗ Google Cloud Log Extraction ∗∗∗
---------------------------------------------
In this blog post, we review the methods through which we can extract logs from Google Cloud.
---------------------------------------------
https://www.sans.org/blog/google-cloud-log-extraction/
∗∗∗ Find Threats in Event Logs with Hayabusa ∗∗∗
---------------------------------------------
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable.
---------------------------------------------
https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusa
∗∗∗ Black Angel Rootkit ∗∗∗
---------------------------------------------
Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality. Designed for Red Teams.
---------------------------------------------
https://github.com/XaFF-XaFF/Black-Angel-Rootkit
∗∗∗ Linux auditd for Threat Detection [Final] ∗∗∗
---------------------------------------------
The focus of this article will be to describe what behaviors allow for which events to be recorded by auditd. Additionally, you will see where auditd is not capable of recording certain events, despite verbose settings.
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d51737…
∗∗∗ Nexus: a new Android botnet? ∗∗∗
---------------------------------------------
In January 2023, a new Android banking trojan appeared on multiple hacking forums under the name of Nexus. However, Cleafy’s Threat Intelligence & Response Team traced the first Nexus infections way before the public announcement in June 2022.
---------------------------------------------
https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet
∗∗∗ Mitigating SSRF in 2023 ∗∗∗
---------------------------------------------
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick a server-side application to make a request to an unintended location. SSRF, unlike most other specific vulnerabilities, has gained its own spot on the OWASP Top 10 2021. This reflects both how common and how impactful this type of vulnerability has become.
---------------------------------------------
https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/
∗∗∗ Malicious NuGet Packages Used to Target .NET Developers ∗∗∗
---------------------------------------------
Software developers have been targeted in a new attack via malicious packages in the NuGet repository.
---------------------------------------------
https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-de…
∗∗∗ Warning: Fraudulent calls about Eurojackpot winnings! ∗∗∗
---------------------------------------------
Beware of supposed prize notifications by phone call, email, post and social media in the name of Eurojackpot. Criminals pose as the lottery and claim that you have won money. Subsequently, you are asked to pay money in advance in order to receive the payout.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-betruegerische-anrufe-zu-eur…
∗∗∗ Patch CVE-2023-23397 Immediately: What You Need To Know and Do ∗∗∗
---------------------------------------------
We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immedia…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc).
---------------------------------------------
https://lwn.net/Articles/926759/
∗∗∗ XSA-429 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-429.html
∗∗∗ XSA-428 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-428.html
∗∗∗ XSA-427 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-427.html
∗∗∗ Keysight N6845A Geolocation Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-01
∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02
∗∗∗ VISAM VBASE Automation Base ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05
∗∗∗ Siemens RUGGEDCOM APE1808 Product Family ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-03
∗∗∗ Rockwell Automation ThinManager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-22-080-06
∗∗∗ Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-wellintech-ics-p…
∗∗∗ Spring Vault 3.0.2 and 2.3.3 fix CVE-2023-20859 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-vault-3-0-2-and-2-3-3-fix-cve-2023…
∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Moment CVE-2023-22467 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964588
∗∗∗ A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852651
∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964694
∗∗∗ IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963662
∗∗∗ Vulnerability in Apache Commons FileUpload library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964742
∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964752
∗∗∗ Multiple vulnerabilities of Mozilla Firefox ESR have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964754
=====================
= End-of-Day report =
=====================
Timeframe: Friday 17-03-2023 18:00 − Monday 20-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks ∗∗∗
---------------------------------------------
A new malware botnet was discovered targeting Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into DDoS (distributed denial of service) swarm with the potential for massive attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-l…
∗∗∗ Google: Edited Pixel screenshots can be restored ∗∗∗
---------------------------------------------
Anyone who obscures parts of screenshots relies on them staying that way. On Pixel smartphones, this has not been the case until now.
---------------------------------------------
https://www.golem.de/news/google-bearbeitete-pixel-screenshots-lassen-sich-…
∗∗∗ Ransomware: Emotet returns – as a OneNote email attachment ∗∗∗
---------------------------------------------
The sophisticated malware Emotet is active again. It finds its way into potential victims' email inboxes in the form of malicious OneNote files.
---------------------------------------------
https://heise.de/-7551285
∗∗∗ Malware scheme: Acrobat Sign service abused to slip in malware ∗∗∗
---------------------------------------------
Avast has observed a new scheme with which cybercriminals tried to foist malware on victims. To do so, they abuse the Adobe Sign service.
---------------------------------------------
https://heise.de/-7557288
∗∗∗ Researchers Shed Light on CatB Ransomware's Evasion Techniques ∗∗∗
---------------------------------------------
The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities.
---------------------------------------------
https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html
∗∗∗ Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research ∗∗∗
---------------------------------------------
In this blog post, we’ll share some of our latest research into bypassing CloudTrail. We’ll cover a method that allowed CloudTrail bypass with both read and write API actions for the Service Catalog service. This now-fixed vulnerability is noteworthy, because it was the first publicly known CloudTrail bypass that could permit an attacker to alter an AWS environment.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-c…
∗∗∗ IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole ∗∗∗
---------------------------------------------
In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
---------------------------------------------
https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyh…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal vulnerability could allow attackers to take over systems ∗∗∗
---------------------------------------------
The US cybersecurity agency CISA warns of a vulnerability in the content management system Drupal. Attackers could hijack vulnerable systems.
---------------------------------------------
https://heise.de/-7550599
∗∗∗ OpenSSH 9.3 plugs security leaks ∗∗∗
---------------------------------------------
The OpenSSH developers have released version 9.3 of the encryption suite. It closes security vulnerabilities and fixes minor bugs.
---------------------------------------------
https://heise.de/-7550738
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim).
---------------------------------------------
https://lwn.net/Articles/926636/
∗∗∗ IBM Security Bulletins 2023-03-20 ∗∗∗
---------------------------------------------
* Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930)
* Watson AI Gateway for Cloud Pak for Data is vulnerable to an OpenSSL denial of service caused by a type confusion error (CVE-2023-0286)
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly authorized password changes
* Watson AI Gateway for Cloud Pak for Data is vulnerable to Ansible Runner code execution and could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper shell escaping of the shell command.
* IBM Aspera Faspex can be vulnerable to improperly authorized password changes
* Vulnerability in EFS affects AIX (CVE-2021-29861)
* Vulnerability in libc affects AIX (CVE-2021-29860)
* Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)
* Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
* A denial of service vulnerability in JDOM affects IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2021-33813)
* Vulnerabilities in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)
* Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4
* Vulnerability in Node.js affects IBM Voice Gateway
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes
* Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925)
* Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Workload Scheduler.
* IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Spring Framework 5.2.23 fixes cve-2023-20861 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-framework-5-2-23-fixes-cve-2023-20…
∗∗∗ Spring Framework 6.0.7 and 5.3.26 fix cve-2023-20860 and cve-2023-20861 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 16-03-2023 18:00 − Friday 17-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Adobe Acrobat Sign abused to push Redline info-stealing malware ∗∗∗
---------------------------------------------
Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to…
∗∗∗ Hitachi Energy confirms data breach after Clop GoAnywhere attacks ∗∗∗
---------------------------------------------
Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a GoAnywhere zero-day vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data…
∗∗∗ How to Google Dork a Specific Website for Hacking ∗∗∗
---------------------------------------------
You might pride yourself on being savvy in cyber security but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools.
---------------------------------------------
https://www.stationx.net/how-to-google-dork-a-specific-website/
∗∗∗ Chaos Malware Quietly Evolves Persistence and Evasion Techniques ∗∗∗
---------------------------------------------
The name Chaos is being used for a ransomware strain, a remote access trojan (RAT), and now a DDoS malware variant too. Talk about chaos! In this case, Sysdig’s Threat Research Team captured attacks using the Chaos variant of the Kaiji botnet malware. There is very little reported information on this malware since September 2022, perhaps because of the unfortunately chaotic naming, or simply because it is relatively new.
---------------------------------------------
https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/
∗∗∗ Free decryptor released for Conti-based ransomware following data leak ∗∗∗
---------------------------------------------
Security researchers have released a new decryption tool that should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free.
---------------------------------------------
https://www.tripwire.com/state-of-security/free-decryptor-released-conti-ba…
∗∗∗ Phishing wave: Beware of fake Disney+ emails ∗∗∗
---------------------------------------------
Have you received an email in which Disney+ informs you that a payment has failed? Delete the message or move it to the spam folder – it is a phishing attempt! The emails are being sent out en masse with the subject „Aussetzung Ihres Disney+ Kontos“ ("Suspension of your Disney+ account") or „Sperrung Ihres Disney+ Kontos“ ("Blocking of your Disney+ account")!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-welle-vorsicht-vor-fake-dis…
∗∗∗ #StopRansomware: LockBit 3.0 ∗∗∗
---------------------------------------------
This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
∗∗∗ Windows 10/11: Microsoft releases script for the WinRE BitLocker bypass fix ∗∗∗
---------------------------------------------
Since November 2022 it has been known that there is a BitLocker bypass vulnerability, CVE-2022-41099, in the Windows Recovery Environment (WinRE). Patching, however, is anything but simple.
---------------------------------------------
https://www.borncity.com/blog/2023/03/17/windows-10-11-microsoft-verffentli…
∗∗∗ ShellBot Malware Being Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.
---------------------------------------------
https://asec.ahnlab.com/en/49769/
∗∗∗ Debugging D-Link: Emulating firmware and hacking hardware ∗∗∗
---------------------------------------------
GreyNoise researchers explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface.
---------------------------------------------
https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacki…
=====================
= Vulnerabilities =
=====================
∗∗∗ Exynos: Google finds severe zero-days in Samsung chips ∗∗∗
---------------------------------------------
The affected devices can be hacked over the internet, including smartphones from Samsung, Google and Vivo as well as wearables and cars.
---------------------------------------------
https://www.golem.de/news/exynos-google-findet-schwerwiegende-zero-days-in-…
∗∗∗ Honeywell OneWireless Wireless Device Manager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06
∗∗∗ Rockwell Automation Modbus TCP AOI Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-07
∗∗∗ Omron CJ1M PLC ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-01
∗∗∗ AVEVA Plant SCADA and AVEVA Telemetry Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-04
∗∗∗ Autodesk FBX SDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-02
∗∗∗ [R1] Sensor Proxy Version 1.0.7 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-15
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957836
∗∗∗ IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6555376
∗∗∗ InfoSphere Identity Insight vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963974
∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956237
∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964166
∗∗∗ Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963640
∗∗∗ Vulnerability in Java SE may affect IBM Spectrum Protect Operations Center (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963642
∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Node.js Angular (CVE-2022-25844) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964174
∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Apache commons-fileupload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964176
∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847947
∗∗∗ AIX is vulnerable to a denial of service due to lpd (CVE-2022-43382) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848309
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 15-03-2023 18:00 − Thursday 16-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ CVE-2023-23397 - the (interesting) devil is in the details ∗∗∗
---------------------------------------------
As a rule, we do not publish warnings about vulnerabilities that the vendor fixes as part of a regular patch cycle. The motivation behind this is that we regard our warnings as a tool for bringing information about critical vulnerabilities to the respective recipients with the appropriate urgency. Accordingly, we decide relatively conservatively what we warn of or about, so as not to dilute their effect. But, as so often, exceptions prove the rule [...]
---------------------------------------------
https://cert.at/de/blog/2023/3/cve-2023-23397-der-teufel-steckt-im-detail
∗∗∗ CISA warns of Adobe ColdFusion bug exploited as a zero-day ∗∗∗
---------------------------------------------
CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusi…
∗∗∗ Winter Vivern APT hackers use fake antivirus scans to install malware ∗∗∗
---------------------------------------------
An advanced hacking group named Winter Vivern targets European government organizations and telecommunication service providers to conduct espionage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winter-vivern-apt-hackers-us…
∗∗∗ BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion ∗∗∗
---------------------------------------------
The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.
---------------------------------------------
https://www.darkreading.com/risk/bianlian-ransomware-pivots-encryption-pure…
∗∗∗ Simple Shellcode Dissection, (Thu, Mar 16th) ∗∗∗
---------------------------------------------
Most people will never execute a suspicious program or “executable”. Also, most of them cannot be delivered directly via email. Most antispam and antivirus solutions block them. But, then, how could people be so easily infected? I’ll explain with the help of a file I found in a phishing campaign.
---------------------------------------------
https://isc.sans.edu/diary/rss/29642
∗∗∗ Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency ∗∗∗
---------------------------------------------
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
---------------------------------------------
https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html
∗∗∗ SSRF Cross Protocol Redirect Bypass ∗∗∗
---------------------------------------------
Server Side Request Forgery (SSRF) is a fairly known vulnerability with established prevention methods. So imagine my surprise when I bypassed an SSRF mitigation during a routine retest. Even worse, I have bypassed a filter that we have recommended ourselves!
---------------------------------------------
https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html
∗∗∗ Fake WhatsApp and Telegram apps on the hunt for crypto wallets ∗∗∗
---------------------------------------------
ESET researchers analyzed Android and Windows clippers that can manipulate instant messages and use OCR to steal cryptocurrency.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/03/16/falsche-whatsapp-und-tele…
∗∗∗ Bee-Ware of Trigona, An Emerging Ransomware Strain ∗∗∗
---------------------------------------------
Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.
---------------------------------------------
https://unit42.paloaltonetworks.com/trigona-ransomware-update/
∗∗∗ DotRunpeX – demystifying new virtualized .NET injector used in the wild ∗∗∗
---------------------------------------------
https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized…
=====================
= Vulnerabilities =
=====================
∗∗∗ Web conferencing: High-risk vulnerabilities in Zoom ∗∗∗
---------------------------------------------
The developers have closed several vulnerabilities in the online conferencing software Zoom. Some are rated high-risk and could allow code injection.
---------------------------------------------
https://heise.de/-7547291
∗∗∗ Critical flaw in SSL VPN gateway from Array Networks ∗∗∗
---------------------------------------------
The SSL VPN gateways from Array Networks have a critical vulnerability. Attackers could inject code from the network without authentication.
---------------------------------------------
https://heise.de/-7548009
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and pcre2), Oracle (nss), Red Hat (kpatch-patch and nss), SUSE (java-11-openjdk, kernel, and python310), and Ubuntu (emacs24, ffmpeg, firefox, imagemagick, libphp-phpmailer, librecad, and openjpeg2).
---------------------------------------------
https://lwn.net/Articles/926289/
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-004
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-003
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-002
∗∗∗ Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-011
∗∗∗ Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-010
∗∗∗ Multiple vulnerabilities within OpenSSL and Node.js affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963634
∗∗∗ EBICs client of IBM Sterling B2B Integrator vulnerable to multiple issues due to Dojo Toolkit ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963652
∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963650
∗∗∗ IBM Watson Assistant for Cloud Pak for Data is affected by vulnerabilities in Pallets Werkzeug ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963668
∗∗∗ IBM Aspera Faspex can be vulnerable to improperly authorized password changes ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963662
∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955067
∗∗∗ Vulnerability in PyPI cryptography and Python may affect IBM Spectrum Protect Plus File Systems Agent (CVE-2023-23931, CVE-2023-0286, CVE-2023-24329) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957718
∗∗∗ Vulnerabilities in Linux Kernel may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963936
∗∗∗ Multiple Vulnerabilities in Intel Firmware affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6611963
∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963940
∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963942
∗∗∗ Vulnerabilities in Golang Go and Java SE might affect IBM Spectrum Copy Data Management (CVE-2022-41717, CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960739
∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-2964, CVE-2022-2601, CVE-2020-36557) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960747
∗∗∗ IBM Sterling B2B Integrator vulnerable to sensitive information exposure due to IBM MQ (CVE-2022-42436) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963954
∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server (CVE-2022-3509, CVE-2022-3171) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963956
∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963962
∗∗∗ IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963958
∗∗∗ IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963960
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 14-03-2023 18:00 − Wednesday 15-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th) ∗∗∗
---------------------------------------------
In the last couple of weeks, I've noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS) - an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception.
---------------------------------------------
https://isc.sans.edu/diary/rss/29638
∗∗∗ How to Find & Fix: WordPress Pharma Hack ∗∗∗
---------------------------------------------
Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don’t blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site’s good reputation to lure traffic to a scam.
---------------------------------------------
https://blog.sucuri.net/2023/03/find-fix-wordpress-pharma-hack.html
∗∗∗ New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...]
---------------------------------------------
https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html
∗∗∗ Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.
---------------------------------------------
https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook…
∗∗∗ Apple admits: iOS services can bypass VPN tunnels ∗∗∗
---------------------------------------------
iOS routes certain traffic past an active VPN connection, security researchers have long warned. According to Apple, this is intentional.
---------------------------------------------
https://heise.de/-7545702
∗∗∗ Patch day: Microsoft patches actively attacked vulnerabilities ∗∗∗
---------------------------------------------
In addition to two actively exploited vulnerabilities, Microsoft is delivering updates for numerous products on the March patch day. They close dozens of vulnerabilities.
---------------------------------------------
https://heise.de/-7545903
∗∗∗ Fake SMS from DHL steals your credit card data ∗∗∗
---------------------------------------------
The fraudulent DHL message says that your parcel has delivery problems. The problem can be solved by clicking on the link. Do not click on the link. You will be lured to a replica DHL website where personal information and credit card data are requested. Subsequently, your credit card is activated for Apple Pay on someone else's device.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-sms-von-dhl-stiehlt-ihr…
∗∗∗ Uncovering Windows Events ∗∗∗
---------------------------------------------
Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn’t a deep dive into how ETW works, [...]
---------------------------------------------
https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54?source=r…
∗∗∗ Released: March 2023 Exchange Server Security Updates ∗∗∗
---------------------------------------------
Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-20…
∗∗∗ How does malware spread? Top 5 ways malware gets into your network ∗∗∗
---------------------------------------------
Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware.
---------------------------------------------
https://www.emsisoft.com/en/blog/43733/how-does-malware-spread-top-5-ways-m…
∗∗∗ A look at CVE-2023-23415 - a Windows ICMP vulnerability + mitigations which is not a cyber meltdown ∗∗∗
---------------------------------------------
Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It’s a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it’s a high CVSS score in Windows OS on a commonly used protocol.
---------------------------------------------
https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerabil…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patchday: Adobe closes zero-day hole and more than 100 vulnerabilities ∗∗∗
---------------------------------------------
Adobe seals 106 security holes on the March Patchday. Cybercriminals are already abusing one of them, in Adobe ColdFusion, in attacks.
---------------------------------------------
https://heise.de/-7546150
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).
---------------------------------------------
https://lwn.net/Articles/926205/
∗∗∗ SAP Patchday contains updates for critical vulnerabilities ∗∗∗
---------------------------------------------
SAP's current Patchday includes several vulnerabilities with a CVSS score >9.0. In particular, a critical vulnerability in SAP NetWeaver AS for Java (CVE-2023-23857) is trivially exploitable; due to insufficient authentication checks, it allows attackers far-reaching system access without any form of authentication. Further vulnerabilities (including CVE-2023-25616 and CVE-2023-25617) allow remote code execution.
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/sap-patchday-enthalt-updates-fur-kritis…
∗∗∗ ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-245/
∗∗∗ ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-244/
∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500554-THINKPAD-BIOS-VULNERABI…
∗∗∗ AIX is affected by a denial of service (CVE-2022-45061) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963342
∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963372
∗∗∗ Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-4568) affects CICS Transaction Gateway for Multiplatforms. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963612
∗∗∗ Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963632
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 10-03-2023 18:00 − Monday 13-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Clop ransomware: victims of the GoAnywhere attacks now have to pay ∗∗∗
---------------------------------------------
Because of a vulnerability in the file transfer solution GoAnywhere MFT, attackers were able to strike and are now extorting companies.
---------------------------------------------
https://heise.de/-7543629
∗∗∗ Banking trojan: 400 institutions in the sights of Android malware ∗∗∗
---------------------------------------------
IT researchers are observing the further development of the banking trojan Xenomorph for Android. It can now handle 400 financial institutions.
---------------------------------------------
https://heise.de/-7543682
∗∗∗ The tax office does not send seizure threats by SMS! ∗∗∗
---------------------------------------------
Fraudulent SMS messages in the name of the tax office (Finanzamt) are once again being sent out en masse. They claim that, despite several reminders, you have not paid an outstanding claim against you, and that a bailiff will therefore now seize your household goods. Caution: do not pay the claim! The message does not come from the tax office, and your money ends up with criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/das-finanzamt-versendet-keine-pfaend…
∗∗∗ Security researchers targeted with new malware via job offers on LinkedIn ∗∗∗
---------------------------------------------
A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/security-researchers-targete…
∗∗∗ Medusa ransomware gang picks up steam as it targets companies worldwide ∗∗∗
---------------------------------------------
A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks…
∗∗∗ DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit ∗∗∗
---------------------------------------------
DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, including an open-source kit capable of circumventing MFA through reverse-proxy functionality.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-h…
∗∗∗ Overview of a Mirai Payload Generator, (Sat, Mar 11th) ∗∗∗
---------------------------------------------
The Mirai[1] botnet has been active for years. It was the first botnet targeting devices running Linux like camera recorders. Our first diary about it was in 2016![2]. Still today, my honeypot is hit by hundreds of Mirai requests every day! I found a Python script that generates a Mirai payload (SHA256:f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e[3]) and deploys networking services to serve it via FTP, HTTP, and TFTP. Nothing very fancy but it will give you a good idea about how Linux hosts are abused to deliver malicious payloads.
---------------------------------------------
https://isc.sans.edu/diary/rss/29624
∗∗∗ BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads ∗∗∗
---------------------------------------------
The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAI's ChatGPT, Spotify, Tableau, and Zoom.
---------------------------------------------
https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html
∗∗∗ "FakeGPT": New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs ∗∗∗
---------------------------------------------
A Chrome Extension propelling quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Particularly noticeable is the use of a malevolent silently forced Facebook app “backdoor” giving the threat actors super-admin permissions.
---------------------------------------------
https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-…
∗∗∗ Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware ∗∗∗
---------------------------------------------
Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users.
---------------------------------------------
https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-t…
∗∗∗ Persistence - Context Menu ∗∗∗
---------------------------------------------
Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click and it is a very common action for every Windows user. In offensive operations this action could be weaponized for persistence by executing shellcode every time the user attempts to use the context menu.
---------------------------------------------
https://pentestlab.blog/2023/03/13/persistence-context-menu/
∗∗∗ CISA Warns of Plex Vulnerability Linked to LastPass Hack ∗∗∗
---------------------------------------------
CISA has added vulnerabilities in Plex Media Server and VMware NSX-V to its Known Exploited Vulnerabilities catalog.
---------------------------------------------
https://www.securityweek.com/cisa-warns-of-plex-vulnerability-linked-to-las…
=====================
= Vulnerabilities =
=====================
∗∗∗ Clipchamp (Microsoft Office Product) - Google IAP Authorization bypass allowed access to Internal Environment Leading to Zero Interaction Account takeover ∗∗∗
---------------------------------------------
[...] After further research it was discovered that the authorization checks are only at the front end https://app.*.clipchamp.com/ and not while invoking the /v2/ API endpoints with the expected parameters. Enumerating all the internal endpoints it was found that the https://app.smoke.clipchamp.com/v2 was leaking the JWT Authentication Bearer Token for any attacker-provided user on the platform leading to Zero Interaction Account takeover for any ClipChamp user on the Smoke Env.
---------------------------------------------
https://blog.agilehunt.com/blogs/security/msrc-critical-google-iap-authoriz…
∗∗∗ Critical vulnerabilities: Lexmark updates firmware for many printers ∗∗∗
---------------------------------------------
Various Lexmark printers have critical vulnerabilities that allow attackers to execute malicious code. Updates are already available.
---------------------------------------------
https://heise.de/-7543959
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick, libapache2-mod-auth-mellon, mpv, rails, and ruby-sidekiq), Fedora (chromium, dcmtk, and strongswan), Mageia (chromium-browser-stable, dcmtk, kernel, kernel-linus, libreswan, microcode, redis, and tmux), SUSE (postgresql14 and python39), and Ubuntu (linux-kvm, linux-raspi-5.4, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/925987/
∗∗∗ Shodan Verified Vulns 2023-03-01 ∗∗∗
---------------------------------------------
As of 2023-03-01, Shodan sees the following vulnerabilities in Austria: [...] The vulnerabilities CVE-2021-43798 (Grafana Path Traversal Vulnerability) and CVE-2022-32548 (DrayTek Authentication Bypass Vulnerability) are now included in Shodan's data again. These data were missing in the previous month. Compared with the data from January 2023, no conspicuous changes can be seen. The vulnerability CVE-2022-36804 behaves similarly [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/shodan-verified-vulns-2023-03-01
∗∗∗ IBM Security Bulletins 2023-03-13 ∗∗∗
---------------------------------------------
* A vulnerability (CVE-2022-21299) in IBM Java Runtime affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* A vulnerability has been identified in IBM Spectrum Scale which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927)
* EBICS Client of IBM Sterling B2B Integrator vulnerable to multiple issues due to jQuery
* IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364)
* IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758)
* IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509)
* IBM Security Guardium is affected by multiple vulnerabilities
* IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690, CVE-2014-8152)
* IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Security (CVE-2022-31692, CVE-2022-22978)
* June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.
* Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-21628, CVE-2022-21626)
* Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2023
* SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* The dashboard UI of IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-22876)
* There is a vulnerability in Apache Commons BCEL used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-42920)
* Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1)
* Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1)
* Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-3509, CVE-2022-3171)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ [R1] Tenable Plugin Feed ID #202212081952 Fixes Arbitrary Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-14
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 09-03-2023 18:00 − Friday 10-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security: Github introduces mandatory 2FA ∗∗∗
---------------------------------------------
Anyone selected by Github must set up two-factor authentication (2FA) within 45 days.
---------------------------------------------
https://www.golem.de/news/security-github-fuehrt-verpflichtende-2fa-ein-230…
∗∗∗ Vulnerabilities in the Bitwarden password manager browser extension can reveal passwords ∗∗∗
---------------------------------------------
Users of the Bitwarden password manager run the risk that the auto-fill function leaks credentials when visiting websites. Malicious websites could steal credentials via an IFRAME embedded in trusted pages and send them to an attacker.
---------------------------------------------
https://www.borncity.com/blog/2023/03/10/schwachstellen-in-bitwarden-passwo…
∗∗∗ New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic ∗∗∗
---------------------------------------------
The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.
---------------------------------------------
https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html
∗∗∗ EJS - Server Side Prototype Pollution gadgets to RCE ∗∗∗
---------------------------------------------
Last month (February 2023), I took a look into NodeJS HTML templating libraries. During my research, I found an interesting Server Side Prototype Pollution (SSPP) gadget in the EJS library which can be leveraged to RCE. After finding this issue, I spent a week searching for an SSPP in express core or dependencies, but I didn't find any issue. That's why, after reporting this issue to the repository maintainer, I'm making an article to explain technical details.
---------------------------------------------
https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce
∗∗∗ How to Avoid LDAP Injection Attacks ∗∗∗
---------------------------------------------
The key vulnerability that puts an application at risk of LDAP injection is improperly processed user input. Applications that don’t sanitize or validate user input are open to LDAP injection attacks because of the structure of LDAP statements and queries.
---------------------------------------------
https://www.trendmicro.com/en_us/devops/23/c/avoid-ldap-injection-attacks.h…
∗∗∗ The Silent Spy Among Us: Modern Attacks Against Smart Intercoms ∗∗∗
---------------------------------------------
What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project that uncovered 13 vulnerabilities in the popular Akuvox E11. The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold.
---------------------------------------------
https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-…
∗∗∗ Multi-Technology Script Leading to Browser Hijacking ∗∗∗
---------------------------------------------
[..] in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don’t know where it’s coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT
---------------------------------------------
https://isc.sans.edu/diary/rss/29620
∗∗∗ The oldest privesc: injecting careless administrators' terminals using TTY pushback ∗∗∗
---------------------------------------------
This trick is possibly the oldest security bug that still exists today, it’s been traced as far back as 1985. It’s been discovered and rediscovered and re-rediscovered by sysadmins, developers and pentesters every few years for close to 4 decades now. It’s been subject to multiple developer battles, countless posts, but still remains largely forgotten. This is just another attempt at shedding light on it, for both attackers and defenders.
---------------------------------------------
https://www.errno.fr/TTYPushback.html
∗∗∗ When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About ∗∗∗
---------------------------------------------
Multi-factor Authentication (MFA) has long ago become a standard security practice. [..] While compatible with RDP connection and local desktop logins, they offer no protection to remote command line access tools like PsExec, Remote PowerShell and their likes. [..] In this article we'll explore this blind spot, understand its root cause and implications, and view the different options security teams can overcome it to maintain their environments protected.
---------------------------------------------
https://thehackernews.com/2023/03/when-partial-protection-is-zero.html
∗∗∗ Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation) ∗∗∗
---------------------------------------------
The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation (described in this blog post), or to translate to arbitrary code execution from argument injection, file overwrites, etc.
---------------------------------------------
https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.…
∗∗∗ Unauthorized access to Codespace secrets in GitHub ∗∗∗
---------------------------------------------
We identified a security issue in GitHub’s Repository Security Advisory feature (https://docs.github.com/en/code-security/security-advisories/repository-sec…) that allowed us to retrieve plaintext Codespace secrets of any organization including GitHub.
---------------------------------------------
https://ophionsecurity.com/blog/access-organization-secrets-in-github
∗∗∗ Pirated copies of Final Cut Pro infect Macs with cryptojacking malware ∗∗∗
---------------------------------------------
Torrents on The Pirate Bay which claim to contain Final Cut Pro are instead being used to distribute malware, designed to infect your Mac with cryptojacking malware.
---------------------------------------------
https://grahamcluley.com/pirated-copies-of-final-cut-pro-infect-macs-with-c…
∗∗∗ GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers ∗∗∗
---------------------------------------------
New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility.
---------------------------------------------
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/
∗∗∗ Netcat Attack Cases Targeting MS-SQL Servers (LOLBins) ∗∗∗
---------------------------------------------
ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike.
---------------------------------------------
https://asec.ahnlab.com/en/49249/
∗∗∗ Everything You Didn’t Know About Cross-Account and Cross-Cloud Provider Attacks ∗∗∗
---------------------------------------------
Wait, did you say ‘Cross-Cloud Provider Attacks’? Yes, this is actually a growing type of attack path: As organizations increasingly adopt multiple cloud platforms, their lack of security visibility across the clouds makes them a sitting target for these types of attacks.
---------------------------------------------
https://orca.security/resources/blog/cross-account-cross-provider-attack-pa…
∗∗∗ Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices ∗∗∗
---------------------------------------------
Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.
---------------------------------------------
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and wireless-regdb), Fedora (caddy, python-cryptography, and redis), Oracle (gnutls), SUSE (hdf5, opera, python-Django, redis, tomcat, and xen), and Ubuntu (apache2 and snakeyaml).
---------------------------------------------
https://lwn.net/Articles/925840/
∗∗∗ IBM Security Bulletins 2023-03-10 ∗∗∗
---------------------------------------------
* Apache Commons Beanutils (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2019-10086, CVE-2014-0114)
* Apache Commons FileUpload (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2023-24998)
* Apache Commons IO (Publicly disclosed vulnerability) Affects IBM eDiscovery Manager (CVE-2021-29425)
* IBM MQ is affected by a vulnerability in Apache Commons Net (CVE-2021-37533)
* IBM QRadar WinCollect agent has multiple vulnerabilities
* IBM QRadar Wincollect agent is vulnerable to server side request forgery (SSRF) (CVE-2022-43879)
* IBM SDK, Java Technology Edition, Security Update February 2023
* multiple vulnerabilities in Java SE may affect CICS TX Advanced
* multiple vulnerabilities in Java SE may affect CICS TX Standard
* multiple vulnerabilities in Java SE may affect TXSeries for Multiplatforms
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Advanced
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Standard
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect TXSeries for Multiplatforms
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Advanced
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Standard
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect TXSeries for Multiplatforms
* Watson CP4D Data Stores is vulnerable to jackson-databind due to FasterXML jackson-databind before 2.14.0-rc1 (CVE-2022-42003)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ [R1] Nessus Agent Version 10.3.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-12
∗∗∗ [R1] Nessus Agent Version 8.3.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-13
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 08-03-2023 18:00 − Thursday 09-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft Word RCE vulnerability could also affect Microsoft Outlook ∗∗∗
---------------------------------------------
According to a report at borncity, the remote code execution vulnerability in Microsoft Word that was fixed on the February Patchday could also affect Microsoft Outlook (at least 2013), even if the February patches have been installed. Not all details are clear yet, but for the time being we nevertheless urgently advise Outlook users to implement Microsoft's recommendations and to configure Outlook so that mails are displayed as plain text.
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/microsoft-word-rce-lucke-konnte-auch-mi…
∗∗∗ IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks ∗∗∗
---------------------------------------------
A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
---------------------------------------------
https://thehackernews.com/2023/03/icefire-linux-ransomware.html
∗∗∗ Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware ∗∗∗
---------------------------------------------
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems.
---------------------------------------------
https://thehackernews.com/2023/03/hackers-exploiting-remote-desktop.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal: Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009 ∗∗∗
---------------------------------------------
This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it. If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-009
∗∗∗ Oracle Database Vault Protected Table With Realm Data Extraction Vulnerability ∗∗∗
---------------------------------------------
This security issue is fixed from 21c onwards [I think back-port patch was released in October 2022 CPU cycle]. Still exists in 19c (so far from version 19.18 and below). DB Vault is a security feature in Oracle that attempts to restrict “SYS” account power, in addition DB Vault will ensure separation of duties in place such as account management and authorization can’t be performed by the DBA through SYS account anymore.
---------------------------------------------
https://databasesecurityninja.wordpress.com/2023/03/07/oracle-database-vaul…
∗∗∗ Ivanti Avalanche: Security Alert - CVE-2022-44574 – Authentication Bypass for Remote Control RCServlet ∗∗∗
---------------------------------------------
This vulnerability enables an attacker to overwrite credentials which gives access to a Web Panel. This vulnerability affects all Avalanche Premise versions 6.3.x and below. This vulnerability has a CVE score of 6.5.
---------------------------------------------
https://forums.ivanti.com/s/article/Avalanche-ZDI-CAN-19513-Security-Adviso…
∗∗∗ Foxit PDF Editor: vulnerabilities allow injection of malicious code ∗∗∗
---------------------------------------------
Vulnerabilities in Foxit PDF Editor allow attackers to smuggle in and execute malicious code using manipulated PDF files. An update is available.
---------------------------------------------
https://heise.de/-7540068
∗∗∗ Home Assistant: vulnerability discovered and closed ∗∗∗
---------------------------------------------
Anyone using Home Assistant with Supervisor should update their system now. Otherwise intruders could tamper with it.
---------------------------------------------
https://heise.de/-7540500
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel, pesign, samba, and zlib), Oracle (kernel), Slackware (httpd), SUSE (emacs, libxslt, nodejs12, nodejs14, nodejs16, openssl, poppler, python-py, python-wheel, xen, and xorg-x11-server), and Ubuntu (linux-gcp-5.4, linux-gkeop, opusfile, and samba).
---------------------------------------------
https://lwn.net/Articles/925723/
∗∗∗ Cloud Pak for Security uses packages that are vulnerable to multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6551876
∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962195
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962201
∗∗∗ A vulnerability exists in IBM Robotic Process Automation where Queue Provider credentials are not obfuscated during editing (CVE-2023-25680) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962207
∗∗∗ IBM Robotic Process Automation for Cloud Pak may be vulnerable to a denial of service due to ISC BIND (CVE-2022-38177, CVE-2022-38178). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962223
∗∗∗ Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6536732
∗∗∗ Multiple Vulnerabilities in IBM HTTP Server affect WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962383
∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962407
∗∗∗ June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962411
∗∗∗ z/Transaction Processing Facility is affected by vulnerabilities in the Apache Kafka (kafka-clients) and cryptography packages ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962437
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to incorrect default permissions (CVE-2022-46774) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962455
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 07-03-2023 18:00 − Wednesday 08-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ What is a Website Defacement? ∗∗∗
---------------------------------------------
Defacement is easily one of the most obvious signs of a hacked website. In these attacks, bad actors gain unauthorized access to an environment and leave their mark through digital vandalism, altering its visual appearance or content in the process.
---------------------------------------------
https://blog.sucuri.net/2023/03/what-is-website-defacement.html
∗∗∗ Persistence – Event Log Online Help ∗∗∗
---------------------------------------------
Event Viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though Event Viewer is used mainly by administrators for troubleshooting Windows errors, it could also be used as a form of persistence during red team operations.
---------------------------------------------
https://pentestlab.blog/2023/03/07/persistence-event-log-online-help/
∗∗∗ "Lidl Women's Day gift": Fake prize draw for Women's Day ∗∗∗
---------------------------------------------
WhatsApp, Messenger and Viber users are currently unknowingly spreading a link to a fraudulent prize draw among their contacts. The supermarket chain "Lidl" is supposedly giving away "many cash gifts" for Women's Day on 8 March, according to the message. Do not click on the link. Criminals are trying to install malware on your device!
---------------------------------------------
https://www.watchlist-internet.at/news/lidl-frauentagsgeschenk-fake-gewinns…
∗∗∗ GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP ∗∗∗
---------------------------------------------
ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs.
---------------------------------------------
https://asec.ahnlab.com/en/48940/
=====================
= Vulnerabilities =
=====================
∗∗∗ Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002) ∗∗∗
---------------------------------------------
Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to login as any Site Member or System User.
---------------------------------------------
https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
∗∗∗ ABB Substation management unit COM600 IEC-104 protocol stack vulnerability ∗∗∗
---------------------------------------------
Hitachi Energy disclosed a vulnerability (CVE-2022-29492) that affects certain HE products. This vulnerability also affects the IEC 68070-5-104 (IEC-104) protocol stack of ABB Substation Management Unit COM600. Subsequently, a successful exploit could allow attackers to cause a denial-of-service attack against the COM600 product.
---------------------------------------------
https://web.apsis.one/wve/68c20aba-1b85-416f-bf3f-ce8b1779c260
∗∗∗ CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE ∗∗∗
---------------------------------------------
Aqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server.
---------------------------------------------
https://blog.aquasec.com/jenkins-server-vulnerabilities
∗∗∗ Problematic security vulnerability in Apple's GarageBand ∗∗∗
---------------------------------------------
Apple's free music production software can apparently be attacked. Users on macOS should update quickly.
---------------------------------------------
https://heise.de/-7538801
∗∗∗ Patchday: Fortinet seals 15 vulnerabilities, one of them critical ∗∗∗
---------------------------------------------
Fortinet's patch day brings IT administrators updates that close 15 security vulnerabilities. One of them is critical and allows code injection.
---------------------------------------------
https://heise.de/-7538910
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apr), Fedora (c-ares), Oracle (curl, kernel, pesign, samba, and zlib), Red Hat (curl, gnutls, kernel, kernel-rt, and pesign), Scientific Linux (kernel, pesign, samba, and zlib), SUSE (libX11, python-rsa, python3, python36, qemu, rubygem-rack, xorg-x11-server, and xwayland), and Ubuntu (libtpms, linux-ibm, linux-raspi, linux-raspi, python3.7, python3.8, and sofia-sip).
---------------------------------------------
https://lwn.net/Articles/925606/
∗∗∗ IBM Security Bulletins 2023-03-08 ∗∗∗
---------------------------------------------
IBM Robotic Process Automation, IBM WebSphere, IBM MQ, Financial Transaction Manager, IBM VM Recovery Manager, IBM Aspera faspio Gateway, IBM Security Verify Bridge, IBM Spectrum Scale, IBM Security Guardium.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Veeam fixes critical vulnerability CVE-2023-27532 in Backup & Replication V11a/V12 ∗∗∗
---------------------------------------------
A brief note for users of the backup software from the vendor Veeam. On 7 March 2023 it fixed a critical vulnerability (CVE-2023-27532) in its product Backup & Replication, versions V11a/V12, via an update.
---------------------------------------------
https://www.borncity.com/blog/2023/03/08/veeam-fixt-kritische-schwachstelle…
∗∗∗ Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN82424996/
∗∗∗ Cisco IOS XR Software for ASR 9000 Series Routers Bidirectional Forwarding Detection Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Nessus Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-11
∗∗∗ [R1] Nessus Version 8.15.9 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-10
=====================
= End-of-Day report =
=====================
Timeframe: Monday 06-03-2023 18:00 − Tuesday 07-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Proof-of-Concept released for critical Microsoft Word RCE bug ∗∗∗
---------------------------------------------
A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/proof-of-concept-released-fo…
∗∗∗ Old Windows ‘Mock Folders’ UAC bypass used to drop malware ∗∗∗
---------------------------------------------
A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac…
∗∗∗ Shein's Android App Caught Transmitting Clipboard Data to Remote Servers ∗∗∗
---------------------------------------------
An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022.
---------------------------------------------
https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.ht…
∗∗∗ SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..]
---------------------------------------------
https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.ht…
∗∗∗ Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing ∗∗∗
---------------------------------------------
Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).
---------------------------------------------
https://www.securityweek.com/exploitation-of-critical-vulnerability-in-end-…
∗∗∗ Advertising for new fake investment platform "TradeGPT" on Facebook, Instagram & Co. ∗∗∗
---------------------------------------------
Criminals are advertising fraudulent investment platforms such as trade-gpt.ai or financialpronews.com on Instagram, Facebook and the like. The fake posts present a new trading platform developed by Elon Musk and OpenAI. The platform, named "TradeGPT", supposedly makes it easier for "ordinary people" to get started in stock and commodity trading. The platform has nothing to do with Elon Musk or OpenAI and is fraudulent!
---------------------------------------------
https://www.watchlist-internet.at/news/werbung-fuer-neue-fake-investment-pl…
∗∗∗ Fraud scheme targeting billing departments ∗∗∗
---------------------------------------------
Certitude is observing an increase in online fraud against the billing departments of Austrian companies. Attackers get customers to change the bank account details of their suppliers through social engineering by e-mail. The losses frequently amount to several hundred thousand euros and lead to legal disputes between the affected companies.
---------------------------------------------
https://certitude.consulting/blog/de/betrugsmasche-gegen-verrechnung/
∗∗∗ Using Memory Analysis to Detect EDR-Nullifying Malware ∗∗∗
---------------------------------------------
One tool Trend Micro described, dubbed “AVBurner”, used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis.
---------------------------------------------
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-ed…
=====================
= Vulnerabilities =
=====================
∗∗∗ Is anyone here using SHA-3? The reference implementation ... ∗∗∗
---------------------------------------------
Is anyone here using SHA-3? The reference implementation has an integer overflow.
---------------------------------------------
http://blog.fefe.de/?ts=9af9c7a3
∗∗∗ Multiple vulnerabilities in PostgreSQL extension module pg_ivm ∗∗∗
---------------------------------------------
* Exposure of sensitive information to an unauthorized actor - CVE-2023-22847
* Uncontrolled search path element - CVE-2023-23554
---------------------------------------------
https://jvn.jp/en/jp/JVN19872280/
∗∗∗ ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-212/
∗∗∗ ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-214/
∗∗∗ Patchday: Critical system vulnerabilities threaten Android 11, 12 and 13 ∗∗∗
---------------------------------------------
Google has released important security updates for Android devices. In the worst case, attackers could execute malicious code.
---------------------------------------------
https://heise.de/-7537197
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff).
---------------------------------------------
https://lwn.net/Articles/925469/
∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-053/
∗∗∗ WordPress BuddyForms Plugin — Unauthenticated Insecure Deserialization (CVE-2023–26326) ∗∗∗
---------------------------------------------
https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthentic…
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952319
∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959369
∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960473
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960481
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960485
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960493
∗∗∗ IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960495
∗∗∗ IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960511
∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828569
=====================
= End-of-Day report =
=====================
Timeframe: Friday 03-03-2023 18:00 − Monday 06-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Fake shops fake payment with Klarna ∗∗∗
---------------------------------------------
The fake shops scheubner.net and profibikes.de look very professional. Above all, the option to pay with Klarna lulls many into a sense of security. However, the shops fake the Klarna payment process. If you enter your credentials on the replica Klarna payment page, they end up with criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-faelschen-zahlung-mit-kla…
∗∗∗ DCOM hardening (CVE-2021-26414) on the 14 March 2023 patch day for Windows 10/11 and Server ∗∗∗
---------------------------------------------
A small reminder for administrators of Windows in enterprise environments. There is a vulnerability in Microsoft's Windows DCOM implementation (Windows DCOM Server Security Feature Bypass, CVE-2021-26414) that allowed security features to be bypassed. Microsoft documented this in 2021 and then also patched it, with the closing of this vulnerability taking place in several stages. I was recently reminded that on 14 March 2023 Microsoft will release a final patch that removes the ability to switch off this DCOM hardening.
---------------------------------------------
https://www.borncity.com/blog/2023/03/05/dcom-hrtung-cve-2021-26414-zum-14-…
∗∗∗ Magbo Spam Injection Encoded with hex2bin ∗∗∗
---------------------------------------------
We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection.
---------------------------------------------
https://blog.sucuri.net/2023/03/magbo-spam-injection-encoded-with-hex2bin.h…
∗∗∗ New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims ∗∗∗
---------------------------------------------
A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...]
---------------------------------------------
https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.ht…
∗∗∗ How to prevent Microsoft OneNote files from infecting Windows with malware ∗∗∗
---------------------------------------------
The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-one…
∗∗∗ Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears ∗∗∗
---------------------------------------------
In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems.
---------------------------------------------
https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-nove…
=====================
= Vulnerabilities =
=====================
∗∗∗ strongSwan Vulnerability (CVE-2023-26463) ∗∗∗
---------------------------------------------
A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets.
---------------------------------------------
https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-20…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield).
---------------------------------------------
https://lwn.net/Articles/925323/
∗∗∗ Multiple Vulnerabilities in Arris DG3450 Cable Gateway ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959963
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959973
∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952319
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960159
∗∗∗ Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960175
∗∗∗ IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960189
∗∗∗ Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960201
∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960211
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960213
∗∗∗ Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/258535
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/258547
∗∗∗ Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix October 2015 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/273103
∗∗∗ Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/278361
∗∗∗ Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/541019
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 02-03-2023 18:00 − Friday 03-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FBI and CISA warn of increasing Royal ransomware attack risks ∗∗∗
---------------------------------------------
CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-increas…
∗∗∗ Persistence Techniques That Persist ∗∗∗
---------------------------------------------
In this blog post, we will focus on how malware can achieve persistence by abusing the Windows Registry. Specifically, we will focus on lesser-known techniques, many of which have been around since the days of Windows XP and are just as effective today on Windows 10 and 11.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/persistence-techniq…
∗∗∗ NIST Cybersecurity Framework 2.0: Updated guidelines against cybercrime ∗∗∗
---------------------------------------------
Because the IT attack landscape is constantly changing, the US Institute of Standards and Technology has updated its Cybersecurity Framework.
---------------------------------------------
https://heise.de/-7534206
∗∗∗ FAQ: Which cyberattacks exist and how risks can be avoided ∗∗∗
---------------------------------------------
Cyberattacks can affect anyone, but with a few simple measures you can at least minimize your personal risk.
---------------------------------------------
https://heise.de/-7523370
∗∗∗ Thousands of Websites Hijacked Using Compromised FTP Credentials ∗∗∗
---------------------------------------------
Cybersecurity startup Wiz warns of a widespread redirection campaign in which thousands of websites have been compromised using legitimate FTP credentials.
---------------------------------------------
https://www.securityweek.com/thousands-of-websites-hijacked-using-compromis…
∗∗∗ Of Degens and Defrauders: Using Open-Source Investigative Tools to Investigate Decentralized Finance Frauds and Money Laundering. (arXiv:2303.00810v1 [cs.CR]) ∗∗∗
---------------------------------------------
This study demonstrates how open-source investigative tools can extract transaction-based evidence that could be used in a court of law to prosecute DeFi frauds. Additionally, we investigate how these funds are subsequently laundered.
---------------------------------------------
http://arxiv.org/abs/2303.00810
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-03-03 ∗∗∗
---------------------------------------------
IBM Cloud Pak, IBM Financial Transaction Manager, Operations Dashboard, IBM App Connect Enterprise Certified Container, IBM Sterling Connect:Express, IBM HTTP Server, IBM Spectrum Control, IBM Aspera Faspex, IBM SAN, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, IBM Maximo, IBM WebSphere Remote Server, IBM Business Automation Workflow, Rational Functional Tester.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Malicious-code attacks on HPE Serviceguard on Linux possible ∗∗∗
---------------------------------------------
The developers have closed three security vulnerabilities in HPE's Serviceguard for Linux. Patched versions are available for download.
---------------------------------------------
https://heise.de/-7534361
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-5.10 and node-css-what), SUSE (gnutls, google-guest-agent, google-osconfig-agent, nodejs10, nodejs14, nodejs16, opera, pkgconf, python-cryptography, python-cryptography-vectors, rubygem-activesupport-4_2, thunderbird, and tpm2-0-tss), and Ubuntu (git, kernel, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-lowlatency, linux-oracle, linux-azure-fde, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, php7.0, python-pip, ruby-rack, spip, and sudo).
---------------------------------------------
https://lwn.net/Articles/925060/
∗∗∗ Vulnerabilities in Intel CPUs: Microsoft releases out-of-band security update ∗∗∗
---------------------------------------------
It is intended to close a total of four vulnerabilities. However, the vulnerabilities have been known since June 2022. Windows 10, Windows 11 and Windows Server are affected.
---------------------------------------------
https://www.zdnet.de/88407530/luecken-in-intel-cpus-microsoft-veroeffentlic…
∗∗∗ [R1] Nessus Version 10.5.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-09
∗∗∗ BOSCH-SA-931197: Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-931197.html
∗∗∗ SonicOS SSLVPN Improper Restriction of Excessive MFA Attempts Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0005
∗∗∗ SonicOS Unauthenticated Stack-Based Buffer Overflow Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 01-03-2023 18:00 − Thursday 02-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ YARA: Detect The Unexpected ..., (Thu, Mar 2nd) ∗∗∗
---------------------------------------------
He has strings to detect any embedded file, and strings to detect embedded PNG files, JPEG files, ...
So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences.
---------------------------------------------
https://isc.sans.edu/diary/rss/29598
∗∗∗ SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics ∗∗∗
---------------------------------------------
The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system.
---------------------------------------------
https://thehackernews.com/2023/03/sysupdate-malware-strikes-again-with.html
∗∗∗ This Hacker Tool Can Pinpoint a DJI Drone Operator's Exact Location ∗∗∗
---------------------------------------------
Every DJI quadcopter broadcasts its operator's position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates.
---------------------------------------------
https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/
∗∗∗ Helping Cyber Defenders “Decide” to Use MITRE ATT&CK ∗∗∗
---------------------------------------------
Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support more than just optimized cyber threat intelligence to the cybersecurity community. To match these advances, CISA recently published a second edition of our mapping guide and today announces a new accompaniment to the guide, CISA’s Decider tool.
---------------------------------------------
https://www.cisa.gov/news-events/news/helping-cyber-defenders-decide-use-mi…
∗∗∗ Gitpod remote code execution 0-day vulnerability via WebSockets ∗∗∗
---------------------------------------------
This article walks us through a current Snyk Security Labs research project focusing on cloud based development environments (CDEs) — which resulted in a full workspace takeover on the Gitpod platform and extended to the user’s SCM account. The issues here have been responsibly disclosed to Gitpod and were resolved within a single working day
---------------------------------------------
https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/
∗∗∗ CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization's cyber posture.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
∗∗∗ Tainted Love: A Systematic Review of Online Romance Fraud. (arXiv:2303.00070v1 [cs.HC]) ∗∗∗
---------------------------------------------
Romance fraud involves cybercriminals engineering a romantic relationship on online dating platforms. It is a cruel form of cybercrime whereby victims are left heartbroken, often facing financial ruin. We characterise the literary landscape on romance fraud, advancing the understanding of researchers and practitioners by systematically reviewing and synthesising contemporary qualitative and quantitative evidence.
---------------------------------------------
http://arxiv.org/abs/2303.00070
∗∗∗ Dishing Out DoS: How to Disable and Secure the Starlink User Terminal. (arXiv:2303.00582v1 [cs.CR]) ∗∗∗
---------------------------------------------
Satellite user terminals are a promising target for adversaries seeking to target satellite communication networks. Despite this, many protections commonly found in terrestrial routers are not present in some user terminals. As a case study we audit the attack surface presented by the Starlink router's admin interface, using fuzzing to uncover a denial of service attack on the Starlink user terminal.
---------------------------------------------
http://arxiv.org/abs/2303.00582
=====================
= Vulnerabilities =
=====================
∗∗∗ Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008 ∗∗∗
---------------------------------------------
Project: Group control for forums
Security risk: Critical
Description: This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics. Solution: Install the latest version
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-008
∗∗∗ Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007 ∗∗∗
---------------------------------------------
Project: Thunder
Security risk: Moderately critical
Description: Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface. The module doesn't sufficiently check access when serving user data via graphql leading to an access bypass vulnerability
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-007
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (git), Debian (spip), Fedora (epiphany), Mageia (binwalk, chromium-browser-stable, crmsh, emacs, libraw, libtiff, nodejs, pkgconf, tar, and vim), Oracle (kernel and systemd), SUSE (emacs, kernel, nrpe, and rubygem-activerecord-4_2), and Ubuntu (c-ares, git, postgresql-12, postgresql-14, and sox).
---------------------------------------------
https://lwn.net/Articles/924922/
∗∗∗ Critical security vulnerabilities in ArubaOS - updates partially available ∗∗∗
---------------------------------------------
Since attackers can execute arbitrary code on affected devices, all data located on these devices and reachable through them is at risk. As these are network components, scenarios are also conceivable in which data flowing through them can be read, impaired and/or modified.
---------------------------------------------
https://cert.at/de/warnungen/2023/3/kritische-sicherheitslucken-in-arubaos-…
∗∗∗ Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-006
∗∗∗ ABB: Improper authentication vulnerability in S+ Operations (CVE ID: CVE-2023-0228) ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=7PAA0…
∗∗∗ IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6590487
∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959353
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959355
∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959369
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957836
∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959357
∗∗∗ There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959359
∗∗∗ Persistent cross-site scripting vulnerability affect IBM Business Automation Workflow - CVE-2023-22860 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958691
∗∗∗ Vulnerability in bind affects IBM Integrated Analytics System [CVE-2022-2795] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959567
∗∗∗ IBM Cloud Pak for Network Automation v2.4.4 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959583
∗∗∗ There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959601
∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU and IBM Java - OpenJ9 CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959625
∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848317
∗∗∗ IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956299
∗∗∗ Operations Dashboard is vulnerable to denial of service and response splitting due to vulnerabilities in Netty (CVE-2022-41881 and CVE-2022-41915) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959639
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 28-02-2023 18:00 − Wednesday 01-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ TPM 2.0 specifications: Attackers could smuggle malicious code onto TPM ∗∗∗
---------------------------------------------
Errors have crept into the specification of the TPM 2.0 reference library. Attackers could slip their own code into vulnerable implementations.
---------------------------------------------
https://heise.de/-7531171
∗∗∗ Finish him! Free decryption tool defeats MortalKombat ransomware ∗∗∗
---------------------------------------------
No sooner has the MortalKombat ransomware seen the light of day than security researchers wind up for the final blow.
---------------------------------------------
https://heise.de/-7531337
∗∗∗ Fake PayLife login in Google Search ads! ∗∗∗
---------------------------------------------
PayLife users beware: criminals are currently running ads on Google that lead to a fake PayLife website. A small typo is enough for the fraudulent ad to be displayed as the first result. Anyone who enters their login details on the phishing page enables the criminals to make payments. The money is lost!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschter-paylife-login-in-anzeig…
∗∗∗ The dangers from across browser-windows ∗∗∗
---------------------------------------------
When you browse the web, your browser tries to protect you as best it can, but sometimes it fails when it is not properly instructed by the website you are visiting. One of the browser's most important security mechanisms is the Same-Origin Policy [1][2][3] (SOP), which restricts how scripts and documents from one origin interact with resources and documents from a [...]
---------------------------------------------
https://certitude.consulting/blog/de/the-dangers-from-across-browser-window…
∗∗∗ BlackLotus UEFI bootkit defeats Secure Boot in Windows 11 ∗∗∗
---------------------------------------------
Security researchers at ESET have discovered malware dubbed BlackLotus in the wild that takes control of the UEFI. BlackLotus is likely the first UEFI bootkit malware in the wild that can bypass Secure Boot on Windows 11 (and probably Windows 10 as well).
---------------------------------------------
https://www.borncity.com/blog/2023/03/01/blacklotus-uefi-bootkit-berwindet-…
∗∗∗ CISA: ZK Java Framework RCE Flaw Under Active Exploit ∗∗∗
---------------------------------------------
The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.
---------------------------------------------
https://www.darkreading.com/risk/cisa-zk-java-framework-rce-flaw-under-acti…
∗∗∗ SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft ∗∗∗
---------------------------------------------
The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
---------------------------------------------
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
∗∗∗ DNS abuse: Advice for incident responders ∗∗∗
---------------------------------------------
What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers.
---------------------------------------------
https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-re…
∗∗∗ Google Cloud Platform allows data exfiltration without a (forensic) trace ∗∗∗
---------------------------------------------
Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP’s storage access logs, Mitiga researchers have discovered. [...] In short, the main problem is that GCP’s basic storage logs – which are, by the way, not enabled by default – use the same description/event (objects.get) for [...]
---------------------------------------------
https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/
∗∗∗ Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads ∗∗∗
---------------------------------------------
The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements [...]
---------------------------------------------
https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-…
∗∗∗ The Level of Human Engagement Behind Automated Attacks ∗∗∗
---------------------------------------------
Even automated attacks are driven by humans, but the level of engagement we observed may surprise you! When the human or an organization behind an automated attack shows higher levels of innovation and sophistication in their attack tactics, the danger increases dramatically as they are no longer simply employing an opportunistic “spray and pray” strategy, but rather more highly evolved strategies that are closer to a so-called targeted attack.
---------------------------------------------
https://www.gosecure.net/blog/2023/02/28/the-level-of-human-engagement-behi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools and syslog-ng), Fedora (gnutls and guile-gnutls), Oracle (git, httpd, lua, openssl, php, python-setuptools, python3.9, sudo, tar, and vim), Red Hat (kpatch-patch), Scientific Linux (git), SUSE (compat-openssl098, glibc, openssl, postgresql13, python-Django, webkit2gtk3, and xterm), and Ubuntu (awstats, expat, firefox, gnutls28, lighttpd, php7.2, php7.4, php8.1, python-pip, and tar).
---------------------------------------------
https://lwn.net/Articles/924794/
∗∗∗ Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products ∗∗∗
---------------------------------------------
Several ThingWorx and Kepware products are affected by two vulnerabilities that can be exploited for DoS attacks and unauthenticated remote code execution.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-patched-in-thingworx-…
∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Webex App for Web Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Intelligence Center Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ TPM 2.0 Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500551-TPM-20-VULNERABILITIES
∗∗∗ Nuvoton TPM Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500550-NUVOTON-TPM-DENIAL-OF-…
∗∗∗ Malicious IKEv2 packet by authenticated peer can cause libreswan to restart ∗∗∗
---------------------------------------------
https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 5.23.1: SC-202303.1-5 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-08
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 6.0.0: SC-202303.1-6 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-07
∗∗∗ IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856457
∗∗∗ DataPower Operator vulnerable to Denial of Service (CVE-2022-41724) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958490
∗∗∗ Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958504
∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-22389, CVE-2022-25313, CVE-2022-25236, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235 and CVE-2022-22390) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959019
∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959033
∗∗∗ IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958701
∗∗∗ IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957688
∗∗∗ IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957686
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily