- Daily - CERT.at

Tageszusammenfassung - 28.02.2023
by Daily end-of-shift report 28 Feb '23

28 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-02-2023 18:00 − Dienstag 28-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical flaws in WordPress Houzez theme exploited to hijack websites ∗∗∗ --------------------------------------------- Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-… ∗∗∗ New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware ∗∗∗ --------------------------------------------- Threat actors are promoting a new Exfiltrator-22 post-exploitation framework designed to spread ransomware in corporate networks while evading detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-expl… ∗∗∗ Passwortmanager: Lastpass teilt weitere Details zum Dezember-Hack mit ∗∗∗ --------------------------------------------- Über einen Keylogger auf einem Privatrechner konnten Angreifer Adminzugriff auf diverse Lastpass-Kundendaten und dessen Quellcode erhalten. --------------------------------------------- https://www.golem.de/news/passwortmanager-lastpass-teilt-weitere-details-zu… ∗∗∗ Side-Channel Attack against CRYSTALS-Kyber ∗∗∗ --------------------------------------------- CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. --------------------------------------------- https://www.schneier.com/blog/archives/2023/02/side-channel-attack-against-… ∗∗∗ CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests. --------------------------------------------- https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html ∗∗∗ A Complete Kubernetes Config Review Methodology ∗∗∗ --------------------------------------------- The are many resources out there that tap into the subject of Kubernetes Pentesting or Configuration Review, however, they usually detail specific topics and misconfigurations and don’t offer a broad perspective on how to do a complete Security Review. That is why in this article I want to cover a more complete overview on all the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment. --------------------------------------------- https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-meth… ∗∗∗ Vulnerabilities Being Exploited Faster Than Ever: Analysis ∗∗∗ --------------------------------------------- The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7. --------------------------------------------- https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ev… ∗∗∗ Konzertkarten auf Facebook kaufen: Vorsicht vor Betrug ∗∗∗ --------------------------------------------- Facebook ist eine beliebte Anlaufstelle, um Karten für ausverkaufte Konzerte zu ergattern. Bedenken Sie aber, dass hinter vielen Angeboten Fake-Profile stecken. Überprüfen Sie das Profil der Verkäufer:innen sehr genau und bezahlen Sie niemals mit der PayPal-Funktion „Geld an Freunde & Familie senden“. Wir zeigen Ihnen, wie Sie betrügerische Angebote auf Facebook erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/konzertkarten-auf-facebook-kaufen-vo… ∗∗∗ Gefälschtes E-Mail von FinanzOnline über Sicherheitsaktualisierung im Umlauf ∗∗∗ --------------------------------------------- Nehmen Sie E-Mails vom Finanzamt bzw. von FinanzOnline sehr genau unter die Lupe. Im Moment sind unzählige betrügerische Schreiben im Umlauf. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-von-finanzonline… ∗∗∗ Sicherheitsanbieter Cyren geht in Liquidation – NoSpamProxy betroffen ∗∗∗ --------------------------------------------- Kurze Information für Nutzer, die Sicherheitsfunktionen des Anbieters Cyren einsetzen (z. B. NoSpamProxy). Der Anbieter Cyren steckt in wirtschaftlichen Schwierigkeiten und wird wohl liquidiert – die betreffenden Dienste werden eingestellt. --------------------------------------------- https://www.borncity.com/blog/2023/02/28/sicherheitsanbieter-cyren-geht-in-… ∗∗∗ Bitdefender Releases Free MortalKombat Ransomware Decryptor ∗∗∗ --------------------------------------------- The free Mortal Kombat ransomware decryptor is now available for victims to recover their encrypted files without having to pay the ransom. --------------------------------------------- https://www.hackread.com/bitdefender-mortalkombat-ransomware-decryptor/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0006 ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.3 CVE(s): CVE-2023-20857 Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0006.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, python-werkzeug, and spip), Fedora (curl), Mageia (apache-commons-fileupload, apr, c-ares, clamav, git, gnutls, ipython, jupyter-core, php, postgresql, python-cryptography, python-jupyterlab, python-twisted, sofia-sip, and sox), Red Hat (git, httpd, kernel, kernel-rt, kpatch-patch, lua, openssl, pcs, php, python-setuptools, python3.9, systemd, tar, vim, and zlib), SUSE (libxslt, php8, postgresql15, python3, tpm2-0-tss, and ucode-intel), and --------------------------------------------- https://lwn.net/Articles/924690/ ∗∗∗ IBM Security Bulletins 2023-02-23 ∗∗∗ --------------------------------------------- IBM VM Recovery Manager, IBM MQ Appliance, Red Hat OpenShift on IBM Cloud, IBM Business Automation Workflow, WebSphere Application Server, IBM SAN b-type switch, IBM FlashSystem, TMS RAMSAN, IBM HTTP Server, IBM CloudPak, Operations Dashboard, IBM QRadar SIEM Application Framework Base Image. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CVE-2022-38108: RCE in SolarWinds Network Performance Monitor ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hong and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the SolarWinds Network Performance Monitor. This bug was originally discovered and reported by ZDI Vulnerability Research Piotr Bazydło. The vulnerability results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. --------------------------------------------- https://www.thezdi.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-netw… ∗∗∗ ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020047 ∗∗∗ ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020046 ∗∗∗ web2py development tool vulnerable to open redirect ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78253670/ ∗∗∗ Osprey Pump Controller 1.0.1 Exploit Code released ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ OS Command Injection in Barracuda CloudGen WAN ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/os-command-injection-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2023
by Daily end-of-shift report 27 Feb '23

27 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-02-2023 18:00 − Montag 27-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ QUICforge - Client-seitige Request-Forgery-Angriffe im QUIC Protokoll ∗∗∗ --------------------------------------------- Ein Überblick warum das QUIC Protokoll ein für die Sicherheit relevantes und besonders aktuelles Forschungsgebiet ist und welche Herausforderung die Nutzung von QUIC birgt. --------------------------------------------- https://sec-consult.com/de/blog/detail/quicforge-client-seitige-request-for… ∗∗∗ Exchange Server: Microsoft empfiehlt Aktualisierung der Antivirus-Ausnahmen (Feb. 2023) ∗∗∗ --------------------------------------------- Microsofts Exchange Server-Team hat seine Empfehlungen in Bezug auf Ausnahmen für Antivirus-Scans überarbeitet und bittet Administratoren die Einstellungen der Antivirus-Software zu überprüfen und gegebenenfalls anzupassen. --------------------------------------------- https://www.borncity.com/blog/2023/02/27/exchange-server-microsoft-empfiehl… ∗∗∗ Bösartige Authenticator-Apps auch im Google-Play-Store ∗∗∗ --------------------------------------------- Vergangene Woche haben App-Entwickler bösartige Authenticator-Apps in Apples App-Store entdeckt. Jetzt wurden sie auch im Google-Play-Store fündig. --------------------------------------------- https://heise.de/-7528469 ∗∗∗ Nur mit iPhone-PIN: Diebe räumen Apple-ID und Bankkonten ab ∗∗∗ --------------------------------------------- iPhone-Diebstähle können zu einer vollständigen Apple-ID- und Bankkonten-Übernahme führen. Schuld ist Apples (zu) einfache Passwort-Recovery per PIN. --------------------------------------------- https://heise.de/-7527961 ∗∗∗ Kleinanzeigenplattformen: Betrügerische Käufer:innen täuschen Zahlung auf gefälschter PayPal-Website vor ∗∗∗ --------------------------------------------- Willhaben, Ebay, Shpock und Co.: Nehmen Sie sich vor betrügerischen Interessent:innen in Acht! Betrügerische Interessent:innen auf Kleinanzeigenplattformen behaupten, den Kaufbetrag inklusive Versandkosten an den Zahlungsdienst PayPal überwiesen zu haben. Sie schicken Ihnen einen personalisierten Link, über den Sie das Geld angeblich anfordern können. Brechen Sie den Kontakt ab, Sie werden auf eine gefälschte PayPal-Seite gelockt. Kriminelle stehlen damit Ihre Zugangsdaten und Geld von Ihrem PayPal-Konto! --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-kleinanzeigen… ∗∗∗ PureCrypter malware hits govt orgs with ransomware, info-stealers ∗∗∗ --------------------------------------------- A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-gov… ∗∗∗ RIG Exploit Kit still infects enterprise users via Internet Explorer ∗∗∗ --------------------------------------------- The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the services long operational history. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rig-exploit-kit-still-infect… ∗∗∗ Is My Site Hacked? (13 Signs) ∗∗∗ --------------------------------------------- Symptoms of a hack can vary wildly. A concerning security alert from Google, a browser warning when you visit your site, or even a notice from your hosting provider that they’ve taken down your website - all of these events may indicate that your site has been hacked. Fortunately, there are a number of quick (and free) ways you can check and find out if your website has been compromised. --------------------------------------------- https://blog.sucuri.net/2023/02/is-my-website-hacked.html ∗∗∗ Open Source Security and Risk Analysis Report ∗∗∗ --------------------------------------------- In its 8 th edition this year, the 2023 “Open Source Security and Risk Analysis” (OSSRA) report delivers our annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-… --------------------------------------------- https://www.synopsys.com/software-integrity/resources/analyst-reports/open-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Zoho ManageEngine ServiceDesk Plus ist verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit dem IT-Verwaltungssystem ManageEngine ServiceDesk Plus von Zoho attackieren. Eine ältere Zoho-Lücke wird derweil angegriffen. --------------------------------------------- https://heise.de/-7528332 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apr-util, freeradius, mono, nodejs, php7.3, php7.4, and python-cryptography), Fedora (epiphany, haproxy, and podman), SUSE (chromium, libraw, php7, php74, python-pip, and rubygem-activerecord-4_2), and Ubuntu (apr, clamav, curl, intel-microcode, nss, openvswitch, webkit2gtk, and zoneminder). --------------------------------------------- https://lwn.net/Articles/924546/ ∗∗∗ Windows: Microsoft liefert cURL-Bibliothek weiterhin mit Schwachstellen aus (Feb. 2023) ∗∗∗ --------------------------------------------- Es ist eine unschöne Geschichte, die ich erneut hier im Blog einstelle. Microsoft gelingt es nicht, cURL mit Windows so auszuliefern, dass die Software auf dem aktuellen Stand ist und keine bekannte Sicherheitslücken mehr aufweist. --------------------------------------------- https://www.borncity.com/blog/2023/02/25/windows-microsoft-liefert-curl-bib… ∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-060/ ∗∗∗ Advisory: Vulnerable TigerVNC Version used in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16769091… ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ IBM MQ for HPE NonStop Server is affected by channel CCDT vulnerability CVE-2022-40237 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958136 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958146 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service in Pypa Setuptools (CVE-2022-40897) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958142 ∗∗∗ IBM Security Verify Bridge (windows and docker versions) affected by a denial of service issue in Go (CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958156 ∗∗∗ Certifi package as used by IBM QRadar User Behavior Analytics is vulnerable to improper certificate validation (CVE-2022-23491) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958452 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958458 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958478 ∗∗∗ A security vulnerability ( CVE-2022-3509, CVE-2022-3171 ) has been identified in IBM WebSphere Application Server Liberty shipped with IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958474 ∗∗∗ FasterXML-jackson-databinds vulnerabilities affect IBM Operations Analytics Predictive Insights (CVE-2022-42004,CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958482 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955937 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958476 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958484 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958486 ∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2177, CVE-2016-2178). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697949 ∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2180). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697951 ∗∗∗ IBM b-type SAN switches and directors affected by OpenSSL Security Advisory [22 Sep 2016] and [26 Sep 2016]. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697953 ∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650695 ∗∗∗ IBM b-type SAN Network\/Storage switches is affected by a denial of service vulnerability, caused by a CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650699 ∗∗∗ IBM b-type SAN directors and switches is affected by privilege escalation vulnerability (CVE-2016-8202). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697803 ∗∗∗ Vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors (CVE-2016-2108) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697943 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2023
by Daily end-of-shift report 24 Feb '23

24 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-02-2023 18:00 − Freitag 24-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht: ChatGPT-Scams nehmen stark zu ∗∗∗ --------------------------------------------- Im Internet gibt es viele Seiten, die vorgeben, der intelligente Chatbot zu sein. In Wahrheit verbreiten sie Schadsoftware. --------------------------------------------- https://futurezone.at/produkte/chatgpt-scam-malware-apps-android-chatbot-vo… ∗∗∗ KI: Journalist überlistet Bank mit künstlicher Intelligenz ∗∗∗ --------------------------------------------- Einem Journalisten ist es gelungen, die Stimmauthentifizierung einer Bank mit KI zu umgehen. Das könnten auch Betrüger. --------------------------------------------- https://www.golem.de/news/ki-journalist-ueberlistet-bank-mit-kuenstlicher-i… ∗∗∗ Privatsphäre: Chrome-Extensions können noch immer eine Menge anrichten ∗∗∗ --------------------------------------------- Eine Analyse zeigt, was sich trotz Googles Chrome Extension Manifest V3 alles ausspähen lässt, wenn Nutzer bei der Installation nicht vorsichtig sind. --------------------------------------------- https://www.golem.de/news/privatsphaere-chrome-extensions-koennen-noch-imme… ∗∗∗ The code that wasn’t there: Reading memory on an Android device by accident ∗∗∗ --------------------------------------------- CVE-2022-25664, a vulnerability in the Qualcomm Adreno GPU, can be used to leak large amounts of information to a malicious Android application. Learn more about how the vulnerability can be used to leak information in both the user space and kernel space level of pages, and how the GitHub Security Lab used the kernel space information leak to construct a KASLR bypass. --------------------------------------------- https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-… ∗∗∗ In Final Cut & Co: Warnung vor Cryptojacking durch gecrackte Mac-Apps ∗∗∗ --------------------------------------------- Malware für Cryptomining wird über gecrackte Mac-Apps verbreitet und verbirgt sich dabei immer besser, warnen Sicherheitsforscher. Apple reagiert. --------------------------------------------- https://heise.de/-7527273 ∗∗∗ Update on the Exchange Server Antivirus Exclusions ∗∗∗ --------------------------------------------- For years we have been saying how running antivirus (AV) software on your Exchange Servers can enhance the security and health of your Exchange organization. We’ve also said that if you are deploying file-level scanners on Exchange servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both scheduled and real-time scanning. But times have changed, and so has the cybersecurity landscape. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exc… ∗∗∗ Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool ∗∗∗ --------------------------------------------- Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-troj… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco stopft teils hochriskante Schwachstellen ∗∗∗ --------------------------------------------- Für mehrere Produkte stellt Netzwerkausrüster Cisco Sicherheitsupdates bereit. Sie schließen teils als hohe Bedrohung eingestufte Schwachstellen. --------------------------------------------- https://heise.de/-7526208 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (binwalk, chromium, curl, emacs, frr, git, libgit2, and tiff), Fedora (qt5-qtbase), SUSE (c-ares, kernel, openssl-1_1-livepatches, pesign, poppler, rubygem-activerecord-5_1, and webkit2gtk3), and Ubuntu (linux-aws). --------------------------------------------- https://lwn.net/Articles/924358/ ∗∗∗ Ineffective Cross Site Request Forgery (CSRF) protection in IBM Business Process Manager (BPM) (CVE-2017-1769) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/301273 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to information disclosure (CVE-2022-43923) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957654 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958016 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958024 ∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958016 ∗∗∗ Vulnerabilities found within Apache Storm that is used by IBM Tivoli Network Manager (ITNM) IP Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958056 ∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958062 ∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958064 ∗∗∗ CVE-2022-32149 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958066 ∗∗∗ CVE-2022-32149 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958072 ∗∗∗ Multiple vulnerabilities in Go may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958068 ∗∗∗ CVE-2022-3676 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958086 ∗∗∗ CVE-2022-3676 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958074 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855111 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955929 ∗∗∗ CVE-2022-37734 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958076 ∗∗∗ CVE-2022-37734 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958084 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955937 ∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958080 ∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958082 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by a vulnerability in JSON Web Token ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955935 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957710 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect z/Transaction Processing Facility ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957822 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2023
by Daily end-of-shift report 23 Feb '23

23 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-02-2023 18:00 − Donnerstag 23-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New S1deload Stealer malware hijacks Youtube, Facebook accounts ∗∗∗ --------------------------------------------- An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware… ∗∗∗ Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries ∗∗∗ --------------------------------------------- Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. --------------------------------------------- https://thehackernews.com/2023/02/python-developers-warned-of-trojanized.ht… ∗∗∗ Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products ∗∗∗ --------------------------------------------- Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. --------------------------------------------- https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html ∗∗∗ OffSec Tools ∗∗∗ --------------------------------------------- This repository is intended for pentesters and red teamers using a variety of offensive security tools during their assessments. The repository is a collection of useful tools suitable for assessments in internal environments. --------------------------------------------- https://github.com/Syslifters/offsec-tools ∗∗∗ Technical Analysis of BlackBasta Ransomware 2.0 ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates. --------------------------------------------- https://www.zscaler.com/blogs/security-research/back-black-basta ∗∗∗ Users looking for ChatGPT apps get malware instead ∗∗∗ --------------------------------------------- The massive popularity of OpenAI’s chatbot ChatGPT has not gone unnoticed by cyber criminals: they are exploiting the public’s eagerness to experiment with it to trick users into downloading Windows and Android malware and visit phishing pages. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/23/chatgpt-windows-android/ ∗∗∗ Stealthy Mac Malware Delivered via Pirated Apps ∗∗∗ --------------------------------------------- Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps and they could use the same method for other malware. --------------------------------------------- https://www.securityweek.com/stealthy-mac-malware-delivered-via-pirated-app… ∗∗∗ Anti-Forensic Techniques Used By Lazarus Group ∗∗∗ --------------------------------------------- Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. --------------------------------------------- https://asec.ahnlab.com/en/48223/ ∗∗∗ ChromeLoader Disguised as Illegal Game Programs Being Distributed ∗∗∗ --------------------------------------------- Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files. --------------------------------------------- https://asec.ahnlab.com/en/48211/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities ∗∗∗ --------------------------------------------- Two of the vulnerabilities are considered to be considered of critical importance, with a CVSS score of a maximum 10 out of 10. --------------------------------------------- https://blog.talosintelligence.com/vuln-spotlight-eip-stack-group-feb-2023/ ∗∗∗ BIOS-Sicherheitsupdates: HP-Computer für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In aktualisierten BIOS-Versionen für HP-Computer haben die Entwickler mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7524562 ∗∗∗ Firewall-Distribution: pfSense 23.01 schließt Sicherheitslücken ∗∗∗ --------------------------------------------- In der Firewall-Distribution pfSense 23.01 haben die Entwickler mehrere Sicherheitslücken geschlossen. Die Basis haben sie auch auf aktuellen Stand gehievt. --------------------------------------------- https://heise.de/-7525432 ∗∗∗ Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023) ∗∗∗ --------------------------------------------- Last week, there were 104 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below. --------------------------------------------- https://www.wordfence.com/blog/2023/02/wordfence-intelligence-ce-weekly-vul… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (asterisk, git, mariadb-10.3, node-url-parse, python-cryptography, and sofia-sip), Fedora (c-ares, golang-github-need-being-tree, golang-helm-3, golang-oras, golang-oras-1, and golang-oras-2), Oracle (httpd:2.4, kernel, php:8.0, python-setuptools, python3, samba, systemd, tar, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (phpMyAdmin, poppler, and postgresql12), and Ubuntu (dcmtk and linux-hwe). --------------------------------------------- https://lwn.net/Articles/924236/ ∗∗∗ Case update: DIVD-2022-00052 - Multiple vulnerabilities is Cloudflow software ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00052/ ∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager HA GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957680 ∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957708 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957710 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager HA GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957714 ∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957754 ∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957758 ∗∗∗ CVE-2022-3509 and CVE-2022-3171 may affect IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957764 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2023
by Daily end-of-shift report 22 Feb '23

22 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-02-2023 18:00 − Mittwoch 22-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warnung vor Angriffen auf IBM Aspera Faspex und Mitel MiVoice ∗∗∗ --------------------------------------------- Die US-IT-Sicherheitsbehörde CISA warnt davor, dass Cyberkriminelle Sicherheitslücken in IBM Aspera Faspex und Mitel MiVoice angreifen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7523870 ∗∗∗ Jetzt patchen! Exploit-Code für kritische Fortinet FortiNAC-Lücke in Umlauf ∗∗∗ --------------------------------------------- Da Exploit-Code veröffentlicht wurde, könnten Angreifer Fortinets Netzwerk-Zugangskontrolllösung FortiNAC ins Visier nehmen. --------------------------------------------- https://heise.de/-7523427 ∗∗∗ Fake Give-Aways und Geschenkaktionen im Namen von ‚MrBeast‘! ∗∗∗ --------------------------------------------- Wer sich regelmäßig YouTube-Videos ansieht, kommt kaum an MrBeast vorbei. Der Youtuber mit über 134 Millionen Abonnent:innen ist für seine Give-Away-Videos bekannt, bei denen er Tausende oder gar Millionen von Dollar verschenkt. Diesen Ruf machen sich auch Kriminelle zunutze, indem sie betrügerische Gewinnversprechen und Geschenkaktionen im Namen von MrBeast verbreiten. --------------------------------------------- https://www.watchlist-internet.at/news/fake-give-aways-und-geschenkaktionen… ∗∗∗ Hydrochasma hackers target medical research labs, shipping firms ∗∗∗ --------------------------------------------- A previously unknown threat actor named Hydrochasma has been targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hydrochasma-hackers-target-m… ∗∗∗ WhatsApp ignoriert seit Jahren ein Sicherheitsproblem, das alle betrifft ∗∗∗ --------------------------------------------- Fremde können das eigene Profil übernehmen und sich für euch ausgeben - ganz ohne Hacking oder Phishing. --------------------------------------------- https://futurezone.at/apps/whatsapp-sicherheit-problem-konto-telefonnummer-… ∗∗∗ Attackers Abuse Cron Jobs to Reinfect Websites ∗∗∗ --------------------------------------------- Malicious cron jobs are nothing new; we’ve seen attackers use them quite frequently to reinfect websites. However, in recent months we’ve noticed a distinctive new wave of these infections that appears to be closely related to this article about a backdoor that we’ve been tracking. --------------------------------------------- https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websi… ∗∗∗ Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks ∗∗∗ --------------------------------------------- An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc. --------------------------------------------- https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.h… ∗∗∗ Lets build a Chrome extension that steals everything ∗∗∗ --------------------------------------------- Manifest v3 may have taken some of the juice out of browser extensions, but I think there is still plenty left in the tank. To prove it, let’s build a Chrome extension that steals as much data as possible. --------------------------------------------- https://mattfrisbie.substack.com/p/spy-chrome-extension ∗∗∗ How NPM Packages Were Used to Spread Phishing Links ∗∗∗ --------------------------------------------- [...] On Monday, 20th of February, Checkmarx Labs discovered an anomaly in the NPM ecosystem when we cross-referenced new information with our databases. Clusters of packages had been published in large quantities to the NPM package manager. Further investigation revealed that the packages were part of a trending new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns. --------------------------------------------- https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-li… ∗∗∗ Android voice chat app with 5m installs leaked user chats ∗∗∗ --------------------------------------------- The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan. --------------------------------------------- https://www.hackread.com/android-voice-chat-app-data-leak/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: VMware dichtet kritisches Sicherheitsleck ab ∗∗∗ --------------------------------------------- VMware schließt mit Updates für Carbon Black App Control und vRealize sowie Cloud Foundation eine kritische und eine hochriskante Schwachstelle. --------------------------------------------- https://heise.de/-7523335 ∗∗∗ Foxit PDF-Updates dichten hochriskante Schwachstellen ab ∗∗∗ --------------------------------------------- In der PDF-Software Foxit klafften Sicherheitslücken, durch die Angreifer etwa mit manipulierten PDF-Dateien Schadcode einschleusen und ausführen hätten können. --------------------------------------------- https://heise.de/-7523313 ∗∗∗ Multiple vulnerabilities in Nokia BTS Airscale ASIKA [PDF] ∗∗∗ --------------------------------------------- Synacktiv performed an audit on the base transceiver station Nokia Airscale ASIKA, running the firmware version btsmed_5G19B_GNB_0007_001836_000863, and discovered multiple vulnerabilities. --------------------------------------------- https://www.synacktiv.com/sites/default/files/2023-02/Synacktiv-Nokia-BTS-A… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6). --------------------------------------------- https://lwn.net/Articles/924070/ ∗∗∗ Synology-SA-23:01 ClamAV ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to possibly execute arbitrary code or local users to obtain sensitive information via a susceptible version of Antivirus Essential, Synology Mail Server, and Synology MailPlus Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_01 ∗∗∗ IBM Security Bulletins 2023-02-22 ∗∗∗ --------------------------------------------- * A vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * A vulnerability in the GUI affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * BM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) * IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708] * IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities in jsonwebtoken affects IBM Watson Assistant for IBM Cloud Pak for Data * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Plus (CVE-2019-11777) * Vulnerability in Log4j affects IBM Integrated Analytics System [CVE-2022-23305] --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco Nexus 9000 Series Fabric Switches in ACI Mode Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS Fabric Interconnects Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 9300-FX3 Series Fabric Extender for UCS Fabric Interconnects Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 6.0.0: SC-202302.2 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-06 ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 5.23.1: SC-202302.3 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2023
by Daily end-of-shift report 21 Feb '23

21 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-02-2023 18:00 − Dienstag 21-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kriminalität: Ransomware will Versicherungspolice ∗∗∗ --------------------------------------------- Die Ransomware Hardbit 2.0 verlangt die Versicherungspolice der Unternehmen, um die Lösegeldforderung anzupassen. Nicht ungefährlich für die Betroffenen. --------------------------------------------- https://www.golem.de/news/kriminalitaet-ransomware-will-versicherungspolice… ∗∗∗ Researchers Discover Dozens Samples of Information Stealer Stealc in the Wild ∗∗∗ --------------------------------------------- A new information stealer called Stealc thats being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report. --------------------------------------------- https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.ht… ∗∗∗ Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs ∗∗∗ --------------------------------------------- On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user. --------------------------------------------- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ ∗∗∗ A Deep Dive Into a PoshC2 Implant ∗∗∗ --------------------------------------------- PoshC2 is an open-source C2 framework used by penetration testers and threat actors. It can generate a Powershell-based implant, a C#.NET implant that we analyze in this paper, and a Python3 implant. --------------------------------------------- https://resources.securityscorecard.com/research/poshc2-implant ∗∗∗ ClamAV Critical Patch Review ∗∗∗ --------------------------------------------- The description of those bugs got our attention since we have format handlers in unblob for both DMG and HFS+. We therefore decided to spend some time trying to understand them and learn if we may be affected by similar bugs. --------------------------------------------- https://onekey.com/blog/clamav-critical-patch-review/ ∗∗∗ OWASP Kubernetes Top 10 ∗∗∗ --------------------------------------------- The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top 10 is a prioritized list of common risks backed by data collected from organizations varying in maturity and complexity. --------------------------------------------- https://sysdig.com/blog/top-owasp-kubernetes/ ∗∗∗ iOS 16.3 und 16.3.1: Apple räumt weitere schwere Lücken ein ∗∗∗ --------------------------------------------- Apple neigt seit längerem dazu, nicht alle gestopften Löcher in seinen Betriebssystemen sofort zu kommunizieren. Nun wurden Infos zu iOS 16.3 nachgereicht. --------------------------------------------- https://heise.de/-7522282 ∗∗∗ What can we learn from the latest Coinbase cyberattack? ∗∗∗ --------------------------------------------- Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twillio, Cloudflare and many other companies last year. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/21/coinbase-cyberattack/ ∗∗∗ Keine Pellets auf ferberpainting.de bestellen! ∗∗∗ --------------------------------------------- Auf der Suche nach Pellets für die Beheizung des Eigenheims stoßen aktuell zahlreiche Personen auf ferberpainting.de bzw. ferberpainting.com. Für 199,90 Euro werden dort 40 Säcke mit 25 KG Pellets abgebildet und angeboten. Wer hier bestellt erlebt eine böse Überraschung, denn geliefert werden 40 leere Säcke. --------------------------------------------- https://www.watchlist-internet.at/news/keine-pellets-auf-ferberpaintingde-b… ∗∗∗ Ihre Bank ruft an? Es könnte sich um Betrug handeln! ∗∗∗ --------------------------------------------- Sie erhalten einen Anruf. Angeblich eine Mitarbeiterin Ihrer Bank. Die Anruferin erklärt, dass sie ungewöhnliche Abbuchungen von Ihrem Konto festgestellt hat. Sie hilft Ihnen dabei, das Geld zurückzubekommen und Ihr Konto zu schützen. Vorsicht: Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/ihre-bank-ruft-an-es-koennte-sich-um… ∗∗∗ HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) ∗∗∗ --------------------------------------------- In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea. --------------------------------------------- https://asec.ahnlab.com/en/48063/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0004 ∗∗∗ --------------------------------------------- CVSSv3 Range: 9.1 CVE(s): CVE-2023-20858 Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0004.html ∗∗∗ VMSA-2023-0005 ∗∗∗ --------------------------------------------- CVSSv3 Range: 8.8 CVE(s): CVE-2023-20855 Synopsis: VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0005.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel). --------------------------------------------- https://lwn.net/Articles/923942/ ∗∗∗ TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-002 ∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-052-01 ∗∗∗ IBM FlashSystem 710, 720, 810, and 820 systems and RamSan 710, 720, 810, and 820 systems are not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)\nFlash ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690011 ∗∗∗ Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem and TMS RAMSAN 710, 720, 810, and 820 systems (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-154 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690125 ∗∗∗ Two (2) Vulnerabilities in glibc affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems (CVE-2014-5119 and CVE-2014-0475) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690127 ∗∗∗ Sixteen (16) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690129 ∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690131 ∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690149 ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-25928) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956598 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6328143 ∗∗∗ IBM Db2 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953755 ∗∗∗ IBM MQ is affected by multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 8 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957066 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to JSON5 code execution (CVE-2022-46175) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957134 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2023
by Daily end-of-shift report 20 Feb '23

20 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-02-2023 18:00 − Montag 20-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CISA warnt: Mögliche System-Kompromittierung durch Lücken in Thunderbird ∗∗∗ --------------------------------------------- Die Version 102.8 von Thunderbird schließt Schwachstellen, durch die Angreifer die Kontrolle über ein System erlangen könnten. Davor warnt die CISA. --------------------------------------------- https://heise.de/-7521002 ∗∗∗ Microsoft-Updates: Nebenwirkungen für VMware und Windows Server 2022 ∗∗∗ --------------------------------------------- Die Februar-Updates zum Microsoft-Patchdays haben ungewollte Nebenwirkungen. Sie betreffen Windows Server 2022 unter VMware und die Windows-11-Updateverteilung. --------------------------------------------- https://heise.de/-7521199 ∗∗∗ Nach Cyber-Einbruch: Angreifer leiten GoDaddy-Webseiten um ∗∗∗ --------------------------------------------- Beim Webhoster GoDaddy konnten Angreifer Anfang Dezember 2022 Schadcode einschleusen, der dort gehostete Webseiten auf Malware-Seiten umleitete. --------------------------------------------- https://heise.de/-7521325 ∗∗∗ Achtung: Finanzamt schickt kein SMS ∗∗∗ --------------------------------------------- Kriminelle versenden im Namen des Finanzamtes gefälschte Nachrichten. Im SMS wird behauptet, dass Sie einen Betrag von € 286, 93 erhalten. Um das Geld zu bekommen, müssen Sie sich verifizieren und auf einen Link klicken. Klicken Sie nicht auf den Link, Sie landen auf einer Phishing-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-finanzamt-schickt-kein-sms/ ∗∗∗ New WhiskerSpy malware delivered via trojanized codec installer ∗∗∗ --------------------------------------------- Security researchers have discovered a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-deliv… ∗∗∗ OneNote Suricata Rules, (Sun, Feb 19th) ∗∗∗ --------------------------------------------- I end my diary entry "Detecting (Malicious) OneNote Files" with a set of Suricata rules to detect various OneNote files. --------------------------------------------- https://isc.sans.edu/diary/rss/29564 ∗∗∗ The Dangers of Installing Nulled WordPress Themes and Plugins ∗∗∗ --------------------------------------------- Nulled WordPress themes and plugins are a controversial topic for many in the web development world - and arguably one of the bigger threats to WordPress security. Essentially modified versions of official WordPress themes and plugins with their licensing restrictions removed, these nulled software copies are often touted as premium functionality packaged in a free download. --------------------------------------------- https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-… ∗∗∗ NimPlant - A light first-stage C2 implant written in Nim and Python ∗∗∗ --------------------------------------------- NimPlant was developed as a learning project and released to the public for transparency and educational purposes. For a large part, it makes no effort to hide its intentions. Additionally, protections have been put in place to prevent abuse. In other words, do NOT use NimPlant in production engagements as-is without thorough source code review and modifications! --------------------------------------------- https://github.com/chvancooten/NimPlant ∗∗∗ Finding forensics breadcrumbs in Android image storage ∗∗∗ --------------------------------------------- [...] In this post I’ll be talking about image scanning apps, and how to reverse engineer them to pinpoint user activity and tie a user to a particular image’s creation from a source file e.g. pages from a PDF. --------------------------------------------- https://www.pentestpartners.com/security-blog/finding-forensics-breadcrumbs… ∗∗∗ Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers ∗∗∗ --------------------------------------------- Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-att… ∗∗∗ QR code generator My QR Code leaks users’ login data and addresses ∗∗∗ --------------------------------------------- My QR Code was informed about the leak almost two weeks ago, yet it failed to respond or secure its server. --------------------------------------------- https://www.hackread.com/qr-code-generator-my-qr-code-data-leak/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Fortinet schließt 40 Sicherheitslücken, PoC-Exploit angekündigt ∗∗∗ --------------------------------------------- Fortinet hat im Februar Updates für diverse Produkte veröffentlicht, die insgesamt 40 Sicherheitslücken schließen. Davon gelten zwei als kritisch. --------------------------------------------- https://heise.de/-7520937 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (c-ares, gnutls28, golang-github-opencontainers-selinux, isc-dhcp, nss, openssl, snort, and thunderbird), Fedora (clamav, curl, phpMyAdmin, thunderbird, vim, webkitgtk, and xen), Red Hat (firefox), Slackware (kernel), SUSE (apache2-mod_security2, gssntlmssp, postgresql-jdbc, postgresql12, and timescaledb), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/923803/ ∗∗∗ Newly Disclosed Vulnerability Exposes EOL Arris Routers to Attacks ∗∗∗ --------------------------------------------- Malwarebytes warns of a remote code execution vulnerability impacting Arris G2482A, TG2492, and SBG10 routers, which have reached end-of-life (EOL). --------------------------------------------- https://www.securityweek.com/newly-disclosed-vulnerability-exposes-eol-arri… ∗∗∗ Critical SQL injection vulnerabilities in MISP (fixed in v2.4.166 and v2.4.167) ∗∗∗ --------------------------------------------- As of the past 2 months, we’ve received two separate reports of two unrelated SQLi vector vulnerabilities in MISP that can lead to any authenticated user being able to execute arbitrary SQL queries in MISP. --------------------------------------------- https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilit… ∗∗∗ IBM Security Bulletins 2023-02-20 ∗∗∗ --------------------------------------------- Flash Storage->RamSan-710, Flash Storage->RamSan-720, Flash Storage->RamSan-810, Flash Storage->RamSan-820, IBM Cloud Object Storage System, IBM Cloud Pak for Applications, IBM FlashSystem 720, IBM FlashSystem 900, IBM Multi-Enterprise Integration Gateway, IBM Multi-Enterprise Integration Gateway, IBM Power E1050 (9043-MRX), IBM Power L1022 (9786-22H), IBM Power L1024 (9786-42H), IBM Power S1014 (9105-41B), IBM Power S1022 (9105-22A), IBM Power S1022s (9105-22B), IBM Power S1024 (9105-42A), IBM WebSphere Hybrid Edition, Tivoli System Automation Application Manager --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2023
by Daily end-of-shift report 17 Feb '23

17 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-02-2023 18:00 − Freitag 17-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Mirai Botnet Variant V3G4 Exploiting 13 Flaws to Target Linux and IoT Devices ∗∗∗ --------------------------------------------- A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. --------------------------------------------- https://thehackernews.com/2023/02/new-mirai-botnet-variant-v3g4.html ∗∗∗ Massenhaft SMS im Namen des Finanzamts im Umlauf ∗∗∗ --------------------------------------------- Wir erhalten derzeit zahlreiche Meldungen zu einer SMS, die im Namen des Finanzamtes versendet wird. Angeblich besteht eine offene Forderung, die trotz mehrfacher Mahnungen nicht beglichen wurde. Bei Nichtzahlung bis zum 18. Februar drohe der Gerichtsvollzieher und die Pfändung. Lassen Sie sich nicht unter Druck setzen. Es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/massenhaft-sms-im-namen-des-finanzam… ∗∗∗ Kritische Sicherheitslücken in ClamAV - Updates verfügbar ∗∗∗ --------------------------------------------- 17. Februar 2023 Beschreibung Zwei kritische Schwachstellen in ClamAV erlauben es unauthentisierten Angreifenden, beliebigen Code auszuführen. CVE-Nummer(n): CVE-2023-20032, CVE-2023-20052 Auswirkungen Die Lücken in ClamAV können durch präparierte HFS+ bzw. DMG Images ausgelöst werden. Da ClamAV oft als Virenscanner in Mailservern eingesetzt wird, können durch den Versand entsprechender Files per Email verwundbare Installationen kompromittiert werden. [...] --------------------------------------------- https://cert.at/de/warnungen/2023/2/kritische-sicherheitslucken-in-clamav ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories ∗∗∗ --------------------------------------------- Secerity Critical: * FortiNAC - External Control of File Name or Path in keyUpload scriptlet * FortiWeb - Stack-based buffer overflows in Proxyd Severity High: 15 Advisories * FortiADC, FortiExtender, FortiNAC, FortiOS, FortiProxy, FortiSwitchManager, FortiWAN, FortiWeb Severity Medium/Low: 23 Advisories --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=02-2023 ∗∗∗ Node.js Thursday February 16 2023 Security Releases ∗∗∗ --------------------------------------------- * OpenSSL Security updates * Node.js Permissions policies can be bypassed via process.mainModule * Node.js OpenSSL error handling issues in nodejs crypto library * Fetch API in Node.js did not protect against CRLF injection in host headers * Regular Expression Denial of Service in Headers in Node.js fetch API * Node.js insecure loading of ICU data through ICU_DATA environment variable * npm update for Node.js 14 --------------------------------------------- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/ ∗∗∗ CISA Releases Fifteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * Siemens Solid Edge * Siemens SCALANCE X-200 IRT * Siemens Brownfield Connectivity Client * Siemens Brownfield Connectivity Gateway * Siemens SiPass integrated AC5102/ACC-G2 and ACC-AP * Siemens Simcenter Femap * Siemens TIA Project Server * Siemens RUGGEDCOM APE1808 * Siemens SIMATIC Industrial Products * Siemens COMOS * Siemens Mendix * Siemens JT Open, JT Utilities, and Parasolid * Sub-IoT DASH 7 Alliance Protocol * Delta Electronic DIAEnergie (Update B) * BD Alaris Infusion Central --------------------------------------------- https://www.cisa.gov/uscert/ncas/current-activity/2023/02/16/cisa-releases-… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (firefox, phpMyAdmin, tpm2-tools, and tpm2-tss), Slackware (mozilla), SUSE (mozilla-nss, rubygem-actionpack-4_2, rubygem-actionpack-5_1, and tar), and Ubuntu (linux-azure and linux-hwe-5.19). --------------------------------------------- https://lwn.net/Articles/923644/ ∗∗∗ Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- * IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to jsonwebtoken CVEs * IBM FlashSystem 9100 family and IBM Storwize V7000 2076-724 (Gen3) systems are NOT affected by security vulnerabilities CVE-2018-12037 and CVE-2018-12038 * IBM MQ Operator and Queue Manager container images are vulnerable to vulnerabilities from libksba and sqlite (CVE-2022-47629 and CVE-2022-35737) * IBM Security Guardium Data Encryption is using Components with Known Vulnerabilities (CVE-2022-31129, CVE-2022-24785) * IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) * IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] * Java vulnerabilities affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * LDAP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple Vulnerabilities in Multicloud Management Security Services * Multiple vulnerabilities found with third-party libraries used by IBM® MobileFirst Platform * Multiple vulnerabilities in Golang Go affect IBM Decision Optimization in IBM Cloud Pak for Data * Multiple vulnerabilities in IBM Java SDK affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Network Security (NSS) vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * OpenSLP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerabilities in IBM Java affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerabilities in IBM Java and Apache Tomcat affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products* Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776) * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2018-11784) * Vulnerability in DHCP affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5732) * Vulnerability in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2019-2602) * Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in OpenSLP affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2017-17833) * Vulnerability in OpenSSL affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in SSH protocols affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2008-5161) * Vulnerability in Service Assistant affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-1775) * Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5391) * Vulnerability in zlib affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Atrocore 1.5.25 Shell Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020029 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2023
by Daily end-of-shift report 16 Feb '23

16 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-02-2023 18:00 − Donnerstag 16-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emsisoft says hackers are spoofing its certs to breach networks ∗∗∗ --------------------------------------------- A hacker is using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emsisoft-says-hackers-are-sp… ∗∗∗ Hackers backdoor Microsoft IIS servers with new Frebniis malware ∗∗∗ --------------------------------------------- Hackers are deploying a new malware named Frebniss on Microsofts Internet Information Services (IIS) that stealthily executes commands sent via web requests. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-backdoor-microsoft-i… ∗∗∗ „Fake Customer Trick“: Kriminelle ergaunern hochwertige Produkte ∗∗∗ --------------------------------------------- Der Name des Halbleiterherstellers Infineon wird derzeit für kriminelle Zwecke missbraucht: Per Mail geben sich Betrüger:innen als Infineon-Mitarbeiter Marcus Schlenker aus und bekunden Interesse an einer Großbestellung. Für die Empfänger:innen klingt das nach einem unkomplizierten und schnellen Geschäft. Doch tatsächlich landen die versendeten Produkte in den Händen von Kriminellen, auf die Bezahlung warten die Opfer vergeblich. --------------------------------------------- https://www.watchlist-internet.at/news/fake-customer-trick-kriminelle-ergau… ∗∗∗ Malware Reverse Engineering for Beginners – Part 2 ∗∗∗ --------------------------------------------- Often, malware targeting Windows will be packed and delivered as a second stage. There are different ways to “deliver” malware to the endpoint. This blog will cover key concepts and examples regarding how malware is packed, obfuscated, delivered, and executed on the endpoint. --------------------------------------------- https://www.intezer.com/blog/incident-response/malware-reverse-engineering-… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday bei Intel: Angreifer könnten Server über Root-Lücke attackieren ∗∗∗ --------------------------------------------- Intel hat für verschiedene Firm- und Software wichtige Sicherheitsupdates veröffentlicht. In vielen Fällen könnten sich Angreifer höhere Rechte verschaffen. --------------------------------------------- https://heise.de/-7517141 ∗∗∗ Jetzt patchen! Entwickler des CMS Joomla warnen vor kritischer Sicherheitslücke ∗∗∗ --------------------------------------------- Es ist ein "sehr wichtiger" Sicherheitspatch für Joomla erscheinen. --------------------------------------------- https://heise.de/-7517312 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (community-mysql, edk2, firefox, and git), Slackware (curl and git), SUSE (apache2-mod_security2, aws-efs-utils, bind, curl, git, ImageMagick, java-11-openjdk, java-17-openjdk, java-1_8_0-openjdk, kernel, libksba, and mozilla-nss), and Ubuntu (golang-golang-x-text, golang-x-text, linux-aws, linux-intel-iotg, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux linux-ibm-5.4, linux-oracle-5.4, linux-gke, linux-gke-5.15, nss, and xorg-server, xorg-server-hwe-16.04). --------------------------------------------- https://lwn.net/Articles/923503/ ∗∗∗ Splunk Enterprise Updates Patch High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Splunk updates for Enterprise products resolve multiple high-severity vulnerabilities, including several in third-party packages. --------------------------------------------- https://www.securityweek.com/splunk-enterprise-updates-patch-high-severity-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.8 ∗∗∗ --------------------------------------------- CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP CVE-2023-25728: Content security policy leak in violation reports using iframes CVE-2023-25730: Screen hijack via browser fullscreen mode CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8 ... --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/ ∗∗∗ MISP 2.4.168 released with bugs fixed, security fixes and major improvements in STIX support. ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.168 with bugs fixed and various security fixes. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.168 ∗∗∗ ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ WAGO: Exposure of configuration interface in unmanaged switches ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-055/ ∗∗∗ IBM App Connect Enterprise is affected by a remote attacker due to the zip4j library [CVE-2023-22899] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955913 ∗∗∗ Multiple vulnerabilities in moment.js affect IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31129, CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852667 ∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850801 ∗∗∗ WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956223 ∗∗∗ Intel Ethernet controllers as used in IBM QRadar SIEM are vulnerable to a denial of service (CVE-2021-0197, CVE-2021-0198, CVE-2021-0199, CVE-2021-0200) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956287 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2023
by Daily end-of-shift report 15 Feb '23

15 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-02-2023 18:00 − Mittwoch 15-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Adobe Patchday: Schadcode-Attacken auf After Effects & Co. möglich ∗∗∗ --------------------------------------------- Adobe hat unter anderem für After Effects, InDesign und Photoshop Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-7496102 ∗∗∗ Bluetooth-Fehler in Android 13 kann Diabetiker gefährden ∗∗∗ --------------------------------------------- Ein Fehler in Android 13 kann die Kommunikation zwischen Blutzuckersensor und zugehöriger App stören. Dann warnt die App nicht vor gefährlicher Unterzuckerung. --------------------------------------------- https://heise.de/-7496644 ∗∗∗ Angreifer attackieren Microsoft 365 und Windows - Mehrere kritische Lücken ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem Azure, Exchange Server und Windows erschienen. Mehrere Lücken sind als "kritisch" eingestuft. --------------------------------------------- https://heise.de/-7496015 ∗∗∗ Abo-Falle beim Kauf von Handyhüllen auf puffcase-official.com ∗∗∗ --------------------------------------------- Wenn Sie auf der Suche nach einer Schutzhülle für Ihr Smartphone sind, nehmen Sie sich vor puffcase-official.com in Acht. Während die „Puffcases“ auf den ersten Blick günstig wirken und zu einem schnellen Kauf verleiten, stellt sich die Seite als Abo-Falle heraus. Davon erfahren Sie erst, wenn die neuerliche Abbuchung auf Ihrer Kreditkarte auftaucht. Bestellen Sie hier nicht! --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-beim-kauf-von-handyhuellen… ∗∗∗ NPM packages posing as speed testers install crypto miners instead ∗∗∗ --------------------------------------------- A new set of 16 malicious NPM packages are pretending to be internet speed testers but are, in reality, coinminers that hijack the compromised computers resources to mine cryptocurrency for the threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-packages-posing-as-speed… ∗∗∗ Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack ∗∗∗ --------------------------------------------- Gone in 60 seconds using a USB-A plug and brute force instead of a key Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/02/15/hyundai_kia_… ∗∗∗ PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered Pybot DDoS being distributed with illegal software. The program used as bait by the threat actor is a token generator called Nitro Generator. Nitro is a paid Discord service with various benefits which can be seen below in Figure 1. Nitro Generator is a tool that generates codes that can be used for free access to Nitro. --------------------------------------------- https://asec.ahnlab.com/en/47789/ ∗∗∗ cURL audit: How a joke led to significant findings ∗∗∗ --------------------------------------------- In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. [..] the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect the many software applications that use libcurl. This blog post describes how we found the following vulnerabilities --------------------------------------------- https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-… ∗∗∗ ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric ∗∗∗ --------------------------------------------- Siemens has published 13 new advisories covering a total of 86 vulnerabilities. [..] Schneider Electric has published three advisories covering 10 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-100-vulnerabilities-addresse… ∗∗∗ DNS Abuse Techniques Matrix ∗∗∗ --------------------------------------------- The FIRST DNS Abuse SIG has been working on a document for some time, which has now finally been published: a matrix of DNS abuse techniques and their stakeholders. Its intended to help people experiencing DNS abuse, particularly incident responders and security teams. --------------------------------------------- https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf ∗∗∗ Sustained Activity by Threat Actors ∗∗∗ --------------------------------------------- The European Union Agency for Cybersecurity (ENISA) and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report to alert on sustained activity by particular threat actors. The malicious cyber activities of the presented threat actors pose a significant and ongoing threat to the European Union. --------------------------------------------- https://www.enisa.europa.eu/news/sustained-activity-by-threat-actors ∗∗∗ Abusing Azure App Service Managed Identity Assignments ∗∗∗ --------------------------------------------- [...] Managed Identities are great and admins should absolutely use them. But admins also need to understand the risks that come with Managed Identities and how to deal with those risks. In this blog post I will explain those risks, demonstrate how an attacker can abuse App Service Managed Identity assignments, and show you how to identify and deal with those risks yourself. --------------------------------------------- https://posts.specterops.io/abusing-azure-app-service-managed-identity-assi… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD: Cross-Thread Return Address Predictions ∗∗∗ --------------------------------------------- AMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges. --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045 ∗∗∗ HAProxy Security Update (CVE-2023-25725) ∗∗∗ --------------------------------------------- A team of security researchers notified me on Thursday evening that they had found a dirty bug in HAProxys headers processing, and that, when properly exploited, this bug allows to build an HTTP content smuggling attack. [..] The issue was fixed in all versions and all modes (HTX and legacy), and all versions were upgraded. [..] Distros were notified (not very long ago admittedly, the delay was quite short for them) and updated packages will appear soon. --------------------------------------------- https://www.mail-archive.com/haproxy@formilux.org/msg43229.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28 and haproxy), Fedora (syslog-ng), Mageia (apr-util, chromium-browser-stable, editorconfig-core-c, ffmpeg, libzen, phpmyadmin, tpm2-tss, and webkit2), Oracle (kernel and kernel-container), Slackware (mozilla and php), SUSE (git, haproxy, kernel, nodejs18, phpMyAdmin, and timescaledb), and Ubuntu (APR-util, git, and haproxy). --------------------------------------------- https://lwn.net/Articles/923364/ ∗∗∗ Lenovo Product Security Advisories ∗∗∗ --------------------------------------------- * AMI MegaRAC SP-X BMC Redfish Vulnerabilities * AMI MegaRAC SP-X BMC Vulnerabilities * Crypto API Toolkit for Intel SGX Advisory * Intel Ethernet Controllers and Adapters Advisory * Intel Ethernet VMware Drivers Advisory * Intel Integrated Sensor Solution Advisory * Intel Server Platform Services (SPS) Vulnerabilities * Intel SGX SDK Advisory * Multi-Vendor BIOS Security Vulnerabilities (February 2023) --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Released: February 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released Security Updates (SUs) for vulnerabilities found in:Exchange Server 2013Exchange Server 2016Exchange Server 2019SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.SUs are available for the following specific versions of Exchange Server:Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)Exchange Server 2016 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-426 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-426.html ∗∗∗ Advisory: Impact of Insyde UEFI Boot Issues on B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16759315… ∗∗∗ ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus Dashboard Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus Dashboard Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Email Security Appliance and Cisco Secure Email and Web Manager Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2023
by Daily end-of-shift report 14 Feb '23

14 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 13-02-2023 18:00 − Dienstag 14-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New stealthy Beep malware focuses heavily on evading detection ∗∗∗ --------------------------------------------- A new stealthy malware named Beep was discovered last week, featuring many features to evade analysis and detection by security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-beep-malware-fo… ∗∗∗ Exploiting a remote heap overflow with a custom TCP stack ∗∗∗ --------------------------------------------- In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required to mess with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it. --------------------------------------------- https://www.synacktiv.com/publications/exploiting-a-remote-heap-overflow-wi… ∗∗∗ Securing Open-Source Solutions: A Study of osTicket Vulnerabilities ∗∗∗ --------------------------------------------- One of the applications assessed was osTicket, an open-source ticketing system. With distinctive features and plugins, osTicket gives users the ability to “Manage, organize, and archive all your support requests and responses (...).” During our assessment, the Checkmarx Labs team found some interesting vulnerabilities. In this blog/report, not only will we disclose some of the identified vulnerabilities but also elaborate on the team’s approach to identifying them. --------------------------------------------- https://checkmarx.com/blog/securing-open-source-solutions-a-study-of-ostick… ∗∗∗ Amazon: Vorsicht vor Fake-Anrufen ∗∗∗ --------------------------------------------- Aktuell geben sich Kriminelle als Mitarbeiter:innen von Amazon aus und täuschen ein Problem mit Ihrer Bestellung vor. Sie werden aufgefordert Zahlungsdaten zu übermitteln, Zahlungen freizugeben und eine Wartungssoftware wie TeamViewer zu installieren. Legen Sie auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-vorsicht-vor-fake-anrufen/ ∗∗∗ A Deep Dive into Reversing CODESYS ∗∗∗ --------------------------------------------- This white paper offers a technical deep dive into PLC protocols and how to safely scan CODESYS-based ICS networking stacks. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/14/a-deep-dive-into-reversing-code… ∗∗∗ Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys ∗∗∗ --------------------------------------------- Aabquerys use the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery. --------------------------------------------- https://www.hackread.com/typosquatting-abquery-package-aabquerys/ ===================== = Vulnerabilities = ===================== ∗∗∗ Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug ∗∗∗ --------------------------------------------- Conditional code considered cryptographically counterproductive. --------------------------------------------- https://nakedsecurity.sophos.com/2023/02/13/serious-security-gnutls-follows… ∗∗∗ Patch Now: Apples iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw ∗∗∗ --------------------------------------------- Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild.Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution. --------------------------------------------- https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html ∗∗∗ Patchday: SAP schützt seine Software vor möglichen Attacken ∗∗∗ --------------------------------------------- Es sind unter anderem für SAP BusinessObjects und SAP Start Service wichtige Sicherheitsupdates erschienen. --------------------------------------------- https://heise.de/-7494856 ∗∗∗ Bestimmte auf HP-Computern vorinstallierte Windows-10-Versionen sind verwundbar ∗∗∗ --------------------------------------------- Wer einen PC von HP mit einer älteren Windows-10-Ausgabe nutzt, sollte einen Sicherheitspatch installieren. --------------------------------------------- https://heise.de/-7494955 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django). --------------------------------------------- https://lwn.net/Articles/923267/ ∗∗∗ Citrix Virtual Apps and Desktops Security Bulletin for CVE-2023-24483 ∗∗∗ --------------------------------------------- A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA. CVE-2023-24483 --------------------------------------------- https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-deskto… ∗∗∗ Citrix Workspace app for Windows Security Bulletin for CVE-2023-24484 & CVE-2023-24485 ∗∗∗ --------------------------------------------- A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA. CVE-2023-24484 & CVE-2023-24485 --------------------------------------------- https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windo… ∗∗∗ Citrix Workspace app for Linux Security Bulletin for CVE-2023-24486 ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched. CVE-2023-24486 --------------------------------------------- https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux… ∗∗∗ SonicWall Email Security Information Discloser Vulnerability ∗∗∗ --------------------------------------------- SonicWall Email Security contains a vulnerability that could permit a remote unauthenticated attacker access to an error page that includes sensitive information about users email addresses. CVE: CVE-2023-0655 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0002 ∗∗∗ The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- The installers of ELECOM Camera Assistant and QuickFileDealer provided by ELECOM CO.,LTD. may insecurely load Dynamic Link Libraries. --------------------------------------------- https://jvn.jp/en/jp/JVN60263237/ ∗∗∗ Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools ∗∗∗ --------------------------------------------- tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN00712821/ ∗∗∗ 101news By Mayuri K 1.0 SQL Injection ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020025 ∗∗∗ Developed by Ameya Computers LOGIN SQL INJECTİON ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020024 ∗∗∗ SSA-953464 V1.0: Multiple Vulnerabilites in Siemens Brownfield Connectivity - Client before V2.15 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf ∗∗∗ SSA-847261 V1.0: Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf ∗∗∗ SSA-836777 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-836777.pdf ∗∗∗ SSA-744259 V1.0: Golang Vulnerabilities in Brownfield Connectivity - Gateway before V1.10.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf ∗∗∗ SSA-693110 V1.0: Buffer Overflow Vulnerability in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-693110.pdf ∗∗∗ SSA-686975 V1.0: IPU 2022.3 Vulnerabilities in Siemens Industrial Products using Intel CPUs ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-686975.pdf ∗∗∗ SSA-658793 V1.0: Command Injection Vulnerability in SiPass integrated AC5102 / ACC-G2 and ACC-AP ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-658793.pdf ∗∗∗ SSA-640968 V1.0: Untrusted Search Path Vulnerability in TIA Project-Server formerly known as TIA Multiuser Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-640968.pdf ∗∗∗ SSA-617755 V1.0: Denial of Service Vulnerability in the SNMP Agent of SCALANCE X-200IRT Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-617755.pdf ∗∗∗ SSA-565356 V1.0: X_T File Parsing Vulnerabilities in Simcenter Femap before V2023.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-565356.pdf ∗∗∗ SSA-491245 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf ∗∗∗ SSA-450613 V1.0: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808 Product Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-450613.pdf ∗∗∗ SSA-252808 V1.0: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf ∗∗∗ PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-001/ ∗∗∗ Weintek EasyBuilder Pro cMT Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-045-01 ∗∗∗ Advisory: Reflected Cross-Site Scripting Vulnerabitities in SDM ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16756072… ∗∗∗ IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to Apache Commons Text [CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955251 ∗∗∗ IBM App Connect Enterprise Certified Container operands may be vulnerable to security restrictions bypass due to [CVE-2021-25743] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955255 ∗∗∗ IBM Sterling Control Center is vulnerable to a denial of service due to Jave SE (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955277 ∗∗∗ IBM Sterling Control Center is vulnerable to security bypass due to Eclipse Openj9 (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955281 ∗∗∗ CVE-2022-21624 may affect IBM\u00ae SDK, Java\u2122 Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955493 ∗∗∗ CVE-2022-3676 may affect Eclipse Openj9 used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955497 ∗∗∗ IBM QRadar SIEM is vulnerable to possible information disclosure [CVE-2023-22875] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2023
by Daily end-of-shift report 13 Feb '23

13 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-02-2023 18:00 − Montag 13-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Erpressungstrojaner Play infiltriert Systeme von A10 Networks ∗∗∗ --------------------------------------------- Angreifer konnten auf interne Daten des Herstellers von Netzwerkgeräten A10 Networks zugreifen. Kundendaten sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-7493748 ∗∗∗ Gefälschtes Therme Wien-Gewinnspiel auf Facebook ∗∗∗ --------------------------------------------- Auf Facebook kursiert momentan ein betrügerisches Gewinnspiel für einen Tagesurlaub inklusive Massage in der Therme Wien. Das Gewinnspiel, das von der Facebook-Seite „Freizeit-Helden“ beworben wird, steht aber in keinem Zusammenhang mit der Therme Wien und sammelt Daten. Nehmen Sie nicht teil und melden Sie das Posting. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-therme-wien-gewinnspiel… ∗∗∗ Details zur LocalPotato NTLM Authentication-Schwachstelle (CVE-2023-21746) ∗∗∗ --------------------------------------------- Mitte Januar 2023 Monat hatte ich im Blog-Beitrag Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) auf eine lokale NTLM-Authentifizierungsschwachstelle (CVE-2023-21746) hingewiesen. Die Entdecker bezeichnen diese als LocalPotator, hatten seinerzeit aber keine Details offen gelegt. Jetzt wurde dies nachgeholt. --------------------------------------------- https://www.borncity.com/blog/2023/02/11/details-zur-localpotato-ntlm-authe… ∗∗∗ We had a security incident. Here’s what we know. ∗∗∗ --------------------------------------------- TL:DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems. --------------------------------------------- https://www.reddit.com/r/netsec/comments/10y59q2/we_had_a_security_incident… ∗∗∗ Devs targeted by W4SP Stealer malware in malicious PyPi packages ∗∗∗ --------------------------------------------- Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-steale… ∗∗∗ Security baseline for Microsoft Edge version 110 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 110! We have reviewed the new settings in Microsoft Edge version 110 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. Microsoft Edge version 110 introduced 13 new computer settings and 13 new user settings. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ PCAP Data Analysis with Zeek, (Sun, Feb 12th) ∗∗∗ --------------------------------------------- Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek [1] can help to simplify network traffic analysis. It can also help save a lot of storage space. I'll be going through and processing some PCAP data collected from my honeypot. --------------------------------------------- https://isc.sans.edu/diary/rss/29530 ∗∗∗ Linux auditd for Threat Hunting [Part 2] ∗∗∗ --------------------------------------------- In this part, I will highlight only 1 technique (process/command execution) and explain the fields. In Part 3, I will show you tests I ran for several other behaviors. --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-hunting-part-2-c75500f5… ∗∗∗ Crypto Wallet Address Replacement Attack ∗∗∗ --------------------------------------------- At around 17:49 UTC on 9 February 2023, Phylum’s automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. This time, however, the attacker changed the obfuscation technique and radically increased the volume of attacks. [..] over 451 unique packages. These targeted some very popular packages, many of them in the crypto/finance and web development space --------------------------------------------- https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-repla… ∗∗∗ The Linux Kernel and the Cursed Driver (CVE-2022-4842) ∗∗∗ --------------------------------------------- TL;DR: We found a bug in the not-so-well-maintained NTFS3 driver in Linux. Abusing the vulnerability could lead to a denial-of-service (DoS) attack on machines with a mounted NTFS filesystem. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/the-linux-kernel-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Monitorr 1.7.6 Shell Upload ∗∗∗ --------------------------------------------- Topic: Monitorr 1.7.6 Shell Upload Risk: High Text:# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution # Exploit Author: Achuth V P (retrymp3... --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020021 ∗∗∗ Cisco Email Security Appliance URL Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- On January 18, 2023, Cisco disclosed the following: A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. [...] After additional investigation, it was determined that this vulnerability is not exploitable. For more information, see the Workarounds section of this advisory. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ABB Cyber Security Advisory: Drive Composer multiple vulnerabilities ∗∗∗ --------------------------------------------- Affected products: CVE-2018-1285, CVE-2022-35737, CVE-2021-27293, CVE-2022-37434: - Drive Composer entry 2.8 and earlier - Drive Composer pro 2.8 and earlier. CVE-2018-1002205: - Drive Composer entry 2.4 and earlier - Drive Composer pro 2.4 and earlier An attacker who successfully exploited these vulnerabilities could cause the product to stop, make the product inaccessible or insert and run arbitrary code. --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=9AKK1… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/923163/ ∗∗∗ Wordpress Multiple themes - Unauthenticated Arbitrary File Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020022 ∗∗∗ NEC PC Settings Tool vulnerable to missing authentication for critical function ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60320736/ ∗∗∗ Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN98612206/ ∗∗∗ IBM Security Bulletins 2023-02-13 ∗∗∗ --------------------------------------------- * AIX is vulnerable to denial of service vulnerabilities * IBM Cloud Pak for Network Automation v2.4.3 addresses multiple security vulnerabilities * IBM MQ Appliance is vulnerable to an unspecified Java SE vulnerability (CVE-2022-21626) * IBM PowerVM Novalink is vulnerable because Apache Commons IO could allow a remote attacker to traverse directories on the system * IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to protobuf-java core and lite are vulnerable to a denial of service. (CVE-2022-3509) * IBM PowerVM Novalink is vulnerable because Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. (CVE-2022-21628) * IBM QRadar SIEM includes multiple components with known vulnerabilities * IBM QRadar SIEM is vulnerable to information exposure (CVE-2022-34351) * IBM Security Directory Integrator is affected by multiple security vulnerabilities * IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579) * IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970) * IBM Sterling B2B Integrator is vulnerable to http header injection due to IBM WebSphere Application Server (CVE-2022-34165) * IBM Sterling Connect:Direct FTP+ is vulnerable to denial of service due to IBM Java (CVE-2022-21626) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js bunyan module command execution * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities with ca-certificates, OpenJDK, Sudo affect IBM Cloud Object Storage Systems (Feb 2023v1) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2023
by Daily end-of-shift report 10 Feb '23

10 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-02-2023 18:00 − Freitag 10-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Obfuscated Deactivation of Script Block Logging, (Fri, Feb 10th) ∗∗∗ --------------------------------------------- PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one. --------------------------------------------- https://isc.sans.edu/diary/rss/29538 ∗∗∗ Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign ∗∗∗ --------------------------------------------- Late last year we reported on a malware campaign targeting thousands of WordPress websites to redirect visitors to bogus Q&A websites. The sites themselves contained very little useful information to a regular visitor, but — more importantly — also contained Google Adsense advertisements. It appeared to be an attempt to artificially pump ad views to generate revenue. Since September, our SiteCheck remote scanner has detected this campaign on 10,890 infected sites. --------------------------------------------- https://blog.sucuri.net/2023/02/bogus-url-shorteners-redirect-thousands-of-… ∗∗∗ Cracking the Odd Case of Randomness in Java ∗∗∗ --------------------------------------------- During a recent white-box assessment, we came across the use of RandomStringUtils.randomAlphanumeric being used in a security sensitive context. We knew it used Java’s weak java.util.Random class but were interested in seeing how practically exploitable it actually was, so we decided to dig into it and see how it worked under the hood. --------------------------------------------- https://www.elttam.com/blog/cracking-randomness-in-java/ ∗∗∗ What are the writable shares in this big domain? ∗∗∗ --------------------------------------------- RSMBI is a python tool that answers to the question: What are the writable shares in this big domain? RSMBI connect to each target and it mounts the available shares in the /tmp folder (but that can also be changed). Once the shares are successfully mounted the threads (or the solo one) would start (os.)walking recursively all the folders, trying get a file handle with writing rights. --------------------------------------------- https://github.com/oldboy21/RSMBI ∗∗∗ 0Day Avalanche Blockchain API DoS ∗∗∗ --------------------------------------------- This is a remote API DoS/crash that should OOM chain P and render a vulnerable node mostly or entirely useless. --------------------------------------------- https://g.livejournal.com/15852.html ∗∗∗ Fake-Spendenaufrufe: Kriminelle missbrauchen Erdbebenkatastrophe ∗∗∗ --------------------------------------------- Das Erdbeben in der Türkei und in Nordsyrien löste eine Welle der Hilfsbereitschaft aus. Es gibt zahlreiche Möglichkeiten, um Überlebende finanziell zu unterstützen. Kriminelle missbrauchen die humanitäre Krise und versuchen auf verschiedenen Wegen die Solidarität durch Fake-Spendenaufrufe auszunutzen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-spendenaufrufe-kriminelle-missb… ===================== = Vulnerabilities = ===================== ∗∗∗ CKSource CKEditor5 35.4.0 Cross Site Scripting ∗∗∗ --------------------------------------------- CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data. --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020019 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift). --------------------------------------------- https://lwn.net/Articles/922929/ ∗∗∗ Statement About the DoS Vulnerability in the E5573Cs-322 ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20230210-01… ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954671 ∗∗∗ Vulnerabilities in IBM Semeru Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619, CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954673 ∗∗∗ Vulnerability in IBM Java Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954675 ∗∗∗ Vulnerability in IBM Java (CVE-2022-3676) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954681 ∗∗∗ Vulnerability in IBM Java (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954683 ∗∗∗ Vulnerability in Firefox (CVE-2022-43926) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954679 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954685 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to arbitrary code execution due to [CVE-2022-45907] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954691 ∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954695 ∗∗∗ CVE-2022-3676 may affect IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954701 ∗∗∗ IBM MQ Appliance is vulnerable to identity spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6823807 ∗∗∗ IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2021-45485, CVE-2021-45486 and CVE-2022-1012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851373 ∗∗∗ IBM MQ Appliance is vulnerable to HTTP header injection (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622055 ∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622053 ∗∗∗ IBM MQ Appliance is vulnerable to improper session invalidation (CVE-2022-40230) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622051 ∗∗∗ IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622041 ∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622047 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of servce due to IBM Java (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954727 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM\/GKLM) (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2023
by Daily end-of-shift report 09 Feb '23

09 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-02-2023 18:00 − Donnerstag 09-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ESXiArgs ransomware version prevents VMware ESXi recovery ∗∗∗ --------------------------------------------- New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-vers… ∗∗∗ Solving one of NOBELIUM’s most novel attacks: Cyberattack Series ∗∗∗ --------------------------------------------- This is the first in an ongoing series exploring some of the most notable cases of the Microsoft Detection and Response Team (DART), which investigates cyberattacks on behalf of our customers. The Cyberattack Series takes you behind the scenes for an inside look at the investigation and share lessons that you can apply to better protect your own organization. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nob… ∗∗∗ [SANS ISC] A Backdoor with Smart Screenshot Capability ∗∗∗ --------------------------------------------- Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being “smart” means performing actions depending on the context, the environment, or user actions. For a while, backdoors and trojans have implemented screenshot capabilities. From an attacker’s point of view, it’s interesting to “see” what’s displayed on the victim’s computer. --------------------------------------------- https://blog.rootshell.be/2023/02/09/sans-isc-a-backdoor-with-smart-screens… ∗∗∗ Exploit Vector Analysis of Emerging ESXiArgs Ransomware ∗∗∗ --------------------------------------------- In recent days CVE-2021-21974, a heap-overflow vulnerability in VMWare ESXi’s OpenSLP service has been prominently mentioned in the news in relation to a wave of ransomware effecting numerous organizations. The relationship between CVE-2021-21974 and the ransomware campaign may be blown out of proportion. We do not currently know what the initial access vector is, and it is possible it could be any of the vulnerabilities related to ESXi’s OpenSLP service. --------------------------------------------- https://www.greynoise.io/blog/exploit-vector-analysis-of-emerging-esxiargs-… ∗∗∗ Passwort-Manager: Umstrittene Sicherheitslücke in KeePass beseitigt ∗∗∗ --------------------------------------------- Eine viel diskutierte Sicherheitslücke, die Einbrechern im System den Passwort-Export erleichterte, hat der Entwickler nun mit einem Update geschlossen. --------------------------------------------- https://heise.de/-7489944 ∗∗∗ Datenleck: Deezer informiert Kunden jetzt per E-Mail ∗∗∗ --------------------------------------------- 230 Millionen Deezer-Datensätze wurden entwendet und etwa beim Have-I-been-pwned-Projekt hinzugefügt. Jetzt informiert Deezer betroffene Kunden darüber. --------------------------------------------- https://heise.de/-7490760 ∗∗∗ Teures Visum bei asia-visa.com ∗∗∗ --------------------------------------------- Sie möchten ein Visum für Thailand oder Vietnam beantragen? Bei einer Internetrecherche stoßen Sie möglicherweise auf asia-visa.com – ein Anbieter, der Ihnen den „Papierkram“ abnimmt. Wir raten Ihnen ab, das überteuerte Angebot zu nutzen und empfehlen, die Einreisegenehmigung über die offizielle Stelle zu beantragen. --------------------------------------------- https://www.watchlist-internet.at/news/teures-visum-bei-asia-visacom/ ∗∗∗ CISA and FBI Release ESXiArgs Ransomware Recovery Guidance ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/08/cisa-and-fbi-rele… ∗∗∗ Neue PayPal-Betrugsmasche – mit echten Push-Benachrichtigungen (Feb. 2023) ∗∗∗ --------------------------------------------- Über Twitter bin ich auf eine neue Betrugsmasche hingewiesen worden, die Leute schon mal ins Boxhorn jagen kann. Denn die Masche beginnt, dass das Opfer eine Push-Benachrichtigung von PayPal über eine Zahlung (per Einzug) bekommt. Aber die Nachricht ist trotzdem Betrug und hat das Ziel, an Daten des Opfers heranzukommen. Ich habe die Hinweise auf Twitter mal in diesem Beitrag zusammen gefasst. --------------------------------------------- https://www.borncity.com/blog/2023/02/08/neue-paypal-betrugsmasche-mit-echt… ∗∗∗ Sicherheitsvorfall bei wargaming.net (Feb. 2023)? ∗∗∗ --------------------------------------------- Ein Leser hat mich auf einen Sicherheitsvorfall beim Spieleentwickler wargaming.net aufmerksam gemacht. Ich habe dann ein wenig recherchiert, ist nicht der erste Vorfall bei diesem Anbieter. Es könnte aber auch ein Phishing-Versuch sein (das versuche ich noch zu klären). Hier einige Informationen, was mir bekannt ist. --------------------------------------------- https://www.borncity.com/blog/2023/02/09/sicherheitsvorfall-bei-wargaming-n… ∗∗∗ Evasion Techniques Uncovered: An Analysis of APT Methods ∗∗∗ --------------------------------------------- DLL search order hijacking and DLL sideloading are commonly used by nation state sponsored attackers to evade detection. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/09/evasion-techniques-uncovered-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Zoho ManageEngine ServiceDesk Plus 14003 Remote Code Execution ∗∗∗ --------------------------------------------- This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status. --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020017 ∗∗∗ SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow ∗∗∗ --------------------------------------------- The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php ∗∗∗ Angreifer könnten über Nvidia GeForce Experience Daten manipulieren ∗∗∗ --------------------------------------------- In der aktuellen Version das Grafikkarten-Tools GeForce Experience von Nvidia haben die Entwickler drei Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7490068 ∗∗∗ Notfallpatch für Dateiübertragungslösung GoAnywhere MFT erschienen ∗∗∗ --------------------------------------------- Admins können ihre GoAnywhere-MFT-Server (On-Premises) nun mit einem Sicherheitsupdate gegen aktuelle laufende Attacken absichern. --------------------------------------------- https://heise.de/-7490040 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird). --------------------------------------------- https://lwn.net/Articles/922756/ ∗∗∗ Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras ∗∗∗ --------------------------------------------- A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time. [...] Dahua device vulnerabilities may be targeted by DDoS botnets, but in the case of CVE-2022-30564, it would most likely be exploited in highly targeted attacks whose goal is to tamper with evidence, rather than cybercrime operations. The issue was reported to the vendor in the fall of 2022. Dahua has released patches for each of the impacted devices. --------------------------------------------- https://www.securityweek.com/vulnerability-allows-hackers-to-remotely-tampe… ∗∗∗ CVE-2023-0003 Cortex XSOAR: Local File Disclosure Vulnerability in the Cortex XSOAR Server (Severity: MEDIUM) ∗∗∗ --------------------------------------------- A file disclosure vulnerability in the Palo Alto Networks Cortex XSOAR server software enables an authenticated user with access to the web interface to read local files from the server. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0003 ∗∗∗ CVE-2023-0002 Cortex XDR Agent: Product Disruption by Local Windows User (Severity: MEDIUM) ∗∗∗ --------------------------------------------- A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to execute privileged cytool commands that disable or uninstall the agent. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0002 ∗∗∗ CVE-2023-0001 Cortex XDR Agent: Cleartext Exposure of Agent Admin Password (Severity: MEDIUM) ∗∗∗ --------------------------------------------- An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0001 ∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-24964) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953519 ∗∗∗ IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6891111 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Eclipse Openj9 security bypass (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953807 ∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953825 ∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953873 ∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953879 ∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953641 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953593 ∗∗∗ Vulnerability in Axios affects IBM Process Mining . IBM X-Force ID: 232247 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6611183 ∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0208 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852405 ∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0148 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852407 ∗∗∗ Vulnerability in d3-color affects IBM Process Mining . WS-2022-0322 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856473 ∗∗∗ IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for user privilege escalation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6909427 ∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954391 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to HTTP header injection due WebSphere Liberty Server (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954401 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954403 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954405 ∗∗∗ Vulnerability in Apache Commons Text affects IBM Process Mining . CVE-2022-42889 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954409 ∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954411 ∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954421 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2023
by Daily end-of-shift report 08 Feb '23

08 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-02-2023 18:00 − Mittwoch 08-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware-Attacke: CISA veröffentlicht Wiederherstellungsskript für VMware ESXi ∗∗∗ --------------------------------------------- Die US-amerikanische Cyber-Sicherheitsbehörde CISA hat ein Wiederherstellungsskript bereitgestellt, mit dem betroffene Server gerettet werden könnten. --------------------------------------------- https://heise.de/-7488498 ∗∗∗ Achtung: Betrügerische Rechnungen in E-Mails und PayPal-App! ∗∗∗ --------------------------------------------- PayPal-User:innen aufgepasst: Kriminelle stellen aktuell Coinbase-Rechnungen über PayPal. Diese Rechnungen landen dadurch sowohl in Ihrem Mail-Postfach, als auch Ihrer PayPal-App und können dadurch für echt gehalten werden! Ignorieren Sie die Rechnungen und setzen Sie sich bei Unklarheiten mit PayPal in Verbindung. Bezahlen Sie nichts und befolgen Sie keinesfalls die Händler-Anweisungen aus der Rechnung. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betruegerische-rechnungen-in… ∗∗∗ Sicherheitsupdate: Acht Sicherheitslücken in OpenSSL geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Softwarebibliothek für verschlüsselte Verbindungen OpenSSL attackieren. Der Bedrohungsgrad hält sich aber in Grenzen. --------------------------------------------- https://heise.de/-7489560 ∗∗∗ Medusa botnet returns as a Mirai-based variant with ransomware sting ∗∗∗ --------------------------------------------- A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-m… ∗∗∗ Simple HTML Phishing via Telegram Bot, (Wed, Feb 8th) ∗∗∗ --------------------------------------------- Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them. --------------------------------------------- https://isc.sans.edu/diary/rss/29528 ∗∗∗ Post-Exploitation: Abusing the KeePass Plugin Cache ∗∗∗ --------------------------------------------- This blog post presents a post-exploitation approach to inject code into KeePass without process injection. It is performed by abusing the cache resulting from the compilation of PLGX plugin. --------------------------------------------- https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cac… ∗∗∗ A Detailed Analysis of a New Stealer Called Stealerium ∗∗∗ --------------------------------------------- Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. --------------------------------------------- https://securityscorecard.com/research/a-detailed-analysis-of-a-new-stealer… ∗∗∗ Rustproofing Linux (nccgroup) ∗∗∗ --------------------------------------------- The nccgroup blog is carrying afour-part series by Domen Puncer Kugler on how vulnerabilities can maketheir way into device drivers written in Rust. In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least, for a little while longer. --------------------------------------------- https://lwn.net/Articles/922638/ ∗∗∗ Pwn2Owning Two Hosts at the Same Time: Abusing Inductive Automation Ignition’s Custom Deserialization ∗∗∗ --------------------------------------------- Pwn2Own Miami 2022 was a fine competition. At the contest, I successfully exploited three different targets. In this blog post, I would like to show you my personal best research of the competition: the custom deserialization issue in Inductive Automation Ignition. --------------------------------------------- https://www.thezdi.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-… ∗∗∗ CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability ∗∗∗ --------------------------------------------- Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-obser… ∗∗∗ How to Use Cloud Access Security Brokers for Data Protection ∗∗∗ --------------------------------------------- A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise’s security policies whenever cloud-based resources are accessed. --------------------------------------------- https://www.hackread.com/cloud-access-security-brokers-data-protection/ ===================== = Vulnerabilities = ===================== ∗∗∗ PMASA-2023-1 ∗∗∗ --------------------------------------------- XSS vulnerability in drag-and-drop upload Affected Versions: phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0. --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2023-1/ ∗∗∗ Webbrowser: Google Chrome dichtet Sicherheitslecks ab und ändert Release-Zyklus ∗∗∗ --------------------------------------------- Der Webbrowser Google Chrome 110 schließt 15 teils hochriskante Schwachstellen. Der Hersteller stellt zudem auf ein neues Release-System um. --------------------------------------------- https://heise.de/-7488524 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/922626/ ∗∗∗ Tuesday February 14 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, 18.x and 19.x releases lines on or shortly after, Tuesday February 14 2023 in order to address: 2 low severity issues. 2 medium severity issues. 1 high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases ∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in The Huawei Children Smart Watch (Simba-AL00) ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvithc… ∗∗∗ IBM Security Bulletins 2023-02-08 ∗∗∗ --------------------------------------------- * A Security Vulnerability has been identified in the IBM Java SDK as shipped with IBM Security Verify Access. * IBM Aspera Orchestrator affected by vulnerability (CVE-2022-28615) * IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577) * IBM® Db2® is vulnerable to an information disclosure vulnerabilitiy due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927) * IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) * IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted Load command. (CVE-2022-43929) * IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability) (CVE-2022-41966) * IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Express.js Express denial of service (CVE-2022-24999) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Moment denial of service (CVE-2022-31129) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js follow-redirects module information disclosure vulnerabilities (CVE-2022-0536, CVE-2022-0155) * IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787) * IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) * Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2 * Multiple vulnerabilities in the Expat library affect IBM® Db2® Net Search Extender may lead to denial of service or arbitrary code execution. * Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. * Unspecified vulnerability in Java Affects IBM Infosphere Global Name Management (CVE-2022-21496) * Vulnerabilities in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476) * Vulnerability in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-34165) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2023
by Daily end-of-shift report 07 Feb '23

07 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-02-2023 18:00 − Dienstag 07-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researcher breaches Toyota supplier portal with info on 14,000 partners ∗∗∗ --------------------------------------------- The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022. EatonWorks published a detailed writeup about the discoveries today after 90 days disclosure process had passed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-s… ∗∗∗ APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th) ∗∗∗ --------------------------------------------- Many of the bots I am observing attempt to detect the infected system&#;x26;#;39;s public ("WAN") IP address. Most of these systems are assumed to be behind NAT. To detect the external IP address, these bots use various public APIs. It may be helpful to detect these requests. Many use unique host names. This will make detecting the request in DNS logs easy even if TLS is not intercepted. --------------------------------------------- https://isc.sans.edu/diary/rss/29516 ∗∗∗ Android Security Bulletin—February 2023 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. [..] The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. --------------------------------------------- https://source.android.com/docs/security/bulletin/2023-02-01 ∗∗∗ Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console ∗∗∗ --------------------------------------------- AWS applies a rate limit to authentication requests made to the AWS Console, in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness was since mitigated by AWS. --------------------------------------------- https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/ ∗∗∗ Smishing: Vorsicht vor Fake Magenta-SMS ∗∗∗ --------------------------------------------- Momentan sind vermehrt gefälschte Magenta-SMS im Umlauf. In der Nachricht wird behauptet, dass Ihre Rechnung nicht beglichen werden konnte. Klicken Sie nicht auf den Link – dieser führt zu einer gefälschten Magenta-Seite, wo Kriminelle Ihre Daten und Ihr Geld stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/smishing-vorsicht-vor-diesem-fake-ma… ∗∗∗ Saferinternet.at-Studie: Jugendliche und Falschinformationen im Internet ∗∗∗ --------------------------------------------- Anlässlich des heutigen Safer Internet Day führte Saferinternet.at eine Studie zum Thema „Jugendliche und Falschinformationen im Internet“ durch. Die Studienergebnisse zeigen, dass Österreichs Jugendliche beim Umgang mit Informationen im Internet in einem Dilemma stecken: Die Jugendlichen informieren sich zu Alltagsthemen vor allem über soziale Medien, vertrauen den dort bezogenen Informationen jedoch kaum. --------------------------------------------- https://www.watchlist-internet.at/news/studie-jugendliche-und-falschinforma… ∗∗∗ Safer Internet Day: FAQ Internetsicherheit für Kinder und Jugendliche ∗∗∗ --------------------------------------------- Im Internet lauern für Heranwachsende viele Gefahren, die sie noch nicht einschätzen können. Mit Wissensvermittlung und Tools können sie geschützt werden. --------------------------------------------- https://heise.de/-7333482 ∗∗∗ This notorious ransomware has now found a new target ∗∗∗ --------------------------------------------- The authors of Clop ransomware are experimenting with a Linux variant - a warning that multiple different platforms are in the sights of cyber extortionists. --------------------------------------------- https://www.zdnet.com/article/this-notorious-ransomware-is-now-targeting-li… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-094: Netatalk dsi_writeinit Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-094/ ∗∗∗ TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering ∗∗∗ --------------------------------------------- Subcomponent: Frontend Rendering (ext:frontend, ext:core) Affected Versions: 8.7.0-8.7.50, 9.0.0-9.5.39, 10.0.0-10.4.34, 11.0.0-11.5.22, 12.0.0-12.1.3 Severity: High References: CVE-2023-24814, CWE-79 --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-001 ∗∗∗ Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419) ∗∗∗ --------------------------------------------- Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. ONLYOFFICE, OpenKM, LogicalDOC, Mayan [..] Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412… ∗∗∗ OpenSSL Security Advisory [7th February 2023] ∗∗∗ --------------------------------------------- * Severity: High - X.400 address type confusion in X.509 GeneralName (CVE-2023-0286): [...] this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. * Severity: Moderate - CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401 --------------------------------------------- https://www.openssl.org/news/secadv/20230207.txt ∗∗∗ Dateiübertragungslösung: Zero-Day-Lücke in GoAnywhere-MFT-Servern ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf Server mit GoAnywhere MFT abgesehen. Bislang gibt es kein Sicherheitsupdate. Eine temporäre Übergangslösung sichert Systeme ab. --------------------------------------------- https://heise.de/-7487393 ∗∗∗ VMSA-2023-0003 ∗∗∗ --------------------------------------------- CVSSv3 Range: 7.8 CVE(s): CVE-2023-20854 Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0003.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux). --------------------------------------------- https://lwn.net/Articles/922519/ ∗∗∗ Ichiran App vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN11257333/ ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ EnOcean SmartServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-037-01 ∗∗∗ IBM Security Verify Governance, Identity Manager software component is affected by a vulnerabilitiy CVE-2023-23477 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953461 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6839565 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953483 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2022-25887 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952745 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package(CVE-2022-26336) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953525 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953557 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953559 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to bypassing security restrictions, denial of service attacks, and data integrity impacts due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953579 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953583 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953587 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953589 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.02.2023
by Daily end-of-shift report 06 Feb '23

06 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-02-2023 18:00 − Montag 06-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Weltweiter Ransomware-Angriff ∗∗∗ --------------------------------------------- Bei einem weltweit breit gestreuten Ransomware-Angriff wurden laut Medienberichten tausende ESXi-Server, die u. a. zur Virtualisierung von IT-Fachverfahren genutzt werden, verschlüsselt. Der regionale Schwerpunkt der Angriffe lag dabei auf Frankreich, den USA, Deutschland und Kanada, auch weitere Länder sind betroffen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Downloads via Google Ads: "Tsunami" an Malvertising verbreitet Schadsoftware ∗∗∗ --------------------------------------------- Immer mehr Angreifer versuchen, Geräte von Nutzern mit Malware zu infizieren. Forscher beobachten einen massiven Anstieg auf Google bei der Suche nach Software. --------------------------------------------- https://heise.de/-7485196 ∗∗∗ Tiere zu verschenken: Vorsicht vor betrügerischen Inseraten auf Facebook ∗∗∗ --------------------------------------------- In Facebook-Gruppen tauchen immer wieder betrügerische Inserate für abzugebende Hunde oder Pferde auf. Angeblich sei der Besitzer bzw. die Besitzerin plötzlich verstorben. Daher suchen die Angehörigen dringend einen guten Platz für das Tier. Sie müssen lediglich die Transportkosten bezahlen, da sich das Tier im Ausland befindet. Dahinter steckt aber Betrug, das Tier gibt es gar nicht und Sie verlieren viel Geld! --------------------------------------------- https://www.watchlist-internet.at/news/tiere-zu-verschenken-vorsicht-vor-be… ∗∗∗ Assemblyline as a Malware Analysis Sandbox, (Sat, Feb 4th) ∗∗∗ --------------------------------------------- If you are looking for a malware sandbox that is easy to install and maintain, Assenblyline (AL) [1] is likely the system you want to be part of your toolbox. "Once a file is submitted to Assemblyline, the system will automatically perform multiple checks to determine how to best process the file. One of Assemblyline's most powerful functionalities is its recursive analysis model."[2] --------------------------------------------- https://isc.sans.edu/diary/rss/29510 ∗∗∗ Royal Ransomware adds support for encrypting Linux, VMware ESXi systems ∗∗∗ --------------------------------------------- Royal Ransomware operators added support for encrypting Linux devices and target VMware ESXi virtual machines. The Royal Ransomware gang is the latest extortion group in order of time to add support for encrypting Linux devices and target VMware ESXi virtual machines. Other ransomware operators already support Linux encrypting, including AvosLocker, Black Basta, BlackMatter, HelloKitty, Hive, [...] --------------------------------------------- https://securityaffairs.com/141876/cyber-crime/royal-ransomware-vmware-esxi… ∗∗∗ FormBook Malware Spreads via Malvertising Using MalVirt Loader to Evade Detection ∗∗∗ --------------------------------------------- An ongoing malvertising campaign is being used to distribute virtualized .NET loaders that are designed to deploy the FormBook information-stealing malware. "The loaders, dubbed MalVirt, use obfuscated virtualization for anti-analysis and evasion along with the Windows Process Explorer driver for terminating processes," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said [...] --------------------------------------------- https://thehackernews.com/2023/02/formbook-malware-spreads-via.html ∗∗∗ GuLoader Malware Using Malicious NSIS Executables to Target E-Commerce Industry ∗∗∗ --------------------------------------------- E-commerce industries in South Korea and the U.S. are at the receiving end of an ongoing GuLoader malware campaign, cybersecurity firm Trellix disclosed late last month. The malspam activity is notable for transitioning away from malware-laced Microsoft Word documents to NSIS executable files for loading the malware. Other countries targeted as part of the campaign include Germany, Saudi Arabia, [...] --------------------------------------------- https://thehackernews.com/2023/02/guloader-malware-using-malicious-nsis.html ∗∗∗ ImageMagick: The hidden vulnerability behind your online images ∗∗∗ --------------------------------------------- In a recent APT Simulation engagement, the Ocelot team identified that ImageMagick was used to process images in a Drupal-based website, and hence, the team decided to try to find new vulnerabilities in this component, proceeding to download the latest version of ImageMagick, 7.1.0-49 at that time. As a result, two zero days were identified: [...] --------------------------------------------- https://www.metabaseq.com/imagemagick-zero-days/ ∗∗∗ The Defenders Guide to OneNote MalDocs ∗∗∗ --------------------------------------------- With the heyday of macro-enabled spreadsheets and documents behind us, threat actors have experimented with novel ways to deliver their payloads, including disk image files (.iso, .vhd files), HTML Smuggling (.hta files with embedded scripts), and now OneNote files. --------------------------------------------- https://opalsec.substack.com/p/the-defenders-guide-to-onenote-maldocs ∗∗∗ How the CISA catalog of vulnerabilities can help your organization ∗∗∗ --------------------------------------------- The CISA catalog of known exploited vulnerabilities is designed for the federal government and useful to everyone. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/02/how-the-cisa-catalog-can-hel… ∗∗∗ Collect, Exfiltrate, Sleep, Repeat ∗∗∗ --------------------------------------------- In this intrusion from August 2022, we observed a compromise that was initiated with a Word document containing a malicious VBA macro, which established persistence and communication to a command [...] --------------------------------------------- https://thedfirreport.com/2023/02/06/collect-exfiltrate-sleep-repeat/ ∗∗∗ Solving a VM-based CTF challenge without solving it properly ∗∗∗ --------------------------------------------- A pretty common reverse-engineering CTF challenge genre for the hard/very-hard bucket are virtual machines. There are several flavors to this*, but the most common one is to implement a custom VM in a compiled language and provide it together with bytecode of a flag checker. This was the case for the More Control task from Byte Bandits CTF 2023 - the task this entry is about. --------------------------------------------- https://gynvael.coldwind.pl/?id=763 ∗∗∗ Sliver Malware With BYOVD Distributed Through Sunlogin Vulnerability Exploitations ∗∗∗ --------------------------------------------- Sliver is an open-source penetration testing tool developed in the Go programming language. Cobalt Strike and Metasploit are major examples of penetration testing tools used by many threat actors, and various attack cases involving these tools have been covered here on the ASEC blog. Recently, there have been cases of threat actors using Sliver in addition to Cobalt Strike and Metasploit. --------------------------------------------- https://asec.ahnlab.com/en/47088/ ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity XSS Vulnerability in Metform Elementor Contact Form Builder ∗∗∗ --------------------------------------------- On January 4, 2023, independent security researcher Mohammed Chemouri reached out to the Wordfence Vulnerability Disclosure program to responsibly disclose and request a CVE ID for a vulnerability in Metform Elementor Contact Form Builder, a WordPress plugin with over 100,000 installations. The vulnerability, an unauthenticated stored cross-site scripting vulnerability, is arguably the most dangerous variant [...] --------------------------------------------- https://www.wordfence.com/blog/2023/02/high-severity-xss-vulnerability-in-m… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libhtml-stripscripts-perl), Fedora (binwalk, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, kernel, sudo, and syncthing), SUSE (syslog-ng), and Ubuntu (editorconfig-core, firefox, pam, and thunderbird). --------------------------------------------- https://lwn.net/Articles/922337/ ∗∗∗ CISA adds Oracle, SugarCRM bugs to exploited vulnerabilities list ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) said two vulnerabilities from Oracle and SugarCRM are actively being exploited and ordered federal civilian agencies to patch them before February 23. --------------------------------------------- https://therecord.media/cisa-adds-oracle-sugarcrm-bugs-to-exploited-vulnera… ∗∗∗ Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6570741 ∗∗∗ Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6592963 ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953401 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953433 ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857695 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2023
by Daily end-of-shift report 03 Feb '23

03 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-02-2023 18:00 − Freitag 03-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers weaponize Microsoft Visual Studio add-ins to push malware ∗∗∗ --------------------------------------------- Security researchers warn that hackers may start using Microsoft Visual Studio Tools for Office (VSTO) more often as method to achieve persistence and execute code on a target machine via malicious Office add-ins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-weaponize-microsoft-… ∗∗∗ Anker: Eufy-Kameras waren nicht so sicher wie beworben ∗∗∗ --------------------------------------------- Nach anfänglichem Abstreiten gibt Anker zu, dass die Werbeversprechen zur Sicherheit der Eufy-Überwachungskameras nicht eingehalten wurden. --------------------------------------------- https://www.golem.de/news/anker-eufy-kameras-waren-nicht-so-sicher-wie-bewo… ∗∗∗ Konami Code Backdoor Concealed in Image ∗∗∗ --------------------------------------------- Attackers are always looking for new ways to conceal their malware and evade detection, whether it’s through new forms of obfuscation, concatenation, or — in this case — unorthodox use of image file extensions. One of the most common backdoors that we have observed over the last few months has been designed to evade detection by placing the payload in an image file and requiring some additional tricks to unlock it. --------------------------------------------- https://blog.sucuri.net/2023/02/konami-code-backdoor-concealed-in-image.html ∗∗∗ Pre-Auth RCE in Aspera Faspex: Case Guide for Auditing Ruby on Rails ∗∗∗ --------------------------------------------- IBM Aspera Faspex promises security to end users by offering encryption options for the files being uploaded through its application. This security model is broken through the pre-authentication RCE vulnerability we discovered, that allowed us to execute arbitrary commands on the Aspera Faspex server. --------------------------------------------- https://blog.assetnote.io/2023/02/02/pre-auth-rce-aspera-faspex/ ∗∗∗ Cisco patcht mehrere Produkte - potenzielle Backdoor-Lücke ∗∗∗ --------------------------------------------- Cisco hat Updates zum Schließen von Sicherheitslücken in mehreren Produkten veröffentlicht. Die gravierendste klafft in der IOx Application Hosting Environment. --------------------------------------------- https://heise.de/-7483079 ∗∗∗ Zwei Sicherheitsprobleme in OpenSSH 9.2 gelöst ∗∗∗ --------------------------------------------- Der OpenSSH-Client ist in einer aktualisierten Version erschienen. Informationen über die geschlossenen Sicherheitslücken sind noch rar. --------------------------------------------- https://heise.de/-7483316 ∗∗∗ Erneute Phishing-Welle mit E-Mails im Namen der WKO ∗∗∗ --------------------------------------------- „Aktualisierung Ihrer Firmendaten“: Haben Sie eine E-Mail vom „WKO Serviceteam“ mit diesem Betreff erhalten, sollten Sie genau hinsehen. Denn derzeit versenden Cyberkriminelle willkürlich solche Phishing-Mails an österreichische Unternehmer:innen und geben sich dabei als Wirtschaftskammer Österreich aus. --------------------------------------------- https://www.watchlist-internet.at/news/erneute-phishing-welle-mit-e-mails-i… ∗∗∗ OneNote Dokumente als neues Hilfsmittel für Spammer und Co. ∗∗∗ --------------------------------------------- Nachdem Microsoft im Juli letzten Jahres die Hürde für Spammer deutlich höher gelegt hat - eingebettete Makros in heruntergeladenen Office Dokumente wurden per Default disabled - musste aus Sicht der Angreifer entsprechender Ersatz gefunden werden. Neuen Erkenntnissen zufolge, wurde dieser auch erfolgreich in Form von OneNote Dokumenten gefunden. --------------------------------------------- https://cert.at/de/aktuelles/2023/2/onenote-dokumente-als-neues-hilfsmittel… ∗∗∗ What is an OSINT Tool – Best OSINT Tools 2023 ∗∗∗ --------------------------------------------- An OSINT tool is a must for every researcher - In this article, we will explore the 15 best OSINT tools that you can use for your investigations. --------------------------------------------- https://www.hackread.com/what-is-osint-tool-best-osint-tools-2023/ ===================== = Vulnerabilities = ===================== ∗∗∗ K000130496: Overview of F5 vulnerabilities (February 2023) ∗∗∗ --------------------------------------------- On February 1, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities and security exposures to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000130496 ∗∗∗ Angreifer könnten Windows-PCs mit VMware Workstation attackieren ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate schließt eine Lücke in der Virtualisierungslösung VMware Workstation. Angreifer brauchten lokale Benutzerrechte auf dem PC des Opfers. --------------------------------------------- https://heise.de/-7483515 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium and vim), Slackware (openssh), and Ubuntu (lrzip and tiff). --------------------------------------------- https://lwn.net/Articles/922112/ ∗∗∗ CISA Releases Six Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-033-01 Delta Electronics DIAScreen, ICSA-23-033-02 Mitsubishi Electric GOT2000 Series and GT SoftGOT2000, ICSA-23-033-03 Baicells Nova, ICSA-23-033-04 Delta Electronics DVW-W02W2-E2, ICSA-23-033-05 Delta Electronics DX-2100-L1-CN, ICSA-22-221-01 Mitsubishi Electric Multiple Factory Automation Products (Update D). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/cisa-releases-six… ∗∗∗ B&R Advisory: Several Issues in APROL Database ∗∗∗ --------------------------------------------- Several Issues in ARPOL database, CVE ID: CVE-2022-43761, CVE-2022-43762, CVE-2022-43763, CVE-2022-43764, CVE-2022-43765 --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16748230… *** IBM Security Bulletins 2023-02-01 *** --------------------------------------------- Tivoli System Automation Application Manager, IBM MQ, IBM FlashSystem 5000, IBM FlashSystem 7200, IBM FlashSystem 7300, IBM FlashSystem 9100, IBM FlashSystem 9200, IBM FlashSystem 9500, IBM FlashSystem V9000, IBM Spectrum Virtualize as Software Only, IBM Spectrum Virtualize for Public Cloud, IBM Storwize V5000, V5000E, V7000 and V5100, Jazz for Service Management, SAN Volume Controller, IBM App Connect Enterprise, IBM Voice Gateway, IBM Aspera, IBM MQ, IBM Business Automation Workflow, IBM Control Desk, IBM Maximo, IBM Sterling Connect:Direct File Agent. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Exploitation of GoAnywhere MFT zero-day vulnerability ∗∗∗ --------------------------------------------- A warning has been issued about an actively exploited zero-day vulnerability affecting on-premise instances of Fortra’s GoAnywhere MFT. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/03/exploitation-of-goanywhere-mft-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.02.2023
by Daily end-of-shift report 02 Feb '23

02 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-02-2023 18:00 − Donnerstag 02-02-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New DDoS-as-a-Service platform used in recent attacks on hospitals ∗∗∗ --------------------------------------------- A new DDoS-as-a-Service (DDoSaaS) platform named Passion was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ddos-as-a-service-platfo… ∗∗∗ New Nevada Ransomware targets Windows and VMware ESXi systems ∗∗∗ --------------------------------------------- A relatively new ransomware operation known as Nevada seems to grow its capabilities quickly as security researchers noticed improved functionality for the locker targeting Windows and VMware ESXi systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nevada-ransomware-target… ∗∗∗ LockBit ransomware goes Green, uses new Conti-based encryptor ∗∗∗ --------------------------------------------- The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-ransomware-goes-gree… ∗∗∗ Password-stealing “vulnerability” reported in KeePass – bug or feature? ∗∗∗ --------------------------------------------- Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway? --------------------------------------------- https://nakedsecurity.sophos.com/2023/02/01/password-stealing-vulnerability… ∗∗∗ Rotating Packet Captures with pfSense, (Wed, Feb 1st) ∗∗∗ --------------------------------------------- Having a new pfSense firewall in place gives some opportunities to do a bit more with the device. Maintaining some full packet captures was an item on my "to do" list. The last 24 hours is usually sufficient for me since I'm usually looking at alerts within the same day. I decided to do rotating packet captures based on file size. This allows me to capture packets, saving files of a specific size and keeping a specified number of files. --------------------------------------------- https://isc.sans.edu/diary/rss/29500 ∗∗∗ What SOCs Need to Know About Water Dybbuk, A BEC Actor Using Open-Source Toolkits ∗∗∗ --------------------------------------------- We analyze a BEC campaign targeting large companies around the world that was leveraging open-source tools to stay under the radar. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/what-socs-need-to-know-about… ∗∗∗ OpenSSH 9.2 released ∗∗∗ --------------------------------------------- OpenSSH9.2 has been released. It includes a number of security fixes,including one for a pre-authenticationdouble-free vulnerability that the project does not believe is exploitable. --------------------------------------------- https://lwn.net/Articles/922006/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Causing Deletion of All Users in CrushFTP Admin Area ∗∗∗ --------------------------------------------- During a recent penetration test, Trustwave SpiderLabs researchers discovered a weak input validation vulnerability in the CrushFTP application which caused the deletion of all users. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/vulnerabili… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cinder, glance, nova, openjdk-17, and python-django), Fedora (caddy, git-credential-oauth, mingw-opusfile, and pgadmin4), Slackware (apr and mozilla), and Ubuntu (apache2 and python-django). --------------------------------------------- https://lwn.net/Articles/921957/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0001 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2023-23517, CVE-2023-23518,CVE-2022-42826. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0001.html ∗∗∗ Jira Service Management Server and Data Center Advisory (CVE-2023-22501) ∗∗∗ --------------------------------------------- This advisory discloses a critical severity security vulnerability which was introduced in version 5.3.0 of Jira Service Management Server and Data Center. The following versions are affected by this vulnerability: 5.3.0, 5.3.1, 5.3.2, 5.4.0, 5.4.1, 5.5.0 --------------------------------------------- https://confluence.atlassian.com/jira/jira-service-management-server-and-da… ∗∗∗ Drupal Releases Security Update to Address a Vulnerability in Apigee Edge ∗∗∗ --------------------------------------------- Drupal released a security update to address a vulnerability affecting the Apigee Edge module for Drupal 9.x. An attacker could exploit this vulnerability to bypass access authorization or disclose sensitive information. CISA encourages users and administrators to review Drupal’s security advisory SA-CONTRIB-2023-005 and apply the necessary update. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/02/drupal-releases-s… ∗∗∗ Cisco Prime Infrastructure Reflected Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Privilege Escalation Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server October 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6912697 ∗∗∗ IBM API Connect is impacted by an external service interaction vulnerability (CVE-2022-34350) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6921243 ∗∗∗ IBM WebSphere Application Server Liberty for IBM i is vulnerable to HTTP header injection and affected by denial of services due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6921285 ∗∗∗ IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952181 ∗∗∗ IBM MQ Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. (CVE-2022-42436) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6909467 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.02.2023
by Daily end-of-shift report 01 Feb '23

01 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-01-2023 18:00 − Mittwoch 01-02-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Zehntausende Qnap-NAS hängen verwundbar am Internet ∗∗∗ --------------------------------------------- Angreifer könnten direkt über das Internet an einer kritischen Sicherheitslücke in Netzwerkspeichern von Qnap ansetzen. --------------------------------------------- https://heise.de/-7477826 ∗∗∗ Microsoft Defender for Endpoint schickt nun auch Linux-Rechner in die Isolation ∗∗∗ --------------------------------------------- Weil auch Linux-Geräte als Einfallstor für Cyber-Angreifer dienen können, isoliert Microsofts Security-Software künftig bei Bedarf auch sie aus dem Firmennetz. --------------------------------------------- https://heise.de/-7477878 ∗∗∗ Diskussion um Schwachstelle in KeePass ∗∗∗ --------------------------------------------- Eine Schwachstelle erlaubt das Ändern der KeePass-Konfiguration, wenn Nutzer bestimmte Rechte haben. Mit denen können sie jedoch viel mehr anstellen. --------------------------------------------- https://heise.de/-7478396 ∗∗∗ Neue Vinted-Verkäufer:innen aufgepasst: Keine Zahlungen freigeben! ∗∗∗ --------------------------------------------- Auf der Second-Hand-Plattform vinted.at kommt es aktuell vermehrt zu einer Betrugsmasche, die sich an neue Verkäufer:innen richtet. Die ersten Interessent:innen melden sich schnell und verlangen eine Telefonnummer. Anschließend folgen SMS im Namen von Vinted, die eine Bestätigung der Kreditkartendaten zum Erhalt der Zahlung fordern. Achtung: Die SMS stammen nicht von vinted.at, sondern von Kriminellen und die vermeintlichen Bestätigungen führen zu Abbuchungen [...] --------------------------------------------- https://www.watchlist-internet.at/news/neue-vinted-verkaeuferinnen-aufgepas… ∗∗∗ Hackers use new IceBreaker malware to breach gaming companies ∗∗∗ --------------------------------------------- Hackers have been targeting online gaming and gambling companies with what appears to be a previously unseen backdoor that researchers have named IceBreaker. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-new-icebreaker-m… ∗∗∗ DShield Honeypot Setup with pfSense, (Tue, Jan 31st) ∗∗∗ --------------------------------------------- Setting up a DShield honeypot is well guided by the installation script [1]. After several minutes of following the instructions and adding some custom details, the honeypot is up and running. What's needed after that is to expose the honeypot to the internet. I recently decided to update my home router and thought it was a great opportunity to dig into using pfSense [2]. --------------------------------------------- https://isc.sans.edu/diary/rss/29490 ∗∗∗ Detecting (Malicious) OneNote Files, (Wed, Feb 1st) ∗∗∗ --------------------------------------------- We are starting to see malicious OneNote documents (cfr. Xavier's diary entry "A First Malicious OneNote Document"). --------------------------------------------- https://isc.sans.edu/diary/rss/29494 ∗∗∗ Vulnerability in Cisco industrial appliances is a potential nightmare (CVE-2023-20076) ∗∗∗ --------------------------------------------- Cisco has released patches for a high-severity vulnerability (CVE-2023-20076) found in some of its industrial routers, gateways and enterprise wireless access points, which may allow attackers to insert malicious code that can’t be deleted by simply rebooting the device or updating its firmware. “In this case, the command injection bypasses mitigations Cisco has in place to ensure vulnerabilities do not persist in a system. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/01/cve-2023-20076/ ∗∗∗ Google sponsored ads malvertising targets password manager ∗∗∗ --------------------------------------------- Our reserachers found a more direct way to go after your password by using Google sponsored ads campaigns --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/01/google-sponso… ∗∗∗ Unpatched Econolite Traffic Controller Vulnerabilities Allow Remote Hacking ∗∗∗ --------------------------------------------- Serious vulnerabilities found in Econolite EOS traffic controller software can be exploited to control traffic lights, but the flaws remain unpatched. --------------------------------------------- https://www.securityweek.com/unpatched-econolite-traffic-controller-vulnera… ∗∗∗ Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware ∗∗∗ --------------------------------------------- Microsoft warns that phishing, fake software updates and unpatched vulnerabilities are being exploited for ransomware attacks. --------------------------------------------- https://www.zdnet.com/article/microsoft-we-are-tracking-these-100-active-ra… ∗∗∗ Password Nightmare Explained ∗∗∗ --------------------------------------------- This blog post belongs to a series in which we examine various influences on password strategies. The first post in the series analyzed the macrosocial influence of a country on its citizens’ passwords. The second post was focused on the analysis of the influence of a community on password choice. In this last post, we aim to increase the strength of our readers’ passwords by influencing their password strategies using knowledge and insights from our research. --------------------------------------------- https://www.gosecure.net/blog/2023/01/31/password-nightmare-explained/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in Driver Distributor where passwords are stored in a recoverable format ∗∗∗ --------------------------------------------- Driver Distributor provided by FUJIFILM Business Innovation Corp. contains a vulnerability where passwords are stored in a recoverable format. --------------------------------------------- https://jvn.jp/en/jp/JVN22830348/ ∗∗∗ Additional Supply Chain Vulnerabilities Uncovered in AMI MegaRAC BMC Software ∗∗∗ --------------------------------------------- Two more supply chain security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software, nearly two months after three security vulnerabilities were brought to light in the same product. Firmware security firm Eclypsium said the two shortcomings were held back until now to provide AMI additional time to engineer appropriate mitigations. --------------------------------------------- https://thehackernews.com/2023/02/additional-supply-chain-vulnerabilities.h… ∗∗∗ Virenschutz: Datei-Upload bis Exitus durch Trend Micro Apex One-Schwachstelle ∗∗∗ --------------------------------------------- Eine hochriskante Sicherheitslücke im Trend Micro Apex One Server könnten Angreifer missbrauchen, um den Server mit Dateien zu fluten und damit lahmzulegen. --------------------------------------------- https://heise.de/-7477479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fig2dev and libstb), Fedora (seamonkey), SUSE (ctags, python-setuptools, samba, tmux, and xterm), and Ubuntu (advancecomp, apache2, python-django, slurm-llnl, and vim). --------------------------------------------- https://lwn.net/Articles/921848/ ∗∗∗ CVE-2023-22374: F5 BIG-IP Format String Vulnerability ∗∗∗ --------------------------------------------- Rapid7 found an additional vulnerability in the appliance-mode REST interface. We reported it to F5 and are now disclosing it in accordance with our vulnerability disclosure policy. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/01/cve-2023-22374-f5-big-ip-format… ∗∗∗ IBM Security Bulletins 2023-02-01 ∗∗∗ --------------------------------------------- App Connect Professional is affected by JsonErrorReportValve in Apache Tomcat. A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-23477) A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-23477) A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-23477) A vulnerability in the IBM Java Runtime affects IBM Rational ClearQuest (CVE-2022-21626) A vulnerability may affect the IBM Elastic Storage System GUI (CVE-2022-43869) HTTP header injection vulnerability in Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-34165) IBM App Connect Enterprise is vulnerable to a remote authenticated attacker due to json5 (CVE-2022-46175) IBM Cloud Pak for Multicloud Management has applied security fixes for its use of Apache Commons [CVE-2022-42889 and CVE-2022-33980] IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML IBM Cloud Pak for Multicloud Management is vulnerable to denial of service due to protobuf-java core and lite IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of FasterXML Jackson (CVE-2022-42003) IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS IBM Infosphere Information Server is vulnerable to cross-site scripting (CVE-2023-23475) IBM Spectrum Scale GUI is vulnerable to Format string attack (CVE-2022-43869) IBM Sterling B2B Integrator is vulnerable to denial of service due to Netty (CVE-2021-37136, CVE-2021-37137) IBM Sterling Connect:Direct File Agent is vulnerable to a denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) IBM Sterling Connect:Direct File Agent is vulnerable to a memory exploit due to Eclipse Openj9 (CVE-2022-3676) IBM Sterling External Authentication Server vulnerable to denial of service due to Apache Xerces2 (CVE-2022-23437) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow in GNU glibc (CVE-2021-3999) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in Golang Go (CVE-2022-27664) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in protobuf (CVE-2022-1941) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary command execution in OpenSSL (CVE-2022-2068) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security bypass in GNU gzip (CVE-2022-1271) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to issues in OpenSSL (CVE-2022-1434, CVE-2022-1343, CVE-2022-1292, CVE-2022-1473 ) IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to query parameter smuggling in Golang Go (CVE-2022-2880) IBM WebSphere Application Server Liberty used by IBM Cloud Pak for Watson AIOps is vulnerable to HTTP header injection (CVE-2022-34165) Multiple vulnerabilities in IBM Java SDK affects App Connect Professional. Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061) Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-2068, CVE-2022-2097) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi… ∗∗∗ Security Advisory - Incorrect Privilege Assignment Vulnerability in Huawei Whole-Home Intelligence Software ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ipavihwhi… ∗∗∗ Multiple Vulnerabilities Patched in Quick Restaurant Menu Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/02/multiple-vulnerabilities-patched-in-… ∗∗∗ SA45653 - Cross-site Request Forgery in Login Form ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Cross-site-Re… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.01.2023
by Daily end-of-shift report 31 Jan '23

31 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 30-01-2023 18:00 − Dienstag 31-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exploit released for critical VMware vRealize RCE vulnerability ∗∗∗ --------------------------------------------- Horizon3 security researchers have released proof-of-concept (PoC) code for a VMware vRealize Log Insight vulnerability chain that allows attackers to gain remote code execution on unpatched appliances. VMware patched four security vulnerabilities in its vRealize log analysis tool last week, two being critical and allowing remote attackers to execute code on compromised devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Github Desktop & Atom: Signaturschlüssel von Github entwendet ∗∗∗ --------------------------------------------- Auf Github wurden Signaturschlüssel entwendet, die bald zurückgerufen werden. Betroffen sind Github Desktop und Atom für Mac, die den Dienst einstellen. (Github, Security) --------------------------------------------- https://www.golem.de/news/github-desktop-atom-signaturschluessel-von-github… ∗∗∗ Prilex modification now targeting contactless credit card transactions ∗∗∗ --------------------------------------------- Kaspersky discovers three new variants of the Prilex PoS malware capable of blocking contactless NFC transactions on an infected device. --------------------------------------------- https://securelist.com/prilex-modification-now-targeting-contactless-credit… ∗∗∗ Microsoft Investigation – Threat actor consent phishing campaign abusing the verified publisher process ∗∗∗ --------------------------------------------- On December 15th, 2022, Microsoft became aware of a consent phishing campaign involving threat actors fraudulently impersonating legitimate companies when enrolling in the Microsoft Cloud Partner Program (MCPP) (formerly known as Microsoft Partner Network (MPN)). --------------------------------------------- https://msrc-blog.microsoft.com/2023/01/31/threat-actor-consent-phishing-ca… ∗∗∗ Decoding DNS over HTTP(s) Requests, (Mon, Jan 30th) ∗∗∗ --------------------------------------------- I have written before about scans for DNS over HTTP(s) (DoH) servers. DoH is now widely supported in different browsers and recursive resolvers. It has been an important piece in the puzzle to evade various censorship regimes, in particular, the "Big Chinese Firewall". Malware has at times used DoH, but often uses its own HTTP(s) based resolvers that do not necessarily comply with the official DoH standard. --------------------------------------------- https://isc.sans.edu/diary/rss/29488 ∗∗∗ Researchers Uncover Packer Used by Several Malware to Evade Detection for 6 Years ∗∗∗ --------------------------------------------- A shellcode-based packer dubbed TrickGate has been successfully operating without attracting notice for over six years, while enabling threat actors to deploy a wide range of malware such as TrickBot, Emotet, AZORult, Agent Tesla, FormBook, Cerber, Maze, and REvil over the years."TrickGate managed to stay under the radar for years because it is transformative – it undergoes changes periodically --------------------------------------------- https://thehackernews.com/2023/01/researchers-uncover-packer-that-helped.ht… ∗∗∗ Chromebook SH1MMER exploit promises admin jailbreak ∗∗∗ --------------------------------------------- Schools laptops are out if this one gets around, but beware bricking Users of enterprise-managed Chromebooks now, for better or worse, have a way to break the shackles of administrative control through an exploit called SHI1MMER.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/01/30/chromebook_e… ∗∗∗ Forthcoming OpenSSL Releases ∗∗∗ --------------------------------------------- The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 3.0.8, 1.1.1t and 1.0.2zg.[..] These releases will be made available on Tuesday 7th February 2023 between 1300-1700 UTC. These are security-fix releases. The highest severity issue fixed in each of these three releases is High --------------------------------------------- https://mta.openssl.org/pipermail/openssl-announce/2023-January/000248.html ∗∗∗ Abstandhalten zu undurchsichtigen Multi-Level-Marketing-Angeboten wie shopwithme.biz ∗∗∗ --------------------------------------------- Wer sich aktuell auf sozialen Medien wie Facebook, YouTube oder TikTok bewegt, kommt an Werbevideos, die das große Geld versprechen, kaum vorbei. Mit minimalem Aufwand und revolutionären Methoden sollen Sie ganz einfach Unsummen an Geld verdienen können. Ähnliches verspricht man beispielsweise bei shopwithme.biz. Ein genauerer Blick lässt vermuten: Hier verdient man nicht durch den Verkauf von Produkten, sondern durch die Anwerbung neuer Kundschaft. Wir raten hier --------------------------------------------- https://www.watchlist-internet.at/news/abstandhalten-zu-undurchsichtigen-mu… ∗∗∗ A Phishing Page that Changes According to the User’s Email Address (Using Favicon) ∗∗∗ --------------------------------------------- The ASEC analysis team continuously monitors phishing emails, and we have been detecting multiple phishing emails that are distributed with a changing icon to reflect the mail account service entered by the user. --------------------------------------------- https://asec.ahnlab.com/en/46786/ ===================== = Vulnerabilities = ===================== ∗∗∗ [20230101] - Core - CSRF within post-installation messages ∗∗∗ --------------------------------------------- Severity: Low Versions: 4.0.0-4.2.6 Exploit type: CSRF Description: A missing token check causes a CSRF vulnerability in the handling of post-installation messages. Affected Installs Joomla! CMS versions 4.0.0-4.2.6 Solution: Upgrade to version 4.2.7 --------------------------------------------- https://developer.joomla.org:443/security-centre/890-20230101-core-csrf-wit… ∗∗∗ [20230102] - Core - Missing ACL checks for com_actionlogs ∗∗∗ --------------------------------------------- Severity: Low Versions: 4.0.0-4.2.6 Exploit type: Incorrect Access Control Description: A missing ACL check allows non super-admin users to access com_actionlogs. Solution: Upgrade to version 4.2.7 --------------------------------------------- https://developer.joomla.org:443/security-centre/891-20230102-core-missing-… ∗∗∗ VMSA-2023-0002 ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.5 CVE(s): CVE-2023-20856 Synopsis: VMware vRealize Operations (vROps) update addresses a CSRF bypass vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0002.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, libXpm, pki-core, sssd, sudo, thunderbird, tigervnc, and xorg-x11-server), Debian (cinder, glance, libarchive, libhtml-stripscripts-perl, modsecurity-crs, node-moment, node-qs, nova, ruby-git, ruby-rack, and tiff), Fedora (java-17-openjdk, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-pore, rust-silver, rust-tokei, and seamonkey), Oracle (libksba), Red Hat (kernel, kernel-rt, kpatch-patch, libksba, and pcs), Scientific Linux (libksba), SUSE (apache2-mod_auth_openidc, ghostscript, libarchive, nginx, python, vim, and xen), and Ubuntu (cinder, glance, linux-raspi, nova, python-future, and sudo). --------------------------------------------- https://lwn.net/Articles/921765/ ∗∗∗ [R1] Tenable Plugin Feed ID #202212212055 Fixes Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- As part of our Security Development Lifecycle, a potential privilege escalation issue was identified internally. This could allow a malicious actor with sufficient permissions to modify environment variables and abuse an impacted plugin in order to escalate privileges. We have resolved the issue and also made several defense-in-depth fixes alongside. --------------------------------------------- https://www.tenable.com/security/tns-2023-04 ∗∗∗ WordPress Vulnerability & Patch Roundup January 2023 ∗∗∗ --------------------------------------------- * SiteGround Security – SQL injection * ExactMetrics – Cross Site Scripting (XSS) * Enable Media Replace – Arbitrary File Upload * Spectra WordPress Gutenberg Blocks – Stored Cross Site Scripting * GiveWP – SQL Injection * Better Font Awesome – Cross Site Scripting (XSS) * LearnPress – SQL Injection * Royal Elementor Addons and Templates – Cross Site Scripting (XSS) * Strong Testimonials – Stored Cross Site Scripting (XSS) * HUSKY (formerly WOOF) – PHP Object Injection * WP Show Posts – Cross Site Scripting (XSS) * Widgets for Google Reviews – Cross Site Scripting (XSS) * Strong Testimonials – Cross Site Scripting (XSS) * Simple Sitemap – Cross Site Scripting (XSS) * Contextual Related Posts – Stored Cross Site Scripting (XSS) * Stream – Broken Access Control * Customer Reviews for WooCommerce – Cross Site Scripting (XSS) * Themify Portfolio Post – Stored Cross Site Scripting * Spotlight Social Media Feeds – Stored Cross Site Scripting (XSS) * RSS Aggregator by Feedzy – Stored Cross Site Scripting (XSS) --------------------------------------------- https://blog.sucuri.net/2023/01/wordpress-vulnerability-patch-roundup-janua… ∗∗∗ IBM Security Bulletins) ∗∗∗ --------------------------------------------- * IBM UrbanCode Deploy (UCD) is vulnerable to cross-site scripting ( CVE-2022-46771 ) * IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of Golang Go (CVE-2022-24921, CVE-2022-28327, CVE-2022-24675) * IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities affect IBM Sterling External Authentication Server * Multiple vulnerabilities in Mozilla Firefox affect IBM Cloud Pak for Multicloud Management Monitoring. * Multiple vulnerabilities in libcURL affect IBM Rational ClearCase ( CVE-2022-42915, CVE-2022-42916, CVE-2022-32221, CVE-2022-35252, * * CVE-2022-32205, CVE-2022-32206, CVE-2022-32207 ) * IBM Sterling Secure Proxy vulnerable to multiple issues * Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase (CVE-2022-2097, CVE-2022-2068) * A vulnerability in the IBM Java Runtime affects IBM Rational ClearCase (CVE-2022-21626) * Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to jsonwebtoken CVE-2022-23529 * Automation Assets in IBM Cloud Pak for Integration is vulnerable to CSS injection due to Swagger CVE-2019-17495 * Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to protobuf CVE-2022-1941 * Platform Navigator and Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities * IBM Watson Knowledge Catalog on Cloud Pak for Data is vulnerable to SQL injection (CVE-2022-41731) * IBM Virtualization Engine TS7700 is vulnerable to a denial of service threat due to use of IBM\u00ae SDK Java\u2122 Technology Edition, Version 8 (CVE-2022-21626) * Multiple vulnerabilities affect IBM Db2\u00ae on Cloud Pak for Data and Db2 Warehouse\u00ae on Cloud Pak for Data * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in XStream * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PyPA Wheel * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js json5 * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Certifi * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js decode-uri-component * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PostgreSQL * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in WebSphere Application Server Liberty * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Tomcat * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Spark * Multiple Vulnerabilities in Java packages affect IBM Voice Gateway * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in HSQLDB * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Google Protocol Buffers * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Java * IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-031-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.01.2023
by Daily end-of-shift report 30 Jan '23

30 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-01-2023 18:00 − Montag 30-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Sicherheitsforscher kombinieren Lücken in VMware vRealize Log ∗∗∗ --------------------------------------------- Angreifer könnten zeitnah vRealize Log von VMware ins Visier nehmen und Schadcode mit Root-Rechten ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7474931 ∗∗∗ Vorsicht vor gefälschten FinanzOnline-Benachrichtigungen ∗∗∗ --------------------------------------------- Kriminelle versenden gefälschte FinanzOnline-E-Mails. Aktuell sind uns zwei Varianten bekannt: In einem Mail wird behauptet, dass Sie eine Erstattung aus dem Sozialfonds erhalten. In einem anderen Mail steht, dass Sie eine Rückerstattung erhalten und einen QR-Code scannen müssen. Folgen Sie nicht den Anweisungen, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli… ∗∗∗ Malware PlugX infiziert USB-Geräte ∗∗∗ --------------------------------------------- Sicherheitsforscher der Unit 42 von Palo Alto Networks haben Cyberangriffe mit neuer Variante der altbekannten Schadsoftware beobachtet. Die mutmaßlich aus China stammende PlugX-Malware ist aufgefallen, weil diese Variante alle angeschlossenen USB-Wechselmediengeräte wie Disketten-, Daumen- oder Flash-Laufwerke sowie alle weiteren Systeme [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/28/malware-plugx-infiziert-usb-gerte/ ∗∗∗ Laufwerksverschlüsselung per BitLocker: Das sollten Sie beachten ∗∗∗ --------------------------------------------- Die Geräteverschlüsselung von Microsoft schützt Ihre Daten vor unerwünschten Zugriffen. Zuweilen greift BitLocker automatisch, oft muss man selbst Hand anlegen. --------------------------------------------- https://heise.de/-7467041 ∗∗∗ Shady reward apps on Google Play amass 20 million downloads ∗∗∗ --------------------------------------------- A new category of activity tracking applications has been having massive success recently on Google Play, Androids official app store, having been downloaded on over 20 million devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/shady-reward-apps-on-google-… ∗∗∗ SaaS Rootkit Exploits Hidden Rules in Microsoft 365 ∗∗∗ --------------------------------------------- A vulnerability within Microsofts OAuth application registration allows an attacker to create hidden forwarding rules that act as a malicious SaaS rootkit. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/saas-rootkit-exploits-h… ∗∗∗ Gootkit Malware Continues to Evolve with New Components and Obfuscations ∗∗∗ --------------------------------------------- The threat actors associated with the Gootkit malware have made "notable changes" to their toolset, adding new components and obfuscations to their infection chains. Google-owned Mandiant is monitoring the activity cluster under the moniker UNC2565, noting that the usage of the malware is "exclusive to this group. --------------------------------------------- https://thehackernews.com/2023/01/gootkit-malware-continues-to-evolve.html ∗∗∗ Titan Stealer: A New Golang-Based Information Stealer Malware Emerges ∗∗∗ --------------------------------------------- A new Golang-based information stealer malware dubbed Titan Stealer is being advertised by threat actors through their Telegram channel. "The stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screenshots, system information, and grabbed files," [...] --------------------------------------------- https://thehackernews.com/2023/01/titan-stealer-new-golang-based.html ∗∗∗ Asking MEMORY.DMP and Volatility to make up ∗∗∗ --------------------------------------------- A few days ago Ive posted RE category write-ups from the KnightCTF 2023. Another category Ive looked at – quite intensely at that – was forensics. While this blog post isnt a write-up for that category, I still wanted (and well, was asked to actually) write down some steps I took to make Volatility work with MEMORY.DMP file provided in the "Take care of this" challenge series. Or actually steps I took to convert MEMORY.DMP into something volatility could work with. --------------------------------------------- https://gynvael.coldwind.pl/?id=762 ∗∗∗ Analysis Report on Malware Distributed via Microsoft OneNote ∗∗∗ --------------------------------------------- This document is an analysis report on malware that is being actively distributed using Microsoft OneNote. The ASEC analysis team identified the rapidly increasing trend of OneNote malware distribution from November 2022 and has classified the malware according to the level of intricacy based on the screen that appears when the file is actually opened. --------------------------------------------- https://asec.ahnlab.com/en/46457/ ===================== = Vulnerabilities = ===================== ∗∗∗ Qnap-NAS: Kritische Sicherheitslücke ermöglicht Unterjubeln von Schadcode ∗∗∗ --------------------------------------------- In Qnap-Netzwerkgeräten mit QTS- und QuTS-hero-Betriebssystem könnten Angreifer Schadcode einschleusen und ausführen. Updates schließen die kritische Lücke. --------------------------------------------- https://heise.de/-7475288 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, dojo, git, lemonldap-ng, libapache-session-browseable-perl, libapache-session-ldap-perl, libzen, node-object-path, openjdk-11, sofia-sip, tiff, tor, and varnish), Fedora (libgit2, open62541, pgadmin4, rubygem-git, rust-bat, rust-cargo-c, rust-git-delta, rust-gitui, rust-libgit2-sys, rust-libgit2-sys0.12, rust-pore, rust-pretty-git-prompt, rust-rd-agent, rust-rd-hashd, rust-resctl-bench, rust-resctl-demo, rust-silver, and rust-tokei), Scientific --------------------------------------------- https://lwn.net/Articles/921620/ ∗∗∗ CERT-Warnung: Standard KeePass-Setup ermöglicht Passwort-Klau (CVE-2023-24055) ∗∗∗ --------------------------------------------- Kurzer Hinweis bzw. Warnung an Nutzer des KeePass Password Safe zur Verwaltung von Kennwörtern und Zugangsdaten. Das Cyber Emergency Response Team aus Belgien (CERT.be) hat am 27. Januar 2023 eine Warnung zu KeePass veröffentlicht. Im Standard-Setup sind Schreibzugriffe auf die [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/30/cert-warnung-standard-keepass-setu… ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848023 ∗∗∗ Enterprise Content Management System Monitor is affected by a vulnerability in Eclipse Openj9 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890603 ∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to Denial of Service (DoS) attacks (CVE-2022-40153) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890629 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855093 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855105 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855099 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855097 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855101 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.01.2023
by Daily end-of-shift report 27 Jan '23

27 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 26-01-2023 18:00 − Freitag 27-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ ProxyShell & Co.: Microsoft gibt Tipps, um Exchange Server abzusichern ∗∗∗ --------------------------------------------- Vor dem Hintergrund mehrerer kritischer Sicherheitslücken und Attacken auf Exchange Server zeigt Microsoft, welche Updates Admins dringend installieren müssen. --------------------------------------------- https://heise.de/-7472639 ∗∗∗ CPUs von Intel und ARM: Linux und der Umgang mit datenabhängigem Timing ∗∗∗ --------------------------------------------- Wenn die Dauer von Operationen von den Daten abhängt, ermöglicht dies Timing-Attacken auf Informationen. Wie geht Linux damit um? --------------------------------------------- https://www.golem.de/news/cpus-von-intel-und-arm-linux-und-der-umgang-mit-d… ∗∗∗ Bitwarden password vaults targeted in Google ads phishing attack ∗∗∗ --------------------------------------------- Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users password vault credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bitwarden-password-vaults-ta… ∗∗∗ Live Linux IR with UAC, (Thu, Jan 26th) ∗∗∗ --------------------------------------------- The other day, I was looking for Linux IR scripts and ran across the tool Unix-like Artifacts Collector or UAC(1) created by Thiago Lahr. As you would expect, it gathers most live stats but also collects Virtual box and Docker info and other data on the system. [...] With any tool, you should always test to understand how it affects your system. I ran a simple file timeline collection before and after to see what changes were made. --------------------------------------------- https://isc.sans.edu/diary/rss/29480 ∗∗∗ WhatsApp hijackers take over your account while you sleep ∗∗∗ --------------------------------------------- Theres an easy way to protect yourself. Heres how. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/protect-your-whatsapp-accoun… ∗∗∗ "2.6 million DuoLingo account entries" up for sale ∗∗∗ --------------------------------------------- We take a look at claims of large amounts of DuoLingo user data up for sale, supposedly scraped from publicly available sources. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/2.6-million-duolingo-account… ∗∗∗ Tourismusbranche im Visier von Kriminellen: Cyberangriffe über booking.com ∗∗∗ --------------------------------------------- Der Hotelverband Deutschland, der französische Hotelverband GNI und die Wirtschaftskammer Österreich warnen vor zwei unterschiedlichen Betrugsversuchen über die Kommunikationskanäle von booking.com. Die Angriffe zielen darauf ab, das Computer-System der Unterkünfte mit Schadsoftware zu infizieren oder Kunden:innendaten abzugreifen. --------------------------------------------- https://www.watchlist-internet.at/news/tourismusbranche-im-visier-von-krimi… ∗∗∗ Mitigating RBAC-Based Privilege Escalation in Popular Kubernetes Platforms ∗∗∗ --------------------------------------------- We recap our research on privilege escalation and powerful permissions in Kubernetes and analyze the ways various platforms have addressed it. --------------------------------------------- https://unit42.paloaltonetworks.com/kubernetes-privilege-escalation/ ∗∗∗ A Blog with NoName ∗∗∗ --------------------------------------------- Further Insight into the Hacktivist Operation Targeting NATO and Affiliated Nations --------------------------------------------- https://www.team-cymru.com/post/a-blog-with-noname ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, and modsecurity-apache), Fedora (libgit2, mediawiki, and redis), Oracle (go-toolset:ol8, java-1.8.0-openjdk, systemd, and thunderbird), Red Hat (java-1.8.0-openjdk and redhat-ds:12), SUSE (apache2, bluez, chromium, ffmpeg-4, glib2, haproxy, kernel, libXpm, podman, python-py, python-setuptools, samba, xen, xrdp, and xterm), and Ubuntu (samba). --------------------------------------------- https://lwn.net/Articles/921477/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/26/cisa-releases-eig… ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2022-47983) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857695 ∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for January 2023 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857999 ∗∗∗ IBM App Connect Enterprise Certified Container may be vulnerable to denial of service due to [CVE-2022-42898] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858007 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-27664] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858011 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-32189] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858009 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to [CVE-2022-23491] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858005 ∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6858015 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847951 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.01.2023
by Daily end-of-shift report 26 Jan '23

26 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-01-2023 18:00 − Donnerstag 26-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Exploit released for critical Windows CryptoAPI spoofing bug ∗∗∗ --------------------------------------------- Proof of concept exploit code has been released by Akamai researchers for a critical Windows CryptoAPI vulnerability discovered by the NSA and U.K.s NCSC allowing MD5-collision certificate spoofing. Tracked as CVE-2022-34689, this security flaw was addressed with security updates released in August 2022 [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ PY#RATION: New Python-based RAT Uses WebSocket for C2 and Data Exfiltration ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a new Python-based attack campaign that leverages a Python-based remote access trojan (RAT) to gain control over compromised systems since at least August 2022."This malware is unique in its utilization of WebSockets to avoid detection and for both command-and-control (C2) communication and exfiltration," Securonix said in a report [..] --------------------------------------------- https://thehackernews.com/2023/01/pyration-new-python-based-rat-utilizes.ht… ∗∗∗ Massive Supply-Chain-Attacke auf Router von Asus, D-Link & Co. beobachtet ∗∗∗ --------------------------------------------- Angreifer haben derzeit weltweit eine kritische Schwachstelle in Wireless-SoCs von Realtek im Visier. In Deutschland soll es Millionen Attacken gegeben haben. [...] Von der Lücke sind rund 190 IoT-Modelle von 66 Herstellern betroffen. Eine Auflistung von betroffenen Geräten findet man in der ursprünglichen Warnmeldung am Ende des Beitrags. Sicherheitspatches von Realtek sind schon seit Sommer 2021 verfügbar. --------------------------------------------- https://heise.de/-7471324 ∗∗∗ Cybercrime: Polizei zerschlägt Ransomware-Gruppe "Hive" ∗∗∗ --------------------------------------------- Deutsche Ermittler haben in Zusammenarbeit mit den Behörden in den Niederlanden und den USA die Kontrolle über das Ransomware-Netzwerk "Hive" übernommen. --------------------------------------------- https://heise.de/-7472192 ∗∗∗ Chinese PlugX Malware Hidden in Your USB Devices? ∗∗∗ --------------------------------------------- The PlugX malware stood out to us as this variant infects any attached removable USB media devices such as floppy, thumb or flash drives and any additional systems the USB is later plugged into. This PlugX malware also hides actor files in a USB device using a novel technique that works even on the most recent Windows operating systems (OS) at the time of writing this post. --------------------------------------------- https://unit42.paloaltonetworks.com/plugx-variants-in-usbs/ ∗∗∗ AA23-025A: Protecting Against Malicious Use of Remote Monitoring and Management Software ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) (hereafter referred to as the “authoring organizations”) are releasing this joint Cybersecurity Advisory (CSA) to warn network defenders about malicious use of legitimate remote monitoring and management (RMM) software. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa23-025a ∗∗∗ Achtung: Phishing zur Kontensperrung zielt auf Ing-Banking-Kunden (Jan. 2023) ∗∗∗ --------------------------------------------- us gegebenem Anlass greife ich die nächste Phishing-Kampagne hier im Blog auf, die sich an Kunden von Banken richtet. Kunden der Online-Bank Ing erhalten in einer Kampagne eine Phishing-Mail mit dem Hinweis, dass das Konto gesperrt worden sei, weil nicht auf eine Nachricht der Bank reagiert worden sei. --------------------------------------------- https://www.borncity.com/blog/2023/01/26/achtung-phishing-zur-kontensperrun… ∗∗∗ New Mimic Ransomware Abuses Everything APIs for its Encryption Process ∗∗∗ --------------------------------------------- Trend Micro researchers discovered a new ransomware that abuses the APIs of a legitimate tool called Everything, a Windows filename search engine developed by Voidtools that offers quick searching and real-time updates for minimal resource usage. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/new-mimic-ransomware-abuses-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate BIND: Angreifer könnten DNS-Server mit Anfragen überfluten ∗∗∗ --------------------------------------------- Die Entwickler haben in der DNS-Software auf Open-Source-Basis BIND drei DoS-Lücken geschlossen. --------------------------------------------- https://heise.de/-7471773 ∗∗∗ Wordpress-Plug-in: Kritische Lücke in Learnpress auf 75.000 Webseiten ∗∗∗ --------------------------------------------- Das Wordpress-Plug-in Learnpress kommt auf über 100.000 Webseiten zum Einsatz. Mangels installierter Updates sind 75.000 davon für Kompromittierung anfällig. --------------------------------------------- https://heise.de/-7471283 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (git), Fedora (libXpm and redis), Oracle (bind, firefox, grub2, java-1.8.0-openjdk, java-11-openjdk, kernel, libtasn1, libXpm, and sssd), Red Hat (thunderbird), SUSE (freeradius-server, kernel, libzypp-plugin-appdata, python-certifi, and xen), and Ubuntu (bind9, krb5, linux-raspi, linux-raspi-5.4, and privoxy). --------------------------------------------- https://lwn.net/Articles/921345/ ∗∗∗ libcurl as used by IBM QRadar Wincollect agent is vulnerable to denial of service (CVE-2022-43552, CVE-2022-43551) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857685 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to query parameter smuggling due to [CVE-2022-2880] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857849 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-2879] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857851 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands may be vulnerable to denial of service due to [CVE-2022-41715] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857853 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to elevated privileges due to [CVE-2022-42919] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857847 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.01.2023
by Daily end-of-shift report 25 Jan '23

25 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-01-2023 18:00 − Mittwoch 25-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht vor Phishing-Mails von FinanzOnline und ID Austria ∗∗∗ --------------------------------------------- Betrüger*innen versuchen mit gefälschten Mails an sensible Daten zu kommen. --------------------------------------------- https://futurezone.at/digital-life/phishing-mails-finanzonline-id-austria-v… ∗∗∗ GoTo-Hacker erbeuten verschlüsselte Backups inklusive Schlüssel ∗∗∗ --------------------------------------------- GoTo, ein Anbieter für Software-as-a-Service und Remote-Work-Tools, veröffentlicht weitere Erkenntnisse über einen IT-Sicherheitsvorfall. --------------------------------------------- https://heise.de/-7470609 ∗∗∗ OTORIO DCOM Hardening Toolkit für Windows für OT-Systeme veröffentlicht ∗∗∗ --------------------------------------------- In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle, die eine Umgehung der Sicherheitsfunktionen ermöglicht. Microsoft hat das dokumentiert und gepatcht, und will im März 2023 aber einen letzten einen Patch freigeben. Sicherheitsanbieter OTORIO hat im Vorfeld ein OpenSource DCOM Hardening Toolkit für OT-Systeme veröffentlicht, mit dem Unternehmen ihre DCOM-Umgebungen analysieren und ggf. härten können. --------------------------------------------- https://www.borncity.com/blog/2023/01/25/otorio-dcom-hardening-toolkit-fr-w… ∗∗∗ Recovery-Scam durch betrugsdezernat.com und betrugsdezernat.org! ∗∗∗ --------------------------------------------- Wer auf betrügerischen Investment-Plattformen Geld verloren hat, wünscht sich meist nichts mehr, als sämtliche Einzahlungen zurückerhalten zu können. Darauf setzen auch die Kriminellen, die schon hinter dem Investitionsbetrug steckten. Sie geben sich als (häufig erfundene) Behörden aus und behaupten, das verlorene Geld festgesetzt zu haben. Eine kleine Vorauszahlung der Opfer soll zur Rückbuchung aller Verluste führen. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scam-durch-betrugsdezernatc… ∗∗∗ Senden Sie Ihre Daten nicht an gewerbe-datenanzeiger.at! ∗∗∗ --------------------------------------------- Haben auch Sie eine Nachricht von Gewerbe Datenanzeiger bekommen, die Sie auffordert, Ihre Firmendaten preiszugeben? Ignorieren Sie die Nachricht, wenn Sie antworten, schließen Sie ein teures Abo in Höhe von 1.992 € ab! --------------------------------------------- https://www.watchlist-internet.at/news/senden-sie-ihre-daten-nicht-an-gewer… ∗∗∗ Ransomware access brokers use Google ads to breach your network ∗∗∗ --------------------------------------------- A threat actor tracked as DEV-0569 uses Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims passwords, and ultimately breach networks for ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-us… ∗∗∗ New stealthy Python RAT malware targets Windows in attacks ∗∗∗ --------------------------------------------- A new Python-based malware has been spotted in the wild featuring remote access trojan (RAT) capabilities to give its operators control over the breached systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-python-rat-malw… ∗∗∗ Lessons Learned from the Windows Remote Desktop Honeypot Report ∗∗∗ --------------------------------------------- Over several weeks in October of 2022, Specops collected 4.6 million attempted passwords on their Windows Remote Desktop honeypot system. Here is what they learned. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lessons-learned-from-the-win… ∗∗∗ A First Malicious OneNote Document, (Wed, Jan 25th) ∗∗∗ --------------------------------------------- Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns[1]. --------------------------------------------- https://isc.sans.edu/diary/rss/29470 ∗∗∗ Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network ∗∗∗ --------------------------------------------- Every so often attackers register a new domain to host their malware. In many cases, these new domains are associated with specific malware campaigns, often related to redirecting legitimate website traffic to third party sites of their choosing - including tech support scams, adult dating, phishing, or drive-by-downloads. Since late December, our team has been tracking a new spike in WordPress website infections related to the following malicious domain: [...] --------------------------------------------- https://blog.sucuri.net/2023/01/massive-campaign-uses-hacked-wordpress-site… ∗∗∗ At the Edge of Tier Zero: The Curious Case of the RODC ∗∗∗ --------------------------------------------- The read-only Domain Controller (RODC) is a solution that Microsoft introduced for physical locations that don’t have adequate security to host a Domain Controller but still require directory services for resources in those locations. A branch office is the classic use case. While RODCs, by definition, are not part of the set of resources that can control “enterprise identities”, known as Tier Zero, we have seen cases where there is a privilege escalation path from an RODC to domain dominance. --------------------------------------------- https://posts.specterops.io/at-the-edge-of-tier-zero-the-curious-case-of-th… ∗∗∗ Vulnerability of Zyxel switches posed serious risk for business processes of many companies ∗∗∗ --------------------------------------------- The issue received a CVSSv3 score of 8.2, qualifying it as high severity --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/vulnerability-of-zyxel-switches… ∗∗∗ Attacking The Supply Chain: Developer ∗∗∗ --------------------------------------------- In this proof of concept, we look into one of several attack vectors that can be abused to attack the supply chain: targeting the developer. With a focus on the local integrated developer environment (IDE), this proof considers the execution of malicious build scripts via injecting commands when the project or build is incorrectly “trusted”. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/attacking-the-supply-chain-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Xen Security Advisory CVE-2022-42330 / XSA-425 ∗∗∗ --------------------------------------------- Guests can cause Xenstore crash via soft reset --------------------------------------------- https://xenbits.xen.org/xsa/advisory-425.html ∗∗∗ Kritische Schadcode-Lücken in Logging-Tool VMware vRealize Log geschlossen ∗∗∗ --------------------------------------------- Netzwerk-Admins sollten ihre Systeme mit VMware vRealize Log auf den aktuellen Stand bringen, um Angreifer auszusperren. --------------------------------------------- https://heise.de/-7470157 ∗∗∗ Kritische Sicherheitslücke: Neuere Lexmark-Drucker ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Lexmark warnt vor Sicherheitslücken in seinen Druckern. Neuere Modelle ermöglichten Angreifern, Schadcode einzuschleusen und auszuführen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7470640 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libde265, nodejs, and swift), Fedora (nautilus), Oracle (bash, bind, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, libreoffice, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, postgresql-jdbc, qemu, ruby:2.5, sqlite, sssd, sudo, and usbguard), Red Hat (bind, go-toolset-1.18, go-toolset:rhel8, kernel, kernel-rt, kpatch-patch, pcs, sssd, and virt:rhel, virt-devel:rhel), Scientific Linux (bind, --------------------------------------------- https://lwn.net/Articles/921194/ ∗∗∗ [R1] Tenable.sc 6.0.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-03 ∗∗∗ IBM Security Verify Governance, Identity Manager virtual appliance component uses weaker than expected cryptography (CVE-2022-22462) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857339 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2022-40750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857579 ∗∗∗ IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. (CVE-2022-31772) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6833806 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libxml2, expat, libtasn1 and systemd ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857613 ∗∗∗ Multiple vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857607 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.01.2023
by Daily end-of-shift report 24 Jan '23

24 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 23-01-2023 18:00 − Dienstag 24-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers use Golang source code interpreter to evade detection ∗∗∗ --------------------------------------------- A Chinese-speaking hacking group tracked as DragonSpark was observed employing Golang source code interpretation to evade detection while launching espionage attacks against organizations in East Asia. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-golang-source-co… ∗∗∗ Microsoft 365 to block downloaded Excel XLL add-ins to boost security ∗∗∗ --------------------------------------------- Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-365-to-block-down… ∗∗∗ Emotet Malware Makes a Comeback with New Evasion Techniques ∗∗∗ --------------------------------------------- The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. --------------------------------------------- https://thehackernews.com/2023/01/emotet-malware-makes-comeback-with-new.ht… ∗∗∗ Identitätsdiebstahl: Erste Hilfe bei Onlinebetrug unter Ihrem Namen ∗∗∗ --------------------------------------------- Kriminelle kaufen mit illegal erworbenen Login-Daten auf Ihre Rechnung ein oder posten Beschimpfungen in Ihrem Namen? Das sollten Sie jetzt tun. --------------------------------------------- https://heise.de/-7452745 ∗∗∗ A security audit of Git ∗∗∗ --------------------------------------------- The Open Source Technology Improvement Fund has announced the completion of a security audit of the Git source. --------------------------------------------- https://lwn.net/Articles/921067/ ∗∗∗ OSINT your OT suppliers ∗∗∗ --------------------------------------------- There is much talk about supply chain security and reviewing your suppliers for cyber security. But how much information do they intentionally and unintentionally leak about your organisation online? --------------------------------------------- https://www.pentestpartners.com/security-blog/osint-your-ot-suppliers/ ∗∗∗ Facebook: E-Bike-Gewinnspiele sind Fake ∗∗∗ --------------------------------------------- Mit „Danke“ kommentieren und E-Bike gewinnen: Dieses Gewinnspiel macht gerade auf Facebook die Runde. Angeblich haben die Fahrräder kleine Kratzer, die Motoren funktionieren aber einwandfrei. Vorsicht: Das Gewinnspiel ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/facebook-e-bike-gewinnspiele-sind-fa… ∗∗∗ Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats ∗∗∗ --------------------------------------------- We observed a recent spate of supply chain attacks attempting to exploit CVE-2021-35394, affecting IoT devices with chipsets made by Realtek. --------------------------------------------- https://unit42.paloaltonetworks.com/realtek-sdk-vulnerability/ ∗∗∗ Vice Society Ransomware Group Targets Manufacturing Companies ∗∗∗ --------------------------------------------- In this blog entry, we’d like to highlight our findings on Vice Society, which includes an end-to-end infection diagram that we were able to create using Trend Micro internal telemetry. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-grou… ∗∗∗ A step-by-step introduction to the use of ROP gadgets to bypass DEP ∗∗∗ --------------------------------------------- DEP (Data Execution Prevention) is a memory protection feature that allows the system to mark memory pages as non-executable. ROP (Return-oriented programming) is an exploit technique that allows an attacker to execute shellcode with protections such as DEP enabled. --------------------------------------------- https://cybergeeks.tech/a-step-by-step-introduction-to-the-use-of-rop-gadge… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Symantec Endpoint Protection als Sprungbrett für Angreifer ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle könnten Angreifer Windows-PCs mit Sicherheitssoftware von Symantec attackieren. --------------------------------------------- https://heise.de/-7468961 ∗∗∗ iOS 16.3, iPadOS 16.3 und macOS 13.2: Welche Lücken Apple stopft ∗∗∗ --------------------------------------------- Erneut bekommen Macs, iPhones und iPads jede Menge Sicherheitsfixes. Zu den Details schweigt sich Apple teilweise mal wieder aus. --------------------------------------------- https://heise.de/-7469023 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and spip), Fedora (kernel), Mageia (chromium-browser-stable, docker, firefox, jpegoptim, nautilus, net-snmp, phoronix-test-suite, php, php-smarty, samba, sdl2, sudo, tor, viewvc, vim, virtualbox, and x11-server), Red Hat (bash, curl, dbus, expat, firefox, go-toolset, golang, java-1.8.0-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, libxml2, libXpm, nodejs, nodejs-nodemon, pcs, postgresql-jdbc, [...] --------------------------------------------- https://lwn.net/Articles/921024/ ∗∗∗ Critical Vulnerabilities Patched in OpenText Enterprise Content Management System ∗∗∗ --------------------------------------------- Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-patched-opentext-ente… ∗∗∗ Pgpool-II vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN72418815/ ∗∗∗ pgAdmin 4 vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN01398015/ ∗∗∗ VMSA-2023-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0001.html ∗∗∗ XINJE XD ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-024-01 ∗∗∗ SOCOMEC MODULYS GP ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-024-02 ∗∗∗ IBM WebSphere Application Server traditional container is vulnerable to information disclosure (CVE-2022-43917) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857007 ∗∗∗ Vulnerability in NX-OS Firmware used by IBM c-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857039 ∗∗∗ FileNet Content Manager GraphQL jackson-databind security vulnerabilities, affected but not vulnerable ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857047 ∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6857295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.01.2023
by Daily end-of-shift report 23 Jan '23

23 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-01-2023 18:00 − Montag 23-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Anmeldung bei ManageEngine ServiceDesk Plus MSP mit beliebigem Passwort möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die Helpdesk-Software ManageEngine ServiceDesk Plus MSP von Zoho. --------------------------------------------- https://heise.de/-7467650 ∗∗∗ "Cyberkriminelle" verschaffen sich Zugang zu Sky-Kundenkonten ∗∗∗ --------------------------------------------- Der Pay-TV-Anbieter Sky bestätigt, dass sich bösartige Akteure Zugriff zu Kundenkonten verschafft haben. Details gibt es noch nicht, der Schaden ist unklar. --------------------------------------------- https://heise.de/-7468078 ∗∗∗ Vorsicht vor Betrug bei der Wohnungssuche im Ausland ∗∗∗ --------------------------------------------- Sie planen ein Auslandssemester oder suchen für einen befristeten Zeitraum eine Wohnung oder ein WG-Zimmer? Nehmen Sie sich vor günstigen Traumwohnungen in Acht! Dahinter könnte eine Betrugsmasche stecken. Finger weg, wenn Sie ohne Besichtigung eine Zahlung leisten müssen, die angeblich von TripAdvisor, Airbnb oder Booking.com verwaltet wird. Sie verlieren Ihr Geld und stehen ohne Wohnung da. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-wohnungssuche-fuer-… ∗∗∗ Massive ad-fraud op dismantled after hitting millions of iOS devices ∗∗∗ --------------------------------------------- A massive ad fraud operation dubbed Vastflux that spoofed more than 1,700 applications from 120 publishers, mostly for iOS, has been disrupted by security researchers at cybersecurity company HUMAN. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-ad-fraud-op-dismantl… ∗∗∗ Whos Resolving This Domain?, (Mon, Jan 23rd) ∗∗∗ --------------------------------------------- Challenge of the day: To find the process that resolved a specific domain. And this is not always easy! --------------------------------------------- https://isc.sans.edu/diary/rss/29462 ∗∗∗ Threat Actors Turn to Sliver as Open Source Alternative to Popular C2 Frameworks ∗∗∗ --------------------------------------------- The legitimate command-and-control (C2) framework known as Sliver is gaining more traction from threat actors as it emerges as an open source alternative to Cobalt Strike and Metasploit. The findings come from Cybereason, which detailed its inner workings in an exhaustive analysis last week. --------------------------------------------- https://thehackernews.com/2023/01/threat-actors-turn-to-sliver-as-open.html ∗∗∗ ShareFinder: How Threat Actors Discover File Shares ∗∗∗ --------------------------------------------- Many of our reports focus on adversarial Tactics, Techniques, and Procedures (TTPs) along with the tools associated with them. After gaining a foothold in an environment, one challenge for all [...] --------------------------------------------- https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover… ∗∗∗ Activation Context Cache Poisoning: Exploiting CSRSS for Privilege Escalation ∗∗∗ --------------------------------------------- Starting in July of 2022, the Windows CSRSS process entered the consciousness of the infosec community as the source of several local privilege escalation vulnerabilities in Microsoft Windows. The first public information appeared on July 12 with the release of the patch for CVE-2022-22047, which was being actively exploited. Shortly thereafter, Microsoft published an article providing some technical details [...] --------------------------------------------- https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-ex… ∗∗∗ Inglourious Drivers - A Journey of Finding Vulnerabilities in Drivers ∗∗∗ --------------------------------------------- TL;DR I discovered multiple bugs in OEM vendors for peripheral devices, which affected many users of these OEM vendors (Razer, EVGA, MSI, AMI). Many of the vulnerabilities originated in a [...] --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/inglourious-drivers… ===================== = Vulnerabilities = ===================== ∗∗∗ Unter Attacke: Sicherheitsleck in GTA V ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Angreifer missbrauchen eine Sicherheitslücke im Spiel GTA V, um die Statistiken von Opfern zu verändern. Sie könnten jedoch Schadcode unterzuschieben. --------------------------------------------- https://heise.de/-7467685 ∗∗∗ Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347) ∗∗∗ --------------------------------------------- U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and [...] --------------------------------------------- https://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecke… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (powerline-gitstatus, tiff, and trafficserver), Fedora (dotnet6.0, firefox, git, kernel, libXpm, rust, sudo, upx, and yarnpkg), Mageia (kernel and kernel-linus), Red Hat (firefox, java-11-openjdk, and sudo), Slackware (mozilla and seamonkey), SUSE (cacti, cacti-spine, samba, and tor), and Ubuntu (firefox, php7.2, php7.4, php8.1, and python-setuptools, setuptools). --------------------------------------------- https://lwn.net/Articles/920829/ ∗∗∗ A CVE-2022-21626 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856759 ∗∗∗ Multiple vulnerability affect IBM Business Automation Workflow - CVE-2022-42003, CVE-2022-42004 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856761 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.01.2023
by Daily end-of-shift report 20 Jan '23

20 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-01-2023 18:00 − Freitag 20-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit released for critical ManageEngine RCE bug, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now available for a remote code execution (RCE) vulnerability in multiple Zoho ManageEngine products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Exploiting null-dereferences in the Linux kernel ∗∗∗ --------------------------------------------- While the null-dereference bug itself was fixed in October 2022, the more important fix was the introduction of an oops limit which causes the kernel to panic if too many oopses occur. While this patch is already upstream, it is important that distributed kernels also inherit this oops limit and backport it to LTS releases if we want to avoid treating such null-dereference bugs as full-fledged security issues in the future. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences… ∗∗∗ Importance of signing in Windows environments, (Fri, Jan 20th) ∗∗∗ --------------------------------------------- NTLM relaying has been a plague in Windows environments for many years and we have witnessed many exploits that rely on the fact that it is possible to relay NTLM authentication attempts to various target services. --------------------------------------------- https://isc.sans.edu/diary/rss/29456 ∗∗∗ Vulnerable WordPress Sites Compromised with Different Database Infections ∗∗∗ --------------------------------------------- Vulnerabilities within WordPress can lead to compromise, and oftentimes known vulnerabilities are utilized to infect WordPress sites with more than one infection. It is common for out of date websites to be attacked by multiple threat actors or targeted by the same attacker using multiple different channels. We recently came across a database injection that has two different pieces of malware accomplishing two unrelated goals. --------------------------------------------- https://blog.sucuri.net/2023/01/vulnerable-wordpress-sites-compromised-with… ∗∗∗ New Chinese Malware Spotted Exploiting Recent Fortinet Firewall Vulnerability ∗∗∗ --------------------------------------------- Earlier this month, Fortinet disclosed that unknown hacking groups have capitalized on the shortcoming to target governments and other large organizations with a generic Linux implant capable of delivering additional payloads and executing commands sent by a remote server. --------------------------------------------- https://thehackernews.com/2023/01/new-chinese-malware-spotted-exploiting.ht… ∗∗∗ Neue Love-Scam Masche: Wenn die Internetbekanntschaft Sie zum Online-Handel überredet ∗∗∗ --------------------------------------------- Betrügerische Internetbekanntschaften versuchen auf unterschiedlichsten Wegen an Ihr Geld zu kommen. Bei einer neuen Masche erschleichen sich die Kriminellen Ihr Vertrauen, um Sie später auf den Online-Marktplatz haremark. --------------------------------------------- https://www.watchlist-internet.at/news/neue-love-scam-masche-wenn-die-inter… ∗∗∗ CVE-2022-35690: Unauthenticated RCE in Adobe ColdFusion ∗∗∗ --------------------------------------------- n this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in Adobe ColdFusion. --------------------------------------------- https://www.thezdi.com/blog/2023/1/18/cve-2022-35690-unauthenticated-rce-in… ∗∗∗ NCSC to retire Logging Made Easy ∗∗∗ --------------------------------------------- The NCSC is retiring Logging Made Easy (LME). After 31 March 2023, we will no longer support LME, and the GitHub page will close shortly after. --------------------------------------------- https://www.ncsc.gov.uk/blog-post/ncsc-to-retire-logging-made-easy ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco: Hochriskantes Sicherheitsleck in Unified Communications Manager ∗∗∗ --------------------------------------------- In der Unified Communications Manager-Software von Cisco klafft eine Sicherheitslücke mit hohem Risiko. Der Hersteller stellt Updates zum Schließen bereit. --------------------------------------------- https://heise.de/-7465203 ∗∗∗ Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434) ∗∗∗ --------------------------------------------- The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications. --------------------------------------------- https://research.nccgroup.com/2023/01/20/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lava and libitext5-java), Oracle (java-11-openjdk, java-17-openjdk, and libreoffice), SUSE (firefox, git, mozilla-nss, postgresql-jdbc, and sudo), and Ubuntu (git, linux-aws-5.4, linux-gkeop, linux-hwe-5.4, linux-oracle, linux-snapdragon, linux-azure, linux-gkeop, linux-intel-iotg, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle-5.15, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/920646/ ∗∗∗ Vulnerability Spotlight: XSS vulnerability in Ghost CMS ∗∗∗ --------------------------------------------- The TALOS-2022-1686 (CVE-2022-47194-CVE-2022-47197) shows that several XSS vulnerabilities could lead to privilege escalation. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-xss-vulnerabilit… ∗∗∗ Hitachi Energy PCU400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-019-01 ∗∗∗ ;">uniFLOW MOM Tech Support Potential Data Exposure Vulnerability – 20 January 2023 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Vulnerability in minimatch affects IBM Process Mining . CVE-2022-3517 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856471 ∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856659 ∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856661 ∗∗∗ Liberty is vulnerable to denial of service due to GraphQL Java affecting IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856687 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856719 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856717 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-34305 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856713 ∗∗∗ IBM UrbanCode Release is affected by CVE-2022-45143 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856721 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.01.2023
by Daily end-of-shift report 19 Jan '23

19 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-01-2023 18:00 − Donnerstag 19-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Illegal Solaris darknet market hijacked by competitor Kraken ∗∗∗ --------------------------------------------- Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named Kraken, who claims to have hacked it on January 13, 2022. --------------------------------------------- https://www.bleepingcomputer.com/news/security/illegal-solaris-darknet-mark… ∗∗∗ Microsoft investigates bug behind unresponsive Windows Start Menu ∗∗∗ --------------------------------------------- Microsoft is investigating an issue causing the Windows taskbar and Start Menu to become unresponsive and triggering Outlook and Teams login problems. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-investigates-bug-… ∗∗∗ PayPal accounts breached in large-scale credential stuffing attack ∗∗∗ --------------------------------------------- PayPal is sending out notices of a data breach to thousands of users who had their accounts accessed by credential stuffing actors, resulting in the compromise of some personal data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-… ∗∗∗ New Blank Image attack hides phishing scripts in SVG files ∗∗∗ --------------------------------------------- An unusual phishing technique has been observed in the wild, hiding empty SVG files inside HTML attachments pretending to be DocuSign documents. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-blank-image-attack-hides… ∗∗∗ Roaming Mantis implements new DNS changer in its malicious mobile app in 2022 ∗∗∗ --------------------------------------------- Roaming Mantis (a.k.a Shaoye) is a long-term cyberattack campaign that uses malicious Android package (APK) files to control infected Android devices and steal data. --------------------------------------------- https://securelist.com/roaming-mantis-dns-changer-in-malicious-mobile-app/1… ∗∗∗ SPF and DMARC use on 100k most popular domains, (Thu, Jan 19th) ∗∗∗ --------------------------------------------- Not too long ago, I wrote a diary discussing SPF and DMARC use on GOV subdomains in different ccTLDs around the world. The results werent too optimistic, it turned out that only about 42% of gov.cctld domains had a valid SPF record published and only about 19% of such domains had a valid DMARC record published. --------------------------------------------- https://isc.sans.edu/diary/rss/29452 ∗∗∗ Android Users Beware: New Hook Malware with RAT Capabilities Emerges ∗∗∗ --------------------------------------------- The threat actor behind the BlackRock and ERMAC Android banking trojans has unleashed yet another malware for rent called Hook that introduces new capabilities to access files stored in the devices and create a remote interactive session. --------------------------------------------- https://thehackernews.com/2023/01/android-users-beware-new-hook-malware.html ∗∗∗ CircleCI: Malware stole GitHub OAuth keys, bypassing 2FA ∗∗∗ --------------------------------------------- CircleCI, a big name in the DevOps space, has released an incident report about a data breach it experienced early this month. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/01/circleci-malware-stole-githu… ∗∗∗ Pwned or Bot ∗∗∗ --------------------------------------------- Its fascinating to see how creative people can get with breached data. Of course theres all the nasty stuff (phishing, identity theft, spam), but there are also some amazingly positive uses for data illegally taken from someone elses system. --------------------------------------------- https://www.troyhunt.com/pwned-or-bot/ ∗∗∗ LockBit ransomware – what you need to know ∗∗∗ --------------------------------------------- It is the worlds most active ransomware group - responsible for an estimated 40% of all ransomware infections worldwide. Find out what you need to know about LockBit in my article on the Tripwire State of Security blog. --------------------------------------------- https://www.tripwire.com/state-of-security/lockbit-ransomware-what-you-need… ∗∗∗ Windows 11 22H2: Systemwiederherstellung verursacht "This app can’t open"-Fehler ∗∗∗ --------------------------------------------- Ich höre zwar immer wieder "läuft ohne Probleme", aber für den Fall der Fälle, also falls Windows 11 22H2 mal Schluckauf haben sollte und den Fehler "Diese App kann nicht geöffnet werden" zeigt, da hätte ich was zur Ursache. Hochoffiziell von Microsoft als Fehler bestätigt. --------------------------------------------- https://www.borncity.com/blog/2023/01/19/windows-11-22h2-systemwiederherste… ∗∗∗ Windows 10: "Schlagloch" Windows PE-Patch zum Fix der Bitlocker-Bypass-Schwachstelle CVE-2022-41099 ∗∗∗ --------------------------------------------- Nachtrag zum Januar 2023 Patchday für Windows. Es gibt in der Windows PE-Umgebung von Windows 10 eine Schwachstelle (CVE-2022-41099), die eine Umgehung der Bitlocker-Verschlüsselung umgeht. Zum Fixen muss die Windows PE-Umgebung der Clients manuell aktualisiert werden. --------------------------------------------- https://www.borncity.com/blog/2023/01/19/windows-10-schlagloch-windows-pe-p… ∗∗∗ Improve your AWS security posture, Step 3: Encrypt AWS data in transit and at rest ∗∗∗ --------------------------------------------- In this blog, we’ll tackle encrypting AWS in transit and at rest. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/improve-your-aws-se… ∗∗∗ Following the LNK metadata trail ∗∗∗ --------------------------------------------- While tracking some prevalent commodity malware threat actors, Talos observed the popularization of malicious LNK files as their initial access method to download and execute payloads. --------------------------------------------- https://blog.talosintelligence.com/following-the-lnk-metadata-trail/ ∗∗∗ Darth Vidar: The Dark Side of Evolving Threat Infrastructure ∗∗∗ --------------------------------------------- Vidar is an info-stealer malware, which was first spotted in the wild in late 2018 by the security researcher Fumik0. Upon initial inspection, the identified sample appeared to be Arkei (another info-stealer), however differences in both the sample’s code and C2 communications were observed. --------------------------------------------- https://www.team-cymru.com/post/darth-vidar-the-dark-side-of-evolving-threa… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libitext5-java, sudo, and webkit2gtk), Fedora (firefox and qemu), Red Hat (java-11-openjdk and java-17-openjdk), Slackware (sudo), SUSE (sudo), and Ubuntu (python-urllib3 and sudo). --------------------------------------------- https://lwn.net/Articles/920478/ ∗∗∗ Cisco Patches High-Severity SQL Injection Vulnerability in Unified CM ∗∗∗ --------------------------------------------- Cisco on Wednesday announced patches for a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME). --------------------------------------------- https://www.securityweek.com/cisco-patches-high-severity-sql-injection-vuln… ∗∗∗ CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services ∗∗∗ --------------------------------------------- A cross-site request forgery (CSRF) vulnerability impacting the source control management (SCM) service Kudu could be exploited to achieve remote code execution (RCE) in multiple Azure services, cloud infrastructure security firm Ermetic has discovered. --------------------------------------------- https://www.securityweek.com/csrf-vulnerability-kudu-scm-allowed-code-execu… ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-001 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-001 ∗∗∗ [R1] Nessus Version 8.15.8 Fixes One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-02 ∗∗∗ Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856209 ∗∗∗ IBM Security Guardium is affected by a gson-1.7.1.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856221 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-25647) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856221 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2022-48195, CVE-2022-29577, CVE-2022-28367, CVE-2015-6420) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856401 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856409 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39011) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856403 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39089) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856405 ∗∗∗ IBM Cloud Pak for Security (CP4S) is vulnerable to information disclosure (CVE-2021-39090) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856407 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856439 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856443 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.01.2023
by Daily end-of-shift report 18 Jan '23

18 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-01-2023 18:00 − Mittwoch 18-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ RC4 Is Still Considered Harmful ∗∗∗ --------------------------------------------- Ive been spending a lot of time researching Windows authentication implementations, specifically Kerberos. In June 2022 I found an interesting issue number 2310 with the handling of RC4 encryption that allowed you to authenticate as another user if you could either interpose on the Kerberos network traffic to and from the KDC or directly if the user was configured to disable typical pre-authentication requirements. This blog post goes into more detail [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harm… ∗∗∗ Malicious Google Ad --> Fake Notepad++ Page --> Aurora Stealer malware, (Wed, Jan 18th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/29448 ∗∗∗ Is WordPress Secure? ∗∗∗ --------------------------------------------- According to W3Techs, 43.2% of all websites on the internet use WordPress. And of all websites that use a CMS (Content Management System) more than half (64%) leverage WordPress to power their blog or website. Unfortunately, since WordPress has such a large market share it has also become a prime target for attackers. You might be wondering whether WordPress is safe to use. And the short answer is yes - WordPress core is safe to use, but only if you maintain it to the latest version and [...] --------------------------------------------- https://blog.sucuri.net/2023/01/is-wordpress-secure.html ∗∗∗ CISA Warns of Flaws in Siemens, GE Digital, and Contec Industrial Control Systems ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published four Industrial Control Systems (ICS) advisories, calling out several security flaws affecting products from Siemens, GE Digital, and Contec. The most critical of the issues have been identified in Siemens SINEC INS that could lead to remote code execution via a path traversal flaw (CVE-2022-45092, CVSS score: 9.9) --------------------------------------------- https://thehackernews.com/2023/01/cisa-warns-of-flaws-in-siemens-ge.html ∗∗∗ Jetzt patchen! Tausende Firewalls von Sophos angreifbar ∗∗∗ --------------------------------------------- Sicherheitsforscher haben das Internet auf verwundbare Sophos-Firewalls gescannt und sind fündig geworden. Sicherheitspatches gibt es seit Dezember 2022. --------------------------------------------- https://heise.de/-7462565 ∗∗∗ MSI-Motherboards sollen trotz aktivem Secure Boot manipulierte Systeme starten ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat herausgefunden, dass der Schutzmechanismus Secure Boot auf MSI-Motherboards standardmäßig aktiv ist, aber trotzdem alles durchwinkt. --------------------------------------------- https://heise.de/-7462913 ∗∗∗ Hochriskante Sicherheitslücken in Qt "nur ein Bug" ∗∗∗ --------------------------------------------- IT-Sicherheitsforscher von Cisco Thalos haben hochriskante Sicherheitslücken in Qt-QML gefunden. Qt sieht App-Entwickler am Zuge und stuft sie nur als Bug ein. --------------------------------------------- https://heise.de/-7462956 ∗∗∗ Vendors Actively Bypass Security Patch for Year-Old Magento Vulnerability ∗∗∗ --------------------------------------------- Vendors and agencies are actively bypassing the security patch that Adobe released in February 2022 to address CVE-2022-24086, a critical mail template vulnerability in Adobe Commerce and Magento stores, ecommerce security firm Sansec warns. --------------------------------------------- https://www.securityweek.com/vendors-actively-bypass-security-patch-year-ol… ∗∗∗ The Defender’s Guide to Windows Services ∗∗∗ --------------------------------------------- This is the second installment of the Defender’s Guide series. In keeping with the theme, we are discussing Windows Services, the underlying technology, common attack vectors, and methods of securing/monitoring them. --------------------------------------------- https://posts.specterops.io/the-defenders-guide-to-windows-services-67c1711… ∗∗∗ Silo, or not silo, that is the question ∗∗∗ --------------------------------------------- As we (security folks) were working on the hardening of WSUS update servers, we had to answer an interesting question dealing with how to best isolate a sensitive server like WSUS on on-premises Active Directory. The question was: should I put my WSUS server into my T0 silo? --------------------------------------------- https://medium.com/tenable-techblog/silo-or-not-silo-that-is-the-question-d… ∗∗∗ Elastic IP Transfer: Identifying and Mitigating Risks from a New Attack-Vector on AWS ∗∗∗ --------------------------------------------- Elastic IPs (EIPs) are public and static IPv4 addresses provided by AWS. EIPs can be viewed as a pool of IPv4 addresses, accessible from the internet, that can be used in numerous ways. Once an EIP is allocated to an AWS account, it can be associated with a single compute instance or an elastic network [...] --------------------------------------------- https://orca.security/resources/blog/elastic-ip-transfer-attack-vector-on-a… ∗∗∗ An in-depth HTTP Strict Transport Security Tutorial ∗∗∗ --------------------------------------------- HSTS is an Internet standard and policy that tells the browser to only interact with a website using a secure HTTPS connection. Check out this article to learn how to leverage the security of your website and customers’ data and the security benefits you’ll gain from doing so. --------------------------------------------- https://www.trendmicro.com/en_us/devops/23/a/http-strict-transport-security… ∗∗∗ Kriminelle versprechen Geld für Haarspenden auf Job-Börsen, aber zahlen nicht! ∗∗∗ --------------------------------------------- Wenn Sie auf Facebook in diversen Job-Börsen nach einer Beschäftigung suchen, stoßen Sie womöglich auf ein verlockendes Angebot für Ihre Haare. Um für Krebskranke Perücken anzufertigen, ist man bereit, Ihnen bis zu 2000 Euro für Ihre Haare zu bezahlen. Achtung: Wenn Sie hier Kontakt aufnehmen, gibt man Ihnen genaue Anweisungen zum Abschneiden Ihrer Haare und verspricht eine Bezahlung bei Abholung. Doch dann sind Ihre Haare ab, Sie werden blockiert und [...] --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-versprechen-geld-fuer-haa… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Sicherheitslücken in über 100 Oracle-Produkten ∗∗∗ --------------------------------------------- Das erste Oracle Critical Patch Update des Jahres 2023 liefert Beschreibungen und Updates für Sicherheitslücken in mehr als 100 Produkten des Unternehmens. --------------------------------------------- https://heise.de/-7462438 ∗∗∗ Versionsverwaltung: Git schließt zwei kritische Lücken in Version 2.39 ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Lücken in Git entdeckt, durch die beliebiger Code ausgeführt werden konnte. Patches stehen bereit, Nutzer sollten umgehend updaten. --------------------------------------------- https://heise.de/-7462680 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (awstats), Oracle (dpdk, libxml2, postgresql:10, systemd, and virt:ol and virt-devel:rhel), Red Hat (kernel), Slackware (git, httpd, libXpm, and mozilla), SUSE (libzypp-plugin-appdata), and Ubuntu (git, libxpm, linux-ibm-5.4, linux-oem-5.14, and ruby2.3). --------------------------------------------- https://lwn.net/Articles/920318/ ∗∗∗ Remote Code Execution Vulnerabilities Found in TP-Link, NetComm Routers ∗∗∗ --------------------------------------------- Vulnerabilities identified in TP-Link and NetComm router models could be exploited to achieve remote code execution (RCE).Two security defects were identified in TP-Link WR710N-V1-151022 and Archer-C5-V2-160201 SOHO (small office/home office) routers, allowing attackers to execute code, crash devices, or guess login credentials. --------------------------------------------- https://www.securityweek.com/remote-code-execution-vulnerabilities-found-tp… ∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850801 ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp… ∗∗∗ Security Advisory - Misinterpretation of Input in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moiiahpp-… ∗∗∗ Security Advisory - Data Processing Error Vulnerability in a Huawei Band ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-dpeviahb-… ∗∗∗ Security Advisory - Buffer Overflow Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-boviahpp-… ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahpp… ∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-5… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.01.2023
by Daily end-of-shift report 17 Jan '23

17 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 16-01-2023 18:00 − Dienstag 17-01-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th) ∗∗∗ --------------------------------------------- I had a call recently from a client, they were looking for which Group Policy in their AD had a specific setting in it. --------------------------------------------- https://isc.sans.edu/diary/rss/29442 ∗∗∗ The misadventures of an SPF record ∗∗∗ --------------------------------------------- I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT, University, University of Miami, along with 1000+ other domains had mistakenly used the “+all” SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf. --------------------------------------------- https://caniphish.com/phishing-resources/blog/scanning-spf-records ∗∗∗ Windows: Verschwundene Start-Menüs und Taskbars sorgen für Verwirrung ∗∗∗ --------------------------------------------- Update 16.01.2023 07:44 Uhr: Microsoft hat inzwischen einen Support-Artikel in der Techcommunity herausgegeben, der PowerShell-Skripte und Anleitungen zur automatischen Ausführung für IT-Verantwortliche enthält, die zumindest einen Teil von gelöschten Verknüpfungen wiederherstellen können sollen. --------------------------------------------- https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-s… ∗∗∗ Beware of DDosia, a botnet created to facilitate DDoS attacks ∗∗∗ --------------------------------------------- The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky. --------------------------------------------- https://blog.avast.com/ddosia-project ∗∗∗ The prevalence of RCE exploits and what you should know about RCEs ∗∗∗ --------------------------------------------- Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem. --------------------------------------------- https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what… ∗∗∗ Attackers Can Abuse GitHub Codespaces for Malware Delivery ∗∗∗ --------------------------------------------- A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports. --------------------------------------------- https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-… ∗∗∗ Gefälschtes Post-SMS im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden per SMS gefälschte Paket-Benachrichtigungen. Darin steht, dass Ihr Paket im Sortierzentrum angekommen ist und Sie noch Importkosten zahlen müssen. Klicken Sie nicht auf den Link. Sie werden auf eine gefälschte Post-Seite geführt, wo Kriminelle Ihre Daten stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/ ∗∗∗ Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks ∗∗∗ --------------------------------------------- We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-leg… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft resolves four SSRF vulnerabilities in Azure cloud services ∗∗∗ --------------------------------------------- Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security. --------------------------------------------- https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vul… ∗∗∗ Attacken auf kritische Lücke in ManageEngine-Produkte von Zoho bald möglich ∗∗∗ --------------------------------------------- Angreifer könnten ManageEngine-Produkte wie Access Manager Plus und Password Manager Pro mit Schadcode attackieren. --------------------------------------------- https://heise.de/-7461118 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor). --------------------------------------------- https://lwn.net/Articles/920217/ ∗∗∗ Schwere Sicherheitslücke in InRouter-Firmware von InHand Networks bedroht Roboter, Stromzähler, med. Geräte etc. ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf eine schwere Sicherheitslücke Schwachstelle CVE-2023-22598 in der InRouter-Firmware des Herstellers InHand Networks GmbH gestoßen. --------------------------------------------- https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-… ∗∗∗ LDAP-Schwachstellen: Domain Controller mit Januar 2023-Updates patchen ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag zum Januar 2023-Patchday (10. Januar 2023). Administratoren sollten sich darum kümmern, dass ihre als Domain Controller fungierenden Windows Server auf dem aktuellen Patchstand sind. Denn mit den Januar 2023-Updates wurden zwei gravierende Schwachstellen im Lightweight Directory Access Protocol (LDAP) geschlossen. --------------------------------------------- https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-control… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.7 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/ ∗∗∗ Security Vulnerabilities fixed in Firefox 109 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/ ∗∗∗ A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855731 ∗∗∗ There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855777 ∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855831 ∗∗∗ AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855827 ∗∗∗ IBM Robotic Process Automation is vulnerable to Cross-Site Scripting. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855835 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.01.2023
by Daily end-of-shift report 16 Jan '23

16 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-01-2023 18:00 − Montag 16-01-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Viele Cacti-Server öffentlich erreichbar und verwundbar ∗∗∗ --------------------------------------------- Sicherheitsforscher stoßen auf tausende über das Internet erreichbare Server mit dem IT-Monitoring-Tool Cacti. Zahlreiche Instanzen wurden noch nicht gepatcht. --------------------------------------------- https://heise.de/-7459904 ∗∗∗ CircleCI-Hack: 2FA-Zugangsdaten von Mitarbeiter ergaunert ∗∗∗ --------------------------------------------- Die Betreiber der Cloud-basierten Continuous-Integration-Plattform CircleCI haben ihren Bericht über den Sicherheitsvorfall veröffentlicht. --------------------------------------------- https://heise.de/-7460123 ∗∗∗ Gefälschte Job-Angebote im Namen der Wirtschafskammer auf Facebook ∗∗∗ --------------------------------------------- Auf Facebook kursieren gefälschte Jobangebote im Namen der Wirtschaftskammer Österreich. Die Anzeigen versprechen Gehälter zwischen 50 und 200 Euro pro Stunde. Die Wirtschaftskammern selbst warnen bereits auf Facebook vor den gefälschten Stellenangeboten. Bewerben Sie sich nicht und klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-job-angebote-im-namen-de… ∗∗∗ Avast releases free BianLian ransomware decryptor ∗∗∗ --------------------------------------------- Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian… ∗∗∗ Malicious ‘Lolip0p’ PyPi packages install info-stealing malware ∗∗∗ --------------------------------------------- A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packa… ∗∗∗ PSA: Why you must run an ad blocker when using Google, (Mon, Jan 16th) ∗∗∗ --------------------------------------------- Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time. --------------------------------------------- https://isc.sans.edu/diary/rss/29438 ∗∗∗ Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware ∗∗∗ --------------------------------------------- Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022. --------------------------------------------- https://thehackernews.com/2023/01/beware-tainted-vpns-being-used-to.html ∗∗∗ Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software ∗∗∗ --------------------------------------------- A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020. --------------------------------------------- https://thehackernews.com/2023/01/raccoon-and-vidar-stealers-spreading.html ∗∗∗ Hacked! My Twitter user data is out on the dark web -- now what? ∗∗∗ --------------------------------------------- Your Twitter user data may now be out there too, including your phone number. Heres how to check and what you can do about it. --------------------------------------------- https://www.zdnet.com/article/hacked-my-twitter-user-data-is-out-on-the-dar… ∗∗∗ Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML ∗∗∗ --------------------------------------------- Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML. Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all [...] --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buff… ===================== = Vulnerabilities = ===================== ∗∗∗ PoC exploits released for critical bugs in popular WordPress plugins ∗∗∗ --------------------------------------------- Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-cr… ∗∗∗ Webbrowser: Microsoft Edge-Update schließt hochriskante Lücken ∗∗∗ --------------------------------------------- Microsoft hat in einem Update des Webbrowsers Edge Sicherheitslücken aus dem Chromium-Projekt abgedichtet. Sie schließt auch weitere hochriskante Lücken. --------------------------------------------- https://heise.de/-7459742 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp). --------------------------------------------- https://lwn.net/Articles/920120/ ∗∗∗ Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) ∗∗∗ --------------------------------------------- Im April 2021 hatten Sicherheitsforscher eine Privilege Escalation Schwachstelle im Windows RPC-Protokoll entdeckt, der eine lokale Privilegienerweiterung durch NTLM-Relay-Angriffe ermöglichte. Nun scheint ein Sicherheitsforscher auf eine nicht so bekannte Möglichkeit zur Durchführung von NTLM Reflection-Angriffen gestoßen zu sein, die er [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/15/nach-remotepotato0-kommt-die-windo… ∗∗∗ IBM Security Bulletins 2023-01-16 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM® Engineering Lifecycle Engineering products, IBM Integration Bus, IBM Maximo Asset Management, IBM MQ Internet Pass-Thru, IBM QRadar SIEM, IBM Sterling Partner Engagement Manager, IBM Tivoli Application Dependency Discovery Manager (TADDM), IBM Tivoli Netcool Configuration Manager, IBM Tivoli Network Manager (ITNM), IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM), Rational Functional Tester --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ HIMA: unquoted path vulnerabilities in X-OPC and X-OTS ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-059/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2023
by Daily end-of-shift report 13 Jan '23

13 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-01-2023 18:00 − Freitag 13-01-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Fortinet says hackers exploited critical vulnerability to infect VPN customers ∗∗∗ --------------------------------------------- Remote code-execution bug was exploited to backdoor vulnerable servers. --------------------------------------------- https://arstechnica.com/?p=1909594 ∗∗∗ NortonLifeLock warns that hackers breached Password Manager accounts ∗∗∗ --------------------------------------------- Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-ha… ∗∗∗ Malware: Android-TV-Box mit vorinstallierter Schadsoftware gekauft ∗∗∗ --------------------------------------------- Auf Amazon hat ein Sicherheitsforscher eine Android-TV-Box gekauft - und entdeckte eine tief ins System integrierte Schadsoftware. --------------------------------------------- https://www.golem.de/news/malware-android-tv-box-mit-vorinstallierter-schad… ∗∗∗ Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar ∗∗∗ --------------------------------------------- Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar. --------------------------------------------- https://thehackernews.com/2023/01/cybercriminals-using-polyglot-files-in.ht… ∗∗∗ Keeping the wolves out of wolfSSL ∗∗∗ --------------------------------------------- Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS). --------------------------------------------- https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-f… ∗∗∗ Bad things come in large packages: .pkg signature verification bypass on macOS ∗∗∗ --------------------------------------------- Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root. [..] This was fixed by Apple with a 2 character fix: changing uint32_t to uint64_t in macOS 13.1. --------------------------------------------- https://sector7.computest.nl/post/2023-01-xar/ ∗∗∗ Crassus Windows privilege escalation discovery tool ∗∗∗ --------------------------------------------- Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal. --------------------------------------------- https://github.com/vullabs/Crassus ∗∗∗ Cyber-Attacken auf kritische Lücke in Control Web Panel ∗∗∗ --------------------------------------------- Cyberkriminelle greifen eine kritische Sicherheitslücke in CWP (Control Web Panel, ehemals CentOS Web Panel) an. Sie kompromittieren die verwundbaren Systeme. --------------------------------------------- https://heise.de/-7458440 ∗∗∗ Red Hat ergänzt Malware-Erkennungsdienst für RHEL ∗∗∗ --------------------------------------------- Im Rahmen von Red Hat Insights ergänzt das Unternehmen nun einen Malware-Erkennungsdienst. Der ist für RHEL 8 und 9 verfügbar. --------------------------------------------- https://heise.de/-7458189 ∗∗∗ Most Cacti Installations Unpatched Against Exploited Vulnerability ∗∗∗ --------------------------------------------- Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks. --------------------------------------------- https://www.securityweek.com/most-cacti-installations-unpatched-against-exp… ∗∗∗ Bestellen Sie nicht auf Cardione.at! ∗∗∗ --------------------------------------------- Cardione ist ein Nahrungsergänzungsmittel, das angeblich bei Bluthochdruck helfen soll. Cardione.at wirbt mit gefälschten Empfehlungen eines Arztes, es gibt keine Impressums- oder sonstige Unternehmensdaten. Wir raten: Bestellen Sie keine Cardione Tabletten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bestellung-auf-cardione… ∗∗∗ Fake-Shop alvensleben.net imitiert Sofortüberweisung und fragt TANs ab! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor Fake-Shops wie alvensleben.net in Acht. Der Shop hat insbesondere Kinderspielzeug, Brettspiele und Sportgeräte im Sortiment, bietet aber auch Gartenmöbel und Klettergerüste sowie Bettwäsche an. Bezahlt werden soll per Sofortüberweisung. Achtung: Die Daten werden nicht an den Zahlungsdienstleister weitergeleitet, sondern von den Kriminellen abgegriffen. Später werden Sie zur Übermittlung von TAN-Codes überredet und dadurch um Ihr Geld gebracht! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alvenslebennet-imitiert-so… ∗∗∗ Microsoft ASR/Defender Update kann Desktop-/Startmenü-Verknüpfungen löschen ∗∗∗ --------------------------------------------- Wie aktuell in mehreren Medien berichtet wird, scheint das letzte Update von MS ASR/Defender Auswirkungen auf Desktop-/Startmenüverknüpfungen zu haben, und kann unter anderem dazu führen dass O365 Applikationen nicht mehr gestartet werden können. Gängiger Workaround scheint momentan zu sein, die entsprechenden Regeln auf "Audit" zu setzen. Microsoft hat die Regel wieder entfernt, es kann aber noch dauern, bis das global wirksam wird. Inzwischen wird empfohlen, im Admin Center auf SI MO497128 zu schauen. --------------------------------------------- https://cert.at/de/aktuelles/2023/1/microsoft-asrdefender-update-kann-deskt… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi,, linux, linux-aws, linux-aws-hwe, linux-azure, [...] --------------------------------------------- https://lwn.net/Articles/919907/ ∗∗∗ IBM Security Bulletins 2023-01-13 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Data, IBM Cloud Pak for Security, IBM Security Verify Access Appliance, IBM Watson Speech Services, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1), ICP Speech to Text and Text to Speech --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CISA Releases Twelve Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/cisa-releases-twe… ∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/juniper-networks-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2023
by Daily end-of-shift report 12 Jan '23

12 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-01-2023 18:00 − Donnerstag 12-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Konten leergeräumt: Neue Phishing-Welle mit Apple Pay ∗∗∗ --------------------------------------------- Mit einem ausgeklügelten Trick versuchen Kriminelle an Kreditkartendaten zu kommen. Wer Grundlegendes beachtet, ist allerdings ausreichend geschützt. --------------------------------------------- https://futurezone.at/digital-life/apple-pay-phishing-welle-mail-kreditkart… ∗∗∗ Hack: Sicherheitslücke in SugarCRM-Servern wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Etliche SugarCRM-Server in den USA und Deutschland wurden schon gehackt. Ein Hotfix wurde bereits veröffentlicht. --------------------------------------------- https://www.golem.de/news/hack-sicherheitsluecke-in-sugarcrm-servern-wird-a… ∗∗∗ Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability ∗∗∗ --------------------------------------------- Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers. --------------------------------------------- https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html ∗∗∗ New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors ∗∗∗ --------------------------------------------- A new analysis of Raspberry Robins attack infrastructure has revealed that its possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. --------------------------------------------- https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html ∗∗∗ IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours ∗∗∗ --------------------------------------------- A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access. --------------------------------------------- https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html ∗∗∗ Prowler v3: AWS & Azure security assessments ∗∗∗ --------------------------------------------- Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. Prowler v3 is now multi-cloud with Azure added as the second supported cloud provider. --------------------------------------------- https://isc.sans.edu/diary/rss/29430 ∗∗∗ Exfiltration Over a Blocked Port on a Next-Gen Firewall ∗∗∗ --------------------------------------------- [..] all successfully exfiltrated data packets were in small formats [..], smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size. When asked about this finding, the NG-FW vendor acknowledged that "to determine which application is being used, and whether the session aligned with the protocol’s standard, the NG-FW must allow at least one packet to pass." --------------------------------------------- https://cymulate.com/blog/data-exfiltration-firewall/ ∗∗∗ Kritische Sicherheitslücke bedroht End-of-Life-Router von Cisco ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für etwa verschiedene Router, IP-Telefone und Webex veröffentlicht. --------------------------------------------- https://heise.de/-7456480 ∗∗∗ AI-generated phishing attacks are becoming more convincing ∗∗∗ --------------------------------------------- Its time for you and your colleagues to become more skeptical about what you read. Thats a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harrass, and spread fake news. Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed. --------------------------------------------- https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-ar… ∗∗∗ Threema Under Fire After Downplaying Security Research ∗∗∗ --------------------------------------------- The developers of the open source secure messaging app Threema have come under fire over their public response to a security analysis conducted by researchers at the Swiss university ETH Zurich. --------------------------------------------- https://www.securityweek.com/threema-under-fire-after-downplaying-security-… ∗∗∗ SCCM Site Takeover via Automatic Client Push Installation ∗∗∗ --------------------------------------------- tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation. --------------------------------------------- https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-in… ∗∗∗ Gefährliche Fehlkonfigurationen von Active Directory-Dienstkonten ∗∗∗ --------------------------------------------- Das Identifizieren von Schwachstellen in der AD-Konfiguration kann sich als Albtraum erweisen, warnt Gastautor Guido Grillenmeier von Semperis. --------------------------------------------- https://www.zdnet.de/88406475/gefaehrliche-fehlkonfigurationen-von-active-d… ∗∗∗ Microsoft Exchange Januar 2023 Patchday-Nachlese: Dienste starten nicht etc. ∗∗∗ --------------------------------------------- Zum 10. Januar 2023 (Patchday) hat Microsoft Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software, haben aber bekannte Fehler und verursachen neue neue Probleme bei der Installation. Hier ein kurzer Überblick über den Sachstand. --------------------------------------------- https://www.borncity.com/blog/2023/01/12/microsoft-exchange-januar-2023-pat… ∗∗∗ What is Red Teaming & How it Benefits Orgs ∗∗∗ --------------------------------------------- Running real-world attack simulations can help improve organizations cybersecurity resilience --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/what-is-red-teaming.html ∗∗∗ Shodan Verified Vulns 2023-01-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-01-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/1/shodan-verified-vulns-2023-01-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 ∗∗∗ --------------------------------------------- Description: This module enables users to create private vocabularies. The module doesnt enforce permissions appropriately for the taxonomy overview page and overview form. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-001 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, [...] --------------------------------------------- https://lwn.net/Articles/919785/ ∗∗∗ TP-Link SG105PE vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78481846/ ∗∗∗ WAGO: Unauthenticated Configuration Export in web-based management in multiple devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-054/ ∗∗∗ Visual Studio Code Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21779 ∗∗∗ Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854685 ∗∗∗ Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854713 ∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854647 ∗∗∗ Vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Servers used by IBM Master Data Management (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854595 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering products using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851835 ∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854915 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854927 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to arbitrary code execution due to [CVE-2022-25893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854929 ∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854931 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2023
by Daily end-of-shift report 11 Jan '23

11 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-01-2023 18:00 − Mittwoch 11-01-2023 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Lorenz ransomware gang plants backdoors to use months later ∗∗∗ --------------------------------------------- Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plant… ∗∗∗ Bad Paths & The Importance of Using Valid URL Characters ∗∗∗ --------------------------------------------- To ensure that your web files and pages are accessible to a wide range of users with various different devices and operating systems, it’s important to use valid URL characters. Unsafe characters are known to cause compatibility issues with various browser clients, web servers, and even lead to incompatibility issues with web application firewalls. --------------------------------------------- https://blog.sucuri.net/2023/01/bad-paths-the-importance-of-using-valid-url… ∗∗∗ Gefälschte Telegram-App spioniert unter Android ∗∗∗ --------------------------------------------- IT-Forscher von Eset haben eine gefälschte Telegram-App aufgespürt, die ihre Opfer umfassend ausspioniert. Sie wird jedoch außerhalb von Google Play verteilt. --------------------------------------------- https://heise.de/-7455996 ∗∗∗ Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products ∗∗∗ --------------------------------------------- A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms. --------------------------------------------- https://www.securityweek.com/cybercrime-group-exploiting-old-windows-driver… ∗∗∗ SMB “Access is denied” caused by anti-NTLM relay protection ∗∗∗ --------------------------------------------- We investigated a situation where an SMB client could not connect to an SMB server. The SMB server returned an “Access Denied” during the NTLM authentication, even though the credentials were correct and there were no restrictions on both the server-side share and client-side (notably UNC Hardened Access). --------------------------------------------- https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntl… ∗∗∗ Dark Pink ∗∗∗ --------------------------------------------- New APT hitting Asia-Pacific, Europe that goes deeper and darker --------------------------------------------- https://blog.group-ib.com/dark-pink-apt ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: 17 Sicherheitslücken in Google Chrome gestopft ∗∗∗ --------------------------------------------- Das erste Update des Jahres hievt den Webbrowser Chrome auf Stand 109. Die Entwickler schließen darin 17 Schwachstellen, von denen einige hochriskant sind. --------------------------------------------- https://heise.de/-7455130 ∗∗∗ Patchday: Schadcode-Attacken auf Adobe InCopy und InDesign möglich ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben in mehreren Anwendungen gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7455222 ∗∗∗ Patchday: Angreifer verschaffen sich unter Windows System-Rechte ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für unter anderem Exchange Server, Office und Windows veröffentlicht. --------------------------------------------- https://heise.de/-7455122 ∗∗∗ Exploit-Code gesichtet: Attacken auf IT-Monitoring-Tool Cacti möglich ∗∗∗ --------------------------------------------- Angreifer könnten an einer kritischen Sicherheitslücke in Cacti ansetzen und Schadcode auf Servern ausführen. --------------------------------------------- https://heise.de/-7455833 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, and linux-oem-5.17, linux-oem-6.0). --------------------------------------------- https://lwn.net/Articles/919649/ ∗∗∗ Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs ∗∗∗ --------------------------------------------- Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs). --------------------------------------------- https://www.securityweek.com/unpatchable-hardware-vulnerability-allows-hack… ∗∗∗ Exchange Server Sicherheitsupdates (10. Januar 2023), dringend patchen ∗∗∗ --------------------------------------------- Microsoft hat zum 10. Januar 2023 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software. --------------------------------------------- https://www.borncity.com/blog/2023/01/11/exchange-server-sicherheitsupdates… ∗∗∗ AMD Client Vulnerabilities - January 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500539-AMD-CLIENT-VULNERABILIT… ∗∗∗ AMD Server Vulnerabilities - January 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500538-AMD-SERVER-VULNERABILIT… ∗∗∗ Multiple Vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Cloud due to the October 2022 CPU plus CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854413 ∗∗∗ Vulnerability in IBM WebSphere Liberty Profile affects IBM InfoSphere Identity Insight (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854451 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to an OpenSSL vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854571 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to OpenSSL as a part of Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854575 ∗∗∗ IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854577 ∗∗∗ The IBM Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for Log4j vulnerabilities CVE-2021-4104 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6825215 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2023
by Daily end-of-shift report 10 Jan '23

10 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 09-01-2023 18:00 − Dienstag 10-01-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Interview: Sönke Huster über Lücken im WLAN-Stack des Linux-Kernels ∗∗∗ --------------------------------------------- Sönke Huster hat Sicherheitslücken im WLAN-Stack des Linux-Kernels gefunden, die einen Angriff theoretisch ermöglichen, nur weil das WLAN eingeschaltet ist. --------------------------------------------- https://heise.de/-7447684 ∗∗∗ Meeting-Client Zoom unter Android, macOS und Windows angreifbar ∗∗∗ --------------------------------------------- Nach erfolgreichen Attacken auf Zoom Rooms könnten sich Angreifer etwa unter macOS Root-Rechte verschaffen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7453606 ∗∗∗ Sourcecode-Editor Visual Studio Code: Fake Extensions lassen sich leicht tarnen ∗∗∗ --------------------------------------------- Sicherheitsforscher haben eine als Prettier getarnte Erweiterung im Marktplatz veröffentlicht, die es auf gut 1000 Downloads innerhalb von 48 Stunden brachte. --------------------------------------------- https://heise.de/-7453534 ∗∗∗ Patchday: SAP behandelt vier kritische Schwachstellen ∗∗∗ --------------------------------------------- SAP liefert Updates zum Beheben von teils kritischen Sicherheitslücken in den Produkten des Herstellers. IT-Verantwortliche sollten sie rasch installieren. --------------------------------------------- https://heise.de/-7454402 ∗∗∗ Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges ∗∗∗ --------------------------------------------- On Oct 21, 2022, 360Netlabs honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention. --------------------------------------------- https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/ ∗∗∗ New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th) ∗∗∗ --------------------------------------------- I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a files called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper. --------------------------------------------- https://isc.sans.edu/diary/rss/29416 ∗∗∗ ChatGPT-Written Malware ∗∗∗ --------------------------------------------- I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.…within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks. --------------------------------------------- https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html ∗∗∗ Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL ∗∗∗ --------------------------------------------- The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week. --------------------------------------------- https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html ∗∗∗ The Dark Side of Gmail ∗∗∗ --------------------------------------------- Behind one of Gmail’s lesser-known features lies a potential threat to websites and platforms managers. --------------------------------------------- https://osintmatter.com/the-dark-side-of-gmail/ ∗∗∗ Crypto-inspired Magecart skimmer surfaces via digital crime haven ∗∗∗ --------------------------------------------- One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspir… ∗∗∗ Malware-based attacks on ATMs - A summary ∗∗∗ --------------------------------------------- Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics. --------------------------------------------- https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/ ===================== = Vulnerabilities = ===================== ∗∗∗ Securepoint UTM: Hotfix schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- In den Securepoint UTM klafft eine kritische Sicherheitslücke. Das Unternehmen hat einen Hotfix bereitgestellt, der die Schwachstelle abdichtet. --------------------------------------------- https://heise.de/-7453560 ∗∗∗ UEFI-Sicherheitslücken bedrohen ARM-Geräte wie Microsoft Surface ∗∗∗ --------------------------------------------- Supply-Chain-Attacken möglich: Angreifer könnten auf Lenovo ThinkPads und Microsoft Surface den Schutzmechanismus Secure Boot umgehen. --------------------------------------------- https://heise.de/-7454141 ∗∗∗ Eleven Vulnerabilities Patched in Royal Elementor Addons ∗∗∗ --------------------------------------------- On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day. --------------------------------------------- https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-ro… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/919543/ ∗∗∗ 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider ∗∗∗ --------------------------------------------- The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities. --------------------------------------------- https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advi… ∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-010-01 Black Box KVM ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A) --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two… ∗∗∗ Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-acce… ∗∗∗ IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗ --------------------------------------------- CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Siemens Security Advisories (7 new, 15 updated) ∗∗∗ --------------------------------------------- SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1 SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1 SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#Sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.01.2023
by Daily end-of-shift report 09 Jan '23

09 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-01-2023 18:00 − Montag 09-01-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Security: Kunden-Secrets von CircleCI wohl komplett kompromittiert ∗∗∗ --------------------------------------------- CircleCI warnt Kunden dringend, sämtliche Secrets zu tauschen. Builds und Netzwerke könnten über zwei Wochen lang kompromittiert worden sein. --------------------------------------------- https://www.golem.de/news/security-kunden-secrets-von-circleci-wohl-komplet… ∗∗∗ Verschlüsselung: RSA zerstört? Experten zweifeln ∗∗∗ --------------------------------------------- Ein neuer Algorithmus knackt die Verschlüsselung RSA angeblich schneller als jemals zuvor - diesmal mit einem Quantencomputer. Experten zweifeln daran. --------------------------------------------- https://heise.de/-7449806 ∗∗∗ Rust: bis zu 2500 Projekte durch Bibliothek Hyper für DoS verwundbar ∗∗∗ --------------------------------------------- Enthält die to_bytes-Funktion von Hyper keine Längenbeschränkung, so lassen sich schnell DoS-Attacken ausführen. Abhilfe schafft die offizielle Doku. --------------------------------------------- https://heise.de/-7451019 ∗∗∗ BaFin warnt vor "Godfather"-Banking-Trojaner ∗∗∗ --------------------------------------------- Die BaFin warnt vor einem Banking-Trojaner, der Android-Geräte angreift. Die "Godfather" genannte Malware kann 400 internationale Finanzinstitutionen ausspähen. --------------------------------------------- https://heise.de/-7453238 ∗∗∗ Android-Malware: Neue Version von SpyNote stiehlt Banking-Daten ∗∗∗ --------------------------------------------- Die Verbreitung erfolgt über Phishing-E-Mails. Seit Oktober 2022 ist der Quellcode von SpyNote frei verfügbar. Seitdem nehmen die Aktivitäten von SpyNote deutlich zu. --------------------------------------------- https://www.zdnet.de/88406317/android-malware-neue-version-von-spynote-stie… ∗∗∗ Kostenloses Entschlüsselungs-Tool für Ransomware MegaCortex veröffentlicht ∗∗∗ --------------------------------------------- Das Tool ist eine gemeinsame Entwicklung von Bitdefender und No More Ransom. Es funktioniert mit allen Varianten von MegaCortex. --------------------------------------------- https://www.zdnet.de/88406357/kostenloses-entschluesselungs-tool-fuer-ranso… ∗∗∗ Windows 11 GPO "Enable MPR notifications ..." zur Sicherheit setzen ∗∗∗ --------------------------------------------- Kleiner Tipp für Administratoren, die so langsam Windows 11 in Unternehmensumgebungen einführen. In den Standardeinstellungen des Betriebssystems lassen sich mittels einer einfachen DLL die Winlogon-Anmeldeinformationen im Klartext auslesen. Die neue Gruppenrichtlinie "Enable MPR notifications" soll dies nun verhindern. --------------------------------------------- https://www.borncity.com/blog/2023/01/08/windows-11-gpo-enable-mpr-notifica… ∗∗∗ VSCode Marketplace can be abused to host malicious extensions ∗∗∗ --------------------------------------------- Threat analysts at AquaSec have experimented with the security of VSCode Marketplace and found that its surprisingly easy to upload malicious extensions from accounts that appear verified on the platform. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-a… ∗∗∗ Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls ∗∗∗ --------------------------------------------- Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-crea… ∗∗∗ Unraveling the techniques of Mac ransomware ∗∗∗ --------------------------------------------- Understanding how Mac ransomware works is critical in protecting today’s hybrid environments. We analyzed several known Mac ransomware families and highlighted these families’ techniques, which defenders can study further to prevent attacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-tec… ∗∗∗ Finding & Removing Malware From Weebly Sites ∗∗∗ --------------------------------------------- Weebly is an easy-to-use website builder that allows admins to quickly create and publish responsive blogs and sites. Website builder environments are usually considered to be very safe and not prone to malware infections, but during a recent investigation I found some malicious behavior which revealed that even closed proprietary systems for WYSIWYG website builders like Weebly can be abused. --------------------------------------------- https://blog.sucuri.net/2023/01/finding-removing-malware-from-weebly-sites.… ∗∗∗ Dridex Malware Now Attacking macOS Systems with Novel Infection Method ∗∗∗ --------------------------------------------- A variant of the infamous Dridex banking malware has set its sights on Apples macOS operating system using a previously undocumented infection method, according to latest research. --------------------------------------------- https://thehackernews.com/2023/01/dridex-malware-now-attacking-macos.html ∗∗∗ LummaC2 Stealer: A Potent Threat to Crypto Users ∗∗∗ --------------------------------------------- During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine. --------------------------------------------- https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto… ∗∗∗ Unwrapping Ursnifs Gifts ∗∗∗ --------------------------------------------- In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment [...] --------------------------------------------- https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/ ∗∗∗ Distribution of NetSupport RAT Malware Disguised as a Pokemon Game ∗∗∗ --------------------------------------------- NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems. --------------------------------------------- https://asec.ahnlab.com/en/45312/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in MatrixSSL ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In der IoT-Bibliothek MatrixSSL haben IT-Forscher eine als kritisch eingestufte Sicherheitslücke entdeckt. Angreifer könnten dadurch Code einschleusen. --------------------------------------------- https://heise.de/-7453087 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14). --------------------------------------------- https://lwn.net/Articles/919202/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python2.7), SUSE (ca-certificates-mozilla, libksba, and ovmf), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, [...] --------------------------------------------- https://lwn.net/Articles/919422/ ∗∗∗ Kritische Sicherheitslücke in Open-Source-Projekt JsonWebToken entdeckt ∗∗∗ --------------------------------------------- Die Schwachstelle erlaubt unter Umständen eine Remotecodeausführung. Nutzer sollten auf die fehlerbereinigte Version 9.0.0 von JsonWebToken umsteigen. --------------------------------------------- https://www.zdnet.de/88406385/kritische-sicherheitsluecke-in-open-source-pr… ∗∗∗ ThinkPad X13s: BIOS-Update schließt Schwachstellen ∗∗∗ --------------------------------------------- Der Hersteller Lenovo hat in einer Sicherheitsmeldung auf eine Reihe Schwachstellen im BIOS des ThinkPad X13s hingewiesen. Diese ermöglichen eine Speicherbeschädigung (Memory Corruption) und die Offenlegung von Informationen. Es steht ein BIOS-Update zum Schließen der Schwachstellen bereit. --------------------------------------------- https://www.borncity.com/blog/2023/01/07/thinkpad-x13s-bios-update-schliet-… ∗∗∗ IBM Security Bulletins 2023-01-06 - 2023-01-09 ∗∗∗ --------------------------------------------- AIX, CICS Transaction Gateway, Enterprise Content Management System Monitor, IBM App Connect Enterprise, IBM Business Automation Workflow, IBM Connect:Direct Web Services, IBM InfoSphere Information Server, IBM Integration Bus, IBM Maximo Application Suite, IBM MQ, IBM Process Mining, IBM Robotic Process Automation for Cloud Pak, IBM Spectrum Protect Server, IBM SPSS Analytic Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct Web Services, IBM Tivoli Netcool Impact, Power HMC --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877 ∗∗∗ --------------------------------------------- https://github.com/numanturle/CVE-2022-44877 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2023
by Daily end-of-shift report 05 Jan '23

05 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-01-2023 18:00 − Donnerstag 05-01-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Bluebottle hackers used signed Windows driver in attacks on banks ∗∗∗ --------------------------------------------- A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bluebottle-hackers-used-sign… ∗∗∗ SpyNote Android malware infections surge after source code leak ∗∗∗ --------------------------------------------- The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest, known as CypherRat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spynote-android-malware-infe… ∗∗∗ PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources ∗∗∗ --------------------------------------------- We take a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin. --------------------------------------------- https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/ ∗∗∗ ProxyNotShell Mitigations K.O. ∗∗∗ --------------------------------------------- Warum ist ProxyNotShell noch ein Thema? Die Schwachstellen wurden doch von Microsoft Anfang November geschlossen? Kurz gesagt, weil sich viele auf die letzte Mitigation von Microsoft verlassen haben, anstatt auf den November-Patch. --------------------------------------------- https://cert.at/de/blog/2023/1/proxynotshell-mitigations-ko ∗∗∗ The dos and don’ts of ransomware negotiations ∗∗∗ --------------------------------------------- Has your organization suddenly been attacked by a ransomware virus? Take a deep breath and try to remain composed. It can be easy to panic or become overwhelmed in the face of an attack, but it is vital to remain calm and focused in order to make the best decisions for your organization. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/the-dos-and-donts-o… ∗∗∗ Dridex Returns, Targets MacOS Using New Entry Method ∗∗∗ --------------------------------------------- The Dridex variant we analyzed targets MacOS platforms with a new technique to deliver documents embedded with malicious macros to users. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2023-01-05 ∗∗∗ --------------------------------------------- AIX, IBM Content Navigator, IBM Maximo Application Suite, IBM Robotic Process Automation, IBM Robotic Process Automation for Cloud Pak, IBM Security Verify Governance, IBM Sterling B2B Integrator, IBM TXSeries for Multiplatforms, IBM Tivoli Network Manager, ITNM, Operations Dashboard, TADDM, IBM Cloud Object Storage Systems --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Zoho fixt Datenbank-Lücke in Password Manager Pro und Zugriffskontroll-Software ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für die ManageEngine-Produkte Access Manager Plus, PAM360 und Password Manager Pro. --------------------------------------------- https://heise.de/-7449108 ∗∗∗ Patchday: Kritische Kernel-Lücken bedrohen Android ∗∗∗ --------------------------------------------- Google stellt gegen mögliche Attacken abgesicherte Android-Versionen 10, 11, 12, 12L und 13 zum Download bereit. Angreifer können sich Nutzerrechte verschaffen. --------------------------------------------- https://heise.de/-7449147 ∗∗∗ Fortinet stopft Schadcode-Lücken in Netzwerk-Produkten ∗∗∗ --------------------------------------------- Angreifer könnten unberechtigt unter anderem auf FortiManager zugreifen. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-7449288 ∗∗∗ Sicherheitspatch: Angreifer könnten Systeme mit IBM Tivoli Monitoring übernehmen ∗∗∗ --------------------------------------------- Schwachstellen in mehreren Komponenten bedrohen die System- und Netzwerküberwachungslösung IBM Tivoli Monitoring. --------------------------------------------- https://heise.de/-7449768 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus). --------------------------------------------- https://lwn.net/Articles/919112/ ∗∗∗ Hitachi Energy UNEM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-005-01 ∗∗∗ Hitachi Energy FOXMAN-UN ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-005-02 ∗∗∗ Hitachi Energy Lumada Asset Performance Management ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-005-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2023
by Daily end-of-shift report 04 Jan '23

04 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-01-2023 18:00 − Mittwoch 04-01-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Noch 60.000 Exchange-Server für ProxyNotShell-Attacken anfällig ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor verwundbaren Exchange-Servern. 30.000 davon sind in Europa – der Großteil in Deutschland. Sicherheitspatches sind verfügbar. --------------------------------------------- https://heise.de/-7448029 ∗∗∗ l+f: Flipper Zero – Delfin auf Phishing-Tour ∗∗∗ --------------------------------------------- Vorsicht beim Kauf des beliebten Hacking-Gadgets Flipper Zero. Cyberkriminelle haben Fake-Shops eingerichtet, um Interessierte abzukassieren. --------------------------------------------- https://heise.de/-7448371 ∗∗∗ Nur noch eine Woche Zeit: Support-Ende von Windows 8.1 ∗∗∗ --------------------------------------------- Die letzten Stunden für Windows 8.1 haben geschlagen. In nicht einmal einer Woche stellt Microsoft die Unterstützung für Windows 8.1 endgültig ein. --------------------------------------------- https://heise.de/-7448516 ∗∗∗ Update to RTRBK - Diff and File Dates in PowerShell, (Wed, Jan 4th) ∗∗∗ --------------------------------------------- I use my RTRBK script pretty much every week, every single time that I work with a client that doesn't have their network gear in a backup cycle in fact. (for a review of this tool, see the original post https://isc.sans.edu/diary/RTRBK+Router+Switch+Firewall+Backups+in+PowerShe… ) Anyway, I was considering how I could improve this script, aside from adding more and more device types to the backups. A "diff" report was my obvious first thought - [...] --------------------------------------------- https://isc.sans.edu/diary/rss/29400 ∗∗∗ Breaking RSA with a Quantum Computer ∗∗∗ --------------------------------------------- A group of Chinese researchers have just published a paper claiming that they can—although they have not yet done so—break 2048-bit RSA. This is something to take seriously. It might not be correct, but it’s not obviously wrong. We have long known from Shor’s algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the orders of millions of qbits, to factor anything resembling the key sizes we use today. What the researchers have done is combine classical lattice reduction factoring techniques with a quantum approximate optimization algorithm. --------------------------------------------- https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-… ∗∗∗ Androids First Security Updates for 2023 Patch 60 Vulnerabilities ∗∗∗ --------------------------------------------- Google announced on Tuesday the first Android security updates for 2023, which patch a total of 60 vulnerabilities. The first part of the update, which arrives on devices as the 2023-01-01 security patch level, addresses 19 security defects in the Framework and System components. --------------------------------------------- https://www.securityweek.com/androids-first-security-updates-2023-patch-60-… ∗∗∗ Ransomware predictions in 2023: more gov’t action and a pivot to data extortion ∗∗∗ --------------------------------------------- There were thousands of ransomware attacks in 2022, from breaches targeting militaries to incidents that brought entire governments to a standstill. Ransomware giants like Conti closed shop, while groups like LockBit and Hive took their place, attacking thousands of hospitals, governments, businesses and schools across the world. So what does 2023 have in store for us? --------------------------------------------- https://therecord.media/ransomware-predictions-in-2023-more-govt-action-and… ∗∗∗ DeTT&CT: Automate your detection coverage with dettectinator ∗∗∗ --------------------------------------------- Last year, I published an article on mapping detection to the MITRE ATT&CK framework using DeTT&CT. In the article, we introduced DeTT&CT and explored its features and usage. If you missed it, you can find the article here. Although, after writing that article, I encountered some challenges. For instance, I considered using DeTT&CT in a production environment but there were hundreds of existing detection rules to consider, and it would have been a tedious process to manually create the necessary YAML file for building a detection coverage layer. --------------------------------------------- https://blog.nviso.eu/2023/01/04/dettct-automate-your-detection-coverage-wi… ∗∗∗ Shc Linux Malware Installing CoinMiner ∗∗∗ --------------------------------------------- The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl. --------------------------------------------- https://asec.ahnlab.com/en/45182/ ∗∗∗ Three easy steps to dramatically improve your AWS security posture: Step 1, set up IAM properly ∗∗∗ --------------------------------------------- Have you ever heard the saying that the greatest benefit of the cloud is that limitless resources can be spun-up with just a few clicks of the mouse? If so, you would be best served by forgetting that saying altogether. Just because cloud resources can be spun-up with a few clicks of the mouse does not mean that they should be. Rather, prior to launching anything in the cloud, careful consideration and planning are a necessity. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/three-easy-steps-to… ===================== = Vulnerabilities = ===================== ∗∗∗ January 2023 Vulnerability Advisories ∗∗∗ --------------------------------------------- FortiTester (CVSS Score: 7.6), FortiPortal (CVSS Score: 6.6), FortiWeb (CVSS Score: 5.3), FortiManager (CVSS Score: 6), FortiADC (CVSS Score: 8.6) --------------------------------------------- https://fortiguard.fortinet.com/psirt-monthly-advisory/january-2023-vulnera… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xorg-x11-server-Xwayland), Red Hat (webkit2gtk3), SUSE (rmt-server), and Ubuntu (freeradius). --------------------------------------------- https://lwn.net/Articles/919051/ ∗∗∗ IBM Security Bulletins 2023-01-04 ∗∗∗ --------------------------------------------- IBM Common Licensings Administration And Reporting Tool (ART), IBM DataPower Gateway, IBM Global Mailbox, IBM Integration Bus, IBM MQ, IBM Security Verify Governance, IBM Sterling Global Mailbox, IBM WebSphere MQ, IBM WebSphere Message Broker, ITNM --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2023
by Daily end-of-shift report 03 Jan '23

03 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Montag 02-01-2023 18:00 − Dienstag 03-01-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BMW, Mercedes, Kia, Porsche: Sicherheitsforscher hacken etliche Autohersteller ∗∗∗ --------------------------------------------- Forschern ist es gelungen die API-Endpunkte etlicher Autohersteller wie BMW oder Kia zu hacken - von der Konten- bis zur Autoübernahme war alles möglich. --------------------------------------------- https://www.golem.de/news/bmw-mercedes-kia-porsche-sicherheitsforscher-hack… ∗∗∗ Schadcode auf PyPI: Supply-Chain-Angriff auf PyTorch Nightly Builds ∗∗∗ --------------------------------------------- Wer kürzlich PyTorch-nightly unter Linux via pip installiert hat, erhielt Schadcode. Das PyTorch-Team hat Gegenmaßnahmen eingeleitet. --------------------------------------------- https://heise.de/-7447195 ∗∗∗ Its about time: OS Fingerprinting using NTP, (Tue, Jan 3rd) ∗∗∗ --------------------------------------------- Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and reasonably accurate in most use cases to synchronize time across the internet with millisecond accuracy [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a variant of NTP. --------------------------------------------- https://isc.sans.edu/diary/rss/29394 ∗∗∗ Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe ∗∗∗ --------------------------------------------- Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday. --------------------------------------------- https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.ht… ∗∗∗ Cloud Metadata - AWS IAM Credential Abuse ∗∗∗ --------------------------------------------- [...] In this run through we have a vulnerable AWS EC2 instance configured to use IMDSv1 (Instance Metadata Service) which we will exploit, escalate our privileges and carry out post-compromise activities. While not every AWS EC2 instance has an associated IAM role (AWS Identity and Access Management), when they do these role profiles contain credentials/keys. --------------------------------------------- https://sneakymonkey.net/cloud-credential-abuse/ ∗∗∗ SSRF vulnerabilities caused by SNI proxy misconfigurations ∗∗∗ --------------------------------------------- SNI proxies are load balancers that use the SNI extension field to select backend systems. When misconfigured, SNI proxies can be vulnerable to SSRF attacks that provide access to web application backends. --------------------------------------------- https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sn… ∗∗∗ Exploiting GraphQL Query Depth ∗∗∗ --------------------------------------------- GraphQL was created and developed with flexibility in mind: clients should be given the power to ask for exactly what they need and nothing more. Much of this flexibility involves allowing customers to execute multiple queries in a single request, [...] --------------------------------------------- https://checkmarx.com/blog/exploiting-graphql-query-depth/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2023-01-03 ∗∗∗ --------------------------------------------- IBM Business Automation Workflow, IBM InfoSphere Information Server, IBM Integrated Analytics System, IBM Process Mining, IBM Security SOAR, IBM Security Verify Governance, IBM Sterling B2B Integrator, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Rational Directory Server (Tivoli) & Rational Directory Administrator --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Trend Micros Sicherheitslösung Maximum Security benötigt einen Sicherheitspatch ∗∗∗ --------------------------------------------- Angreifer könnten Windows-PCs mit Sicherheitssoftware von Trend Micro attackieren. Ein Sicherheitspatch ist verfügbar. --------------------------------------------- https://heise.de/-7446553 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir). --------------------------------------------- https://lwn.net/Articles/918965/ ∗∗∗ ThinkPad X13s BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500537 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.01.2023
by Daily end-of-shift report 02 Jan '23

02 Jan '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-12-2022 18:00 − Montag 02-01-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ EarSpy-Lauschangriff auf Smartphones: Forschern gelingt Abhören aus der Ferne ∗∗∗ --------------------------------------------- In Mobiltelefone integrierte Ohrlautsprecher werden immer leistungsstärker. Dies hat den Nachteil, dass die verursachten Mini-Vibrationen verräterischer sind. --------------------------------------------- https://heise.de/-7444910 ∗∗∗ Rund 230 Millionen Deezer-Datensätze zu Have I been pwned hinzugefügt ∗∗∗ --------------------------------------------- Bei einem Einbruch in einen Deezer-Dienstleister konnten offenbar rund 230 Millionen Datensätze kopiert werden. Have I been pwned hat sie jetzt hinzugefügt. --------------------------------------------- https://heise.de/-7445237 ∗∗∗ Sicherheitsrisiko Microsoft Outlook App: Überträgt Anmeldedaten und Mails in die Cloud ∗∗∗ --------------------------------------------- Ich hole zum Jahresanfang 2023 nochmals ein Thema hoch, welches ich hier im Blog bereits 2015 und im Januar 2021 angesprochen habe. Es geht um die Microsoft Outlook App, die für Android- und iOS-Geräte angeboten und meines Erachtens breit eingesetzt [...] --------------------------------------------- https://www.borncity.com/blog/2023/01/01/sicherheitsrisiko-microsoft-outloo… ∗∗∗ Ransomware gang cloned victim’s website to leak stolen data ∗∗∗ --------------------------------------------- The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victims site to publish stolen data on it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victi… ∗∗∗ NetworkMiner 2.8 Released, (Mon, Jan 2nd) ∗∗∗ --------------------------------------------- First of all, happy new year to all our Readers! There exist tools that are very popular for a long time because they are regularly updated and... just make the job! NetworkMiner is one of them (the first release was in 2007). I don't use it regularly but it is part of my forensic toolbox for a while and already helped me in many investigations. --------------------------------------------- https://isc.sans.edu/diary/rss/29390 ∗∗∗ WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws ∗∗∗ --------------------------------------------- WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. --------------------------------------------- https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html ∗∗∗ Python developers, uninstall this malicious package right now ∗∗∗ --------------------------------------------- If youre a Python developer and one who is accustomed to installed the latest preview builds of libraries, you might want to take immediate mitigative action. PyTorch, an open-source machine learning framework initially developed by Meta and now under the Linux Foundation, has seemingly been the target of a supply chain attack, which has potentially led to many users installing a malicious package. --------------------------------------------- https://www.neowin.net/news/python-developers-uninstall-this-malicious-pack… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗ --------------------------------------------- IBM Content Collector, IBM Tivoli Monitoring --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Jetzt patchen: Netgear schließt hochriskante Lücke in mehreren Routern ∗∗∗ --------------------------------------------- Netgear empfiehlt ein dringendes Sicherheitsupdate für mehrere seiner Router-Modelle. Betroffen sind von der Lücke auch Modelle der Nighthawk-Reihe. --------------------------------------------- https://heise.de/-7444672 ∗∗∗ Synology warnt vor kritischer Lücke in VPN-Plus-Server ∗∗∗ --------------------------------------------- Wer Synology-Router als VPN-Server einsetzt, muss die Software zügig aktualisieren. Eine kritische Sicherheitslücke ermöglicht Angreifern sonst Codeschmuggel. --------------------------------------------- https://heise.de/-7444783 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/918883/ ∗∗∗ Vulnerabilities in Java and IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights - CVE-2022-34165, CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852357 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.12.2022
by Daily end-of-shift report 30 Dec '22

30 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-12-2022 18:00 − Freitag 30-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Netgear warns users to patch recently fixed WiFi router bug ∗∗∗ --------------------------------------------- Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch… ∗∗∗ New Linux malware uses 30 plugin exploits to backdoor WordPress sites ∗∗∗ --------------------------------------------- A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-pl… ∗∗∗ Security Update Guide Improvement – Representing Hotpatch Updates ∗∗∗ --------------------------------------------- Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates. --------------------------------------------- https://msrc-blog.microsoft.com/2022/12/29/security-update-guide-improvemen… ∗∗∗ Opening the Door for a Knock: Creating a Custom DShield Listener, (Thu, Dec 29th) ∗∗∗ --------------------------------------------- There are a variety of services listening for connections on DShield honeypots. Different systems scanning the internet can connect to these listening services due to exceptions in the firewall. Any attempted connections blocked by the firewall are logged and can be analyzed later. This can be useful to see TCP port connection attempts, but it usefulness is limited. --------------------------------------------- https://isc.sans.edu/diary/rss/29382 ∗∗∗ SPF and DMARC use on GOV domains in different ccTLDs, (Fri, Dec 30th) ∗∗∗ --------------------------------------------- Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call robust or secure. By itself, the protocol lacks any security features related to ensuring (among other factors) integrity or authenticity of transferred data or the identity of their sender, and creating a “spoofed” e-mail is therefore quite easy. --------------------------------------------- https://isc.sans.edu/diary/rss/29384 ∗∗∗ CISA Warns of Active exploitation of JasperReports Vulnerabilities ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two-years-old security flaws impacting TIBCO Softwares JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively. --------------------------------------------- https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html ∗∗∗ ENLBufferPwn (CVE-2022-47949) ∗∗∗ --------------------------------------------- ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victims console by just having an online game with them (remote code execution). --------------------------------------------- https://github.com/PabloMK7/ENLBufferPwn ∗∗∗ Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463 ∗∗∗ --------------------------------------------- Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the topic of Chrome browser exploitation on Windows in greater depth. --------------------------------------------- https://jhalon.github.io/chrome-browser-exploitation-3/ ∗∗∗ EU-Regeln für Cybersicherheit bald in Kraft: Rund 20.000 Betriebe betroffen ∗∗∗ --------------------------------------------- Die EU hat die novellierte Richtlinie zur Netz- und Informationssicherheit (NIS2) im Amtsblatt veröffentlicht. Der Countdown zur Umsetzung in Deutschland läuft. --------------------------------------------- https://heise.de/-7444366 ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Automation, IBM Cloud Pak for Business Automation, IBM Cloud Application Business Insights, IBM Cloud Transformation Advisor, Tivoli Netcool/OMNIbus, Netcool/System Service Monitor --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/918778/ ∗∗∗ Synology-SA-22:26 VPN Plus Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to possible execute arbitrary command via a susceptible version of Synology VPN Plus Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_26 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.12.2022
by Daily end-of-shift report 29 Dec '22

29 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-12-2022 18:00 − Donnerstag 29-12-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Google Home speakers allowed hackers to snoop on conversations ∗∗∗ --------------------------------------------- A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed… ∗∗∗ WordPress Vulnerability & Patch Roundup December 2022 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. --------------------------------------------- https://blog.sucuri.net/2022/12/wordpress-vulnerability-patch-roundup-decem… ∗∗∗ The Worst Hacks of 2022 ∗∗∗ --------------------------------------------- The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks. --------------------------------------------- https://www.wired.com/story/worst-hacks-2022/ ∗∗∗ New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection ∗∗∗ --------------------------------------------- We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses. --------------------------------------------- https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hi… ∗∗∗ One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware. (arXiv:2212.13716v1 [cs.CR]) ∗∗∗ --------------------------------------------- Currently, the development of IoT firmware heavily depends on third-partycomponents (TPCs) to improve development efficiency. Nevertheless, TPCs are notsecure, and the vulnerabilities in TPCs will influence the security of IoTf irmware. --------------------------------------------- http://arxiv.org/abs/2212.13716 ∗∗∗ A survey and analysis of TLS interception mechanisms and motivations. (arXiv:2010.16388v2 [cs.CR] UPDATED) ∗∗∗ --------------------------------------------- TLS is an end-to-end protocol designed to provide confidentiality andintegrity guarantees that improve end-user security and privacy. While TLShelps defend against pervasive surveillance of intercepted unencrypted traffic,it also hinders several common beneficial operations typically performed bymiddleboxes on the network traffic. --------------------------------------------- http://arxiv.org/abs/2010.16388 ∗∗∗ HardCIDR – Network CIDR and Range Discovery Tool ∗∗∗ --------------------------------------------- HardCIDR is a Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test. --------------------------------------------- https://www.darknet.org.uk/2022/12/hardcidr-network-cidr-and-range-discover… ===================== = Vulnerabilities = ===================== ∗∗∗ Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting ∗∗∗ --------------------------------------------- The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/918715/ ∗∗∗ Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers ∗∗∗ --------------------------------------------- Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities. --------------------------------------------- https://www.securityweek.com/several-dos-code-execution-vulnerabilities-fou… ∗∗∗ Ungepatchte Citrix-Server zu Tausenden über kritische Schwachstellen angreifbar ∗∗∗ --------------------------------------------- Citrix hat in den letzten Monaten Sicherheitsupdates für kritische Schwachstellen in Citrix ADC- und Gateway-Produkten freigegeben und entsprechende Sicherheitswarnungen veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/12/29/ungepatchte-citrix-server-zu-tause… ∗∗∗ (Non-US) DIR-825/EE : H/W Rev. R2 & DIR-825/AC Rev. G1A:: F/W 1.0.9 :: Multiple Vulnerabilities by Trend Micro, the Zero Day Initiative (ZDI) ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ IBM Synthetic Playback Agent is vulnerable due to its use of Apache Commons Text [CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852105 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.12.2022
by Daily end-of-shift report 28 Dec '22

28 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-12-2022 18:00 − Mittwoch 28-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ KI-Wunder ChatGPT kann bösartige E-Mails und Code generieren ∗∗∗ --------------------------------------------- Check Point Research (CPR) warnt vor Hackern, die ChatGPT und Codex von OpenAI nutzen könnten, um gezielte Cyberangriffe durchzuführen. https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hac… --------------------------------------------- https://www.zdnet.de/88406214/ki-wunder-chatgpt-kann-boesartige-e-mails-und… ∗∗∗ Droht eine Exchange ProxyNotShell-Katastrophe zum Jahreswechsel 2022/2023? ∗∗∗ --------------------------------------------- Beunruhigende Informationen, die mich gerade erreicht haben. Nicht auf dem aktuellen Patchstand befindliche Microsoft Exchange On-Premises-Server sind anfällig für Angriffe über die ProxyNotShell-Schwachstellen. Vor Weihnachten gab es dann die Information, dass die Hackergruppe FIN7 seit längerem eine automatisierte Angriffsplattform zum [...] --------------------------------------------- https://www.borncity.com/blog/2022/12/28/droht-eine-exchange-proxynotshell-… ∗∗∗ Why Attackers Target GitHub, and How You Can Secure It ∗∗∗ --------------------------------------------- The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain. --------------------------------------------- https://www.darkreading.com/edge-articles/why-attackers-target-github-and-h… ∗∗∗ Playing with Powershell and JSON (and Amazon and Firewalls), (Wed, Dec 28th) ∗∗∗ --------------------------------------------- In this post we'll take a look at parsing and manipulating JSON in Powershell. --------------------------------------------- https://isc.sans.edu/diary/rss/29380 ∗∗∗ CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet ∗∗∗ --------------------------------------------- Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given the situation of past Citrix vulnerabilities, RIFT started to research on how to identify the [...] --------------------------------------------- https://blog.fox-it.com/2022/12/28/cve-2022-27510-cve-2022-27518-measuring-… ∗∗∗ EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer ∗∗∗ --------------------------------------------- As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States. --------------------------------------------- https://www.securityweek.com/earspy-spying-phone-calls-ear-speaker-vibratio… ∗∗∗ Alias and Directive Overloading in GraphQL ∗∗∗ --------------------------------------------- Denial of Service (DoS) attacks in GraphQL APIs are nothing new. It turns out that when you let clients control what data they want to receive from the server, malicious users try to abuse this flexibility to exhaust resources. --------------------------------------------- https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim). --------------------------------------------- https://lwn.net/Articles/918655/ ∗∗∗ Microsoft Patches Azure Cross-Tenant Data Access Flaw ∗∗∗ --------------------------------------------- Microsoft has silently fixed an important-severity security flaw in its Azure Cognitive Search (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks. --------------------------------------------- https://www.securityweek.com/microsoft-patches-azure-cross-tenant-data-acce… ∗∗∗ ABB Security Advisory: NE843 Pulsar Plus Controller ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&Lan… ∗∗∗ A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 (CVE-2022-34165). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851953 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.12.2022
by Daily end-of-shift report 27 Dec '22

27 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-12-2022 18:00 − Dienstag 27-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ EarSpy attack eavesdrops on Android phones via motion sensors ∗∗∗ --------------------------------------------- A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the callers gender and identity, and even discern private speech. --------------------------------------------- https://www.bleepingcomputer.com/news/security/earspy-attack-eavesdrops-on-… ∗∗∗ Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes ∗∗∗ --------------------------------------------- A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware. --------------------------------------------- https://www.darkreading.com/cloud/container-verification-bug-malicious-imag… ∗∗∗ BlueNoroff introduces new methods bypassing MoTW ∗∗∗ --------------------------------------------- We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal. --------------------------------------------- https://securelist.com/bluenoroff-methods-bypass-motw/108383/ ∗∗∗ DShield Sensor Setup in Azure, (Wed, Dec 21st) ∗∗∗ --------------------------------------------- In November I setup the DShield sensor in my Azure tenant using Ubuntu version 20.04. Here are the steps I followed. --------------------------------------------- https://isc.sans.edu/diary/rss/29370 ∗∗∗ GuLoader Malware Utilizing New Techniques to Evade Security Software ∗∗∗ --------------------------------------------- Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software. --------------------------------------------- https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html ∗∗∗ Navigating the Vast Ocean of Sandbox Evasions ∗∗∗ --------------------------------------------- After creating a bespoke sandbox environment, we discuss techniques used to target malware evasions with memory detection and more. --------------------------------------------- https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/ ∗∗∗ Erinnerung: Basic Authentication in Exchange Online wird 2023 abgeschaltet ∗∗∗ --------------------------------------------- Microsoft hat die Tage daran erinnert, dass die sogenannte Basic Authentication in Exchange Online ausläuft und im kommenden Jahr abgeschaltet wird. --------------------------------------------- https://www.borncity.com/blog/2022/12/27/erinnerung-basic-authentication-in… ∗∗∗ Caution! Malware Signed With Microsoft Certificate ∗∗∗ --------------------------------------------- Microsoft announced details on the distribution of malware signed with a Microsoft certificate. According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer accounts. To prevent damage, Microsoft blocked the related accounts and applied a security update (Microsoft Defender 1.377.987.0 or later). --------------------------------------------- https://asec.ahnlab.com/en/44726/ ∗∗∗ Distribution of Magniber Ransomware Stops (Since November 29th) ∗∗∗ --------------------------------------------- Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted. --------------------------------------------- https://asec.ahnlab.com/en/43858/ ∗∗∗ Inside the IcedID BackConnect Protocol ∗∗∗ --------------------------------------------- As part of our ongoing tracking of IcedID / BokBot, we wanted to share some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol. --------------------------------------------- https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol ===================== = Vulnerabilities = ===================== ∗∗∗ Ksmbd: Kritische Lücke im SMB-Dienst des Linux-Kernels ∗∗∗ --------------------------------------------- Der Linux-Kernel verfügt seit vergangenem Jahr über eine eigene SMB-Implementierung. Diese enthält eine sehr gefährliche Lücke - Updates stehen bereit. --------------------------------------------- https://www.golem.de/news/ksmbd-kritische-luecke-im-smb-dienst-des-linux-ke… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable). --------------------------------------------- https://lwn.net/Articles/918607/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc). --------------------------------------------- https://lwn.net/Articles/918631/ ∗∗∗ Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks ∗∗∗ --------------------------------------------- Defiant’s Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-premium-gift-cards-word… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0011 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0011.html ∗∗∗ Cross-Site Scripting im Admin-Panel von Lucee Server (SYSS-2022-051) ∗∗∗ --------------------------------------------- Im Admin-Panel von Lucee Server besteht eine Cross-Site Scripting (XSS)-Schwachstelle. Angreifende können somit JavaScript-Code im Browser ausführen. --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-im-admin-panel-von-lu… ∗∗∗ MISP 2.4.167 released with many improvements, bugs fixed and security fixes. ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.167 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.12.2022
by Daily end-of-shift report 23 Dec '22

23 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-12-2022 18:00 − Freitag 23-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Vice Society ransomware gang switches to new custom encryptor ∗∗∗ --------------------------------------------- The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang… ∗∗∗ Google ad traffic leads to stealer packages based on free software, (Thu, Dec 22nd) ∗∗∗ --------------------------------------------- Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware. --------------------------------------------- https://isc.sans.edu/diary/rss/29376 ∗∗∗ Passwortmanager: LastPass-Hacker haben Zugriff auf Kennworttresore von Kunden ∗∗∗ --------------------------------------------- Bei einem IT-Sicherheitsvorfall beim Anbieter des Passwortmanagers LastPass konnten Angreifer doch auf Kundendaten inklusive gespeicherter Passwörter zugreifen. --------------------------------------------- https://heise.de/-7441929 ∗∗∗ Sourcecode vom Zugriffsmanagementdienst Okta geleakt ∗∗∗ --------------------------------------------- Unbekannte Angreifer konnten auf das Github-Repository von Okta zugreifen und Code kopieren. Die Sicherheit des Dienstes soll dadurch nicht gefährdet sein. --------------------------------------------- https://heise.de/-7442131 ∗∗∗ IcedID Botnet Distributors Abuse Google PPC to Distribute Malware ∗∗∗ --------------------------------------------- We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-a… ===================== = Vulnerabilities = ===================== ∗∗∗ Is this CVSS 10 Linux Kernel vuln going to ruin your Christmas? ∗∗∗ --------------------------------------------- Before Linux users worldwide get panties in a panicked bunch, there appears to be more positive news however: At first glance the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd can more likely than not get back their mince pies unpurturbed. --------------------------------------------- https://thestack.technology/is-this-cvss-10-linux-kernel-vulnerability-ksmb… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls). --------------------------------------------- https://lwn.net/Articles/918486/ ∗∗∗ Threat Brief: OWASSRF Vulnerability Exploitation ∗∗∗ --------------------------------------------- We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts weve observed use the same PowerShell backdoor, which we track as SilverArrow. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-brief-owassrf/ ∗∗∗ CVE-2022-42889 Text4shell Apache Commons Text RCE Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022 ∗∗∗ PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-prem… ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851437 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ AIX is affected by a denial of service (CVE-2022-43680) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851439 ∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848295 ∗∗∗ IBM Integration Designer is vulnerable to denial of service ( CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851449 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April and July 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851613 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.12.2022
by Daily end-of-shift report 22 Dec '22

22 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-12-2022 18:00 − Donnerstag 22-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ FIN7 hackers create auto-attack platform to breach Exchange servers ∗∗∗ --------------------------------------------- The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-att… ∗∗∗ Ransomware and wiper signed with stolen certificates ∗∗∗ --------------------------------------------- In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations. --------------------------------------------- https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates… ∗∗∗ Microsoft research uncovers new Zerobot capabilities ∗∗∗ --------------------------------------------- The Microsoft Defender for IoT research team details information on the recent distribution of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research… ∗∗∗ “Suspicious login” scammers up their game – take care at Christmas ∗∗∗ --------------------------------------------- A picture is worth 1024 words - we clicked through so you dont have to. --------------------------------------------- https://nakedsecurity.sophos.com/2022/12/21/suspicious-login-scammers-up-th… ∗∗∗ Neuer Android-Trojaner zielt auf Banking-Apps und Krypto-Plattformen ab ∗∗∗ --------------------------------------------- Eine neue Banking-Malware namens Godfather hat 16 Länder im Visier. Deutschland fällt darunter. Sie zeichnet Eingaben in über 415 Banking- und Krypto-Apps auf. --------------------------------------------- https://heise.de/-7441440 ∗∗∗ Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata ∗∗∗ --------------------------------------------- If the site is hosted on an Amazon Web Services (AWS) server, then collecting the AWS metadata is relatively simple. This exploit only requires calling the appropriate REST API endpoint with the right payload in the ‘url’ parameter to achieve a successful exploit. --------------------------------------------- https://www.wordfence.com/blog/2022/12/exploiting-wordpress-plugin-vulnerab… ∗∗∗ Qakbot Being Distributed via Virtual Disk Files (*.vhd) ∗∗∗ --------------------------------------------- There’s been a recent increase in the distribution of malware using disk image files. --------------------------------------------- https://asec.ahnlab.com/en/44662/ ∗∗∗ Vidar Stealer Exploiting Various Platforms ∗∗∗ --------------------------------------------- Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2. --------------------------------------------- https://asec.ahnlab.com/en/44554/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Windows code-execution vulnerability went undetected until now ∗∗∗ --------------------------------------------- Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. --------------------------------------------- https://arstechnica.com/information-technology/2022/12/critical-windows-cod… ∗∗∗ Sicherheitsupdates: Angreifer könnten Synology-Router kompromittieren ∗∗∗ --------------------------------------------- Aktuelle Versionen von Synology Router Manager schließen mehrere Sicherheitslücken. Der Hersteller stuft den Schweregrad als kritisch ein. --------------------------------------------- https://heise.de/-7440888 ∗∗∗ Wichtige Sicherheitsupdates für Avira Security, AVG Antivirus & Co. ∗∗∗ --------------------------------------------- Norton hat in seinem Portfolio von Anti-Viren-Software mehrere Sicherheitslücken geschlossen. Angreifer könnten sich höhere Nutzerrechte verschaffen. --------------------------------------------- https://heise.de/-7441040 ∗∗∗ Puckungfu: A NETGEAR WAN Command Injection ∗∗∗ --------------------------------------------- This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s WAN interface. --------------------------------------------- https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-in… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3). --------------------------------------------- https://lwn.net/Articles/918379/ ∗∗∗ Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service ∗∗∗ --------------------------------------------- Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-openimageio-file… ∗∗∗ Two New Security Flaws Reported in Ghost CMS Blogging Software ∗∗∗ --------------------------------------------- https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/ ∗∗∗ Priva TopControl Suite ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-01 ∗∗∗ Rockwell Automation Studio 5000 Logix Emulate ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-02 ∗∗∗ Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-03 ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-356-04 ∗∗∗ IBM Content Navigator is vulnerable to missing authorization. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6844453 ∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851347 ∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540 ) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851337 ∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affects CICS Transaction Gateway Desktop Editon ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851351 ∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851339 ∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851345 ∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851343 ∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway Desktop Editon ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851349 ∗∗∗ Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851341 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.12.2022
by Daily end-of-shift report 21 Dec '22

21 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-12-2022 18:00 − Mittwoch 21-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers bombard PyPi platform with information-stealing malware ∗∗∗ --------------------------------------------- The PyPi python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platfor… ∗∗∗ VirusTotal cheat sheet makes it easy to search for specific results ∗∗∗ --------------------------------------------- VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makes… ∗∗∗ FBI warns of search engine ads pushing malware, phishing ∗∗∗ --------------------------------------------- The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-a… ∗∗∗ Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT ∗∗∗ --------------------------------------------- After Microsoft announced this year that macros from the Internet will be blocked by default in Office , many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-m… ∗∗∗ Fake jQuery Domain Redirects Site Visitors to Scam Pages ∗∗∗ --------------------------------------------- A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing. --------------------------------------------- https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-… ∗∗∗ Kindersicherungs-Apps: Smarte Kids könnten Eltern attackieren ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Android-Apps untersucht, über die Eltern Internetzugriffe von Kindern einschränken können. Doch Schwachstellen weichen den Schutz auf. --------------------------------------------- https://heise.de/-7435146 ∗∗∗ Adult popunder campaign used in mainstream ad fraud scheme ∗∗∗ --------------------------------------------- Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunde… ∗∗∗ Meddler-in-the-Middle Phishing Attacks Explained ∗∗∗ --------------------------------------------- Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice. --------------------------------------------- https://unit42.paloaltonetworks.com/meddler-phishing-attacks/ ∗∗∗ Godfather: A banking Trojan that is impossible to refuse ∗∗∗ --------------------------------------------- Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries. --------------------------------------------- https://blog.group-ib.com/godfather-trojan ∗∗∗ Didn’t Notice Your Rate Limiting: GraphQL Batching Attack ∗∗∗ --------------------------------------------- In this article, we will discuss how allowing multiple queries or requesting multiple object instances in a single network call can be abused leading to massive data leaks or Denial of Service (DoS). --------------------------------------------- https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching… ∗∗∗ A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 ∗∗∗ --------------------------------------------- This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-… ∗∗∗ Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks ∗∗∗ --------------------------------------------- In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-grou… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Attacken auf Exchange Server im ProxyNotShell-Kontext gesichtet ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor einem neuen Exploit, der ProxyNotShell-Schutzkonzepte umgeht. Es gibt aber Sicherheitsupdates. --------------------------------------------- https://heise.de/-7434860 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils). --------------------------------------------- https://lwn.net/Articles/918313/ ∗∗∗ Passwordless Persistence and Privilege Escalation in Azure ∗∗∗ --------------------------------------------- Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons. --------------------------------------------- https://posts.specterops.io/passwordless-persistence-and-privilege-escalati… ∗∗∗ Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN29902403/ ∗∗∗ Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking ∗∗∗ --------------------------------------------- https://www.securityweek.com/critical-vulnerability-hikvision-wireless-brid… ∗∗∗ Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-e… ∗∗∗ Rechteausweitung in Razer Synapse (SYSS-2022-047) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-202… ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the package org.yaml:snakeyaml and jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849213 ∗∗∗ GraphQL Denial of Service security vulnerability CVE-2022-37734 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6828663 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849223 ∗∗∗ Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849249 ∗∗∗ OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850775 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.12.2022
by Daily end-of-shift report 20 Dec '22

20 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Montag 19-12-2022 18:00 − Dienstag 20-12-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux File System Monitoring & Actions, (Tue, Dec 20th) ∗∗∗ --------------------------------------------- There can be multiple reasons to keep an eye on a critical/suspicious file or directory. For example, you could track an attacker and wait for some access to the captured credentials in a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements an FIM (File Integrity Monitoring). Upon a file change, an action can be triggered. Nice, but what if you would like a quick solution but agentless? --------------------------------------------- https://isc.sans.edu/diary/rss/29362 ∗∗∗ ChatGPT: Emerging AI Threat Landscape ∗∗∗ --------------------------------------------- ChatGPT is a prototype chatbot released by OpenAI. The chatbot is powered by AI and is gaining more traction than previous chatbots because it not only interacts in a conversational manner but has the capability to create code and many other complex questions and requests. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-eme… ∗∗∗ Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems ∗∗∗ --------------------------------------------- Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications. --------------------------------------------- https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html ∗∗∗ Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg ∗∗∗ --------------------------------------------- We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior. --------------------------------------------- https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter… ∗∗∗ clif - simple command-line application fuzzer ∗∗∗ --------------------------------------------- clif is a command-line application fuzzer, pretty much what a wfuzz or ffuf are for web. It was inspired by sudo vulnerability CVE-2021-3156 and the fact that, for some reasons, Googles alf-fuzz doesnt allow for unlimited argument or option specification. --------------------------------------------- https://andy.codes/content/blog/2022-12-20-clif.html ∗∗∗ Better Make Sure Your Password Manager Is Secure ∗∗∗ --------------------------------------------- As part of a security analysis, our colleagues kuekerino, ubahnverleih and parzel examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application. --------------------------------------------- https://www.modzero.com/modlog/archives/2022/12/19/better_make_sure_your_pa… ∗∗∗ New RisePro Infostealer Increasingly Popular Among Cybercriminals ∗∗∗ --------------------------------------------- A recently identified information stealer named ‘RisePro’ is being distributed by pay-per-install malware downloader service ‘PrivateLoader’, cyberthreat firm Flashpoint reports. Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs. --------------------------------------------- https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-a… ∗∗∗ Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins ∗∗∗ --------------------------------------------- As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code. --------------------------------------------- https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/ ∗∗∗ Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities ∗∗∗ --------------------------------------------- More than two years ago, a researcher, A2nkF demonstrated the exploit chain from root privilege escalation to SIP-Bypass up to arbitrary kernel extension loading. In this blog entry, we will discuss how we discovered 3 more vulnerabilities from the old exploit chain. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/diving-into-an-old-exploit-c… ∗∗∗ Raspberry Robin Malware Targets Telecom, Governments ∗∗∗ --------------------------------------------- We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targ… ∗∗∗ Web3 IPFS Only Used for Phishing - So Far ∗∗∗ --------------------------------------------- We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phis… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird). --------------------------------------------- https://lwn.net/Articles/918268/ ∗∗∗ FoxIt Patches Code Execution Flaws in PDF Tools ∗∗∗ --------------------------------------------- Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products. --------------------------------------------- https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools ∗∗∗ [R1] Nessus Network Monitor Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-28 ∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-01 ∗∗∗ Rockwell Automation GuardLogix and ControlLogix controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-02 ∗∗∗ ARC Informatique PcVue ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-03 ∗∗∗ Rockwell Automation MicroLogix 1100 and 1400 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-04 ∗∗∗ Delta 4G Router DX-3021 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-354-05 ∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.5ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849101 ∗∗∗ IBM UrbanCode Build is affected by CVE-2022-42252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849111 ∗∗∗ IBM UrbanCode Build is affected by CVE-2021-43980 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849109 ∗∗∗ IBM UrbanCode Build is affected by CVE-2022-34305 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6849107 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.12.2022
by Daily end-of-shift report 19 Dec '22

19 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-12-2022 18:00 − Montag 19-12-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Infostealer Malware with Double Extension, (Sun, Dec 18th) ∗∗∗ --------------------------------------------- Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning engines. --------------------------------------------- https://isc.sans.edu/diary/rss/29354 ∗∗∗ Day 3 — Next Level Font Obfuscation ∗∗∗ --------------------------------------------- Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable. --------------------------------------------- https://medium.com/@doctoreww/day-3-next-level-font-obfuscation-7a6cd978c7a5 ∗∗∗ Venom ∗∗∗ --------------------------------------------- Venom is a C++ library that is meant to give an alternative way to communicate, instead of creating a socket that could be traced back to the process, it creates a new "hidden" (there is no window shown) detached edge process (edge was chosen because it is a browser that is installed on every Windows 10+ and wont raise suspicious) and stealing one of its sockets to perform the network operations. --------------------------------------------- https://github.com/Idov31/Venom ∗∗∗ Exploiting API Framework Flexibility ∗∗∗ --------------------------------------------- The modern frameworks are often very flexible with what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL encoded body, or even with query parameters. Due to this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative approaches. --------------------------------------------- https://attackshipsonfi.re/p/exploiting-api-framework-flexibility ∗∗∗ Fake Shops und Phishing-SMS: Die Betrugsmaschen im Online-Weihnachtsgeschäft ∗∗∗ --------------------------------------------- Weihnachten bedeutet auch wieder Hochsaison für Betrüger, die mit gefälschten Shops und irreführenden SMS auf das Geld ihrer Opfer aus sind. --------------------------------------------- https://www.derstandard.at/story/2000141845543/fake-shops-und-phishing-sms-… ∗∗∗ BSI legt 19 IT-Grundschutz-Bausteine als Final Draft vor ∗∗∗ --------------------------------------------- Kurzer Hinweis für Administratoren und IT-Dienstleister, die im Unternehmensumfeld aktiv sind. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat diese Woche 19 sogenannte IT-Grundschutz-Bausteine als sogenannte Final Drafts vorgelegt. Das reicht von .NET über Active Directory Domain Services bis hin zu Windows Server. --------------------------------------------- https://www.borncity.com/blog/2022/12/18/bsi-legt-19-it-grundschutz-baustei… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-12-16 - 2022-12-18 ∗∗∗ --------------------------------------------- Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ HP kümmert sich mit BIOS-Updates um Schadcode-Lücken ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen mehrere Schwachstellen in HP-Computern. Einige Lücken betreffen ausschließlich AMD-Systeme. --------------------------------------------- https://heise.de/-7398783 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/918203/ ∗∗∗ Synology-SA-22:24 Samba AD DC ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraint via a susceptible version of Synology Directory Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_24 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329 ∗∗∗ --------------------------------------------- Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash. --------------------------------------------- https://support.citrix.com/article/CTX473048/citrix-hypervisor-security-bul… ∗∗∗ Zenphoto vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN06093462/ ∗∗∗ Corel Roxio Creator LJB starts a program with an unquoted file path ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN13075438/ ∗∗∗ ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1681/ ∗∗∗ DLL Search Order Hijacking Vulnerability in the DWG TrueView™ Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0024 ∗∗∗ Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6845928 ∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6841801 ∗∗∗ IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848587 ∗∗∗ IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848585 ∗∗∗ IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848583 ∗∗∗ IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848577 ∗∗∗ UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848581 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848847 ∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848879 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.12.2022
by Daily end-of-shift report 16 Dec '22

16 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-12-2022 18:00 − Freitag 16-12-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Phishing attack uses Facebook posts to evade email security ∗∗∗ --------------------------------------------- A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII). --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attack-uses-faceboo… ∗∗∗ Backdoor Targets FreePBX Asterisk Management Portal ∗∗∗ --------------------------------------------- Written in PHP and JavaScript, FreePBX is a web-based open-source GUI that manages Asterisk, a voice over IP and telephony server. This open-source software allows users to build customer phone systems. During a recent investigation, I came across a simple piece of malware targeting FreePBX’s Asterisk Management portal which allowed attackers to arbitrarily add and delete users, as well as modify the website’s .htaccess file. Let’s take a closer look at this backdoor. --------------------------------------------- https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-managemen… ∗∗∗ Decentralized Identity Attack Surface – Part 2 ∗∗∗ --------------------------------------------- This is the second part of our Decentralized Identity (DID) blog series. In case you’re not familiar with DID concepts, we highly encourage you to start with the first part. This time we will cover a different DID implementation — Sovrin. We will also see what a critical (CVSS 10) DID vulnerability looks like by reviewing the one we found in this popular implementation. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/decentralized-ident… ∗∗∗ Das Ende vom unsicheren Hash-Algorithmus SHA-1 zieht sich wie Kaugummi ∗∗∗ --------------------------------------------- Das National Institute of Standards and Technology schickt das längst geknackte SHA-1-Verfahren in Rente – endgültig aber erst in acht Jahren. --------------------------------------------- https://heise.de/-7396973 ∗∗∗ Codeschmuggel möglich: Microsoft stuft Sicherheitslücke auf "kritisch" herauf ∗∗∗ --------------------------------------------- Eine Sicherheitslücke, für die Microsoft ein Update bereitgestellt hat, ermöglicht unerwartet Angreifern ohne Anmeldung, Schadcode einzuschleusen. --------------------------------------------- https://heise.de/-7396879 ∗∗∗ The Data Protection Officer, an ubiquitous role nobody really knows. (arXiv:2212.07712v1 [cs.CR]) ∗∗∗ --------------------------------------------- Among all cybersecurity and privacy workers, the Data Protection Officer (DPO) stands between those auditing a company's compliance and those acting as management advisors. A person that must be somehow versed in legal, management, and cybersecurity technical skills. We describe how this role tackles socio-technical risks in everyday scenarios. --------------------------------------------- http://arxiv.org/abs/2212.07712 ∗∗∗ FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food ∗∗∗ --------------------------------------------- The joint CSA analyzes the common tactics, techniques, and procedures (TTPs) utilized by criminal actors to spoof emails and domains to impersonate legitimate employees and order goods that went unpaid and were possibly resold at devalued prices with labeling that lacked industry standard “need-to-knows” (i.e., necessary information about ingredients, allergens, or expiration dates). --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/fbi-fda-oci-and-u… ∗∗∗ Agenda Ransomware Uses Rust to Target More Vital Industries ∗∗∗ --------------------------------------------- This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agendas Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2022-0034 ∗∗∗ --------------------------------------------- vRealize Operations (vROps) contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0034.html *** Cisco Security Advisories 2022-12-16 *** --------------------------------------------- Cisco has updated 18 security advisories: (4x Critical, 11x High, 3x Medium) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP… *** Vulnerabilities in Autodesk Image Processing component used by Autodesk products II *** --------------------------------------------- Applications and services that utilize Image Processing component used by Autodesk products may be impacted by Out-of-bound Read, Heap-based Overflow, Out-of-bound Write, Memory corruption, and Use-after-free vulnerabilities. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0025 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libde265, php7.3, and thunderbird), Fedora (firefox, freeradius, freerdp, and xorg-x11-server), Oracle (firefox, prometheus-jmx-exporter, and thunderbird), Red Hat (firefox, nodejs:16, prometheus-jmx-exporter, and thunderbird), and SUSE (ceph and chromium). --------------------------------------------- https://lwn.net/Articles/918047/ ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/samba-releases-se… ∗∗∗ Remote code execution bypass in Eclipse Business Intelligence Reporting Tool (BiRT) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/remote-code-execution-by… ∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848317 ∗∗∗ Multiple Vulnerabilities in base image packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848319 ∗∗∗ Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848279 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.12.2022
by Daily end-of-shift report 15 Dec '22

15 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-12-2022 18:00 − Donnerstag 15-12-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ LEGO BrickLink bugs let hackers hijack accounts, breach servers ∗∗∗ --------------------------------------------- Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Groups official second-hand and vintage marketplace for LEGO bricks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lego-bricklink-bugs-let-hack… ∗∗∗ Hacking Using SVG Files to Smuggle QBot Malware onto Windows Systems ∗∗∗ --------------------------------------------- Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments. --------------------------------------------- https://thehackernews.com/2022/12/hacking-using-svg-files-to-smuggle-qbot.h… ∗∗∗ Technical Review: A Deep Analysis of the Dirty Pipe Vulnerability ∗∗∗ --------------------------------------------- Dirty Pipe (CVE-2022-0847) proved that there is a new way to exploit Linux syscalls to write to files with a read-only privileges. --------------------------------------------- https://blog.aquasec.com/deep-analysis-of-the-dirty-pipe-vulnerability ∗∗∗ Digging Inside Azure Functions: HyperV Is the Last Line of Defense ∗∗∗ --------------------------------------------- We investigated Azures serverless architecture and found that a HyperV VM was the remaining defense after a container breakout. --------------------------------------------- https://unit42.paloaltonetworks.com/azure-serverless-functions-security/ ∗∗∗ Patch Tuesday: (zur Abwechslung) Augen auf! ∗∗∗ --------------------------------------------- Manchmal gelangen wir die verzwickte Lage, dass sich in den Patchnotes Updates für Schwachstellen verbergen, aufgrund derer wir zwar keine Warnung veröffentlichen, aber auf die wir dennoch explizit hinweisen wollen. Diesen Monat ist es wieder einmal soweit. --------------------------------------------- https://cert.at/de/blog/2022/12/patch-tuesday-zur-abwechslung-augen-auf ∗∗∗ Windows Server 2019/2022: Dezember 2022-Sicherheitsupdates verursachen Hyper-V-Probleme ∗∗∗ --------------------------------------------- Die zum Dezember 2022 Patchday von Microsoft ausgerollten Sicherheitsupdates führen in bestimmten Konstellationen zum Problemen mit Hyper-V. --------------------------------------------- https://www.borncity.com/blog/2022/12/15/windows-server-2019-2022-dezember-… ∗∗∗ Microsoft-Zertifikate zur Signatur von Malware missbraucht (Dez. 2022) ∗∗∗ --------------------------------------------- Sicherheitsforscher sind auf Fälle gestoßen, wo es Cyberkriminellen gelungen ist, Malware durch gültige digitale Zertifikate von Microsoft zu signieren. --------------------------------------------- https://www.borncity.com/blog/2022/12/15/microsoft-zertifikate-zur-signatur… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as Critical ∗∗∗ --------------------------------------------- Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution. --------------------------------------------- https://thehackernews.com/2022/12/microsoft-reclassifies-spnego-extended.ht… ∗∗∗ Typo3: Neue Fassungen schließen hochriskante Sicherheitslücke ∗∗∗ --------------------------------------------- Angreifer könnten in Typo3 etwa eigenen PHP-Code einschleusen. Mit neuen Versionen schließen die Entwickler diese und weitere Sicherheitslücken. --------------------------------------------- https://heise.de/-7395790 ∗∗∗ Microsoft Patch Tuesday, December 2022 Edition ∗∗∗ --------------------------------------------- Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software. --------------------------------------------- https://krebsonsecurity.com/2022/12/microsoft-patch-tuesday-december-2022-e… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and git), Slackware (mozilla and xorg), SUSE (apache2-mod_wsgi, capnproto, xorg-x11-server, xwayland, and zabbix), and Ubuntu (emacs24, firefox, linux-azure, linux-azure-5.15, linux-azure-fde, linux-oem-6.0, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/917947/ ∗∗∗ Der unsichtbare Feind: Buffer Overflow Schwachstellen in Zyxel Routern nach wie vor problematisch ∗∗∗ --------------------------------------------- https://sec-consult.com/de/blog/detail/enemy-within-unauthenticated-buffer-… ∗∗∗ Drupal Releases Security Updates to Address Vulnerabilities in H5P and File (Field) Paths ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/15/drupal-releases-s… ∗∗∗ [R1] Tenable.ad Versions 3.29.4, 3.19.12 and 3.11.9 Fix One Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-27 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848189 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848195 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848221 ∗∗∗ Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848225 ∗∗∗ A vulnerability in Python affects IBM Elastic Storage System (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848229 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Node [CVE-2022-39353] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848213 ∗∗∗ Vulnerabilities in IBM Java SDK affect IBM Spectrum Control ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847605 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related IBM WebSphere Application Server Liberty and FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847541 ∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848295 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.12.2022
by Daily end-of-shift report 14 Dec '22

14 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-12-2022 18:00 − Mittwoch 14-12-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft-signed malicious Windows drivers used in ransomware attacks ∗∗∗ --------------------------------------------- Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-… ∗∗∗ Open-source repositories flooded by 144,000 phishing packages ∗∗∗ --------------------------------------------- Unknown threat actors have uploaded a total of 144,294 phishing-related packages on the open-source package repositories NuGet, PyPI, and NPM. --------------------------------------------- https://www.bleepingcomputer.com/news/security/open-source-repositories-flo… ∗∗∗ Input Validation for Website Security ∗∗∗ --------------------------------------------- Web forms are incredibly useful tools. They allow you to gather important information about potential clients and site visitors, collect comments and feedback, upload files, subscribe new users to your blog, or even collect payment details. But if your forms aren’t properly validating user inputs, you might be in for a nasty surprise: a variety of issues can occur if data is uploaded to your site’s environment without specific controls. --------------------------------------------- https://blog.sucuri.net/2022/12/input-validation-for-website-security.html ∗∗∗ Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities ∗∗∗ --------------------------------------------- Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects.The Go-based tool, powered by the Open Source Vulnerabilities (OSV) database, is designed to connect "a projects list of dependencies with the vulnerabilities that affect them," [..] --------------------------------------------- https://thehackernews.com/2022/12/google-launches-largest-distributed.html ∗∗∗ New GoTrim Botnet Attempting to Break into WordPress Sites Admin Accounts ∗∗∗ --------------------------------------------- A new Go-based botnet has been spotted scanning and brute-forcing self-hosted websites using the WordPress content management system (CMS) to seize control of the targeted systems."This new brute forcer is part of a new campaign we have named GoTrim because it was written in Go and uses :::trim::: to split data communicated to and from the C2 server," --------------------------------------------- https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html ∗∗∗ Ade iOS 15: Apple stellt Support auf neueren iPhones offenbar ein ∗∗∗ --------------------------------------------- iPhones ab Baujahr 2017 erhalten Sicherheits-Updates nur noch nach Upgrade auf iOS 16. Lücken in iOS 15 werden laut Apple aktiv ausgenutzt. --------------------------------------------- https://heise.de/-7394913 ∗∗∗ BSI-Magazin mit Schwerpunkt "Ransomware" veröffentlicht ∗∗∗ --------------------------------------------- Die zweite Ausgabe des BSI-Magazins "Mit Sicherheit" in diesem Jahr ist erschienen. Das BSI stellt in diesem BSI-Magazin eine der aktuell größten Bedrohungen für die IT-Sicherheit in einem Sonderteil in den Mittelpunkt: Ransomware. [..] Weitere Themen sind Automotive Security, der Digitale Verbraucherschutz sowie die Zusammenarbeit von BSI und NATO zur Gestaltung der Cloud-Sicherheit im Bündnis. Außerdem gibt es im neuen BSI-Magazin eine neue Checkliste mit Tipps für ein sicheres Heimnetzwerk. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ NSA, CISA, and ODNI Release Guidance on Potential Threats to 5G Network Slicing ∗∗∗ --------------------------------------------- Original release date: December 13, 2022Today, the National Security Agency (NSA), CISA, and the Office of the Director of National Intelligence (ODNI), published Potential Threats to 5G Network Slicing. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents both the benefits and risks associated with 5G network slicing. It also provides mitigation strategies that address potential threats to 5G network slicing. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/13/nsa-cisa-and-odni… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerabilities found on Arcadyan Routers ∗∗∗ --------------------------------------------- The two vulnerabilities were found by Asher Davila L. in Arcadyan wireless modems with model number VRV9506JAC23. It is probable that they are also present in other Arcadyan models as well because their web interfaces are similar and they have common features. The following are the two found vulnerabilities: * CVE-2020-9420: Cleartext transmission of sensitive information * CVE-2020-9419: Stored cross-site scripting --------------------------------------------- https://gist.github.com/AsherDLL/03d0762b5a535e300f1121caebe333ce ∗∗∗ Webbrowser: Chrome-Update dichtet acht Sicherheitslecks ab ∗∗∗ --------------------------------------------- Google hat eine aktualisierte Version des Webbrowsers Chrome bereitgestellt. Sie schließt mindestens vier hochriskante Sicherheitslücken. --------------------------------------------- https://heise.de/-7394554 ∗∗∗ VMSA-2022-0032: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware Cloud Foundation (Cloud Foundation) ∗∗∗ --------------------------------------------- Synopsis: VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701). --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0032.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pngcheck), Fedora (qemu), Mageia (admesh, busybox, emacs, libarchive, netkit-telnet, ruby, rxvt-unicode, and shadowutils), Oracle (bcel and kernel), Red Hat (389-ds-base, bcel, dbus, firefox, grub2, kernel, kernel-rt, kpatch-patch, thunderbird, and usbguard), Scientific Linux (bcel), SUSE (containerd, firefox, grafana, java-1_8_0-openjdk, libtpms, net-snmp, and wireshark), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/917839/ ∗∗∗ Adobe Patches 38 Flaws in Enterprise Software Products ∗∗∗ --------------------------------------------- After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple enterprise-facing products.The San Jose, California software maker said the flaws could expose users to code execution and privilege escalation attacks across all computer platforms. --------------------------------------------- https://www.securityweek.com/adobe-patches-38-flaws-enterprise-software-pro… ∗∗∗ ICS Patch Tuesday: Siemens Fixes 80 OpenSSL, OpenSSH Flaws in Switches ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have addressed over 140 vulnerabilities with their December 2022 Patch Tuesday updates.Siemensread more --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-fixes-80-openssl-ope… ∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Original release date: December 13, 2022Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible: iCloud for Windows 14.1 Safari 16.2 macOS Monterey 12.6.2 macOS Big Sur 11.7.2 tvOS 16.2 watchOS 9.2 iOS 15.7.2 and iPadOS 15.7.2 iOS 16.2 and iPadOS 16.2 macOS Ventura 13.1 --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/12/13/apple-releases-se… ∗∗∗ Sonicwall Capture Client Local Privilege Escalation via SentinelOne Agent (Aikido) ∗∗∗ --------------------------------------------- An arbitrary file deletion vulnerability (Aikido) in Sonicwall Capture Client via SentinelOne Agent could allow a local attacker to escalate privileges and delete files. The exploit was confirmed to work with 6 vulnerable EDR products, including the SentinelOne Agent for Windows.Please note: an attacker must first obtain low-privileged access on the target system in order to exploit this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0025 ∗∗∗ Cisco Identity Services Engine Unauthorized File Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Weidmueller: Multiple IoT and control products affected by JavaScript injection vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-056/ ∗∗∗ NVIDIA GPU Display Driver Advisory - November 2022 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500536-NVIDIA-GPU-DISPLAY-DRIV… ∗∗∗ Vulnerabilities in Linux Kernel, Golang Go, and cURL libcurl may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847643 ∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847655 ∗∗∗ Vulnerabilities in zlib and Golang Go may affect the IBM Spectrum Protect Server (CVE-2018-25032, CVE-2022-27664) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847653 ∗∗∗ IBM Copy Services Manager is vulnerable to a remote attack vulnerabilities due to IBM WebSphere Application Server Liberty vulnerabilities (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847789 ∗∗∗ IBM Tivoli Netcool\/OMNIbus Transport Module Common Integration Library is affected by vulnerability in Apache Kafka (CVE-2022-34917) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847829 ∗∗∗ IBM Tivoli Netcool\/OMNIbus Probe and Integrations Library are affected by vulnerabilities in FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6846525 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847939 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847945 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.12.2022
by Daily end-of-shift report 13 Dec '22

13 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Montag 12-12-2022 18:00 − Dienstag 13-12-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Amazon ECR Public Gallery flaw could have wiped or poisoned any image ∗∗∗ --------------------------------------------- The researcher reported the vulnerability to AWS Security on November 15, 2022, and Amazon rolled out a fix in under 24 hours. While there are no signs of this flaw being abused in the wild, threat actors could have used it in massive-scale supply chain attacks against many users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazon-ecr-public-gallery-fl… ∗∗∗ IIS modules: The evolution of web shells and how to detect them ∗∗∗ --------------------------------------------- This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-ev… ∗∗∗ A Deep Dive into BianLian Ransomware ∗∗∗ --------------------------------------------- BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete. --------------------------------------------- https://resources.securityscorecard.com/research/bian-lian-deep-dive ∗∗∗ New Python-Based Backdoor Targeting VMware ESXi Servers ∗∗∗ --------------------------------------------- Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers. The targeted servers were impacted by known security defects (such as CVE-2019-5544 and CVE-2020-3992) that were likely used for initial compromise, but what caught the researchers’ attention was the simplicity, persistence, and capabilities of the deployed backdoor. --------------------------------------------- https://www.securityweek.com/new-python-based-backdoor-targeting-vmware-esx… ∗∗∗ What’s My Name Again? Reolink camera command injection ∗∗∗ --------------------------------------------- TL;DR Research on Reolink’s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless. --------------------------------------------- https://www.pentestpartners.com/security-blog/whats-my-name-again-reolink-c… ∗∗∗ Aktuelle Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich ∗∗∗ --------------------------------------------- Seit ca. zwei Wochen sehen sich vermehrt österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur mit DDoS Angriffen konfrontiert. Die genauen Hintergründe und Motive der Attacken sind uns zurzeit nicht bekannt. Die Täter:innen greifen hierbei zu verschiedenen Methoden und versuchen auch, sich an getroffene Gegenmaßnahmen anzupassen. --------------------------------------------- https://cert.at/de/aktuelles/2022/12/aktuelle-welle-an-ddos-angriffen-auf-s… ∗∗∗ REPORT: A new trick from Facebook scammers and Sharkbot Android malware returns ∗∗∗ --------------------------------------------- A new wave of scams utilizes Facebook’s tagging feature to trick Page owners into believing they’ve violated Facebook’s terms and conditions. Several variations of the attack exist, but all lead to phishing sites designed to steal Page owner’s credentials. --------------------------------------------- https://blog.f-secure.com/f-alert-report-a-new-trick-from-facebook-scammers… ===================== = Vulnerabilities = ===================== ∗∗∗ Redmine vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- Redmine contains a cross-site scripting vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN60211811/ ∗∗∗ Announcing TYPO3 12.1.1 [12.1.2], 11.5.20 and 10.4.33 security releases ∗∗∗ --------------------------------------------- today weve released TYPO3 12.1.1, 11.5.20 LTS and 10.4.33 LTS, which are ready for you to download. All versions are security releases and contain important security fixes [unfortunately TYPO3 v12.1.1 contained a regression, which has been fixed in TYPO3 v12.1.2.] --------------------------------------------- https://lists.typo3.org/pipermail/typo3-announce/2022/000523.html ∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗ --------------------------------------------- several vulnerabilities have been found in the following third party TYPO3 extensions: * "Change password for frontend users" (fe_change_pwd) * "Newsletter subscriber management" (fp_newsletter) * "Master-Quiz" (fp_masterquiz) For further information on the issues, please read the related advisories TYPO3-EXT-SA-2022-016, TYPO3-EXT-SA-2022-017 and TYPO3-EXT-SA-2022-018 which were published today --------------------------------------------- https://lists.typo3.org/pipermail/typo3-announce/2022/000524.html ∗∗∗ OpenSSL: X.509 Policy Constraints Double Locking (CVE-2022-3996) ∗∗∗ --------------------------------------------- Severity: Low If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. --------------------------------------------- https://www.openssl.org/news/secadv/20221213.txt ∗∗∗ Patchday SAP: 14 neue Sicherheitsmeldungen im Dezember ∗∗∗ --------------------------------------------- Zum Jahresende behandelt SAP in 14 Sicherheitsnotizen Schwachstellen in der Software des Unternehmens. IT-Verantwortliche sollten die Updates rasch anwenden. --------------------------------------------- https://heise.de/-7392718 ∗∗∗ Jetzt patchen! Kritische Zero-Day-Lücke in FortiOS wird angegriffen ∗∗∗ --------------------------------------------- Fortinet meldet eine kritische Sicherheitslücke in FortiOS. Cyberkriminelle missbrauchen diese bereits für Angriffe. Updates stehen bereit. --------------------------------------------- https://heise.de/-7392455 ∗∗∗ VMSA-2022-0031 ∗∗∗ --------------------------------------------- Synopsis: VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0031.html ∗∗∗ VMSA-2022-0033 ∗∗∗ --------------------------------------------- Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0033.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim). --------------------------------------------- https://lwn.net/Articles/917749/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6 ∗∗∗ --------------------------------------------- In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.6 ∗∗∗ --------------------------------------------- CVE-2022-46880: Use-after-free in WebGL CVE-2022-46872: Arbitrary file read from a compromised content process CVE-2022-46881: Memory corruption in WebGL CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS CVE-2022-46882: Use-after-free in WebGL CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/ ∗∗∗ Security Vulnerabilities fixed in Firefox 108 ∗∗∗ --------------------------------------------- CVE-2022-46871: libusrsctp library out of date CVE-2022-46872: Arbitrary file read from a compromised content process CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS CVE-2022-46877: Fullscreen notification bypass CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6 CVE-2022-46879: Memory safety bugs fixed in Firefox 108 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-51/ ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance. CVE-ID: CVE-2022-27518 --------------------------------------------- https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-… ∗∗∗ Privilege Escalation Schwachstellen (UNIX Insecure File Handling) in SAP® Host Agent (saposcol) ∗∗∗ --------------------------------------------- Due to insecure file handling issues of the SAP® Host Agent, a local attacker can exploit the helper binary saposcol to escalate privileges on UNIX systems. Successful exploitation leads to full system compromise with root access. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/privilege-escalation-… ∗∗∗ ICS Advisory (ICSA-22-347-03): Contec CONPROSSYS HMI System (CHS) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03 ∗∗∗ ICS Advisory (ICSA-22-347-02): Schneider Electric APC Easy UPS Online ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-02 ∗∗∗ ICS Advisory (ICSA-22-347-01): ICONICS and Mitsubishi Electric Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01 ∗∗∗ Wiesemann & Theis multiple products prone to web interface vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-057/ ∗∗∗ Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-038/ ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847315 ∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6619729 ∗∗∗ IBM QRadar Network Packet Capture has released 7.3.1 Patch 1, and 7.2.8 Patch 1 in response to the vulnerabilities known as Spectre and Meltdown. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/571419 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2021-41041, CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847341 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847351 ∗∗∗ Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847349 ∗∗∗ Multiple vulnerabilities have been identified in Smack API shipped with IBM Tivoli Netcool Impact (CVE-2014-0363, CVE-2014-0364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847337 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847563 ∗∗∗ WebSphere Application Server is vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests which affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847593 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847591 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847587 ∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847595 ∗∗∗ Vulnerability in OAuthlib affects IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-36087) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6842215 ∗∗∗ Vulnerabilities in Redis affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-24736, CVE-2022-24735) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6842235 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.12.2022
by Daily end-of-shift report 12 Dec '22

12 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-12-2022 18:00 − Montag 12-12-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Clop ransomware partners with TrueBot malware for access to networks ∗∗∗ --------------------------------------------- Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clop-ransomware-partners-wit… ∗∗∗ Popular WAFs Subverted by JSON Bypass ∗∗∗ --------------------------------------------- Web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack using the popular JavaScript Object Notation (JSON) format. --------------------------------------------- https://www.darkreading.com/application-security/popular-wafs-json-bypass ∗∗∗ On-device WebAuthn and what makes it hard to do well ∗∗∗ --------------------------------------------- WebAuthn improves login security a lot by making it significantly harder for a users credentials to be misused - a WebAuthn token will only respond to a challenge if its issued by the site a secret was issued to, and in general will only do so if the user provides proof of physical presence[1]. But giving people tokens is tedious and also I have a new laptop which only has USB-C but does have a working fingerprint reader and I [...] --------------------------------------------- https://mjg59.dreamwidth.org/62746.html ∗∗∗ Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant ∗∗∗ --------------------------------------------- Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks, which took place during 2020 and 2021 and likely went as far back as 2015, involved a revamped variant of a malware called Janicab that leverages a number of public services like WordPress [...] --------------------------------------------- https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.ht… ∗∗∗ Log4j’s Log4Shell Vulnerability: One Year Later, It’s Still Lurking ∗∗∗ --------------------------------------------- Despite mitigation, one of the worst bugs in internet history is still prevalent—and being exploited. --------------------------------------------- https://www.wired.com/story/log4j-log4shell-one-year-later/ ∗∗∗ Practically-exploitable Cryptographic Vulnerabilities in Matrix ∗∗∗ --------------------------------------------- We report several practically-exploitable cryptographic vulnerabilities in the end-to-end encryption in Matrix and describe proof-of-concept attacks exploiting these vulnerabilities. [...] Whilst the language of the paper and this website is in present tense, many of the vulnerabilities disclosed have been fixed. See our paper (or Matrix’ website) for more details. --------------------------------------------- https://nebuchadnezzar-megolm.github.io/ ∗∗∗ Cisco Working on Patch for Publicly Disclosed IP Phone Vulnerability ∗∗∗ --------------------------------------------- Cisco informed customers on Thursday that it’s working on patches for a high-severity vulnerability affecting some of its IP phones. --------------------------------------------- https://www.securityweek.com/cisco-working-patch-publicly-disclosed-ip-phon… ∗∗∗ So schützen Sie sich vor problematischen Online-Shops ∗∗∗ --------------------------------------------- Immer wieder werden uns Online-Shops gemeldet, die zwar keine Fake-Shops, aber trotzdem problematisch sind. Lieferzeiten werden nicht eingehalten, die Qualität der Produkte lässt zu wünschen übrig, oder es kommt zu hohen Zoll- oder Retourenkosten. Wir zeigen Ihnen, worauf Sie achten müssen, um keine bösen Überraschungen beim Online-Shopping zu erleben! --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-problemati… ∗∗∗ So schützen Sie sich vor Abo-Fallen im Internet ∗∗∗ --------------------------------------------- Auch im Internet hat niemand etwas zu verschenken! Lassen Sie Vorsicht walten bei Angeboten, die zu gut sind, um wahr zu sein. Diese „Angebote“ nutzen Kriminelle, um Sie in die Falle zu locken. Wenn Sie bemerken, dass Geldbeträge ohne Ihre Zustimmung von Ihrem Konto abgebucht werden, handelt es sich möglicherweise um eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-abo-fallen… ∗∗∗ Was tun, wenn Sie in eine Abo-Falle getappt sind? ∗∗∗ --------------------------------------------- Auf der Suche nach kostenlosen Angeboten und gratis Testversionen werden Sie im Internet schnell fündig. Doch Vorsicht: Hier ist nicht alles Gold, was glänzt! Oft handelt es sich nämlich um Abo-Fallen, bei denen Ihnen unbegründet Rechnungen zugeschickt oder Geldbeträge vom Konto abgebucht werden und man Ihnen mit Inkassobüros oder Rechtsanwaltsschreiben droht. Die Lösung? Auf keinen Fall bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-sie-in-eine-abo-falle-g… ∗∗∗ Precious Gemstones: The New Generation of Kerberos Attacks ∗∗∗ --------------------------------------------- Unit 42 researchers show new methods to improve detection of a next-gen line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access. --------------------------------------------- https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS - heap-based buffer overflow in sslvpnd ∗∗∗ --------------------------------------------- A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise: [...] --------------------------------------------- https://www.fortiguard.com/psirt/FG-IR-22-398 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cacti, grub2, hsqldb, node-eventsource, and openexr), Fedora (bcel, keylime, rust-capnp, rust-sequoia-octopus-librnp, xfce4-screenshooter, and xfce4-settings), Oracle (nodejs:18), Scientific Linux (grub2), Slackware (libarchive), SUSE (go1.18, go1.19, nautilus, opera, python-slixmpp, and samba), and Ubuntu (python2.7, python3.5, qemu, and squid3). --------------------------------------------- https://lwn.net/Articles/917690/ ∗∗∗ IFM: weak password recovery vulnerability in moneo appliance ∗∗∗ --------------------------------------------- Summary: An unauthenticated remote attacker could reset the administrators password with information from the default, self-signed certificate. Impact: An unathenticated attacker can remotely reset the administrator password. Solution: Mitigation: The certificate is renewed by adjusting the hostname to an own customer-specific, so it does not contain the serial number. Remediation: The password-reset mechanism will be updated in a future version. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-050/ ∗∗∗ IBM Security Bulletins 2022-12-09 - 2022-12-12 ∗∗∗ --------------------------------------------- Apache Commons HttpClient 3.x (and few others), Apache POI, IBM App Connect Enterprise, IBM® Db2® Net Search Extender, IBM Elastic Storage System, IBM Engineering Workflow Management (EWM), IBM InfoSphere Information Server, IBM Spectrum Copy Data Management, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, IBM Spectrum Scale packaged in IBM Elastic Storage Server, IBM Spectrum Scale packaged in IBM Elastic Storage System, IBM Tivoli Application Dependency Discovery Manager (TADDM), Rational Team Concert (RTC), z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Intel Data Center Manager 5.1 Local Privilege Escalation ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022120027 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.12.2022
by Daily end-of-shift report 09 Dec '22

09 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-12-2022 18:00 − Freitag 09-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Unsichtbare npm-Malware umgeht Sicherheitsprüfungen mit manipulierten Versionen ∗∗∗ --------------------------------------------- JFrog hat ein unerwartetes Verhalten der npm-Werkzeuge entdeckt: Für Pakete bestimmter Versionsformate zeigen sie wohl keine sicherheitsrelevanten Hinweise an. --------------------------------------------- https://heise.de/-7372357 ∗∗∗ So schützen Sie sich vor Fake-Shops ∗∗∗ --------------------------------------------- Fake-Shops locken mit gutem Design und unschlagbaren Preisen in die Falle. Doch wie erkennen Sie Fake-Shops und andere betrügerische Online-Shops, bevor es zu spät ist? Hier beschreiben wir hier die gängigsten Formen von Fake-Shops und ihre Erkennungsmerkmale. Ein Einkauf in einem Fake-Shop kann Sie nämlich wahrlich teuer zu stehen kommen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-fake-shops/ ∗∗∗ Ransomware: Löschen statt entschlüsseln ∗∗∗ --------------------------------------------- Die defekte Ransomware Cryptonite kann Ihre Dateien nicht entschlüsseln, selbst wenn Sie das Lösegeld bezahlen. Stattdessen werden alle Daten einfach gelöscht. --------------------------------------------- https://www.zdnet.de/88405737/ransomware-loeschen-statt-entschluesseln/ ∗∗∗ New Zombinder platform binds Android malware with legitimate apps ∗∗∗ --------------------------------------------- A darknet platform dubbed Zombinder allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-zombinder-platform-binds… ∗∗∗ Hacked corporate email accounts used to send MSP remote access tool ∗∗∗ --------------------------------------------- MuddyWater hackers, a group associated with Irans Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-corporate-email-accou… ∗∗∗ DeathStalker targets legal entities with new Janicab variant ∗∗∗ --------------------------------------------- While hunting for less common Deathstalker intrusions, we identified a new Janicab variant used in targeting legal entities in the Middle East throughout 2020. --------------------------------------------- https://securelist.com/deathstalker-targets-legal-entities-with-new-janicab… ∗∗∗ How to train your Ghidra ∗∗∗ --------------------------------------------- Brief introduction to setting up Ghidra, and then configuring it with a familiar UI and shortcuts, so that you would not need to re-learn all the key sequences you have got used to over the years. --------------------------------------------- https://securelist.com/how-to-train-your-ghidra/108272/ ∗∗∗ Finding Gaps in Syslog - How to find when nothing happened, (Wed, Dec 7th) ∗∗∗ --------------------------------------------- I recently got a call from a client, they had an outage that required a firewall reboot, but couldn't give me an exact clock time. They were looking for anything in the logs just prior to that reboot that might indicate a carrier issue, as they had experienced a few outages like this recently. --------------------------------------------- https://isc.sans.edu/diary/rss/29314 ∗∗∗ Port Scanning in Powershell Redux: Speeding Up the Results (challenge accepted!), (Fri, Dec 9th) ∗∗∗ --------------------------------------------- In the story I wrote in October about using PowerShell for Port Scanning (https://isc.sans.edu/diary/29202), I noted that the basic "test-connect" operation made for a pretty slow port scanner, which seems to be the message that everyone latched onto. Of course, my immediate response was "challenge accepted!", so let's go - let's make that operation faster! --------------------------------------------- https://isc.sans.edu/diary/rss/29324 ∗∗∗ Trojanized OneNote Document Leads to Formbook Malware ∗∗∗ --------------------------------------------- Cybercriminals have long used Microsoft documents to pass along malware and they are always experimenting with new ways to deliver malicious packages. As defenders, Trustwave SpiderLabs’ researchers are always looking out for new or unusual file types, and through this ongoing research, we uncovered threat actors using a OneNote document to move Formbook malware, an information stealing trojan sold on an underground hacking forum since mid-2016 as malware-as-a-service. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-… ∗∗∗ Compromised Cloud Compute Credentials: Case Studies From the Wild ∗∗∗ --------------------------------------------- A walk-through of attacks in the wild that abuse stolen cloud compute credentials in the cloud environment. Unit 42 researchers highlight two case studies. --------------------------------------------- https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ ∗∗∗ Fantasy - a new Agrius wiper deployed through a supply‑chain attack ∗∗∗ --------------------------------------------- ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry --------------------------------------------- https://www.welivesecurity.com/2022/12/07/fantasy-new-agrius-wiper-supply-c… ∗∗∗ On hacking forums, even the scammers aren’t safe ∗∗∗ --------------------------------------------- Cybercriminals use a range of techniques to steal victims’ money — from developing malicious software to siphon financial data to old-fashioned “rip-and-runs” — but that doesn’t mean they’re immune to falling for these scams themselves. Scammers scamming scammers, including sometimes the scammers who have scammed them, is “an entire sub-economy” on darknet marketplaces, according to [...] --------------------------------------------- https://therecord.media/on-hacking-forums-even-the-scammers-arent-safe/ ∗∗∗ OpenSSL CVE-2022-3786: Food for Thought on the Importance of Security Scanning ∗∗∗ --------------------------------------------- After a CVE on open source software has been discovered and a fix has been released, a fruitful practice for security researchers is to go deep into the nature of the CVE and the fix. --------------------------------------------- https://checkmarx.com/blog/openssl-cve-2022-3786-food-for-thought-on-the-im… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins 2022-12-05 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Cloud Transformation Advisor, IBM Event Streams, IBM InfoSphere Information Server, IBM Power System, IBM QRadar SIEM, IBM Rational Functional Tester, IBM Rational Test Automation Server, IBM Spectrum Scale, IBM Sterling Secure Proxy, IBM Watson Developer Cloud --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-06 ∗∗∗ --------------------------------------------- IBM Business Automation Workflow, IBM Content Navigator, IBM Operations Analytics, IBM Rational Business Developer, IBM SPSS Collaboration and Deployment Services, IBM Security SiteProtector System, IBM Sterling External Authentication Server, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Business Service Manager, IBM Tivoli Composite Application Manager for Transactions, IBM WebSphere Application Server --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-07 ∗∗∗ --------------------------------------------- AIX, HMC, IBM Business Automation Workflow Event Emitters, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Data Risk Manager, IBM Enterprise Content Management System Monitor, IBM Match 360, IBM PowerVM Novalink, IBM Virtualization Engine TS7700, IBM Watson Assistant for IBM Cloud Pak for Data --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-08 ∗∗∗ --------------------------------------------- AIX, IBM API Connect, IBM CICS Transaction Gateway, IBM Cloud Transformation Advisor, IBM InfoSphere Information Server, IBM MQ, IBM PowerVM Novalink, IBM Security Verify --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ IBM Security Bulletins 2022-12-09 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM Security Verify Governance, IBM Spectrum Copy Data Management, IBM Spectrum Protect for Space Management Client, IBM Tivoli Application Dependency Discovery Manager, z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ VMSA-2022-0030 ∗∗∗ --------------------------------------------- VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, CVE-2022-31699) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0030.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dlt-daemon, jqueryui, and virglrenderer), Fedora (firefox, vim, and woff), Oracle (kernel and nodejs:18), Red Hat (java-1.8.0-ibm and redhat-ds:11), Slackware (python3), SUSE (buildah, matio, and osc), and Ubuntu (heimdal and postgresql-9.5). --------------------------------------------- https://lwn.net/Articles/917398/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (leptonlib), Fedora (woff), Red Hat (grub2), Slackware (emacs), SUSE (busybox, chromium, java-1_8_0-openjdk, netatalk, and rabbitmq-server), and Ubuntu (gcc-5, gccgo-6, glibc, protobuf, and python2.7, python3.10, python3.6, python3.8). --------------------------------------------- https://lwn.net/Articles/917530/ ∗∗∗ Synology-SA-22:23 PWN2OWN TORONTO 2022 ∗∗∗ --------------------------------------------- Multiple vulnerabilities reported by PWN2OWN TORONTO 2022 have been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_23 ∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500535-AMI-MEGARAC-SP-X-BMC-V… ∗∗∗ Security Advisory - Denial of Service Vulnerability in Huawei Smart WiFi Router ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-dosvihsw… ∗∗∗ K87046687: VMware Tools vulnerability CVE-2022-31676 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87046687 ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-01 ∗∗∗ AVEVA InTouch Access Anywhere ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-02 ∗∗∗ Rockwell Automation Logix controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-342-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.12.2022
by Daily end-of-shift report 07 Dec '22

07 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-12-2022 18:00 − Mittwoch 07-12-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers ∗∗∗ --------------------------------------------- Microsoft, three others release patches to fix a vulnerability in their respective products that enables such manipulation. Other EDR products potentially are affected as well. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/cyberattackers-popular-… ∗∗∗ DEV-0139 launches targeted attacks against the cryptocurrency industry ∗∗∗ --------------------------------------------- Microsoft security researchers investigate an attack where the threat actor, tracked DEV-0139, used chat groups to target specific cryptocurrency investment companies and run a backdoor within their network. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-… ∗∗∗ New Go-based Botnet Exploiting Exploiting Dozens of IoT Vulnerabilities to Expand its Network ∗∗∗ --------------------------------------------- A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen security vulnerabilities in the internet of things (IoT) devices and other software. --------------------------------------------- https://thehackernews.com/2022/12/new-go-based-zerobot-botnet-exploiting.ht… ∗∗∗ ChatGPT shows promise of using AI to write malware ∗∗∗ --------------------------------------------- For even the most skilled hackers, it can take at least an hour to write a script to exploit a software vulnerability and infiltrate their target. Soon, a machine may be able to do it in mere seconds. --------------------------------------------- https://www.cyberscoop.com/chatgpt-ai-malware/ ∗∗∗ So schützen Sie sich vor Scams ∗∗∗ --------------------------------------------- Beim Scamming - auch Vorschussbetrug genannt - versuchen Kriminelle, Sie zu einer Vorauszahlung zu drängen. Sie werden beispielsweise mit einem Millionengewinn, einer Erbschaft oder einem günstigen Kreditangebot geködert. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-scams/ ∗∗∗ OpenSSL punycode – with hindsight ∗∗∗ --------------------------------------------- The next Heartbleeds were about to be announced, two critical vulnerabilities that affect everyone and everything, everywhere. And then they were released. And everyone was let down. --------------------------------------------- https://blog.checkpoint.com/2022/12/07/openssl-punycode-with-hindsight/ ∗∗∗ Malware Distributed with Disguised Filenames (RIGHT-TO-LEFT OVERRIDE) ∗∗∗ --------------------------------------------- In August, the ASEC analysis team made a post on the malware being distributed with filenames that utilize RTLO (Right-To-Left Override). --------------------------------------------- https://asec.ahnlab.com/en/43518/ ∗∗∗ Industry 4.0: CNC Machine Security Risks Part 3 ∗∗∗ --------------------------------------------- This three-part blog series explores the risks associated with CNC machines --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet schließt Sicherheitslücken in mehreren Produkten ∗∗∗ --------------------------------------------- Für zahlreiche Produkte aus dem Portfolio hat Fortinet Sicherheitsupdates herausgegeben. Sie schließen teils hochriskante Schwachstellen. --------------------------------------------- https://heise.de/-7368520 ∗∗∗ Dienste-Monitoring: Angreifer können Cacti beliebigen Code unterschieben ∗∗∗ --------------------------------------------- In der Webanwendung Cacti, die etwa zur Diensteüberwachung dient, könnten Angreifer beliebigen Code einschleusen und ausführen. Ein Patch ist verfügbar. --------------------------------------------- https://heise.de/-7369455 ∗∗∗ Jetzt patchen: Fehlkonfiguration in Netgear-Router lässt Angreifer auf das Gerät ∗∗∗ --------------------------------------------- Forscher warnen vor Fremdzugriffen auf den Nighthawk WiFi 6 Router von Netgear. Ein Update ist verfügbar, soll sich aber nicht automatisch installieren. --------------------------------------------- https://heise.de/-7369071 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cgal, ruby-rails-html-sanitizer, and xfce4-settings), Red Hat (dbus, grub2, kernel, pki-core, and usbguard), Scientific Linux (pki-core), SUSE (bcel, LibVNCServer, and xen), and Ubuntu (ca-certificates and u-boot). --------------------------------------------- https://lwn.net/Articles/917208/ ∗∗∗ Cross-Site Scripting in Handy Macros for Confluence (SYSS-2022-049) ∗∗∗ --------------------------------------------- Durch eine Cross-Site Scripting-Schwachstelle im "Handy Tip"-Makro in Handy Macros for Confluence kann ausführbarer Schadcode in Seiten eingebaut werden. --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-in-handy-macros-for-c… ∗∗∗ K35253541: Java vulnerabilities CVE-2020-14779, CVE-2020-14781, CVE-2020-14782, CVE-2020-14797 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K35253541 ∗∗∗ K71522481: Java vulnerability CVE-2021-2163 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K71522481 ∗∗∗ Sprecher SPRECON-E-C/-E-P/-E-T3: Schwachstelle in der Firmwareverifikation ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.12.2022
by Daily end-of-shift report 06 Dec '22

06 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Montag 05-12-2022 18:00 − Dienstag 06-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers hijack Linux devices using PRoot isolated filesystems ∗∗∗ --------------------------------------------- Hackers are abusing the open-source Linux PRoot utility in BYOF (Bring Your Own Filesystem) attacks to provide a consistent repository of malicious tools that work on many Linux distributions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hijack-linux-devices… ∗∗∗ Sneaky hackers reverse defense mitigations when detected ∗∗∗ --------------------------------------------- A financially motivated threat actor is hacking telecommunication service providers and business process outsourcing firms, actively reversing defensive mitigations applied when the breach is detected. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sneaky-hackers-reverse-defen… ∗∗∗ Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers., (Tue, Dec 6th) ∗∗∗ --------------------------------------------- Since 2014, self-replicating variants of DDoS attacks against routers and Linux-based IoT devices have been rampant. Gafgyt botnets target vulnerable IoT devices and use them to launch large-scale distributed denial-of-service attacks. SOHO and IoT devices are ubiquitous, less likely to have secure configurations or routine patches, and more likely to be at the internet edge. --------------------------------------------- https://isc.sans.edu/diary/rss/29304 ∗∗∗ Building A Virtual Machine inside ChatGPT ∗∗∗ --------------------------------------------- Did you know, that you can run a whole virtual machine inside of ChatGPT? --------------------------------------------- https://www.engraved.blog/building-a-virtual-machine-inside/ ∗∗∗ Exploring Prompt Injection Attacks ∗∗∗ --------------------------------------------- Prompt Injection is a new vulnerability that is affecting some AI/ML models and, in particular, certain types of language models using prompt-based learning. --------------------------------------------- https://research.nccgroup.com/2022/12/05/exploring-prompt-injection-attacks/ ∗∗∗ Phishing-Mail „Erneut identifizieren“ im Namen der WKO ignorieren! ∗∗∗ --------------------------------------------- Unternehmerinnen und Unternehmer aufgepasst: Aktuell versenden Kriminelle Phishing-Mails im Namen der Wirtschaftskammer Österreich. Man spielt Ihnen vor, dass eine neuerliche Identifikation notwendig wäre. Ignorieren Sie die Nachricht, denn auf der verlinkten Website eingegebene Daten landen in den Händen Krimineller. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-erneut-identifizieren-… ∗∗∗ Vice Society: Profiling a Persistent Threat to the Education Sector ∗∗∗ --------------------------------------------- Vice Society, a ransomware gang, has been involved in high-profile activity against schools this year. --------------------------------------------- https://unit42.paloaltonetworks.com/vice-society-targets-education-sector/ ∗∗∗ Tractors vs. threat actors: How to hack a farm ∗∗∗ --------------------------------------------- Forget pests for a minute. Modern farms also face another – and more insidious – breed of threat. --------------------------------------------- https://www.welivesecurity.com/2022/12/05/tractors-threat-actors-how-hack-f… ===================== = Vulnerabilities = ===================== ∗∗∗ NETGEAR Nighthawk WiFi6 Router Network Misconfiguration ∗∗∗ --------------------------------------------- A network misconfiguration is present in versions prior to 1.0.9.90 of the NETGEAR RAX30 AX2400 series of routers. --------------------------------------------- https://www.tenable.com/security/research/tra-2022-36 ∗∗∗ Patchday: Schadcode über Bluetooth auf Android-Geräte schieben ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android 10, 11, 12, 12L und 13. Google hat unter anderem vier kritische Lücken geschlossen. --------------------------------------------- https://heise.de/-7367211 ∗∗∗ Virenschutz: Rechteausweitung durch Schwachstelle in AVG und Avast ∗∗∗ --------------------------------------------- Die Virenscanner von AVG und Avast hätten Angreifern ermöglichen können, ihre Rechte im System auszuweiten. Updates zum Beheben des Fehlers sind verfügbar. --------------------------------------------- https://heise.de/-7367529 ∗∗∗ Schwachstelle in Trend Micros Apex One ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Der Virenschutz Apex One von Trend Micro enthält Sicherheitslücken, durch die Angreifer ihre Rechte ausweiten oder Dateien auf dem System löschen lassen können. --------------------------------------------- https://heise.de/-7367824 ∗∗∗ Server-Wartung: Gefährliche BMC-Lücken könnte Supply-Chain-Attacken auslösen ∗∗∗ --------------------------------------------- Sicherheitsforscher sind unter anderem auf eine kritische Sicherheitslücke in Baseboard Management Controllern von American Megatrend gestoßen. --------------------------------------------- https://heise.de/-7367963 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Ubuntu (binutils and ca-certificates). --------------------------------------------- https://lwn.net/Articles/917080/ ∗∗∗ Schwachstelle in Citrix Workspace App for Windows ermöglicht Passwort-Klau ∗∗∗ --------------------------------------------- Der Hersteller Citrix warnt seit September 2022 vor einiger Schwachstelle in seiner Citrix Workspace App. --------------------------------------------- https://www.borncity.com/blog/2022/12/06/schwachstelle-in-citrix-workspace-… ∗∗∗ Vulnerability Spotlight: NVIDIA driver memory corruption vulnerabilities discovered ∗∗∗ --------------------------------------------- Cisco Talos recently discovered two memory corruption vulnerabilities in shader functionality of an NVIDIA driver. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-nvidia-driver-me… ∗∗∗ Multiple critical vulnerabilities in ILIAS eLearning platform ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ XSA-424 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-424.html ∗∗∗ XSA-423 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-423.html ∗∗∗ Edge 108.0.1462.42 als Sicherheitsupdate ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/12/06/edge-108-0-1462-41-42-als-sicherhe… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.12.2022
by Daily end-of-shift report 05 Dec '22

05 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-12-2022 18:00 − Montag 05-12-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackProxies proxy service increasingly popular among hackers ∗∗∗ --------------------------------------------- A new residential proxy market is becoming popular among hackers, cybercriminals, phishers, scalpers, and scammers, selling access to a million claimed proxy IP addresses worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackproxies-proxy-service-i… ∗∗∗ Hackers use new, fake crypto app to breach networks, steal cryptocurrency ∗∗∗ --------------------------------------------- The North Korean Lazarus hacking group is linked to a new attack spreading fake cryptocurrency apps under the made-up brand, "BloxHolder," to install the AppleJeus malware for initial access to networks and steal crypto assets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-new-fake-crypto-… ∗∗∗ If one sheep leaps over the ditch… ∗∗∗ --------------------------------------------- In this report, Kaspersky researchers discuss propagation methods of several ransomware families, and a vulnerable driver abuse case that may become a trend. --------------------------------------------- https://securelist.com/crimeware-report-ransomware-tactics-vulnerable-drive… ∗∗∗ OWASP Top 10 CI/CD Security Risks ∗∗∗ --------------------------------------------- This document helps defenders identify focus areas for securing their CI/CD ecosystem. It is the result of extensive research into attack vectors associated with CI/CD, and the analysis of high profile breaches and security flaws. --------------------------------------------- https://owasp.org/www-project-top-10-ci-cd-security-risks/ ∗∗∗ #StopRansomware: Cuba Ransomware Alert (AA22-335A) ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-335a ∗∗∗ CryWiper: Fake-Ransomware zerstört Daten insbesondere in Russland ∗∗∗ --------------------------------------------- Die Virenanalysten von Kaspersky haben den Schädling CryWiper entdeckt, der sich als Ransomware ausgibt, Daten aber unwiderbringlich zerstört. --------------------------------------------- https://heise.de/-7366160 ===================== = Vulnerabilities = ===================== ∗∗∗ Severe AMI MegaRAC flaws impact servers from AMD, ARM, HPE, Dell, others ∗∗∗ --------------------------------------------- Three vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (BMC) software impact server equipment used in many cloud service and data center providers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/severe-ami-megarac-flaws-imp… ∗∗∗ Sicherheitsupdate: Schadcode könnte durch Sophos-Firewalls schlüpfen ∗∗∗ --------------------------------------------- Die Entwickler des Sicherheitssoftware-Anbieters Sophos haben in hauseigenen Firewalls sieben Sicherheitslücken geschlossen. Eine gilt als kritisch. --------------------------------------------- https://heise.de/-7366076 ∗∗∗ Sicherheitslücke: Codeschmuggel mit Ping in FreeBSD ∗∗∗ --------------------------------------------- Angreifer könnten FreeBSD mit manipulierten Ping-Anfragen zum Ausführen untergejubelten Schadcodes bringen. Aktualisierungen stehen bereit. --------------------------------------------- https://heise.de/-7366590 ∗∗∗ Notfall-Update: Zero-Day-Sicherheitslücke in Google Chrome unter Beschuss ∗∗∗ --------------------------------------------- Google hat ein ungeplantes Update für Chrome herausgegeben. Damit schließt der Hersteller eine Sicherheitslücke im Webbrowser, die derzeit angegriffen wird. --------------------------------------------- https://heise.de/-7365415 ∗∗∗ Veritas NetBackup: Update schließt teils kritische Scherheitslücken ∗∗∗ --------------------------------------------- In Veritas NetBackup Flex Scale und Access Appliance könnten Angreifer aus dem Netz ohne Anmeldung Befehle einschleusen. Hotfixes beheben die Fehler. --------------------------------------------- https://heise.de/-7365984 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (awstats, chromium, clamav, g810-led, giflib, http-parser, jhead, libpgjava, node-cached-path-relative, node-fetch, and vlc), Fedora (fastnetmon, kernel, librime, qpress, rr, thunderbird, and wireshark), Red Hat (kernel, kernel-rt, and kpatch-patch), Slackware (mozilla), SUSE (cherrytree and chromium), and Ubuntu (libbpf, libxml2, linux-gcp-5.15, linux-gke, linux-gke-5.15, and linux-gke). --------------------------------------------- https://lwn.net/Articles/916979/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.12.2022
by Daily end-of-shift report 02 Dec '22

02 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-12-2022 18:00 − Freitag 02-12-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Unpatched Redis servers targeted in new Redigo malware attacks ∗∗∗ --------------------------------------------- A new Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-redis-servers-targ… ∗∗∗ Samsung, Mediatek, LG: Android-Malware mit OEM-Zertifikaten signiert ∗∗∗ --------------------------------------------- Google hat Malware gefunden, die mit den Zertifikaten von Android-Herstellern signiert sind. Das kann für Systemberechtigungen genutzt werden. --------------------------------------------- https://www.golem.de/news/samsung-mediatek-lg-android-malware-mit-oem-zerti… ∗∗∗ obama224 distribution Qakbot tries .vhd (virtual hard disk) images, (Fri, Dec 2nd) ∗∗∗ --------------------------------------------- Qakbot (also called Qbot) is a long-running malware family that has seen wide-spread distribution through malicious spam (malspam) in recent years. During an infection, Qakbot performs different functions as an information stealer, backdoor, and malware downloader. --------------------------------------------- https://isc.sans.edu/diary/rss/29294 ∗∗∗ Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection ∗∗∗ --------------------------------------------- New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool. --------------------------------------------- https://thehackernews.com/2022/11/researchers-find-way-malicious-npm.html ∗∗∗ Flaws in GX Works3 Threaten Mitsubishi Electric Safety PLC Security ∗∗∗ --------------------------------------------- In this blog, we uncover three additional vulnerabilities that affect Mitsubishi Electric GX Works3, tracked under CVE-2022-29831, CVE-2022-29832, and CVE-2022-29833 (Mitsubishi Electric advisory 2022-015, CISA advisory ICSA-22-333-05), and that, in the worst-case scenario, may lead to the compromise of safety PLCs with the only requirement being the possession of associated GX Works3 project files. --------------------------------------------- https://www.nozominetworks.com/blog/flaws-in-gx-works3-threaten-mitsubishi-… ∗∗∗ Jetzt patchen! Angreifer attackieren Firewalls und Proxies von Fortinet ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor Attacken auf Firmen. Der Grund ist eine kritische Lücke in Fortinet-Produkten. --------------------------------------------- https://heise.de/-7364286 ∗∗∗ Wordpress: Attackiert schon während der Installation ∗∗∗ --------------------------------------------- Noch bevor das System live geht, haben Angreifer es oft unbemerkt mit Hintertüren versehen. Die stehen nämlich schon nach wenigen Minuten auf der Matte. --------------------------------------------- https://heise.de/-7364588 ∗∗∗ IBM Cloud Vulnerability Exposed Users to Supply Chain Attacks ∗∗∗ --------------------------------------------- IBM recently patched a vulnerability in IBM Cloud Databases for PostgreSQL that could have exposed users to supply chain attacks. The vulnerability has been named Hell’s Keychain by cloud security firm Wiz, whose researchers discovered the issue. It has been described by the company as a “first-of-its-kind supply-chain attack vector impacting a cloud provider’s infrastructure”. --------------------------------------------- https://www.securityweek.com/ibm-cloud-vulnerability-exposed-users-supply-c… ∗∗∗ Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges ∗∗∗ --------------------------------------------- Qualys’ Threat Research Unit has shown how a new Linux vulnerability could be chained with two other apparently harmless flaws to gain full root privileges on an affected system. --------------------------------------------- https://www.securityweek.com/three-innocuous-linux-vulnerabilities-chained-… ∗∗∗ Blowing Cobalt Strike Out of the Water With Memory Analysis ∗∗∗ --------------------------------------------- Unit 42 researchers examine several malware samples that incorporate Cobalt Strike components, and discuss some of the ways that we catch these samples by analyzing artifacts from the deltas in process memory at key points of execution. We will also discuss the evasion tactics used by these threats, and other issues that make their analysis problematic. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-memory-analysis/ ∗∗∗ Protecting major events: an incident response blueprint ∗∗∗ --------------------------------------------- Cisco Talos Incident Response (Talos IR) is sharing a white paper on the steps organizations should follow to secure any major event. These ten focus areas should help guide any organizing committee or participating businesses in preparation for securing such events. --------------------------------------------- https://blog.talosintelligence.com/protecting-major-events-an-incident-resp… ∗∗∗ Industry 4.0: CNC Machine Security Risks Part 2 ∗∗∗ --------------------------------------------- This three-part blog series explores the risks associated with CNC machines --------------------------------------------- https://www.trendmicro.com/en_us/research/22/l/cnc-machine-security-risks-p… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-12-01 ∗∗∗ --------------------------------------------- IBM Watson, IBM App Connect, Rational Functional Tester, IBM Security Guardium, IBM Cloud Object Storage Systems, IBM API Connect. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (snapd), Fedora (firefox, libetpan, ntfs-3g, samba, thunderbird, and xen), SUSE (busybox, emacs, and virt-v2v), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-intel-iotg, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-hwe, linux-gcp, linux-hwe, linux-oracle, and tiff). --------------------------------------------- https://lwn.net/Articles/916658/ ∗∗∗ BD BodyGuard Pumps ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-335-01 ∗∗∗ Mitsubishi Electric MELSEC iQ-R Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-335-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.12.2022
by Daily end-of-shift report 01 Dec '22

01 Dec '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-11-2022 18:00 − Donnerstag 01-12-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Windows malware scans victims’ mobile phones for data to steal ∗∗∗ --------------------------------------------- Security researchers found a previously unknown backdoor they call Dophin thats been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-windows-malware-scans-vi… ∗∗∗ New DuckLogs malware service claims having thousands of ‘customers’ ∗∗∗ --------------------------------------------- A new malware-as-a-service (MaaS) operation named DuckLogs has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log key strokes, access clipboard data, and remote access to the compromised host. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ducklogs-malware-service… ∗∗∗ Making unphishable 2FA phishable ∗∗∗ --------------------------------------------- One of the huge benefits of WebAuthn is that it makes traditional phishing attacks impossible. But what if there was a mechanism for an attacker to direct a user to a legitimate login page, resulting in a happy WebAuthn flow, and obtain valid credentials for that user anyway? --------------------------------------------- https://mjg59.dreamwidth.org/62175.html ∗∗∗ Whats the deal with these router vulnerabilities?, (Thu, Dec 1st) ∗∗∗ --------------------------------------------- Earlier today, I was browser recently made public vulnerabilities for tomorrow's version of our @Risk newsletter. What stuck out was a set of about twenty vulnerabilities in Netgear and DLink routers. --------------------------------------------- https://isc.sans.edu/diary/rss/29288 ∗∗∗ Sirius XM flaw unlocks so-called smart cars thanks to code flaw ∗∗∗ --------------------------------------------- Telematics program doesn't just give you music, but a big security flaw Sirius XMs Connected Vehicle Services has fixed an authorization flaw that would have allowed an attacker to remotely unlock doors and start engines on connected cars knowing only the vehicle identification number (VIN). --------------------------------------------- https://www.theregister.com/2022/11/30/siriusxm_connected_cars_hacking/ ∗∗∗ l+f: Sicherheitsforscher legen aus Versehen gesamtes Botnet KmsdBot lahm ∗∗∗ --------------------------------------------- Wie ein Typo kriminellen Machenschaften das Handwerk legt. --------------------------------------------- https://heise.de/-7363007 ∗∗∗ Vorsicht, wenn Sie ein SMS von Amazon erhalten ∗∗∗ --------------------------------------------- Kriminelle geben sich als Amazon aus und versenden gefälschte Benachrichtigungen. Im SMS steht, dass Ihr Amazon-Konto vorübergehend gesperrt wurde und Sie Informationen aktualisieren müssen. Dafür sollten Sie auf einen Link klicken. Achtung: Der Link führt zu einer gefälschten Login-Seite. Kriminelle stehlen damit Ihre Benutzer- und Kreditkartendaten! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-wenn-sie-ein-sms-von-amazon… ∗∗∗ LastPass-Kundendaten nach Hack eines Cloud-Speicherdiensts abgezogen (Nov. 2022) ∗∗∗ --------------------------------------------- Der Dienst LastPass informierte vor einigen Stunden seine Kunden, dass kürzlich "ungewöhnliche Aktivitäten" bei einem Cloud-Speicherdienst eines Drittanbieters entdeckt wurden. --------------------------------------------- https://www.borncity.com/blog/2022/12/01/lastpass-kundendaten-nach-hack-ein… ∗∗∗ Vulnerability Spotlight: Lansweeper directory traversal and cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several directory traversal and cross-site scripting vulnerabilities in Lansweeper. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-lansweeper-direc… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE bugs in Android remote keyboard apps with 2M installs ∗∗∗ --------------------------------------------- Three Android applications that allow users to use devices as remote keyboards for their computers have critical vulnerabilities that could expose key presses and enable remote code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-rce-bugs-in-android… ∗∗∗ IBM Security Bulletins 2022-11-30 ∗∗∗ --------------------------------------------- IBM API Connect, IBM MQ Operator and Queue manager container images, IBM Security Guardium, IBM Sterling Control Center, IBM Watson Discovery for IBM Cloud Pak for Data, IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps, IBM Db2® on Cloud Pak for Data and Db2 Warehouse® on Cloud Pak for Data. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (device-mapper-multipath, firefox, hsqldb, krb5, thunderbird, and xorg-x11-server), Debian (libraw), Fedora (freerdp and grub2), SUSE (bcel, emacs, glib2, glibc, grub2, nodejs10, and tomcat), and Ubuntu (linux-azure-fde and snapd). --------------------------------------------- https://lwn.net/Articles/916443/ ∗∗∗ Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-062 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-062 ∗∗∗ Open Social - Moderately critical - Access bypass - SA-CONTRIB-2022-061 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-061 ∗∗∗ Social Base - Moderately critical - Access bypass - SA-CONTRIB-2022-060 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-060 ∗∗∗ Horner Automation Remote Compact Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-335-02 ∗∗∗ Replay Angriffe & Darstellung beliebiger Inhalte in Zhuhai Suny Technology ESL Tag / ETAG-TECH protocol (electronic shelf labels) ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/replay-attacks-displa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.11.2022
by Daily end-of-shift report 30 Nov '22

30 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-11-2022 18:00 − Mittwoch 30-11-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How Stuff Gets eXposed ∗∗∗ --------------------------------------------- Intel's Software Guard Extension (SGX) promises an isolated execution environment, protected from all software running on the machine. In the past few years, however, SGX has come under heavy fire, threatened by numerous side channel attacks. --------------------------------------------- https://sgx.fail/ ∗∗∗ Looting Microsoft Configuration Manager ∗∗∗ --------------------------------------------- Microsoft Endpoint Configuration Manager (CM), also known as System Center Configuration Manager (SCCM), is widely deployed by companies to manage their Windows environments. It enables simple enrollment of servers and workstations, distributing software and generic management of the Windows systems in the environment. --------------------------------------------- https://labs.withsecure.com/publications/looting-microsoft-configuration-ma… ∗∗∗ Was tun, wenn Sie in einem Fake-Shop bestellt haben? ∗∗∗ --------------------------------------------- Sie haben im Internet eingekauft. Das bestellte Produkt kommt aber nicht an, E-Mails an den vermeintlichen Shop bleiben unbeantwortet. Kommt Ihnen das bekannt vor, haben Sie wahrscheinlich in einem Fake-Shop eingekauft. Wir zeigen Ihnen, was Sie tun können, wenn Sie in die Shopping-Falle getappt sind. --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-sie-in-einem-fake-shop-… ∗∗∗ Industry 4.0: CNC Machine Security Risks Part 1 ∗∗∗ --------------------------------------------- This three-part blog series explores the risks associated with CNC machines. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/k/cnc-machine-security-risks-p… ===================== = Vulnerabilities = ===================== ∗∗∗ NVIDIA releases GPU driver update to fix 29 security flaws ∗∗∗ --------------------------------------------- NVIDIA has released a security update for its GPU display driver for Windows, containing a fix for a high-severity flaw that threat actors can exploit to perform, among other things, code execution and privilege escalation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nvidia-releases-gpu-driver-u… ∗∗∗ CISA Releases Seven Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-22-333-01 Mitsubishi Electric GOT2000 * ICSA-22-333-02 Hitachi Energys IED Connectivity Packages and PCM600 Products * ICSA-22-333-03 Hitachi Energys MicroSCADA ProX SYS600 Products * ICSA-22-333-04 Moxa UC Series * ICSA-22-333-05 Mitsubishi Electric FA Engineering Software * ICSA-21-334-02 Mitsubishi MELSEC and MELIPC Series (Update E) * ICSA-19-346-02 Omron PLC CJ --------------------------------------------- https://www.cisa.gov/uscert/ncas/current-activity/2022/11/29/cisa-releases-… ∗∗∗ Kritische Sicherheitslücke in VLC Media Player ∗∗∗ --------------------------------------------- Ein Update steht für den VLC Media Player bereit, mit dem die Entwickler unter anderem eine kritische Sicherheitslücke schließen. --------------------------------------------- https://heise.de/-7362049 ∗∗∗ Webbrowser Chrome 108 dichtet 28 Sicherheitslücken ab ∗∗∗ --------------------------------------------- Das Update auf den Webbrowser Chrome 108 liefert im Wesentlichen Fehlerkorrekturen, die 28 Schwachstellen schließen. --------------------------------------------- https://heise.de/-7361154 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (krb5), Fedora (galera, mariadb, and mingw-python3), Red Hat (389-ds:1.4, kernel, kernel-rt, kpatch-patch, krb5, and usbguard), Scientific Linux (krb5), Slackware (kernel), SUSE (binutils, dbus-1, exiv2, freerdp, git, java-1_8_0-ibm, kernel, libarchive, libdb-4_8, libmspack, nginx, opencc, python, python3, rxvt-unicode, sudo, supportutils, systemd, vim, and webkit2gtk3), and Ubuntu (bind9, gnutls28, libsamplerate, linux-gcp-5.4, perl, pixman, shadow, [...] --------------------------------------------- https://lwn.net/Articles/916346/ ∗∗∗ Delta Electronics Patches Serious Flaws in Industrial Networking Devices ∗∗∗ --------------------------------------------- Taiwan-based Delta Electronics has patched potentially serious vulnerabilities in two of its industrial networking products. The flaws were identified by researchers at CyberDanube, a new industrial cybersecurity company based in Austria, in Delta’s DX-2100-L1-CN 3G cloud router and the DVW-W02W2-E2 industrial wireless access point. --------------------------------------------- https://www.securityweek.com/delta-electronics-patches-serious-flaws-indust… ∗∗∗ Developers Warned of Critical Remote Code Execution Flaw in Quarkus Java Framework ∗∗∗ --------------------------------------------- Developers have been warned that the popular Quarkus framework is affected by a critical vulnerability that could lead to remote code execution. --------------------------------------------- https://www.securityweek.com/developers-warned-critical-remote-code-executi… ∗∗∗ Anker Eufy Door Bell Sicherheitskameras mit Schwachstellen, Daten werden in die Cloud übertragen, Homebase 2 hat auch Schwachstellen ∗∗∗ --------------------------------------------- Anker Eufy Door Bell-Sicherheitskameras werden auch in Deutschland verkauft. Ein Sicherheitsforscher hat nun verschiedene Sicherheitslücken in der Firmware der Eufy-Kameras gefunden. --------------------------------------------- https://www.borncity.com/blog/2022/11/30/anker-eufy-door-bell-sicherheitska… ∗∗∗ Drop What Youre Doing and Update iOS, Android, and Windows ∗∗∗ --------------------------------------------- https://www.wired.com/story/ios-android-windows-vulnerability-patches-novem… ∗∗∗ Security Advisory - Improper Authorization Vulnerability in a Huawei Childrens Watch ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-iaviahcw-… ∗∗∗ Security Bulletin: A Kafka vulnerability affects IBM Operations Analytics Predictive Insights (CVE-2022-34917 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-kafka-vulnerability-aff… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.4ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty profile affects IBM Operations Analytics Predictive Insights(CVE-2022-22393 CVE-2022-22476 CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Netty libraries affect IBM Operations Analytics Predictive Insights (CVE-2021-43797 CVE-2022-24823) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote authenticated attacker to execute arbitrary code on the system due to PostgreSQL (CVE-2022-2625) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Zahlreiche kritische Schwachstellen in Planet Enterprises Ltd - Planet eStream ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/multiple-critical-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2022
by Daily end-of-shift report 29 Nov '22

29 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-11-2022 18:00 − Dienstag 29-11-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Malicious Android app found powering account creation service ∗∗∗ --------------------------------------------- A fake Android SMS application, with 100,000 downloads on the Google Play store, has been discovered to secretly act as an SMS relay for an account creation service for sites like Microsoft, Google, Instagram, Telegram, and Facebook [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-android-app-found-… ∗∗∗ Cyber-Threat Group Targets Critical RCE Vulnerability in Bleed You Campaign ∗∗∗ --------------------------------------------- More than 1,000 systems are exposed to a campaign hunting weak Windows servers and more. --------------------------------------------- https://www.darkreading.com/threat-intelligence/cyber-threat-weak-windows-s… ∗∗∗ Subdomain Enumeration with DNSSEC ∗∗∗ --------------------------------------------- In my previous blog post I described how subdomain enumeration and subdomain bruteforce in particular could be enhanced by taking DNS status code into account, rather than relying on the existence of A or AAAA records only. This follow-up post describes what techniques exist to enumerate subdomains in a DNSSEC-enabled zone and what countermeasures exist to prevent it. --------------------------------------------- https://www.securesystems.de/blog/subdomain-enumeration-with-DNSSEC/ ∗∗∗ Angreifer könnten Secure Boot auf bestimmten Acer-Notebooks deaktivieren ∗∗∗ --------------------------------------------- Acers Entwickler haben eine Sicherheitslücke geschlossen. Unter bestimmten Umständen könnten Angreifer UEFI-Einstellungen manipulieren. Updates sind in Sicht. --------------------------------------------- https://heise.de/-7359874 ∗∗∗ #InvisibleChallenge: Malware sucht Opfer mit TikTok-Challenge ∗∗∗ --------------------------------------------- Cyberkriminelle missbrauchen eine Nackt-Tanz-Challenge auf TikTok, um Opfer zum Installieren ihrer Malware zu bewegen. Diese solle einen Filter entfernen. --------------------------------------------- https://heise.de/-7360626 ∗∗∗ Pre-auth RCE in Oracle Fusion Middleware exploited in the wild (CVE-2021-35587) ∗∗∗ --------------------------------------------- A pre-authentication RCE flaw (CVE-2021-35587) in Oracle Access Manager (OAM) that has been fixed in January 2022 is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog. --------------------------------------------- https://www.helpnetsecurity.com/2022/11/29/cve-2021-35587-exploited/ ∗∗∗ Project Zero Flags Patch Gap Problems on Android ∗∗∗ --------------------------------------------- Vulnerability researchers at Google Project Zero are calling attention to the ongoing “patch-gap” problem in the Android ecosystem, warning that downstream vendors continue to be tardy at delivering security fixes to Android-powered devices. --------------------------------------------- https://www.securityweek.com/project-zero-flags-patch-gap-problems-android ∗∗∗ Booking.com: Vorsicht vor gefälschten Angeboten ∗∗∗ --------------------------------------------- Sie haben auf Booking.com eine verlockende Unterkunft gefunden? Der Buchungsprozess verläuft aber nicht wie gewohnt? Vorsicht! Möglicherweise sind Sie auf ein betrügerisches Angebot gestoßen. Wenn Unterkunftgeber:innen Sie von Booking.com auf eine andere Website verweisen, handelt es sich um eine Betrugsmasche. Wir erklären Ihnen, worauf Sie achten sollten! --------------------------------------------- https://www.watchlist-internet.at/news/bookingcom-vorsicht-vor-gefaelschten… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-28 ∗∗∗ --------------------------------------------- Digital Certificate Manager for IBM i, IBM App Connect Enterprise Certified Container IntegrationServer operands, IBM Operations Analytics Predictive Insights, IBM Planning Analytics Workspace, IBM Sterling Connect:Direct for UNIX, IBM UrbanCode Deploy (UCD), IBM UrbanCode Deploy (UCD) Agents on zOS, IBM WebSphere Application Server Liberty, ISC BIND on IBM i --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ VMSA-2022-0029 ∗∗∗ --------------------------------------------- CVSSv3 Range: 3.3 CVE(s): CVE-2022-31693 Synopsis: VMware Tools for Windows update addresses a denial-of-service vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0029.html ∗∗∗ K11742512: BIND vulnerability CVE-2022-2795 ∗∗∗ --------------------------------------------- By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the resolver's performance, effectively denying legitimate clients access to the DNS resolution service. --------------------------------------------- https://support.f5.com/csp/article/K11742512 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (frr, gerbv, mujs, and twisted), Fedora (nodejs and python-virtualbmc), Oracle (dotnet7.0, kernel, kernel-container, krb5, varnish, and varnish:6), SUSE (busybox, python3, tiff, and tomcat), and Ubuntu (harfbuzz). --------------------------------------------- https://lwn.net/Articles/916189/ ∗∗∗ Edge 107.0.1418.62 ∗∗∗ --------------------------------------------- Kurzer Nachtrag: Microsoft hat zum 28. November 2022 den Edge-Browser im Stable Stable Channel auf die Version 107.0.1418.52 aktualisiert. Ist ein Sicherheits-Update, welches gemäß den Release Notes die vom Chromium-Team berichtete Schwachstelle CVE-2022-4135 schließt. --------------------------------------------- https://www.borncity.com/blog/2022/11/29/edge-107-0-1418-62/ ∗∗∗ Festo: Incomplete documentation of remote accessible functions and protocols in Festo products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-041/ ∗∗∗ Festo: Multiple Festo products contain an unsafe default Codesys configuration ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-037/ ∗∗∗ Mitsubishi Electric GOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-333-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2022
by Daily end-of-shift report 28 Nov '22

28 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-11-2022 18:00 − Montag 28-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Win32.Ransom.Conti / Crypto Logic Flaw ∗∗∗ --------------------------------------------- Conti ransomware FAILS to encrypt non PE files that have a ".exe" in the filename. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110044 ∗∗∗ Bring Your Own Key — A Placebo? ∗∗∗ --------------------------------------------- BYOK was envisioned to reduce the risk of using a cloud service provider processing sensitive data, yet there are several deficiencies. --------------------------------------------- https://www.darkreading.com/cloud/bring-your-own-key-a-placebo- ∗∗∗ All You Need to Know About Emotet in 2022 ∗∗∗ --------------------------------------------- For 6 months, the infamous Emotet botnet has shown almost no activity, and now its distributing malicious spam. Lets dive into details and discuss all you need to know about the notorious malware to combat it. --------------------------------------------- https://thehackernews.com/2022/11/all-you-need-to-know-about-emotet-in.html ∗∗∗ Hacking Smartwatches for Spear Phishing ∗∗∗ --------------------------------------------- In this article we explain how to hack into a SmartWatch and show a custom text message. --------------------------------------------- https://cybervelia.com/?p=1380 ∗∗∗ Exploiting an N-day vBulletin PHP Object Injection Vulnerability ∗∗∗ --------------------------------------------- vBulletin is one of the most popular proprietary forum solutions over the Internet. It is used by some major websites, and according to the BuildWith website, vBulletin currently ranks at the second place on the Forum Software Usage Distribution in the Top 1 Million Sites, with over 2.000 websites using it among the “top 1 million”. --------------------------------------------- https://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injecti… ∗∗∗ Poking a mobile hotspot ∗∗∗ --------------------------------------------- Ive been playing with an Orbic Speed, a relatively outdated device that only speaks LTE Cat 4, but the towers I can see from here are, uh, not well provisioned so throughput really isnt a concern (and refurbs are $18, so). As usual Im pretty terrible at just buying devices and using them for their intended purpose, and in this case it has the irritating behaviour that if theres a power cut and the battery runs out it doesnt boot again when power returns, so heres what Ive learned so far. --------------------------------------------- https://mjg59.dreamwidth.org/61725.html ∗∗∗ Vorsicht vor gefälschtem FinanzOnline-E-Mail ∗∗∗ --------------------------------------------- „Sie erhalten einen Betrag“ lautet der Betreff eines betrügerischen E-Mail, das angeblich von FinanzOnline kommt. Sie werden informiert, dass Sie eine Rückerstattung von 578,99 Euro erhalten. Um das Geld zu bekommen, müssen Sie auf den Link im E-Mail klicken. Vorsicht: Dieser führt auf eine gefälschte FinanzOnline-Seite. Kriminelle stehlen Ihre Daten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschtem-finanzonli… ∗∗∗ Emotet Strikes Again – LNK File Leads to Domain Wide Ransomware ∗∗∗ --------------------------------------------- The intrusion began when a user double clicked a LNK file, which then executed encoded Powershell commands to download an Emotet DLL onto the computer. Once executed, Emotet setup a Registry Run Key to maintain persistence on the beachhead host. --------------------------------------------- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to… ∗∗∗ LockBit Ransomware Being Mass-distributed With Similar Filenames ∗∗∗ --------------------------------------------- The ASEC analysis team had written about LockBit ransomware being distributed through emails over three blog posts. Through consistent monitoring, we hereby let you know that LockBit 2.0 and LockBit 3.0 are being distributed again with only a change to their filenames. --------------------------------------------- https://asec.ahnlab.com/en/42890/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, commons-configuration2, graphicsmagick, heimdal, inetutils, ini4j, jackson-databind, and varnish), Fedora (drupal7-i18n, grub2, kubernetes, and python-slixmpp), Mageia (botan, golang, kernel, kernel-linus, radare2/rizin, and xterm), Red Hat (krb5, varnish, and varnish:6), SUSE (busybox, chromium, erlang, exiv2, firefox, freerdp, ganglia-web, java-1_8_0-openj9, nodejs12, nodejs14, opera, pixman, python3, sudo, tiff, and xen), [...] --------------------------------------------- https://lwn.net/Articles/916135/ ∗∗∗ Cisco ISE Vulnerabilities Can Be Chained in One-Click Exploit ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow remote attackers to inject arbitrary commands, bypass existing security protections, or perform cross-site scripting (XSS) attacks. --------------------------------------------- https://www.securityweek.com/cisco-ise-vulnerabilities-can-be-chained-one-c… ∗∗∗ Google Projekt Zero legt Schwachstelle in Mali GPU offen, Millionen Android-Geräte betroffen ∗∗∗ --------------------------------------------- Google Sicherheitsforscher haben im Project Zero eine Schwachstelle (CVE-2022-33917) im Kerneltreiber der in vielen Android-Geräten mit ARM CPU verwendeten Mali GPU offen gelegt. --------------------------------------------- https://www.borncity.com/blog/2022/11/27/google-projekt-zero-legt-schwachst… ∗∗∗ Security Bulletin: IBM Maximo Mobile is vulnerable to Information Disclosure (CVE-2022-41732) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-mobile-is-vuln… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to arbitrary code execution due to X-Force 237819 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ MISP v2.4.166 ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.166 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.11.2022
by Daily end-of-shift report 25 Nov '22

25 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-11-2022 18:00 − Freitag 25-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Docker Hub repositories hide over 1,650 malicious containers ∗∗∗ --------------------------------------------- Over 1,600 publicly available Docker Hub images hide malicious behavior, including cryptocurrency miners, embedded secrets that can be used as backdoors, DNS hijackers, and website redirectors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/docker-hub-repositories-hide… ∗∗∗ Redacted Documents Are Not as Secure as You Think ∗∗∗ --------------------------------------------- Popular redaction tools don’t always work as promised, and new attacks can reveal hidden information, researchers say. --------------------------------------------- https://www.wired.com/story/redact-pdf-online-privacy/ ∗∗∗ Alte Social-Media-Konten löschen: Sicherheit durch weniger eigener Daten im Netz ∗∗∗ --------------------------------------------- Ungenutzte Social-Media-Accounts beinhalten persönliche Daten und bergen Sicherheitsrisiken. Unser Ratgeber zeigt, wie Sie veraltete Konten finden und löschen. --------------------------------------------- https://heise.de/-7321954 ∗∗∗ UEFI-BIOS mit bekannt unsicherem Code gespickt ∗∗∗ --------------------------------------------- In einem BIOS-Update fanden Experten mehrere OpenSSL-Versionen, teils mit uralten Sicherheitslücken. Das wirft ein Schlaglicht auf Risiken von PC-Firmware. --------------------------------------------- https://heise.de/-7351884 ∗∗∗ Word Documents Disguised as Normal MS Office URLs Being Distributed ∗∗∗ --------------------------------------------- Recently, there has been a case of malware disguised as a Word document being distributed through certain paths (e.g. KakaoTalk group chats). The ASEC analysis team has discovered during our additional monitoring process that the URL used in the fake Word document is becoming very cleverly disguised to closely resemble the normal URL, and we wish to advise caution on the part of users. --------------------------------------------- https://asec.ahnlab.com/en/42554/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox), Mageia (dropbear, freerdp, java, libx11, and tumbler), Slackware (ruby), SUSE (erlang, grub2, libdb-4_8, and tomcat), and Ubuntu (exim4, jbigkit, and tiff). --------------------------------------------- https://lwn.net/Articles/915984/ ∗∗∗ Chrome 107.0.5304.121/122 Sicherheitsupdates ∗∗∗ --------------------------------------------- Google hat zum 24. November 2022 einen Schwung an Sicherheitsupdates des Google Chrome im 107er Zweig im Stable Channel für Mac, Linux und Windows sowie für Android freigegeben. Es werden dabei bereits ausgenutzte Schwachstellen geschlossen. --------------------------------------------- https://www.borncity.com/blog/2022/11/25/chrome-107-0-5304-121-122-sicherhe… ∗∗∗ Canon: Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers (CVE-2022-43608) – 25 November 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-28167) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM ILOG CPLEX Optimization Studio (CVE-2021-41041) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2022
by Daily end-of-shift report 24 Nov '22

24 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-11-2022 18:00 − Donnerstag 24-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Investigating a backdoored PyPi package targeting FastAPI applications ∗∗∗ --------------------------------------------- On November 23rd, 2022, the Datadog Security Labs team identified a utility Python package on PyPI related to FastAPI, fastapi-toolkit, that has likely been compromised by a malicious actor. --------------------------------------------- https://securitylabs.datadoghq.com/articles/malicious-pypi-package-fastapi-… ∗∗∗ THREAT ALERT: Aggressive Qakbot Campaign and the Black Basta Ransomware Group Targeting U.S. Companies ∗∗∗ --------------------------------------------- In this threat alert, the Cybereason team describes one attack scenario that started from a QBot infection, resulting in multiple key machines loading Cobalt Strike, which finally led to the global deployment of Black Basta ransomware. --------------------------------------------- https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and… ∗∗∗ MSI Afterburner: Vorsicht vor Fake-Software mit Trojaner im Gepäck ∗∗∗ --------------------------------------------- Immer wieder versuchen Kriminelle Opfern Schadcode unter dem Deckmantel von legitimen Tools, wie aktuell dem GPU-Tool MSI Afterburner, unterzuschieben. --------------------------------------------- https://heise.de/-7351380 ∗∗∗ In eine Phishing-Falle getappt? Das können Sie tun: ∗∗∗ --------------------------------------------- Wurden Sie über ein betrügerisches E-Mail oder SMS auf eine gefälschte Login-Seiten gelockt? Haben Sie dort Ihre Daten eingetippt? Dann haben Kriminelle Zugriff auf Ihr Konto. Wir zeigen Ihnen, was Sie tun können, wenn Sie Ihre Benutzerdaten preisgegeben haben. --------------------------------------------- https://www.watchlist-internet.at/news/in-eine-phishing-falle-getappt-das-k… ∗∗∗ Neue Betrugsmasche: Kriminelle stehlen Kreditkartendaten und hinterlegen sie für Apple Pay ∗∗∗ --------------------------------------------- Kriminelle erschleichen sich mit Phishing-Nachrichten per SMS oder E-Mail Kreditkartendaten und hinterlegen diese für Apple Pay. Betroffene werden dann unter falschen Vorwänden verleitet, den Aktivierungscode für Apple Pay an die Kriminellen weiterzugeben. --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-kriminelle-stehle… ∗∗∗ Bahamut cybermercenary group targets Android users with fake VPN apps ∗∗∗ --------------------------------------------- Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram. --------------------------------------------- https://www.welivesecurity.com/2022/11/23/bahamut-cybermercenary-group-targ… ∗∗∗ IBM: RansomExx becomes latest ransomware group to create Rust variant ∗∗∗ --------------------------------------------- The RansomExx ransomware group has become the latest gang to create a variant in the Rust programming language, according to IBM Security X-Force Threat researchers. --------------------------------------------- https://therecord.media/ibm-ransomexx-becomes-latest-ransomware-group-to-cr… ===================== = Vulnerabilities = ===================== ∗∗∗ TP-Link RE300 V1 tdpServer vulnerable to improper processing of its input ∗∗∗ --------------------------------------------- tdpServer of TP-Link RE300 V1 improperly processes its input, possibly resulting to crash. --------------------------------------------- https://jvn.jp/en/jp/JVN29657972/ ∗∗∗ Security update available in Foxit PDF Editor for Mac 11.1.4 ∗∗∗ --------------------------------------------- Foxit has released Foxit PDF Editor for Mac 11.1.4, which addresses potential security and stability issues. --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ SolarWinds Security Advisories 2022-11-22 ∗∗∗ --------------------------------------------- SolarWinds published 7 Security Advisories (3 High, 1 Medium, 3 Low Severity). --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (vim), Fedora (drupal7-context, drupal7-link, firefox, xen, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (container-tools:ol8, device-mapper-multipath, dotnet7.0, firefox, hsqldb, keylime, podman, python3.9, python39:3.9, thunderbird, and xorg-x11-server), SUSE (exiv2-0_26, keylime, libarchive, net-snmp, nginx, opensc, pixman, python-joblib, strongswan, and webkit2gtk3), and Ubuntu (expat, imagemagick, mariadb-10.3, mariadb-10.6, [...] --------------------------------------------- https://lwn.net/Articles/915929/ ∗∗∗ Security Bulletin: IBM Sterling Control Center vulnerable to multiple issues to due IBM Cognos Analystics (CVE-2022-4160, CVE-2021-3733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Websphere Liberty (CVE-2022-24839) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to HTTP header injection due to Websphere Liberty (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affects Cloud Pak System [CVE-2021-28167] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to unauthenticated data manipulation due to Java SE (CVE-2021-2163) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: For IBM Cloudpak for Watson AIOPS 3.5.1 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-for-ibm-cloudpak-for-wats… ∗∗∗ Security Bulletin: Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-mari… ∗∗∗ Pilz: PAS 4000 prone to ZipSlip ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-045/ ∗∗∗ Pilz: Multiple products affected by ZipSlip ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-044/ ∗∗∗ Pilz: PASvisu and PMI affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-033/ ∗∗∗ 2022-18Multiple vulnerabilities in BAT-C2 ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15087-sour… ∗∗∗ 2022-21Authenticated Command Injection in Hirschmann BAT-C2 ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-sour… ∗∗∗ 2022-20TinyXML vulnerability in Hirschmann HiLCOS products ∗∗∗ --------------------------------------------- https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15089-sour… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2022
by Daily end-of-shift report 23 Nov '22

23 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-11-2022 18:00 − Mittwoch 23-11-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Backdoored Chrome extension installed by 200,000 Roblox players ∗∗∗ --------------------------------------------- Chrome browser extension SearchBlox installed by more than 200,000 users has been discovered to contain a backdoor that can steal your Roblox credentials as well as your assets on Rolimons, a Roblox trading platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/backdoored-chrome-extension-… ∗∗∗ Ducktail Malware Operation Evolves with New Malicious Capabilities ∗∗∗ --------------------------------------------- The operators of the Ducktail information stealer have demonstrated a "relentless willingness to persist" and continued to update their malware as part of an ongoing financially driven campaign."The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victims Facebook account," ... --------------------------------------------- https://thehackernews.com/2022/11/ducktail-malware-operation-evolves-with.h… ∗∗∗ Mind the Gap ∗∗∗ --------------------------------------------- Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but at the time of publication, these fixes have not yet made it downstream to affected Android devices (including Pixel, Samsung, Xiaomi, Oppo and others). Devices with a Mali GPU are currently vulnerable. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html ∗∗∗ Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice ∗∗∗ --------------------------------------------- In September 2022, Proofpoint researchers identified initial delivery of a penetration testing framework called Nighthawk. Launched in late 2021 by MDSec, Nighthawk is similar to other frameworks such as Brute Ratel and Cobalt Strike and, like those, could see rapid adoption by threat actors wanting to diversify their methods and add a relatively unknown framework to their arsenal. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pent… ∗∗∗ Kritische Infrastruktur: EU-Richtlinie nimmt Betreiber in die Pflicht ∗∗∗ --------------------------------------------- Das EU-Parlament hat eine Richtlinie zur Resilienz kritischer Einrichtungen beschlossen. Sie gilt für elf Branchen. Manche Betreiber sind besonders wichtig. --------------------------------------------- https://heise.de/-7349574 ∗∗∗ Google will Missbrauch des Pentesting-Tools Cobalt Strike eindämmen ∗∗∗ --------------------------------------------- Damit Admins Netzwerk-Attacken durch Cobalt-Strike-Missbrauch besser erkennen können, hat Google unter anderem Erkennungsregeln auf Yara-Basis veröffentlicht. --------------------------------------------- https://heise.de/-7349813 ∗∗∗ Standard für maschinenlesbare Sicherheitshinweise verabschiedet ∗∗∗ --------------------------------------------- Das Common Security Advisory Framework soll Administratoren die Arbeit erleichtern und aktuelle Sicherheitsinformationen leichter auffindbar machen. --------------------------------------------- https://heise.de/-7350491 ∗∗∗ Angriffe auf Boa Web Server gefährden IoT ∗∗∗ --------------------------------------------- Anfällige SDK-Komponenten führen zu Lieferkettenrisiken in IoT- und OT-Umgebungen, insbesondere durch den veralteten Boa Web Server, warnt Microsoft Security Threat Intelligence (MSTI). --------------------------------------------- https://www.zdnet.de/88405186/angriffe-auf-boa-web-server-gefaehrden-iot/ ∗∗∗ Web Application Firewalls umgehen ∗∗∗ --------------------------------------------- Web Application Firewalls (WAFs) sind beliebte Infrastrukturkomponenten, die verwendet werden, um Angriffe auf Webanwendungen zu erschweren. Was bieten WAFs wirklich? Können sie auch nur theoretisch perfekt sein, um jede Art von Webangriff zu verhindern? Lassen Sie uns WAFs entmystifizieren! --------------------------------------------- https://certitude.consulting/blog/de/web-application-firewalls-umgehen/ ∗∗∗ CVE-2022-23088: Exploiting a Heap Overflow in the FreeBSD Wi-Fi Stack ∗∗∗ --------------------------------------------- In April of this year, FreeBSD patched a 13-year-old heap overflow in the Wi-Fi stack that could allow network-adjacent attackers to execute arbitrary code on affected installations of FreeBSD Kernel. [..] The researcher has graciously provided this detailed write-up of the vulnerability and a proof-of-concept exploit demonstrating the bug. --------------------------------------------- https://www.thezdi.com/blog/2022/6/15/cve-2022-23088-exploiting-a-heap-over… ∗∗∗ CVE-2022-40300: SQL Injection in ManageEngine Privileged Access Management ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched SQL injection vulnerability in Zoho ManageEngine products. --------------------------------------------- https://www.thezdi.com/blog/2022/11/22/cve-2022-40300-sql-injection-in-mana… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-22 ∗∗∗ --------------------------------------------- IBM Operations Analytics, IBM QRadar, IBM SDK, IBM Sterling Connect, Rational Service Tester, Rational Performance Tester, IBM HTTP Server, IBM Security Verify Governance, IBM InfoSphere DataStage, IBM Cloud Pak for Security --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitslücke in HPE-Switches OfficeConnect gefährdet Netzwerke ∗∗∗ --------------------------------------------- Angreifer könnten Switches von Hewlett Packard Enterprise attackieren. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-7350116 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (heimdal, libarchive, and nginx), Fedora (varnish-modules and xterm), Red Hat (firefox), Scientific Linux (firefox, hsqldb, and thunderbird), SUSE (Botan, colord, containerized-data-importer, ffmpeg-4, java-1_8_0-ibm, krb5, nginx, redis, strongswan, tomcat, and xtrabackup), and Ubuntu (apr-util, freerdp2, and sysstat). --------------------------------------------- https://lwn.net/Articles/915802/ ∗∗∗ CISA Releases Eight Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- Original release date: November 22, 2022CISA has released eight (8) Industrial Control Systems (ICS) advisories on 22 November 2022. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. - ICSA-22-326-01 AVEVA Edge - ICSA-22-326-02 Digital Alert Systems DASDEC - ICSA-22-326-03 Phoenix Contact Automation Worx - ICSA-22-326-04 GE Cimplicity - ICSA-22-326-05 Moxa Multiple ARM-Based Computers - ICSMA-21-152-01 Hillrom Medical Device Management (Update C) - ICSA-20-212-04 Mitsubishi Electric Factory Automation Engineering Products (Update I) - ICSA-21-049-02 Mitsubishi Electric FA Engineering Software Products (Update G) --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/11/22/cisa-releases-eig… ∗∗∗ WordPress BeTheme 26.5.1.4 PHP Object Injection ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110040 ∗∗∗ Security Advisory - Improper Input Validation Vulnerability in a Huawei Childrens Watch ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-iivviahcw… ∗∗∗ Security Advisory - Insufficient Authentication Vulnerability in some Huawei Band Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20221130-… ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247053-bt.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2022
by Daily end-of-shift report 22 Nov '22

22 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-11-2022 18:00 − Dienstag 22-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Google Chrome extension used to steal cryptocurrency, passwords ∗∗∗ --------------------------------------------- An information-stealing Google Chrome browser extension named VenomSoftX is being deployed by Windows malware to steal cryptocurrency and clipboard contents as users browse the web. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-chrome-extension-used… ∗∗∗ Android file manager apps infect thousands with Sharkbot malware ∗∗∗ --------------------------------------------- A new collection of malicious Android apps posing as harmless file managers had infiltrated the official Google Play app store, infecting users with the Sharkbot banking trojan. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-file-manager-apps-in… ∗∗∗ ICS cyberthreats in 2023 – what to expect ∗∗∗ --------------------------------------------- The coming year looks to be much more complicated. In the post we share some of our thoughts on potential developments of 2023, though we cannot claim to be providing either a complete picture or a high degree of precision. --------------------------------------------- https://securelist.com/ics-cyberthreats-in-2023/108011/ ∗∗∗ Crimeware and financial cyberthreats in 2023 ∗∗∗ --------------------------------------------- This report assesses how accurately we predicted the developments in the financial threats landscape in 2022 and ponder at what to expect in 2023. --------------------------------------------- https://securelist.com/crimeware-financial-cyberthreats-2023/108005/ ∗∗∗ Log4Shell campaigns are using Nashorn to get reverse shell on victims machines, (Mon, Nov 21st) ∗∗∗ --------------------------------------------- Almost one year later, Log4Shell attacks are still alive and making victims. --------------------------------------------- https://isc.sans.edu/diary/rss/29266 ∗∗∗ Researchers Warn of Cyber Criminals Using Go-based Aurora Stealer Malware ∗∗∗ --------------------------------------------- A nascent Go-based malware known as Aurora Stealer is being increasingly deployed as part of campaigns designed to steal sensitive information from compromised hosts. --------------------------------------------- https://thehackernews.com/2022/11/researchers-warn-of-cyber-criminals.html ∗∗∗ Werbung für beheizbare Jacken auf TikTok ∗∗∗ --------------------------------------------- Haben Sie beim Durchscrollen von TikTok Werbung für eine beheizbare Jacke gesehen? Dann sind Sie wohl über die Marke „Mont Gerrard“ gestolpert. Die Jacken dürften bei TikTok-Nutzer:innen sehr beliebt sein, denn es gibt bereits Fake-Shops, die die Jacken zu einem günstigeren Preis anbieten und auf TikTok und Instagram bewerben. --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-beheizbare-jacken-auf-t… ∗∗∗ Vulnerability Spotlight: Callback Technologies CBFS Filter denial-of-service vulnerabilities ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three denial-of-service vulnerabilities in Callback Technologies CBFS Filter. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-callback-technol… ∗∗∗ What is EPSS? A new rating system for vulnerabilities to replace CVSS. ∗∗∗ --------------------------------------------- LunaSec Security Researchers give a quick look at the EPSS scoring system, a new rating system for vulnerabilities that aims to replace CVSS. --------------------------------------------- https://www.lunasec.io/docs/blog/what-is-epss ===================== = Vulnerabilities = ===================== ∗∗∗ Attacken auf Backuplösung IBM Spectrum Protect Plus Container Backup möglich ∗∗∗ --------------------------------------------- Sicherheitslücken in der Programmiersprache Golang Go bedrohen IBM-Software. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7348556 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ntfs-3g), Fedora (krb5 and samba), Gentoo (firefox-bin, ghostscript-gpl, pillow, sudo, sysstat, thunderbird-bin, and xterm), Red Hat (firefox, hsqldb, and thunderbird), SUSE (cni, cni-plugins, and krb5), and Ubuntu (isc-dhcp and sqlite3). --------------------------------------------- https://lwn.net/Articles/915708/ ∗∗∗ BMC Firmware Vulnerabilities Expose OT, IoT Devices to Remote Attacks ∗∗∗ --------------------------------------------- Researchers at industrial cybersecurity firm Nozomi Networks have discovered more than a dozen vulnerabilities in baseboard management controller (BMC) firmware. --------------------------------------------- https://www.securityweek.com/bmc-firmware-vulnerabilities-expose-ot-iot-dev… ∗∗∗ ZDI-22-1615: TP-Link TL-WR940N httpd Incorrect Implementation of Authentication Algorithm Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1615/ ∗∗∗ ZDI-22-1614: TP-Link TL-WR940N httpd Use of Insufficiently Random Values Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1614/ ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to use of dom4j (CVE-2018-1000632) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: Potential Vulnerability in Apache HttpClient used by Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics – Log Analysis (CVE-2018-17196) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache… ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis susceptible to vulnerability in Apache Tika (CVE-2022-25169) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Vulnerabilities in SnakeYAML used by Logstash affects IBM Operations Analytics – Log Analysis (CVE-2022-25857, CVE-2017-18640) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-snakey… ∗∗∗ Security Bulletin: IBM DataPower Gateway does not invalidate active sessions on a password change (CVE-2022-40228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-doe… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to HTTP request smuggling ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-pot… ∗∗∗ Security Bulletin: Vulnerability in Bouncy Castle used by Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2017-13098) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bouncy-c… ∗∗∗ Vulnerability Summary for the Week of November 14, 2022 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/bulletins/sb22-325 ∗∗∗ Advisory: Impact of Vulnerability in WIBU CodeMeter Runtime to B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16677451… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2022
by Daily end-of-shift report 21 Nov '22

21 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-11-2022 18:00 − Montag 21-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New AxLocker ransomware encrypts files, then steals your Discord account ∗∗∗ --------------------------------------------- The new AXLocker ransomware family is not only encrypting victims files and demanding a ransom payment but also stealing the Discord accounts of infected users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-axlocker-ransomware-encr… ∗∗∗ Apps with over 3 million installs leak Admin search API keys ∗∗∗ --------------------------------------------- Researchers discovered 1,550 mobile apps leaking Algolia API keys, risking the exposure of sensitive internal services and stored user information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apps-with-over-3-million-ins… ∗∗∗ Google releases 165 YARA rules to detect Cobalt Strike attacks ∗∗∗ --------------------------------------------- The Google Cloud Threat Intelligence team has open-sourced YARA Rules and a VirusTotal Collection of indicators of compromise (IOCs) to help defenders detect Cobalt Strike components in their networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-releases-165-yara-rul… ∗∗∗ McAfee Fake Antivirus Phishing Campaign is Back!, (Sat, Nov 19th) ∗∗∗ --------------------------------------------- Yesterday I received this email that my McAfee antivirus subscription is expired and that my computer is already infected with 5 viruses (how do they know?). --------------------------------------------- https://isc.sans.edu/diary/rss/29264 ∗∗∗ Vulnerable Code Snippets ∗∗∗ --------------------------------------------- YesWeHack present code snippets containing several different vulnerabilities to practice your code analysis. The code snippets are beginner friendly but suitable for all levels! --------------------------------------------- https://github.com/yeswehack/vulnerable-code-snippets ∗∗∗ A Confused Deputy Vulnerability in AWS AppSync ∗∗∗ --------------------------------------------- We have identified a cross-tenant vulnerability in Amazon Web Services (AWS) that exploits AWS AppSync. This attack abuses the AppSync service to assume IAM roles in other AWS accounts, which allows an attacker to pivot into a victim organization and access resources in those accounts. --------------------------------------------- https://securitylabs.datadoghq.com/articles/appsync-vulnerability-disclosur… ∗∗∗ 5 free resources from the Cybersecurity and Infrastructure Security Agency (CISA) ∗∗∗ --------------------------------------------- To assist businesses in enhancing their security capabilities, CISA offers free cybersecurity products and services. --------------------------------------------- https://www.helpnetsecurity.com/2022/11/21/5-free-resources-cybersecurity-a… ∗∗∗ Gefälschtes SMS von Netflix droht mit Kontosperrung ∗∗∗ --------------------------------------------- Aktuell macht ein Netflix-SMS die Runde. Darin steht, dass Sie eine Rechnung nicht bezahlt haben. Daher droht man Ihnen mit einer Kontosperrung. Im SMS befindet sich auch ein Link. Klicken Sie nicht auf den Link, Kriminelle stehlen Ihre Netflix-Zugangsdaten. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-sms-von-netflix-droht-m… ∗∗∗ An AI Based Solution to Detecting the DoubleZero .NET Wiper ∗∗∗ --------------------------------------------- Unit 42 presents a machine learning model to predict maliciousness of .NET samples based on file structures, by analyzing the DoubleZero .NET wiper. --------------------------------------------- https://unit42.paloaltonetworks.com/doublezero-net-wiper/ ∗∗∗ Reputationsverlust durch Cyberangriffe ∗∗∗ --------------------------------------------- Die am meisten befürchteten Schäden durch Cyberangriffe sind finanzielle Schäden sowie Verlust von Reputation und Kundenvertrauen. Bei der Umsetzung von Cybersicherheitsmaßnahmen stehen jedoch Schutz von Geschäftskontinuität, Daten und Kunden im Vordergrund. --------------------------------------------- https://www.zdnet.de/88405082/reputationsverlust-durch-cyberangriffe/ ∗∗∗ Luna Moth: Erfolg mit Callback-Phishing ∗∗∗ --------------------------------------------- Die Luna Moth/Silent Ransom Kriminellen erbeuteten durch Callback-Phishing Hunderttausende von Euro, wie eine Analyse von Palo Alto Networks aufdeckt. --------------------------------------------- https://www.zdnet.de/88405109/luna-moth-erfolg-mit-callback-phishing/ ===================== = Vulnerabilities = ===================== ∗∗∗ Exploit released for actively abused ProxyNotShell Exchange bug ∗∗∗ --------------------------------------------- Proof-of-concept exploit code has been released online for two actively exploited and high-severity vulnerabilities in Microsoft Exchange, collectively known as ProxyNotShell. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-activel… ∗∗∗ New attacks use Windows security bypass zero-day to drop malware ∗∗∗ --------------------------------------------- New phishing attacks use a Windows zero-day vulnerability to drop the Qbot malware without displaying Mark of the Web security warnings. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-attacks-use-windows-secu… ∗∗∗ IBM Security Bulletins 2022-11-18 ∗∗∗ --------------------------------------------- Power HMC, InfoSphere Information Server, IBM Operations Analytics, IBM i Access Client Solutions, IBM DataPower Gateway, IBM Tivoli, IBM Spectrum Protect Plus --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphicsmagick and krb5), Fedora (dotnet6.0, js-jquery-ui, kubernetes, and xterm), Gentoo (php and postgresql), Mageia (php-pear-CAS, sysstat, varnish, vim, and x11-server), Red Hat (thunderbird), SUSE (389-ds, binutils, dpkg, firefox, frr, grub2, java-11-openjdk, java-17-openjdk, kernel, kubevirt stack, libpano, nodejs16, openjpeg, php7, php74, pixman, python-Twisted, python39, rubygem-loofah, sccache, sudo, thunderbird, tor, and tumbler), [...] --------------------------------------------- https://lwn.net/Articles/915623/ ∗∗∗ PoC Code Published for High-Severity macOS Sandbox Escape Vulnerability ∗∗∗ --------------------------------------------- A security researcher has published details and proof-of-concept (PoC) code for a macOS vulnerability that could be exploited to escape a sandbox and execute code within Terminal. --------------------------------------------- https://www.securityweek.com/poc-code-published-high-severity-macos-sandbox… ∗∗∗ Typora fails to properly neutralize JavaScript code ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN26044739/ ∗∗∗ MISP 2.4.165 released with many improvements, bugs fixed and security fixes. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2022/11/21/MISP.2.4.165.released.html/ ∗∗∗ Miele: Vulnerability in ease2pay cloud service used by appWash ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-052/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.11.2022
by Daily end-of-shift report 18 Nov '22

18 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-11-2022 18:00 − Freitag 18-11-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Zeppelin: Heimlich die Schlüssel einer Ransomware geknackt ∗∗∗ --------------------------------------------- Eine Sicherheitsfirma ist es gelungen die Ransomware Zeppelin zu knacken. Sie half heimlich mehreren Organisationen, wieder an ihre Daten zu gelangen. --------------------------------------------- https://www.golem.de/news/zeppelin-heimlich-die-schluessel-einer-ransomware… ∗∗∗ Security baseline for Microsoft Edge v107 ∗∗∗ --------------------------------------------- We have reviewed the settings in Microsoft Edge version 107 and updated our guidance with the addition of one new setting. We’re also highlighting three settings we would like you to consider based on your organizational needs. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Successful Hack of Time-Triggered Ethernet ∗∗∗ --------------------------------------------- Time-triggered Ethernet (TTE) is used in spacecraft, basically to use the same hardware to process traffic with different timing and criticality. Researchers have defeated it. --------------------------------------------- https://www.schneier.com/blog/archives/2022/11/successful-hack-of-time-trig… ∗∗∗ Microsoft Warns of Cybercrime Group Delivering Royal Ransomware, Other Malware ∗∗∗ --------------------------------------------- A threat actor tracked as DEV-0569 and known for the distribution of various malicious payloads was recently observed updating its delivery methods, Microsoft warns. --------------------------------------------- https://www.securityweek.com/microsoft-warns-cybercrime-group-delivering-ro… ∗∗∗ CISA, NSA, and ODNI Release Guidance for Customers on Securing the Software Supply Chain ∗∗∗ --------------------------------------------- Today, CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI), published the third of a three-part series on securing the software supply chain: Securing Software Supply Chain Series - Recommended Practices Guide for Customers. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/11/17/cisa-nsa-and-odni… *** #StopRansomware: Hive Ransomware *** --------------------------------------------- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) are releasing this joint CSA to disseminate known Hive IOCs and TTPs identified through FBI investigations as recently as November 2022. --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, firefox-esr, php-phpseclib, phpseclib, python-django, and thunderbird), Fedora (grub2, samba, and thunderbird), Mageia (firefox, sudo, systemd, and thunderbird), Slackware (freerdp), SUSE (firefox, go1.18, go1.19, kernel, openvswitch, python-Twisted, systemd, and xen), and Ubuntu (expat, git, multipath-tools, unbound, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/915378/ ∗∗∗ WordPress Plugin "WordPress Popular Posts" accepts untrusted external inputs to update certain internal variables ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN13927745/ ∗∗∗ Security Bulletin: IBM Operations Analytics – Log Analysis vulnerable to multiple vulnerabilities in Apache Tika (CVE-2022-30126, CVE-2022-33879, CVE-2022-30973) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel affect IBM Cloud Object Storage Systems (August 2022v2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: Rational Asset Analyzer is vulnerable to HTTP header injection (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics – Log Analysis (CVE-2019-17571, CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-22488 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics – Log Analysis (CVE-2021-44832, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: Rational Asset Analyzer is vulnerable to denial of service due to GraphQL Java (CVE-2022-37734) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Potential vulnerability in Eclipse Jetty affects IBM Operations Analytics – Log Analysis (CVE-2022-2047) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-vulnerability-i… ∗∗∗ Security Bulletin: The Community Edition of IBM ILOG CPLEX Optimization Studio is affected by multiple vulnerabilities in libcurl (CVE-2022-42915, CVE-2022-42916, CVE-2022-32221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-community-edition-of-… ∗∗∗ Security Bulletin: IBM Transform Services for IBM i is vulnerable to denial of service, buffer overflow, and allowing attacker to obtain sensitive information due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transform-services-fo… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2022
by Daily end-of-shift report 17 Nov '22

17 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-11-2022 18:00 − Donnerstag 17-11-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Evil Maid Attacks - Remediation for the Cheap, (Wed, Nov 16th) ∗∗∗ --------------------------------------------- The so-called evil maid attack is an attack against hardware devices utilizing hard- and/or software. It is carried out when the hardware is left unattended, e.g., in a hotel room when you're out for breakfast. The attacker manipulates the device in a malicious way. --------------------------------------------- https://isc.sans.edu/diary/rss/29256 ∗∗∗ WASP malware stings Python developers ∗∗∗ --------------------------------------------- Researchers from Phylum and Check Point earlier this month reported seeing new malicious packages on PyPI, a package index for Python developers. Analysts at Checkmarx this week connected the same attacker to both reports and said the operator is still releasing malicious packages. --------------------------------------------- https://www.theregister.com/2022/11/16/wasp_python_malware_checkmarx/ ∗∗∗ Disneyland Malware Team: It’s a Puny World After All ∗∗∗ --------------------------------------------- A financial cybercrime group calling itself the Disneyland Team has been making liberal use of visually confusing phishing domains that spoof popular bank brands using Punycode, an Internet standard that allows web browsers to render domain names with non-Latin alphabets like Cyrillic and Ukrainian. --------------------------------------------- https://krebsonsecurity.com/2022/11/disneyland-malware-team-its-a-puny-worl… ∗∗∗ Onlinebetrug-Simulator: Testen Sie Ihr Wissen zu Betrugsmaschen im Internet ∗∗∗ --------------------------------------------- Um Sie für die Gefahren von Fake-Shops und Phishing-Emails zu sensibilisieren und Sie im Bereich der Cyber-Sicherheit zu schulen, hat die AK Niederösterreich in Kooperation mit der Universität Wien den Onlinebetrug-Simulator ins Leben gerufen. --------------------------------------------- https://www.watchlist-internet.at/news/onlinebetrug-simulator-testen-sie-ih… ∗∗∗ Domain Controller gegen Angriffe absichern ∗∗∗ --------------------------------------------- Active Directory ist eine kritische Infrastruktur und sollte als solche behandelt werden. Aber wie sichert man als Administrator seine Domain Controller gegen Angriffe? --------------------------------------------- https://www.borncity.com/blog/2022/11/17/domain-controller-gegen-angriffe-a… ∗∗∗ Get a Loda This: LodaRAT meets new friends ∗∗∗ --------------------------------------------- LodaRAT samples were deployed alongside other malware families, including RedLine and Neshta. Cisco Talos identified several variants and altered versions of LodaRAT with updated functionality have been seen in the wild. --------------------------------------------- https://blog.talosintelligence.com/get-a-loda-this/ ===================== = Vulnerabilities = ===================== ∗∗∗ Schadcode-Attacken auf Bitbucket Server und Data Center möglich ∗∗∗ --------------------------------------------- Eine Sicherheitslücke bedroht mehrere Versionen von Atlassians Versionsverwaltungssoftware. --------------------------------------------- https://heise.de/-7343226 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and thunderbird), Fedora (expat, xen, and xorg-x11-server), Oracle (kernel, kernel-container, qemu, xorg-x11-server, and zlib), Scientific Linux (xorg-x11-server), Slackware (firefox, krb5, samba, and thunderbird), SUSE (ant, apache2-mod_wsgi, jsoup, rubygem-nokogiri, samba, and tomcat), and Ubuntu (firefox and linux, linux-aws, linux-aws-hwe, linux-dell300x, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/915245/ ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/11/16/samba-releases-se… ∗∗∗ Security Bulletin: IBM Partner Engagement Manager is vulnerable to sensitive data exposure (CVE-2022-34354) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-partner-engagement-ma… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by a vulnerability [CVE-2022-31129] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: CVE-2022-3676 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2022-3676-may-affect-… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow – CVE-2022-38390 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-… ∗∗∗ Security Bulletin: Tivoli Business Service Manager is vulnerable to cross-site scripting due to improper validation in Angular (CVE-2022-25869) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-business-service-m… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) is vulnerable to Insufficiently Protected LDAP Search Credentials ( CVE-2022-40751 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: Apache Tomcat could allow a remote attacker to obtain sensitive information (CVE-2021-43980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-tomcat-could-allow… ∗∗∗ Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/11/17/cve-2022-45163/ ∗∗∗ Red Lion Crimson ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-321-01 ∗∗∗ Cradlepoint IBR600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-321-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.11.2022
by Daily end-of-shift report 16 Nov '22

16 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-11-2022 18:00 − Mittwoch 16-11-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Forscher erraten Passwörter via Wärmebild mit Machine Learning und KI ∗∗∗ --------------------------------------------- In einem Versuchsaufbau haben Sicherheitsforscher auf einer Tastatur eingetippte zwölfstellige Passwörter mit einer Erfolgsquote von 83 Prozent rekonstruiert. --------------------------------------------- https://heise.de/-7341957 ∗∗∗ ESET APT Activity Report T2 2022 ∗∗∗ --------------------------------------------- Ein Überblick über die Aktivitäten ausgewählter APT-Gruppen, die von ESET Research in T2 2022 untersucht und analysiert wurden. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/11/16/apt-activity-report-t2-20… ∗∗∗ Fake Black Friday Gewinnspiele auf WhatsApp und Instagram im Umlauf ∗∗∗ --------------------------------------------- Vorsicht vor betrügerischen Gewinnspielen rund um den Black Friday. Zahlreiche WhatsApp- und Instagram-Nutzer:innen erhalten aktuell betrügerische Nachrichten von Unbekannten, aber auch eigenen Kontakten, die beispielsweise Gewinnspiele im Namen Amazons bewerben. Achtung: Es handelt sich um einen Versuch, Sie in eine Abo-Falle zu locken. Folgen Sie keinen Links in solchen Nachrichten und geben Sie keine Kreditkartendaten bekannt! --------------------------------------------- https://www.watchlist-internet.at/news/fake-black-friday-gewinnspiele-auf-w… ∗∗∗ Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend ∗∗∗ --------------------------------------------- By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as “DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC”. After successful validation, it was immediately submitted to Microsoft. They patched both bugs along with several other Exchange vulnerabilities in the November Patch Tuesday release. It is a beautiful chain, with an ingenious vector [...] --------------------------------------------- https://www.thezdi.com/blog/2022/11/14/control-your-types-or-get-pwned-remo… ∗∗∗ CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures ∗∗∗ --------------------------------------------- Rapid7 discovered several vulnerabilities and exposures in specific F5 BIG-IP and BIG-IQ devices in August 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response. --------------------------------------------- https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-418… ∗∗∗ Magento stores targeted in massive surge of TrojanOrders attacks ∗∗∗ --------------------------------------------- At least seven hacking groups are behind a massive surge in TrojanOrders attacks targeting Magento 2 websites, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-m… ∗∗∗ Token tactics: How to prevent, detect, and respond to cloud token theft ∗∗∗ --------------------------------------------- As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-… ∗∗∗ Packet Tuesday: Network Traffic Analysis for the Whole Family, (Tue, Nov 15th) ∗∗∗ --------------------------------------------- A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking of "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below. --------------------------------------------- https://isc.sans.edu/diary/rss/29252 ∗∗∗ New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques ∗∗∗ --------------------------------------------- Readers of this blog should already be familiar with SocGholish: a widespread, years-long malware campaign aimed at pushing fake browser updates to unsuspecting web users. Once installed, fake browser updates infect the victim’s computer with various types of malware including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware attacks against corporations and other organizations. --------------------------------------------- https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-com… ∗∗∗ Researchers Discover Hundreds of Amazon RDS Instances Leaking Users Personal Data ∗∗∗ --------------------------------------------- "Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot," Amazon cautions in its documentation. "When a snapshot is shared publicly, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it." --------------------------------------------- https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Secure Email Gateway Malware Detection Evasion ∗∗∗ --------------------------------------------- This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame. As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110021 ∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks. For more information about these vulnerabilities, see the Details section of this advisory. Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2, nginx, and wordpress), Red Hat (389-ds-base, bind, buildah, curl, device-mapper-multipath, dnsmasq, dotnet7.0, dpdk, e2fsprogs, grafana-pcp, harfbuzz, ignition, Image Builder, kernel, keylime, libguestfs, libldb, libtiff, libvirt, logrotate, mingw-zlib, mutt, openjpeg2, podman, poppler, python-lxml, qt5, rsync, runc, samba, skopeo, toolbox, unbound, virt-v2v, wavpack, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), SUSE (389-ds, bluez, dhcp, freerdp, jackson-databind, kernel, LibVNCServer, libX11, nodejs12, nodejs16, php7, php8, python-Mako, python-Twisted, python310, sudo, systemd, and xen), and Ubuntu (mako). --------------------------------------------- https://lwn.net/Articles/915097/ ∗∗∗ RICOH Aficio SP 4210N vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN24659622/ ∗∗∗ Multiple vulnerabilities in Movable Type ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN37014768/ ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update July 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.2ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2022
by Daily end-of-shift report 15 Nov '22

15 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-11-2022 18:00 − Dienstag 15-11-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ DTrack activity targeting Europe and Latin America ∗∗∗ --------------------------------------------- DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. [..] So, what’s new? DTrack itself hasn’t changed much over the course of time. Nevertheless, there are some interesting modifications that we want to highlight in this blogpost. Dtrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts. --------------------------------------------- https://securelist.com/dtrack-targeting-europe-latin-america/107798/ ∗∗∗ ABI compatibility in Python: How hard could it be? ∗∗∗ --------------------------------------------- This post will cover just one tiny piece of Python packaging’s complexity: the CPython stable ABI. We’ll see what the stable ABI is, why it exists, how it’s integrated into Python packaging, and how each piece goes terribly wrong to make accidental ABI violations easy. --------------------------------------------- https://blog.trailofbits.com/2022/11/15/python-wheels-abi-abi3audit/ ∗∗∗ Checkmk: Remote Code Execution by Chaining Multiple Bugs ∗∗∗ --------------------------------------------- Within the series of articles, we take a detailed look at multiple vulnerabilities we identified in Checkmk and its NagVis integration, which can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk. --------------------------------------------- https://blog.sonarsource.com/checkmk-rce-chain-3/ ∗∗∗ Organizations Warned of Critical Vulnerability in Backstage Developer Portal Platform ∗∗∗ --------------------------------------------- Backstage is affected by a critical vulnerability related to a security hole found earlier this year by Oxeye in the popular sandbox library VM2. The VM2 flaw, dubbed SandBreak and tracked as CVE-2022-36067, can allow a remote attacker to escape the sandbox and execute arbitrary code on the host. Backstage has been using VM2 and Oxeye researchers discovered that CVE-2022-36067 can be exploited for unauthenticated remote code execution in Backstage by abusing its software templates. --------------------------------------------- https://www.securityweek.com/organizations-warned-critical-vulnerability-ba… ∗∗∗ Kreditbetrug: Vorsicht vor darlehenexpert.com ∗∗∗ --------------------------------------------- darlehenexpert.com gibt sich als Kreditgeber aus und ermöglicht angeblich Privat- und Autokredite, Hypotheken sowie Darlehen. Interessierte füllen online ein Kreditantragsformular aus und erhalten nach kurzer Zeit eine Zusage. Doch Vorsicht: darlehenexpert.com ist betrügerisch. Sie werden aufgefordert, vorab unterschiedliche Gebühren zu überweisen. Wenn Sie überweisen, verlieren Sie Ihr Geld und erhalten keinen Kredit! --------------------------------------------- https://www.watchlist-internet.at/news/kreditbetrug-vorsicht-vor-darlehenex… ∗∗∗ Android malware: A million people downloaded these malicious apps before they were finally removed from Google Play ∗∗∗ --------------------------------------------- Cybersecurity researchers identify an aggressive adware campaign. The developer is now banned from Google Play - but if youve not uninstalled the apps, youre still infected. [..] The four apps that have been identified as malicious were from a developer called Mobile apps Group and were called 'Bluetooth Auto Connect', 'Bluetooth App Sender', 'Mobile transfer: smart switch', and 'Driver: Bluetooth, Wi-Fi, USB'. --------------------------------------------- https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over… ∗∗∗ Windows Server 2012 R2: Sophos User-Authentifizierung mittels Heartbeat auf RDS-Servern abgeschaltet ∗∗∗ --------------------------------------------- Kurzer Hinweis für Administratoren, die Windows Server 2012 R2 einsetzen und sich auf die Sophos User-Authentifizierung per Sophos Security Heartbeats verlassen. Sophos hat ein Update verteilt, welches die Funktion auf Windows Server 2012 R2 stillschweigend außer Kraft setzt. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/windows-server-2012-r2-sophos-user… ∗∗∗ LKA warnt vor Betrugsmasche mit digitalen Kreditkarten (Nov. 2022) ∗∗∗ --------------------------------------------- Das LKA Niedersachsen warnt vor einer neue Betrugsmasche, die Cyber-Kriminelle erdacht haben. Mittels Phishing-E-Mails, gefälschten Webseiten und digitalen Kreditkarten versuchen sie an Zahlungsdaten der Opfer heranzukommen. Die Daten der digitalen Kreditkarte werden dann für eigene Einkäufe auf Kosten des Opfers missbraucht. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/lka-warnt-vor-betrugsmasche-mit-di… ∗∗∗ Firmware- und BIOS-Updates: AMD, Intel, Lenovo, HP (Nov. 2022) ∗∗∗ --------------------------------------------- Die Hersteller Lenovo und HP stopfen mit Firmware-Updates entdeckte Schwachstellen im BIOS (und in der Software) ihrer Systeme. Und die Prozessorhersteller AMD sowie Intel haben ebenfalls Sicherheitslücken in ihrer Firmware per Update im November 2022 geschlossen. Hier ein kompakter Überblick über diese Updates. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/firmware-und-bios-updates-amd-inte… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel and webkit2gtk3), Red Hat (dhcp, dovecot, flac, freetype, fribidi, frr, gimp, grafana, guestfs-tools, httpd, kernel-rt, libtirpc, mingw-gcc, mingw-glib2, pcs, php, protobuf, python3.9, qemu-kvm, redis, speex, and swtpm), SUSE (chromium, containerized-data-importer, jhead, kubevirt stack, nodejs14, nodejs16, python-Werkzeug, and xen), and Ubuntu (golang-1.13, nginx, and vim). --------------------------------------------- https://lwn.net/Articles/914952/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.5 ∗∗∗ --------------------------------------------- In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.5 ∗∗∗ --------------------------------------------- CVE-2022-45403: Service Workers might have learned size of cross-origin media files CVE-2022-45404: Fullscreen notification bypass CVE-2022-45405: Use-after-free in InputStream implementation CVE-2022-45406: Use-after-free of a JavaScript Realm CVE-2022-45408: Fullscreen notification bypass via windowName CVE-2022-45409: Use-after-free in Garbage Collection CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/ ∗∗∗ Security Vulnerabilities fixed in Firefox 107 ∗∗∗ --------------------------------------------- CVE-2022-45407: Loading fonts on workers was not thread-safe CVE-2022-45403: Service Workers might have learned size of cross-origin media files CVE-2022-45404: Fullscreen notification bypass CVE-2022-45405: Use-after-free in InputStream implementation CVE-2022-45406: Use-after-free of a JavaScript Realm CVE-2022-45408: Fullscreen notification bypass via windowName CVE-2022-45409: Use-after-free in Garbage Collection CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/ ∗∗∗ TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN54728399/ ∗∗∗ ZDI-22-1592: Parse Server _expandResultOnKeyPath Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1592/ ∗∗∗ ZDI-22-1591: Parse Server buildUpdatedObject Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1591/ ∗∗∗ ZDI-22-1590: Parse Server transformUpdate Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1590/ ∗∗∗ ABB PCM600 Cleartext Credentials Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001518 ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulner… ∗∗∗ Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics – Log Analysis (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache… ∗∗∗ PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-051/ ∗∗∗ Mitsubishi Electric GT SoftGOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-319-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2022
by Daily end-of-shift report 14 Nov '22

14 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-11-2022 18:00 − Montag 14-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt deinstallieren! Sicherheitslücken, aber keine Patches für VMware Hyperic ∗∗∗ --------------------------------------------- Der Support für die IT-Managementsoftware VMware Hyperic ist ausgelaufen. Admins sollten umsteigen. --------------------------------------------- https://heise.de/-7339160 ∗∗∗ Neue Betrugsmasche auf Amazon: Betrügerische Marketplace-Händler stornieren Bestellungen und empfehlen Kauf bei „Amazon-Partnershops“ ∗∗∗ --------------------------------------------- Sabine sucht auf Amazon nach einer Kaffeemaschine. Bei einem Marketplace-Händler findet sie ein günstiges Angebot. Sie bestellt und wartet nun auf die Lieferung. Kurz nach der Bestellung wird der Kauf aber vom Händler storniert. Sie bekommt ein Mail, indem sich der Händler entschuldigt und ihr einen Shop nennt, bei dem sie die Kaffeemaschine zum gleichen Preis bestellen kann. Vorsicht: Dabei handelt es sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-amazon-betrue… ∗∗∗ Extracting HTTP CONNECT Requests with Python, (Mon, Nov 14th) ∗∗∗ --------------------------------------------- Seeing abnormal Suricata alerts isnt too unusual in my home environment. In many cases it may be a TLD being resolved that at one point in time was very suspicious. With the increased legitimate adoption of some of these domains, these alerts have been less useful, although still interesting to investigate. I ran into a few of these alerts one night and when diving deeper there was an unusual amount, frequency, and source of the alerts. --------------------------------------------- https://isc.sans.edu/diary/rss/29246 ∗∗∗ Extracting Information From "logfmt" Files With CyberChef, (Sat, Nov 12th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/29244 ∗∗∗ KmsdBot: The Attack and Mine Malware ∗∗∗ --------------------------------------------- Akamai Security Research has observed a new malware that infected our honeypot, which we have dubbed KmsdBot. The botnet infects systems via an SSH connection that uses weak login credentials. --------------------------------------------- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-m… ∗∗∗ Discover 2022’s Nastiest Malware ∗∗∗ --------------------------------------------- For the past year, hackers have been following close behind businesses and families just waiting for the right time to strike. In other words, 2022 has been an eventful year in the threat landscape, with malware continuing to take center stage. The 6 Nastiest Malware of 2022 Since the mainstreaming of ransomware payloads and the [...] --------------------------------------------- https://www.webroot.com/blog/2022/10/14/discover-2022s-nastiest-malware/ ∗∗∗ Typhon Reborn With New Capabilities ∗∗∗ --------------------------------------------- Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn. --------------------------------------------- https://unit42.paloaltonetworks.com/typhon-reborn-stealer/ ∗∗∗ BumbleBee Zeros in on Meterpreter ∗∗∗ --------------------------------------------- In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. --------------------------------------------- https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/ ∗∗∗ Stories from the SOC: Fortinet authentication bypass observed in the wild ∗∗∗ --------------------------------------------- Fortinet’s newest vulnerability, CVE-2022-40684, allowing for authentication bypass to manipulate admin SSH keys, unauthorized downloading of configuration files, and creating of super admin accounts, is put a big target on the back’s of unpatched and exposed Fortinet devices. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ HP-BIOS: Pufferüberlauf ermöglicht Rechteausweitung, Update ist verfügbar ∗∗∗ --------------------------------------------- HP warnt vor einer Sicherheitslücke im BIOS zahlreicher Notebooks und PC. Angreifer könnten dadurch ihre Rechte ausweiten oder beliebigen Code ausführen. --------------------------------------------- https://heise.de/-7339122 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dropbear, php7.4, pixman, sysstat, and xorg-server), Fedora (mingw-expat, mingw-libtasn1, and mingw-pixman), Mageia (binutils/gdb, chromium-browser-stable, exiv2, libtiff, nodejs, pcre, pixman, wayland, and webkit2), Red Hat (device-mapper-multipath and libksba), SUSE (autotrace, busybox, libmodbus, php72, python-numpy, rustup, samba, varnish, xen, and xterm), and Ubuntu (thunderbird). --------------------------------------------- https://lwn.net/Articles/914811/ ∗∗∗ Path Traversal Schwachstelle in Payara Platform ∗∗∗ --------------------------------------------- Aufgrund einer fehlerhaften Pfadüberprüfung in der Payara Software ist es möglich, die Konfigurations- oder Sourcecode-Dateien von Webanwendungen in den Verzeichnissen WEB-INF und META-INF über eine Path Traversal Schwachstelle zu lesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/path-traversal-vulner… ∗∗∗ Vielfältige Schwachstellen in BACKCLICK Professional (SYSS-2022-026 bis -037) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-p… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru traces sensitive data (CVE-2022-35719) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2022
by Daily end-of-shift report 11 Nov '22

11 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-11-2022 18:00 − Freitag 11-11-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ US Health Dept warns of Venus ransomware targeting healthcare orgs ∗∗∗ --------------------------------------------- The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the countrys healthcare organizations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-venu… ∗∗∗ Microsoft fixes Windows zero-day bug exploited to push malware ∗∗∗ --------------------------------------------- Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zer… ∗∗∗ NIS2-Richtlinie: Domaininhaber müssen künftig Adressdaten hinterlegen ∗∗∗ --------------------------------------------- Die neue EU-Richtlinie zur IT-Sicherheit (NIS2) untersagt die anonyme Registrierung von Domains. --------------------------------------------- https://www.golem.de/news/nis2-richtlinie-domaininhaber-muessen-kuenftig-ad… ∗∗∗ Sicherheitslücke: Sperrbildschirm von Pixel-Smartphones ließ sich umgehen ∗∗∗ --------------------------------------------- Einem Forscher ist es gelungen, ein Pixel-Smartphone von Google ohne PIN zu entsperren. Doch Fix und Bug Bounty ließen lange auf sich warten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-sperrbildschirm-von-pixel-smart… ∗∗∗ Cisco dichtet Sicherheitslecks in ASA und Firepower ab ∗∗∗ --------------------------------------------- Cisco dichtet teils hochriskante Sicherheitslücken in der Software der Adaptive Security Appliance und Firepower Threat Defense. Admins sollten aktiv werden. --------------------------------------------- https://heise.de/-7336757 ∗∗∗ Digitalbarometer 2022: Weiter leichtes Spiel für Cyber-Kriminelle ∗∗∗ --------------------------------------------- BSI und Polizeiliche Kriminalprävention der Länder und des Bundes (ProPK) veröffentlichen die vierte gemeinsame Bürgerbefragung: Viele Bürgerinnen und Bürger vernachlässigen grundlegende Maßnahmen, um sich vor Angriffen im Netz zu schützen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced the release of a Stakeholder-Specific Vulnerability Categorization (SSVC) guide that can help organizations prioritize vulnerability patching using a decision tree model. --------------------------------------------- https://www.securityweek.com/cisa-releases-decision-tree-model-help-compani… ∗∗∗ Phishing-resistente Multifaktor Authentifizierung ∗∗∗ --------------------------------------------- Multifaktor Authentifizierung (MFA) kann durch Phishing ausgehebelt werden. Es kommt darauf an, MFA widerstandsfähiger zu machen, betont Lance Spitzner, SANS Security Awareness Director, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88404820/phishing-resistente-multifaktor-authentifizie… ∗∗∗ HackHound IRC Bot Being Distributed via Webhards ∗∗∗ --------------------------------------------- Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. --------------------------------------------- https://asec.ahnlab.com/en/41806/ ∗∗∗ CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS ∗∗∗ --------------------------------------------- This blog entry details our investigation of CVE-2019-8561, a vulnerability that exists in the macOS PackageKit framework, a component used to install software installer packages (PKG files). --------------------------------------------- https://www.trendmicro.com/en_us/research/22/k/cve-2019-8561-a-hard-to-bani… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and exiv2), Fedora (curl, device-mapper-multipath, dotnet6.0, mediawiki, mingw-gcc, and php-pear-CAS), Gentoo (lesspipe), Slackware (php), SUSE (git, glibc, kernel, libarchive, python, python-rsa, python3-lxml, rpm, sudo, xen, and xwayland), and Ubuntu (wavpack). --------------------------------------------- https://lwn.net/Articles/914571/ ∗∗∗ Preisgabe von sensiblen Informationen in Zoom (SYSS-2022-048) ∗∗∗ --------------------------------------------- Bei einer Videokonferenz über Zoom werden Chatnachrichten im Installationsverzeichnis gespeichert. Ein Angreifer kann diese Nachrichten entschlüsseln. --------------------------------------------- https://www.syss.de/pentest-blog/preisgabe-von-sensiblen-informationen-in-z… ∗∗∗ Rapid7’s Impact from OpenSSL Buffer Overflow Vulnerabilities (CVE-2022-3786 & CVE-2022-3602) ∗∗∗ --------------------------------------------- CVE-2022-3786 & CVE-2022-3602 vulnerabilities affecting OpenSSL’s 3.0.x versions both rely on a maliciously crafted email address in a certificate. --------------------------------------------- https://www.rapid7.com/blog/post/2022/11/11/rapid7s-impact-from-openssl-buf… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime used by the IBM Installation Manager and IBM Packaging Utility – CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Omron NJ/NX-series Machine Automation Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-314-07 ∗∗∗ Omron NJNX-series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-314-08 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2022
by Daily end-of-shift report 10 Nov '22

10 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-11-2022 18:00 − Donnerstag 10-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New StrelaStealer malware steals your Outlook, Thunderbird accounts ∗∗∗ --------------------------------------------- A new information-stealing malware named StrelaStealer is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-strelastealer-malware-st… ∗∗∗ VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations ∗∗∗ --------------------------------------------- Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. An attacker can corrupt the memory using Direct Memory Access (DMA) timing attacks that can lead to code execution. These threats are collectively referred to as RingHopper attacks. --------------------------------------------- https://kb.cert.org/vuls/id/434994 ∗∗∗ Windows breaks under upgraded IceXLoader malware ∗∗∗ --------------------------------------------- Were the malware of Nim! A malware loader deemed in June to be a "work in progress" is now fully functional and infecting thousands of Windows corporate and home PCs.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/11/10/icexloader_m… ∗∗∗ [SANS ISC] Do you collect “Observables” or “IOCs”? ∗∗∗ --------------------------------------------- Indicators of Compromise, or IOCs, are key elements in blue team activities. IOCs are mainly small pieces of technical information that have been collected during investigations, threat hunting activities or malware analysis. --------------------------------------------- https://blog.rootshell.be/2022/11/10/sans-isc-do-you-collect-observables-or… ∗∗∗ Phishing-Resistant MFA Does Not Mean Un-Phishable ∗∗∗ --------------------------------------------- Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse “phishing-resistant” with being impossible to phish or socially engineer. --------------------------------------------- https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishabl… ∗∗∗ The Case of Cloud9 Chrome Botnet ∗∗∗ --------------------------------------------- The Zimperium zLabs team recently discovered a malicious browser extension, which not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device. In this blog, we will take a deeper look into the architecture and modus operandi of this malicious browser extension, originally called Cloud9, by the malware author. --------------------------------------------- https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/ ∗∗∗ Certificates and Pwnage and Patches, Oh My! ∗∗∗ --------------------------------------------- A lot has happened since we released the “Certified Pre-Owned” blog post and whitepaper in June of last year. [...] A lot of organizations (and a lot of pentesters ;) definitely realized how pervasive misconfigurations in Active Directory Certificate Service are and how easy it is now to enumerate and abuse these issues. [...] With all of these changes, we wanted to revisit some of the offensive AD CS attacks, detail how the patch has affected some of the existing escalations, and --------------------------------------------- https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f… ∗∗∗ The November 2022 Security Update Review ∗∗∗ --------------------------------------------- Welcome to the penultimate Patch Tuesday of 2021. As expected, Adobe and Microsoft have released their latest security updates and fixes to the world. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. --------------------------------------------- https://www.thezdi.com/blog/2022/11/8/the-november-2022-security-update-rev… ∗∗∗ How LNK Files Are Abused by Threat Actors ∗∗∗ --------------------------------------------- LNK files are based on the Shell Link Binary file format, also known as Windows shortcuts. But what seems a relatively simple ability to execute other binaries on the system can inflict great harm when abused by threat actors. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-f… ∗∗∗ Penetration and Distribution Method of Gwisin Attacker ∗∗∗ --------------------------------------------- The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. --------------------------------------------- https://asec.ahnlab.com/en/41565/ ===================== = Vulnerabilities = ===================== ∗∗∗ Bios: Sicherheitslücken im UEFI etlicher Lenovo-Laptops ∗∗∗ --------------------------------------------- Lenovo hat Treiber verwendet, die nur für die Produktion vorgesehen waren. Dadurch lässt sich Secure Boot aus dem Betriebssystem heraus deaktivieren. --------------------------------------------- https://www.golem.de/news/bios-sicherheitsluecken-im-uefi-etlicher-lenovo-l… ∗∗∗ Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure ∗∗∗ --------------------------------------------- Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN75437943/ ∗∗∗ Cisco Security Advisories 2022-11-09 ∗∗∗ --------------------------------------------- Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2022-11-09 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Security, IBM Master Data Management, IBM Planning Analytics, IBM Planning Analytics Workspace, IBM QRadar, IBM Tivoli Business Service Manager --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ HTML Injection in BMC Remedy ITSM-Suite ∗∗∗ --------------------------------------------- Die Anwendung BMC Remedy erlaubt es Benutzern Incidents über Email weiterzuleiten. Im Email Editor ist es möglich HTML-Code in das "To" Feld einzufügen. Danach zeigt die Anwendung an, dass der Incident an Empfänger weitergeleitet wurde. Durch Klicken auf die Anzahl der Empfänger wird der eingefügte HTML-Code geladen und ausgeführt. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/html-injection-in-bmc… ∗∗∗ CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine ∗∗∗ --------------------------------------------- A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system allows a local attacker with shell access to the engine to execute programs with elevated privileges. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0031 ∗∗∗ Bugfix-Updates: Apple stellt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 bereit ∗∗∗ --------------------------------------------- Fehlerbehebungen und gestopfte Sicherheitslücken außer der Reihe: Apple legt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 für Mac, iPad und iPhone vor. --------------------------------------------- https://heise.de/-7335516 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libjettison-java and xorg-server), Slackware (sysstat and xfce4), SUSE (python3 and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/914347/ ∗∗∗ Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server ∗∗∗ --------------------------------------------- Unit 42 discovered three vulnerabilities in OpenLiteSpeed Web Server and LiteSpeed Web Server that could be used together for remote code execution. --------------------------------------------- https://unit42.paloaltonetworks.com/openlitespeed-vulnerabilities/ ∗∗∗ [R1] Nessus Version 8.15.7 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, zlib) were found to contain vulnerabilities, and updated versions have been made available by the providers.Out of caution and in line with good practice, Tenable has opted to upgrade these components to address the potential impact of the issues. --------------------------------------------- https://www.tenable.com/security/tns-2022-26 ∗∗∗ 2022-12 Multiple Java SE vulnerabilities in Belden/Hirschmann software products ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14996&mediaformat…" target="_blank -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2022
by Daily end-of-shift report 09 Nov '22

09 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-11-2022 18:00 − Mittwoch 09-11-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Intel, AMD Address Many Vulnerabilities With Patch Tuesday Advisories ∗∗∗ --------------------------------------------- Intel and AMD have announced fixes for many vulnerabilities on this Patch Tuesday, including for flaws that have been assigned a ‘high severity’ rating. --------------------------------------------- https://www.securityweek.com/intel-amd-address-many-vulnerabilities-patch-t… ∗∗∗ Microsoft: Windows 10 21H1 reaches end of service next month ∗∗∗ --------------------------------------------- Microsoft has reminded customers today that all editions of Windows 10 21H1 (also known as the May 2021 Update) are reaching the end of service (EOS) next month. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-21h1-r… ∗∗∗ Lenovo fixes flaws that can be used to disable UEFI Secure Boot ∗∗∗ --------------------------------------------- Lenovo has fixed two high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models that could allow an attacker to deactivate UEFI Secure Boot. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lenovo-fixes-flaws-that-can-… ∗∗∗ Phishing-Resistant MFA Does Not Mean Un-Phishable ∗∗∗ --------------------------------------------- Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse “phishing-resistant” with being impossible to phish or socially engineer. --------------------------------------------- https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishabl… ∗∗∗ SMS „Hallo Mama, mein Handy ist kaputt“ ist betrügerisch! ∗∗∗ --------------------------------------------- Eine großangelegte SMS-Betrugsmasche sorgt aktuell für Verunsicherung bei Empfänger:innen. Der Inhalt der „Hallo Mama“ oder „Hallo Papa“ SMS soll vermitteln, dass das eigene Kind eine neue Nummer hätte. Das Kind bittet deshalb um Kontaktaufnahme über WhatsApp. Wer hier antwortet, wird schon bald vom vermeintlichen Kind zu Zahlungen aufgefordert. Ignorieren Sie die Nachrichten und führen Sie auf keinen Fall Überweisungen durch. --------------------------------------------- https://www.watchlist-internet.at/news/sms-hallo-mama-mein-handy-ist-kaputt… ∗∗∗ Massive ois[.]is Black Hat Redirect Malware Campaign ∗∗∗ --------------------------------------------- Since September 2022, our research team has tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines. PublicWWW results show nearly 15,000 websites have been affected by this malware so far. --------------------------------------------- https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-c… ∗∗∗ Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns ∗∗∗ --------------------------------------------- The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors. Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks. --------------------------------------------- https://blog.talosintelligence.com/ipfs-abuse/ ∗∗∗ Check Point CloudGuard Spectral exposes new obfuscation techniques for malicious packages on PyPI ∗∗∗ --------------------------------------------- Check Point Research (CPR) detects a new and unique malicious package on PyPI, the leading package index used by developers for the Python programming language The new malicious package was designed to hide code in images and infect through open-source projects on Github CPR responsibly disclosed this information to PyPI, who removed the packages. --------------------------------------------- https://research.checkpoint.com/2022/check-point-cloudguard-spectral-expose… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks ∗∗∗ --------------------------------------------- Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-proxynotshe… ∗∗∗ Kritische Sicherheitslücken in VMware Workspace ONE - Updates verfügbar ∗∗∗ --------------------------------------------- VMware hat Updates für drei kritische Authentication Bypass Sicherheitslücken im Remote-Access-Tool VMware Workspace ONE veröffentlicht. Entfernte, anonyme Angreifer:innen können die Authentifizierung in erreichbaren VMware Workspace ONE Instanzen umgehen und Administratorrechte auf den betroffenen Systemen erlangen. --------------------------------------------- https://cert.at/de/warnungen/2022/11/kritische-sicherheitslucken-in-vmware-… ∗∗∗ Citrix Gateway und ADC: Kritische Lücke ermöglicht unbefugten Zugriff ∗∗∗ --------------------------------------------- Citrix schließt Sicherheitslücken, durch die Angreifer etwa unberechtigt auf die Gerätefunktionen zugreifen können. Administratoren sollten zügig aktualisieren. --------------------------------------------- https://heise.de/-7334851 ∗∗∗ Multiple vulnerabilities in WordPress ∗∗∗ --------------------------------------------- WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature. --------------------------------------------- https://jvn.jp/en/jp/JVN09409909/ ∗∗∗ IBM Security Bulletins 2022-11-08 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Cloud Application Business Insights, IBM Security Guardium, IBM Security Verify Access --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lenovo Product Security Advisories 2022-11-08 ∗∗∗ --------------------------------------------- AMD Graphics Driver, AMD IBPB Return Branch Predictions, Brocade EZSwitch, Elan UltraNav and MiniPort Driver, Intel AMT SDK, Intel EMA, Intel MC, Intel Chipset Firmware, Intel PROSet Wireless WiFi, Intel vPro CSME WiFi, Killer WiFi, Intel SGX SDK, Lenovo Diagnostics, Lenovo Notebook BIOS, Lenovo Vantage Component, Multi-Vendor BIOS --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Cisco Security Advisories 2022-11-09 ∗∗∗ --------------------------------------------- Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Webbrowser: Zehn Sicherheitslücken weniger in Google Chrome ∗∗∗ --------------------------------------------- In dem jetzt verfügbaren Update für den Webbrowser Chrome schließt Google 10 Sicherheitslücken. Mit manipulierten Webseiten könnten Angreifer Code ausführen. --------------------------------------------- https://heise.de/-7334255 ∗∗∗ Foxit PDF Reader: Schadcode-Attacken über präparierte PDFs möglich ∗∗∗ --------------------------------------------- Die Foxit-Entwickler haben in ihren PDF-Anwendungen unter macOS und Windows Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7334993 ∗∗∗ Patchday: SAP stopft neun zum Teil kritische Schwachstellen ∗∗∗ --------------------------------------------- Am November-Patchday dichtet SAP teils kritische Sicherheitslücken in mehreren Produkten ab. Administratoren sollten sie zügig auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-7334573 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (vim, webkit2gtk, and wpewebkit), Fedora (mingw-python3, vim, webkit2gtk3, webkitgtk, and xen), Mageia (389-ds-base, bluez, ffmpeg, libtasn1, libtiff, libxml2, and mbedtls), Red Hat (kpatch-patch and linux-firmware), SUSE (conmon, containerized data importer, exim, expat, ganglia-web, gstreamer-0_10-plugins-base, gstreamer-0_10-plugins-good, gstreamer-plugins-base, gstreamer-plugins-good, kernel, kubevirt, protobuf, sendmail, and vsftpd), and Ubuntu (libzstd, openjdk-8, openjdk-lts, openjdk-17, openjdk-19, php7.2, php7.4, php8.1, and pixman). --------------------------------------------- https://lwn.net/Articles/914221/ ∗∗∗ Zahlreiche kritische Schwachstellen in Simmeth System GmbH Lieferantenmanager ∗∗∗ --------------------------------------------- Die Software Lieferantenmanager der Simmeth System GmbH ist von mehreren kritischen Schwachstellen betroffen. Durch diese lassen sich beliebige Befehle ohne Authentifizierung auf dem SQL Server ausführen. Des Weiteren können beliebige Dateien auf dem Webserver gelesen und Nutzersessions gestohlen werden. Außerdem wurde das E-Mail Passwort der Firma Simmeth mithilfe eines unauthentifizierten Requests ausgelesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/multiple-critical-vul… ∗∗∗ [R1] Nessus Network Monitor Version 6.1.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Network Monitor leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2022-25 ∗∗∗ Xen Security Advisory CVE-2022-23824 / XSA-422 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-422.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2022
by Daily end-of-shift report 08 Nov '22

08 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-11-2022 18:00 − Dienstag 08-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How to mimic Kerberos protocol transition using reflective RBCD ∗∗∗ --------------------------------------------- We know that a delegation is dangerous if an account allows delegating third-party user authentication to a privileged resource. In the case of constrained delegation, all it takes is to find a privileged account in one of the SPN (Service Principal Name) set in the msDS-AllowedToDelegateTo attribute of a compromised service account. --------------------------------------------- https://medium.com/tenable-techblog/how-to-mimic-kerberos-protocol-transiti… ∗∗∗ Azov-Malware zerstört Dateien in 666-Byte-Schritten ∗∗∗ --------------------------------------------- Der Windows-Schädling Azov ist ein Wiper und vernichtet Dateien unwiderruflich. Sicherheitsforscher beobachten ein erhöhtes Aufkommen. --------------------------------------------- https://heise.de/-7333231 ∗∗∗ Open Bug Bounty: Eine Million Sicherheitslücken im Web behoben ∗∗∗ --------------------------------------------- Eine offene Plattform für das Offenlegen von Sicherheitslücken im Web hat einen Meilenstein erreicht. Open Bug Bounty verzeichnet über 1,3 Mio. Entdeckungen. --------------------------------------------- https://heise.de/-7333872 ∗∗∗ Achtung Fake-Shop: marktstores.com gibt sich als Media Markt aus ∗∗∗ --------------------------------------------- Die Playstation 5 ist momentan überall ausverkauft. Vorsicht, wenn Sie im Internet dennoch einen Anbieter finden, der sie angeblich liefern kann. Dieser könnte sich als Fake-Shop herausstellen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-marktstorescom-gib… ∗∗∗ LockBit 3.0 Being Distributed via Amadey Bot ∗∗∗ --------------------------------------------- The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. --------------------------------------------- https://asec.ahnlab.com/en/41450/ ∗∗∗ Prepare, respond & recover: Battling complex Cybersecurity threats with fundamentals ∗∗∗ --------------------------------------------- The cybersecurity industry has seen a lot of recent trends. For example, the proliferation of multifactor authentication (MFA) to fight against credential harvesting is a common thread. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/prepare-respond-rec… ∗∗∗ Cracking 2.3M Attackers-Supplied Credentials: What Can We Learn from RDP Attacks ∗∗∗ --------------------------------------------- To study credentials attacks on RDP, we operate high-interaction honeypots on the Internet. We analyzed over 2.3 million connections that supplied hashed credentials and attempted to crack them. --------------------------------------------- https://www.gosecure.net/blog/2022/11/08/cracking-2-3m-attackers-supplied-c… ∗∗∗ DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework ∗∗∗ --------------------------------------------- This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-a… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-07 ∗∗∗ --------------------------------------------- IBM Tivoli Monitoring, IBM App Connect Enterprise Certified Container, IBM Operations Analytics - Log Analysis --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Siemens Security Advisories 2022-11-08 ∗∗∗ --------------------------------------------- Siemens released 9 new and 8 updated Advisories. (CVSS Scores 5.3-9.9) --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-11#Sec… ∗∗∗ Patchday: Angreifer könnten Android-Geräte über Attacken lahmlegen ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für Android 10 bis 13 veröffentlicht. Einige andere Hersteller bieten ebenfalls Patches an. --------------------------------------------- https://heise.de/-7333334 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pixman and sudo), Fedora (mingw-binutils and mingw-gdb), Red Hat (bind, bind9.16, container-tools:3.0, container-tools:4.0, container-tools:rhel8, dnsmasq, dotnet7.0, dovecot, e2fsprogs, flatpak-builder, freetype, fribidi, gdisk, grafana, grafana-pcp, gstreamer1-plugins-good, httpd:2.4, kernel, kernel-rt, libldb, libreoffice, libtiff, libxml2, mingw-expat, mingw-zlib, mutt, nodejs:14, nodejs:18, openblas, openjpeg2, osbuild, pcs, php:7.4, php:8.0, [...] --------------------------------------------- https://lwn.net/Articles/914119/ ∗∗∗ ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities ∗∗∗ --------------------------------------------- Siemens and Schneider Electric have released their Patch Tuesday advisories for November 2022. Siemens has released nine new security advisories covering a total of 30 vulnerabilities, but Schneider has only published one new advisory. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-critical-v… ∗∗∗ Varnish HTTP/2 Request Forgery ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00011/ ∗∗∗ Open Source Varnish Request Smuggling ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00010/ ∗∗∗ PHOENIX CONTACT: Automationworx BCP File Parsing Vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-048/ ∗∗∗ Citrix Gateway and Citrix ADC Security Bulletin for CVE-2022-27510 CVE-2022-27513 and CVE-2022-27516 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-… ∗∗∗ McAfee Total Protection: Update fixt Schwachstelle CVE-2022-43751 ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/11/08/mcafee-total-protection-update-fix… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2022
by Daily end-of-shift report 07 Nov '22

07 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-11-2022 18:00 − Montag 07-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Malware with VHD Extension, (Sat, Nov 5th) ∗∗∗ --------------------------------------------- Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted appears in the email as a PDF but is is in fact a VHD file. --------------------------------------------- https://isc.sans.edu/diary/rss/29222 ∗∗∗ IPv4 Address Representations, (Sun, Nov 6th) ∗∗∗ --------------------------------------------- A reader asked for help with this maldoc. Not with the analysis itself, but how to understand where the URL is pointing to. --------------------------------------------- https://isc.sans.edu/diary/rss/29224 ∗∗∗ Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data ∗∗∗ --------------------------------------------- Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs. "Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022. --------------------------------------------- https://thehackernews.com/2022/11/experts-find-urlscan-security-scanner.html ∗∗∗ AWS Organizations Defaults ∗∗∗ --------------------------------------------- [...] These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator. For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise. --------------------------------------------- https://hackingthe.cloud/aws/general-knowledge/aws_organizations_defaults/ ∗∗∗ Kommentar: Angriffe lassen sich nicht vermeiden – übernehmt die Verantwortung! ∗∗∗ --------------------------------------------- Shit happens, ebenso wie Sicherheitsvorfälle. Die Frage kann also nur sein, wie damit umzugehen ist - vorher wie nachher. --------------------------------------------- https://heise.de/-7328918 ∗∗∗ Versteckte Kosten für Kündigungen auf stornierenbei.de ∗∗∗ --------------------------------------------- Wenn Sie einen Vertrag kündigen wollen und dazu über Ihre Suchmaschine recherchieren, stoßen Sie womöglich auf stornierenbei.de. Dort wird eine einfache Kündigung von Verträgen unterschiedlichster Anbieter als Dienstleistung angeboten. Achtung: Statt der Kündigung des angegebenen Vertrages, kommen versteckte Kosten auf Sie zu, die auch eingemahnt werden! Bezahlen Sie nichts. Es besteht kein gültiger Vertrag mit stornierenbei.de. --------------------------------------------- https://www.watchlist-internet.at/news/versteckte-kosten-fuer-kuendigungen-… ∗∗∗ BYODC - Bring Your Own Domain Controller ∗∗∗ --------------------------------------------- BYODC or bring your own domain controller is a post-exploitation technique and another option for performing a DCSync in a more opsec safe manner. --------------------------------------------- https://blog.zsec.uk/byodc-attack/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-04 ∗∗∗ --------------------------------------------- AIX LPARs in IBM PureData System for Operational Analytics, IBM App Connect Enterprise, IBM MQ, IBM WebSphere Application Server Liberty / CICS Transaction Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, libxml2, python-django, python-scciclient, and xen), Fedora (ghc-cmark-gfm, java-latest-openjdk, and vim), Mageia (expat, ntfs-3g, and wkhtmltopdf), Oracle (kernel), Slackware (sudo), and SUSE (expat, libxml2, rubygem-loofah, and xmlbeans). --------------------------------------------- https://lwn.net/Articles/914012/ ∗∗∗ Shodan Verified Vulns 2022-11-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-11-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2022/11/shodan-verified-vulns-2022-11-01 ∗∗∗ Nov 3 2022 Security Releases ∗∗∗ --------------------------------------------- (Update 04-November-2022) Security releases available Updates are now available for v14,x, v16.x, v18.x and v19.x Node.jsrelease lines for the following issues. [...] --------------------------------------------- https://nodejs.org/en/blog/vulnerability/november-2022-security-releases ∗∗∗ WebKit HTMLSelectElement Use-After-Free ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110007 ∗∗∗ TRUMPF: Multiple products prone to X.Org server vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-049/ ∗∗∗ Wiesemann &Theis: Multiple Vulnerabilities in the Com-Server Family ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-043/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2022
by Daily end-of-shift report 04 Nov '22

04 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-11-2022 18:00 − Freitag 04-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WLAN-Sicherheitslücke: Für Spezialdrohnen sind Wände wie Glas ∗∗∗ --------------------------------------------- Kanadische Forscher haben eine Funktion entdeckt, die es Angreifern ermöglicht, durch Wände zu sehen - trotz Passwortschutz. --------------------------------------------- https://www.golem.de/news/wlan-sicherheitsluecke-fuer-eine-spezialdrohne-si… ∗∗∗ A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain ∗∗∗ --------------------------------------------- Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later. As defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the “ground truth” data about the vulnerabilities and exploit techniques they’re using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. To do this, we need to know that the vulnerabilities and exploit samples were found in-the-wild. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-sa… ∗∗∗ What Is Cross-Origin Resource Sharing (CORS)? ∗∗∗ --------------------------------------------- Thanks to the rapid growth of JavaScript frameworks like Angular, React, and Vue, Cross-Origin Resource Sharing (CORS) has become a popular word in the developer’s vocabulary — and for good reason. It’s common practice for modern web applications to load resources from multiple domains. But accessing these website resources from different origins requires a thorough understanding of CORS. In this post, we’ll take a look at what CORS is and why proper implementation is an important component of building secure websites and applications. We’ll also examine some common examples of how to use CORS, dive into preflight requests, and discuss how to protect your website against attacks. --------------------------------------------- https://blog.sucuri.net/2022/11/what-is-cross-origin-resource-sharing-cors.… ∗∗∗ Multi-factor auth fatigue is real – and its why you may be in the headlines next ∗∗∗ --------------------------------------------- Overwhelmed by waves of push notifications, worn-down users inadvertently let the bad guys in Analysis The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/11/03/mfa_fatigue_… ∗∗∗ Inside the V1 Raccoon Stealer’s Den ∗∗∗ --------------------------------------------- Team Cymru’s S2 Research Team has blogged previously on the initial Raccoon stealer command and control methodology (Raccoon Stealer - An Insight into Victim “Gates”), which utilized “gate” IP addresses to proxy victim traffic / data to static threat actor-controlled infrastructure. Since the publication of our previous blog, the following timeline of events has occurred: [...] --------------------------------------------- https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den ∗∗∗ Cisco-Sicherheitsupdates: Angreifer könnten durch Lücken in Netzwerke eindringen ∗∗∗ --------------------------------------------- Die Softwareentwickler von Cisco haben unter anderem in Identity Services Engine und Email Security Appliance Schwachstellen geschlossen. --------------------------------------------- https://heise.de/-7329978 ∗∗∗ UK-Cybersicherheitsbehörde startet landesweites Schwachstellen-Scanning ∗∗∗ --------------------------------------------- Die IT-Sicherheitsbehörde des Vereinigten Königreichs startet einen Schwachstellen-Scanner-Dienst. Der untersucht alle Systeme des Landes auf Sicherheitslücken. --------------------------------------------- https://heise.de/-7330532 ∗∗∗ Apple Rolls Out Xcode Update Patching Git Vulnerabilities ∗∗∗ --------------------------------------------- Apple this week announced a security update for the Xcode macOS development environment, to resolve three Git vulnerabilities, including one leading to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/apple-rolls-out-xcode-update-patching-git-vuln… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-03 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM InfoSphere Information server, IBM Operations Analytics - Log Analysis, IBM Security Verify Governance, IBM WebSphere Application Server Liberty --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Big-Data-Spezialist Splunk dichtet zwölf Schwachstellen ab ∗∗∗ --------------------------------------------- Der Big-Data-Experte Splunk aktualisiert die gleichnamige Software Splunk Enterprise und Cloud. Nach den Updates klaffen darin zwölf Schwachstellen weniger. --------------------------------------------- https://heise.de/-7329933 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pypy3), Fedora (drupal7, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and php), Oracle (kernel, lua, openssl, pcs, php-pear, pki-core, python3.9, and zlib), Red Hat (kernel, kernel-rt, kpatch-patch, lua, openssl-container, pcs, php-pear, pki-core, python3.9, and zlib), Scientific Linux (kernel, pcs, and php-pear), SUSE (EternalTerminal, hsqldb, ntfs-3g_ntfsprogs, privoxy, rubygem-actionview-4_2, sqlite3, and xorg-x11-server), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/913771/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clickhouse, distro-info-data, and ntfs-3g), Fedora (firefox), Oracle (kernel), Slackware (mozilla), and SUSE (python-Flask-Security-Too). --------------------------------------------- https://lwn.net/Articles/913849/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0010 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-32888 Versions affected: WebKitGTK and WPE WebKit before 2.38.0. Credit to P1umer (@p1umer). Impact: Processing maliciously crafted web content may lead toarbitrary code execution. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0010.html ∗∗∗ CVE Report Published for Spring Tools ∗∗∗ --------------------------------------------- We have released STS 4.16.1 for Eclipse and Spring VSCode extensions 1.40.0 to address the following CVE report: - CVE-2022-31691: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode Please review the information in the CVE report and upgrade immediately. --------------------------------------------- https://spring.io/blog/2022/11/03/cve-report-published-for-spring-tools -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2022
by Daily end-of-shift report 03 Nov '22

03 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-11-2022 18:00 − Donnerstag 03-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Emotet botnet starts blasting malware again after 5 month break ∗∗∗ --------------------------------------------- The Emotet malware operation is again spamming malicious emails after almost a five-month "vacation" that saw little activity from the notorious cybercrime operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blastin… ∗∗∗ Hundreds of U.S. news sites push malware in supply-chain attack ∗∗∗ --------------------------------------------- The compromised infrastructure of an undisclosed media company is being used by threat actors to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-pu… ∗∗∗ Was tun, wenn ich Opfer von Cybercrime geworden bin? ∗∗∗ --------------------------------------------- Die Online-Identität kann schnell gestohlen werden, wenn jemand seine Daten auf unseriösen Websites eingibt. Dann kann es zu weiteren Konsequenzen kommen. --------------------------------------------- https://futurezone.at/digital-life/cybercrime-identitaetsdiebstahl-phishing… ∗∗∗ The OpenSSL security update story – how can you tell what needs fixing? ∗∗∗ --------------------------------------------- How to Hack! Finding OpenSSL library files and accurately identifying their version numbers... --------------------------------------------- https://nakedsecurity.sophos.com/2022/11/03/the-openssl-security-update-sto… ∗∗∗ P2P Botnets: Review - Status - Continuous Monitoring ∗∗∗ --------------------------------------------- P2P networks are more scalable and robust than traditional C/S structures, and these advantages were recognized by the botnet authors early on and used in their botnets. --------------------------------------------- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ ∗∗∗ Breakpoints in Burp, (Wed, Nov 2nd) ∗∗∗ --------------------------------------------- No, this is not a story about the Canadian Thanksgiving long weekend, it's about web application testing. I recently had a web application to assess, and I used Burp Suite Pro as part of that project. --------------------------------------------- https://isc.sans.edu/diary/rss/29214 ∗∗∗ Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT ∗∗∗ --------------------------------------------- The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro. --------------------------------------------- https://thehackernews.com/2022/11/hackers-using-rogue-versions-of-keepass.h… ∗∗∗ Researchers discover security loophole allowing attackers to use Wi-Fi to see through walls ∗∗∗ --------------------------------------------- The Wi-Peep exploits a loophole the researchers call polite Wi-Fi. Even if a network is password protected, smart devices will automatically respond to contact attempts from any device within range. The Wi-Peep sends several messages to a device as it flies and then measures the response time on each, enabling it to identify the devices location to within a meter. --------------------------------------------- https://techxplore.com/news/2022-11-loophole-wi-fi-walls.html ∗∗∗ Passwörter: 64 Prozent der User verwenden Kennwörter mehrmals ∗∗∗ --------------------------------------------- Eine Umfrage unter 3750 Angestellten auch aus deutschen Organisationen fördert bedenkliche Passwortnutzung zutage. Und das trotz besseren Wissens. --------------------------------------------- https://heise.de/-7328871 ∗∗∗ BSI-Lagebericht 2022: Gefährdungslage im Cyber-Raum hoch wie nie ∗∗∗ --------------------------------------------- Im Berichtszeitraum hat sich die bereits zuvor angespannte Lage weiter zugespitzt. Grund dafür sind anhaltende Aktivitäten im Bereich der Cyber-Kriminalität, Cyber-Angriffe im Kontext des russischen Angriffs auf die Ukraine und eine unzureichende Produktqualität von IT- und Software-Produkten. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ A new crop of malicious modules found on PyPI ∗∗∗ --------------------------------------------- Phylum has posted anarticle with a detailed look at a set of malicious packages discoveredby an automated system they have developed. Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase. --------------------------------------------- https://lwn.net/Articles/913555/ ∗∗∗ Vorsicht vor Scam-Versuchen auf Telegram ∗∗∗ --------------------------------------------- Eine Nachricht auf Telegram erreicht Sie aus heiterem Himmel: Jemand, den Sie nicht kennen bietet Ihnen eine lukrative Investment-Möglichkeit an, oder sogar eine große Summe Geld. Vorsicht, bei diesen Nachrichten handelt es sich um Betrugsversuche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-scam-versuchen-auf-tele… ∗∗∗ Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild ∗∗∗ --------------------------------------------- We present new techniques that leverage active probing and network fingerprint technology to help you detect Cobalt Strike’s Team Servers. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-team-server/ ∗∗∗ ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/41139/ ===================== = Vulnerabilities = ===================== ∗∗∗ Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602) ∗∗∗ --------------------------------------------- Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services. --------------------------------------------- https://msrc-blog.microsoft.com/2022/11/02/microsoft-guidance-related-to-op… ∗∗∗ IBM Security Bulletins 2022-11-02 ∗∗∗ --------------------------------------------- Content Collector for Email in Content Search Services container, IBM Business Automation Workflow, IBM Business Process Manager (BPM), IBM InfoSphere DataStage, IBM MQ, IBM Operations Analytics - Log Analysis, IBM SPSS Modeler, IBM Security SOAR, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwachstellenscanner Nessus: Updates schließen mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- Der Netzwerk-Schwachstellenscanner Nessus behebt mit neuen Versionen mehrere Schwachstellen in Drittherstellerkomponenten. Admins sollten sie installieren. --------------------------------------------- https://heise.de/-7328440 ∗∗∗ Patchday Fortinet: FortiSIEM speichert Log-in-Daten unverschlüsselt ∗∗∗ --------------------------------------------- Es gibt wichtige Updates für Sicherheitsprodukte von Fortinet. Darunter etwa FortiADC und FortiOS. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-7328476 ∗∗∗ (Non-US) DIR-1935 : Rev. Ax : F/W v1.03b02 :: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product ∗∗∗ --------------------------------------------- https://www.securityweek.com/splunk-patches-9-high-severity-vulnerabilities… ∗∗∗ ETIC Telecom Remote Access Server (RAS) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-01 ∗∗∗ Nokia ASIK AirScale System Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-02 ∗∗∗ Delta Industrial Automation DIALink ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.11.2022
by Daily end-of-shift report 02 Nov '22

02 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 31-10-2022 18:00 − Mittwoch 02-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheitslücken: OpenSSL korrigiert Fehler im Zertifikatsparser ∗∗∗ --------------------------------------------- Zwei Buffer Overflows bei der Verarbeitung von Punycode können OpenSSL zum Absturz bringen - und möglicherweise Codeausführung ermöglichen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecken-openssl-korrigiert-fehler-im-z… ∗∗∗ Lenovo kündigt gegen Schadcode-Attacken abgesicherte BIOS-Versionen an ∗∗∗ --------------------------------------------- Der Computer-Hersteller Lenovo will mehrere BIOS-Lücken in verschiedenen Laptop-Modellen schließen. Einige Updates sind aber erst für Anfang 2023 angekündigt. --------------------------------------------- https://heise.de/-7327115 ∗∗∗ Eine Million Downloads: Bösartige Android-Apps leiten auf Phishing-Seiten ∗∗∗ --------------------------------------------- Ein App-Entwickler fällt wiederholt auf, verseuchte Apps in Google Play anzubieten. Die derzeitig problematischen Apps kommen auf über eine Million Downloads. --------------------------------------------- https://heise.de/-7327239 ∗∗∗ Ausweiskopien mit Wasserzeichen versehen ∗∗∗ --------------------------------------------- Zahlreiche Betrugsmaschen zielen auf eine Kopie Ihres Ausweises ab. Damit können Kriminelle sich bei anderen Betrugsmaschen als Sie ausgeben, in Ihrem Namen Verträge abschließen oder andere Straftaten begehen. Versenden Sie Ausweiskopien daher nur, wenn es unbedingt notwendig ist. Gibt es keine andere Möglichkeit, sollten Sie die Ausweiskopie mit einem Wasserzeichen versehen. Wir zeigen Ihnen, wie Sie unkompliziert ein Wasserzeichen erstellen. --------------------------------------------- https://www.watchlist-internet.at/news/ausweiskopien-mit-wasserzeichen-vers… ∗∗∗ Raspberry Robin Wurm transportiert Malware ∗∗∗ --------------------------------------------- Laut den Sicherheitsforschern von Microsoft verbreitet die bisher vor allem auf USB-Laufwerken bekannte Malware Raspberry Robin jetzt auch die Ransomware Clop. --------------------------------------------- https://www.zdnet.de/88404569/raspberry-robin-wurm-transportiert-malware/ ∗∗∗ Windows PowerShell-Backdoor entdeckt; gibt sich als Teil des Windows Update-Prozesses aus ∗∗∗ --------------------------------------------- Sicherheitsforscher von SafeBreach sind kürzlich auf eine bisher unbekannte PowerShell-Backdoor in Windows gestoßen. Diese verwendet ein bösasartiges Word-Dokument, um die PowerShell-Scripte einzuschleusen. Die Backdoor kann Active Directory-Benutzer und Remote-Desktops auflisten und soll vermutlich zu einem späteren Zeitpunkt zur Ausbreitung in [...] --------------------------------------------- https://www.borncity.com/blog/2022/11/01/windows-powershell-backdoor-als-te… ∗∗∗ Gregor Samsa: Exploiting Javas XML Signature Verification ∗∗∗ --------------------------------------------- Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an integer truncation bug in this JIT compiler resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/11/gregor-samsa-exploiting-java… ∗∗∗ Server-side attacks, C&C in public clouds and other MDR cases we observed ∗∗∗ --------------------------------------------- This report describes several interesting incidents observed by the Kaspersky Managed Detection and Response (MDR) team. We hope that it helps you to stay up to date on the modern threat landscape and to be better prepared for attacks. --------------------------------------------- https://securelist.com/server-side-attacks-cc-in-public-clouds-mdr-cases/10… ∗∗∗ SHA-3 code execution bug patched in PHP – check your version! ∗∗∗ --------------------------------------------- As everyone waits for news of a bug in OpenSSL, heres a reminder that other cryptographic code in your life may also need patching! --------------------------------------------- https://nakedsecurity.sophos.com/2022/11/01/sha-3-code-execution-bug-patche… ∗∗∗ Ransomware: Not enough victims are reporting attacks, and thats a problem for everyone ∗∗∗ --------------------------------------------- The true impact of ransomware is unclear because some victims arent disclosing that theyve been attacked. --------------------------------------------- https://www.zdnet.com/article/ransomware-not-enough-victims-are-reporting-a… ∗∗∗ A technical analysis of Pegasus for Android – Part 3 ∗∗∗ --------------------------------------------- Pegasus is a spyware developed by the NSO group that was repeatedly analyzed by Amnesty International and CitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out that vendors wrongly attributed [...] --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Mitigates Vulnerability in Jupyter Notebooks for Azure Cosmos DB ∗∗∗ --------------------------------------------- Microsoft recently fixed an authentication bypass vulnerability in Jupyter Notebooks for Azure Cosmos DB (currently in preview) reported by Orca Security. Customers not using Jupyter Notebooks (99.8% of Azure Cosmos DB customers do NOT use Jupyter notebooks) were not susceptible to this vulnerability. The bug was introduced on August 12th and fully patched worldwide [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/11/01/microsoft-mitigates-vulnerabilit… ∗∗∗ Multiple Vulnerabilities Reported in Checkmk IT Infrastructure Monitoring Software ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been disclosed in Checkmk IT Infrastructure monitoring software that could be chained together by an unauthenticated, remote attacker to fully take over affected servers. --------------------------------------------- https://thehackernews.com/2022/11/multiple-vulnerabilities-reported-in.html ∗∗∗ Xcode 14.1 ∗∗∗ --------------------------------------------- This document describes the security content of Xcode 14.1. --------------------------------------------- https://support.apple.com/kb/HT213496 ∗∗∗ Cisco Security Advisories 2022-11-02 ∗∗∗ --------------------------------------------- Security Impact Rating: 4x High, 7x Medium --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Vulnerabilities in OpenSSL Affecting Cisco Products: November 2022 ∗∗∗ --------------------------------------------- On November 1, 2022, the OpenSSL Project announced the following vulnerabilities: CVE-2022-3602 - X.509 Email Address 4-byte Buffer Overflow CVE-2022-3786 - X.509 Email Address Variable Length Buffer Overflow For a description of these vulnerabilities, see OpenSSL Security Advisory [Nov 1 2022]. This advisory will be updated as additional information becomes available. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- AIX, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Cloud Object Storage Systems, IBM Cloud Pak for Integration, IBM Cloud Pak for Security, IBM DataPower Gateway, IBM Elastic Storage System, IBM Event Streams, IBM FlashSystem, IBM FlashSystem models FS900 and V9000, IBM InfoSphere Information Server, IBM MQ, IBM QRadar SIEM, IBM SAN Volume Controller, IBM Security Guardium, IBM Security Verify Access, IBM Spectrum Virtualize, IBM Storwize, IBM Voice Gateway, IBM WebSphere Application Server, IBM WebSphere Application Server used by IBM Master Data Management, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Power System, Zlib for IBM i --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ An Update on the OpenSSL vulnerability CVE-2022-3602 ∗∗∗ --------------------------------------------- November 1, 2022: IBM is responding to the reported buffer overflow vulnerability that the OpenSSL open-source community disclosed for OpenSSL versions 3.0.0 – 3.0.6. We are taking action as an enterprise, and for IBM products and services that may potentially be impacted, as we do for all vulnerabilities rated High. --------------------------------------------- https://www.ibm.com/blogs/psirt/ibm-preparing-to-respond-to-the-upcoming-op… ∗∗∗ FortiGuard PSIRT Advisories 2022-11-01 ∗∗∗ --------------------------------------------- AV Engine, FortiADC, FortiClient (MAC), FortiDeceptor, FortiEDR CollectorWindows, FortiMail, FortiManager/FortiAnalyzer, FortiOS, FortiSIEM, FortiSOAR, FortiTester --------------------------------------------- https://fortiguard.fortinet.com/psirt ∗∗∗ Xen Security Advisories 2022-11-01 ∗∗∗ --------------------------------------------- Xen released 10 Security Advisories. --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Bitdefender: Löschen von Registry-Keys durch Sicherheitslücke möglich ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in den Virenscannern von Bitdefender ermöglicht Angreifern, Registry-Schlüssel zu löschen. Bitdefender verteilt Aktualisierungen dagegen. --------------------------------------------- https://heise.de/-7327061 ∗∗∗ Kritische Sicherheitslücke in IT-Managementsoftware von Hitachi geschlossen ∗∗∗ --------------------------------------------- Admins sollten die aktuellen Versionen von Hitachi Infrastructure Analytics Advisor, Hitachi Ops Center Analyzer und Hitachi Ops Center Viewpoint installieren. --------------------------------------------- https://heise.de/-7327825 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (batik, chromium, expat, libxml2, ncurses, openvswitch, pysha3, python-django, thunderbird, and tomcat9), Fedora (cacti, cacti-spine, curl, mbedtls, mingw-expat, and xen), Gentoo (apptainer, bind, chromium, exif, freerdp, gdal, gitea, hiredis, jackson-databind, jhead, libgcrypt, libksba, libtirpc, lighttpd, net-snmp, nicotine+, open-vm-tools, openexr, rpm, schroot, shadow, sofia-sip, tiff, and xorg-server), Mageia (libreoffice), Oracle (expat), Red [...] --------------------------------------------- https://lwn.net/Articles/913261/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python3.7), Gentoo (android-tools, expat, firefox, libjxl, libxml2, pjproject, sqlite, thunderbird, and zlib), Oracle (compat-expat1), Slackware (php8 and vim), SUSE (kernel, libtasn1, podman, and pyenv), and Ubuntu (libtasn1-6). --------------------------------------------- https://lwn.net/Articles/913352/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg and linux-5.10), Fedora (libksba, openssl, and php), Gentoo (openssl), Mageia (curl, gdk-pixbuf2.0, libksba, nbd, php, and virglrenderer), Red Hat (kernel, kernel-rt, libksba, and openssl), SUSE (gnome-desktop, hdf5, hsqldb, kernel, nodejs10, openssl-3, php7, podofo, python-Flask-Security, python-lxml, and xorg-x11-server), and Ubuntu (backport-iwlwifi-dkms, firefox, ntfs-3g, and openssl). --------------------------------------------- https://lwn.net/Articles/913504/ ∗∗∗ Nov 3 2022 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, 18.x, 19.xreleases lines on or shortly after Thursday, November 3, 2022 in order to address: One medium severity issues. Two high severity issues that affect OpenSSL as per secadv/20221101.txt These security releases are driven by the OpenSSL security release as announced in OpenSSL November Security Release as well as an additional vulnerability that affects all supported release lines. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/november-2022-security-releases ∗∗∗ Chromium: CVE-2022-3723 Type Confusion in V8 ∗∗∗ --------------------------------------------- This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-3723 ∗∗∗ Multiple vulnerabilities in the web interfaces of Kyocera Document Solutions MFPs and printers ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN46345126/ ∗∗∗ Security Advisory - Path Traversal Vulnerability in a Huawei Childrens Watch ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20221102-… ∗∗∗ K44454157: Expat vulnerability CVE-2022-40674 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44454157 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-42316, CVE-2022-42317 & CVE-2022-42318 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX472851/citrix-hypervisor-security-bul… ∗∗∗ [R1] Nessus Agent Version 10.2.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-22 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.10.2022
by Daily end-of-shift report 31 Oct '22

31 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-10-2022 18:00 − Montag 31-10-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Jetzt patchen! Es könnten Attacken auf VMware Cloud Foundation bevorstehen ∗∗∗ --------------------------------------------- Für eine kritische Sicherheitslücke in Cloud Foundation von VMware ist Exploit-Code in Umlauf. --------------------------------------------- https://heise.de/-7324777 ∗∗∗ Apple räumt ein: Nur aktuelles macOS stopft alle bekannten Sicherheitslücken ∗∗∗ --------------------------------------------- Apple hat zum ersten Mal bestätigt, dass der Hersteller in früheren macOS-Versionen nicht alle Schwachstellen beseitigt. Dasselbe gilt offensichtlich für iOS. --------------------------------------------- https://heise.de/-7324991 ∗∗∗ Backup-Software von ConnectWise für Ransomware-Attacken anfällig ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit Recover oder R1Soft Server Backup Manager von ConnectWise attackieren. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7324856 ∗∗∗ Gefälschtes A1-Mail im Umlauf ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail von A1 behaupten Kriminelle, dass Sie bereits 80% Ihres Postfach-Speicherplatzes aufgebraucht haben. Sie werden aufgefordert, auf einen Link zu klicken, um zusätzlichen Speicherplatz freizuschalten. Klicken Sie nicht auf den Link, Sie landen auf einer manipulierten Login-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-a1-mail-im-umlauf/ ∗∗∗ 2022 OpenSSL vulnerability ∗∗∗ --------------------------------------------- This repo contains operational information regarding the recently announced vulnerability in OpenSSL 3. [...] Currently no complete overview of vulnerable products is available. Please see https://github.com/NCSC-NL/OpenSSL-2022/blob/main/software/README.md for a list of products that are known to be vulnerable. The list is a work in progress. --------------------------------------------- https://github.com/NCSC-NL/OpenSSL-2022 ∗∗∗ Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th) ∗∗∗ --------------------------------------------- Some here may still remember Heartbleed. Heartbleed was a critical OpenSSL vulnerability that surprised many organizations, and patching the issue was a major undertaking. Heartbleed caused OpenSSL and other open-source projects to rethink how they address security issues and communicate with their users. OpenSSL started to pre-announce any security updates about a week ahead of time. This week, OpenSSL announced they would release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/29192 ∗∗∗ APT10: Tracking down LODEINFO 2022, part I ∗∗∗ --------------------------------------------- The first part of this report will provide technical analysis of the new infection methods such as SFX files and DOWNIISSA, a new downloader shellcode used to deploy the LODEINFO backdoor. --------------------------------------------- https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-i/107742/ ∗∗∗ APT10: Tracking down LODEINFO 2022, part II ∗∗∗ --------------------------------------------- In the second part of this report, we discuss improvements made to the LODEINFO backdoor shellcode in 2022. --------------------------------------------- https://securelist.com/apt10-tracking-down-lodeinfo-2022-part-ii/107745/ ∗∗∗ NMAP without NMAP - Port Testing and Scanning with PowerShell, (Mon, Oct 31st) ∗∗∗ --------------------------------------------- Ever needed to do a portscan and didn't have nmap installed? I've had this more than once on an internal pentest or more often just on run-rate "is that port open? / is there a host firewall in the way?" testing. --------------------------------------------- https://isc.sans.edu/diary/rss/29202 ∗∗∗ WordPress Vulnerability & Patch Roundup October 2022 ∗∗∗ --------------------------------------------- [...] To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2022/10/wordpress-vulnerability-patch-roundup-octob… ∗∗∗ Hardware Trojans Under a Microscope ∗∗∗ --------------------------------------------- While the security industry generally focuses on software cyber attacks, we can’t forget the security impact of lower level hardware flaws, such as those that affect semiconductors. --------------------------------------------- https://ryancor.medium.com/hardware-trojans-under-a-microscope-bf542acbcc29 ∗∗∗ What I learnt from reading 217* Subdomain Takeover bug reports. ∗∗∗ --------------------------------------------- My two prior blogs, What I Learnt From Reading 220 IDOR bug reports, and What I Learnt From Reading 126 Information Disclosure Writeups*, were well received, so I’m continuing the series. I once more scraped ALL 143 SDTO bug reports from hackerone, and 74 detailed write-ups, then went into hiding as I read and took notes on them. I’m here to show you my actionable findings, and show you how to properly hunt for SDTOs. --------------------------------------------- https://medium.com/@nynan/what-i-learnt-from-reading-217-subdomain-takeover… ∗∗∗ Free Micropatches For Bypassing MotW Security Warning with Invalid Signature (0day) ∗∗∗ --------------------------------------------- Nine days ago we issued micropatches for a vulnerability that allows attackers to bypass the warning Windows normally present to users when they try to open a document or executable obtained from an untrusted source (Internet, email, USB key, network drive). That vulnerability, affecting all supported and many legacy Windows versions, still has no official patch from Microsoft so our (free!) patches are the only actual patches in existence as of this writing. On the very same day we issued these micropatches, Will Dormann - who researched said vulnerability - replied to a tweet by another security researcher, Patrick Schläpfer. Patrick works at HP Wolf Security where they analyzed the Magniber Ransomware and wrote a detailed analysis of its working. Will asked Patrick about the ZIP files used in the malware campaign to see if they were exploiting the same vulnerability or employing some other trick to bypass the "Mark of the Web". [...] And so a new 0day - already exploited in the wild - was revealed. --------------------------------------------- https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-motw.html ∗∗∗ The Defender’s Guide to the Windows Registry ∗∗∗ --------------------------------------------- Welcome to the Defender’s Guide. This is a series of blog posts designed to give you a ground-up start to defending a specific technology from potential attackers. While a lot of this information may be redundant to a more seasoned information security personnel, even the best of us rely on Google and blog posts to get information. These posts are designed to be a one-stop shop, bringing a lot of that information together. --------------------------------------------- https://posts.specterops.io/the-defenders-guide-to-the-windows-registry-feb… ∗∗∗ Banking Trojan Techniques: How Financially Motivated Malware Became Infrastructure ∗∗∗ --------------------------------------------- Learning about the variety of techniques used by banking Trojans can help us detect other activities of financially motivated threat groups. --------------------------------------------- https://unit42.paloaltonetworks.com/banking-trojan-techniques/ ∗∗∗ Follina Exploit Leads to Domain Compromise ∗∗∗ --------------------------------------------- In early June 2022, we observed an intrusion where a threat actor gained initial access by exploiting the CVE-2022-30190 (Follina) vulnerability which triggered a Qbot infection chain. --------------------------------------------- https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compro… ∗∗∗ Vulnerabilities in Apache Batik Default Security Controls – SSRF and RCE Through Remote Class Loading ∗∗∗ --------------------------------------------- I stumbled upon the Apache Batik library while researching other Java-based products. It immediately caught my attention, as this library parses Scalable Vector Graphics (SVG) files and transforms them into different raster graphics formats (i.e., PNG, PDF, or JPEG). I was even more encouraged when I looked at the Batik documentation. It was obvious that such a library could be prone to Server-Side Request Forgery (SSRF) issues (e.g., loading of images from remote resources). --------------------------------------------- https://www.thezdi.com/blog/2022/10/28/vulnerabilities-in-apache-batik-defa… ∗∗∗ AgentTesla Being Distributed via VBS ∗∗∗ --------------------------------------------- The ASEC analysis team has recently identified that AgentTesla is being distributed through malicious VBS. The script file has multiple codes that have been obfuscated multiple times. AgentTesla has been found to be distributed last May through a Windows Help file (*.chm), and it seems that its distribution method is continuously changing. --------------------------------------------- https://asec.ahnlab.com/en/40890/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- App Connect Professional, IBM Business Automation Manager Open Editions 8.0.1, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Cloud Pak for Business Automation, IBM Cloud Pak for Security, IBM Event Streams, IBM Host Access Transformation Services, IBM MQ Appliance --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client ∗∗∗ --------------------------------------------- Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible. --------------------------------------------- https://spring.io/blog/2022/10/31/cve-2022-31690-privilege-escalation-in-sp… ∗∗∗ CVE-2022-31692: Authorization rules can be bypassed via forward or include in Spring Security ∗∗∗ --------------------------------------------- Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for [CVE-2022-31692](https://tanzu.vmware.com/security/cve-2022-31692) affecting the AuthorizationFilter. Users are encouraged to update as soon as possible. --------------------------------------------- https://spring.io/blog/2022/10/31/cve-2022-31692-authorization-rules-can-be… ∗∗∗ CISA Has Added One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/10/28/cisa-has-added-on… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.10.2022
by Daily end-of-shift report 28 Oct '22

28 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-10-2022 18:00 − Freitag 28-10-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Windows: Gefährliche, IE-basierende Schwachstellen ∗∗∗ --------------------------------------------- Sicherheitsforscher der Varonis Threat Labs haben zwei Windows-Sicherheitslücken aufgedeckt, die große blinde Flecken für Sicherheits-Software erzeugen und Rechner mittels DoS-Angriffe außer Betrieb setzen können. LogCrusher und OverLog nutzen dabei das Internet Explorer-spezifische Ereignisprotokoll MS-EVEN, das auf allen aktuellen Windows-Betriebssystemen vorhanden ist, unabhängig davon, ob der Browser genutzt wurde oder wird. Während OverLog mittlerweile gefixt ist, hat Microsoft für LogCrusher kürzlich nur einen partiellen Patch herausgegeben: Cyberkriminelle können deshalb immer noch Angriffe durchführen, wenn sie sich einen Administrator-Zugang zum Netzwerk des Opfers verschaffen. --------------------------------------------- https://www.borncity.com/blog/2022/10/28/windows-gefhrliche-ie-basierende-s… ∗∗∗ Neue Website: Apple erleichtert Sicherheitsforschung ∗∗∗ --------------------------------------------- Ein zentrales neues Portal erklärt das Bug–Bounty-Programm und ermöglicht es, schneller und direkter mit dem Security-Team des Konzerns in Kontakt zu kommen. --------------------------------------------- https://heise.de/-7323634 ∗∗∗ macOS 13: Anti-Malware-Tools nach Upgrade zahnlos ∗∗∗ --------------------------------------------- Antivirus-Software und andere Sicherheits-Tools funktionieren durch einen Apple-Bug in macOS Ventura nicht mehr richtig. Das Problem kann behoben werden. --------------------------------------------- https://heise.de/-7322669 ∗∗∗ Vorsicht vor dieser Fake-Raiffeisen Investmentfalle ∗∗∗ --------------------------------------------- Geld verdienen mit Raiffeisen, angeboten werden angeblich Aktien einer der größten Banken Österreichs. Das Versprechen klingt gut, doch es handelt sich um eine gut getarnte Phishing-Seite. Investieren Sie nicht auf lps.snowgross.com, Sie tappen in eine Anlagebetrugsfalle! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-dieser-fake-raiffeisen-… ∗∗∗ One-Time Programs ∗∗∗ --------------------------------------------- One of the things I like to do on this blog is write about new research that has a practical angle. Most of the time (I swear) this involves writing about other folks’ research: it’s not that often that I write about work that comes out of my own lab. Today I’m going make an [...] --------------------------------------------- https://blog.cryptographyengineering.com/2022/10/27/one-time-programs/ ∗∗∗ Apple clarifies security update policy: Only the latest OSes are fully patched ∗∗∗ --------------------------------------------- New document confirms what security researchers have observed for a few years. --------------------------------------------- https://arstechnica.com/?p=1893235 ∗∗∗ Android malware droppers with 130K installs found on Google Play ∗∗∗ --------------------------------------------- A set of Android malware droppers were found infiltrating the Google Play store to install malicious programs by pretending to be app updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-droppers-wit… ∗∗∗ Exploit released for critical VMware RCE vulnerability, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is now available for a pre-authentication remote code execution (RCE) vulnerability allowing attackers to execute arbitrary code remotely with root privileges on unpatched Cloud Foundation and NSX Manager appliances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-released-for-critica… ∗∗∗ Researchers Expose Over 80 ShadowPad Malware C2 Servers ∗∗∗ --------------------------------------------- As many as 85 command-and-control (C2) servers have been discovered supported by the ShadowPad malware since September 2021, with infrastructure detected as recently as October 16, 2022. Thats according to VMwares Threat Analysis Unit (TAU), which studied three ShadowPad variants using TCP, UDP, and HTTP(S) protocols for C2 communications. --------------------------------------------- https://thehackernews.com/2022/10/researchers-expose-over-80-shadowpad.html ∗∗∗ Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints ∗∗∗ --------------------------------------------- The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up. --------------------------------------------- https://thehackernews.com/2022/10/raspberry-robin-operators-selling.html ∗∗∗ TCP/IP Vulnerability CVE-2022–34718 PoC Restoration and Analysis ∗∗∗ --------------------------------------------- The patch released by Microsoft last month contained a vulnerability in the TCP/IP protocol that allowed for code execution. To ascertain the impact of the vulnerability, Numen’s security research team conducted an in-depth analysis of the vulnerability and restored the PoC through patch comparison. --------------------------------------------- https://medium.com/numen-cyber-labs/analysis-and-summary-of-tcp-ip-protocol… ∗∗∗ Defeating Guloader Anti-Analysis Technique ∗∗∗ --------------------------------------------- Unit 42 is providing a script to deobfuscate a recently discovered Guloader variant that uses anti-analysis techniques, and other samples like it. --------------------------------------------- https://unit42.paloaltonetworks.com/guloader-variant-anti-analysis/ ∗∗∗ Cranefly: Threat Actor Uses Previously Unseen Techniques and Tools in Stealthy Campaign ∗∗∗ --------------------------------------------- Group uses novel method of reading commands from legitimate IIS logs. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/cranefly… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates für älteres iOS und iPadOS ∗∗∗ --------------------------------------------- iPadOS 15.7.1 und iOS 15.7.1 stopfen problematische Sicherheitslücken für alle, die nicht auf iPadOS 16 und iOS 16 aktualisieren wollen - oder können. --------------------------------------------- https://heise.de/-7323199 ∗∗∗ Webbrowser: Entwickler schließen hochriskante Sicherheitslücke in Chrome ∗∗∗ --------------------------------------------- Google hat ein Update für den Webbrowser Chrome veröffentlicht. Darin dichten die Programmierer eine Schwachstelle mit hohem Risiko ab. --------------------------------------------- https://heise.de/-7322963 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- CP4D Match 360, IBM Answer Retrieval for Watson Discovery versions 2.8 and earlier, IBM Cloud Pak System, IBM Db2 On Openshift, IBM Db2® on Cloud Pak for Data, Db2 Warehouse® on Cloud Pak for Data, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM QRadar SIEM, IBM TXSeries for Multiplatforms, IBM Voice Gateway, IBM Watson Assistant for IBM Cloud Pak for Data, IBM® SDK, Java™ Technology Edition, Liberty for Java for IBM Cloud, node.js --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, ruby-sinatra, and thunderbird), Fedora (glances), Mageia (cups, firefox, git, heimdal, http-parser, krb5-appl, minidlna, nginx, and thunderbird), Oracle (389-ds:1.4, device-mapper-multipath, firefox, mysql:8.0, postgresql:12, and thunderbird), SUSE (dbus-1, libconfuse0, libtasn1, openjpeg2, qemu, and thunderbird), and Ubuntu (dbus, linux-azure-fde, and tiff). --------------------------------------------- https://lwn.net/Articles/912873/ ∗∗∗ Corel Coreldraw graphics suite vulnerabilities ∗∗∗ --------------------------------------------- https://secalerts.co/vulnerabilities/corel/coreldraw_graphics_suite ∗∗∗ Case update: DIVD-2022-00020 - Multiple injection vulnerabilities identified within Feathers.js ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00020/ ∗∗∗ Case update: DIVD-2022-00045 - Injection vulnerability found within Socket.io ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00045/ ∗∗∗ [R1] Nessus Version 10.4.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-21 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2022
by Daily end-of-shift report 27 Oct '22

27 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-10-2022 18:00 − Donnerstag 27-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft fixes Windows vulnerable driver blocklist sync issue ∗∗∗ --------------------------------------------- Microsoft says it addressed an issue preventing the Windows kernel vulnerable driver blocklist from being synced to systems running older Windows versions. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-vul… ∗∗∗ Fodcha DDoS botnet reaches 1Tbps in power, injects ransoms in packets ∗∗∗ --------------------------------------------- A new version of the Fodcha DDoS botnet has emerged, featuring ransom demands embedded in packets and new features to evade detection of its infrastructure. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fodcha-ddos-botnet-reaches-1… ∗∗∗ How to prevent lateral movement attacks using Microsoft 365 Defender ∗∗∗ --------------------------------------------- Learn how Microsoft 365 Defender can enhance mitigations against lateral movement paths in your environment, stopping attackers from gaining access to privileged and sensitive accounts. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/10/26/how-to-prevent-lat… ∗∗∗ Malware vs Virus: What’s the Difference? ∗∗∗ --------------------------------------------- In today’s article, we’ll be clarifying the difference between viruses and malware while helping to identify the most common types of malware. --------------------------------------------- https://blog.sucuri.net/2022/10/whats-the-difference-malware-virus.html ∗∗∗ New Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Instances ∗∗∗ --------------------------------------------- A new cryptojacking campaign has been uncovered targeting vulnerable Docker and Kubernetes infrastructures as part of opportunistic attacks designed to illicitly mine cryptocurrency. --------------------------------------------- https://thehackernews.com/2022/10/new-cryptojacking-campaign-targeting.html ∗∗∗ Hijacking AUR Packages by Searching for Expired Domains ∗∗∗ --------------------------------------------- The Arch User Repository (AUR) is a software repository for Arch Linux. It differs from the official Arch Linux repositories in that its packages are provided by its users and not officially supported by Arch Linux. --------------------------------------------- https://blog.nietaanraken.nl/posts/aur-packages-expired-domains/ ∗∗∗ Industrial Ransomware Attacks: New Groups Emerge, Manufacturing Pays Highest Ransom ∗∗∗ --------------------------------------------- Industrial organizations continue to be a top target for ransomware attacks, and reports published by cybersecurity companies this week reveal some recent trends. --------------------------------------------- https://www.securityweek.com/industrial-ransomware-attacks-new-groups-emerg… ∗∗∗ Trends in Web Threats in CY Q2 2022: Malicious JavaScript Downloaders Are Evolving ∗∗∗ --------------------------------------------- We examine trends in web threats for the second calendar year quarter of 2022, including how a malicious JavaScript downloader is evolving to evade detection. --------------------------------------------- https://unit42.paloaltonetworks.com/web-threats-malicious-javascript-downlo… ∗∗∗ FormBook Malware Being Distributed as .NET ∗∗∗ --------------------------------------------- FormBook is an info-stealer that aims to steal the user’s web browser login information, keyboard input, clipboard, and screenshots. It targets random individuals, and is usually distributed through spam mails or uploaded to infiltrated websites. --------------------------------------------- https://asec.ahnlab.com/en/40663/ ===================== = Vulnerabilities = ===================== ∗∗∗ Upcoming Critical OpenSSL Vulnerability: What will be Affected?, (Thu, Oct 27th) ∗∗∗ --------------------------------------------- This week, OpenSSL announced that they will release OpenSSL 3.0.7 this coming Tuesday. It will fix a critical vulnerability. The update will only affect OpenSSL 3.0.x, not 1.1.1. Now is the time to figure out where and how you are using OpenSSL 3.0.x. --------------------------------------------- https://isc.sans.edu/diary/rss/29192 ∗∗∗ IBM Security Bulletins 2022-10-26 and 2022-10-25 ∗∗∗ --------------------------------------------- IBM SDK, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM i, IBM Robotic Process Automation, IBM Cloud Transformation Advisor, CloudPak for Watson, Netcool Operations Insight. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco AnyConnect: Alte Sicherheitslücken im Visier von Angreifern ∗∗∗ --------------------------------------------- Allerhöchste Zeit, um alte Lücken in Cisco AnyConnect abzudichten: Cisco warnt vor derzeitigen Cyber-Angriffen auf Schwachstellen aus dem Jahr 2020. --------------------------------------------- https://heise.de/-7320917 ∗∗∗ Sicherheitsupdate ArubaOS: Schadcode-Attacken durch präparierte Anfragen möglich ∗∗∗ --------------------------------------------- Die Entwickler des Netzwerkbetriebssystems ArubaOS haben unter anderem eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-7321787 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tomcat9), Oracle (389-ds-base, device-mapper-multipath, firefox, git-lfs, gnutls, kernel, kernel-container, libksba, pki-core, samba, sqlite, and zlib), Red Hat (device-mapper-multipath, kernel, kpatch-patch, libksba, and thunderbird), Slackware (expat and samba), SUSE (bind, buildah, curl, firefox, golang-github-prometheus-node_exporter, grafana, icinga2, python-paramiko, python-waitress, SUSE Manager Client Tools, telnet, and xen), [...] --------------------------------------------- https://lwn.net/Articles/912495/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, bind, expat, java-1.8.0-openjdk, java-11-openjdk, libksba, and squid), Debian (chromium, libdatetime-timezone-perl, tzdata, and wordpress), Fedora (dbus, dhcp, dotnet3.1, jhead, samba, and strongswan), Mageia (virtualbox), Oracle (device-mapper-multipath), Scientific Linux (device-mapper-multipath and thunderbird), Slackware (curl), SUSE (container-suseconnect, curl, kernel, libmad, libtasn1, libtirpc, qemu, rubygem-puppet, [...] --------------------------------------------- https://lwn.net/Articles/912688/ ∗∗∗ Windows (Mark of the Web) 0-day per JavaScript für Ransomware-Angriffe genutzt ∗∗∗ --------------------------------------------- Die Tage hatte ich über eine ungefixte 0-day-Schwachstelle, Mark of the Web (MOTOW), in Windows berichtet, für die es einen inoffiziellen Fix gibt. Nun ist mir ein Bericht unter die Augen gekommen, dass eine 0-day-Schwachstelle in diesem Bereich von Cyberkriminellen per JavaScript ausgenutzt werden kann, um Web-Sicherheitswarnungen zu umgehen und Ransomware-Angriffe zu verschleiern. --------------------------------------------- https://www.borncity.com/blog/2022/10/27/exploited-windows-0-day-mark-of-th… ∗∗∗ ZDI-22-1467: (0Day) IronCAD STP File Parsing Uninitialized Pointer Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1467/ ∗∗∗ VMSA-2022-0027 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0027.html ∗∗∗ K11601010: Intel Processor vulnerability CVE-2021-33149 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11601010 ∗∗∗ Synology-SA-22:20 Samba ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_20 ∗∗∗ Hitachi Energy MicroSCADA X DMS600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-04 ∗∗∗ Johnson Controls CKS CEVAS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-05 ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-06 ∗∗∗ AliveCor KardiaMobile ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-298-01 ∗∗∗ Haas Controller ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-01 ∗∗∗ HEIDENHAIN Controller TNC on HARTFORD Machine ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-02 ∗∗∗ Rockwell Automation FactoryTalk Alarm and Events Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-300-01 ∗∗∗ SAUTER Controls moduWeb ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-300-02 ∗∗∗ Rockwell Automation Stratix Devices Containing Cisco IOS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-300-03 ∗∗∗ Trihedral VTScada ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-300-04 ∗∗∗ Samba Releases Security Updates ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/10/26/samba-releases-se… ∗∗∗ [R1] Nessus Version 10.3.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-20 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2022
by Daily end-of-shift report 25 Oct '22

25 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 24-10-2022 18:00 − Dienstag 25-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Zero-Day-Fehler im Kernel von iOS und iPadOS wird ausgenutzt ∗∗∗ --------------------------------------------- iOS und iPadOS 16.1 beheben einen schwerwiegenden Kernel-Bug in den Betriebssystemen für iPhone und iPad. Apple hat Berichte über laufende Angriffe. --------------------------------------------- https://heise.de/-7319500 ∗∗∗ Chrome extensions with 1 million installs hijack targets’ browsers ∗∗∗ --------------------------------------------- Researchers at Guardio Labs have discovered a new malvertizing campaign pushing Google Chrome and Microsoft Edge extensions that hijack searches and insert affiliate links into webpages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-mil… ∗∗∗ How the Software Supply Chain Security is Threatened by Hackers ∗∗∗ --------------------------------------------- In many ways, the software supply chain is similar to that of manufactured goods, which we all know has been largely impacted by a global pandemic and shortages of raw materials. However, in the IT world, it is not shortages or pandemics that have been the main obstacles to overcome in recent years, but rather attacks aimed at using them to harm hundreds or even thousands of victims simultaneously. --------------------------------------------- https://thehackernews.com/2022/10/how-software-supply-chain-security-is.html ∗∗∗ Researchers Detail Windows Event Log Vulnerabilities: LogCrusher and OverLog ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details about a pair of vulnerabilities in Microsoft Windows, one of which could be exploited to result in a denial-of-service (DoS). --------------------------------------------- https://thehackernews.com/2022/10/researchers-detail-windows-event-log.html ∗∗∗ Chapter 1 - From Gozi to ISFB: The history of a mythical malware family. ∗∗∗ --------------------------------------------- Disclaimer: This article does not contain any IOCs or infrastructure details. Instead, the aim is to explain the whole business dynamic of a long-lasting malware family. This work is based on almost 10 years of research and intel gatherings and tries its best to stick to the truth and the facts observed around ISFB. Hopefully, it will give some insight on how the top cyber crime groups have been working over the years. --------------------------------------------- https://medium.com/csis-techblog/chapter-1-from-gozi-to-isfb-the-history-of… ∗∗∗ Stranger Strings: An exploitable flaw in SQLite ∗∗∗ --------------------------------------------- Trail of Bits is publicly disclosing CVE-2022-35737, which affects applications that use the SQLite library API. CVE-2022-35737 was introduced in SQLite version 1.0.12 (released on October 17, 2000) and fixed in release 3.39.2 (released on July 21, 2022). CVE-2022-35737 is exploitable on 64-bit systems, and exploitability depends on how the program is compiled [...] --------------------------------------------- https://blog.trailofbits.com/2022/10/25/sqlite-vulnerability-july-2022-libr… ∗∗∗ E-Mail von WhatsApp: Gewinn über 900.600,00 USD ist Fake ∗∗∗ --------------------------------------------- Aktuell kursiert ein E-Mail von WhatsApp, in dem Sie über den Gewinn von 900.600,00 USD informiert werden. Um den Gewinn zu erhalten, müssen Sie Ihre Kontaktdaten an account.whatsapp(a)mail.com senden. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-whatsapp-gewinn-ueber-900… ∗∗∗ Windows 10 22H2, Windows 11 22H2: Administrative Vorlagen (.admx); Windows 10 22H2 Security Baseline ∗∗∗ --------------------------------------------- Kleiner Hinweis für Administratoren von Windows-Systemen in Unternehmensumgebungen. Microsoft hat die Security Baseline für das Windows 10 October 2022 Update (Version 22H2) freigegeben. --------------------------------------------- https://www.borncity.com/blog/2022/10/25/windows-10-22h2-windows-11-22h2-ad… ∗∗∗ Rapidly Evolving Magniber Ransomware ∗∗∗ --------------------------------------------- The Magniber ransomware has recently been evolving rapidly. From changing its file extension, injection and to UAC bypassing techniques, the Magniber ransomware has been rapidly changing to bypass the detection of anti-malware software. This article summarizes the evolution of the Magniber ransomware in the last few months based on the analysis that had been previously performed. --------------------------------------------- https://asec.ahnlab.com/en/40422/ ∗∗∗ Analysis on Attack Techniques and Cases Using RDP ∗∗∗ --------------------------------------------- Overview One of the previous ASEC blog posts discussed cases where attackers abused various remote control tools that are originally used for system management purposes to gain control over infected systems. This post will cover cases where RDP (Remote Desktop Protocol), a default service provided by baseline Windows OS, was used. --------------------------------------------- https://asec.ahnlab.com/en/40394/ ===================== = Vulnerabilities = ===================== ∗∗∗ Webkonferenzen: Sicherheitslücke in Zoom ermöglicht Sitzungsübernahme ∗∗∗ --------------------------------------------- Zoom warnt vor einer Sicherheitslücke, durch die Angreifer Opfer etwa auf falsche Server locken und so Sitzungen übernehmen könnten. Updates stehen bereit. --------------------------------------------- https://heise.de/-7319974 ∗∗∗ VMSA-2022-00031 ∗∗∗ --------------------------------------------- VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-00031.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libbluray and wkhtmltopdf), Fedora (firefox, libksba, libmodsecurity, libxml2, qemu, and xmlsec1), Red Hat (389-ds-base, 389-ds:1.4, git-lfs, gnutls, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libksba, mysql:8.0, pki-core, postgresql:12, samba, sqlite, and zlib), Scientific Linux (389-ds-base, libksba, and pki-core), SUSE (bluez, firefox, jdom, kernel, libosip2, libxml2, multipath-tools, and python-Mako), and Ubuntu (barbican, mysql-5.7, mysql-8.0, openvswitch, and pillow). --------------------------------------------- https://lwn.net/Articles/912324/ ∗∗∗ Synology-SA-22:19 Presto File Server ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to write arbitrary files or remote authenticated users to bypass security constraint via a susceptible version of Presto File Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_19 ∗∗∗ Synology-SA-22:18 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to read or write arbitrary files or remote authenticated users to access intranet resources via a susceptible version of Synology DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_18 ∗∗∗ Node.js: OpenSSL and zlib update assessment, and Node.js Assessment workflow ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/openssl-and-zlib-vulnerability-ass… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosure of information that could aid in further system attacks. (CVD-2022-38710) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is potentially vulnerable to CSV Injection (CVE-2022-22425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to incorrect permission assignment ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthorized attacker causing integrity impact (CVE-2021-2163) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-298-07 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2022
by Daily end-of-shift report 24 Oct '22

24 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-10-2022 18:00 − Montag 24-10-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Thousands of GitHub repositories deliver fake PoC exploits with malware ∗∗∗ --------------------------------------------- Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/thousands-of-github-reposito… ∗∗∗ Typosquat campaign mimics 27 brands to push Windows, Android malware ∗∗∗ --------------------------------------------- A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/typosquat-campaign-mimics-27… ∗∗∗ Kriminalität: Eltern durch Whatsapp-Betrug um Tausende Euro gebracht ∗∗∗ --------------------------------------------- Die Polizei warnt vor Trickbetrügern, die mit einer angeblichen Notlage des Kindes Eltern um ihr Geld bringen. --------------------------------------------- https://www.golem.de/news/kriminalitaet-eltern-durch-whatsapp-betrug-um-tau… ∗∗∗ Securing IoT devices against attacks that target critical infrastructure ∗∗∗ --------------------------------------------- South Staffordshire PLC, a company that supplies water to over one million customers in the United Kingdom, notified its customers in August of being a target of a criminal cyberattack. This incident highlights the sophisticated threats that critical industries face today. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/10/21/securing-iot-devic… ∗∗∗ rtfdumps Find Option, (Sat, Oct 22nd) ∗∗∗ --------------------------------------------- Due to the nature of the RTF language, malicious RTF files can be very obfuscated. To the point that my tool rtfdump.py and Philippe's tool rtfobj don't find embedded objects. --------------------------------------------- https://isc.sans.edu/diary/rss/29174 ∗∗∗ C2 Communications Through outlook.com, (Mon, Oct 24th) ∗∗∗ --------------------------------------------- Most malware implements communication with their C2 server over HTTP(S). Why? Just because it works! But they are multiple ways to implement C2 communications: DNS, P2P, Layer 7 (Twitter), ... Another one that has become less popular with time is SMTP (email communications). I spotted a malicious Python script that exchanges information with its C2 server through emails. --------------------------------------------- https://isc.sans.edu/diary/rss/29180 ∗∗∗ SCuBA M365 Security Baseline Assessment Tool ∗∗∗ --------------------------------------------- Developed by CISA, this assessment tool verifies that an M365 tenant’s configuration conforms to the policies described in the SCuBA Minimum Viable Secure Configuration Baseline documents. --------------------------------------------- https://github.com/cisagov/ScubaGear ∗∗∗ Cisco ISE: Angreifer könnten Kontrolle übernehmen ∗∗∗ --------------------------------------------- Cisco warnt, dass Angreifer Dateien in der Identity Services Engine lesen und löschen könnten. Die Übernahme der Kontrolle über die Geräte könnte möglich sein. --------------------------------------------- https://heise.de/-7317442 ∗∗∗ Gebrauchtwagen-Kauf: Abwicklung über Treuhandunternehmen ist Betrug ∗∗∗ --------------------------------------------- Sie sind gerade auf der Suche nach einem Gebrauchtwagen? Bedenken Sie: Nicht jedes Inserat ist seriös. Auch Kriminelle nutzen gängige Verkaufsplattformen, um betrügerische Lockangebote zu platzieren. Ein betrügerisches Angebot erkennen Sie an der Kommunikation und der Forderung, Geld an ein Treuhandkonto zu überweisen. --------------------------------------------- https://www.watchlist-internet.at/news/gebrauchtwagen-kauf-abwicklung-ueber… ∗∗∗ So funktioniert Domain Shadowing ∗∗∗ --------------------------------------------- Cyberkriminelle nutzen schwer auffindbare Shadow Domains für verschiedene illegale Aktivitäten, einschließlich Phishing und Botnet-Operationen. --------------------------------------------- https://www.zdnet.de/88404347/so-funktioniert-domain-shadowing/ ∗∗∗ AA22-294A: #StopRansomware: Daixin Team ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-294a ∗∗∗ Treasure trove. Alive and well point-of-sale malware ∗∗∗ --------------------------------------------- Analysis of months-long MajikPOS and Treasure Hunter campaign that infected dozens of terminals. --------------------------------------------- https://blog.group-ib.com/majikpos_treasurehunter_malware ∗∗∗ Attacking Very Weak RC4-Like Ciphers the Hard Way ∗∗∗ --------------------------------------------- RC4 is a popular encryption algorithm. The way it works is that a “Key Scheduling Algorithm” (KSA) takes your key and generates a 256-byte array, and then a “Pseudo-Random Generation Algorithm” (PRGA) uses that byte array to output an endless stream of bytes (the “key stream”), which look like random noise unless you know what the original byte array was. --------------------------------------------- https://research.checkpoint.com/2022/attacking-very-weak-rc4-like-ciphers-t… ∗∗∗ Uncovering Security Blind Spots in CNC Machines ∗∗∗ --------------------------------------------- Industry 4.0 has given rise to smart factories that have markedly improved machining processes, but it has also opened the doors for cybercriminals looking to abuse networked industrial equipment such as CNC machines. Our research investigates potential cyberthreats to CNC machines and how manufacturers can mitigate the associated risks. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/uncovering-security-blind-sp… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-21 and 2022-10-22 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Watson, API Connect, IBM Cloud Pak for Multicloud Management, IBM MQ Appliance, IBM Voice Gateway, Infrastructure Automation, IBM Security Identity Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bluez, kernel, and lava), Fedora (ckeditor, drupal7, moby-engine, php-Smarty, and wavpack), Mageia (bind, e2fsprogs, epiphany, freerdp, kernel, kernel-linus, libconfuse, libosip2, ntfs-3g, perl-Image-ExifTool, and poppler), Oracle (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-container, and thunderbird), Scientific Linux (firefox, java-1.8.0-openjdk, and java-11-openjdk), SUSE (bluez, firefox, kernel, libxml2, and Ubuntu (linux-gcp). --------------------------------------------- https://lwn.net/Articles/912178/ ∗∗∗ Missing Authentication in ZKTeco ZEM/ZMM Web Interface ∗∗∗ --------------------------------------------- The ZKTeco time attendance device does not require authentication to use theweb interface, exposing the database of employees and their credentials. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-003/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.10.2022
by Daily end-of-shift report 21 Oct '22

21 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-10-2022 18:00 − Freitag 21-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Synology: Kritische Lücken in NAS erlauben Angreifern Ausführen von Schadcode ∗∗∗ --------------------------------------------- Synology warnt vor kritischen Sicherheitslücken in der DSM-Software einiger NAS. Angreifer könnten Schadode ausführen und unbefugt an Informationen gelangen. --------------------------------------------- https://heise.de/-7316623 ∗∗∗ F5 BIG-IP und Nginx: Hersteller stopft teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in den BIG-IP- und Nginx-Systemen von F5 könnten Angreifern etwa das Ausführen von Schadcode ermöglichen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7316039 ∗∗∗ Gefahren für kritische Infrastrukturen: "Uns fehlt eine Schwachstellenanalyse" ∗∗∗ --------------------------------------------- Prof. Norbert Gebbeken, Gründer und Sprecher des Forschungszentrums RISK, über die Gefahren, die unserer kritischen Infrastruktur drohen – und was man tun kann. --------------------------------------------- https://heise.de/-7315119 ∗∗∗ Your Microsoft Exchange Server Is a Security Liability ∗∗∗ --------------------------------------------- Endless vulnerabilities. Massive hacking campaigns. Slow and technically tough patching. Its time to say goodbye to on-premise Exchange. --------------------------------------------- https://www.wired.com/story/microsoft-exchange-server-vulnerabilities/ ∗∗∗ sczriptzzbn inject pushes malware for NetSupport RAT, (Fri, Oct 21st) ∗∗∗ --------------------------------------------- A campaign nicknamed "sczriptzzbn inject" can be identified by script using a variable named sczriptzzbn injected into files returned from a compromised website. This injected script causes a fake browser update page to appear in the victim's browser. The fake browser update page presents the malware payload for download. More information on the campaign can be found here. In previous weeks, this campaign pushed SolarMarker malware. I ran across one such example on 2022-09-27. This month, we've started seeing a payload for NetSupport RAT from the sczriptzzbn inject. --------------------------------------------- https://isc.sans.edu/diary/rss/29170 ∗∗∗ Archive Sidestepping: Emotet Botnet Pushing Self-Unlocking Password-Protected RAR ∗∗∗ --------------------------------------------- Trustwave SpiderLabs’ spam traps have identified an increase in threats packaged in password-protected archives with about 96% of these being spammed by the Emotet Botnet. In the first half of 2022, we identified password-protected ZIP files as the third most popular archive format used by cybercriminals to conceal malware. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/archive-sid… ∗∗∗ Wordfence Evasion Malware Conceals Backdoors ∗∗∗ --------------------------------------------- Malware authors, with some notable exceptions, tend to design their malicious code to hide from sight. The techniques they use help their malware stay on the victim’s website for as long as possible and ensure execution. For example — obfuscation techniques, fake code comments, naming conventions for injections that deploy SEO spam, redirect visitors to malicious third party websites, or steal credit card information from eCommerce stores. --------------------------------------------- https://blog.sucuri.net/2022/10/wordfence-evasion-malware-conceals-backdoor… ∗∗∗ Multiple Campaigns Exploit VMware Vulnerability to Deploy Crypto Miners and Ransomware ∗∗∗ --------------------------------------------- A now-patched vulnerability in VMware Workspace ONE Access has been observed being exploited to deliver both cryptocurrency miners and ransomware on affected machines. "The attacker intends to utilize a victims resources as much as possible, not only to install RAR1Ransom for extortion, but also to spread GuardMiner to collect cryptocurrency," Fortinet FortiGuard Labs researcher Cara Lin said in a Thursday report. --------------------------------------------- https://thehackernews.com/2022/10/multiple-campaigns-exploit-vmware.html ∗∗∗ Threat Advisory: Monitoring CVE-2022-42889 “Text4Shell” Exploit Attempts ∗∗∗ --------------------------------------------- On October 17, 2022, the Wordfence Threat Intelligence team began monitoring for activity targeting CVE-2022-42889, or “Text4Shell” on our network of 4 million websites. We started seeing activity targeting this vulnerability on October 18, 2022. Text4Shell is a vulnerability in the Apache Commons Text library versions 1.5 through 1.9 that can be used to achieve [...] --------------------------------------------- https://www.wordfence.com/blog/2022/10/threat-advisory-monitoring-cve-2022-… ∗∗∗ CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a Linux kernel flaw to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to address it within three weeks. --------------------------------------------- https://www.securityweek.com/cisa-tells-organizations-patch-linux-kernel-vu… ∗∗∗ Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool ∗∗∗ --------------------------------------------- Exbyte is the latest tool developed by ransomware attackers to expedite data theft from victims. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bl… ∗∗∗ Attackers Abusing Various Remote Control Tools ∗∗∗ --------------------------------------------- Ordinarily, attackers install malware through various methods such as spear phishing emails with a malicious attachment, malvertising, vulnerabilities, and disguising the malware as normal software and uploading them to websites. The malware that is installed include infostealers which steal information from the infected system, ransomware which encrypts files to demand ransom, and DDoS Bots which are used in DDoS attacks. In addition to these, backdoor and RAT are also major programs used by attackers. --------------------------------------------- https://asec.ahnlab.com/en/40263/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-20 ∗∗∗ --------------------------------------------- IBM Security Verify Gateway/Bridge, IBM Enterprise Records, IBM Sterling Order Management Netty, IBM WebSphere Application Server, IBM MQ Operator, IBM Sterling Order Management, IBM Enterprise Records, IBM Netezza Host Management. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ SolarWinds Security Advisories 2022-10-19 ∗∗∗ --------------------------------------------- SolarWinds released 4 new Security Advisories (3 high, 1 medium) for SolarWinds Platform 2022.4 RC1. --------------------------------------------- https://www.solarwinds.com/trust-center/security-advisories ∗∗∗ SSA-640732 V1.0: Authentication Bypass Vulnerability in Siveillance Video Mobile Server ∗∗∗ --------------------------------------------- The mobile server component of Siveillance Video 2022 R2 contains an authentication bypass vulnerability that could allow an unauthenticated remote attacker to access the application without a valid account.Siemens has released a hotfix for Siveillance Video 2022 R2 and recommends to apply the hotfix on all installations of the mobile server. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-640732.txt ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (poppler), Oracle (firefox and thunderbird), Red Hat (firefox, java-1.8.0-openjdk, java-11-openjdk, and java-17-openjdk), SUSE (bind, clone-master-clean-up, grafana, libksba, python3, tiff, and v4l2loopback), and Ubuntu (libreoffice). --------------------------------------------- https://lwn.net/Articles/911989/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2022
by Daily end-of-shift report 20 Oct '22

20 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-10-2022 18:00 − Donnerstag 20-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Forensic Value of Prefetch, (Thu, Oct 20th) ∗∗∗ --------------------------------------------- When a program executes on a Windows system there are many artifacts that are generated which can assist digital forensic investigations. One of particular note is the Windows Prefetch file. Found in C:\Windows\Prefetch by default, prefetch files (.pf) contain a wealth of information that can prove vital to any investigation. --------------------------------------------- https://isc.sans.edu/diary/rss/29168 ∗∗∗ Fantastic Rootkits: And Where to Find Them (Part 1) ∗∗∗ --------------------------------------------- In this blog series, we will cover the topic of rootkits — how they are built and the basics of kernel driver analysis — specifically on the Windows platform. In this first part, we will focus on some implementation examples of basic rootkit functionality and the basics of kernel driver development, as well as Windows Internals background needed to understand the inner workings of rootkits. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-… ∗∗∗ Microsoft liefert Updates gegen SSL-/TLS-Probleme durch Windows-Updates ∗∗∗ --------------------------------------------- Die aktuellen Windows-Updates für Windows 10, 11 und Server könnten Probleme bei SSL- und TLS-Verschlüsselung verursachen. Teils helfen weitere Patches dagegen. --------------------------------------------- https://heise.de/-7314906 ∗∗∗ New Malicious Clicker found in apps installed by 20M+ users ∗∗∗ --------------------------------------------- Cybercriminals are always after illegal advertising revenue. As we have previously reported, we have seen many mobile malwares masquerading as a useful tool or utility, and automatically crawling ads in the background. Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-malicious-clicker-… ∗∗∗ Social Engineering dos and don’ts ∗∗∗ --------------------------------------------- It got me thinking, again, about what makes for good social engineering (SE), and what advice would I give my younger self. These are my thoughts. --------------------------------------------- https://www.pentestpartners.com/security-blog/social-engineering-dos-and-do… ∗∗∗ E-Mail-Konto wird migriert: Kriminelle senden betrügerische Mail an Mitarbeiter:innen ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische E-Mails und geben sich dabei als „Outlook-E-Mail-Administrator“ Ihres Unternehmens aus. Angeblich sollen die E-Mail-Konten aller Mitarbeiter:innen migriert werden. Klicken Sie nicht auf den Link. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-konto-wird-migriert-kriminell… ∗∗∗ Datenleck bei Microsoft, Kundendaten betroffen (Okt. 2022) ∗∗∗ --------------------------------------------- Bei Microsoft hat es ein größeres Datenleck gegeben, bei dem Kundendaten wohl öffentlich zugreifbar waren. Eine Sicherheitsfirma hat einen fehlkonfigurierten Server mit den Daten im Internet gefunden und Microsoft im September informiert. --------------------------------------------- https://www.borncity.com/blog/2022/10/20/datenleck-bei-microsoft-kundendate… ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Abode Systems home security kit could allow attacker to take over cameras, remotely disable them ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in the Abode Systems iota All-In-One Security Kit. This kit includes a main security camera and hub that can alert users of unwanted movement in their homes. It also includes several motion sensors that can be attached to windows and doors. --------------------------------------------- http://blog.talosintelligence.com/2022/10/vuln-spotlight-abode-.html ∗∗∗ LofyGang – Software Supply Chain Attackers; Organized, Persistent, and Operating for Over a Year ∗∗∗ --------------------------------------------- Checkmarx discovered ~200 malicious NPM packages with thousands of installations linked to an attack group called “LofyGang”. --------------------------------------------- https://checkmarx.com/blog/lofygang-software-supply-chain-attackers-organiz… ∗∗∗ New Research: We’re Still Terrible at Passwords; Making it Easy for Attackers ∗∗∗ --------------------------------------------- We look at two of the most popular protocols used for remote administration, SSH and RDP, to get a sense of how attackers are taking advantage of weaker password management to gain access to systems. --------------------------------------------- https://www.rapid7.com/blog/post/2022/10/20/new-research-were-still-terribl… ∗∗∗ Black Basta and the Unnoticed Delivery ∗∗∗ --------------------------------------------- As reported by Check Point at the end of H1 2022, 1 out of 40 organizations worldwide were impacted by ransomware attacks, which constitutes a worrying 59% increase over the past year. The ransomware business continues to grow in gargantuan proportions due to the lucrative payments demanded – and often received – by cybercrime gangs. --------------------------------------------- https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Oracle liefert 370 Sicherheitsupdates im Oktober ∗∗∗ --------------------------------------------- Zum Patchday, Critical Patch Update genannt, liefert Oracle eine lange Liste an Produkten mit Sicherheitslücken. 370 Updates schließen die Schwachstellen. --------------------------------------------- https://heise.de/-7314209 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Red Hat (java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, OpenShift Container Platform 4.9.50 bug fix and, and rh-nodejs14-nodejs), SUSE (buildah, clone-master-clean-up, go1.18, go1.19, helm, jasper, libostree, nodejs16, php8, qemu, and xen), and Ubuntu (libxdmcp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oem-5.14, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-oem-5.17, and perl). --------------------------------------------- https://lwn.net/Articles/911879/ ∗∗∗ Drupal: Search API - Moderately critical - Information Disclosure - SA-CONTRIB-2022-059 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-059 ∗∗∗ Security Bulletin: IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-affected-by-an-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache Zookeeper (CVE-2019-0201, CVE-2021-21409) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – [CVE-2021-45105] (affecting v2.16) and [CVE-2021-45046] (affecting v2.15) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vul… ∗∗∗ F5: K24823443: Apache Commons Text vulnerability CVE-2022-42889 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24823443 ∗∗∗ F5: K27155546: BIND vulnerability CVE-2022-38177 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K27155546 ∗∗∗ F5: K04712583: Linux kernel vulnerability CVE-2021-40490 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04712583 ∗∗∗ F5: K32615023: Linux kernel vulnerability CVE-2022-2588 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32615023 ∗∗∗ Bentley Systems MicroStation Connect ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-293-01 ∗∗∗ Spring: CVE-2022-31684: Reactor Netty HTTP Server may log request headers ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/10/20/cve-2022-31684-reactor-netty-http-server-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2022
by Daily end-of-shift report 19 Oct '22

19 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-10-2022 18:00 − Mittwoch 19-10-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Adobe patcht Illustrator außer der Reihe ∗∗∗ --------------------------------------------- Nach dem großen Patchday letzte Woche legt Adobe nun zwei Updates gegen kritische Lücken im Illustrator nach. --------------------------------------------- https://heise.de/-7314003 ∗∗∗ AMD, Google, Microsoft, Nvidia: Offengelegter Sicherheitsprozessor Caliptra ∗∗∗ --------------------------------------------- Branchenschwergewichte setzen auf RISC-V-Technik für offengelegte Hardware-Security. Sie könnte Black-Box-Umsetzungen wie Microsofts Pluton ersetzen. --------------------------------------------- https://heise.de/-7313272 ∗∗∗ Achtung Betrug: Bewerben Sie sich nicht als „Process Tester“ bei page-rangers.de ∗∗∗ --------------------------------------------- page-rangers.de bietet einen gut bezahlten Minijob als „App-Tester“. Die Arbeit wird von zu Hause aus erledigt und benötigt keine speziellen Anforderungen. Sie erhalten täglich kleine Aufträge, z. B. die Benutzerfreundlichkeit bei der Eröffnung eines Bankkontos zu testen. Doch Vorsicht: Mit diesem Job stehlen Kriminelle Ihre Identität. Mit dem erstellten Bankkonto wird in Ihrem Namen Geld gewaschen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betrug-bewerben-sie-sich-nic… ∗∗∗ Defenders beware: A case for post-ransomware investigations ∗∗∗ --------------------------------------------- The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code. --------------------------------------------- https://www.microsoft.com/security/blog/2022/10/18/defenders-beware-a-case-… ∗∗∗ Awareness and guidance related to potential Service Fabric Explorer (SFX) v1 web client risk ∗∗∗ --------------------------------------------- Microsoft was recently made aware of a Cross-Site Scripting (XSS) vulnerability (CVE-2022-35829), that under limited circumstances, affects older versions of Service Fabric Explorer (SFX). The current default SFX web client (SFXv2) is not vulnerable to this attack. However, customers can manually switch from the default web client (SFXv2) to an older vulnerable SFX web [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/10/19/awareness-and-guidance-related-t… ∗∗∗ Are Internet Scanning Services Good or Bad for You?, (Wed, Oct 19th) ∗∗∗ --------------------------------------------- I'm in Luxembourg to attend the first edition of the CTI Summit[1]. There was an interesting keynote performed by Patrice Auffret[2], the founder of Onyphe, about "Ethical Internet Scanning in 2022". They are plenty of online scanners that work 24x7 to build a map of the Internet. They scan the entire IP addresses space and look for interesting devices, vulnerabilities, etc. Big players are Shodan, Onyphe, Censys, ZoomEye, etc. --------------------------------------------- https://isc.sans.edu/diary/rss/29164 ∗∗∗ Fully undetectable Windows backdoor gets detected ∗∗∗ --------------------------------------------- SafeBreach Labs says it has detected a novel fully undetectable (FUD) PowerShell backdoor, which calls into question the accuracy of threat naming. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/10/18/fully_undete… ∗∗∗ A New Attack Surface on MS Exchange Part 4 - ProxyRelay! ∗∗∗ --------------------------------------------- Hi, this is a long-time-pending article. We could have published this article earlier (the original bug was reported to MSRC in June 2021 with a 90-days Public Disclosure Policy). However, during communications with MSRC, they explained that since this is an architectural design issue, lots of code changes and testings are expected and required, so they hope to resolve this problem with a one-time CU (Cumulative Update) instead of the regular Patch Tuesday. --------------------------------------------- https://devco.re/blog/2022/10/19/a-new-attack-surface-on-MS-exchange-part-4… ∗∗∗ Warning: "FaceStealer" iOS and Android apps steal your Facebook login ∗∗∗ --------------------------------------------- FaceStealer is back. As a seasoned threat to legitimate app stores, expect it to be gone and then back again. --------------------------------------------- https://www.malwarebytes.com/blog/news/2022/10/warning-facestealer-ios-and-… ∗∗∗ TeamTNT Returns – or Does It? ∗∗∗ --------------------------------------------- Our honeypots caught malicious cryptocurrency miner samples targeting the cloud and containers, and its routines are reminiscent of the routines employed by cybercriminal group TeamTNT, which was said to have quit in November 2021. Our investigation shows that another threat actor group, WatchDog, might be mimicking TeamTNT’s arsenal. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/teamtnt-returns-or-does-it.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bcel, kernel, node-xmldom, and squid), Mageia (chromium-browser-stable, dhcp, dokuwiki, firefox, golang, python-joblib, sos, and unzip), Oracle (nodejs and nodejs:16), Red Hat (firefox, kernel, kernel-rt, nodejs, nodejs:14, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (git and mozilla), SUSE (amazon-ssm-agent, caasp-release, cri-o, patchinfo, release-notes-caasp, skuba, enlightenment, libreoffice, netty, nodejs12, nodejs14, [...] --------------------------------------------- https://lwn.net/Articles/911723/ ∗∗∗ Oracle Releases 370 New Security Patches With October 2022 CPU ∗∗∗ --------------------------------------------- Oracle on Tuesday announced the release of 370 patches as part of its quarterly set of security updates. The October 2022 Critical Patch Update (CPU) resolves over 50 critical-severity vulnerabilities. More than 200 of the newly released security patches deal with vulnerabilities that are remotely exploitable without authentication. --------------------------------------------- https://www.securityweek.com/oracle-releases-370-new-security-patches-octob… ∗∗∗ Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function UPDATE A ∗∗∗ --------------------------------------------- UPDATE A (19.10.2022): Added Control block-Set CPX-CEC-C1 and Control block-SETCPX-CMXX to affected products. Unauthenticated access to critical webpage functions (e.g. reboot) may cause a denial of service --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-036/ ∗∗∗ K30425568: Overview of F5 vulnerabilities (October 2022) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K30425568 ∗∗∗ CVE-2021-3772 Linux Kernel Vulnerability in NetApp DSA E2800 series ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-609377-bt.html ∗∗∗ Multiple Cross Site Scripting vulnerabilities in Bosch VIDEOJET multi 4000 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-454166-bt.html ∗∗∗ Cisco Identity Services Engine Unauthorized File Access Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Golang Go vulnerabilities (CVE-2022-27664 and CVE-2022-32190) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Spark affecting IBM QRadar User Behavior Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by vulnerability in Dojo [CVE-2021-23450] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: CMIS is affected since it uses Spring Framework, but not vulnerable to [CVE-2022-22965] and [CVE-2022-22963] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cmis-is-affected-since-it… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to information disclosure due to JUnit4 (CVE-2020-15250) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2022
by Daily end-of-shift report 18 Oct '22

18 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 17-10-2022 18:00 − Dienstag 18-10-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CVE-2022-42889: Keep Calm and Stop Saying "4Shell" ∗∗∗ --------------------------------------------- [...] The vulnerability has been compared to Log4Shell since it is an open-source library-level vulnerability that is likely to impact a wide variety of software applications that use the relevant object. However, initial analysis indicates that this is a bad comparison. The nature of the vulnerability means that unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input. In summary, much like with Spring4Shell, there are significant caveats to practical exploitability for CVE-2022-42889. With that said, we still recommend patching any relevant impacted software according to your normal, hair-not-on-fire patch cycle. --------------------------------------------- https://www.rapid7.com/blog/post/2022/10/17/cve-2022-42889-keep-calm-and-st… ∗∗∗ Europol: Festgenommene Autodiebe stahlen Fahrzeuge mittels Software ∗∗∗ --------------------------------------------- In Frankreich wurden 31 Mitglieder einer Diebesbande festgenommen, die Autos mit schlüssellosen Zugangssystemen per Software gestohlen haben sollen. --------------------------------------------- https://www.golem.de/news/europol-festgenommene-autodiebe-stahlen-fahrzeuge… ∗∗∗ Sicherheit: Antivirensoftware blockiert Thunderbird-Updates ∗∗∗ --------------------------------------------- Statt für Sicherheit zu sorgen, blockieren Avast und AVG Thunderbird-Updates. Das soll bereits seit dreieinhalb Monaten der Fall sein. --------------------------------------------- https://www.golem.de/news/sicherheit-antivirensoftware-blockiert-thunderbir… ∗∗∗ Fake-Shop Alarm: Vorsicht vor betrügerischen Solar- und Photovoltaik-Shops ∗∗∗ --------------------------------------------- Shops wie elektrox-solar.at und horizon-shot.com täuschen mit professionellem Design und gestohlenen Impressumsdaten. Lassen Sie sich von diesen Fake-Shops nicht in die Falle locken! So erkennen Sie Fake-Solar-Shops online. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-vor-betrueg… ∗∗∗ Das Salz in der Suppe: Salts als unverzichtbare Zutat bei der Passwortspeicherung für Applikationen ∗∗∗ --------------------------------------------- Die Verwendung eines Salt bei der Passwortspeicherung verhindert die Vorberechnung des Hash. Als zusätzliches Geheimnis kann ein Pepper verwendet werden. --------------------------------------------- https://www.syss.de/pentest-blog/das-salz-in-der-suppe-salts-als-unverzicht… ∗∗∗ WordPress 6.0.3 erschienen ∗∗∗ --------------------------------------------- Gerade habe ich die Meldung erhalten, dass ein Wartungsupdate auf WordPress 6.0.3 erschienen ist. Dieses Update schließt einige Sicherheitslücken, die hier beschrieben sind. --------------------------------------------- https://www.borncity.com/blog/2022/10/18/wordpress-6-0-3-erschienen/ ∗∗∗ FLEXlm and Citrix ADM Denial of Service Vulnerability ∗∗∗ --------------------------------------------- On June 27, 2022, Citrix released an advisory for CVE-2022-27511 and CVE-2022-27512, which affect Citrix ADM (Application Delivery Management). Rapid7 investigated these issues to better understand their impact, and found that the patch is not sufficient to prevent exploitation. We also determined that the worst outcome of this vulnerability is a denial of service - the licensing server can be told to shut down (even with the patch). --------------------------------------------- https://www.rapid7.com/blog/post/2022/10/18/flexlm-and-citrix-adm-denial-of… ∗∗∗ Python Obfuscation for Dummies, (Tue, Oct 18th) ∗∗∗ --------------------------------------------- Recently, I found several malicious Python scripts that looked the same. They all contained the same strings at the end: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/29160 ∗∗∗ I’m in your hypervisor, collecting your evidence ∗∗∗ --------------------------------------------- Data acquisition during incident response engagements is always a big exercise, both for us and our clients. It’s rarely smooth sailing, and we usually encounter a hiccup or two. Fox-IT’s approach to enterprise scale incident response for the past few years has been to collect small forensic artefact packages using our internal data collection utility, “acquire”, usually deployed using the clients’ preferred method of software deployment. While this method works fine in most cases, we often encounter scenarios where deploying our software is tricky or downright impossible. --------------------------------------------- https://blog.fox-it.com/2022/10/18/im-in-your-hypervisor-collecting-your-ev… ∗∗∗ Zoom for macOS Contains High-Risk Security Flaw ∗∗∗ --------------------------------------------- Video messaging technology powerhouse Zoom has rolled out a high-priority patch for macOS users alongside a warning that hackers could abuse the software flaw to connect to and control Zoom Apps. --------------------------------------------- https://www.securityweek.com/zoom-macos-contains-high-risk-security-flaw ∗∗∗ Dutch Police obtain 155 decryption keys for Deadbolt ransomware victims ∗∗∗ --------------------------------------------- Police in the Netherlands said they were able to trick the group behind the Deadbolt ransomware to hand over the decryption keys for 155 victims during a police operation announced last week. In a statement, the Dutch National Police said on Friday that they conducted a targeted operation where they effectively paid a ransom in [...] --------------------------------------------- https://therecord.media/dutch-police-obtain-155-decryption-keys-for-deadbol… ∗∗∗ Alchimist: A new attack framework in Chinese for Mac, Linux and Windows ∗∗∗ --------------------------------------------- Cisco Talos discovered a new attack framework including a command and control (C2) tool called "Alchimist" and a new malware "Insekt" with remote administration capabilities. The Alchimist has a web interface in Simplified Chinese with remote administration features. The attack framework is designed to target Windows, Linux and Mac machines. --------------------------------------------- http://blog.talosintelligence.com/2022/10/alchimist-offensive-framework.html ∗∗∗ Software Patch Management Policy Best Practices ∗∗∗ --------------------------------------------- Explore the top risk-based patch management policy best practices to mitigate the growing threat of vulnerability exploits in your organization. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/j/software-patch-management-policy… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical RCE Vulnerability Discovered in Popular Cobalt Strike Hacking Software ∗∗∗ --------------------------------------------- HelpSystems, the company behind the Cobalt Strike software platform, has released an out-of-band security update to address a remote code execution vulnerability that could allow an attacker to take control of targeted systems. --------------------------------------------- https://thehackernews.com/2022/10/critical-rce-vulnerability-discovered.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc and libksba), Fedora (dhcp and kernel), Red Hat (.NET 6.0, .NET Core 3.1, compat-expat1, kpatch-patch, and nodejs:16), Slackware (xorg), SUSE (exiv2, expat, kernel, libreoffice, python, python-numpy, squid, and virtualbox), and Ubuntu (linux-azure and zlib). --------------------------------------------- https://lwn.net/Articles/911562/ ∗∗∗ Advantech R-SeeNet ∗∗∗ --------------------------------------------- Successful exploitation of these vulnerabilities could result in an unauthorized attacker remotely deleting files on the system or allowing remote code execution. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-291-01 ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to SOAPAction spoofing (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to denial of service due to XStream (CVE-2021-43859) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to remove traversal due to Apache Commons IO (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-qradar-pulse-application-… ∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow – CVE-2022-35279 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2022
by Daily end-of-shift report 17 Oct '22

17 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-10-2022 18:00 − Montag 17-10-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Prestige: Microsoft findet neue Ransomware in Polen und Ukraine ∗∗∗ --------------------------------------------- Das Sicherheitsteam von Microsoft hat eine komplett neue Ransomware-Kampagne gegen den Logistik- und Transportsektor in der Ukraine und Polen entdeckt. --------------------------------------------- https://www.golem.de/news/prestige-microsoft-findet-neue-ransomware-in-pole… ∗∗∗ Office 365: Microsofts E-Mail-Verschlüsselung ist unsicher ∗∗∗ --------------------------------------------- Die E-Mail-Verschlüsselung von Microsoft 365 setzt auf AES in einem unsicheren Modus. Dadurch können Rückschlüsse auf die Inhalte gezogen werden. --------------------------------------------- https://www.golem.de/news/office-365-microsofts-e-mail-verschluesselung-ist… ∗∗∗ Schwachstelle im Linux-Kernel ermöglicht Codeschmuggel via WLAN ∗∗∗ --------------------------------------------- Ein IT-Sicherheitsforscher hat Schwachstellen im Linux-Kernel gefunden. Angreifer könnten durch manipulierte WLAN-Pakete beliebigen Code einschleusen. --------------------------------------------- https://heise.de/-7309762 ∗∗∗ Support-Ende für VMware ESXi 6.5 und 6.7 - noch viele Alt-Systeme aktiv ∗∗∗ --------------------------------------------- Am 15. Oktober hat VMware den Support für VMware ESXi 6.5 und 6.7 eingestellt. Aktuellen Zahlen zufolge sind noch viele veraltete Systeme im Einsatz. --------------------------------------------- https://heise.de/-7310412 ∗∗∗ Neue Ransomware-Gang „Ransom Cartel“ ∗∗∗ --------------------------------------------- Der IT-Sicherheitsanbieter Palo Alto Networks und dessen Malware-Analyseteam Unit42 haben Erkenntnisse zu „Ransom Cartel“ gewonnen. Es handelt sich um eine Ransomware as a Service (RaaS)-Anbieter, der Mitte Dezember 2021 erstmals aufgetaucht ist. --------------------------------------------- https://www.zdnet.de/88404159/neue-ransomware-gang-ransom-cartel/ ∗∗∗ Microsoft bestätigt: Windows patzt bei der Erkennung gefährlicher Treiber – Blocklisten nicht verteilt ∗∗∗ --------------------------------------------- Eigentlich sollte Windows bekannte, bösartige Treiber beim Laden blockieren, so dass diese keinen Schaden anrichten können. Zumindest hat Microsoft dies seit Jahren behauptet. Nun hat Microsoft unter der Hand zugegeben, dass man dort gepatzt hat. --------------------------------------------- https://www.borncity.com/blog/2022/10/17/microsoft-besttigt-windows-patzt-b… ∗∗∗ Unseriöse Werbung auf Pinterest ∗∗∗ --------------------------------------------- Wie in jedem Sozialen Netzwerk gibt es auch auf Pinterest Werbung. In letzter Zeit vermehrt von unseriösen Online-Shops für Haar-Styling-Geräte und Shaping-Hosen. Die Produkte von zevoon.de, valurabeauty.de oder lusto.de wirken zwar vielversprechend, erfahrungsgemäß werden Sie aber enttäuscht und erhalten minderwertigen Schrott aus China. Wir zeigen Ihnen, bei welchen Shops Sie lieber nicht bestellen sollten. --------------------------------------------- https://www.watchlist-internet.at/news/unserioese-werbung-auf-pinterest/ ∗∗∗ New PHP information-stealing malware targets Facebook accounts ∗∗∗ --------------------------------------------- Threat analysts have spotted a new Ducktail campaign using a new infostealer variant and novel TTPs (tactics, techniques, and procedures), while the Facebook users it targets are no longer limited to holders of business accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-php-information-stealing… ∗∗∗ Black Basta Ransomware Hackers Infiltrates Networks via Qakbot to Deploy Brute Ratel C4 ∗∗∗ --------------------------------------------- The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week. --------------------------------------------- https://thehackernews.com/2022/10/black-basta-ransomware-hackers.html ∗∗∗ Technical Analysis of Windows CLFS Zero-Day Vulnerability CVE-2022-37969 - Part 1: Root Cause Analysis ∗∗∗ --------------------------------------------- On September 2, 2022, Zscaler Threatlabz captured an in-the-wild 0-day exploit in the Windows Common Log File System Driver (CLFS.sys) and reported this discovery to Microsoft. In the September Tuesday patch, Microsoft fixed this vulnerability that was identified as CVE-2022-37969, which is a Windows Common Log File System Driver elevation of privilege vulnerability. An attacker who successfully exploits this vulnerability may gain SYSTEM privileges. --------------------------------------------- https://www.zscaler.com/blogs/security-research/technical-analysis-windows-… ∗∗∗ Free Micropatches For Bypassing "Mark of the Web" on Unzipped Files (0day) ∗∗∗ --------------------------------------------- In May, security researcher Will Dormann found a vulnerability in Windows that allows an attacker to prevent Windows from setting the "Mark of the Web" flag on files extracted from a ZIP archive, even if the ZIP archive came from an untrusted source such as Internet, email, or a USB key. Mark of the Web (MOTW) is an important security mechanism in Windows: Windows will show a security warning before launching an executable file with MOTW; --------------------------------------------- https://blog.0patch.com/2022/10/free-micropatches-for-bypassing-mark-of.html ∗∗∗ New Black Lotus UEFI Rootkit Provides APT-Level Capabilities to Cybercriminals ∗∗∗ --------------------------------------------- A threat actor is promoting on underground criminal forums a vendor-independent UEFI rootkit that can disable security software and controls, cybersecurity veteran Scott Scheferman warns. --------------------------------------------- https://www.securityweek.com/new-black-lotus-uefi-rootkit-provides-apt-leve… ∗∗∗ Detecting Emerging Network Threats From Newly Observed Domains ∗∗∗ --------------------------------------------- We discuss how to discover potential threats among newly observed domains at the time they begin to carry attack traffic. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/ ∗∗∗ CISA Releases RedEye: Red Team Campaign Visualization and Reporting Tool ∗∗∗ --------------------------------------------- CISA has released RedEye, an interactive open-source analytic tool to visualize and report Red Team command and control activities. RedEye allows an operator to quickly assess complex data, evaluate mitigation strategies, and enable effective decision making. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/10/14/cisa-releases-red… ∗∗∗ Stories from the SOC: Feeling so foolish – SocGholish drive by compromise ∗∗∗ --------------------------------------------- SocGholish, also known as FakeUpdate, is a JavaScript framework leveraged in social engineering drive by compromises that has been a thorn in cybersecurity professionals’ and organizations’ sides for at least 5 years now. Upon visiting a compromised website, users are redirected to a page for a browser update and a zip archive file containing a malicious JavaScript file is downloaded and unfortunately often opened and executed by the fooled end user. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-14 ∗∗∗ --------------------------------------------- IBM InfoSphere Information Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct for HP NonStop, IBM Sterling File Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ MiniDVBLinux 5.4 Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Arbitrary File Read Vulnerability, Remote Root Command Execution Vulnerability, Remote Root Command Injection Vulnerability, Unauthenticated Stream Disclosure Vulnerability, Change Root Password PoC, Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit, Config Download Exploit --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults ∗∗∗ --------------------------------------------- Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with [...] --------------------------------------------- https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (kernel, linux-hardened, linux-lts, and linux-zen), Debian (python-django), Fedora (apptainer, kernel, python3.6, and vim), Gentoo (assimp, deluge, libvirt, libxml2, openssl, rust, tcpreplay, virglrenderer, and wireshark), Slackware (zlib), SUSE (chromium, python3, qemu, roundcubemail, and seamonkey), and Ubuntu (linux-aws-5.4 and linux-ibm). --------------------------------------------- https://lwn.net/Articles/911461/ ∗∗∗ WAGO: Multiple products - Loss of MAC-Address-Filtering after reboot ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-042/ ∗∗∗ WAGO: Multiple Vulnerabilities in Controller with WAGO I/O-Pro / CODESYS 2.3 Runtime ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-040/ ∗∗∗ TRUMPF TruTops prone to improper access control ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-023/ ∗∗∗ Gitea: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1742 ∗∗∗ Linux Kernel: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1741 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.10.2022
by Daily end-of-shift report 14 Oct '22

14 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-10-2022 18:00 − Freitag 14-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Infostealer: Was ist das, wie werden sie verbreitet und wie lassen sie sich aufhalten? ∗∗∗ --------------------------------------------- Infostealer sind eine schädliche Software, die darauf ausgelegt ist, Ihre vertraulichen Daten zu stehlen. Hier erfahren Sie, was genau sie sind, wie sie verbreitet werden und wie sie sich aufhalten lassen. --------------------------------------------- https://blog.emsisoft.com/de/41944/infostealer-was-ist-das-wie-werden-sie-v… ∗∗∗ Magniber ransomware now infects Windows users via JavaScript files ∗∗∗ --------------------------------------------- A recent malicious campaign delivering Magniber ransomware has been targeting Windows home users with fake security updates. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magniber-ransomware-now-infe… ∗∗∗ What the Uber Hack can teach us about navigating IT Security ∗∗∗ --------------------------------------------- The recent Uber cyberattack shows us the myriad tactics employed by threat actors to breach corporate networks. Learn more about these tactics used and how to navigate IT Security. --------------------------------------------- https://www.bleepingcomputer.com/news/security/what-the-uber-hack-can-teach… ∗∗∗ Microsoft 365 Message Encryption Can Leak Sensitive Info ∗∗∗ --------------------------------------------- The default email encryption used in Microsoft Offices cloud version is leaky, which the company acknowledged but said it wouldnt fix. --------------------------------------------- https://www.darkreading.com/application-security/microsoft-365-message-encr… ∗∗∗ Hunting for Cobalt Strike: Mining and plotting for fun and profit ∗∗∗ --------------------------------------------- Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you have Cobalt Strike [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/10/13/hunting-for-cobalt-strike-mining… ∗∗∗ Improvements in Security Update Notifications Delivery - And a New Delivery Method ∗∗∗ --------------------------------------------- At MSRC, we are passionate about ensuring our customers have a positive experience when they use the Microsoft Security Update Guide (SUG). A big part of improving that experience is ensuring that customers have timely and easily accessible notifications. As such we have two important announcements to share about changes to the way we provide notifications. --------------------------------------------- https://msrc-blog.microsoft.com/2022/10/12/14921/ ∗∗∗ Analysis of a Malicious HTML File (QBot), (Thu, Oct 13th) ∗∗∗ --------------------------------------------- Reader Eric submitted a malicious HTML page that contains BASE64 images with malware. --------------------------------------------- https://isc.sans.edu/diary/rss/29146 ∗∗∗ Firefoxs New Service Gives You a Burner Phone Number To Cut Down on Spam ∗∗∗ --------------------------------------------- Firefox Relay, a Mozilla service designed to hide your "real" email address by giving you virtual ones to hand out, is expanding to offer virtual phone numbers. From a report: In a blog post Mozilla product manager Tony Amaral-Cinotto explains that the relay service generates a phone number for you to give out to companies if you suspect they might use it to send you spam messages in the future, or if you think they might share it with others who will. --------------------------------------------- https://news.slashdot.org/story/22/10/13/1124240/firefoxs-new-service-gives… ∗∗∗ PiRogue Tool Suite Mobile forensic & network analysis on a Raspberry Pie ∗∗∗ --------------------------------------------- PiRogue tool suite (PTS) is an open-source tool suite that provides a comprehensive mobile forensic and network traffic analysis platform targeting mobile devices both Android and iOS, internet of things devices (devices that are connected to the user mobile apps), and in general any device using wi-fi to connect to the Internet. --------------------------------------------- https://pts-project.org/ ∗∗∗ PoC Published for Fortinet Vulnerability as Mass Exploitation Attempts Begin ∗∗∗ --------------------------------------------- Details and a proof-of-concept (PoC) exploit have been published for the recent Fortinet vulnerability tracked as CVE-2022-40684, just as cybersecurity firms are seeing what appears to be the start of mass exploitation attempts. --------------------------------------------- https://www.securityweek.com/poc-published-fortinet-vulnerability-mass-expl… ∗∗∗ Ransom Cartel Ransomware: A Possible Connection With REvil ∗∗∗ --------------------------------------------- Ransom Cartel is ransomware as a service (RaaS) that exhibits several similarities to and technical overlaps with REvil ransomware. Read our overview. --------------------------------------------- https://unit42.paloaltonetworks.com/ransom-cartel-ransomware/ ∗∗∗ Seven tips to run effective security awareness campaigns ∗∗∗ --------------------------------------------- Planning large-scale security awareness campaigns throws up many questions to grapple with. How can you make sure your campaign reaches the right people? What’s the best way to inspire them to take action? And how do you run a security awareness campaign so realistic it gets banned by the national post office? --------------------------------------------- https://connect.geant.org/2022/10/14/seven-tips-to-run-effective-security-a… ∗∗∗ Shodan Verified Vulns 2022-10-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-10-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2022/10/shodan-verified-vulns-2022-10-01 ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM Performance Management, IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Cloud Pak System --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Fedora (dbus, dhcp, expat, kernel, thunderbird, vim, and weechat), Mageia (libofx, lighttpd, mediawiki, and python), Oracle (.NET 6.0 and .NET Core 3.1), Slackware (python3), SUSE (chromium, kernel, libosip2, python-Babel, and python-waitress), and Ubuntu (gThumb, heimdal, linux-aws, linux-gcp-4.15, linux-aws-hwe, linux-gcp, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, postgresql-9.5, and xmlsec1). --------------------------------------------- https://lwn.net/Articles/911168/ ∗∗∗ Hitachi Energy Lumada Asset Performance Management Prognostic Model Executor Service ∗∗∗ --------------------------------------------- This advisory contains mitigations for Allocation of Resources Without Limits or Throttling and Code Injection vulnerabilities in versions of Hitachi Energy Lumada Asset Performance Manager (APM) software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-286-05 ∗∗∗ OpenSSL Infinite loop when parsing certificates CVE-2022-0778 ∗∗∗ --------------------------------------------- Version: 1.7, Date: 14-Oct-2022, Description: Fixed product(s) lists are updated: GMS, Analytics, SonicWave, SonicSwitch, Connect Tunnel Client. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002 ∗∗∗ Joomla KSAdvertiser 2.5.37 Cross Site Scripting ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022100035 ∗∗∗ Android App "IIJ SmartKey" vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN74534998/ ∗∗∗ Pulse Secure Pulse Connect Secure: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1717 ∗∗∗ Red Hat Enterprise Linux (Advanced Cluster Management): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1715 ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1719 ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1720 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2022
by Daily end-of-shift report 13 Oct '22

13 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-10-2022 18:00 − Donnerstag 13-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Alchimist attack framework targets Windows, macOS, Linux ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new attack and C2 framework called Alchimist, which appears to be actively used in attacks targeting Windows, Linux, and macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-alchimist-attack-framewo… ∗∗∗ SiteCheck Malware Trends Report – Q3 2022 ∗∗∗ --------------------------------------------- Our free SiteCheck remote website scanner provides immediate insights about malware infections, blocklisting, website anomalies, and errors for millions of webmasters every month. Best of all, conducting a remote website scan is one of the easiest ways to identify security issues. --------------------------------------------- https://blog.sucuri.net/2022/10/sitecheck-malware-trends-report-2022-q3.html ∗∗∗ Researchers Uncover Custom Backdoors and Spying Tools Used by Polonium Hackers ∗∗∗ --------------------------------------------- Core to the attacks has been the use of implants coined CreepyDrive and CreepyBox for their ability to exfiltrate sensitive data to actor-controlled OneDrive and Dropbox accounts. Also deployed is a PowerShell backdoor dubbed CreepySnail. --------------------------------------------- https://thehackernews.com/2022/10/researchers-uncover-custom-backdoors.html ∗∗∗ VPN-Problem: Apple-Apps leaken Daten unter iOS ∗∗∗ --------------------------------------------- Der iPhone-VPN-Dienst scheint noch immer nicht sauber zu laufen. Ein Sicherheitsforscher warnt vor Leaks insbesondere aus Apple-eigenen Apps. --------------------------------------------- https://heise.de/-7307198 ∗∗∗ Top 5 ransomware detection techniques: Pros and cons of each ∗∗∗ --------------------------------------------- In the fight against ransomware, much of the discussion revolves around prevention and response. Actually detecting the ransomware, however, is just as important to securing your business. To understand why, just consider the following example. --------------------------------------------- https://www.malwarebytes.com/blog/business/2022/10/top-5-ransomware-detecti… ∗∗∗ MS Enterprise app management service RCE. CVE-2022-35841 ∗∗∗ --------------------------------------------- TL;DR A remote command execution and local privilege escalation vulnerability has been fixed by Microsoft as part of September’s patch Tuesday. The vulnerability, filed under CVE-2022-35841, affects the Enterprise App Management Service which handles the installation of enterprise applications deployed via MDM. --------------------------------------------- https://www.pentestpartners.com/security-blog/ms-enterprise-app-management-… ∗∗∗ Some Vulnerabilities Don’t Have a Name ∗∗∗ --------------------------------------------- There is a common assumption that all open source vulnerabilities hold a CVE. Still, others believe that the National Vulnerability Database (NVD) has the final word when deciding what is a vulnerability and what is not. However, can a vulnerability exist that isn’t tracked by a CVE, or is not in the NVD? --------------------------------------------- https://checkmarx.com/blog/some-vulnerabilities-dont-have-a-name/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Kritische Lücken in WAN-Managementsystem von Aruba ∗∗∗ --------------------------------------------- Zwei kritische Schwachstellen in Aruba EdgeConnect Orchestrator gefährden Netzwerke. --------------------------------------------- https://heise.de/-7307059 ∗∗∗ CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface ∗∗∗ --------------------------------------------- An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web interface allows a network-based attacker with specific knowledge of the target firewall or Panorama appliance to impersonate an existing PAN-OS administrator and perform privileged actions. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0030 ∗∗∗ Juniper Security Bulletins 2022-10-12 ∗∗∗ --------------------------------------------- Juniper has released 37 security advisories. --------------------------------------------- https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sor… ∗∗∗ Schwachstelle in JavaScript-Sandbox vm2 erlaubt Ausbruch aus der Isolation ∗∗∗ --------------------------------------------- Wer eine Version kleiner 3.9.11 von vm2 verwendet, sollte die Sandbox aktualisieren, da eine Schwachstelle das Ausführen von Remote-Code auf dem Host erlaubt. --------------------------------------------- https://heise.de/-7306752 ∗∗∗ Groupware Zimbra: Updates stopfen mehrere Sicherheitslecks ∗∗∗ --------------------------------------------- In der Groupware Zimbra beheben die Entwickler mehrere sicherheitsrelevante Fehler. Angreifer könnten die Instanz kompromittieren oder ihre Rechte ausweiten. --------------------------------------------- https://heise.de/-7307521 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice, rexical, ruby-nokogiri, and squid), Fedora (wavpack), Red Hat (expat), SUSE (gdcm, orthanc, orthanc-gdcm, orthanc-webviewer and rubygem-puma), and Ubuntu (GMP and unzip). --------------------------------------------- https://lwn.net/Articles/911042/ ∗∗∗ Trellix ePolicy Orchestrator: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Trellix ePolicy Orchestrator ausnutzen, um Dateien zu manipulieren oder einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1700 ∗∗∗ Vulnerability Spotlight: Multiple issues in Robustel R1510 cellular router could lead to code execution, denial of service ∗∗∗ --------------------------------------------- Cisco Talos recently discovered nine vulnerabilities in the Robustel R1510 industrial cellular router, several of which could allow an adversary to inject operating system code remotely. --------------------------------------------- http://blog.talosintelligence.com/2022/10/vuln-spotlight-robustel-router.ht… ∗∗∗ Sonicwall: GMS File Path Manipulation ∗∗∗ --------------------------------------------- An unauthenticated attacker can gain access to web directory containing applications binaries and configuration files through file path manipulation vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0021 ∗∗∗ Drupal: Twig Field Value - Moderately critical - Access bypass - SA-CONTRIB-2022-058 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-058 ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Hortonworks DataFlow product has log messages vulnerable to arbitrary code execution, denial of service, and remote code execution due to Apache Log4j vulnerabilities [CVE-2021-44228], [CVE-2021-45105], and [CVE-2021-45046] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hortonworks-dataflow-prod… ∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights impacted by Apache Log4j vulnerabilities (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-… ∗∗∗ Security Bulletin: Vulnerabilities in Java affect IBM WIoTP MessageGateway (CVE-2021-213) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Dell BIOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1705 ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1702 ∗∗∗ Mitel MiVoice Connect: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1706 ∗∗∗ Pulse Secure SA45520 - CVEs (CVE-2022-35254,CVE-2022-35258) may lead to DoS attack ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA45520 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2022
by Daily end-of-shift report 12 Oct '22

12 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-10-2022 18:00 − Mittwoch 12-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ein guter Tag für Freund:innen von Adobe Software und gepflegtem Patchen ∗∗∗ --------------------------------------------- Da kann man sich nicht beschweren: nicht nur eine kritische Lücke in Adobe Commerce und Magento Open Source (CVSS 10.0 - Highscore-verdächtig), sondern auch gleich deren mehrere in Adobe ColdFusion (unter Anderem 4x mit CVSS 9.8 und 1x mit 8.1). Nutzer:innen von Adobe Acrobat/Acrobat Reader kommen ebenfalls nicht zu kurz, auch wenn man dort dank Auto-Updates vielleicht nicht selbst so viel Spass mit dem Patchen hat. Und auch wenn ich nicht weiß, was (eine) Adobe Dimension ist: Admins haben dort 4x CVSS 7.8 - Freude. --------------------------------------------- https://cert.at/de/blog/2022/10/ein-guter-tag-fur-freundinnen-von-adobe-sof… ∗∗∗ New npm timing attack could lead to supply chain attacks ∗∗∗ --------------------------------------------- Security researchers have discovered an npm timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-npm-timing-attack-could-… ∗∗∗ Malicious WhatsApp mod distributed through legitimate apps ∗∗∗ --------------------------------------------- The malicious version of YoWhatsApp messenger, containing Triada trojan, was spreading through ads in the popular Snaptube app and the Vidmate apps internal store. --------------------------------------------- https://securelist.com/malicious-whatsapp-mod-distributed-through-legitimat… ∗∗∗ Userland Execution of Binaries Directly from Python ∗∗∗ --------------------------------------------- TL;DR: If you are familiar with what a userland binary execution tool does and you just want to see the code and/or test it, skip the rest of this post and go to the project GitHubs page. --------------------------------------------- https://www.anvilsecure.com/blog/userland-execution-of-binaries-directly-fr… ∗∗∗ A deep dive into CVE-2021–42847 - arbitrary file write and XXE in ManageEngine ADAudit Plus before 7006 ∗∗∗ --------------------------------------------- After coming across a vulnerable instance during a pentest, and discovering that no root cause analysis or PoC has ever been made available for this vulnerability, I decided to have a closer look myself. --------------------------------------------- https://medium.com/@erik.wynter/pwning-manageengine-from-endpoint-to-exploi… ∗∗∗ Brute-Force-Angriffe: Microsoft rüstet Schutzmechanismus nach ∗∗∗ --------------------------------------------- Die Windows-Updates zum Oktober-Patchday haben auch eine neue Funktion mitgebracht. Sie sperrt lokale Administratorkonten bei fehlerhaften Log-in-Versuchen. --------------------------------------------- https://heise.de/-7306276 ∗∗∗ Abo-Falle bei der Wohnungssuche auf rentola.at ∗∗∗ --------------------------------------------- Sind Sie gerade auf Wohnungssuche? Dann nehmen Sie sich vor einem undurchsichtigen Abo-Vertrag auf rentola.at in Acht. Geworben wird mit unzähligen Wohnungen in ganz Österreich und auf der ganzen Welt. Für eine erste Nachricht an Vermieter:innen müssen Sie jedoch 1 Euro bezahlen. Ein versteckter Kostenhinweis verrät: Hier landen Sie in einem teuren Abonnement! --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-bei-der-wohnungssuche-auf-… ∗∗∗ Qakbot Being Distributed as ISO Files Instead of Excel Macro ∗∗∗ --------------------------------------------- There is a recent increase in the distribution method of malware through ISO files. Among the malware, it has been identified that Qakbot, an online banking malware, has had its distribution method changed from Excel 4.0 Macro to ISO files. --------------------------------------------- https://asec.ahnlab.com/en/39537/ ∗∗∗ VMware vCenter Server bug disclosed last year still not patched ∗∗∗ --------------------------------------------- VMware informed customers today that vCenter Server 8.0 (the latest version) is still waiting for a patch to address a high-severity privilege escalation vulnerability disclosed in November 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-vcenter-server-bug-di… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Magento Open Source und Adobe Commerce - Updates verfügbar ∗∗∗ --------------------------------------------- Adobe hat Updates für die E-Commerce Software Suites Magento Open Source und Adobe Commerce herausgegeben. CVE-Nummer(n): CVE-2022-35698 CVSS Base Score: 10.0. Angreifer:innen können beliebigen Code auf betroffenen Systemen ausführen (vermutlich mit den Rechten des Webservers), und haben Zugriff auf alle Daten die im E-Commerce System gespeichert sind. --------------------------------------------- https://cert.at/de/warnungen/2022/10/kritische-sicherheitslucke-in-magento-… ∗∗∗ Microsoft Security Update Summary (11. Oktober 2022) ∗∗∗ --------------------------------------------- Am 11. Oktober 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen 84 Schwachstellen … --------------------------------------------- https://www.borncity.com/blog/2022/10/11/microsoft-security-update-summary-… ∗∗∗ Exchange Server Sicherheitsupdates (11. Oktober 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 11. Oktober 2022 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Updates sollen Schwachstellen, die von externen Sicherheitspartnern gemeldet oder durch Microsoft gefunden wurden, schließen. Die seit Ende September 2022 bekannten 0-day-Schwachstellen (ProxyNotShell) werden aber nicht beseitigt. --------------------------------------------- https://www.borncity.com/blog/2022/10/12/exchange-server-sicherheitsupdates… ∗∗∗ IBM Security Bulletins 2022-10-11 ∗∗∗ --------------------------------------------- IBM Robotic Process Automation, IBM App Connect Enterprise, IBM Security Identity Management, IBM Security Guardium, IBM Cloud Pak, Rational Change, IBM Navigator Mobile Android, Rational Synergy. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schneider Elecronic Security Advisories 2022-10-11 ∗∗∗ --------------------------------------------- 4 new, 8 updated --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Webbrowser: Google schließt sechs Sicherheitslücken in Chrome ∗∗∗ --------------------------------------------- Google hat ein Update für den Webbrowser Chrome veröffentlicht. Es schließt insgesamt sechs Sicherheitslücken, von denen ein hohes Risiko ausgeht. --------------------------------------------- https://heise.de/-7305732 ∗∗∗ Fortinet-Patchday: Mehrere kritische Lücken geschlossen ∗∗∗ --------------------------------------------- Nachdem am Wochenende eine kritische Sicherheitslücke in Fortinet-Produkten bekannt wurde, hat das Unternehmen nun weitere Updates bereitgestellt. --------------------------------------------- https://heise.de/-7306400 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and twig), Oracle (expat, gnutls and nettle, and kernel), Red Hat (expat, kernel, and kpatch-patch), and Ubuntu (advancecomp and dotnet6). --------------------------------------------- https://lwn.net/Articles/910953/ ∗∗∗ Zoom Video Communications: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder lokalerAngreifer kann mehrere Schwachstellen in Zoom Video Communications Zoom Client und Zoom Video Communications On-Premise ausnutzen, um einen Denial of Service Angriff durchzuführen und Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1677 ∗∗∗ LibreOffice: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in LibreOffice ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1679 ∗∗∗ bingo!CMS vulnerable to authentication bypass ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN74592196/ ∗∗∗ The installer of Sony Content Transfer may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN40620121/ ∗∗∗ VMSA-2022-0026 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0026.html ∗∗∗ WAGO: FTP-Server - Denial-of-Service ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-047/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2022
by Daily end-of-shift report 11 Oct '22

11 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 10-10-2022 18:00 − Dienstag 11-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Your Publicly Accessible Google API Key Could Be Giving Hackers Access to Your Files and Photos! ∗∗∗ --------------------------------------------- We’ve all seen them before, those long, seemingly random strings of characters starting with AIza. Yes, that’s right, the ubiquitous Google API key. --------------------------------------------- https://spidersilk.com/news/your-publicly-accessible-google-api-key-could-b… ∗∗∗ Fortinet Confirms Zero-Day Vulnerability Exploited in One Attack ∗∗∗ --------------------------------------------- Fortinet has confirmed that the critical vulnerability whose existence came to light last week is a zero-day flaw that has been exploited in at least one attack. --------------------------------------------- https://www.securityweek.com/fortinet-confirms-zero-day-vulnerability-explo… ∗∗∗ Siemens Not Ruling Out Future Attacks Exploiting Global Private Keys for PLC Hacking ∗∗∗ --------------------------------------------- Researchers have demonstrated that threat actors could obtain global private keys that protect some of Siemens’ industrial devices, and the vendor says it cannot rule out malicious exploitation in the future. --------------------------------------------- https://www.securityweek.com/siemens-not-ruling-out-future-attacks-exploiti… ∗∗∗ Living off the Cloud. Cloudy with a Chance of Exfiltration ∗∗∗ --------------------------------------------- Unless default settings are changed, typical Office 365 (O365) licences come loaded with various services that are all usable by end users without special permissions. Power Automate can be used maliciously by compromised users or insider threats to systematically capture and exfiltrate data without having to contend with network safeguards. --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-cloud-cloudy-w… ∗∗∗ Betrügerisches Jobangebot auf santo-vermoegen.com ∗∗∗ --------------------------------------------- Auf „santo-vermoegen.com/infofolder“ sind aktuell freie Stellen als „Back Office Mitarbeiter“ ausgeschrieben. Der Job ist auch auf diversen Jobportalen inseriert. Die Beschreibung der Tätigkeit ist vage. Es geht lediglich hervor, dass Sie auf Ihrem privaten Bankkonto Zahlungen empfangen, protokollieren und weiterleiten. Vorsicht: Dabei handelt es sich um Geldwäsche, Sie machen sich strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-jobangebot-auf-santo… ∗∗∗ Exchange Server: Neue 0-day (nicht NotProxyShell, CVE-2022-41040, CVE-2022-41082) ∗∗∗ --------------------------------------------- AhnLabs schreibt, dass theoretisch die Möglichkeit besteht, dass die von dem vietnamesischen Sicherheitsunternehmen GTSC am 28. September offengelegten Schwachstellen von Microsoft Exchange Server(CVE-2022-41040, CVE-2022-41082) für die Infektion ausgenutzt wurden. Aber die Angriffsmethode, der generierte WebShell-Dateiname, und nachfolgende Angriffe nach der Installation der WebShell lassen vermuten, dass ein anderer Angreifer eine andere Zero-Day-Schwachstelle ausgenutzt hat. --------------------------------------------- https://www.borncity.com/blog/2022/10/11/exchange-server-neue-0-day-nicht-n… ∗∗∗ Persistent PHP payloads in PNGs: How to inject PHP code in an image – and keep it there ! ∗∗∗ --------------------------------------------- During the assessment of a PHP application, we recently came across a file upload vulnerability allowing the interpretation of PHP code inserted into valid PNG files. However, the image processing performed by the application forced us to dig deeper into the different techniques available to inject PHP payloads into this particular file format - and to make it persist through image transformations. --------------------------------------------- https://www.synacktiv.com/publications/persistent-php-payloads-in-pngs-how-… ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- 16 new, 11 updated --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-10#Sec… ∗∗∗ IBM Security Bulletins 2022-10-10 ∗∗∗ --------------------------------------------- IBM Process Mining, z/Transaction Processing Facility, Content Manager OnDemand z/OS, IBM Sterling Connect. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Exchange Zero-Day-Lücke: Nochmals nachgebesserter Workaround ∗∗∗ --------------------------------------------- Microsoft bessert den Workaround für die Zero-Day-Lücke in Exchange noch mal nach. Admins bleibt nur zu hoffen, dass die jetzige Regel bis zum Update hält. --------------------------------------------- https://heise.de/-7304522 ∗∗∗ SAP-Patchday: 15 neue Sicherheitswarnungen im Oktober ∗∗∗ --------------------------------------------- Die von SAP zum Oktober-Patchday verfügbaren Updates schließen unter anderem zwei kritische Sicherheitslücken. --------------------------------------------- https://heise.de/-7305149 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (connman, dbus, git, isc-dhcp, strongswan, and wordpress), Fedora (rubygem-pdfkit and seamonkey), Red Hat (gnutls, nettle, rh-ruby27-ruby, and rh-ruby30-ruby), SUSE (libgsasl, python, and snakeyaml), and Ubuntu (graphite2, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-raspi, linux, linux-aws, linux-bluefield, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe, linux-oracle, openssh, and pcre3). --------------------------------------------- https://lwn.net/Articles/910828/ ∗∗∗ iOS 16.0.3 freigegeben ∗∗∗ --------------------------------------------- Apple hat zum 10. Oktober 2022 iOS 16.0.3 für neuere iPhone-Modelle freigegeben. Es handelt sich um ein Sicherheitsupdate, welches die Sicherheitslücke CVE-2022-22658 in Mail beseitigen soll. --------------------------------------------- https://www.borncity.com/blog/2022/10/11/ios-16-0-3-freigegeben/ ∗∗∗ OpenSSL Security Advisory [11 October 2022] ∗∗∗ --------------------------------------------- https://www.openssl.org/news/secadv/20221011.txt ∗∗∗ Xen Security Advisory CVE-2022-33749 / XSA-413 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-413.html ∗∗∗ Xen Security Advisory CVE-2022-33748 / XSA-411 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-411.html ∗∗∗ Xen Security Advisory CVE-2022-33746 / XSA-410 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-410.html ∗∗∗ Xen Security Advisory CVE-2022-33747 / XSA-409 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-409.html ∗∗∗ PHOENIX CONTACT: Multiple Linux component vulnerabilities in PLCnext Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-046/ ∗∗∗ Hashicorp Vagrant: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1669 ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1663 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-33748 & CVE-2022-33749 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX465146/citrix-hypervisor-security-bul… ∗∗∗ Altair HyperView Player ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-284-01 ∗∗∗ Daikin Holdings Singapore Pte Ltd. SVMPC1 and SVMPC2 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-284-02 ∗∗∗ Sensormatic Electronics C-CURE 9000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-284-03 ∗∗∗ Lenovo: IPV6 VLAN Stacking Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500520-IPV6-VLAN-STACKING-VULN… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2022
by Daily end-of-shift report 10 Oct '22

10 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-10-2022 18:00 − Montag 10-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Fake adult sites push data wipers disguised as ransomware ∗∗∗ --------------------------------------------- Malicious adult websites push fake ransomware which, in reality, acts as a wiper that quietly tries to delete almost all of the data on your device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-adult-sites-push-data-w… ∗∗∗ Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server ∗∗∗ --------------------------------------------- A correction was made to the string in step 6 and step 9 in the URL Rewrite rule mitigation Option 3. Steps 8, 9, and 10 have updated images. --------------------------------------------- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-z… ∗∗∗ That thing to help protect internet traffic from hijacking? Its broken ∗∗∗ --------------------------------------------- RPKI is supposed to verify network routes. Instead, heres how it could be subverted. An internet security mechanism called Resource Public Key Infrastructure (RPKI), intended to safeguard the routing of data traffic, is broken, according to security experts from Germanys ATHENE, the National Research Center for Applied Cybersecurity. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/10/09/internet_tra… ∗∗∗ Groupware: Kritische Codeschmuggel-Lücke in Zimbra wird angegriffen ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Groupware Zimbra erlaubt Angreifern, Schadcode einzuschleusen. Die Schwachstelle wird inzwischen angegriffen. Ein Workaround hilft. --------------------------------------------- https://heise.de/-7289104 ∗∗∗ Intel-CPU "Alder Lake": BIOS-Quellcode-Leak öffnet potenzielle Einfallstore ∗∗∗ --------------------------------------------- Rund 6 GByte BIOS-Daten für die CPU-Generation Core i-12000 sind Intel abhandengekommen. Darin enthalten ist Code für Sicherheitsmechanismen wie Boot Guard. --------------------------------------------- https://heise.de/-7289262 ∗∗∗ How to protect your Firefox saved passwords with a Primary Password ∗∗∗ --------------------------------------------- For better security, dont rely on browser syncing to manage your passwords. Heres a better way. --------------------------------------------- https://www.zdnet.com/article/how-to-protect-your-firefox-saved-passwords-w… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Fortinet Produkten - Updates verfügbar ∗∗∗ --------------------------------------------- Kritische Schwachstellen in Fortinet Produkten erlauben es Angreifenden, die Authentisierung zu umgehen und Aktionen mit Admin-Rechten auszuführen. CVE-Nummer(n): CVE-2022-40684 CVSS Base Score: 9.6. --------------------------------------------- https://cert.at/de/warnungen/2022/10/kritische-sicherheitslucken-in-fortine… ∗∗∗ IBM Security Bulletins 2022-10-07 and 2022-10-08 ∗∗∗ --------------------------------------------- IBM Partner Engagement Manager, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Cloud, IBM Business Automation Workflow, IBM Security Verify Governance, IBM TXSeries, IBM Security Network Threat Analytics, IBM Security Verify Governance, IBM Jazz. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (knot-resolver and libpgjava), Fedora (booth, dotnet3.1, expat, nheko, php-twig, php-twig2, php-twig3, poppler, python-joblib, and seamonkey), Mageia (colord, dbus, enlightenment, kitty, libvncserver, php, python3, and unbound), Slackware (libksba), SUSE (cyrus-sasl, ImageMagick, and xmlgraphics-commons), and Ubuntu (nginx and thunderbird). --------------------------------------------- https://lwn.net/Articles/910724/ ∗∗∗ Critical Remote Code Execution Vulnerability Found in vm2 Sandbox Library ∗∗∗ --------------------------------------------- A critical vulnerability in vm2 may allow a remote attacker to escape the sandbox and execute arbitrary code on the host. A highly popular JavaScript sandbox library with more than 16 million monthly downloads, vm2 supports the execution of untrusted code synchronously in a single process. --------------------------------------------- https://www.securityweek.com/critical-remote-code-execution-vulnerability-f… ∗∗∗ MISP 2.4.164 released with new tag relationship feature, improvements and a security fix ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.164 with a new tag relationship features, many improvements and a security fix. --------------------------------------------- https://www.misp-project.org/2022/10/10/MISP.2.4.164.released.html/ ∗∗∗ Trend Micro Apex One: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler oder entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Trend Micro Apex One ausnutzen, um seine Privilegien zu erhöhen und Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1649 ∗∗∗ ZDI-22-1399: Centreon Poller Broker SQL Injection Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1399/ ∗∗∗ ZDI-22-1398: Centreon Contact Group SQL Injection Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1398/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.10.2022
by Daily end-of-shift report 07 Oct '22

07 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-10-2022 18:00 − Freitag 07-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Powershell Backdoor with DGA Capability, (Fri, Oct 7th) ∗∗∗ --------------------------------------------- DGA ("Domain Generation Algorithm") is a popular tactic used by malware to make connections with their C2 more stealthy and difficult to block. The idea is to generate domain names periodically and use them during the defined period. An alternative is to generate a lot of domains and loop across them to find an available C2 server. Attackers just register a few domain names and can change them very quickly. --------------------------------------------- https://isc.sans.edu/diary/rss/29122 ∗∗∗ What is a Malware Attack? ∗∗∗ --------------------------------------------- A malware attack is the act of injecting malicious software to infiltrate and execute unauthorized commands within a victim’s system without their knowledge or authorization. The objectives of such an attack can vary – from stealing client information to sell as lead sources, obtaining system information for personal gain, bringing a site down to stop business or even just placing the mark of a cyber-criminal on a public domain. --------------------------------------------- https://blog.sucuri.net/2022/10/what-is-a-malware-attack.html ∗∗∗ Loads of PostgreSQL systems are sitting on the internet without SSL encryption ∗∗∗ --------------------------------------------- They probably shouldnt be connected in the first place, says database expert. Only a third of PostgreSQL databases connected to the internet use SSL for encrypted messaging, according to a cloud database provider. --------------------------------------------- https://www.theregister.com/2022/10/07/postgresql_no_ssl/ ∗∗∗ Top CVEs Actively Exploited By [..] State-Sponsored Cyber Actors ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) provides the top Common Vulnerabilities and Exposures (CVEs) used since 2020 by [..] state-sponsored cyber actors as assessed by the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI). --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-279a ∗∗∗ So schützen Sie sich vor Kleinanzeigen-Betrug ∗∗∗ --------------------------------------------- Egal ob Sie kaufen oder verkaufen: Schützen Sie sich auf Kleinanzeigen-Plattformen wie Willhaben, ebay, Vinted und Co. vor Kriminellen. Mit Fake-Profilen, gefälschten Zahlungsbestätigungen oder unechten Zahlungsplattformen zocken Kriminelle immer wieder Nutzer:innen ab. Wir geben Ihnen Tipps zum sicheren Kaufen und Verkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-kleinanzei… ∗∗∗ Exchange Hacks: Achtung, gut gemachte, bösartige Mails im Umlauf (7. Oktober 2022) ∗∗∗ --------------------------------------------- Die Woche wurden Administratoren von Exchange-Servern ja durch die Ende September 2022 bekannt gewordene 0-day-Schwachstellen und die Workarounds von Microsoft ziemlich gefordert. Inzwischen versuchen Cyber-Kriminelle aus dieser Situation Kapital zu schlagen. --------------------------------------------- https://www.borncity.com/blog/2022/10/07/exchange-hacks-achtung-gut-gemacht… ===================== = Vulnerabilities = ===================== ∗∗∗ Remote Code Execution in Zimbra Collaboration Suite - Workaround verfügbar ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in Zimbra Collaboration Suite erlaubt potentiell entfernten, unauthorisierten Angreifer:innen das Ausführen von beliebigem Code. Laut diversen Berichten wird diese Schwachstelle bereits aktiv ausgenutzt. Das Ausnützen der Schwachstelle durch senden einer Email mit speziell präparierten Anhängen in den Formaten .cpio, .tar, .rpm kann zu einer vollständigen Kompromittierung des Systems führen. --------------------------------------------- https://cert.at/de/warnungen/2022/10/remote-code-execution-in-zimbra-collab… ∗∗∗ Fortinet warns admins to patch critical auth bypass bug immediately ∗∗∗ --------------------------------------------- Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fortinet-warns-admins-to-pat… ∗∗∗ Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes ∗∗∗ --------------------------------------------- An attacker may trivially bypass the use of InetAddress::getAllByName to validate inputs. Note: As input validation is not an appropriate mechanism to protect against injection attacks — as opposed to output encoding and Harvard architecture-style APIs — this issue is itself considered to be of Low risk as code relying on the documented validation for such purposes should be considered insecure regardless of this issue. --------------------------------------------- https://research.nccgroup.com/2022/10/06/technical-advisory-openjdk-weak-pa… ∗∗∗ Angreifer könnten Cisco-Admins manipulierte Updates unterschieben ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem Cisco Expressway Series und TelePresence Video Communication Server erschienen. --------------------------------------------- https://heise.de/-7286880 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dbus, isc-dhcp, and strongswan), Fedora (booth, php, php-twig, php-twig2, and php-twig3), Oracle (expat, prometheus-jmx-exporter, and squid), Red Hat (expat, openvswitch2.11, and squid), Scientific Linux (expat and squid), SUSE (exiv2, LibVNCServer, postgresql-jdbc, protobuf, python-PyJWT, python3, slurm, squid, and webkit2gtk3), and Ubuntu (libreoffice). --------------------------------------------- https://lwn.net/Articles/910606/ ∗∗∗ VMware Patches Code Execution Vulnerability in vCenter Server ∗∗∗ --------------------------------------------- Virtualization giant VMware on Thursday announced patches for a vCenter Server vulnerability that could lead to arbitrary code execution. A centralized management utility, the vCenter Server is used for controlling virtual machines and ESXi hosts, along with their dependent components. Tracked as CVE-2022-31680 (CVSS score of 7.2), the security bug is described as an unsafe deserialization vulnerability in the platform services controller (PSC). --------------------------------------------- https://www.securityweek.com/vmware-patches-code-execution-vulnerability-vc… ∗∗∗ Growi vulnerable to improper access control ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN00845253/ ∗∗∗ IPFire WebUI vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN15411362/ ∗∗∗ Security Bulletin: IBM InfoSphere Information Server Low Level Authenticated User Can View Higher Level User And Group Listing (CVE-2022-36772) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is affected by a session management vulnerability (CVE-2022-41291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: IBM Security QRadar Analyst Workflow app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analy… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1638 ∗∗∗ Avaya Aura Application Enablement Services: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1645 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2022
by Daily end-of-shift report 06 Oct '22

06 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-10-2022 18:00 − Donnerstag 06-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ikea Smart Light System Flaw Lets Attackers Turn Bulbs on Full Blast ∗∗∗ --------------------------------------------- With just one malformed Zigbee frame, attackers could take over certain Ikea smart lightbulbs, leaving users unable to turn the lights down. --------------------------------------------- https://www.darkreading.com/application-security/ikea-smart-light-system-fl… ∗∗∗ Ransomware: Sicherheitssoftware mit legitimem Treiber deaktiviert ∗∗∗ --------------------------------------------- Die Ransomware Blackbyte nutzt die Angriffstechnik Bring your own vulnerable Driver, um Antivirensoftware zu deaktivieren. --------------------------------------------- https://www.golem.de/news/ransomware-sicherheitssoftware-mit-legitimem-trei… ∗∗∗ A look at the 2020–2022 ATM/PoS malware landscape ∗∗∗ --------------------------------------------- We looked at the number of affected ATMs and PoS terminals, geography of attacks and threat families used by cybercriminals to target victims in 2020-2022. --------------------------------------------- https://securelist.com/atm-pos-malware-landscape-2020-2022/107656/ ∗∗∗ Detecting and preventing LSASS credential dumping attacks ∗∗∗ --------------------------------------------- In this blog, we share examples of various threat actors that we’ve recently observed using the LSASS credential dumping technique. [..] Finally, we offer additional recommendations to further harden systems and prevent attackers from taking advantage of possible misconfigurations should they fail to leverage credential dumping. --------------------------------------------- https://www.microsoft.com/security/blog/2022/10/05/detecting-and-preventing… ∗∗∗ MSSQL, meet Maggie ∗∗∗ --------------------------------------------- Continuing our monitoring of signed binaries, DCSO CyTec recently found a novel backdoor malware targeting Microsoft SQL servers. [Keine kompromittierten Systeme in AT angeführt, Anm. d. Red.] --------------------------------------------- https://medium.com/@DCSO_CyTec/mssql-meet-maggie-898773df3b01 ∗∗∗ CVE-2022–36635 — A SQL Injection in ZKSecurityBio to RCE ∗∗∗ --------------------------------------------- This is a write-up of CVE-2022–36635: SQLInjection found in a platform of physical security (access control, elevator control, guest management, patrol and parking management) called ZKSecurity Bio v4.1.3 and how it was used to obtain a RCE. --------------------------------------------- https://medium.com/stolabs/cve-2022-36635-a-sql-injection-in-zksecuritybio-… ∗∗∗ Exchange Zero-Day: Microsoft bessert Workaround erneut nach ∗∗∗ --------------------------------------------- Nachdem der erste Workaround für eine Exchange Zero-Day-Lücke wirkungslos war und Microsoft nachbesserte, hat der Hersteller abermals eine Korrektur vorgelegt. --------------------------------------------- https://heise.de/-7285558 ∗∗∗ Gratis Entschlüsselungstool: Lücke in Ransomwares der Hades-Familie entdeckt ∗∗∗ --------------------------------------------- Opfer einiger Erpressungstrojan der der Hades-Familie wie MafiaWare666 können unter bestimmten Voraussetzungen wieder auf ihre Daten zugreifen. --------------------------------------------- https://heise.de/-7285784 ∗∗∗ Melting the DNS Iceberg: Taking over your infrastructure Kaminsky style ∗∗∗ --------------------------------------------- Hidden DNS resolvers and how to compromise your infrastructure --------------------------------------------- https://sec-consult.com/blog/detail/melting-the-dns-iceberg-taking-over-you… ∗∗∗ ESET Threat Report T2 2022 ∗∗∗ --------------------------------------------- Ein Blick auf die Bedrohungslandschaft im zweiten Drittel des Jahres 2022 aus Sicht der ESET-Telemetrie und aus der Perspektive der ESET-Experten. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/10/05/eset-threat-report-t2-202… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2022-41343 - RCE via Phar Deserialisation (Dompdf) ∗∗∗ --------------------------------------------- Dompdf is a popular library in PHP used for rendering PDF files from HTML. Tanto Security disclosed a vulnerability in Dompdf affecting version 2.0.0 and below. The vulnerability was patched in Dompdf v2.0.1. We recommend all Dompdf users update to the latest version as soon as possible. --------------------------------------------- https://tantosec.com/blog/cve-2022-41343/ ∗∗∗ Cisco Security Advisories 2022-10-05 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (2 High, 7 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9 and nodejs), Red Hat (prometheus-jmx-exporter and squid), Slackware (dhcp), SUSE (pngcheck and sendmail), and Ubuntu (isc-dhcp, kitty, and linux-gcp-5.4). --------------------------------------------- https://lwn.net/Articles/910492/ ∗∗∗ Internet Systems Consortium DHCP: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Internet Systems Consortium DHCP ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1634 ∗∗∗ Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-busines… ∗∗∗ Security Bulletin: IBM QRadar DNS Analyzer App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-31129, CVE-2022-24785, CVE-2017-18214) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-dns-analyzer-a… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2021-40690, CVE-2022-25647, XFID: 233967) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM HTTP Server is vulnerable to arbitrary code execution due to Expat (CVE-2022-40674) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulner… ∗∗∗ K10812540: OpenJDK vulnerability CVE-2019-18197 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10812540?utm_source=f5support&utm_mediu… ∗∗∗ Rockwell Automation FactoryTalk VantagePoint ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-279-01 ∗∗∗ HIWIN Robot System Software (HRSS) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-279-02 ∗∗∗ Schwachstelle in SPRECON-V460 Visualisierungssoftware ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2022
by Daily end-of-shift report 05 Oct '22

05 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-10-2022 18:00 − Mittwoch 05-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exchange Zero-Day: Microsoft korrigiert Workaround ∗∗∗ --------------------------------------------- Der zuerst vorgeschlagene Workaround für die Zero-Day-Lücke ProxyNotShell in Exchange ließ sich einfach umgehen. Microsoft liefert eine korrigierte Fassung. --------------------------------------------- https://heise.de/-7284241 ∗∗∗ Ende von Basic Auth: Brute-Force-Angriffe auf Microsoft Exchange nehmen zu ∗∗∗ --------------------------------------------- Microsoft berichtet von vielen Angriffen auf E-Mail-Konten, die noch die einfache Authentifizierung nutzen. Kunden sollen rasch handeln. --------------------------------------------- https://www.golem.de/news/ende-von-basic-auth-brute-force-angriffe-auf-micr… ∗∗∗ Post-Exploitation Persistent Email Forwarder in Outlook Desktop ∗∗∗ --------------------------------------------- There is an exploitation method that can automatically forward emails CC’d to external addresses via an Outlook Desktop rule, even when this action is prevented on the corporate Exchange server. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/post-exploi… ∗∗∗ GandCrab bedroht Deutschland ∗∗∗ --------------------------------------------- Die Ransomware GandCrab dominiert in Deutschland, Österreich und der Schweiz die ESET Erkennungsstatistiken. Nahezu jeder vierte Ransomware-Fund geht auf GandCrab zurück. --------------------------------------------- https://www.zdnet.de/88403902/gandcrab-bedroht-deutschland/ ∗∗∗ Vorsicht vor Blackout-Shops wie dyn-amo.de und dynamos.at! ∗∗∗ --------------------------------------------- Immer wieder wird aktuell von der Möglichkeit kurzzeitiger Blackouts, also großflächiger Strom-, Internet- oder Heizungsausfälle berichtet. Unseriöse Online-Shops wie jene von ECOM4YOU, HAPPY SHOPPING oder Shopfactory24 GmbH bauen auf die Ängste ihrer Kundinnen und Kunden und bieten Notfall-Sets für Blackouts an. Vorsicht, wir haben es getestet: Die Produkte sind überteuert, die Lieferzeiten lang, die Qualität teils minderwertig und [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-blackout-shops-wie-dyn-… ∗∗∗ Shadowserver Alliance Launch ∗∗∗ --------------------------------------------- The Shadowserver Foundation today launched its new Alliance to Continue to Build a Safer, More Secure Internet. The new Shadowserver Alliance partner program will accelerate growth and scale up delivery of no cost cybersecurity and cyber threat intelligence services to internet defender organizations and law enforcement. The Alliance represents a significant expansion to Shadowservers freely provided internet security services and enables partners, [...] --------------------------------------------- https://www.shadowserver.org/news/shadowserver-alliance-launch/ ∗∗∗ Credential Harvesting with Telegram API, (Tue, Oct 4th) ∗∗∗ --------------------------------------------- Phishing emails are a daily occurrence and many times it ends with credential harvesting. An email initially lures a user to a website that promised an anticipated file. The landing page taunts a user to click on an additional link and enter their credentials. In this case, the credentials entered by the user are not sent back to the bad actor using a simple web form but using the Telegram API [1]. --------------------------------------------- https://isc.sans.edu/diary/rss/29112 ∗∗∗ How to Secure & Harden Your Joomla! Website in 12 Steps ∗∗∗ --------------------------------------------- At Sucuri, we’re often asked how website owners and webmasters can secure their websites. However, advice can often be too broad; different content management systems (CMS) exist in this ecosystem and each require a unique security configuration. --------------------------------------------- https://blog.sucuri.net/2022/10/how-to-secure-harden-your-joomla-website-in… ∗∗∗ Securing Developer Tools: A New Supply Chain Attack on PHP ∗∗∗ --------------------------------------------- Supply chain attacks are a hot topic for development organizations today. Last year, in the largest ever software supply chain attack, a backdoor infected 18,000 SolarWinds customers. Earlier this year, a security researcher was able to breach Apple, Microsoft, Paypal, and other tech giants using a new supply chain attack technique. --------------------------------------------- https://blog.sonarsource.com/securing-developer-tools-a-new-supply-chain-at… ∗∗∗ Our Fox-IT Dissect framework for forensic data collection, now open source ∗∗∗ --------------------------------------------- Dissect is a framework for collecting and analysing large amounts of forensic data. A game changer in cyber incident response, it enables data acquisition on thousands of systems within hours, regardless of the nature and size of the IT environment to be investigated after an attack. --------------------------------------------- https://www.mynewsdesk.com/nccgroup/pressreleases/our-fox-it-dissect-framew… ∗∗∗ Change in Magniber Ransomware (*.js → *.wsf) – September 28th ∗∗∗ --------------------------------------------- The ASEC analysis team has explained through the blog post on September 8th that the Magniber ransomware has changed from having a CPL extension to a JSE extension. The attacker made another change after September 8th, changing the file extension from JSE to JS on September 16th. And on September 28th, the attacker changed the distribution method once again, changing the file extension from JS to WSF. It seems the attacker is continuously distributing variations to bypass various detection [...] --------------------------------------------- https://asec.ahnlab.com/en/39489/ ∗∗∗ How Water Labbu Exploits Electron-Based Applications ∗∗∗ --------------------------------------------- In the second part of our Water Labbu blog series, we explore how the threat actor exploits Electron-based applications using Cobalt Strike to deploy backdoors. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/how-water-labbu-exploits-ele… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Angreifer könnten ihre Rechte unter Android 10 bis 13 hochstufen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen zum Teil kritische Lücken in verschiedenen Android-Versionen. --------------------------------------------- https://heise.de/-7284409 ∗∗∗ Aruba: Kritische Sicherheitslücke in Access Points ∗∗∗ --------------------------------------------- Aruba warnt vor kritischen Sicherheitslücken in den eigenen Access Points. --------------------------------------------- https://heise.de/-7284335 ∗∗∗ IBM Security Bulletins 2022-10-04 ∗∗∗ --------------------------------------------- IBM Tivoli Netcool Impact, IBM Tivoli Business Service Manage, IBM Tivoli Monitoring, IBM WebSphere Application Server Liberty, IBM QRadar SIEM, IBM Security Guardium, Rational Business Developer, IBM Cloud Pak for Watson, IBM i Modernization Engine, IBM CICS TX Advanced, IBM Planning Analytics Workspace, IBM Security Guardium. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (barbican, mediawiki, and php-twig), Fedora (bash, chromium, lighttpd, postgresql-jdbc, and scala), Mageia (bash, chromium-browser-stable, and golang), Oracle (bind, bind9.16, and squid:4), Red Hat (bind, bind9.16, RHSSO, and squid:4), Scientific Linux (bind), SUSE (cifs-utils, libjpeg-turbo, nodejs14, and nodejs16), and Ubuntu (jackd2, linux-gke, and linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/910395/ ∗∗∗ SA45476 - Client Side Desync Attack (Informational) ∗∗∗ --------------------------------------------- The deprecated Pulse Collaboration feature is vulnerable to Client-Side Desync attacks on versions of PCS 9.1R15 and below. --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/Client-Side-D… ∗∗∗ OpenSSH: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1621 ∗∗∗ Keycloak: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1624 ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1625 ∗∗∗ Matomo: Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1626 ∗∗∗ BD Totalys MultiProcessor ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-277-01 ∗∗∗ Johnson Controls Metasys ADX Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-01 ∗∗∗ Hitachi Energy Modular Switchgear Monitoring (MSM) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-02 ∗∗∗ Horner Automation Cscape ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-03 ∗∗∗ OMRON CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-277-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily