- Daily - CERT.at

Tageszusammenfassung - 04.10.2022
by Daily end-of-shift report 04 Oct '22

04 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Montag 03-10-2022 18:00 − Dienstag 04-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Live support service hacked to spread malware in supply chain attack ∗∗∗ --------------------------------------------- The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) that businesses use for customer communication and website visitors, was trojanized as part of a new supply-chain attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/live-support-service-hacked-… ∗∗∗ Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub ∗∗∗ --------------------------------------------- Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-microsoft-exchange-prox… ∗∗∗ OnionPoison: infected Tor Browser installer distributed through popular YouTube channel ∗∗∗ --------------------------------------------- Kaspersky researchers detected OnionPoison campaign: malicious Tor Browser installer spreading through a popular YouTube channel and targeting Chinese users. --------------------------------------------- https://securelist.com/onionpoison-infected-tor-browser-installer-youtube/1… ∗∗∗ CISA verdonnert US-Behörden zu besserer Netzwerkkontrolle ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA hat eine verbindliche Direktive erlassen. Nach der müssen alle Bundesbehörden ihre Netzwerke regelmäßig untersuchen. --------------------------------------------- https://heise.de/-7283699 ∗∗∗ Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices ∗∗∗ --------------------------------------------- NXP’s HABv4 API documentation references a now-mitigated defect in ROM-resident High Assurance Boot (HAB) functionality present in devices with HAB version < 4.3.7. I could find no further public documentation on whether this constituted a vulnerability or an otherwise “uninteresting” errata item, so I analyzed it myself! --------------------------------------------- https://research.nccgroup.com/2022/10/03/shining-new-light-on-an-old-rom-vu… ∗∗∗ Mit tragbaren Heizgeräten Strom sparen? Fallen Sie nicht auf dieses Fake-Produkt herein! ∗∗∗ --------------------------------------------- Online-Shops wie ultraheatpro.com und valty-heater.com bewerben aktuell einen Stecker, der Räume in weniger als 2 Minuten aufheizt. Die sehr kleinen und kabellosen Heizgeräte verbrauchen angeblich kaum Strom, reduzieren Heizkosten und verursachen keinen Lärm. Beim Kauf dieser „Wundergeräte“ verschwenden Sie aber Ihr Geld, denn Sie bekommen, wenn überhaupt, ein funktionsloses Gerät zugesendet. --------------------------------------------- https://www.watchlist-internet.at/news/mit-tragbaren-heizgeraeten-strom-spa… ∗∗∗ Developer account body snatchers pose risks to the software supply chain ∗∗∗ --------------------------------------------- Over the past several years, high-profile software supply chain attacks have increased in frequency. These attacks can be difficult to detect and source code repositories became a key focus of this research. Developer account takeovers present a substantial risk to the software supply chain because attackers who successfully compromise a developer account could conceal malicious code in software packages used by others. --------------------------------------------- http://blog.talosintelligence.com/2022/10/developer-account-body-snatchers-… ∗∗∗ Tracking Earth Aughisky’s Malware and Changes ∗∗∗ --------------------------------------------- For over 10 years, security researchers have been observing and keeping tabs of APT group Earth Aughisky’s malware families and the connections, including previously documented malware that have yet to be attributed. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-mal… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-10-03 ∗∗∗ --------------------------------------------- IBM Robotic Process Automation, IBM WebSphere Application Server Liberty, IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, Content Manager OnDemand z/OS, IBM Spectrum Copy Data Management, CloudPak for Watson AIOPs, IBM MaaS360, Tivoli Netcool/OMNIbus WebGUI, CP4D Match 360. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (barbican), Fedora (libdxfrw, librecad, and python-oauthlib), Oracle (bind), Red Hat (bind and rh-python38-python), SUSE (bind, chromium, colord, libcroco, libgit2, lighttpd, nodejs12, python, python3, slurm, slurm_20_02, and webkit2gtk3), and Ubuntu (linux-azure, python-django, strongswan, and wayland). --------------------------------------------- https://lwn.net/Articles/910300/ ∗∗∗ Aruba ArubaOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Aruba ArubaOS ausnutzen, um beliebigen Programmcode auszuführen, einen Denial-of-Service-Zustand herbeizuführen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1606 ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in MediaWiki ausnutzen, um Sicherheitsvorkehrungen zu umgehen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1604 ∗∗∗ Hitachi Storage: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Hitachi Storage ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1601 ∗∗∗ FasterXML Jackson: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in FasterXML Jackson ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1608 ∗∗∗ Netgate pfSense: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Netgate pfSense ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1609 ∗∗∗ Android-Sicherheitsbulletin – Oktober 2022 ∗∗∗ --------------------------------------------- https://source.android.com/docs/security/bulletin/2022-10-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2022
by Daily end-of-shift report 03 Oct '22

03 Oct '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 30-09-2022 18:00 − Montag 03-10-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server ∗∗∗ --------------------------------------------- October 2, 2022 updates: Added to the Mitigations section: we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is here. Updated Detection section to refer to Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and [...] --------------------------------------------- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-z… ∗∗∗ Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 ∗∗∗ --------------------------------------------- MSTIC observed activity related to a single activity group in August 2022 that achieved initial access and compromised Exchange servers by chaining CVE-2022-41040 and CVE-2022-41082 in a small number of targeted attacks. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-… ∗∗∗ Achtung, Phishing boomt! Security-Checkliste zu den 6 meist verbreiteten Methoden ∗∗∗ --------------------------------------------- Dass Phishing derzeit besonders häufig von Cyberkriminellen eingesetzt wird, um in IT-Systeme einzudringen, belegen viele aktuelle Statistiken. --------------------------------------------- https://sec-consult.com/de/blog/detail/6-common-types-of-phishing-attacks/ ∗∗∗ Sicherheitsupdate Drupal: Angreifer könnten auf Zugangsdaten zugreifen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für das Content Management System Drupal. --------------------------------------------- https://heise.de/-7282401 ∗∗∗ Jetzt patchen! Attacken auf Atlassian Bitbucket Server ∗∗∗ --------------------------------------------- Sicherheitsforscher und eine US-Sicherheitsbehörde warnen davor, dass Angreifer Bitbucket Server im Visier haben. --------------------------------------------- https://heise.de/-7282369 ∗∗∗ Backdoor in Windows-Logo versteckt ∗∗∗ --------------------------------------------- Eine Hackergruppe hat bei Angriffen auf Regierungen Steganografie verwendet, um Schadsoftware über harmlos aussehende Bitmaps nachzuladen. --------------------------------------------- https://heise.de/-7282730 ∗∗∗ Fake-Shops fälschen Klarna-Zahlungsprozess ∗∗∗ --------------------------------------------- Die Online-Shops schmitt-drogerie.com und ohnesorge-fachhandel.com sind betrügerisch. Produkte, die Sie hier bestellen, werden nicht geliefert. Die Bezahlung erfolgt angeblich per „Klarna Sofortüberweisung“. Doch Vorsicht: Der Zahlungsprozess wurde gefälscht. Sie sind nicht auf der echten Klarna-Zahlungsseite, sondern auf einer nachgebauten Website, mit der Ihre Bankdaten gestohlen werden. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-faelschen-klarna-zahlungs… ∗∗∗ 11 old software bugs that took way too long to squash ∗∗∗ --------------------------------------------- In 2021, a vulnerability was revealed in a system that lay at the foundation of modern computing. An attacker could force the system to execute arbitrary code. Shockingly, the vulnerable code was almost 54 years old—and there was no patch available, and no expectation that one would be forthcoming. Fortunately, thats because the system in question was Marvin Minskys 1967 implementation of a Universal Turing Machine, [...] --------------------------------------------- https://www.csoonline.com/article/3620948/10-old-software-bugs-that-took-wa… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-30 ∗∗∗ --------------------------------------------- IBM MQ, IBM Tivoli Monitoring Basic Services, IBM Event Streams, The IBM® Engineering Requirements Management, Rational Change Fix Pack, BM Tivoli Monitoring Data Provider, IBM Virtualization Engine, IBM Content Manager OnDemand, IBM Security Identity Governance and Intelligence, IBM Robotic Process Automation, IBM Jazz Technology, IBM Tivoli Composite Application Manager, IBM Case Manager, IBM Cloud Pak for Business Automation, Rational Synergy. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ macOS: Apps können Festplattenvollzugriff des Terminals missbrauchen ∗∗∗ --------------------------------------------- Programme, die nicht in einer Sandbox laufen, können den Systemschutz TCC von macOS umgehen, sobald man dem Terminal Festplattenvollzugriff gestattet. --------------------------------------------- https://heise.de/-7282104 ∗∗∗ Thunderbird: Angreifer könnten Absender verschlüsselter Nachrichten fälschen ∗∗∗ --------------------------------------------- Sicherheitslücken im Matrix-Chat-SDK machen den Mail-Client Thunderbird verwundbar. Eine aktualisierte Version schafft Abhilfe. --------------------------------------------- https://heise.de/-7282339 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, gdal, kernel, libdatetime-timezone-perl, libhttp-daemon-perl, lighttpd, mariadb-10.3, node-thenify, snakeyaml, tinyxml, and tzdata), Fedora (enlightenment, kitty, and thunderbird), Mageia (expat, firejail, libjpeg, nodejs, perl-HTTP-Daemon, python-mako, squid, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (buildah, connman, cosign, expat, ImageMagick, python36, python39, slurm, and webkit2gtk3), and Ubuntu (linux, [...] --------------------------------------------- https://lwn.net/Articles/910161/ ∗∗∗ K21600298: OpenSSL vulnerabilities CVE-2022-1292 and CVE-2022-2068 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21600298?utm_source=f5support&utm_mediu… ∗∗∗ Update - 0-day Exploit Remote Code Execution in Microsoft Exchange On-Premise – Workaround verfügbar ∗∗∗ --------------------------------------------- https://cert.at/de/warnungen/2022/10/0-day-exploit-remote-code-execution-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.09.2022
by Daily end-of-shift report 30 Sep '22

30 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 29-09-2022 18:00 − Freitag 30-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Zero-Day-Attacken auf Microsoft Exchange Server – Sicherheitspatches fehlen ∗∗∗ --------------------------------------------- Aufgrund von Angriffen und bislang fehlenden Patches sollten Admins Exchange Server über einen Workaround absichern. --------------------------------------------- https://heise.de/-7280460 ∗∗∗ Microsoft warnt: Angriffe mit Linkedin und präparierter Open-Source-Software ∗∗∗ --------------------------------------------- Laut Microsoft führen staatliche Hacker derzeit Angriffe auf Linkedin durch. Dabei arbeiten sie mit um Schadfunktionen erweiterter Open-Source-Software. --------------------------------------------- https://www.golem.de/news/microsoft-warnt-angriffe-mit-linkedin-und-praepar… ∗∗∗ Hacking group hides backdoor malware inside Windows logo image ∗∗∗ --------------------------------------------- Security researchers have discovered a malicious campaign by the Witchetty hacking group, which uses steganography to hide a backdoor malware in a Windows logo. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacking-group-hides-backdoor… ∗∗∗ Detecting Mimikatz with Busylight ∗∗∗ --------------------------------------------- In 2015 Raphael Mudge released an article [1] that detailed that versions of mimikatz released after 8th of October, 2015 had a new module that was utilising certain types of external USB devices to flash lights in different colours if mimikatz was executed. The technique presented in the article required certain kind of busylights that [...] --------------------------------------------- https://research.nccgroup.com/2022/09/30/detecting-mimikatz-with-busylight/ ∗∗∗ CISA Publishes User Guide to Prepare for Nov. 1 Move to TLP 2.0 ∗∗∗ --------------------------------------------- CISA has published its Traffic Light Protocol 2.0 User Guide and Traffic Light Protocol: Moving to Version 2.0 fact sheet in preparation for its November 1, 2022 move from Traffic Light Protocol (TLP) Version 1.0 to TLP 2.0. Managed by the Forum of Incident Response and Security Teams (FIRST), TLP is a system of markings that communicates information sharing permissions. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/29/cisa-publishes-us… ∗∗∗ Mandiant, VMware und US-CERT warnen vor Malware, die auf VMware ESXi Server zielt ∗∗∗ --------------------------------------------- Der von Google übernommene Sicherheitsanbieter Mandiant ist auf eine neue Malware-Familie (VirtualPITA, VirtualPIE und VirtualGATE) gestoßen, die es auf Virtualisierunglösungen wie VMware ESXi Server abgesehen hat und spezialisierte Techniken zum Eindringen verwendet. VMware hat einen entsprechenden Sicherheitshinweis veröffentlicht, [...] --------------------------------------------- https://www.borncity.com/blog/2022/09/30/mandiant-vmware-und-us-cert-warnen… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1325: SolarWinds Network Performance Monitor UpdateActionsDescriptions SQL Injection Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on affected installations of SolarWinds Network Performance Monitor. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1325/ ∗∗∗ IBM Security Bulletins 2022-09-29 ∗∗∗ --------------------------------------------- IBM Robotic Process Automation, Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint, Content Collector for IBM Connections, IBM Spectrum Fusion HCI, IBM MQ, IBM MQ Blockchain bridge, IBM QRadar User Behavior Analytics. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libsndfile and libvncserver), Fedora (bash), Red Hat (httpd24-httpd, java-1.7.1-ibm, and java-1.8.0-ibm), and SUSE (krb5-appl, libjpeg-turbo, python310, and slurm_20_02). --------------------------------------------- https://lwn.net/Articles/909947/ ∗∗∗ GitLab: Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1582 ∗∗∗ vim: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1584 ∗∗∗ F-Secure und WithSecure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in F-Secure und WithSecure Produkten ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1591 ∗∗∗ BookStack vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78862034/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.09.2022
by Daily end-of-shift report 29 Sep '22

29 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 28-09-2022 18:00 − Donnerstag 29-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ New Royal Ransomware emerges in multi-million dollar attacks ∗∗∗ --------------------------------------------- A new ransomware operation named Royal is quickly ramping up, targeting corporations with ransom demands ranging from $250,000 to over $2 million. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-royal-ransomware-emerges… ∗∗∗ The secrets of Schneider Electric’s UMAS protocol ∗∗∗ --------------------------------------------- Kaspersky ICS CERT report on vulnerabilities in Schneider Electrics engineering software that enables UMAS protocol abuse. --------------------------------------------- https://securelist.com/the-secrets-of-schneider-electrics-umas-protocol/107… ∗∗∗ Report Shows How Long It Takes Ethical Hackers to Execute Attacks ∗∗∗ --------------------------------------------- A survey of more than 300 ethical hackers conducted by cybersecurity companies Bishop Fox and SANS Institute found that many could execute an end-to-end attack in less than a day. --------------------------------------------- https://www.securityweek.com/report-shows-how-long-it-takes-ethical-hackers… ∗∗∗ Exchange Health Checker – Script-Erweiterungen von Frank Zöchling ∗∗∗ --------------------------------------------- Von Microsoft gibt es den Exchange Health Checker, ein PowerShell-Script zur Überprüfung von On-Premises Exchange-Installationen auf Probleme. Das Script wird durch Microsoft wohl kontinuierlich weiter entwickelt. Frank Zöchling hat sich das Thema jetzt mal vorgenommen und das Ganze um ein Script erweitert, um wichtige Einstellungen beim Prüfen einer Exchange-Installation automatisch vorzunehmen. --------------------------------------------- https://www.borncity.com/blog/2022/09/29/exchange-health-checker-script-erw… ===================== = Vulnerabilities = ===================== ∗∗∗ New malware backdoors VMware ESXi servers to hijack virtual machines ∗∗∗ --------------------------------------------- Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malware-backdoors-vmware… ∗∗∗ Root-Lücke: Selbstheilungsfunktion gefährdet Cisco-Netzwerkhardware ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Lücken in Ciscos Netzwerkbetriebssystem IOS und weiterer Software. --------------------------------------------- https://heise.de/-7279116 ∗∗∗ Matrix chat encryption sunk by five now-patched holes ∗∗∗ --------------------------------------------- You take the green pill, youll spend six hours in a dont roll your own crypto debate. Four security researchers have identified five cryptographic vulnerabilities in code libraries that can be exploited to undermine Matrix encrypted chat clients. --------------------------------------------- https://www.theregister.com/2022/09/28/matrix_encryption_flaws/ ∗∗∗ IBM Security Bulletins 2022-09-28 ∗∗∗ --------------------------------------------- IBM Content Manager OnDemand, SPSS Collaboration and Deployment Services, IBM Decision Optimization Center, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Space Management, IBM Spectrum Protect for Virtual Environments, IBM MQ Operator and Queue manager container images, TXSeries, Rational Service Tester, IBM ILOG CPLEX Optimization Studio, IBM CICS TX Standard and Advanced, IBM SDK, Enterprise Content Management System Monitor, AIX, IBM Robotic Process Automation, IBM WebSphere Application Server Liberty. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, lighttpd, and webkit2gtk), Fedora (firefox, gajim, libofx, and python-nbxmpp), Gentoo (bluez, chromium, expat, firefox, go, graphicsmagick, kitty, php, poppler, redis, thunderbird, and zutty), Oracle (firefox and thunderbird), Red Hat (kernel), Slackware (xorg), SUSE (expat, libostree, lighttpd, python3-lxml, rust1.62, slurm, slurm_18_08, and vsftpd), and Ubuntu (libxi, linux-gcp, postgresql-9.5, and sqlite3). --------------------------------------------- https://lwn.net/Articles/909870/ ∗∗∗ Drupal Updates Patch Vulnerability in Twig Template Engine ∗∗∗ --------------------------------------------- Updates announced for Drupal this week address a severe vulnerability in Twig that could lead to the leakage of sensitive information. --------------------------------------------- https://www.securityweek.com/drupal-updates-patch-vulnerability-twig-templa… ∗∗∗ PHP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in PHP ausnutzen, um einen Denial of Service Angriff durchzuführen und um Sicherheitsmechanismen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1567 ∗∗∗ Notepad++: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Notepad++ ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1559 ∗∗∗ Apache Tomcat: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache Tomcat ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1558 ∗∗∗ xpdf: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in xpdf ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1570 ∗∗∗ Thunderbird 102.3.1 freigegeben ∗∗∗ --------------------------------------------- Die Entwickler des Thunderbird haben zum 28. September 2022 ein weiteres Update des E-Mail Client auf die Version 102.3.1 freigegeben. Es ist ein Bug-Fix-Update, welches eine Reihe an Problemen und Schwachstellen beheben soll. --------------------------------------------- https://www.borncity.com/blog/2022/09/29/thunderbird-102-3-1-freigegeben/ ∗∗∗ CVE-2022-37461: Two Reflected XSS Vulnerabilities in Canon Medical’s Vitrea View ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-37… ∗∗∗ Hitachi Energy MicroSCADA Pro X SYS600_8DBD000107 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-272-02 ∗∗∗ Hitachi Energy MicroSCADA Pro X SYS600_8DBD000106 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-272-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.09.2022
by Daily end-of-shift report 28 Sep '22

28 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 27-09-2022 18:00 − Mittwoch 28-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft to retire Exchange Online client access rules in a year ∗∗∗ --------------------------------------------- Microsoft announced today that it will retire Client Access Rules (CARs) in Exchange Online within a year, by September 2023. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-to-retire-exchang… ∗∗∗ Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks ∗∗∗ --------------------------------------------- The relatively new Bl00Dy Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. --------------------------------------------- https://www.bleepingcomputer.com/news/security/leaked-lockbit-30-builder-us… ∗∗∗ Prilex: the pricey prickle credit card complex ∗∗∗ --------------------------------------------- Prilex is a Brazilian threat actor focusing on ATM and PoS attacks. In this report, we provide an overview of its PoS malware. --------------------------------------------- https://securelist.com/prilex-atm-pos-malware-evolution/107551/ ∗∗∗ New Malware Variants Serve Bogus CloudFlare DDoS Captcha ∗∗∗ --------------------------------------------- When attackers shift up their campaigns, change their payload or exfiltration domains, and put some extra effort into hiding their malware it’s usually a telltale sign that they are making some money off of their exploits. One such campaign is the fake CloudFlare DDoS pages which we reported on last month. --------------------------------------------- https://blog.sucuri.net/2022/09/new-malware-variants-serve-bogus-cloudflare… ∗∗∗ Researchers Warn of New Go-based Malware Targeting Windows and Linux Systems ∗∗∗ --------------------------------------------- A new, multi-functional Go-based malware dubbed Chaos has been rapidly growing in volume in recent months to ensnare a wide range of Windows, Linux, small office/home office (SOHO) routers, and enterprise servers into its botnet. --------------------------------------------- https://thehackernews.com/2022/09/researchers-warn-of-new-go-based.html ∗∗∗ Zielscheibe Open-Source-Paket: Angriffe 700 Prozent häufiger als vor drei Jahren ∗∗∗ --------------------------------------------- Open-Source-Repositories werden immer häufiger zum Angriffsziel Krimineller. Allein im letzten Jahr hat Sonatype über 55.000 infizierte Pakete identifiziert. --------------------------------------------- https://heise.de/-7278355 ∗∗∗ Attacking Encrypted HTTP Communications ∗∗∗ --------------------------------------------- The Reolink RLC-520A PoE camera obfuscates its HTTP communication by encrypting the POST body data. This level of security does defend against opportunistic attackers but falls short when defending against persistent attackers. --------------------------------------------- https://www.pentestpartners.com/security-blog/attacking-encrypted-http-comm… ∗∗∗ Decrypt “encrypted stub data” in Wireshark ∗∗∗ --------------------------------------------- I often use Wireshark to analyze Windows and Active Directory network protocols, especially those juicy RPC But I’m often interrupted in my enthusiasm by the payload dissected as “encrypted stub data”: Can we decrypt this “encrypted stub data?” --------------------------------------------- https://medium.com/tenable-techblog/decrypt-encrypted-stub-data-in-wireshar… ∗∗∗ Stories from the SOC - C2 over port 22 ∗∗∗ --------------------------------------------- The Mirai botnet is infamous for the impact and the everlasting effect it has had on the world. Since the inception and discovery of this malware in 2016, to present day and all the permutations that have spawned as a result, cybersecurity professionals have been keeping a keen eye on this form of Command and Control (C2 or CnC) malware and associated addresses. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#855201: L2 network security controls can be bypassed using VLAN 0 stacking and/or 802.3 headers ∗∗∗ --------------------------------------------- OverviewLayer-2 (L2) network security controls provided by various devices, such as switches, routers, and operating systems, can be bypassed by stacking Ethernet protocol headers. An attacker can send crafted packets through vulnerable devices to cause Denial-of-service (DoS) or to perform a man-in-the-middle (MitM) attack against a target network. This vulnerability exists within Ethernet encapsulation protocols that allow for stacking of Virtual Local Area Network (VLAN) headers. --------------------------------------------- https://kb.cert.org/vuls/id/855201 ∗∗∗ Cisco Security Advisories 2022-09-27 - 2022-09-28 ∗∗∗ --------------------------------------------- Cisco published 23 Security Advisories (13 High, 10 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Webbrowser Chrome 106: Neue Funktionen und 20 abgedichtete Sicherheitslecks ∗∗∗ --------------------------------------------- Google bessert 20 teils hochriskante Sicherheitslücken im Webbrowser Chrome aus. Zudem erhält der Browser neue Funktionen und Verbesserungen. --------------------------------------------- https://heise.de/-7277825 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdal, maven-shared-utils, thunderbird, webkit2gtk, and wpewebkit), Fedora (firefox and libofx), SUSE (dpdk, firefox, flatpak, grafana, kernel, libcaca, and opera), and Ubuntu (ghostscript and linux-gcp-5.15). --------------------------------------------- https://lwn.net/Articles/909676/ ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1552 ∗∗∗ Security Bulletin: A Security Vulnerability was fixed in IBM Application Gateway. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Server-Side Request Forgery (CVE-2022-35282) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Information disclosure vulnerability in IBM QRadar User Behavior Analytics (CVE-2022-36771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to identity spoofing by an authenticated user using a specially crafted request. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to HTTP header injection, caused by improper validation. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affect IBM Decision Optimization Center (CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to stored cross-site scripting (CVE-2022-35722) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin:IBM TRIRIGA Application Platform discloses possible path command execution(CVE-2021-41878) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-tririga-application-pl… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable, Eclipse Paho Java client could allow a remote attacker to bypass security restrictions. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1549 ∗∗∗ Moodle: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1546 ∗∗∗ Check Point ZoneAlarm Extreme Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1544 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.09.2022
by Daily end-of-shift report 27 Sep '22

27 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 26-09-2022 18:00 − Dienstag 27-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers use PowerPoint files for mouseover malware delivery ∗∗∗ --------------------------------------------- The threat actor lures targets with a PowerPoint (.PPT) file allegedly linked to the Organization for Economic Co-operation and Development (OECD), an intergovernmental organization working towards stimulating economic progress and trade worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-powerpoint-files… ∗∗∗ New Erbium password-stealing malware spreads as game cracks, cheats ∗∗∗ --------------------------------------------- The new Erbium information-stealing malware is being distributed as fake cracks and cheats for popular video games to steal victims credentials and cryptocurrency wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-erbium-password-stealing… ∗∗∗ Pass-the-Hash Attacks and How to Prevent them in Windows Domains ∗∗∗ --------------------------------------------- Hackers often start out with nothing more than a low-level user account and then work to gain additional privileges that will allow them to take over the network. One of the methods that is commonly used to acquire these privileges is a pass-the-hash attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pass-the-hash-attacks-and-ho… ∗∗∗ Anlagebetrug: Vorsicht vor Diensten, die Ihnen helfen wollen, Ihr verlorenes Geld zurückzubekommen ∗∗∗ --------------------------------------------- Haben Sie bei einer betrügerischen Investmentplattform Geld verloren? Dann nehmen Sie sich vor Folgebetrug in Acht. Kriminelle bewerben Dienstleistung, die Ihnen angeblich dabei helfen, Ihr verlorenes Geld zurückzubekommen. Angebote von finanzaufsicht.com oder firstmoneyback.com sind aber Fake! Sie werden erneut betrogen! --------------------------------------------- https://www.watchlist-internet.at/news/anlagebetrug-vorsicht-vor-diensten-d… ∗∗∗ More Than Meets the Eye: Exposing a Polyglot File That Delivers IcedID ∗∗∗ --------------------------------------------- Polyglot files, such as the malicious CHM file analyzed here, can be abused to hide from anti-malware systems that rely on file format identification. --------------------------------------------- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload/ ∗∗∗ What happens with a hacked Instagram account – and how to recover it ∗∗∗ --------------------------------------------- Had your Instagram account stolen? Don’t panic – here’s how to get your account back and how to avoid getting hacked (again). --------------------------------------------- https://www.welivesecurity.com/2022/09/26/what-happens-hacked-instagram-acc… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dovecot and firefox-esr), Fedora (firefox and grafana), Red Hat (firefox and thunderbird), Slackware (dnsmasq and vim), SUSE (dpdk, firefox, kernel, libarchive, libcaca, mariadb, openvswitch, opera, permissions, podofo, snakeyaml, sqlite3, unzip, and vsftpd), and Ubuntu (expat, libvpx, linux-azure-fde, linux-oracle, squid, squid3, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/909576/ ∗∗∗ SECURITY - ABB Central Licensing System Vulnerabilities, impact on ABB Ability SCADAvantage ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A3198&Lan… ∗∗∗ Security Bulletin: A vulnerability in Apache Commons Fileupload affects IBM Tivoli Business Service Manager (CVE-2013-2186, CVE-2013-0248, CVE-2016-3092, CVE-2014-0050, 220723) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: A vulnerability in FasterXML Woodstox affects IBM Tivoli Business Service Manager (220573) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-faster… ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1541 ∗∗∗ Publish SBA-ADV-20220328-01: Vtiger CRM Stored Cross-Site Scripting ∗∗∗ --------------------------------------------- https://github.com/sbaresearch/advisories/commit/28e164f1cb73e4885a58616d1b… ∗∗∗ Hitachi Energy APM Edge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-02 ∗∗∗ Rockwell Automation ThinManager ThinServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-03 ∗∗∗ Hitachi Energy AFS660/AFS665 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-270-01 ∗∗∗ September 23rd 2022 Security Releases ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.09.2022
by Daily end-of-shift report 26 Sep '22

26 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 23-09-2022 18:00 − Montag 26-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ NullMixer: oodles of Trojans in a single dropper ∗∗∗ --------------------------------------------- NullMixer is a dropper delivering a number of Trojans, such as RedLine Stealer, SmokeLoader, Satacom, and others. --------------------------------------------- https://securelist.com/nullmixer-oodles-of-trojans-in-a-single-dropper/1074… ∗∗∗ Maldoc Analysis Info On MalwareBazaar, (Sat, Sep 24th) ∗∗∗ --------------------------------------------- When you lookup a malicious document sample on MalwareBazaar, like this sample, you can see analysis data from olevba and oledump. --------------------------------------------- https://isc.sans.edu/diary/rss/29084 ∗∗∗ Downloading Samples From Takendown Domains, (Sun, Sep 25th) ∗∗∗ --------------------------------------------- Sometimes I want to download a sample from a malicious server, but the domain name no longer resolves (it has been taken down). --------------------------------------------- https://isc.sans.edu/diary/rss/29086 ∗∗∗ Easy Python Sandbox Detection , (Mon, Sep 26th) ∗∗∗ --------------------------------------------- Many malicious Python scripts implement a sandbox detection mechanism, I already wrote diaries about this, but it requires some extra code in the script. Because we are lazy (attackers too), why not try to automate this and easily detect the presence of such a security mechanism? --------------------------------------------- https://isc.sans.edu/diary/rss/29090 ∗∗∗ 13,8 Millionen Downloads: Malware-Apps unter Android und iOS ∗∗∗ --------------------------------------------- Ein IT-Sicherheitsunternehmen hat Werbebetrugs-Apps in Google Play und im Apple Store gefunden, die auf insgesamt 13,8 Millionen Downloads kommen. --------------------------------------------- https://heise.de/-7275295 ∗∗∗ Ransomware: Nach Verschlüsseln kommt jetzt Kopieren & Zerstören ∗∗∗ --------------------------------------------- Das mit dem Verschlüsseln ist aufwendig und fehleranfällig – das denken sich wohl auch Cybercrime-Banden, die zuvor kopierte Daten unbrauchbar machen. --------------------------------------------- https://heise.de/-7275667 ∗∗∗ Microsoft Edge mit SOCKS Proxy über PuTTY / SSH nutzen ∗∗∗ --------------------------------------------- Microsoft Edge (dzt. geprüfte Versionen bis v107) bietet in den Einstellungen leider keine Nutzung von SOCKS-Proxys an. Edge unterstützt dies aber (obwohl sich hierzu in der offiziellen Doku leider nichts findet) über das CmdLine-Argument “--proxy-server“. --------------------------------------------- https://hitco.at/blog/microsoft-edge-socks-proxy-putty-ssh/ ∗∗∗ Betrügerisches Post-Gewinnspiel auf WhatsApp ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie auf WhatsApp ein Gewinnspiel mit dem Titel „Österreichische Post Staatliche Förderung“ erhalten. Dabei handelt es sich um Fake. Sie tappen entweder in eine Abo-Falle oder laden Schadsoftware herunter. Klicken Sie nicht auf den Link und löschen Sie die Nachricht. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerisches-post-gewinnspiel-auf… ∗∗∗ Hunting for Unsigned DLLs to Find APTs ∗∗∗ --------------------------------------------- Hunting for the loading of unsigned DLLs can help you identify attacks and threat actors in your environment. Our examples include well-known APTs. --------------------------------------------- https://unit42.paloaltonetworks.com/unsigned-dlls/ ∗∗∗ BumbleBee: Round Two ∗∗∗ --------------------------------------------- In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates. --------------------------------------------- https://thedfirreport.com/2022/09/26/bumblebee-round-two/ ∗∗∗ MISP 2.4.163 released with improved periodic notification system and many improvements ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.163 with an updated periodic notification systemand many improvements. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.163 ∗∗∗ Tell Me Where You Live and I Will Tell You About Your P@ssw0rd: Understanding the Macrosocial Factors Influencing Password’s Strength ∗∗∗ --------------------------------------------- Free Person Holding World Globe Facing Mountain Stock PhotoTo explore how a user’s environment influences password creation strategies, we present a blogpost series in which we consider several different perspectives – the macrosocial influence of your country (where you live), the influence of your peers (who your friends are), and a technical understanding of how they are attacked – to improve password security and mitigate the risk of poorly secured passwords. --------------------------------------------- https://www.gosecure.net/blog/2022/09/26/tell-me-where-you-live-and-i-will-… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Windows Shift F10 Bypass and Autopilot privilge escalation ∗∗∗ --------------------------------------------- This post demonstrates full chained exploitation, and it contains two steps. The second step is a known vulnerability, but there are other ways. --------------------------------------------- https://k4m1ll0.com/ShiftF10Bypass-and-privesc.html ∗∗∗ Sophos Firewalls: Kritische Sicherheitslücke wird angegriffen ∗∗∗ --------------------------------------------- Angreifer nutzen eine Schwachstelle in Sophos Firewalls aus, durch die sie eigenen Code auf verwundbare Maschinen schieben. Softwareflicken dichten das Leck ab. --------------------------------------------- https://heise.de/-7275195 ∗∗∗ Angreifer nisten sich in Exchange Online ein – mit bösartigen OAuth-Apps ∗∗∗ --------------------------------------------- Microsoft hat Angriffe auf Cloud-Exchange analysiert, bei denen Angreifer mit bösartigen OAuth-Apps nachhaltig Zugang erlangten und ihn für Spam missbrauchen. --------------------------------------------- https://heise.de/-7275757 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat and poppler), Fedora (dokuwiki), Gentoo (fetchmail, grub, harfbuzz, libaacplus, logcheck, mrxvt, oracle jdk/jre, rizin, smarty, and smokeping), Mageia (tcpreplay, thunderbird, and webkit2), SUSE (dpdk, permissions, postgresql14, puppet, and webkit2gtk3), and Ubuntu (linux-gkeop and sosreport). --------------------------------------------- https://lwn.net/Articles/909439/ ∗∗∗ Trend Micro Deep Security Agent: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Trend Micro Deep Security Agent ausnutzen, um Informationen offenzulegen oder seine Rechte zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1534 ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1535 ∗∗∗ WhatsApp: Zwei Schwachstellen ermöglichen Remote Code-Ausführung ∗∗∗ --------------------------------------------- Meta-Tochter WhatsApp warnt vor zwei Schwachstellen in seinen Apps für Android und iOS, die die Sicherheit der Benutzer gefährden. Beide Schwachstellen ermöglichen eine Remote Code-Ausführung – die Apps sollten also zeitnah aktualisiert werden. --------------------------------------------- https://www.borncity.com/blog/2022/09/26/whatsapp-zwei-schwachstellen-ermgl… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager vulnerable to denial of service due to Apache Shiro (CVE-2022-32532) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ Security Bulletin: Due to RPM, AIX is vulnerable to arbitrary code execution (CVE-2021-20271), RPM database corruption (CVE-2021-3421), and denial of service (CVE-2021-20266) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-rpm-aix-is-vulnera… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to a denial of service due to Vmware Tanzu Spring Framework (CVE-2022-22971) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Curl affect PowerSC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Carlo Gavazzi Controls: Multiple Vulnerabilities in Controller UWP 3.0 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-029/ ∗∗∗ CISA Has Added One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/23/cisa-has-added-on… ∗∗∗ Node.js: September 22nd 2022 Security Releases ∗∗∗ --------------------------------------------- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.09.2022
by Daily end-of-shift report 23 Sep '22

23 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 22-09-2022 18:00 − Freitag 23-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schadsoftware: Betrüger verteilen Malware mit gefälschten Zoom-Webseiten ∗∗∗ --------------------------------------------- Die Webseiten geben sich als Downloadseite für Zoom aus, doch verteilen sie eine Schadsoftware, die es auf Bankdaten abgesehen hat. --------------------------------------------- https://www.golem.de/news/schadsoftware-betrueger-verteilen-malware-mit-gef… ∗∗∗ Google Play Store: Trojaner Harly kommt auf 4,8 Millionen Downloads ∗∗∗ --------------------------------------------- Im Google Play Store entdeckt Kaspersky zahlreiche trojanisierte Apps, die den Schädling Harly enthalten. Der schließt kostenpflichtige Dienste-Abos ab. --------------------------------------------- https://heise.de/-7273522 ∗∗∗ Fingerabdruck & Co. - Wie funktionieren biometrische Anmeldeverfahren? ∗∗∗ --------------------------------------------- Ihre Augen können das Fenster zu Ihrer Seele sein, aber sie können auch Ihre Bordkarte für das Flugzeug oder der Schlüssel zum Entsperren Ihres Telefons sein. Welche Vor- und Nachteile birgt die Verwendung biometrischer Merkmale für die Authentifizierung? --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/09/22/fingerabdruck-co-wie-funk… ∗∗∗ Microsoft: Windows KB5017383 preview update added to WSUS by mistake ∗∗∗ --------------------------------------------- Microsoft says that KB5017383, this months Windows preview update, has been accidentally listed in Windows Server Update Services (WSUS) and may lead to security update install problems in some managed environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5017383… ∗∗∗ Malicious OAuth applications used to compromise email servers and spread spam ∗∗∗ --------------------------------------------- Microsoft discovered an attack where attackers installed a malicious OAuth application in compromised tenants and used their Exchange servers to launch spam runs. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/22/malicious-oauth-applicat… ∗∗∗ Kids Like Cookies, Malware Too!, (Fri, Sep 23rd) ∗∗∗ --------------------------------------------- Recently, a vulnerability has been disclosed by Vectra that affects Microsoft Teams[1], the very popular communication tool used daily by millions of people (me too). Security researchers found that Teams stores session tokens in clear text on the file system. I won't discuss the vulnerability here; read the blog post if you want to learn more. The critical element is that once the token has been stolen, an attacker can impersonate the user. --------------------------------------------- https://isc.sans.edu/diary/rss/29082 ∗∗∗ Hackers Using Fake CircleCI Notifications to Hack GitHub Accounts ∗∗∗ --------------------------------------------- GitHub has put out an advisory detailing what may be an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The Microsoft-owned code hosting service said it learned of the attack on September 16, 2022, adding the campaign impacted "many victim organizations. --------------------------------------------- https://thehackernews.com/2022/09/hackers-using-fake-circleci.html ∗∗∗ WAF bypasses via 0days ∗∗∗ --------------------------------------------- In May, I participated in 1337up0522 from Intigriti which was about hacking OWASP ModSecurity Core Rule Set (CRS). I’ve got 13 findings accepted including 3 exceptional, 2 critical, and 8 high severity vulnerabilities. In this article, I will showcase a couple of interesting findings. --------------------------------------------- https://terjanq.medium.com/waf-bypasses-via-0days-d4ef1f212ec ∗∗∗ Surge in Magento 2 template attacks ∗∗∗ --------------------------------------------- The critical template vulnerability in Magento 2 (CVE-2022-24086) is gaining popularity among eCommerce cyber criminals. The majority of recent Sansec forensic cases concern this attack method. In this article we share our findings of 3 template hacks, and hope it will help you if you are confronted with a similar attack. --------------------------------------------- https://sansec.io/research/magento-2-template-attacks ∗∗∗ Cross-Site Scripting: The Real WordPress Supervillain ∗∗∗ --------------------------------------------- Vulnerabilities are a fact of life for anyone managing a website, even when using a well-established content management system like WordPress. Not all vulnerabilities are equal, with some allowing access to sensitive data that would normally be hidden from public view, while others could allow a malicious actor to take full control of an affected [...] --------------------------------------------- https://www.wordfence.com/blog/2022/09/cross-site-scripting-the-real-wordpr… ∗∗∗ CISA Warns of Zoho ManageEngine RCE Vulnerability Exploitation ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned of cyberattacks targeting a recently addressed vulnerability in Zoho ManageEngine. --------------------------------------------- https://www.securityweek.com/cisa-warns-zoho-manageengine-rce-vulnerability… ∗∗∗ NSA and CISA: Heres how hackers are going after critical systems, and what you need to do about it ∗∗∗ --------------------------------------------- NSA and CISA offer some advice for critical infrastructure operators to protect their industrial control systems. --------------------------------------------- https://www.zdnet.com/article/nsa-and-cisa-heres-how-hackers-are-going-afte… ∗∗∗ Experts fear LockBit spread after ransomware builder leaked ∗∗∗ --------------------------------------------- A toolkit to create DIY versions of the LockBit ransomware has leaked, raising alarms among incident responders and cybersecurity experts warning of more widespread use in attacks. The leak, for the LockBit 3.0 ransomware encryptor, was announced on Wednesday by security researcher 3xp0rt. Several experts and researchers confirmed to The Record that the builder works [...] --------------------------------------------- https://therecord.media/experts-fear-lockbit-spread-after-ransomware-builde… ∗∗∗ FARGO Ransomware (Mallox) Being Distributed to Vulnerable MS-SQL Servers ∗∗∗ --------------------------------------------- The ASEC analysis team is constantly monitoring malware distributed to vulnerable MS-SQL servers. The analysis team has recently discovered the distribution of FARGO ransomware that is targeting vulnerable MS-SQL servers. Along with GlobeImposter, FARGO is one of the prominent ransomware that targets vulnerable MS-SQL servers. --------------------------------------------- https://asec.ahnlab.com/en/39152/ ===================== = Vulnerabilities = ===================== ∗∗∗ HP-Drucker: Kritische Lücke erlaubt Codeschmuggel in diversen Modellen ∗∗∗ --------------------------------------------- HP warnt vor Sicherheitslücken in zahlreichen Druckermodellen, die Angreifern das Einschleusen von Schadcode ermöglichen. Der Hersteller stellt Updates bereit. --------------------------------------------- https://heise.de/-7250538 ∗∗∗ IBM Security Bulletins 2022-09-22 ∗∗∗ --------------------------------------------- IBM CICS TX Advanced, IBM CICS TX Standard, IBM Common Cryptographic Architecture (CCA), IBM InfoSphere Information Server, IBM Jazz for Service Management, IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite, IBM Partner Engagement Manager, IBM Security Guardium, IBM Spectrum Control, Operations Dashboard, TXSeries for Multiplatforms, Watson Explorer and Watson Explorer Content Analytics Studio, z/Transaction Processing Facility --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, expat, firefox-esr, mediawiki, and unzip), Fedora (qemu and thunderbird), Oracle (webkit2gtk3), SUSE (ardana-ansible, ardana-cobbler, ardana-tempest, grafana, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-neutron-gbp, openstack-nova, python-Django1, rabbitmq-server, rubygem-puma, ardana-ansible, ardana-cobbler, grafana, openstack-heat-templates, openstack-murano, python-Django, rabbitmq-server, rubygem-puma, dpdk, [...] --------------------------------------------- https://lwn.net/Articles/909208/ ∗∗∗ New Firmware Vulnerabilities Affecting Millions of Devices Allow Persistent Access ∗∗∗ --------------------------------------------- Firmware security company Binarly has discovered another round of potentially serious firmware vulnerabilities that could allow an attacker to gain persistent access to any of the millions of affected devices. --------------------------------------------- https://www.securityweek.com/new-firmware-vulnerabilities-affecting-million… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.09.2022
by Daily end-of-shift report 22 Sep '22

22 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 21-09-2022 18:00 − Donnerstag 22-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ BlackCat ransomware’s data exfiltration tool gets an upgrade ∗∗∗ --------------------------------------------- The BlackCat ransomware (aka ALPHV) isnt showing any signs of slowing down, and the latest example of its evolution is a new version of the gangs data exfiltration tool used for double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackcat-ransomware-s-data-e… ∗∗∗ Critical Magento vulnerability targeted in new surge of attacks ∗∗∗ --------------------------------------------- Researchers have observed a surge in hacking attempts targeting CVE-2022-24086, a critical Magento 2 vulnerability allowing unauthenticated attackers to execute code on unpatched sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-magento-vulnerabili… ∗∗∗ RAT Delivered Through FODHelper , (Thu, Sep 22nd) ∗∗∗ --------------------------------------------- I found a simple batch file that drops a Remcos RAT through an old UAC Bypass technique. This technique is based on the "fodhelper" utility ("Features On Demand Helper"). --------------------------------------------- https://isc.sans.edu/diary/rss/29078 ∗∗∗ Researchers Disclose Critical Vulnerability in Oracle Cloud Infrastructure ∗∗∗ --------------------------------------------- Researchers have disclosed a new severe Oracle Cloud Infrastructure (OCI) vulnerability that could be exploited by users to access the virtual disks of other Oracle customers. --------------------------------------------- https://thehackernews.com/2022/09/researchers-disclose-critical.html ∗∗∗ Bypassing FileBlockExecutable in Sysmon 14.0: A Lesson In Analyzing Assumptions ∗∗∗ --------------------------------------------- Recently (in August of 2022), the Sysinternals team released Sysmon 14.0 – a notable update of a powerful and configurable tool for monitoring Windows machines. While Sysmon already included a few valuable detection capabilities, the update introduced the first preventive measure – the FileBlockExecutable event (ID 27). --------------------------------------------- https://www.huntandhackett.com/blog/bypassing-sysmon ∗∗∗ A technical analysis of the leaked LockBit 3.0 builder ∗∗∗ --------------------------------------------- This is our analysis of the LockBit 3.0 builder that was leaked online on September 21, 2022. --------------------------------------------- https://cybergeeks.tech/a-technical-analysis-of-the-leaked-lockbit-3-0-buil… ∗∗∗ You can’t stop me. MS Teams session hijacking and bypass ∗∗∗ --------------------------------------------- How cleartext session tokens are stored in an unsecured directory that can be stolen and used to impersonate a Teams user. --------------------------------------------- https://www.pentestpartners.com/security-blog/you-cant-stop-me-ms-teams-ses… ∗∗∗ Webinar: Love Scams im Internet erkennen ∗∗∗ --------------------------------------------- Am Mittwoch, den 28.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Love Scams" statt. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-love-scams-im-internet-erken… ∗∗∗ Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics ∗∗∗ --------------------------------------------- New version of Exmatter, and Eamfo malware, used by attackers deploying the Rust-based ransomware. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/no… ∗∗∗ AA22-265A: Control System Defense: Know the Opponent ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory, which builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure, describes TTPs that malicious actors use to compromise OT/ICS assets. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-265a ∗∗∗ MindShaRE: Analyzing BSD Kernels for Uninitialized Memory Disclosures using Binary Ninja ∗∗∗ --------------------------------------------- Disclosure of uninitialized memory is one of the common problems faced when copying data across trust boundaries. This can happen between the hypervisor and guest OS, kernel and user space, or across the network. --------------------------------------------- https://www.thezdi.com/blog/2022/9/19/mindshare-analyzing-bsd-kernels-with-… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-21 ∗∗∗ --------------------------------------------- IBM Security Guardium, IBM Cloud Pak for Multicloud Management Managed Services, IBM Tivoli Netcool Impact, IBM Maximo Asset Management, IBM Spectrum Protect Plus SQL. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Notfallpatch für Microsoft Endpoint Configuration Manager erschienen ∗∗∗ --------------------------------------------- Admins sollten die IT-Managementlösung Endpoint Configuration Manager von Microsoft aktualisieren. Es könnten Attacken bevorstehen. --------------------------------------------- https://heise.de/-7272195 ∗∗∗ Python: 15 Jahre alte Schwachstelle betrifft potenziell 350.000 Projekte ∗∗∗ --------------------------------------------- Das Issue zu der Directory-Traversal-Schwachstelle in dem Modul tarfile existiert seit 2007. Geschlossen wurde es mit einem Hinweis in der Dokumentation. --------------------------------------------- https://heise.de/-7272186 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (e17, fish, mako, and tinygltf), Fedora (mingw-poppler), Mageia (firefox, google-gson, libxslt, open-vm-tools, redis, and sofia-sip), Oracle (dbus-broker, kernel, kernel-container, mysql, and nodejs and nodejs-nodemon), Slackware (bind), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, containerized-data-importer, [...] --------------------------------------------- https://lwn.net/Articles/909051/ ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/09/22/technical-advisory-multiple-vulner… ∗∗∗ HP LaserJet: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1499 ∗∗∗ Measuresoft ScadaPro Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-265-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.09.2022
by Daily end-of-shift report 21 Sep '22

21 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 20-09-2022 18:00 − Mittwoch 21-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Angreifer könnten eigenen Code im Kontext von Thunderbird und Firefox ausführen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehrere Lücken im E-Mail-Client Thunderbird und den Webbrowsern Firefox und Firefox ESR. --------------------------------------------- https://heise.de/-7270944 ∗∗∗ Hinter Massenmails zu Paketzustellung und Lagergebühr steckt Betrug! ∗∗∗ --------------------------------------------- Aktuell erhalten unzählige Menschen eine personalisierte E-Mail zu einem Paket mit dem Betreff „Label/abgerissen/Zustellung“. Wegen unlesbarer Adresse sollen Sie einen Chat öffnen und Daten ergänzen, um eine Lagergebühr über 29,99 Euro zu vermeiden. Folgen Sie dem Link nicht, geben Sie keine Daten bekannt und bezahlen Sie nichts. Es handelt sich um eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/hinter-massenmails-zu-paketzustellun… ∗∗∗ Windows 11 22H2 adds kernel exploit protection to security baseline ∗∗∗ --------------------------------------------- Microsoft has released the final version of security configuration baseline settings for Windows 11, version 22H2, downloadable today using the Microsoft Security Compliance Toolkit. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-11-22h2-adds-kernel… ∗∗∗ Identifying file manipulation in system files ∗∗∗ --------------------------------------------- Sometimes people send files to us that seem to be legitimate Microsoft system files at first glance, yet closer inspection reveals, that they have in fact been modified. Are those manipulations always malicious? And how can file manipulations be identified? Here are seven different ways to do that. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/09/37511-detecting-file-manipulatio… ∗∗∗ New Windows 11 security features are designed for hybrid work ∗∗∗ --------------------------------------------- With Windows 11, you can protect your valuable data and enable secure hybrid work with the latest advanced security. Were proud to announce the new security features you heard about this spring are now available. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/20/new-windows-11-security-… ∗∗∗ Defense-in-Depth Updates for Azure Identity SDK and Azure Key Vault SDK plus Best Practice Implementation Guidance ∗∗∗ --------------------------------------------- Today, Microsoft released a new version of the Azure Key Vault Software Development Kit (SDK) and Azure Identity SDK that includes defense-in-depth feature improvements. We also published best practice guidance to help protect applications and services that allow externally controlled input into the Azure Key Vault client URI for processing. --------------------------------------------- https://msrc-blog.microsoft.com/2022/09/20/defense-in-depth-updates-for-azu… ∗∗∗ Exploiting a Seagate service to create a SYSTEM shell (CVE-2022-40286) ∗∗∗ --------------------------------------------- This post covers a slightly different topic than my usual content: application vulnerability discovery and exploit development. --------------------------------------------- https://www.x86matthew.com/view_post?id=windows_seagate_lpe ∗∗∗ Open Source Tool to Collect Volatile Data for Incident Response ∗∗∗ --------------------------------------------- Varc collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident. --------------------------------------------- https://github.com/cado-security/varc ∗∗∗ How we Abused Repository Webhooks to Access Internal CI Systems at Scale ∗∗∗ --------------------------------------------- As adoption of CI systems and processes becomes more prevalent, organizations opt for a CI/CD architecture which combines SaaS-based source control management systems (like GitHub or GitLab) with an internal, self-hosted CI solution (e.g. Jenkins, TeamCity). [...] To allow the webhook requests to access the internally-hosted CI system, the SaaS-based SCM vendors provide IP ranges from which their webhooks requests arrive, so these ranges can be allowed in the organization’s firewall. In this blog post, we’ll dive into the potential security pitfalls of this control, and explain why it provides organizations with a false sense of security. --------------------------------------------- https://www.cidersecurity.io/blog/research/how-we-abused-repository-webhook… ∗∗∗ Securing Developer Tools: OneDev Remote Code Execution ∗∗∗ --------------------------------------------- OneDev is a self-hosted Git server that comes with a lot of development-oriented features such as CI/CD, code search, and static analysis integration. With almost 10,000 stars on GitHub, it is gaining popularity and becoming an open-source and low-maintenance alternative to GitHub, GitLab, and Bitbucket. [...] In this article, we describe the vulnerabilities we found in OneDev that could be used by attackers to take over vulnerable instances. --------------------------------------------- https://blog.sonarsource.com/onedev-remote-code-execution/ ∗∗∗ Hundreds of eCommerce Domains Infected With Google Tag Manager-Based Skimmers ∗∗∗ --------------------------------------------- Security researchers with Recorded Future have identified a total of 569 ecommerce domains infected with skimmers, 314 of which have been infected with web skimmers leveraging Google Tag Manager (GTM) containers. --------------------------------------------- https://www.securityweek.com/hundreds-ecommerce-domains-infected-google-tag… ∗∗∗ Penetration testing is in the eye of the beholder ∗∗∗ --------------------------------------------- "Beauty is in the eye of the beholder." A famous phrase known to all indicates that our perceptions influence our definitions. The same can be said about penetration testing. Often when clients approach us for what they believe to be a penetration test, their definition and needs do not necessarily meet the accepted approach of those within the security field. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/penetration-testing… ∗∗∗ Authentication methods: choosing the right type ∗∗∗ --------------------------------------------- Recommended authentication models for organisations looking to move beyond passwords. --------------------------------------------- https://www.ncsc.gov.uk/guidance/authentication-methods-choosing-the-right-… ∗∗∗ Native function and Assembly Code Invocation ∗∗∗ --------------------------------------------- For a reverse engineer, the ability to directly call a function from the analyzed binary can be a shortcut that bypasses a lot of grief. While in some cases it is just possible to understand the function logic and reimplement it in a higher-level language, this is not always feasible, and [...] --------------------------------------------- https://research.checkpoint.com/2022/native-function-and-assembly-code-invo… ∗∗∗ Atlassian Confluence Vulnerability CVE-2022-26134 Abused For Cryptocurrency Mining, Other Malware ∗∗∗ --------------------------------------------- Users are advised to patch immediately: We found exploit samples abusing the Atlassian Confluence vulnerability (CVE-2022-26134) in the wild for malicious cryptocurrency mining. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/atlassian-confluence-vulnera… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (libconfuse, moodle, rizin, and thunderbird), Oracle (ELS kernel, gnupg2, ruby, and webkit2gtk3), Red Hat (booth, dbus-broker, gnupg2, kernel, kernel-rt, kpatch-patch, mysql, nodejs, nodejs-nodemon, ruby, and webkit2gtk3), Slackware (expat and mozilla), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container and vsftpd), and Ubuntu (bind9, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-kvm, linux-lowlatency, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, lnux-hwe, inux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-hwe-5.15, linux-lowlatency-hwe-5.15, and mako). --------------------------------------------- https://lwn.net/Articles/908893/ ∗∗∗ Information Disclosure in VIDEOJET Decoder and Operator Client application in BVMS ∗∗∗ --------------------------------------------- BOSCH-SA-464066-BT: BVMS Operator Client application or the VIDEOJET Decoder VJD-7513 may receive an *unencrypted* live-stream from a camera which allows a man-in-the-middle attacker to compromise the confidential video streams. This happens only in combination with cameras of platform CPP13 or CPP14.x when encrypted UDP connection is configured. Please be aware that encrypted UDP connection is default setting («Secure Connection» setting) for all cameras added into BVMS. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-464066-bt.html ∗∗∗ [R1] Nessus Network Monitor 6.1.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Network Monitor leverages third-party software to help provide underlying functionality. Several third-party components (OpenSSL and moment.js) were found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2022-19 ∗∗∗ Security Bulletin: Rational Performance Tester contains a vulnerability which could affect Eclipse Jetty. Rational Performance Tester has taken steps to mitigate this vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-performance-test… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to multiple Golang Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to authentication bypass (CVE-2022-40616) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Microsoft Endpoint Configuration Manager: Schwachstelle ermöglicht Umgehen von Sicherheitseinstellungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1488 ∗∗∗ TIBCO Spotfire: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1487 ∗∗∗ Grafana: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1486 ∗∗∗ Hashicorp Vault: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1485 ∗∗∗ Internet Systems Consortium BIND: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1492 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.09.2022
by Daily end-of-shift report 20 Sep '22

20 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 19-09-2022 18:00 − Dienstag 20-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MFA Fatigue: Hackers’ new favorite tactic in high-profile breaches ∗∗∗ --------------------------------------------- Hackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mfa-fatigue-hackers-new-favo… ∗∗∗ Handling WebAuthn over remote SSH connections ∗∗∗ --------------------------------------------- Being able to SSH into remote machines and do work there is great. Using hardware security tokens for 2FA is also great. But trying to use them both at the same time doesnt work super well, because if you hit a WebAuthn request on the remote machine it doesnt matter how much you mash your token - its not going to work. But could it? --------------------------------------------- https://mjg59.dreamwidth.org/61232.html ∗∗∗ LastPass source code breach – incident response report released ∗∗∗ --------------------------------------------- Wondering how youd handle a data breach report if the worst happened to you? Heres a useful example. --------------------------------------------- https://nakedsecurity.sophos.com/2022/09/19/lastpass-source-code-breach-inc… ∗∗∗ Chainsaw: Hunt, search, and extract event log records, (Mon, Sep 19th) ∗∗∗ --------------------------------------------- Chainsaw is a standalone tool that provides a simple and fast method to triage Windows event logs and identify interesting elements within the logs while applying detection logic (Sigma and Chainsaw) to detect malicious activity. --------------------------------------------- https://isc.sans.edu/diary/rss/29066 ∗∗∗ E-Mail von „GMX Sicherheit“ ist Fake ∗∗∗ --------------------------------------------- GMX-Nutzer:innen aufgepasst: Das E-Mail vom Absender „GMX Sicherheit“ ist nicht von GMX. Im betrügerischen E-Mail werden Sie aufgefordert, Ihre Kontoinformationen zu vervollständigen. Ansonsten wird angeblich Ihr Konto innerhalb von 24 Stunden gelöscht. Verschieben Sie das Mail in Ihren Spam-Ordner und klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-von-gmx-sicherheit-ist-fake/ ∗∗∗ Security Risks in Logistics APIs Used by E-Commerce Platforms ∗∗∗ --------------------------------------------- Our research examines the security flaws that we found in the logistics API implementation of e-commerce platforms that can potentially expose the consumers’ personal information. We discuss the security risks that such flaws present for software engineers, e-commerce platform providers, and consumers. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/security-risks-in-logistics-… ===================== = Vulnerabilities = ===================== ∗∗∗ Most common SAP vulnerabilities attackers try to exploit ∗∗∗ --------------------------------------------- Unpatched vulnerabilities, common misconfigurations and hidden flaws in custom code continue to make enterprise SAP applications a target rich environment for attackers at a time when threats like ransomware and credential theft have emerged as major concerns for organizations. --------------------------------------------- https://www.csoonline.com/article/3674119/most-common-sap-vulnerabilities-a… ∗∗∗ Vulnerabilities Identified in EZVIZ Smart Cams ∗∗∗ --------------------------------------------- As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. --------------------------------------------- https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-ezviz-s… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dokuwiki and rizin), SUSE (libcontainers-common, permissions, sqlite3, and wireshark), and Ubuntu (tiff, vim, and xen). --------------------------------------------- https://lwn.net/Articles/908779/ ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um beliebigen Programmcode auszuführen, einen Cross-Site-Scripting-Angriff durchzuführen, Informationen offenzulegen, einen Denial of Service Zustand herbeizuführen oder Dateien zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1475 ∗∗∗ Hitachi Energy PROMOD IV ICS Advisory (ICSA-22-263-01) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-01 ∗∗∗ Hitachi Energy AFF660/665 Series ICS Advisory (ICSA-22-263-02) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-02 ∗∗∗ Medtronic NGP 600 Series Insulin Pumps ICS Medical Advisory (ICSMA-22-263-01) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsma-22-263-01 ∗∗∗ Dataprobe iBoot-PDU ICS Advisory (ICSA-22-263-03) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-03 ∗∗∗ Host Engineering Communications Module ICS Advisory (ICSA-22-263-04) ∗∗∗ --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-22-263-04 ∗∗∗ Security Bulletin: A security vulnerability in react-scripts affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Due to use of Apache Commons, IBM Cloud PAK for Watson AI Ops is vulnerable to remote code execution (CVE-2022-33980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-comm… ∗∗∗ Security Bulletin: A security vulnerability in Nodejs marked affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-provision-to-add-https-an… ∗∗∗ Security Bulletin: Vulnerabilities in libcurl affect IBM Spectrum Protect Plus SQL, File Indexing, and Windows Host agents ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-libcur… ∗∗∗ Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js dicer affects IBM Cloud Pak for Watson AIOps Infrastructure Automation Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.13.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-39/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.3 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-41/ ∗∗∗ Security Vulnerabilities fixed in Firefox 105 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-40/ ∗∗∗ Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-036/ ∗∗∗ JetBrains IntelliJ IDEA: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1474 ∗∗∗ Apache Kafka: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1473 ∗∗∗ Budibase: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1472 ∗∗∗ Spring Data REST Vulnerability (CVE-2022-31679) ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/09/19/spring-data-rest-vulnerability-cve-2022-3… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.09.2022
by Daily end-of-shift report 19 Sep '22

19 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 16-09-2022 18:00 − Montag 19-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Gratis-Entschlüsselungstool: Opfer von Ransomware LockerGoga können aufatmen ∗∗∗ --------------------------------------------- Wer sich den Erpressungstrojaner LockerGoga unter Windows eingefangen hat, kann seine Daten nun ohne Lösegeldzahlung entschlüsseln. --------------------------------------------- https://heise.de/-7268170 ∗∗∗ Umfrage zu Cyberattacken: Viele Unternehmen haben keinen Notfallplan ∗∗∗ --------------------------------------------- Cyberangriff auf ein Unternehmen - und nun? 46 Prozent der Unternehmen in Deutschland haben dafür keinen Plan, sagt eine Studie des Digitalverbands Bitkom. --------------------------------------------- https://heise.de/-7268938 ∗∗∗ Gold kaufen: Gold-Handel-sofort.de ist Fake ∗∗∗ --------------------------------------------- Sie überlegen sich, in Gold zu investieren und suchen nach einem passenden Anbieter? Vorsicht: Nicht jeder Gold-Händler ist seriös. Gold-Handel-sofort.de wirkt zwar professionell, ist aber Fake. Wenn Sie dort bestellen, erhalten Sie trotz Bezahlung keine Ware. Wir zeigen Ihnen, wie Sie einen Online-Shop für Gold überprüfen. --------------------------------------------- https://www.watchlist-internet.at/news/gold-kaufen-gold-handel-sofortde-ist… ∗∗∗ Chrome & Edge senden persönliche Daten (u.a. Passwörter) an Google bzw. Microsoft ∗∗∗ --------------------------------------------- Neue, und irgendwie unschöne, aber erwartbare Entdeckung, die ein Sicherheitsforscher die Tage öffentlich gemacht hat. Der Google Chrome-Browser, und auch der auf Chromium basierende Microsoft Edge-Browser, übermitteln persönliche Daten aus Formularen an Google bzw. Microsoft (beim Edge). --------------------------------------------- https://www.borncity.com/blog/2022/09/19/chrome-edge-senden-persnliche-date… ∗∗∗ Preventing ISO Malware , (Sun, Sep 18th) ∗∗∗ --------------------------------------------- In the last few weeks, Ive seen a significant uptick in systems infected with Chromeloader malware. This malware is a malicious extension for your browser, redirecting it to ad sites and hijacking searches. But with the success of this technique recently, I would not be surprised if others will take notice and switch to using it for other things. --------------------------------------------- https://isc.sans.edu/diary/rss/29062 ∗∗∗ Can reflections in eyeglasses actually leak info from Zoom calls? Heres a study into it ∗∗∗ --------------------------------------------- About time someone shone some light onto this Boffins at the University of Michigan in the US and Zhejiang University in China want to highlight how bespectacled video conferencing participants are inadvertently revealing sensitive on-screen information via reflections in their eyeglasses. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/09/17/glasses_refl… ∗∗∗ A Guide to Improving Security Through Infrastructure-as-Code ∗∗∗ --------------------------------------------- Modern organizations evolved and took the next step when they became digital. Organizations are using cloud and automation to build a dynamic infrastructure to support more frequent product release and faster innovation. This puts pressure on the IT department to do more and deliver faster. --------------------------------------------- https://research.nccgroup.com/2022/09/19/a-guide-to-improving-security-thro… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-15 and 2022-09-16 ∗∗∗ --------------------------------------------- IBM Spectrum Protect Plus, IBM Spectrum Copy Data Management, IBM Spectrum Plus Container Backup, Restore for Kubernetes, Red Hat OpenShift, IBM Spectrum Protect Operations Center, Client Management Service, IBM Spectrum Protect Server, IBM Security QRadar Network Threat Analytics, IBM Sterling Control Center, Rational Test Control Panel, Rational Test Workbench. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ High severity vulnerabilities found in Harbor open-source artifact registry ∗∗∗ --------------------------------------------- Oxeye security researchers have uncovered several new high severity variants of the IDOR (Insecure Director Object Reference) vulnerabilities (CVE-2022-31671, CVE-2022-31666, CVE-2022-31670, CVE-2022-31669, CVE-2022-31667) in CNCF-graduated project Harbor, the popular open-source artifact registry by VMware. --------------------------------------------- https://www.helpnetsecurity.com/2022/09/19/vulnerabilities-harbor-open-sour… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (connman and e17), Fedora (curl, open-vm-tools, pcs, and python-lxml), Mageia (curl, dpkg, freecad, gimp, libtar, libtiff, mediawiki, ostree, python-lxml, schroot, SDL12, sdl2, wireshark, and zlib), Oracle (kernel and php:7.4), Red Hat (php:7.4), Slackware (vim), SUSE (chromium, kernel, libarchive, libtirpc, mupdf, python-rsa, ruby2.5, and virtualbox), and Ubuntu (linux-intel-iotg). --------------------------------------------- https://lwn.net/Articles/908627/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0009 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2022-32886, CVE-2022-32891,CVE-2022-32912. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0009.html ∗∗∗ Lexmark Firmware-Update schließt Schwachstelle und korrigiert Windows-Druckerproblem ∗∗∗ --------------------------------------------- Gute Nachrichten für Besitzer von Lexmark-Druckern. Der Hersteller hat endlich die Firmware-Updates für diverse Modelle bereitgestellt. Diese sollen einerseits eine Schwachstelle in mehr als Hundert Lexmark-Druckermodellen beseitigen, vor der Lexmark bereits im Juni 2022 gewarnt hat [...] --------------------------------------------- https://www.borncity.com/blog/2022/09/19/lexmark-firmware-update-schliet-sc… ∗∗∗ Netgear Routers impacted by FunJSQ Game Acceleration Module flaw ∗∗∗ --------------------------------------------- https://securityaffairs.co/wordpress/135887/security/netgear-game-accelerat… ∗∗∗ Mattermost: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1455 ∗∗∗ Kubernetes: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1458 ∗∗∗ WithSecure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1464 ∗∗∗ Dell NetWorker: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1460 ∗∗∗ HPE Integrated Lights-Out: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1459 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.09.2022
by Daily end-of-shift report 16 Sep '22

16 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 15-09-2022 18:00 − Freitag 16-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücke in WordPress-Plug-in WPGateway macht Angreifer zu Admins ∗∗∗ --------------------------------------------- Angreifer attackieren WordPress-Websites mit WPGateway. Sicherheitsupdates sind noch nicht verfügbar. --------------------------------------------- https://heise.de/-7265906 ∗∗∗ Update für Exchange Extended Protection-Script, aber weiterhin Fehler ∗∗∗ --------------------------------------------- Mit den Sicherheitsupdates vom August 2022 für Microsoft Exchange (On-Premises-Lösung) ist es erforderlich, Extended Protection (EP) zu aktivieren, um alle Schwachstellen zu schließen. Die Aktivierung erfolgt per Script, welches Microsoft bereitgestellt hat – was aber zu Problemen führte. --------------------------------------------- https://www.borncity.com/blog/2022/09/16/update-fr-exchange-extended-protec… ∗∗∗ PS2 Emulator: Exploit in PS4 und PS5 soll nicht behebbar sein ∗∗∗ --------------------------------------------- Eine Lücke im integrierten PS2-Emulator der Playstation 4 und 5 soll sich "grundsätzlich" nicht beheben lassen. Das reicht, um Code auszuführen. --------------------------------------------- https://www.golem.de/news/ps2-emulator-exploit-in-ps4-und-ps5-soll-nicht-be… ∗∗∗ Bitdefender releases free decryptor for LockerGoga ransomware ∗∗∗ --------------------------------------------- Romanian cybersecurity firm Bitdefender has released a free decryptor to help LockerGoga ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bitdefender-releases-free-de… ∗∗∗ Microsoft Edge’s News Feed ads abused for tech support scams ∗∗∗ --------------------------------------------- An ongoing malvertising campaign is injecting ads in the Microsoft Edge News Feed to redirect potential victims to websites pushing tech support scams. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-edge-s-news-feed-a… ∗∗∗ Water Tank Management System Used Worldwide Has Unpatched Security Hole ∗∗∗ --------------------------------------------- A water tank management system used by organizations worldwide is affected by a critical vulnerability that can be exploited remotely and the vendor does not appear to want to patch it.read more --------------------------------------------- https://www.securityweek.com/water-tank-management-system-used-worldwide-ha… ∗∗∗ Word Maldoc With CustomXML and Renamed VBAProject.bin, (Fri, Sep 16th) ∗∗∗ --------------------------------------------- Friend and colleague 0xThiebaut just gave me a heads up for this interesting sample: 2056b52f8c2f62e222107e6fb6ca82708cdae73a91671d40e61aef8698e3e139 --------------------------------------------- https://isc.sans.edu/diary/rss/29056 ∗∗∗ Hackers Targeting WebLogic Servers and Docker APIs for Mining Cryptocurrencies ∗∗∗ --------------------------------------------- Malicious actors such as Kinsing are taking advantage of both recently disclosed and older security flaws in Oracle WebLogic Server to deliver cryptocurrency-mining malware. --------------------------------------------- https://thehackernews.com/2022/09/hackers-targeting-weblogic-servers-and.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bzip2, chromium, glib2.0, libraw, mariadb-10.3, and mod-wsgi), Fedora (kdiskmark, wordpress, and zlib), Oracle (.NET 6.0, .NET Core 3.1, mariadb:10.3, nodejs:14, nodejs:16, ruby:2.7, and ruby:3.0), Red Hat (.NET 6.0, php:7.4, and webkit2gtk3), SUSE (389-ds, flatpak, kernel, libgit2, and thunderbird), and Ubuntu (sqlite3, vim, and wayland). --------------------------------------------- https://lwn.net/Articles/908297/ ∗∗∗ Synology-SA-22:15 GLPI ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers or remote authenticated users to obtain sensitive information, inject arbitrary web script or HTML or inject SQL command via a susceptible version of GLPI. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_15 ∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/15/cisa-adds-six-kno… ∗∗∗ Achtung: Backdoor in TechLogix Networx Power Delivery-Unit, vom Internet isolieren und patchen ∗∗∗ --------------------------------------------- In Stromversorgungskomponenten (Power Delivery-Units) des US-Herstellers TechLogix Networx gibt es eine gravierende Schwachstelle in deren Firmware. Die Firmware nimmt in älteren Versionen (vor Version 2.0.2a) keine Authentifizierung vor, d.h. man kann über Netzwerk die Power Delivery-Unit abschalten. --------------------------------------------- https://www.borncity.com/blog/2022/09/16/achtung-backdoor-in-techlogix-netw… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX container is vulnerable to obtain sensitive information due to OpenSSL (CVE-2022-2097) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Dell BSAFE: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1452 ∗∗∗ xpdf: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1451 ∗∗∗ NGINX: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1450 ∗∗∗ Nextcloud: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1449 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.09.2022
by Daily end-of-shift report 15 Sep '22

15 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 14-09-2022 18:00 − Donnerstag 15-09-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Gesetzentwurf: EU-Kommission will Sicherheitsupdates vorschreiben ∗∗∗ --------------------------------------------- Mit einem Entwurf für ein Cyberresilienzgesetz möchte die EU-Kommission für mehr IT-Sicherheit sorgen. --------------------------------------------- https://www.golem.de/news/gesetzentwurf-eu-kommission-will-sicherheitsupdat… ∗∗∗ Self-spreading stealer attacks gamers via YouTube ∗∗∗ --------------------------------------------- A malicious bundle containing the RedLine stealer and a miner is distributed on YouTube through cheats and cracks ads for popular games. --------------------------------------------- https://securelist.com/self-spreading-stealer-attacks-gamers-via-youtube/10… ∗∗∗ Supply-Chain-Attacke: Trojaner in FishPig-Software bedroht Onlineshops ∗∗∗ --------------------------------------------- Derzeit platzieren Angreifer Hintertüren über kompromittierte Shop-Software unter anderem auf WordPress-Websites. --------------------------------------------- https://heise.de/-7265052 ∗∗∗ SideWalk Backdoor mit neuer Linux‑Variante ∗∗∗ --------------------------------------------- ESET-Forscher haben ein weiteres Tool im bereits umfangreichen Arsenal der SparklingGoblin APT-Gruppe entdeckt: eine Linux-Variante der SideWalk-Backdoor. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/09/14/sidewalk-backdoor-mit-neu… ∗∗∗ Vorsicht vor Bitcoin-Scams auf Discord ∗∗∗ --------------------------------------------- Es scheint verlockend – reich werden nur mit ein paar Klicks. Kriminelle verwenden Schlagwörter wie Bitcoin“ oder „Crypto", um immer mehr Menschen abzuzocken. In einer Nachricht auf Discord wird behauptet, Sie hätten Bitcoin gewonnen? Finger weg, bei diesem Scam verlieren Sie Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-bitcoin-scams-auf-disco… ∗∗∗ Change in Magniber Ransomware (*.cpl → *.jse) – September 8th ∗∗∗ --------------------------------------------- After Magniber changed its method of distribution from an MSI format to a CPL format on July 20th, it has been monitored to show decreased distribution activity as of mid-August. --------------------------------------------- https://asec.ahnlab.com/en/38808/ ===================== = Vulnerabilities = ===================== ∗∗∗ Schwerwiegende Sicherheitslücke in Microsoft Teams entdeckt ∗∗∗ --------------------------------------------- Angreifer*innen könnten die Login-Daten der Desktop-App stehlen, auch bei aktiver Multifaktor-Authentifizierung. --------------------------------------------- https://futurezone.at/digital-life/schwere-sicherheitsluecke-microsoft-team… ∗∗∗ IBM Security Bulletins 2022-09-14 ∗∗∗ --------------------------------------------- FileNet Content Manager, IBM Call Center, IBM Cloud PAK for Watson AI Ops, IBM SDK (Java Technology Edition), IBM Semeru Runtime, IBM Sterling Connect, IBM Sterling Control Center, IBM Sterling Order Management, IBM Tivoli Application Dependency Discovery Manager, Transaction Processing Facility --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ ZDI: (0Day) Vulnerabilities (RCE) in NIKON NIS-Elements Viewer ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1211/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1212/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1213/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1214/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1215/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1216/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1217/ , https://www.zerodayinitiative.com/advisories/ZDI-22-1218/ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1219/ ∗∗∗ Sicherheitsupdates: BIOS-Lücken gefährden unzählige Lenovo-PCs ∗∗∗ --------------------------------------------- Lenovo hat BIOS-Updates für praktisch sein gesamtes PC-Modell-Portfolio bereitgestellt. Unter anderem werden Schadcode-Lücken geschlossen. --------------------------------------------- https://heise.de/-7264659 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nova, pcs, and rails), Fedora (firejail, moby-engine, and pspp), Oracle (.NET 6.0, gnupg2, kernel, python3, and rsyslog rsyslog7), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (kernel), and Ubuntu (intel-microcode, poppler, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/908137/ ∗∗∗ ZDI-22-1210: (0Day) Ansys SpaceClaim X_T File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1210/ ∗∗∗ Cisco IOS XR Software Broadband Network Gateway PPP over Ethernet Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IOS XR Software Cisco Discovery Protocol Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Network Convergence System 4000 Series TL1 Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ (Non-US) DIR-2150 :: Rev Rx :: FW v4.0.1 :: Multiple Vulnerabiltiies ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ ffmpeg: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1433 ∗∗∗ Google Chrome und Microsoft Edge: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1432 ∗∗∗ ImageMagick: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1431 ∗∗∗ genua genugate: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1438 ∗∗∗ Denial of Service in Printanista Hub / Printscout (SYSS-2022-042) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/codeausfuehrung-ueber-unsicheren-diagnosed… ∗∗∗ PAN-SA-2022-0005 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0005 ∗∗∗ PAN-SA-2022-0004 Informational: Cortex XDR Agent: Allow List is Visible to Low Privileged Users (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0004 ∗∗∗ CVE-2022-0029 Cortex XDR Agent: Improper Link Resolution Vulnerability When Generating a Tech Support File (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0029 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.09.2022
by Daily end-of-shift report 14 Sep '22

14 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 13-09-2022 18:00 − Mittwoch 14-09-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Securing your IoT devices against cyber attacks in 5 steps ∗∗∗ --------------------------------------------- How is IoT being used in the enterprise, and how can it be secured? We will demonstrate important security best practices and how a secure password policy is paramount to the security of devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/securing-your-iot-devices-ag… ∗∗∗ Easy Process Injection within Python, (Wed, Sep 14th) ∗∗∗ --------------------------------------------- Process injection is a common technique used by malware to cover their tracks. What looks more legit than a process called "notepad.exe" or "explorer.exe"? --------------------------------------------- https://isc.sans.edu/diary/rss/29048 ∗∗∗ Neue Phishing-Masche: Fake-Konversationen für mehr Glaubwürdigkeit ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor einer neuen Taktik, die Phishing-Mails noch glaubhafter erscheinen lässt. --------------------------------------------- https://heise.de/-7263942 ∗∗∗ Passengers Exposed to Hacking via Vulnerabilities in Airplane Wi-Fi Devices ∗∗∗ --------------------------------------------- Researchers have discovered two potentially serious vulnerabilities in wireless LAN devices that they say are often used in airplanes. --------------------------------------------- https://www.securityweek.com/passengers-exposed-hacking-vulnerabilities-air… ∗∗∗ Malware Infects Magento-Powered Stores via FishPig Distribution Server ∗∗∗ --------------------------------------------- For the past several weeks, Magento stores have been injected with malware via a supply chain attack that targeted the FishPig distribution server. --------------------------------------------- https://www.securityweek.com/malware-infects-magento-powered-stores-fishpig… ∗∗∗ Mail „Energiekosten: Jetzt 475,00 Euro erhalten“ ist Betrug! ∗∗∗ --------------------------------------------- In Zeiten von 150 Euro Energiegutschein oder 500 Euro Klimabonus kann eine E-Mail mit dem Betreff „Energiekosten: Jetzt 475,00 Euro erhalten“ durchaus für echt gehalten werden. Doch Vorsicht: Die Nachricht leitet auf eine Website zum „Lars Meyer Geld-System“ weiter – eine betrügerische Investment-Plattform, auf der Sie nicht investieren dürfen. --------------------------------------------- https://www.watchlist-internet.at/news/mail-energiekosten-jetzt-47500-euro-… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/14/cisa-adds-two-kno… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Teams stores auth tokens as cleartext in Windows, Linux, Macs ∗∗∗ --------------------------------------------- Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-… ∗∗∗ IBM Security Bulletins 2022-09-13 ∗∗∗ --------------------------------------------- IBM WebSphere Application Server, IBM SPSS Statistics, IBM Maximo Asset Management, IBM Maximo Manage, IBM App Connect Enterprise, IBM Integration Bus, IBM App Connect Professional. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Angreifer attackieren Windows 7 bis 11 ∗∗∗ --------------------------------------------- Kritische Lücken bedrohen Microsoft Dynamics 365 und Windows. Sicherheitsupdates stehen zur Installation bereit. --------------------------------------------- https://heise.de/-7263140 ∗∗∗ Patchday Adobe: Schadcode-Attacken auf InDesign, Photoshop & Co. möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Anwendungen von Adobe. Derzeit sind keine dokumentierten Attacken bekannt. --------------------------------------------- https://heise.de/-7263205 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (open-vm-tools), Debian (freecad and sqlite3), Fedora (qt5-qtwebengine and vim), SUSE (firefox, kernel, libzapojit, perl, postgresql14, and samba), and Ubuntu (dotnet6, dpdk, gdk-pixbuf, rust-regex, and systemd). --------------------------------------------- https://lwn.net/Articles/907983/ ∗∗∗ Zero-day in WPGateway Wordpress plugin actively exploited in attacks ∗∗∗ --------------------------------------------- https://www.bleepingcomputer.com/news/security/zero-day-in-wpgateway-wordpr… ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1422 ∗∗∗ Delta Industrial Automation DIAEnergie ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-256-03 ∗∗∗ Kingspan TMS300 CS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-256-04 ∗∗∗ Honeywell SoftMaster ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-256-02 ∗∗∗ Hitachi Energy TXpert Hub CoreTec 4 Sudo Vulnerability ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-256-01 ∗∗∗ Multi-Vendor BIOS Security Vulnerabilities (September 2022) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500519-MULTI-VENDOR-BIOS-SECUR… ∗∗∗ Quectel Wireless WAN Driver Command Injection Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500515 ∗∗∗ genua genucenter: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1412 ∗∗∗ Zoom Video Communications On-Premise: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1420 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.09.2022
by Daily end-of-shift report 13 Sep '22

13 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 12-09-2022 18:00 − Dienstag 13-09-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New PsExec spinoff lets hackers bypass network security defenses ∗∗∗ --------------------------------------------- Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a less monitored port. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-psexec-spinoff-lets-hack… ∗∗∗ Security pros get ability to manually add incidents to Microsoft Sentinel ∗∗∗ --------------------------------------------- Microsoft is introducing a feature to Sentinel to enable security analysts to manually create an incident report and the ability to manually delete the incident if needed. --------------------------------------------- https://www.theregister.com/2022/09/12/microsoft_sentinel_manual_siem_repor… ∗∗∗ Letting off steam ∗∗∗ --------------------------------------------- In July alone, CERT-GIB specialists identified more than 150 fraudulent resources mimicking Steam, a major online gaming platform. To steal Steam credentials, hackers have been using a new phishing technique called browser-in-the-browser, which tricks users into thinking that a fake webpage is a legal resource. --------------------------------------------- https://blog.group-ib.com/steam ∗∗∗ Tool Release – Monkey365 ∗∗∗ --------------------------------------------- Monkey 365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365, but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead of learning tool APIs or complex admin panels from the start. --------------------------------------------- https://research.nccgroup.com/2022/09/07/tool-release-monkey365/ ∗∗∗ OriginLogger: A Look at Agent Tesla’s Successor ∗∗∗ --------------------------------------------- We provide an overview of the OriginLogger keylogger, including info on a dropper lure and OriginLogger’s configuration and infrastructure. --------------------------------------------- https://unit42.paloaltonetworks.com/originlogger/ ∗∗∗ How to tighten your security in Microsoft Edge ∗∗∗ --------------------------------------------- Edge offers several options to help protect you from malicious websites and other online hazards. --------------------------------------------- https://www.zdnet.com/article/how-to-tighten-your-security-in-microsoft-edg… ∗∗∗ MISP 2.4.162 released with a new periodic notification system, workflow updates and many improvements ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.162 with a new periodic notification system, workflow updates and many improvements. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.162 ===================== = Vulnerabilities = ===================== ∗∗∗ Trend Micro warns of actively exploited Apex One RCE vulnerability ∗∗∗ --------------------------------------------- Security software firm Trend Micro warned customers today to patch an actively exploited Apex One security vulnerability as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trend-micro-warns-of-activel… ∗∗∗ Firmware: Etliche HP-Rechner mit Sicherheitslücken, aber ohne Patches ∗∗∗ --------------------------------------------- Gemeldet wurden die Sicherheitslücken vor vielen Monaten, doch etliche Businessgeräte von HP haben noch keine Updates erhalten. --------------------------------------------- https://www.golem.de/news/firmware-etliche-hp-rechner-mit-sicherheitsluecke… ∗∗∗ iPadOS, macOS Monterey und altes iOS: Apple patcht Lücken ∗∗∗ --------------------------------------------- iPadOS 16 ist noch nicht fertig, dafür kommt ein Sicherheitsupdate. Auf dem Mac gibts nun Safari 16 – und ebenfalls viele Patches. Auch iOS 15 wird bedacht. --------------------------------------------- https://heise.de/-7261410 ∗∗∗ Lorenz Ransomware nutzt VoIP-Telefone MiVoice Connect von Mitel als Sprungbrett ∗∗∗ --------------------------------------------- Angreifer nutzen derzeit eine kritische Sicherheitslücke in Telefonsystemen von Mitel aus. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7261947 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (connman and python-oslo.utils), Fedora (libapreq2), Red Hat (booth, gnupg2, kernel, kernel-rt, mariadb:10.3, nodejs:14, nodejs:16, python3, ruby:2.7, and ruby:3.0), SUSE (chromium, opera, python2-numpy, and rubygem-kramdown), and Ubuntu (poppler). --------------------------------------------- https://lwn.net/Articles/907869/ ∗∗∗ FBI warns of vulnerabilities in medical devices following several CISA alerts ∗∗∗ --------------------------------------------- The FBI on Monday warned that hundreds of vulnerabilities in widely used medical devices are leaving a door open for cyberattacks. --------------------------------------------- https://therecord.media/fbi-warns-of-vulnerabilities-in-medical-devices-fol… ∗∗∗ SSA-638652 V1.0: Authentication Bypass Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-638652.txt ∗∗∗ SSA-637483 V1.0: Third-Party Component Vulnerabilities in SINEC INS before V1.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-637483.txt ∗∗∗ SSA-589975 V1.0: Improper Access Control Vulnerability in CoreShield OWG Software ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-589975.txt ∗∗∗ SSA-518824 V1.0: Multiple File Parsing Vulnerabilities in Simcenter Femap and Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-518824.txt ∗∗∗ SSA-459643 V1.0: Denial of Service Vulnerability in RUGGEDCOM ROS before V5.6.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-459643.txt ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: Vulnerability in MIT Kerberos 5 affects PowerSC (CVE-2021-37750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-mit-kerb… ∗∗∗ Security Bulletin: AIX is vulnerable to a privilege escalation vulnerability due to invscout (CVE-2022-36768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-pr… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2022-34336) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Provision to add https and Secure Flag to bayeux_browser cookie for IBM Control Desk. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-provision-to-add-https-an… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to identity spoofing with authenticated user and ability to bypass security restrictions due to Eclipse Paho Java client (CVE-2019-11777, CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: AIX is vulnerable to a privilege escalation vulnerability (CVE-2022-34356) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-pr… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ SAP Patchday September 2022 ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1400 ∗∗∗ TYPO3 Core: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1402 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2020-35498 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX463901/citrix-hypervisor-security-bul… ∗∗∗ AMI MegaRAC SP-X BMC Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500518-AMI-MEGARAC-SP-X-BMC-VU… ∗∗∗ Brocade Fabric OS - Security Update ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500517-BROCADE-FABRIC-OS-SECUR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.09.2022
by Daily end-of-shift report 12 Sep '22

12 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-09-2022 18:00 − Montag 12-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Krypto-Malware Shikitega überlistet den herkömmlichen Linux-Schutz ∗∗∗ --------------------------------------------- AT&T Alien Labs hat eine Analyse zur neuen Linux-Malware Shikitega veröffentlicht. Der Schädling verschafft sich Root-Zugriff, seine Entdeckung ist schwierig. --------------------------------------------- https://heise.de/-7260803 ∗∗∗ Bericht: Um nicht erwischt zu werden, verschlüsselt Ransomware Daten partiell ∗∗∗ --------------------------------------------- Sicherheitsforscher beobachten bei Erpressungstrojanern einen Trend zur schnelleren Verschlüsselung. --------------------------------------------- https://heise.de/-7261001 ∗∗∗ SMS von der Post? Klicken Sie nicht auf den Link! ∗∗∗ --------------------------------------------- „Die Zustellung Ihres letzten Pakets hat sich aufgrund zusätzlicher Zollgebühren verzögert“ lautet eine SMS-Benachrichtigung von der Post. Im SMS ist ein Link, den Sie anklicken sollten, um das Problem zu lösen. Wir raten zur Vorsicht: Diese Nachricht ist nicht von der Post. Wer auf den Link klickt, tappt in eine Internetfalle! --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-der-post-klicken-sie-nicht-a… ∗∗∗ SharkBot-Trojaner im Play Store – Risiko "Antivirus-Apps" ∗∗∗ --------------------------------------------- Im Google Play Store ist erneut der Banking-Trojaner SharkBot aufgetaucht und hat sich als Antiviren- und Cleaner-App getarnt. Sicherheitsforscher von CyberNews schreiben: Android-Nutzer sollten es sich zweimal überlegen, bevor sie kostenlose Apps zur Reinigung ihres Mobiltelefons und zum "Schutz" vor Viren herunterladen - denn viele von ihnen enthalten Daten-Tracker und einige scheinen sogar Links zu potenziell bösartigen Domains zu beinhalten. --------------------------------------------- https://www.borncity.com/blog/2022/09/12/sharkbot-trojaner-im-play-store-ri… ∗∗∗ Maldoc With Decoy BASE64, (Fri, Sep 9th) ∗∗∗ --------------------------------------------- There is also a video for this analysis: "Maldoc Analysis: Rehearsed vs. Unrehearsed". I analysed this maldoc. It contains an old exploit for the equation editor. Nothing special. And it's easy to analyze. But there is one more thing: it contains a very long BASE64 string, 800,000+ characters, and it turns out to be a decoy. --------------------------------------------- https://isc.sans.edu/diary/rss/29032 ∗∗∗ WMI Internals Part 3 ∗∗∗ --------------------------------------------- In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider I walked through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as an example and how when an instance of this class is created the COM method ITaskServices:NewTask is invoked. This blog will take this process a step further and look at what happens after the COM method ITaskServices:NewTask. --------------------------------------------- https://posts.specterops.io/wmi-internals-part-3-38e5dad016be?source=rss---… ∗∗∗ Dead or Alive? An Emotet Story ∗∗∗ --------------------------------------------- In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after [...] --------------------------------------------- https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/ ∗∗∗ Ransomware attacks on retail increase, average retail payment grows to more than $200K ∗∗∗ --------------------------------------------- More than 300 organizations in the retail industry said they were hit with ransomware attacks in 2021, according to a survey conducted by security company Sophos. Sophos researchers spoke to 422 IT workers at mid-sized organizations in the retail sector across 31 countries, finding startling increases in the number of respondents who said their organizations [...] --------------------------------------------- https://therecord.media/ransomware-attacks-on-retail-increase-average-retai… ∗∗∗ Security Breaks: TeamTNT’s DockerHub Credentials Leak ∗∗∗ --------------------------------------------- One of our honeypots based on exposed Docker REST APIs showed cybercriminal group TeamTNT’s potential attack scenario and leak of container registry credentials for docker-abuse malware. The full version of this research will be presented at the c0c0n XV Hacking and Cyber Security Conference in September 2022. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-doc… ===================== = Vulnerabilities = ===================== ∗∗∗ Firmware bugs in many HP computer models left unfixed for over a year ∗∗∗ --------------------------------------------- A set of six high-severity firmware vulnerabilities impacting a broad range of HP devices used in enterprise environments are still waiting to be patched, although some of them were publicly disclosed since July 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-com… ∗∗∗ Patchday: Ansatzpunkte für Angreifer in Android 10, 11 und 12 geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten sich auf Android-Geräten weitreichende Nutzerrechte erschleichen. In Googles Pixel-Serie wurden kritische Lücken ausgebessert. --------------------------------------------- https://heise.de/-7260572 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdk-pixbuf, libxslt, linux-5.10, paramiko, and zlib), Fedora (webkit2gtk3), Mageia (gstreamer1.0-plugins-good, jupyter-notebook, kernel, and rpm), Slackware (vim), SUSE (bluez, clamav, freetype2, frr, gdk-pixbuf, keepalived, libyang, nodejs16, python-PyYAML, qpdf, samba, and vim), and Ubuntu (linux-azure-fde and tiff). --------------------------------------------- https://lwn.net/Articles/907770/ ∗∗∗ Critical KEPServerEX Flaws Can Put Attackers in Powerful Position in OT Networks ∗∗∗ --------------------------------------------- Critical KEPServerEX vulnerabilities that impact the products of several major industrial automation vendors can put attackers in a powerful position in OT networks.read more --------------------------------------------- https://www.securityweek.com/critical-kepserverex-flaws-can-put-attackers-p… ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1376 ∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375 ∗∗∗ Jenkins: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Jenkins ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1373 ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Liberty affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: qs (QueryString) package in the Service Portal of IBM Control Desk is vulnerable (CVE-2014-7191 and CVE-2017-1000048) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-qs-querystring-package-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2022
by Daily end-of-shift report 09 Sep '22

09 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-09-2022 18:00 − Freitag 09-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Bumblebee malware adds post-exploitation tool for stealthy infections ∗∗∗ --------------------------------------------- A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-… ∗∗∗ GIFShell attack creates reverse shell using Microsoft Teams GIFs ∗∗∗ --------------------------------------------- A new attack technique called GIFShell allows threat actors to abuse Microsoft Teams for novel phishing attacks and covertly executing commands to steal data using ... GIFs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reve… ∗∗∗ What Is Clickjacking and How Do I Prevent It? ∗∗∗ --------------------------------------------- There are a plethora of techniques that attackers use to redirect site visitors and harvest sensitive information on compromised websites. But when most webmasters think about securing their website, they often don’t think about how attackers can inject clicks on it from another site. --------------------------------------------- https://blog.sucuri.net/2022/09/what-is-clickjacking-and-how-do-i-prevent-i… ∗∗∗ Credential Gathering From Third-Party Software ∗∗∗ --------------------------------------------- Users often store passwords in third-party software for convenience – but credential gathering techniques can target this behavior. --------------------------------------------- https://unit42.paloaltonetworks.com/credential-gathering-third-party-softwa… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts ∗∗∗ --------------------------------------------- A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. --------------------------------------------- https://thehackernews.com/2022/09/hackers-exploit-zero-day-in-wordpress.html ∗∗∗ Sicherheitslücke in vorinstalliertem Tool HP Support Assistant geschlossen ∗∗∗ --------------------------------------------- HP Support Assistant ist standardmäßig auf HP-Computern installiert. Eine Schwachstelle gefährdet nun Systeme. --------------------------------------------- https://heise.de/-7258790 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mediawiki), SUSE (libEMF, libnl-1_1, libnl3, mariadb, nodejs16, php8-pear, postgresql12, and rubygem-rake), and Ubuntu (linux-raspi, linux-raspi-5.4, and tiff). --------------------------------------------- https://lwn.net/Articles/907573/ ∗∗∗ CISA Adds Twelve Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added twelve new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/08/cisa-adds-twelve-… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Oracle April 2022 CPU for Java 8 shipped with IBM® Intelligent Operations Center(CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability foud in IBM Installation Manager which is shipped with IBM® Intelligent Operations Center(CVE-2021-36374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-foud-in-i… ∗∗∗ Security Bulletin: A vulnerability have been identified in Java 8 shipped with IBM® Intelligent Operations Center (CVE-2021-35561) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulneraqbility in Zlib affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-zlib-… ∗∗∗ Security Bulletin: A vulnerability foud in IBM Installation Manager which is shipped with IBM® Intelligent Operations Center(CVE-2021-36373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-foud-in-i… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for i5/OS is vulnerable to denial of service due to Zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities found in IBM DB2 which is shipped with IBM® Intelligent Operations Center(CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability found in Apache HttpClient which is shipped with IBM® Intelligent Operations Center (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-found-in-… ∗∗∗ Security Bulletin: XML vulnerability found in IBM Java 8.0 which is shipped with IBM® Intelligent Operations Center (CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xml-vulnerability-found-i… ∗∗∗ Security Bulletin: A vulnerability found in XMLBeans which hipped with IBM® Intelligent Operations Center (CVE-2021-23926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-found-in-… ∗∗∗ Security Bulletin: Multiple vulnerabilities found in IBM MQ and Java 8 which is shipped with IBM® Intelligent Operations Center(CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability have been identified in IBM Java 8 shipped with IBM® Intelligent Operations Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulneraqbility in Zlib affects IBM Tivoli Composite Application Manager for Transactions Response Time agents (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-zlib-… ∗∗∗ Security Bulletin: A vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM® Intelligent Operations Center (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-have-be… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2022
by Daily end-of-shift report 08 Sep '22

08 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-09-2022 18:00 − Donnerstag 08-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ RAID-Manager von Hitachi könnte Ansatzpunkt für Schadcode-Attacken sein ∗∗∗ --------------------------------------------- Für einige Versionen von Hitachi RAID Manager SRA sind Sicherheitsupdates erschienen. Für einige Ausgaben gibt es jedoch keinen Support mehr. --------------------------------------------- https://heise.de/-7257664 ∗∗∗ Threat landscape for industrial automation systems for H1 2022 ∗∗∗ --------------------------------------------- This report is based on an analysis of statistical data collected through the Kaspersky Security Network (KSN), a distributed antivirus network. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-f… ∗∗∗ Profiling DEV-0270: PHOSPHORUS’ ransomware operations ∗∗∗ --------------------------------------------- Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosp… ∗∗∗ Analyzing Obfuscated VBS with CyberChef, (Thu, Sep 8th) ∗∗∗ --------------------------------------------- I took a closer look at this sample on MalwareBazaar, because it had no tags (now it has a VBS tag). --------------------------------------------- https://isc.sans.edu/diary/rss/29028 ∗∗∗ HTTPS-Zertifikate: Die Rückkehr der Sperrlisten ∗∗∗ --------------------------------------------- Zukünftig soll es endlich wieder möglich sein, kompromittierte Zertifikate einfach zu sperren. Apple und Mozilla preschen vor und Lets Encrypt zieht mit. --------------------------------------------- https://heise.de/-7257554 ∗∗∗ Tensel-markt.de ist Fake! ∗∗∗ --------------------------------------------- Vorsicht vor Fake-Elektronik und Technik-Shops! Tensel-markt.de, gohlke-shop.de und Techno-max.de locken mit ihrem professionellen Design zahlreiche Konsument:innen in die Falle. Bestellen Sie nicht bei diesen Shops, Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/tensel-marktde-ist-fake/ ∗∗∗ Lazarus and the tale of three RATs ∗∗∗ --------------------------------------------- Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. --------------------------------------------- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html ∗∗∗ How Malicious Actors Abuse Native Linux Tools in Attacks ∗∗∗ --------------------------------------------- Through our honeypots and telemetry, we were able to observe instances in which malicious actors abused native Linux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used and provide recommendations on how to minimize their impact. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-n… ===================== = Vulnerabilities = ===================== ∗∗∗ HP fixes severe bug in pre-installed Support Assistant tool ∗∗∗ --------------------------------------------- HP issued a security advisory alerting users about a newly discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP laptops and desktop computers, including the Omen sub-brand. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-i… ∗∗∗ Cisco Security Advisories 2022-09-07 ∗∗∗ --------------------------------------------- Cisco published 4 security advisories (2 high, 2 medium severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ VPN-Lücke in älteren Cisco-Routern wird nicht mehr geschlossen ∗∗∗ --------------------------------------------- Für einige Cisco-Router ist der Support ausgelaufen. Es gibt wichtige Sicherheitsupdates für unter anderem Webex. --------------------------------------------- https://heise.de/-7257206 ∗∗∗ IBM Security Bulletins 2022-09-07 ∗∗∗ --------------------------------------------- IBM Java 8, IBM Aspera Faspex, IBM WebSphere Application Server, IBM WebSphere Application Server Liberty, Enterprise Content Management System Monitor, IBM DB2, IBM Semeru Runtime, IBM Robotic Process Automation for Cloud Pak, IBM Intelligent Operations Center --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgoogle-gson-java), Fedora (autotrace, insight, and open-vm-tools), Oracle (open-vm-tools), Red Hat (open-vm-tools, openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, ovirt-host, and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), Scientific Linux (open-vm-tools), Slackware (python3), SUSE (clamav, gdk-pixbuf, gpg2, icu, ImageMagick, java-1_8_0-ibm, libyajl, mariadb, udisks2, webkit2gtk3, and yast2-samba-provision), and Ubuntu (dnsmasq). --------------------------------------------- https://lwn.net/Articles/907508/ ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Nagios Enterprises Nagios XI ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Daten zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1338 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1335 ∗∗∗ Drupal: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Drupal ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1341 ∗∗∗ Aruba ClearPass Policy Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Aruba ClearPass Policy Manager ausnutzen, um Daten zu manipulieren oder offenzulegen, seine Rechte zu erweitern, Code auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1340 ∗∗∗ MZ Automation libIEC61850 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-251-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2022
by Daily end-of-shift report 07 Sep '22

07 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-09-2022 18:00 − Mittwoch 07-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ So schützen Sie sich vor Schadsoftware! ∗∗∗ --------------------------------------------- Auf dubiosen Websites, in betrügerischen E-Mails, in scheinbar harmlosen Chat-Nachrichten oder durch Sicherheitslücken in nicht aktualisierten Programmen: Schadsoftware kann auf unterschiedlichen Wegen auf Ihren Computer gelangen, um dort beispielsweise sensible Daten auszulesen und zu stehlen oder gar ganze Systeme lahmzulegen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-schadsoftw… ∗∗∗ Worok: The big picture ∗∗∗ --------------------------------------------- Focused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files. --------------------------------------------- https://www.welivesecurity.com/2022/09/06/worok-big-picture/ ∗∗∗ Wie Cyberkriminelle USB missbrauchen ∗∗∗ --------------------------------------------- Den Fluch des Universal Serial Bus (USB) und die Attraktion für Cyberkriminelle untersucht Andrew Rose, Resident CISO, EMEA bei Proofpoint, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88403293/wie-cyberkriminelle-usb-missbrauchen/?utm_sou… ∗∗∗ AA22-249A: #StopRansomware: Vice Society ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-249a ∗∗∗ Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues ∗∗∗ --------------------------------------------- Since Aug. 20, 2022, Cisco Talos has been monitoring suspected distributed denial-of-service (DDoS) attacks resulting in intermittent downtime and outages affecting several ransomware-as-a-service (RaaS) data leak sites. --------------------------------------------- http://blog.talosintelligence.com/2022/09/ransomware-leaksite-ddos.html ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-06 ∗∗∗ --------------------------------------------- IBM Elastic Storage System, IBM Planning Analytics Workspace, IBM Rational Asset analyzer, IBM App Connect Enterprise, IBM Integration Bus, IBM WebSphere Application Server Liberty, IBM Sterling Connect, IBM Spectrum Scale, IBM SPSS Analytic Server, IBM Business Automation Workflow. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Auf NAS-Systeme von Zyxel könnte Schadcode gelangen ∗∗∗ --------------------------------------------- Aktualisierte Firmware-Versionen schließen eine kritische Sicherheitslücke in mehreren NAS-Modellen des Herstellers Zyxel. --------------------------------------------- https://heise.de/-7255585 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, protobuf-c, and vim) and SUSE (gimp, java-1_8_0-openj9, libostree, openvswitch, python-bottle, python-Flask-Security-Too, and zabbix). --------------------------------------------- https://lwn.net/Articles/907382/ ∗∗∗ K12055286: Intel CPU vulnerability CVE-2021-33060 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12055286 ∗∗∗ Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-039/ ∗∗∗ Helmholz: Unauthenticated user enumeration in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-017/ ∗∗∗ MB connect line: Unauthenticated user enumeration in mbCONNECT24 and mymbCONNECT24 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-011/ ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.21.0: Patch SC-202209.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2022
by Daily end-of-shift report 06 Sep '22

06 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 05-09-2022 18:00 − Dienstag 06-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New EvilProxy service lets all hackers use advanced phishing tactics ∗∗∗ --------------------------------------------- A reverse-proxy Phishing-as-a-Service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-a… ∗∗∗ Mythic Case Study: Assessing Common Offensive Security Tools ∗∗∗ --------------------------------------------- Having covered the Sliver C2 framework in a previous post (May 2022), this blog will continue our examination of Cobalt Strike “alternatives”, focusing on the Mythic C2 framework. --------------------------------------------- https://team-cymru.com/blog/2022/09/06/mythic-case-study-assessing-common-o… ∗∗∗ Analysis of an Encoded Cobalt Strike Beacon, (Tue, Sep 6th) ∗∗∗ --------------------------------------------- Someone reached out to me for the analysis of a Cobalt Strike beacon. This is the sample. --------------------------------------------- https://isc.sans.edu/diary/rss/29014 ∗∗∗ TA505 Groups TeslaGun In-Depth Analysis ∗∗∗ --------------------------------------------- TA505 is a financially motivated threat group that has been active since 2014. The group frequently changes its malware attack strategies in response to global cybercrime trends. It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on. --------------------------------------------- https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-… ∗∗∗ Vorsicht vor gefälschten PayPal-Nachrichten ∗∗∗ --------------------------------------------- Gefälschte PayPal-Nachrichten befinden sich momentan vermehrt im Umlauf. Sie haben eine angebliche Rechnung von PayPal erhalten, über ein Produkt, das Sie nicht bestellt haben? Oder es wird eine Vorabzahlung für eine angebliche Transaktion gefordert? Ignorieren Sie diese Nachrichten, sie sind Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-paypal-nac… ∗∗∗ Mirai Variant MooBot Targeting D-Link Devices ∗∗∗ --------------------------------------------- Attackers are leveraging known vulnerabilities in D-Link devices to deliver MooBot, a Mirai variant, potentially leading to further DDoS attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/moobot-d-link-devices/ ∗∗∗ Shikitega - New stealthy malware targeting Linux ∗∗∗ --------------------------------------------- Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-ma… ∗∗∗ Over Half of Global Firms Supply Chains Compromised by Ransomware ∗∗∗ --------------------------------------------- Cybersecurity leader Trend Micro announced new research today that reveals global organizations are increasingly at risk of ransomware compromise via their extensive supply chains. --------------------------------------------- https://newsroom.trendmicro.com/2022-09-06-Over-Half-of-Global-Firms-Supply… ∗∗∗ Play Ransomwares Attack Playbook Similar to that of Hive, Nokoyawa ∗∗∗ --------------------------------------------- Play is a new ransomware that takes a page out of Hive and Nokoyawas playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-pla… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories 2022-09-06 ∗∗∗ --------------------------------------------- On Sep 06, 2022, Fortinet has released 12 advisories for issues resolved in Fortinet products. (Severity: Low (2), Medium (9), High (1)) --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=09-2022 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (pcs), SUSE (389-ds and firefox), and Ubuntu (linux-hwe-5.4 and linux-oracle). --------------------------------------------- https://lwn.net/Articles/907275/ ∗∗∗ Hitachi Storage: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Hitachi Storage ausnutzen, um Informationen offenzulegen und beliebigen Code zur Ausführung zu bringen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1292 ∗∗∗ Hitachi Energy TXpert Hub CoreTec 4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-04 ∗∗∗ Triangle Microworks Libraries ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-01 ∗∗∗ AVEVA Edge 2020 R2 SP1 and all prior versions ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-02 ∗∗∗ Cognex 3D-A1000 Dimensioning System ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2022
by Daily end-of-shift report 05 Sep '22

05 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-09-2022 18:00 − Montag 05-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware dev open-sources CodeRAT after being exposed ∗∗∗ --------------------------------------------- The source code of a remote access trojan (RAT) dubbed CodeRAT has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-cod… ∗∗∗ Quickie: Grep & Tail -f With Notepad++, (Mon, Sep 5th) ∗∗∗ --------------------------------------------- Notepad++ is a free and open source text editor for Windows. You can simulate grep-like functionality with Notepad++ in 2 steps. --------------------------------------------- https://isc.sans.edu/diary/rss/29018 ∗∗∗ Prynt Stealer Contains a Backdoor to Steal Victims Data Stolen by Other Cybercriminals ∗∗∗ --------------------------------------------- Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims exfiltrated data when used by other cybercriminals. --------------------------------------------- https://thehackernews.com/2022/09/prynt-stealer-contains-backdoor-to.html ∗∗∗ Win32/Hive.ZY: Update stoppt Fehlalarmserie von Microsoft Defender unter Windows ∗∗∗ --------------------------------------------- Die Windows-Virenabwehr Defender hat fälschlicherweise Chrome, Edge & Co. als Trojaner eingestuft. --------------------------------------------- https://heise.de/-7253919 ∗∗∗ Ransomware: Der Trend geht zum Angriff auf Linux-Server ∗∗∗ --------------------------------------------- Trend Micro sieht im ersten Halbjahr 2022 ein Wachstum bei Ransomware-Angriffen. Linux-Umgebungen sind 75 Prozent häufiger ein Ziel als im Vorjahreszeitraum. --------------------------------------------- https://heise.de/-7254059 ∗∗∗ There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities ∗∗∗ --------------------------------------------- As part of this research, NCC Group focused on the secure boot chain implemented by UNISOC processors used in Android phones and tablets. Several vulnerabilities in the Boot ROM were discovered which could persistently undermine secure boot. --------------------------------------------- https://research.nccgroup.com/2022/09/02/theres-another-hole-in-your-soc-un… ∗∗∗ Was tun, wenn mein Gerät mit Schadsoftware infiziert wurde? ∗∗∗ --------------------------------------------- Schadsoftware (auch Malware) kann viele Formen annehmen und mit unterschiedlichen Bedrohungen für Sie und Ihr Gerät einhergehen. Schäden, die dabei entstehen können, bewegen sich vom Datendiebstahl, über das Zuspammen mit Werbung bis hin zu Lösegeldforderungen. --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-mein-geraet-mit-schadso… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Google warnt vor möglichen Attacken auf Chrome ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt eine Lücke im Webbrowser Chrome. --------------------------------------------- https://heise.de/-7253510 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flac, ghostscript, libmodbus, qemu, rails, ruby-rack, and thunderbird), Fedora (kernel, kernel-headers, kernel-tools, libtar, qt5-qtwebengine, subscription-manager-cockpit, tcpreplay, and vim), Mageia (chromium-browser-stable, webkit2, and ytnef), SUSE (curl, firefox, freerdp, gdk-pixbuf, ImageMagick, json-c, libgda, php-composer2, and python-pyxdg), and Ubuntu (libzstd, linux-aws, linux-aws-5.4, linux-azure-5.4, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/907201/ ∗∗∗ DeadBolt Ransomware ∗∗∗ --------------------------------------------- QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-24 ∗∗∗ Security Bulletin: DataStage on Cloud Pak for Data Is Vulnerable to Sensitive Information Disclosure Error (CVE-2022-38714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datastage-on-cloud-pak-fo… ∗∗∗ Security Bulletin: Information Disclosure and Denial of Service Vulnerabilities in the IBM Spectrum Protect Backup-Archive Client may affect IBM Spectrum Protect for Space Management (CVE-2022-22478, CVE-2022-22474) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-an… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for August 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Prototype pollution vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – [CVE-2021-23450] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-prototype-pollution-vulne… ∗∗∗ Security Bulletin: Persistent Cross-Site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-35644 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-persistent-cross-site-scr… ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1286 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2022
by Daily end-of-shift report 02 Sep '22

02 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-09-2022 18:00 − Freitag 02-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft will disable Exchange Online basic auth next month ∗∗∗ --------------------------------------------- Microsoft warned customers today that it will finally disable basic authentication in random tenants worldwide to improve Exchange Online security starting October 1, 2022. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-exch… ∗∗∗ Sharkbot is back in Google Play ∗∗∗ --------------------------------------------- This new dropper doesn’t rely Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware. Instead, this new version ask the victim to install the malware as a fake update for the antivirus to stay protected against threats. --------------------------------------------- https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/ ∗∗∗ NSA gibt Sicherheitstipps gegen Supply-Chain-Attacken ∗∗∗ --------------------------------------------- Die Cybersecurity and Infrastructure Agency (CISA), die National Security Agency (NSA) und das Office of the Director of National Intelligence (ODNI) haben wichtige Tipps zum Entwickeln von sicherer Software veröffentlicht. --------------------------------------------- https://heise.de/-7251765 ∗∗∗ Unverschlüsselte Access Tokens: Sicherheitslücke in tausenden Apps ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor unverschlüsselten Access Tokens in Apps. Oft holen sich Entwickler Probleme ungewollt ins Haus. Besonders betroffen: iOS-Apps. --------------------------------------------- https://heise.de/-7252134 ∗∗∗ When disclosure goes wrong. People ∗∗∗ --------------------------------------------- My experience of vulnerability disclosure is that it is rarely as easy or simple as it could be. I had hoped that bug bounty programmes and vulnerability disclosure programmes (VDPs) would help matters. Broadly that doesn’t seem to be the case, often for unexpected reasons. --------------------------------------------- https://www.pentestpartners.com/security-blog/when-disclosure-goes-wrong-pe… ∗∗∗ Ransomware auf IoT: Anderer Sicherheitsansatz bei IoT-Geräten erforderlich ∗∗∗ --------------------------------------------- Wir haben uns vermutlich an die täglichen Ransomware-Angriffe auf IT-Systeme gewöhnt. Aber mit der Zunahme von IoT-Geräten droht eine wachsende Gefahr für solche Sicherheitsvorfälle. CheckPoint meint, dass IoT-Geräte einen anderen Sicherheitsansatz brauchen, um dieser Gefahr (z.B. Infektionen durch Ransomware) zu begegnen. --------------------------------------------- https://www.borncity.com/blog/2022/09/02/ransomware-auf-iot-anderer-sicherh… ∗∗∗ Architecting for Extortion: Acting on the IST’s Blueprint for Ransomware Defense ∗∗∗ --------------------------------------------- Last month, the Institute for Security and Technology’s Ransomware Task Force launched the Blueprint for Ransomware Defense. --------------------------------------------- https://www.rapid7.com/blog/post/2022/09/02/architecting-for-extortion-acti… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, rsync, systemd, and thunderbird), Debian (chromium, dpdk, and sofia-sip), Fedora (kernel, thunderbird, and zlib), Red Hat (pcs and rh-mariadb103-galera and rh-mariadb103-mariadb), Slackware (poppler), SUSE (cifs-utils, curl, dwarves and elfutils, firefox, flatpak, gnutls, gpg2, harfbuzz, ignition, kernel, ldb, samba, libslirp, libsolv, libzypp, zypper, libtirpc, logrotate, mozilla-nss, ncurses, open-vm-tools, openssl-1_1, p11-kit, pcre, pcre2, podman, postgresql12, postgresql13, postgresql14, python-M2Crypto, python3, rsync, salt, spice, systemd-presets-common-SUSE, tiff, ucode-intel, xen, and zlib), and Ubuntu (curl, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-snapdragon, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux-aws-hwe). --------------------------------------------- https://lwn.net/Articles/906973/ ∗∗∗ NetApp ActiveIQ Unified Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in NetApp ActiveIQ Unified Manager ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1263 ∗∗∗ Security Bulletin: Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2022 CPU plus deferred CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, GnuTLS affect IBM Cloud Object Storage Systems (August 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2022
by Daily end-of-shift report 01 Sep '22

01 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-08-2022 18:00 − Donnerstag 01-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Apple backports fix for actively exploited iOS zero-day to older iPhones ∗∗∗ --------------------------------------------- Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-activel… ∗∗∗ Underscores and DNS: The Privacy Story, (Wed, Aug 31st) ∗∗∗ --------------------------------------------- The use of underscores in DNS records can easily trigger DNS purists into a rage. Since the beginning of (DNS) time, only the letters a-z, numbers, and dashes are allowed in DNS labels (RFC 1035 section 2.3.1). After all, we want to remain compatible with ARPANET. --------------------------------------------- https://isc.sans.edu/diary/rss/29002 ∗∗∗ Jolokia Scans: Possible Hunt for Vulnerable Apache Geode Servers (CVE-2022-37021), (Thu, Sep 1st) ∗∗∗ --------------------------------------------- On Tuesday, the Apache project released an update for Geode. The update patches a typical deserialization issue we often see in Java software like Geode (CVE-2022-37021). [...] But the vulnerability has a few dependencies: [...] JMX and RMI are used for the attack. [...] And here comes Jolokia. "JMX on Capsaicin," as it calls itself. It provides a simple HTTP to JMX gateway. So it is somewhat interesting that I also saw some scans for Jol[o]kia starting yesterday. --------------------------------------------- https://isc.sans.edu/diary/rss/29006 ∗∗∗ Authority-Scam: Neue Welle von Fake-Mails der Polizei ∗∗∗ --------------------------------------------- Kriminelle geben dem Authority-Scam einen neuen Anstrich: Momentan befinden sich wieder viele gefälschte E-Mails der Polizei im Umlauf. Die Empfänger:innen werden beschuldigt eine Straftat begangen zu haben. Die Anschuldigungen umfassen Pädophilie, Cyberpornographie und Exhibitionismus. Antworten Sie nicht und ignorieren Sie das Schreiben, es ist Fake! --------------------------------------------- https://www.watchlist-internet.at/news/authority-scam-neue-welle-von-fake-m… ∗∗∗ Over 900K Kubernetes clusters are misconfigured! Is your cluster a target? ∗∗∗ --------------------------------------------- Kubernetes is an amazing platform for managing containers at scale. However, a recent study found that over 900,000 Kubernetes clusters are vulnerable to attack because they are misconfigured! This means that your Kubernetes cluster could be a target for malicious actors if it is not properly secured. In this blog post, we will discuss how to secure your Kubernetes cluster and protect it from attack. --------------------------------------------- https://grahamcluley.com/feed-sponsor-teleport-4/ ∗∗∗ Android TikTok-App: Microsoft findet 1-Klick-Schwachstelle, die Kontenübernahme erlaubte ∗∗∗ --------------------------------------------- Microsoft hat eine gefährliche Sicherheitslücke in der TikTok-App für Android entdeckt, die es ermöglichte, Benutzerkonten mit einem einzigen Klick zu kompromittieren. Inzwischen wurde diese Schwachstelle in der TikTok-App für Android geschlossen. --------------------------------------------- https://www.borncity.com/blog/2022/09/01/android-tiktok-app-microsoft-finde… ∗∗∗ RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of a RAT Tool disguised as a solution file (*.sln) on GitHub. As shown in Figure 1, the malware distributor is sharing a source code on GitHub titled “Jpg Png Exploit Downloader Fud Cryter Malware Builder Cve 2022”. The file composition looks normal, but the solution file (*.sln) is actually a RAT tool. It is through methods like this that the malware distributor lures users to run the RAT tool by disguising it as a solution file (*.sln). Generally, programmers who receive the code that includes the solution file run the file in order to open the project. Users should take caution against social engineering techniques that take advantage of such a thought process. --------------------------------------------- https://asec.ahnlab.com/en/38150/ ∗∗∗ Azure Synapse: Local Privilege Escalation Vulnerability in Spark ∗∗∗ --------------------------------------------- The story of a simple race condition leading to a Local Privilege Escalation, and how we discovered, in retrospect, that we crossed paths with another researcher and a previous Microsoft case. --------------------------------------------- https://orca.security/resources/blog/synapse-local-privilege-escalation-vul… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Lücke in zlib-Bibliothek ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In der weit verbreiteten Kompressionsbibliothek zlib könnten Angreifer unter Umständen Schadcode einschleusen und ausführen. Erste Patches sind verfügbar. --------------------------------------------- https://heise.de/-7250044 ∗∗∗ Sicherheitsupdate: Präparierte Mails könnten Thunderbird gefährlich werden ∗∗∗ --------------------------------------------- Es ist ein wichtiges Sicherheitsupdate für den Mailclient Thunderbird erschienen. Damit haben die Entwickler vier Lücken geschlossen. --------------------------------------------- https://heise.de/-7250566 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (pdns-recursor, thunderbird, and vim), Gentoo (firefox, thunderbird-bin, virtualbox, and webkit-gtk), Red Hat (convert2rhel), SUSE (gstreamer-plugins-good, open-vm-tools, postgresql12, rsync, and ucode-intel), and Ubuntu (linux-azure, linux-gcp, linux-hwe). --------------------------------------------- https://lwn.net/Articles/906778/ ∗∗∗ libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in libTIFF ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1250 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um Code auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1253 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1251 ∗∗∗ Security Advisory - Out-of-bounds Read and Write Vulnerability in Some Huawei Headset Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220826-… ∗∗∗ Security Bulletin:IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl, pcre2 and Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-mq-operator-and-queue-… ∗∗∗ Security Bulletin: CVE-2021-2163 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2163-may-affect-… ∗∗∗ Security Bulletin: Netcool Operations Insight v1.6.5 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8, affect IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-244-01 ∗∗∗ Contec Health CMS8000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-244-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2022
by Daily end-of-shift report 31 Aug '22

31 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-08-2022 18:00 − Mittwoch 31-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers hide malware in James Webb telescope images ∗∗∗ --------------------------------------------- Threat analysts have spotted a new malware campaign dubbed GO#WEBBFUSCATOR that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-jame… ∗∗∗ Watering Hole Attacks Push ScanBox Keylogger ∗∗∗ --------------------------------------------- Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool. --------------------------------------------- https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/ ∗∗∗ Infoblox Threat Intelligence: IOCs related to the Russia-Ukraine conflict ∗∗∗ --------------------------------------------- This folder contains IOCs related to the Russian invasion of Ukraine. The majority of the content is based on Infoblox internal analytics and validation analysis, though some OSINT is also included. --------------------------------------------- https://github.com/infobloxopen/threat-intelligence/tree/main/ukraine ∗∗∗ Webinar: Betrugsfallen im Internet erkennen ∗∗∗ --------------------------------------------- Am Dienstag, den 06.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Betrugsfallen im Internet erkennen" statt. Melden Sie sich jetzt an! --------------------------------------------- https://www.watchlist-internet.at/news/webinar-betrugsfallen-im-internet-er… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-08-30 ∗∗∗ --------------------------------------------- IBM TRIRIGA Application Platform, IBM b-type SAN directors and switches, IBM Integration Bus, IBM App Connect Enterprise, IBM Watson Assistant for IBM Cloud Pak for Data, IBM Engineering Lifecycle Engineering, IBM Cloud Transformation Advisor, IBM Cloud Object Storage Systems. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten WordPress-Websites attackieren ∗∗∗ --------------------------------------------- Die WordPress-Entwickler haben drei Lücken im Content-Management-System geschlossen. --------------------------------------------- https://heise.de/-7249431 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, net-snmp, php-horde-mime-viewer, php-horde-turba, and webkit2gtk), Fedora (rsync), Oracle (openssl and systemd), Red Hat (booth, kernel, kernel-rt, and openssl), Slackware (vim), SUSE (bluez, java-1_8_0-ibm, postgresql10, and zlib), and Ubuntu (kernel, linux, linux-raspi, linux-aws, and linux-oem-5.14). --------------------------------------------- https://lwn.net/Articles/906579/ ∗∗∗ Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220831-… ∗∗∗ Grafana: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1221 ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1239 ∗∗∗ ArubaOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1238 ∗∗∗ GNU libc: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1234 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1230 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1228 ∗∗∗ Chrome 105.0.5195.5x fixt 24 Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/08/31/chrome-105-0-5195-5x-fixt-24-schwa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2022
by Daily end-of-shift report 30 Aug '22

30 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 29-08-2022 18:00 − Dienstag 30-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows malware delays coinminer install by a month to evade detection ∗∗∗ --------------------------------------------- A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-malware-delays-coinm… ∗∗∗ Two things that will never die: bash scripts and IRC!, (Tue, Aug 30th) ∗∗∗ --------------------------------------------- Last week, Brock Perry, one of our SANS.edu undergraduate students, came across a neat bash script uploaded to the honeypot as part of an attack. I am sure this isn't new, but I never quite saw something like this before myself. --------------------------------------------- https://isc.sans.edu/diary/rss/28998 ∗∗∗ Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users ∗∗∗ --------------------------------------------- A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuff… ∗∗∗ Keine „Testzahlungen“ auf Kleinanzeigen-Plattformen durchführen! ∗∗∗ --------------------------------------------- Auf Kleinanzeigen-Plattformen wie Willhaben, Vinted, eBay Kleinanzeigen und Co finden Sie tolle Schnäppchen oder können Gebrauchtes zu Geld machen. Doch Vorsicht: Auch Kriminelle, die Ihnen das Geld aus der Tasche ziehen wollen, tummeln sich dort zuhauf. Bei einer aktuellen Masche fälschen diese die Zahlungsseiten der Plattformen und fordern zu Testzahlungen auf. Brechen Sie sofort den Kontakt ab. Man will Sie betrügen! --------------------------------------------- https://www.watchlist-internet.at/news/keine-testzahlungen-auf-kleinanzeige… ∗∗∗ ModernLoader delivers multiple stealers, cryptominers and RATs ∗∗∗ --------------------------------------------- Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. --------------------------------------------- http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in Foxit PDF Editor und Reader ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Angreifer könnten etwa mit manipulierten Dokumenten in Foxit PDF Editor und Reader Schadcode einschleusen. Aktualisierte Software schließt die Sicherheitslücke. --------------------------------------------- https://heise.de/-7247760 ∗∗∗ Sicherheitslücke: Zwischenablage in Chromium-basierten Browsern frei zugreifbar ∗∗∗ --------------------------------------------- Webseiten können derzeit in aktuellen Chromium-basierten Webbrowsern beliebig auf die Zwischenablage zugreifen. Das ermöglicht etwa Angriffe auf Nutzer. --------------------------------------------- https://heise.de/-7248070 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (ctk, dcmtk, OpenImageIO, and varnish-modules), Red Hat (systemd), SUSE (libslirp, open-vm-tools, and opera), and Ubuntu (jupyter-notebook, libsdl1.2, and systemd). --------------------------------------------- https://lwn.net/Articles/906461/ ∗∗∗ [20220801] - Core - Multiple Full Path Disclosures because of missing _JEXEC or die check ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/884-20220801-core-multiple… ∗∗∗ Security Bulletin: Tririga is vulnerable to remote hacker due to dom4j open source ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tririga-is-vulnerable-to-… ∗∗∗ Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager (CVE-2021-29864) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-3999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Linux Kernel vulnerability may affect IBM Elastic Storage System (CVE-2021-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Due to use of OpenSSL, IBM Virtualization Engine TS7700 is vulnerable to denial of service (CVE-2022-0778) and privilege escalation (CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-openssl-ibm… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-45346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ K00994461: GSON vulnerability CVE-2022-25647 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00994461 ∗∗∗ poppler: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1214 ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1212 ∗∗∗ Hitachi Energy FACTS Control Platform (FCP) Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-01 ∗∗∗ Hitachi Energy Gateway Station (GWS) Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-02 ∗∗∗ Hitachi Energy MSM Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-03 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-04 ∗∗∗ Fuji Electric D300win ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-05 ∗∗∗ Honeywell ControlEdge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-06 ∗∗∗ Honeywell Experion LX ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-07 ∗∗∗ Honeywell Trend Controls Inter-Controller Protocol ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-08 ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-09 ∗∗∗ PTC Kepware KEPServerEX ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2022
by Daily end-of-shift report 29 Aug '22

29 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-08-2022 18:00 − Montag 29-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake Cthulhu World P2E project used to push info-stealing malware ∗∗∗ --------------------------------------------- Hackers have created a fake Cthulhu World play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware infections on unsuspecting victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-cthulhu-world-p2e-proje… ∗∗∗ HTTP/2 Packet Analysis with Wireshark, (Fri, Aug 26th) ∗∗∗ --------------------------------------------- I have been getting these queries in my honeypot logs since end of December 2021 and decided to a diary on some of these packets using some basic analysis with Wireshark. --------------------------------------------- https://isc.sans.edu/diary/rss/28986 ∗∗∗ Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01, (Sun, Aug 28th) ∗∗∗ --------------------------------------------- Both Sysinternals utilities (Sysmon and ZoomIt) received updates that significantly extends their scope: Sysmon can now also block actions, and ZoomIt can record videos. --------------------------------------------- https://isc.sans.edu/diary/rss/28988 ∗∗∗ Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons, (Sun, Aug 28th) ∗∗∗ --------------------------------------------- I updated my Cobalt Strike beacon analysis tool 1768.py to deal with false positives in Windows system's memory dumps. --------------------------------------------- https://isc.sans.edu/diary/rss/28990 ∗∗∗ Aggressive Adware: PDF-Reader für Android mit Millionen Downloads ∗∗∗ --------------------------------------------- Ein PDF-Reader im Google Play-Store kommt auf über eine Million Downloads. Es handelt sich jedoch um Adware, die sogar ungenutzt Vollbild-Werbung einblendet. --------------------------------------------- https://heise.de/-7246842 ∗∗∗ Fake Wohnungsinserate auf eBay und Co.! ∗∗∗ --------------------------------------------- Fake-Inserate finden Sie auf allen gängigen Portalen zur Wohnungssuche. Kriminelle kontaktieren Sie auch direkt, wenn Sie eine „Gesucht-Anzeige“ veröffentlicht haben. Gefälschte Wohnungsinserate erkennen Sie an zwei Merkmalen: Die gebotenen Wohnungen sind sehr günstig und Sie müssen noch vor der Besichtigung die Kaution und erste Monatsmiete bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-wohnungsinserate-auf-ebay-und-c… ∗∗∗ Tor 101: How Tor Works and its Risks to the Enterprise ∗∗∗ --------------------------------------------- The Tor project provides one of the most well-known tools that users can leverage to stay anonymous on the internet. People use Tor for many different reasons, both benign and malicious. However, allowing Tor traffic on enterprise networks opens the door to a variety of potential abuses and security risks. --------------------------------------------- https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/ ∗∗∗ Lookout: Wie man sich vor SMS-Phishing und ähnlichen Angriffen schützt ∗∗∗ --------------------------------------------- Momentan gibt fast jede Woche ein anderes bekanntes Unternehmen bekannt, dass es Opfer eines Hacks geworden ist, bei dem Daten abgeflossen sind. Für Administratoren in Unternehmen stellt sich die Frage, wie man die internen Systeme vor SMS-Phishing und ähnlichen Angriffen, die auf Mitarbeiter zielen, schützen kann. --------------------------------------------- https://www.borncity.com/blog/2022/08/28/lookout-wie-man-sich-vor-sms-phish… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Bitbucket Server vulnerable to critical RCE vulnerability ∗∗∗ --------------------------------------------- Atlassian has published a security advisory warning Bitbucket Server and Data Center users of a critical security flaw that attackers could leverage to execute arbitrary code on vulnerable instances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atlassian-bitbucket-server-v… ∗∗∗ Lexmark: Angreifer können sich durch Firmware-Lücke einnisten ∗∗∗ --------------------------------------------- In über 100 Drucker-Modellen von Lexmark steckt eine kritische Lücke in der Firmware. Angreifer könnten sich nach einem Einbruch in den Geräten einnisten. --------------------------------------------- https://heise.de/-7247068 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, exim4, maven-shared-utils, ndpi, puma, webkit2gtk, and wpewebkit), Fedora (dotnet3.1, firefox, and webkit2gtk3), Mageia (clamav, mariadb, net-snmp, postgresql, python-ldap, and thunderbird), SUSE (freeciv, gnutls, keepalived, libyang, nim, python-Django, and varnish), and Ubuntu (schroot). --------------------------------------------- https://lwn.net/Articles/906355/ ∗∗∗ Security Bulletin: Custom "Execution States" names on IBM Engineering Test Management TCER pages are vulnerable to XSS ( CVE-2021-38934 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-custom-execution-states-n… ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1203 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2022
by Daily end-of-shift report 26 Aug '22

26 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-08-2022 18:00 − Freitag 26-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Living off the land, AD CS style ∗∗∗ --------------------------------------------- Unless you have been living under a rock for the last year or so, Active Directory Certificate Services (AD CS) abuse continues to be a hot topic in offensive security, ever since the excellent research released by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_). --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-ad-cs-sty… ∗∗∗ Threat Assessment: Black Basta Ransomware ∗∗∗ --------------------------------------------- Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomwar… ∗∗∗ Automatic Execution of Code Upon Package Download on Python Package Manager ∗∗∗ --------------------------------------------- Automatic code execution is triggered upon downloading approximately one third of the packages on PyPi. A worrying feature in pip/PyPi allows code to automatically run when developers are merely downloading a package. --------------------------------------------- https://checkmarx.com/blog/automatic-execution-of-code-upon-package-downloa… ===================== = Vulnerabilities = ===================== ∗∗∗ Lücken in Ciscos FXOS und NX-OS ermöglichen Übernahme der Kontrolle ∗∗∗ --------------------------------------------- In Ciscos Router- und Firewall-Betriebssystemen FXOS und NX-OS hätten Angreifer beliebigen Code mit root-Rechten ausführen können. Updates stehen bereit. --------------------------------------------- https://heise.de/-7244032 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (zlib), Fedora (dotnet3.1, firefox, java-1.8.0-openjdk-aarch32, thunderbird, and zlib), Mageia (canna, chromium-browser-stable, dovecot, firefox/nss, freeciv, freetype2, gnutls, kernel, kernel-linus, kicad, ldb/samba/sssd, libgsasl, microcode, nodejs, rsync, thunderbird, and unbound), Oracle (php:7.4 and systemd), Scientific Linux (firefox, rsync, systemd, and thunderbird), Slackware (vim), and SUSE (bluez, gstreamer-plugins-good, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libcroco, postgresql10, postgresql13, python-lxml, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/906232/ ∗∗∗ CISA Adds Ten Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisa-adds-ten-kno… ∗∗∗ [R1] Nessus Agent Version 8.3.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Custom audit files bring tremendous power and flexibility when assessing the configuration of your assets. Two separate vulnerabilities that utilize this custom Audit functionality were identified, reported and fixed. With the release of Nessus Agent 8.3.4, Tenable has mitigated the reported issues by enabling the ability to sign and verify custom audit files. --------------------------------------------- https://www.tenable.com/security/tns-2022-17 ∗∗∗ ABB Security Advisory: ARM600 Cyber Security Notification: UEFI vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001477&Language… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime(CVE-2021-35603) affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to issues with libcurl (CVE-2022-27780, CVE-2022-30115) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-i… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Directory Integrator as shipped with IBM Security Directory Suite is affected by Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-in… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in Java SE related to the JSSE component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ F5: K42795243: Apache Xalan Java Library vulnerability CVE-2022-34169 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42795243 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0008.html ∗∗∗ vBulletin Connect: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1190 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2022
by Daily end-of-shift report 25 Aug '22

25 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-08-2022 18:00 − Donnerstag 25-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PyPI packages hijacked after developers fall for phishing emails ∗∗∗ --------------------------------------------- A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages exotel and spam are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after… ∗∗∗ More hackers adopt Sliver toolkit as a Cobalt Strike alternative ∗∗∗ --------------------------------------------- Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative. --------------------------------------------- https://www.bleepingcomputer.com/news/security/more-hackers-adopt-sliver-to… ∗∗∗ Twilio hackers hit over 130 orgs in massive Okta phishing attack ∗∗∗ --------------------------------------------- Threat analysts have discovered the phishing kit responsible for thousands of attacks against 136 high-profile organizations that have compromised 9,931 accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-… ∗∗∗ MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone ∗∗∗ --------------------------------------------- Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-… ∗∗∗ whids - Open Source EDR for Windows ∗∗∗ --------------------------------------------- EDR with artifact collection driven by detection. The detection engine is built on top of a previous project Gene specially designed to match Windows events against user defined rules. --------------------------------------------- https://github.com/0xrawsec/whids ∗∗∗ EDR: Nachfolger der Antiviren-Software kämpfen mit altbekannten Problemen ∗∗∗ --------------------------------------------- Die Security-Industrie preist Endpoint Detection & Response als das bessere Antivirus an. Tests zeigen, dass es oft an den gleichen Problemen scheitert. --------------------------------------------- https://heise.de/-7241955 ∗∗∗ Firefox ESR, Thunderbird: Angreifer könnten Nutzereingaben abfangen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für den Mailclient Thunderbird und den Webbrowser Firefox ESR. --------------------------------------------- https://heise.de/-7242897 ∗∗∗ Doxing – was ist das und wie schützt man sich davor? ∗∗∗ --------------------------------------------- Doxing kann jeden treffen - hier erfahren Sie, wie Sie die Wahrscheinlichkeit verringern können, dass Ihre persönlichen Daten als Waffe gegen Sie eingesetzt werden. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/08/25/doxing-was-ist-das-und-wi… ∗∗∗ Vorsicht vor Coin-Fallen auf Dating-Portalen ∗∗∗ --------------------------------------------- Sie wollen herausfinden, ob es Ihrer Internetbekanntschaft wirklich ernst ist? Haben Sie Geld für Coins oder Guthaben investiert, um mit Ihrer Bekanntschaft zu chatten, es kommt aber nie zu einem persönlichen Treffen? Hier erfahren Sie alles über die Maschen von moderierten Dating-Portalen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-coin-fallen-auf-dating-… ∗∗∗ Preparing Critical Infrastructure for Post-Quantum Cryptography ∗∗∗ --------------------------------------------- CISA has released CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography, which outlines the actions that critical infrastructure stakeholders should take now to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/24/preparing-critica… ∗∗∗ Palo Alto warns of firewall vulnerability used in DDoS attack on service provider ∗∗∗ --------------------------------------------- Palo Alto Networks is urging customers to patch a line of firewall products after finding that the vulnerability was used in a distributed denial-of-service (DDoS) attack. On August 19, the company made all patches available for CVE-2022-0028 – which affects the PA-Series, VM-Series and CN-Series of the PAN-OS firewall software. --------------------------------------------- https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-d… ∗∗∗ New Golang Ransomware Agenda Customizes Attacks ∗∗∗ --------------------------------------------- A new piece of ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#309662: Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass ∗∗∗ --------------------------------------------- The following vendor-specific bootloaders were found vulnerable: Inherently vulnerable bootloader to bypass Secure Boot New Horizon Datasys Inc (CVE-2022-34302) UEFI Shell execution to bypass Secure Boot CryptoPro Secure Disk (CVE-2022-34301) Eurosoft (UK) Ltd (CVE-2022-34303) Microsoft has provided details with their KB5012170 article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX). --------------------------------------------- https://kb.cert.org/vuls/id/309662 ∗∗∗ Movable Type XMLRPC API vulnerable to command injection ∗∗∗ --------------------------------------------- Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN57728859/ ∗∗∗ Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053 ∗∗∗ --------------------------------------------- Project: Commerce Elavon Security risk: Moderately critical Vulnerability: Access bypass Description: This module enables you to accept payments from the Elavon payment provider. [..] This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-053 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libxslt, and open-vm-tools), Fedora (dotnet6.0 and firefox), Oracle (curl, firefox, rsync, and thunderbird), Red Hat (curl, firefox, php:7.4, rsync, systemd, and thunderbird), SUSE (bluez, chromium, freerdp, glibc, gnutls, kernel, postgresql10, raptor, rubygem-rails-html-sanitizer, and spice), and Ubuntu (firefox, linux, linux-kvm, linux-lts-xenial, linux-aws, linux-azure-fde, open-vm-tools, and varnish). --------------------------------------------- https://lwn.net/Articles/906055/ ∗∗∗ Atlassian Bitbucket: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Bitbucket ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1185 ∗∗∗ HCL Notes und Domino: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in HCL Notes und HCL Domino ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1180 ∗∗∗ Mattermost security updates 7.1.3 (ESR), 7.0.2, 6.3.10 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses a medium-level severity vulnerability. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.1.3 (Extended Support Release), 7.0.2, and 6.3.10 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-1-3-esr-7-0-2-6-3… ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates for vulnerabilities affecting ACI Multi-Site Orchestrator, FXOS, and NX-OS software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisco-releases-se… ∗∗∗ SMA100 Exposure of Sensitive Information to an Unauthorized Actor ∗∗∗ --------------------------------------------- A vulnerability in the SonicWall SMA100 appliance could potentially expose sensitive information i.e., third-party packages and library versions used in the appliance firmware to a pre-authenticated actor.IMPORTANT: SMA 1000 series products are not affected by this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0020 ∗∗∗ SonicWall SMA100 Post-Auth Heap-based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A Heap-based Buffer Overflow vulnerability in the SonicWall SMA100 appliance allows a remote authenticated attacker to cause Denial of Service (DoS) on the appliance or potentially lead to code execution. This vulnerability impacts 10.2.1.5-34sv and earlier versions.IMPORTANT: SMA 1000 series products are not affected by this vulnerability. CVE: CVE-2022-2915 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0019 ∗∗∗ Security Bulletin: IBM Connect:Direct Web Services vulnerable to remote security bypass due to PostgreSQL (CVE-2022-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-connectdirect-web-ser… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service due to Linux Kernel (CVE-2020-35513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-237-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2022
by Daily end-of-shift report 24 Aug '22

24 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-08-2022 18:00 − Mittwoch 24-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake Chrome extension Internet Download Manager has 200,000 installs ∗∗∗ --------------------------------------------- Google Chrome extension Internet Download Manager installed by more than 200,000 users is adware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-chrome-extension-intern… ∗∗∗ Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams ∗∗∗ --------------------------------------------- A new business email compromise (BEC) campaign has been discovered combining sophisticated spear-phishing with Adversary-in-The-Middle (AiTM) tactics to hack corporate executives Microsoft 365 accounts, even those protected by MFA. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-m… ∗∗∗ Ransomware updates & 1-day exploits ∗∗∗ --------------------------------------------- In this report, we discuss the new multi-platform ransomware RedAlert (aka N13V) and Monster, as well as private 1-day exploits for the CVE-2022-24521 vulnerability. --------------------------------------------- https://securelist.com/ransomware-updates-1-day-exploits/107291/ ∗∗∗ Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC, (Wed, Aug 24th) ∗∗∗ --------------------------------------------- On Monday, 2022-08-22, I generated an IcedID (Bokbot) infection based on Monster Libra (also known as TA551 or Shathak). --------------------------------------------- https://isc.sans.edu/diary/rss/28974 ∗∗∗ Bomber is an application that scans SBoMs for security vulnerabilities. ∗∗∗ --------------------------------------------- So youve asked a vendor for an Software Bill of Materials (SBOM) for one of their products, and they provided one to you in a JSON file... now what? --------------------------------------------- https://github.com/devops-kung-fu/bomber ∗∗∗ Cyber-Angriff: Griechischer Gasnetzbetreiber Desfa Opfer von Ransomware-Gang ∗∗∗ --------------------------------------------- Die Ransomware-Gang hinter Ragnar Locker ist in die Netze des Betreibers des griechischen Erdgas-Netzes Desfa eingebrochen. Die Versorgung bleibt gesichert. --------------------------------------------- https://heise.de/-7241322 ∗∗∗ Einbruch bei Plex: Daten abgezogen, Passwortänderung nötig ∗∗∗ --------------------------------------------- Bösartige Akteure sind offenbar in die Datenbanken des Streaming-Dienstes und Medienservers Plex eingebrochen. Dort konnten sie persönliche Daten stehlen. --------------------------------------------- https://heise.de/-7241975 ∗∗∗ Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems ∗∗∗ --------------------------------------------- A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices. --------------------------------------------- https://www.securityweek.com/ethernet-leds-can-be-used-exfiltrate-data-air-… ∗∗∗ Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity ∗∗∗ --------------------------------------------- Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT). --------------------------------------------- https://www.securityweek.com/old-inconspicuous-vulnerabilities-commonly-tar… ∗∗∗ HavanaCrypt Ransomware tarnt sich als Google Update ∗∗∗ --------------------------------------------- Die neu entdeckte HavanaCrypt Ransomware nutzt ausgefeilte Techniken und verkleidet sich als Google Update. Lösegeldforderungen gab es bisher nicht. --------------------------------------------- https://www.zdnet.de/88403049/havanacrypt-ransomware-tarnt-sich-als-google-… ∗∗∗ But You Told Me You Were Safe: Attacking the Mozilla Firefox Sandbox (Part 2) ∗∗∗ --------------------------------------------- In this blog post, we discuss a second prototype pollution vulnerability that allowed the execution of attacker-controlled JavaScript in the privileged parent process, escaping the sandbox. --------------------------------------------- https://www.thezdi.com/blog/2022/8/23/but-you-told-me-you-were-safe-attacki… ∗∗∗ BitRAT and XMRig CoinMiner Being Distributed via Windows License Verification Tool ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool. --------------------------------------------- https://asec.ahnlab.com/en/37939/ ∗∗∗ AsyncRAT Being Distributed in Fileless Form ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that malicious AsyncRAT codes are being distributed in fileless form. --------------------------------------------- https://asec.ahnlab.com/en/37954/ ===================== = Vulnerabilities = ===================== ∗∗∗ Gefährliche Lücken bedrohen Sicherheit von kritischen Infrastrukturen ∗∗∗ --------------------------------------------- Angreifer könnten Industrie-Steuerungssysteme attackieren und im schlimmsten Fall die volle Kontrolle erlangen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7241733 ∗∗∗ Updates für GitLab schließen kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Für die GitLab Community- und Enterprise-Edition haben die Entwickler aktualisierte Versionen veröffentlicht, die eine kritische Sicherheitslücke schließen. --------------------------------------------- https://heise.de/-7241481 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (vim), SUSE (cosign, dpdk, freeciv, gfbgraph, kernel, nim, p11-kit, perl-HTTP-Daemon, python-lxml, and python-treq), and Ubuntu (linux-oem-5.14, open-vm-tools, and twisted). --------------------------------------------- https://lwn.net/Articles/905853/ ∗∗∗ Oracle SBC: Multiple Security Vulnerabilities Leading to Unauthorized Access and Denial of Service ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/oracle-sbc-… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: A security vulnerability has been identified in in IBM Java SDK shipped with IBM Tivoli Business Service Manager (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-includes-… ∗∗∗ VMSA-2022-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0024.html ∗∗∗ vim: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1157 ∗∗∗ Jenkins Plugins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1166 ∗∗∗ F-Secure Produkte: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1165 ∗∗∗ tribe29 checkmk: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1160 ∗∗∗ Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/23/mozilla-releases-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2022
by Daily end-of-shift report 23 Aug '22

23 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 22-08-2022 18:00 − Dienstag 23-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Internet-Kernprotokoll: Das Transmission Control Protocol erhält Update ∗∗∗ --------------------------------------------- TCP ist der Motor des Internet. Mit einem gerade aktualisierten RFC bekommt er eine Generalüberholung. Aber kann er sich gegen neue Konkurrenz behaupten? --------------------------------------------- https://heise.de/-7239713 ∗∗∗ Cyber-Attacken: CISA warnt vor Angriffen auf neu entdeckte Sicherheitslücken ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA warnt vor einigen erst seit Kurzem bekannten Sicherheitslücken. Cyberkriminelle greifen diese bereits aktiv an. --------------------------------------------- https://heise.de/-7240372 ∗∗∗ Whos Looking at Your security.txt File? ∗∗∗ --------------------------------------------- In April 2022, the RFC related to the small file “security.txt” was released. It was already popular for a while, but an RFC is always a good way to “promote” some best practices! If you're unaware of this file, it helps to communicate security contacts (email addresses, phone, ...) to people who would like to contact you to report an issue with your website or your organization. --------------------------------------------- https://isc.sans.edu/diary/rss/28972 ∗∗∗ Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts ∗∗∗ --------------------------------------------- Budget Android device models that are counterfeit versions associated with popular smartphone brands are harboring multiple trojans designed to target WhatsApp and WhatsApp Business messaging apps. --------------------------------------------- https://thehackernews.com/2022/08/researchers-find-counterfeit-phones.html ∗∗∗ New Air-Gap Attack Uses MEMS Gyroscope Ultrasonic Covert Channel to Leak Data ∗∗∗ --------------------------------------------- A novel data exfiltration technique has been found to leverage a covert ultrasonic channel to leak sensitive information from isolated, air-gapped computers to a nearby smartphone that doesn't even require a microphone to pick up the sound waves. --------------------------------------------- https://thehackernews.com/2022/08/new-air-gap-attack-uses-mems-gyroscope.ht… ∗∗∗ If you havent patched Zimbra holes by now, assume youre toast ∗∗∗ --------------------------------------------- Heres how to detect an intrusion via vulnerable email systems Organizations that didnt immediately patch their Zimbra email systems should assume miscreants have already found and exploited the bugs, and should start hunting for malicious activity across IT networks, according to Uncle Sam. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/08/23/cisa_zimbra_… ∗∗∗ Ransomware Gang Leaks Data Allegedly Stolen From Greek Gas Supplier ∗∗∗ --------------------------------------------- The cybergang behind the Ragnar Locker ransomware has published more than 360 gigabytes of data allegedly stolen from Greece’s largest natural gas supplier Desfa.Established in 2007 as a subsidiary of Depa (Public Gas Corporation of Greece), Desfa operates both the country’s natural gas transmission system and its gas distribution networks. --------------------------------------------- https://www.securityweek.com/ransomware-gang-leaks-data-allegedly-stolen-gr… ∗∗∗ Online-Marktplatz: Vorsicht, wenn Käufer:innen Links zu Kurierdiensten und Zahlungsplattformen schicken ∗∗∗ --------------------------------------------- Sie verkaufen über willhaben, laendleanzeiger.at, shpock und Co? Nehmen Sie sich vor betrügerischen Käufer:innen in Acht. --------------------------------------------- https://www.watchlist-internet.at/news/online-marktplatz-vorsicht-wenn-kaeu… ∗∗∗ The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware ∗∗∗ --------------------------------------------- Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organizations worldwide. Let's take a look. --------------------------------------------- https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab Critical Security Release: 15.3.1, 15.2.3, 15.1.5 ∗∗∗ --------------------------------------------- Today we are releasing versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. --------------------------------------------- https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitl… ∗∗∗ SECURITY BULLETIN AVEVA-2022-005 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in AVEVA Edge (formerly known as InduSoft Web Studio). Rating: High --------------------------------------------- https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-up… ∗∗∗ [CVE-2020-2733] JD Edwards EnterpriseOne Tools admin password not adequately protected ∗∗∗ --------------------------------------------- JD Edwards EnterpriseOne Tools 9.2 or lower versions allow unauthenticated attackers to bypass the authentication and get Administrator rights on the system. --------------------------------------------- https://redrays.io/cve-2020-2733-jd-edwards/ ∗∗∗ Einbruchsgefahr: Über 80.000 Hikvision-Kameras verwundbar ∗∗∗ --------------------------------------------- Hikvision hat zwar Updates für die Kameras veröffentlicht, mehr als 2300 Firmen ignorieren diese jedoch. Angreifer könnten dadurch in deren Netze einbrechen. --------------------------------------------- https://heise.de/-7239986 ∗∗∗ Firefox 104: Verbesserungen am PDF-Viewer und Stromverbrauch-Profiler ∗∗∗ --------------------------------------------- Die neue Version von Firefox bringt neben sechs gefixten Sicherheitslücken auch Re-Snapping sowie die Möglichkeit, im PDF-Viewer zu unterschreiben. --------------------------------------------- https://heise.de/-7240408 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (kernel and kernel-container), SUSE (bluez, gimp, rubygem-rails-html-sanitizer, systemd-presets-common-SUSE, and u-boot), and Ubuntu (libxslt). --------------------------------------------- https://lwn.net/Articles/905730/ ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2019-10785, CVE-2020-5259, CVE-2020-4051, CVE-2018-15494, CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2021-22931) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to issues with libcurl (CVE-2022-27780, CVE-2022-30115) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-i… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to Google Gson (CVE-2022-25647) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Apache Commons Compress ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1151 ∗∗∗ Trellix Data Loss Prevention: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1149 ∗∗∗ xpdf: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1144 ∗∗∗ PowerDNS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1152 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2022
by Daily end-of-shift report 22 Aug '22

22 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-08-2022 18:00 − Montag 22-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 241 npm and PyPI packages caught dropping Linux cryptominers ∗∗∗ --------------------------------------------- More than 200 malicious packages were discovered infiltrating the PyPI and npm open source registries this week. These packages are largely typosquats of widely used libraries and each one of them downloads a Bash script on Linux systems that run cryptominers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/241-npm-and-pypi-packages-ca… ∗∗∗ New tool checks if in-app mobile browsers inject risky code on sites ∗∗∗ --------------------------------------------- A new online tool named InAppBrowser lets you analyze the behavior of in-app browsers embedded within mobile apps and determine if they inject privacy-threatening JavaScript into websites you visit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tool-checks-if-in-app-mo… ∗∗∗ LockBit claims ransomware attack on security giant Entrust, leaks data ∗∗∗ --------------------------------------------- The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-at… ∗∗∗ Multi-Faktor-Authentisierung umgehen: Malware klaut automatisiert Cookies ∗∗∗ --------------------------------------------- Um Multi-Faktor-Authentisierung umgehen zu können, klauen Kriminelle vermehrt Browser-Cookies mittels Malware. --------------------------------------------- https://www.golem.de/news/multi-faktor-authentisierung-umgehen-malware-klau… ∗∗∗ Meet Borat RAT, a New Unique Triple Threat ∗∗∗ --------------------------------------------- Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen? --------------------------------------------- https://thehackernews.com/2022/08/meet-borat-rat-new-unique-triple-threat.h… ∗∗∗ Sicherer im Internet surfen: Obacht vor gefälschten DDoS-Check-Websites ∗∗∗ --------------------------------------------- Wer im Internet ohne Nachzudenken klickt, kann sich schnell einen Trojaner einfangen. Nun warnen Sicherheitsforscher vor einer weiteren Malware-Masche. --------------------------------------------- https://heise.de/-7238985 ∗∗∗ Bösartige Apps im Google Play Store: Mehr als zwei Millionen Downloads ∗∗∗ --------------------------------------------- Bitdefender hat 35 bösartige Apps in Googles Play Store entdeckt. Sie kommen zusammen auf mehr als zwei Millionen Downloads. --------------------------------------------- https://heise.de/-7239109 ∗∗∗ Kriminelle kapern Facebook-Konten und bewerben Fake-Investment-Plattformen ∗∗∗ --------------------------------------------- Tom und zahlreiche andere Personen wurden von Claudia auf Facebook bei einem Beitrag markiert. Der Beitrag ist ein Link zu einem Artikel, wie man mit einer Investment-Plattform in kurzer Zeit viel Geld verdienen kann. Vorsicht: Dabei handelt es sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-kapern-facebook-konten-un… ∗∗∗ Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More ∗∗∗ --------------------------------------------- Recent exploits observed in the wild are highlighted based on the availability of proofs of concept, the severity of the vulnerabilities the exploits are based on and the ease of exploitation. --------------------------------------------- https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/ ∗∗∗ Hackers are using this sneaky exploit to bypass Microsofts multi-factor authentication ∗∗∗ --------------------------------------------- Attackers guessed the password of a dormant account and were able to apply their own MFA to it - providing access to the victims network. --------------------------------------------- https://www.zdnet.com/article/hackers-are-using-this-sneaky-trick-to-exploi… ∗∗∗ Sicherheitslücken - jetzt auch in deiner Appliance ∗∗∗ --------------------------------------------- Die Entwickler des quelloffenen Frameworks YARA haben vor knapp zwei Wochen fast schon heimlich still und leise eine neue Version veröffentlicht, v4.2.3, welche in der medialen Berichterstattung beinahe untergegangen ist. --------------------------------------------- https://cert.at/de/blog/2022/8/sicherheitslucken-jetzt-auch-in-deiner-appli… ∗∗∗ CISA Adds One Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added a new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/22/cisa-adds-one-kno… ∗∗∗ Sicherheit: Wenn plötzlich ein (Fake-)"Office 365-Paket" per Post kommt ∗∗∗ --------------------------------------------- Kleine Warnung, die sich vor allem an unerfahrene Leser dieses Blogs bzw. Nutzer richtet. Kriminelle verschicken wohl Päckchen an (vorwiegend ältere Leute), in denen vorgeblich ein Microsoft Office enthalten ist. --------------------------------------------- https://www.borncity.com/blog/2022/08/21/sicherheit-wenn-pltzlich-ein-offic… ===================== = Vulnerabilities = ===================== ∗∗∗ Uncovering a ChromeOS remote memory corruption vulnerability ∗∗∗ --------------------------------------------- Microsoft discovered a memory corruption vulnerability in a ChromeOS component that could have been triggered remotely, allowing attackers to perform either a denial-of-service (DoS) or, in extreme cases, remote code execution (RCE). --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/19/uncovering-a-chromeos-re… ∗∗∗ "As Nasty as Dirty Pipe" — 8 Year Old Linux Kernel Vulnerability Uncovered ∗∗∗ --------------------------------------------- Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe." Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level. --------------------------------------------- https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.h… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9 and kicad), Fedora (community-mysql and trafficserver), Gentoo (chromium, gettext, tomcat, and vim), Mageia (apache-mod_wsgi, libitrpc, libxml2, teeworlds, wavpack, and webkit2), Red Hat (podman), Slackware (vim), SUSE (java-1_8_0-openjdk, nodejs10, open-iscsi, rsync, and trivy), and Ubuntu (exim4). --------------------------------------------- https://lwn.net/Articles/905590/ ∗∗∗ YARA 4.2.3 Released, (Sat, Aug 20th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/28964 ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-29891 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2019-16649 and CVE-2019-16650 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Vulnerabilities with OpenJDK affect IBM Cloud Object Storage Systems (August 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-open… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring RRT Agent (CVE-2021-45346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2022
by Daily end-of-shift report 19 Aug '22

19 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-08-2022 18:00 − Freitag 19-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Honeypot Attack Summaries with Python ∗∗∗ --------------------------------------------- We are lucky to have a variety of tools available to enrich existing honeypot data, but also automate that enrichment. I put together a script to try and help myself achieve a simple goal. --------------------------------------------- https://isc.sans.edu/diary/rss/28956 ∗∗∗ Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads ∗∗∗ --------------------------------------------- Under normal circumstances, DDoS pages usually don’t affect users much — they simply perform a check or request a skill testing question in order to proceed to the desired webpage. However, a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware. --------------------------------------------- https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-… ∗∗∗ But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer (Part 1) ∗∗∗ --------------------------------------------- At Pwn2Own Vancouver 2022, Manfred Paul compromised the Mozilla Firefox browser using a full chain exploit that broke the mold. Although his exploit used some memory corruptions, the vulnerable code was written in a memory-safe programming language: JavaScript! --------------------------------------------- https://www.zerodayinitiative.com/blog/2022/8/17/but-you-told-me-you-were-s… ∗∗∗ Auch TikTok-App soll mit internem iPhone-Browser spionieren können ∗∗∗ --------------------------------------------- Nachdem das Problem bereits bei Facebook und Instagram aufgedeckt worden war, hat sich ein Sicherheitsforscher nun auch den chinesischen Videodienst angesehen. --------------------------------------------- https://heise.de/-7235891 ∗∗∗ Aktive Angriffe auf iPhones, iPads und Macs: Was Nutzer jetzt tun sollten ∗∗∗ --------------------------------------------- Erneut warnt Apple vor schweren Sicherheitslücken, die wohl aktiv ausgenutzt werden. Es gibt Patches, aber nicht für alle Systeme und Bugs. Ein Überblick. --------------------------------------------- https://heise.de/-7237518 ∗∗∗ Back in Black: Unlocking a LockBit 3.0 Ransomware Attack ∗∗∗ --------------------------------------------- This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement. --------------------------------------------- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-… ∗∗∗ SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences. --------------------------------------------- https://www.securityweek.com/sap-vulnerability-exploited-attacks-after-deta… ∗∗∗ Fake-Shop-Alarm: getvoltplug.com hilft Ihnen nicht beim Stromsparen ∗∗∗ --------------------------------------------- In Zeiten der Energiekrise wirbt getvoltplug.com mit einem attraktiven Angebot: Ein Gerät soll Ihnen helfen bis zu 90% Ihrer Stromrechnung zu sparen. Aber Achtung! Dieses Gerät existiert gar nicht, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-getvoltplugcom-hilft… ∗∗∗ Wissen: Webseite als kompromittiert gemeldet? Wie geht man vor? ∗∗∗ --------------------------------------------- Wer eine Webseite betreibt, wird möglicherweise gelegentlich mit dem Problem konfrontiert, dass diese von Sicherheitsportalen oder Benutzern als "riskant" gemeldet wird. Dann stellt sich die Frage, wie man vorgehen könnte, um herauszufinden, ob dies ein Fehlalarm ist oder die Webseite kompromittiert wurde. --------------------------------------------- https://www.borncity.com/blog/2022/08/19/wissen-webseite-als-kompromittiert… ∗∗∗ Ukraine war spotlights agriculture sectors vulnerability to cyber attack ∗∗∗ --------------------------------------------- The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. We assess those future threats to the agriculture section will mainly include financially motivated ransomware actors and disruptive attacks carried out by state-sponsored APTs. --------------------------------------------- http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agricult… ∗∗∗ Business Email Compromise Attack Tactics ∗∗∗ --------------------------------------------- Is BEC more damaging than ransomware? What tactics are BEC actors using? How can organizations bolster their defenses? --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/h/business-email-compromise-bec-at… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1076: PDF-XChange Editor submitForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1076/ ∗∗∗ DSA-2022-241: Dell EMC PowerFlex Rack Security Update for Multiple Third-Party Component Vulnerabilities ∗∗∗ --------------------------------------------- Dell EMC PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system. --------------------------------------------- https://www.dell.com/support/kbdoc/de-at/000202540/dsa-2022-241-dell-emc-po… ∗∗∗ Virenscanner: Schwachstelle von McAfee erleichtert Angreifern das Einnisten ∗∗∗ --------------------------------------------- Angreifer hätten aufgrund einer Sicherheitslücke im Virenschutz McAfee Security Scan Plus ihre Rechte erhöhen können. Das erleichterte das Einnisten im System. --------------------------------------------- https://heise.de/-7235809 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-tzinfo), Mageia (nvidia-current and nvidia390), SUSE (python-PyYAML, ucode-intel, and zlib), and Ubuntu (linux-aws, postgresql-10, postgresql-12, postgresql-14, and rsync). --------------------------------------------- https://lwn.net/Articles/905265/ ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1076 ∗∗∗ Security Advisory - JAD-AL50: Permission Bypass Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220819-… ∗∗∗ Security Bulletin: IBM MQ Explorer is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2022-22489) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-explorer-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-35948 and CVE-2022-35949 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM WebSphere Application Server Liberty and OpenSSL (CVE-2022-2068, CVE-2022-2097, CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in ICU [CVE-2017-14952 and CVE-2020-10531] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining . CVE-2022-2048 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2022
by Daily end-of-shift report 18 Aug '22

18 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-08-2022 18:00 − Donnerstag 18-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ BlackByte ransomware gang is back with new extortion tactics ∗∗∗ --------------------------------------------- The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-gang-is… ∗∗∗ Microsoft Sysmon can now block malicious EXEs from being created ∗∗∗ --------------------------------------------- Microsoft has released Sysmon 14 with a new FileBlockExecutable option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-can-now-bl… ∗∗∗ Schwere Lücken: Vorsicht bei VPN-Nutzung auf Apple-Geräten ∗∗∗ --------------------------------------------- Wer über Apples iOS einen VPN-Dienst nutzt, ist nicht so sicher unterwegs, wie man es eigentlich vermuten würde. --------------------------------------------- https://futurezone.at/produkte/schwere-luecken-vorsicht-vpn-apple-iphone-ip… ∗∗∗ Clop: Ransomwaregruppe erpresst wohl falsches Wasserwerk ∗∗∗ --------------------------------------------- Eine Ransomwaregruppe hat sich nach einem Hack eines Wasserversorgungsunternehmens in Großbritannien offenbar vertan und ein anderes Werk erpresst. --------------------------------------------- https://www.golem.de/news/clop-ransomwaregruppe-erpresst-scheinbar-falsches… ∗∗∗ Hacking: Der Bad-USB-Stick Rubber Ducky wird noch gefährlicher ∗∗∗ --------------------------------------------- Mit einer neuen Version des Bad-USB-Sticks Rubber Ducky lassen sich Rechner noch leichter angreifen und neuerdings auch heimlich Daten ausleiten. --------------------------------------------- https://www.golem.de/news/hacking-der-bad-usb-stick-rubber-ducky-wird-noch-… ∗∗∗ Hackers Using Bumblebee Loader to Compromise Active Directory Services ∗∗∗ --------------------------------------------- The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities. --------------------------------------------- https://thehackernews.com/2022/08/hackers-using-bumblebee-loader-to.html ∗∗∗ Deluge of of entries to Spamhaus blocklists includes various household names ∗∗∗ --------------------------------------------- Nastymail tracking service blames sloppy sending practices for swelling lists of dangerous mailers Spam-tracking service Spamhaus reported Tuesday that some of the worlds biggest brands are getting loose with their email practices, causing its spam blocklists (SBL) to swell significantly. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/08/18/deluge_of_en… ∗∗∗ Real-Time Behavior-Based Detection on Android Reveals Dozens of Malicious Apps on Google Play Store ∗∗∗ --------------------------------------------- Cybersecurity researchers identify 35 apps, many downloaded over 100,000 times, that have been serving up malware to millions of Android users. --------------------------------------------- https://www.bitdefender.com/blog/labs/real-time-behavior-based-detection-on… ∗∗∗ PayPal Phishing Scam Uses Invoices Sent Via PayPal ∗∗∗ --------------------------------------------- Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. --------------------------------------------- https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent… ∗∗∗ ASEC Weekly Malware Statistics (August 8th, 2022 – August 14th, 2022) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from August 8th, 2022 (Monday) to August 14th, 2022 (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/37837/ ∗∗∗ Analyzing the Hidden Danger of Environment Variables for Keeping Secrets ∗∗∗ --------------------------------------------- While DevOps practitioners use environment variables to regularly keep secrets in applications, these could be conveniently abused by cybercriminals for their malicious activities, as our analysis shows. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/h/analyzing-hidden-danger-of-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Aktive Exploits: macOS 12.5.1, iOS 15.6.1 und iPadOS 15.6.1 verfügbar ∗∗∗ --------------------------------------------- Apple legt nochmals Aktualisierungen für seine 2021er Betriebssysteme vor. Grund sind wichtige Sicherheitsfixes. Für die Apple Watch kommt ein Extra-Update. --------------------------------------------- https://heise.de/-7223549 ∗∗∗ Cisco Secure Web Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Webkonferenzen: Teils kritische Lücken in Zoom ∗∗∗ --------------------------------------------- In mehreren Zoom-Varianten stecken teilweise kritische Sicherheitslücken. Updates sollen sie abdichten. Mac-Nutzer müssen erneut aktualisieren. --------------------------------------------- https://heise.de/-7223873 ∗∗∗ TP-Link: Schadcode-Schmuggel durch Sicherheitslücke in Routern ∗∗∗ --------------------------------------------- Sicherheitsforscher aus Vietnam haben im WLAN-Router TL-WR841N von TP-Link einen kritischen Fehler festgestellt, der Code-Ausführung auf dem Gerät ermöglicht. --------------------------------------------- https://heise.de/-7224392 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, epiphany-browser, freecad, and schroot), Fedora (freeciv, microcode_ctl, qemu, and rsync), Oracle (httpd), SUSE (aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures, python-coverage, python-oniconfig, python-unittest-mixins, bluez, curl, gnutls, kernel, ntfs-3g_ntfsprogs, podman, and ucode-intel), and Ubuntu (zlib). --------------------------------------------- https://lwn.net/Articles/905072/ ∗∗∗ Apache ActiveMQ Artemis: Schwachstelle ermöglicht Darstellen falscher Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache ActiveMQ Artemis ausnutzen, um falsche Informationen darzustellen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1069 ∗∗∗ TypeORM 0.3.7 Information Disclosure ∗∗∗ --------------------------------------------- TypeORM 0.3.7 Information Disclosure Risk: I found what I think is a vulnerability in the latest typeorm 0.3.7. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022080057 ∗∗∗ DSA-2022-238: Dell Client BIOS Security Update for Multiple Tianocore EDK2 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.dell.com/support/kbdoc/de-at/000202475/dsa-2022-238-dell-client… ∗∗∗ Security Bulletin: Vulnerability in Moment affects IBM Process Mining . CVE-2022-31129 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-moment-a… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Apr 2022 – Includes Oracle April 2022 CPU (minus CVE-2022-21426)affects IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in FasterXML jackson-databind affects IBM Process Mining . CVE-2020-36518 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxm… ∗∗∗ Security Bulletin: AIX is vulnerable to arbitrary command execution (CVE-2022-1292 and CVE-2022-2068) or an attacker may obtain sensitive information (CVE-2022-2097) due to OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-arbi… ∗∗∗ Security Bulletin: Multiple vulnerabilities due to OpenSSL and Node js which affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab… ∗∗∗ Security Bulletin: Samba for IBM i is vulnerable to attacker obtaining sensitive information due to a memory leak with SMB1 requests (CVE-2022-32742) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-samba-for-ibm-i-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining . CVE-2020-36518 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2022
by Daily end-of-shift report 17 Aug '22

17 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-08-2022 18:00 − Mittwoch 17-08-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Malware devs already bypassed Android 13s new security feature ∗∗∗ --------------------------------------------- Android malware developers are already adjusting their tactics to bypass a new Restricted settings security feature introduced by Google in the newly released Android 13. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-devs-already-bypasse… ∗∗∗ SocGholish: 5+ Years of Massive Website Infections ∗∗∗ --------------------------------------------- Earlier this June, we shared information about the ongoing NDSW/NDSX malware campaign which has been one of the most common website infections detected and cleaned by our remediation team in the last few years.This NDSW/NDSX malware — also referred to as FakeUpdates or SocGholish by other research groups — is responsible for redirecting site visitors to malicious pages designed to trick victims into loading and installing fake browser updates. --------------------------------------------- https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infec… ∗∗∗ RubyGems now requires multi-factor auth for top package maintainers ∗∗∗ --------------------------------------------- Sign-on you crazy diamond: RubyGems.org, the Ruby programming communitys software package registry, now requires maintainers of popular "gems" to secure their accounts using multi-factor authentication (MFA). --------------------------------------------- https://www.theregister.com/2022/08/16/rubygems_package_registry_mfa/ ∗∗∗ Phishing Site used to Spread Typhon Stealer ∗∗∗ --------------------------------------------- During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe. --------------------------------------------- https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-steal… ∗∗∗ Cisco-ASA-Firewalls hacken per Metasploit und Open-Source-Tools ∗∗∗ --------------------------------------------- Ein Forscher hat zahlreiche Tools und Metasploit-Module zum Hacken von Cisco-Firewalls veröffentlicht. Ein aktuelles Update hilft nicht gegen eines der Tools. --------------------------------------------- https://heise.de/-7222976 ∗∗∗ Achtung: Disney+ Phishing-Mails im Umlauf! ∗∗∗ --------------------------------------------- Besitzen Sie ein Disney+ Konto? Dann nehmen Sie sich vor betrügerischen Phishing-Nachrichten in Acht. Kriminelle versenden massenhaft E-Mails, in denen behauptet wird, Sie müssten Ihre Zahlungsinformationen aktualisieren, da Ihr Abonnement abgelaufen sei. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-disney-phishing-mails-im-uml… ∗∗∗ How a spoofed email passed the SPF check and landed in my inbox ∗∗∗ --------------------------------------------- The Sender Policy Framework can’t help prevent spam and phishing if you allow billions of IP addresses to send as your domain. --------------------------------------------- https://www.welivesecurity.com/2022/08/16/spoofed-email-passed-spf-check-in… ∗∗∗ Los VMware, noch einmal! ∗∗∗ --------------------------------------------- In den Monaten April und Mai dieses Jahres veröffentlichte VMware zwei Security Advisories (VMSA-2022-0011 & VMSA-2022-0014) zu schwerwiegenden Sicherheitslücken in mehreren Produkten, zu denen teilweise bereits Patches zur Verfügung standen. Besagte Sicherheitsaktualisierungen wurden daraufhin von verschiedenen Bedrohungsakteuren untersucht und dienten als Basis für erste Exploits, welche wiederum bereits binnen 48 Stunden nach dem Erscheinen der Advisories genutzt wurden um großflächig Systeme zu kompromittieren. --------------------------------------------- https://cert.at/de/blog/2022/8/los-vmware-machs-nochmal ∗∗∗ GCP, therefore IAM ∗∗∗ --------------------------------------------- Managing access authorization for your cloud assets is a challenging task. Certainly, when dealing with multiple public/private resources, environments, services, providers, and users. --------------------------------------------- https://blog.checkpoint.com/2022/08/17/gcp-therefore-iam/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass. --------------------------------------------- http://blog.talosintelligence.com/2022/08/vuln-spotlight-wwbn-avideo-stream… ∗∗∗ Top Five Patch Management & Process Best Practices ∗∗∗ --------------------------------------------- Explore the top patch management best practices to mitigate the growing threat of vulnerability exploits in your organization. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/h/patch-management-process-best-pr… ===================== = Vulnerabilities = ===================== ∗∗∗ RTLS systems vulnerable to MiTM attacks, location manipulation ∗∗∗ --------------------------------------------- Security researchers have uncovered multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems), enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rtls-systems-vulnerable-to-m… ∗∗∗ IBM Security Bulletins 2022-08-16 ∗∗∗ --------------------------------------------- IBM Cloud Pak System, BM Security Verify Governance, IBM Sterling Connect:Direct for Microsoft Windows, IBM InfoSphere Identity Insight, PowerVC. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Google Chrome-Update: Exploit im Umlauf ∗∗∗ --------------------------------------------- Google hat in Chrome mehrere Sicherheitslücken gestopft. Mindestens eine davon gilt dem Hersteller als kritisch. Für eine weitere kursiert bereits ein Exploit. --------------------------------------------- https://heise.de/-7222389 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (epiphany-browser, net-snmp, webkit2gtk, and wpewebkit), Fedora (python-yara and yara), Red Hat (kernel and kpatch-patch), SUSE (ceph, compat-openssl098, java-1_8_0-openjdk, kernel, python-Twisted, rsync, and webkit2gtk3), and Ubuntu (pyjwt and unbound). --------------------------------------------- https://lwn.net/Articles/904955/ ∗∗∗ Quarterly Security Patches Released for Splunk Enterprise ∗∗∗ --------------------------------------------- Splunk this week announced the release of a new set of quarterly patches, to address multiple vulnerabilities in Splunk Enterprise. --------------------------------------------- https://www.securityweek.com/quarterly-security-patches-released-splunk-ent… ∗∗∗ WAGO: Multiple Products Series affected by multiple CODESYS vulnerabilities ∗∗∗ --------------------------------------------- VDE-2022-031Vendor(s)WAGO GmbH & Co. KGProduct(s) Article No° Product Name Affected Version(s) 752-8303/8000-0002EC300 750-8100/xxx-xxxPFC 100 750-8102/xxx-xxxPFC 100 750-8101/xxx-xxxPFC 100 750-8217/xxx-xxxPFC 200 750-8216/xxx-xxxPFC 200 750-8215/xxx-xxxPFC 200 750-8214/xxx-xxxPFC 200 750-8213/xxx-xxxPFC 200 750-8212/xxx-xxxPFC 200 750-8211/xxx-xxxPFC 200 750-8210/xxx-xxxPFC 200 750-8207/xxx-xxxPFC 200 750-8206/xxx-xxxPFC 200 750-8204/xxx-xxxPFC 200 750-8203/xxx-xxxPFC 200 --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-031/ ∗∗∗ WAGO: Multiple product series affected by multiple CODESYS vulnerabilities ∗∗∗ --------------------------------------------- VDE-2022-035Vendor(s)WAGO GmbH & Co. KGProduct(s) Article No° Product Name Affected Version(s) 751-9301CC100 752-8303/8000-0002EC300 750-8100/xxx-xxxPFC 100 750-8102/xxx-xxxPFC 100 750-8101/xxx-xxxPFC 100 750-8216/xxx-xxxPFC 200 750-8215/xxx-xxxPFC 200 750-8214/xxx-xxxPFC 200 750-8213/xxx-xxxPFC 200 750-8212/xxx-xxxPFC 200 750-8211/xxx-xxxPFC 200 750-8210/xxx-xxxPFC 200 750-8207/xxx-xxxPFC 200 750-8206/xxx-xxxPFC 200 750-8204/xxx-xxxPFC 200 750-8203/xxx-xxxPFC 200 750-8202/xxx-xxxPFC --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-035/ ∗∗∗ Microsoft Windows Defender: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1053 ∗∗∗ Ansible Automation Platform: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1058 ∗∗∗ Delta Industrial Automation DRAS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2022
by Daily end-of-shift report 16 Aug '22

16 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-08-2022 18:00 − Dienstag 16-08-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ SOVA malware adds ransomware feature to encrypt Android devices ∗∗∗ --------------------------------------------- The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sova-malware-adds-ransomware… ∗∗∗ John Deere: Hacker präsentiert Jailbreak für Traktoren ∗∗∗ --------------------------------------------- Nicht nur Telefonhersteller vernageln ihre Geräte. Der Hacker Sick Codes zeigt, wie Root-Zugriff auf die Systeme der Traktoren zu erlangen ist. --------------------------------------------- https://www.golem.de/news/john-deere-ein-hacker-praesentiert-ein-jailbreak-… ∗∗∗ Threat in your browser: what dangers innocent-looking extensions hold for users ∗∗∗ --------------------------------------------- In this research, we observed various types of threats that mimic useful web browser extensions, and the number of users attacked by them. --------------------------------------------- https://securelist.com/threat-in-your-browser-extensions/107181/ ∗∗∗ Two more malicious Python packages in the PyPI ∗∗∗ --------------------------------------------- We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI. --------------------------------------------- https://securelist.com/two-more-malicious-python-packages-in-the-pypi/10721… ∗∗∗ Disrupting SEABORGIUM’s ongoing phishing operations ∗∗∗ --------------------------------------------- The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM in campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-o… ∗∗∗ Realtek SDK SIP ALG Vulnerability: A Big Deal, but not much you can do about it. CVE 2022-27255, (Sun, Aug 14th) ∗∗∗ --------------------------------------------- On Friday, Octavio Gianatiempo & Octavio Galland released details about a vulnerability in Realtek's eCos SDK. --------------------------------------------- https://isc.sans.edu/diary/rss/28940 ∗∗∗ Finanzsanierungen nicht mit Krediten verwechseln! ∗∗∗ --------------------------------------------- Kreditsuchende stoßen bei ihren Recherchen immer wieder auf Werbeanzeigen für Finanzsanierungsangebote. Achtung: Bei Finanzsanierungsangeboten handelt es sich um keine Kredite, sondern um eine sogenannte Schuldenregulierung. Diese ist in Österreich kostenlos erhältlich, weshalb bei kostenpflichtigen Angeboten zu Abstand zu raten ist! --------------------------------------------- https://www.watchlist-internet.at/news/finanzsanierungen-nicht-mit-krediten… ∗∗∗ Typosquatting Campaign Targeting Python’s Top Packages, Dropping GitHub Hosted Malware with DGA Capabilities ∗∗∗ --------------------------------------------- On Saturday, August 13th, Checkmarx’s Software Supply Chain Security Typosquatting engine detected a large-scale attack on the Python ecosystem with multi-stage persistent malware. --------------------------------------------- https://checkmarx.com/blog/typosquatting-campaign-targeting-pythons-top-pac… ∗∗∗ What Exposed OPA Servers Can Tell You About Your Applications ∗∗∗ --------------------------------------------- This blog entry discusses what an OPA is and what it’s for, what we’ve discovered after identifying 389 exposed OPA servers via Shodan, and how exposed OPAs can negatively impact your applications’ overall security. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/h/what-exposed-opa-servers-can… ===================== = Vulnerabilities = ===================== ∗∗∗ Evil PLC Attack: Using a Controller as Predator Rather than Prey ∗∗∗ --------------------------------------------- Team82 has developed a novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations and further invade OT and enterprise networks. --------------------------------------------- https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-preda… ∗∗∗ Process injection: breaking all macOS security layers with a single vulnerability ∗∗∗ --------------------------------------------- In this post, we will first describe what process injection is, then the details of this vulnerability and finally how we abused it. --------------------------------------------- https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-ma… ∗∗∗ Database Integrity Vulnerabilities in Boeing’s Onboard Performance Tool ∗∗∗ --------------------------------------------- Security gaps in older, unprotected Windows desktop versions of Boeing’s Onboard Performance Tool (OPT) could make certain Electronic Flight Bags (EFB) more susceptible to attack. --------------------------------------------- https://www.pentestpartners.com/security-blog/database-integrity-vulnerabil… ∗∗∗ IBM Security Bulletins 2022-08-15 ∗∗∗ --------------------------------------------- IBM Sterling B2B Integrator, IBM SPSS Modeler, IBM Cloud Pak System, IBM Sterling File Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Zoom für macOS: Update-Funktion reißt Sicherheitslücke ∗∗∗ --------------------------------------------- Die populäre Videokonferenz-App hat auf dem Mac einmal mehr ein Security-Problem. Nutzer sollten dringend aktualisieren. Perfekt ist der Fix noch nicht. --------------------------------------------- https://heise.de/-7219942 ∗∗∗ DefCon 30: Unsicherheiten durch Microsoft in UEFI Secure Boot ∗∗∗ --------------------------------------------- Microsofts ausschweifende Signier-Praxis produziert Schwachstellen der Secure-Boot-Umgebung. Das kritisierten Sicherheitsforscher auf der DefCon 30. --------------------------------------------- https://heise.de/-7221728 ∗∗∗ Fernwartung: Kritische Sicherheitslücken in HPE Integrated Lights-Out (iLO) ∗∗∗ --------------------------------------------- Die Fernverwaltung HPE Integrated Lights-Out ermöglichte Angreifern das Einschmuggeln von Schadcode. Aktualisierte Software behebt die Fehler. --------------------------------------------- https://heise.de/-7219923 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (trafficserver), Fedora (freeciv, gnutls, kernel, libldb, mingw-gdk-pixbuf, owncloud-client, rust-ffsend, samba, thunderbird, and zlib), Gentoo (apache, binutils, chromium, glibc, gstreamer, libarchive, libebml, nokogiri, puma, qemu, xen, and xterm), Mageia (golang, libtiff, poppler, python-django, and ruby-sinatra), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (chromium, cifs-utils, kernel, open-iscsi, and trousers), and Ubuntu (webkit2gtk). --------------------------------------------- https://lwn.net/Articles/904741/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (kernel), Fedora (webkit2gtk3), Oracle (.NET 6.0, .NET Core 3.1, kernel, and kernel-container), Slackware (rsync), and SUSE (canna, ceph, chromium, curl, kernel, opera, python-Twisted, and seamonkey). --------------------------------------------- https://lwn.net/Articles/904842/ ∗∗∗ Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device. --------------------------------------------- http://blog.talosintelligence.com/2022/08/vuln-spotlight-hdf5-library.html ∗∗∗ TRUMPF: Products prone to Unified Automation vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-034/ ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1042 ∗∗∗ CoreDNS: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1047 ∗∗∗ ESRI ArcGIS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1046 ∗∗∗ npm: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1049 ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1048 ∗∗∗ Yokogawa CENTUM Controller FCS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-01 ∗∗∗ LS ELECTRIC PLC and XG5000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-02 ∗∗∗ Softing Secure Integration Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-04 ∗∗∗ B&R Industrial Automation Automation Studio 4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-05 ∗∗∗ Emerson Proficy Machine Edition ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-06 ∗∗∗ Sequi PortBloque S ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-07 ∗∗∗ Two DoS vulnerabilities eliminated from Mitsubishi industrial controllers ∗∗∗ --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/two-dos-vulnerabilities-elimina… ∗∗∗ Multiple Vulnerabilities in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-22 ∗∗∗ Multiple Vulnerabilities in Apache HTTP Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-23 ∗∗∗ Remote Support Authentication Vulnerability in IBM Spectrum Virtualize and Lenovo Storage V Series ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500514-REMOTE-SUPPORT-AUTHENTI… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.08.2022
by Daily end-of-shift report 12 Aug '22

12 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-08-2022 18:00 − Freitag 12-08-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ I’m a security reporter and got fooled by a blatant phish ∗∗∗ --------------------------------------------- Think youre too smart to be fooled by a phisher? Think again. --------------------------------------------- https://arstechnica.com/?p=1873356 ∗∗∗ The Importance of Website Logs ∗∗∗ --------------------------------------------- In this post, we’ll explain why logs are so important and help you understand how to use website logs to level up your security and maintain compliance. --------------------------------------------- https://blog.sucuri.net/2022/08/importance-of-website-logs-for-security.html ∗∗∗ Conti Cybercrime Cartel Using BazarCall Phishing Attacks as Initial Attack Vector ∗∗∗ --------------------------------------------- A trio of offshoots from the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks. --------------------------------------------- https://thehackernews.com/2022/08/conti-cybercrime-cartel-using-bazarcall.h… ∗∗∗ Sloppy Software Patches Are a ‘Disturbing Trend’ ∗∗∗ --------------------------------------------- The Zero Day Initiative has found a concerning uptick in security updates that fail to fix vulnerabilities. --------------------------------------------- https://www.wired.com/story/software-patch-flaw-uptick-zdi/ ∗∗∗ Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike ∗∗∗ --------------------------------------------- Since 2019, threat actor Monster Libra (also known as TA551 or Shathak) has pushed different families of malware. --------------------------------------------- https://isc.sans.edu/diary/rss/28934 ∗∗∗ Details zum Einbruch bei Cisco – Einfallstor persönliches Google-Konto ∗∗∗ --------------------------------------------- Cisco wurde Opfer eines Cyber-Angriffs, bei dem Kriminelle Zugriff auf das interne Netz erlangten. Jetzt veröffentlicht das Unternehmen Details dazu. --------------------------------------------- https://heise.de/-7218236 ∗∗∗ Input-Device-Monitoring bei Windows: Finde die Wanze! ∗∗∗ --------------------------------------------- Für moderne Malware, die im Userland agiert, sind forensische Aufspürmethoden für Abhörversuche quasi nicht existent. Ein Forscherteam will Abhilfe schaffen. --------------------------------------------- https://heise.de/-7218864 ∗∗∗ O’Neill-Kleidung online kaufen? Nicht auf backmanboats.com! ∗∗∗ --------------------------------------------- Wir erhalten immer wieder Meldungen zu Online-Shops, die entweder gar keine Ware verschicken oder etwas, das nichts mit der Produktbeschreibung zu tun hat. Haben Sie ein teures Marken T-Shirt bestellt, aber eine billige Kopie erhalten? Solche Online-Shops nennt man Markenfälscher, da sie angeben, bekannte Marken wie O'Neill zu verkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/oneill-kleidung-online-kaufen-nicht-… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/11/cisa-adds-two-kno… ∗∗∗ Windows Sicherheitsupdate KB5012170 für Secure Boot DBX (9. August 2022) ∗∗∗ --------------------------------------------- Noch ein kurzer Nachtrag vom Patchday, 9. August 2022. Dort wurde auch ein Sicherheitsupdate für das Secure Boot Modul durch Microsoft bereitgestellt. --------------------------------------------- https://www.borncity.com/blog/2022/08/12/windows-sicherheitsupdate-kb501217… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers Find Vulnerability in Software Underlying Discord, Microsoft Teams, and Other Apps ∗∗∗ --------------------------------------------- The popular apps used by millions of users all run the same software, called Electron. --------------------------------------------- https://www.vice.com/en/article/m7gb7y/researchers-find-vulnerability-in-so… ∗∗∗ Groupware Zimbra "trivial angreifbar" – Admins sollten schnell updaten ∗∗∗ --------------------------------------------- Mit der Verkettung zweier Security-Bugs in der Groupware haben Angreifer seit Ende Juni tausende Zimbra-Installationen übernommen. --------------------------------------------- https://heise.de/-7218354 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, libtirpc, postgresql-11, and samba), Fedora (microcode_ctl, wpebackend-fdo, and xen), Oracle (.NET 6.0, galera, mariadb, and mysql-selinux, and kernel), SUSE (dbus-1 and python-numpy), and Ubuntu (booth). --------------------------------------------- https://lwn.net/Articles/904549/ ∗∗∗ OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities ∗∗∗ --------------------------------------------- OT and IoT cybersecurity company SCADAfence has discovered potentially serious vulnerabilities in a widely used building management system made by Alerton, a brand of industrial giant Honeywell. --------------------------------------------- https://www.securityweek.com/ot-security-firm-warns-safety-risks-posed-aler… ∗∗∗ Realtek SDK Vulnerability Exposes Routers From Many Vendors to Remote Attacks ∗∗∗ --------------------------------------------- A serious vulnerability affecting the eCos SDK made by Taiwanese semiconductor company Realtek could expose the networking devices of many vendors to remote attacks. --------------------------------------------- https://www.securityweek.com/realtek-sdk-vulnerability-exposes-routers-many… ∗∗∗ Bitdefender: Schwachstelle in Device42 ∗∗∗ --------------------------------------------- Wegen einer mittlerweile behobenen Schwachstelle in Device42 gibt Bitdefender eine Empfehlung zum Update auf die Version 18.01.00 von Device42. --------------------------------------------- https://www.zdnet.de/88402845/bitdefender-schwachstelle-in-device42/ ∗∗∗ Vulnerabilities on Xiaomi’s mobile payment mechanism which could allow forged transactions : A Check Point Research analysis ∗∗∗ --------------------------------------------- Check Point Research (CPR) analyzed the payment system built into Xiaomi smartphones powered by MediaTek chips CPR found vulnerabilities that could allow forging of payment and disabling the payment system directly. --------------------------------------------- https://blog.checkpoint.com/2022/08/12/vulnerabilities-on-xiaomis-mobile-pa… ∗∗∗ VU#309662: Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/309662 ∗∗∗ Security Bulletin: Watson Knowledge Catalog InstaScan is vulnerable to an XML External Entity (XXE) Injection vulnerability due to IBM WebSphere Application Server Liberty ( CVE-2021-20492 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-knowledge-catalog-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to remote code execution due to Apache Commons Configuration (CVE-2022-33980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to remote connection exploit by Go CVE-2022-30629 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to ejs [CVE-2022-29078] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote authenticated attacker due to Node.js (CVE-2022-29244, CVE-2022-33987) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker to cause a denial of service or low integrity impact due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ PostgreSQL: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1013 ∗∗∗ Emerson ROC800, ROC800L and DL8000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-223-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2022
by Daily end-of-shift report 11 Aug '22

11 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-08-2022 18:00 − Donnerstag 11-08-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ OpenTIP, command line edition ∗∗∗ --------------------------------------------- We released Python-based command line tools for our OpenTIP service that also implement a client class that you can reuse in your own tools. --------------------------------------------- https://securelist.com/opentip-command-line-edition/107109/ ∗∗∗ InfoStealer Script Based on Curl and NSudo, (Thu, Aug 11th) ∗∗∗ --------------------------------------------- If sudo is a well known tool used daily by most UNIX system administrators, NSudo remains less below the radar. This is a tool running on Microsoft Windows which allows you to execute processes with different access tokens and privileges like System, TrustedInstaller and CurrentUser. --------------------------------------------- https://isc.sans.edu/diary/rss/28932 ∗∗∗ capa v4: casting a wider .NET ∗∗∗ --------------------------------------------- We are excited to announce version 4.0 of capa with support for analyzing .NET executables. This open-source tool automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering. --------------------------------------------- https://www.mandiant.com/resources/capa-v4-casting-wider-net ∗∗∗ Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study ∗∗∗ --------------------------------------------- A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. --------------------------------------------- https://research.nccgroup.com/2022/08/11/detecting-dns-implants-old-kitten-… ∗∗∗ Palo Alto Networks Firewalls Targeted for Reflected, Amplified DDoS Attacks ∗∗∗ --------------------------------------------- Palo Alto Networks is working on fixes for a reflected amplification denial-of-service (DoS) vulnerability that impacts PAN-OS, the platform powering its next-gen firewalls. --------------------------------------------- https://www.securityweek.com/palo-alto-networks-firewalls-targeted-reflecte… ∗∗∗ Years after claiming DogWalk wasn’t a vulnerability, Microsoft confirms flaw is being exploited and issues patch ∗∗∗ --------------------------------------------- This week Microsoft finally released a patch for a zero-day security flaw being exploited by hackers, that the company had claimed since 2019 was not actually a vulnerability. --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/years-after-claiming-dogwal… ∗∗∗ BlueSky Ransomware: Fast Encryption via Multithreading ∗∗∗ --------------------------------------------- BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses. --------------------------------------------- https://unit42.paloaltonetworks.com/bluesky-ransomware/ ∗∗∗ AA22-223A: #StopRansomware: Zeppelin Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-223a ∗∗∗ Cisco Talos shares insights related to recent cyber attack on Cisco ∗∗∗ --------------------------------------------- On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. --------------------------------------------- http://blog.talosintelligence.com/2022/08/recent-cyber-attack.html ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Flaws Disclosed in Device42 IT Asset Management Software ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems. --------------------------------------------- https://thehackernews.com/2022/08/critical-flaws-disclosed-in-device42-it.h… ∗∗∗ [R1] Nessus Version 8.15.6 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Two separate vulnerabilities that utilize the Audit functionality in Nessus were discovered, reported and fixed. --------------------------------------------- https://www.tenable.com/security/tns-2022-16 ∗∗∗ Cisco: Angreifer könnten an private RSA-Schlüssel in ASA und Firepower gelangen ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco schließt mit aktualisierter Software eine Sicherheitslücke in ASA und Firepower. Angreifer könnten private RSA-Keys auslesen. --------------------------------------------- https://heise.de/-7216863 ∗∗∗ Kritische Sicherheitslücke in Zoho ManageEngine OpManager ∗∗∗ --------------------------------------------- Zoho hat Updates veröffentlicht, die eine kritische und weitere Sicherheitslücken in ManageEngine OpManager schließen. Angreifer könnten unbefugt zugreifen. --------------------------------------------- https://heise.de/-7217521 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment). --------------------------------------------- https://lwn.net/Articles/904457/ ∗∗∗ Organizations Warned of Critical Vulnerabilities in NetModule Routers ∗∗∗ --------------------------------------------- Flashpoint is warning organizations of two newly identified critical vulnerabilities in NetModule Router Software (NRSW) that could be exploited in attacks. --------------------------------------------- https://www.securityweek.com/organizations-warned-critical-vulnerabilities-… ∗∗∗ BOSCH-SA-463993: SafeLogic Designer vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-463993.html ∗∗∗ Drupal: jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-052 ∗∗∗ Security Bulletin: Vulnerability in the Node.js got module affects IBM Event Streams (CVE-2022-33987) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-node… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to CVE-2022-31129 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote access due to Go CVE-2022-29526 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to information disclosure CVE-2022-30629 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2022
by Daily end-of-shift report 10 Aug '22

10 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-08-2022 18:00 − Mittwoch 10-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BSI warnt vor dem Einsatz unsicherer Funk-Türschlösser der Marke ABUS ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt nach §7 BSI-Gesetz vor dem Einsatz des digitalen Türschlosses "HomeTec Pro CFA3000" des Herstellers ABUS und empfiehlt, das Produkt zu ersetzen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Achtung: Fake-Shops! Kaufen Sie nichts bei diesen Garten-Online-Shops ∗∗∗ --------------------------------------------- Online finden Sie viele Shops zu jedem Bereich. Auch Garten-Shops bilden da keine Ausnahme. Die Online-Shops gartenland-paradies.de, home-garten-shop.de und rasengarten.com sind allesamt Fake-Shops und versuchen, Sie zu betrügen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shops-kaufen-sie-nichts… ∗∗∗ Microsoft veröffentlicht Bedrohungsmatrix zu Azure für Sicherheits-Evaluierungen ∗∗∗ --------------------------------------------- Analog zum in Sicherheitskreisen vielgenutzten MITRE ATT&CK Framework hat Microsoft für Azure und Azure AD Informationen zu potenziellen Angriffen aufbereitet. --------------------------------------------- https://heise.de/-7216398 ∗∗∗ UnRAR Vulnerability Exploited in the Wild, Likely Against Zimbra Servers ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) revealed on Tuesday that a recently patched vulnerability affecting the UnRAR archive extraction tool is being exploited in the wild. --------------------------------------------- https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-agai… ∗∗∗ Novel News on Cuba Ransomware aka Greetings From Tropical Scorpius ∗∗∗ --------------------------------------------- Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius. --------------------------------------------- https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/ ∗∗∗ 10 malicious PyPI packages found stealing developers credentials ∗∗∗ --------------------------------------------- Threat analysts have discovered ten malicious Python packages on the PyPI repository, used to infect developers systems with password-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/10-malicious-pypi-packages-f… ∗∗∗ VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges ∗∗∗ --------------------------------------------- VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and cryptocurrency trading companies. --------------------------------------------- https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/ ∗∗∗ Security Update Guide Notification System News: Create your profile now ∗∗∗ --------------------------------------------- Sharing information through the Security Update Guide (SUG) is an important part of our ongoing effort to help customers manage security risks and keep systems protected. --------------------------------------------- https://msrc-blog.microsoft.com/2022/08/09/security-update-guide-notificati… ∗∗∗ Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments ∗∗∗ --------------------------------------------- In this blog, I’ll explain how to quickly inventory, exploit, and remediate network shares configured with excessive permissions at scale in Active Directory environments. Excessive share permissions represent a risk that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments. --------------------------------------------- https://www.netspi.com/blog/technical/network-penetration-testing/network-s… ∗∗∗ Discovering Domains via a Timing Attack on Certificate Transparency ∗∗∗ --------------------------------------------- There is a flaw in a way that deployment of TLS certificates might be set up. It allows anyone to discover all domain names used by the same server. Sometimes, even when there is no HTTPS there! --------------------------------------------- https://swarm.ptsecurity.com/discovering-domains-via-timing-attack/ ∗∗∗ The Security Pros and Cons of Using Email Aliases ∗∗∗ --------------------------------------------- One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a "+" character after the username portion of your email address -- followed by a notation specific to the site youre signing up at -- lets you create an infinite number of unique email addresses tied to the same account. --------------------------------------------- https://krebsonsecurity.com/2022/08/the-security-pros-and-cons-of-using-ema… ===================== = Vulnerabilities = ===================== ∗∗∗ Neue Sicherheitslücken in AMD- und Intel-Prozessoren: AEPIC & SQUIP ∗∗∗ --------------------------------------------- Internationale Expertenteams weisen Schwachstellen in zahlreichen aktuellen CPU-Typen von AMD und Intel nach, die auch künftige ARM-Chips treffen könnten. --------------------------------------------- https://heise.de/-7211904 ∗∗∗ Intel Patches Severe Vulnerabilities in Firmware, Management Software ∗∗∗ --------------------------------------------- Intel on Tuesday published 27 security advisories detailing roughly 60 vulnerabilities across firmware, software libraries, and endpoint and data center management products. --------------------------------------------- https://www.securityweek.com/intel-patches-severe-vulnerabilities-firmware-… ∗∗∗ Microsoft Security Update Summary (9. August 2022) ∗∗∗ --------------------------------------------- Am 9. August 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen zudem 118 Schwachstellen, davon 17 kritisch und zwei 0-day-Schwachstellen. --------------------------------------------- https://www.borncity.com/blog/2022/08/10/microsoft-security-update-summary-… ∗∗∗ Exchange Server Sicherheitsupdates (9. August 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 9. August Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/08/10/exchange-server-sicherheitsupdates… ∗∗∗ Patchday: Adobe schließt kritische Lücken in Commerce und Kreativprogrammen ∗∗∗ --------------------------------------------- Adobe schließt zum August-Patchday mehrere, teils kritische Sicherheitslücken. Betroffen sind Adobe Commerce und Magento sowie PDF- und Kreativ-Software. --------------------------------------------- https://heise.de/-7215839 ∗∗∗ Jetzt handeln! Exploit-Code für VMware-Lücke aufgetaucht, neue Updates verfügbar ∗∗∗ --------------------------------------------- VMware hat für neu entdeckte Sicherheitslücken Updates bereitgestellt. Für eine ältere Schwachstelle ist jetzt Exploit-Code aufgetaucht, warnt der Hersteller. --------------------------------------------- https://heise.de/-7216296 ∗∗∗ IBM Security Bulletins 2022-08-09 ∗∗∗ --------------------------------------------- IBM Netezza, IBM Sterling Connect, IBM MQ Operator, IBM Queue manager, IBM Cloud Pak, IBM Sterling B2B Integrator, IBM Event Streams, IBM InfoSphere Information Server, IBM Process Mining. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lenovo Product Security Advisories and Announcements 2022-08-09 ∗∗∗ --------------------------------------------- Lenovo published 9 security advisories. --------------------------------------------- https://support.lenovo.com/de/de/product_security/home ∗∗∗ Dell Security Advisories and Notices ∗∗∗ --------------------------------------------- Dell published 1 security advisory. --------------------------------------------- https://www.dell.com/support/security/en-us/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-good1.0), Fedora (firefox and ghostscript), Gentoo (consul, firefox, libass, libraw, lxml, mdbtools, pam_u2f, spice, and thunderbird), Oracle (kernel, kernel-container, and vim), Red Hat (galera, mariadb, and mysql-selinux, kernel, and kernel-rt), Scientific Linux (kernel), SUSE (bind, java-11-openjdk, kernel, mokutil, ncurses, and u-boot), and Ubuntu (epiphany-browser, libcdio, linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle). --------------------------------------------- https://lwn.net/Articles/904374/ ∗∗∗ PaloAlto Networks PAN-OS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in PaloAlto Networks PAN-OS ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Code zur Ausführung zu bringen, einen Denial of Service Angriff durchzuführen oder vertrauliche Daten einzusehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0952 ∗∗∗ FreeBSD: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in FreeBSD ausnutzen, um einen Denial of Service Angriff durchzuführen, Informationen offenzulegen oder Code auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0995 ∗∗∗ F5: K21600298: OpenSSL vulnerability CVE-2022-1292 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21600298 ∗∗∗ Red Hat Ceph Storage: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0979 ∗∗∗ Apache Traffic Server: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0992 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0989 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-33745 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX463455/citrix-hypervisor-security-bul… ∗∗∗ SonicWall SMA1000 CVE-2021-33909 and CVE-2022-0847 ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0015 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2022
by Daily end-of-shift report 09 Aug '22

09 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 08-08-2022 18:00 − Dienstag 09-08-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Kollaborationssoftware: Slack schließt jahrelanges Datenleck ∗∗∗ --------------------------------------------- Slack hat etliche Nutzer aufgefordert, ihr Passwort zu ändern. Über eine Sicherheitslücke wurden über Jahre Hashes der Passwörter versendet. --------------------------------------------- https://www.golem.de/news/kollaborationssoftware-slack-schliesst-jahrelange… ∗∗∗ The Truth About False Positives in Security ∗∗∗ --------------------------------------------- As weird as it might sound, seeing a few false positives reported by a security scanner is probably a good sign and certainly better than seeing none. Lets explain why. --------------------------------------------- https://thehackernews.com/2022/08/the-truth-about-false-positives-in.html ∗∗∗ Cyberangriffe auf Medizingeräte: Risikobewusstsein hoch, aber wenig Prävention ∗∗∗ --------------------------------------------- Seit 2020 fahren Cyberkriminelle ihre Angriffe verstärkt auf Gesundheitsinfrastrukturen. Schlecht gesicherte IoMT/IoT-Geräte erleichtern ihnen die Arbeit. --------------------------------------------- https://heise.de/-7206153 ∗∗∗ IT-Sicherheit: meistverbreitete Malware-Stämme im Jahr 2021 ∗∗∗ --------------------------------------------- Die US-IT-Sicherheitsbehörde CISA und das australische Cyber Security Center haben zusammengetragen, welche Malware-Stämme 2021 am häufigsten beobachtet wurden. --------------------------------------------- https://heise.de/-7206775 ∗∗∗ Twilio: Konten von Mitarbeitern und Kunden kompromittiert ∗∗∗ --------------------------------------------- Angestellte des Diensteanbieters Twilio sind Opfer von Phishing-Angriffen geworden. Die Angreifer konnten unbefugt auf Informationen zugreifen. --------------------------------------------- https://heise.de/-7207070 ∗∗∗ Open Redirect Flaws in American Express and Snapchat Exploited in Phishing Attacks ∗∗∗ --------------------------------------------- Open redirect vulnerabilities affecting American Express and Snapchat websites were exploited earlier this year as part of phishing campaigns targeting Microsoft 365 users, email security firm Inky reports. --------------------------------------------- https://www.securityweek.com/open-redirect-flaws-american-express-and-snapc… ∗∗∗ Günstiges Brennholz: Vorsicht vor Fake-Angeboten im Facebook Marketplace ∗∗∗ --------------------------------------------- Sie haben auf Facebook ein günstiges Angebot für Brennholz gefunden? Vorsicht: Möglicherweise handelt es sich um ein betrügerisches Inserat. Überprüfen Sie das Angebot und Verkäufer:innen sehr genau und zahlen Sie nicht vorab! --------------------------------------------- https://www.watchlist-internet.at/news/guenstiges-brennholz-vorsicht-vor-fa… ∗∗∗ Shodan Verified Vulns 2022-08-01 ∗∗∗ --------------------------------------------- Im Vergleich zum Juli gab es praktisch keine Veränderung. Die Schwachstellen FREAK (CVE-2015-0204) und Logjam (CVE-2015-4000) sind in den Daten für diesen Monat nicht enthalten (bzw. wird die Anzahl für beide mit 0 angegeben). Dabei handelt es sich aber offensichtlich um einen Fehler, auch bei den Shodan Trends ist für beide Schwachstellen ein plötzlicher Abfall zu sehen. Ob das seitens Shodan beabsichtig ist, da vielleicht nicht mehr nach diesen CVEs gescannt wird, wissen wir derzeit nicht; sachdienliche Hinweise dazu nehmen wir aber dankend entgegen. --------------------------------------------- https://cert.at/de/aktuelles/2022/8/shodan-verified-vulns-2022-08-01 ∗∗∗ SmarterTrack Full disclosure ∗∗∗ --------------------------------------------- On 27 October 2021 Wietse Boonstra found several vulnerabilities in the latest version of SmarterTrack. There were two XSS, an unauthenticated download and an upload / overwrite vulnerability. The researcher Wietse Boonstra and Finn van der Knaap, examined the vulnerability and made the proof of concept. --------------------------------------------- https://csirt.divd.nl/2022/08/09/Smartertrak-Full-Disclosure/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, IBM Netezza for Cloud Pak for Data, node.js, IBM® SDK Java Technology Edition (Version 8), IBM Security SiteProtector System, Spring Framework, IBM Workload Scheduler, Liberty for Java for IBM Cloud. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- 4 new, 38 updated --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-08#Sec… ∗∗∗ Schneider Electric Security Advisories ∗∗∗ --------------------------------------------- Schneider Electric released 11 security advisories. --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ AUMA: Multiple Vulnerabilities in Automation Runtime NTP Service ∗∗∗ --------------------------------------------- The SIMA² Master Station features an NTP service based on ntpd, a reference implementation of the Network Time Protocol (NTP). --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-032/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28 and unzip), Fedora (dovecot and net-snmp), Red Hat (kernel-rt and vim), and Ubuntu (gst-plugins-good1.0). --------------------------------------------- https://lwn.net/Articles/904271/ ∗∗∗ SAP Patchday August 2022 ∗∗∗ --------------------------------------------- Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um Sicherheitsvorkehrungen zu umgehen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0949 ∗∗∗ Keycloak: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0948 ∗∗∗ ImageMagick: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0946 ∗∗∗ NetApp StorageGRID: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0945 ∗∗∗ Red Hat OpenShift Service Mesh: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0944 ∗∗∗ Mitsubishi Electric GT SoftGOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-221-01 ∗∗∗ Emerson ControlWave ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-221-02 ∗∗∗ Emerson OpenBSI ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-221-03 ∗∗∗ Open Source Varnish Cache Denial of Service ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00009/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2022
by Daily end-of-shift report 08 Aug '22

08 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-08-2022 18:00 − Montag 08-08-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New GwisinLocker ransomware encrypts Windows and Linux ESXi servers ∗∗∗ --------------------------------------------- A new ransomware family called GwisinLocker targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-… ∗∗∗ Microsoft Office to publish symbols starting August 2022 ∗∗∗ --------------------------------------------- We are excited to announce that Microsoft Office will begin publishing Office symbols for Windows via the Microsoft Public Symbol Server on August 9th 2022. The publication of Office symbols is a part of our continuing investment to improve security and performance for customers and partners. --------------------------------------------- https://msrc-blog.microsoft.com/2022/08/08/microsoft-office-to-publish-symb… ∗∗∗ BumbleBee Roasts Its Way to Domain Admin ∗∗∗ --------------------------------------------- In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193. --------------------------------------------- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-adm… ∗∗∗ "Command&Control as a Service" – Cybercrime auf dem Weg in die Cloud ∗∗∗ --------------------------------------------- Ein neues As-a-Service-Angebot hat im Cybercrime-Untergrund innerhalb weniger Monate bereits tausende Kunden gewonnen. --------------------------------------------- https://heise.de/-7204112 ∗∗∗ Security-Informationen: Neues Ampel-Protokoll soll Vertraulichkeit vereinfachen ∗∗∗ --------------------------------------------- Das Trafic Light Protocol hat sich für die Kennzeichnung vertraulicher Informationen etabliert. TLP Version 2.0 soll die Absicht des Autors klarer machen. --------------------------------------------- https://heise.de/-7205920 ∗∗∗ Fake-Gewinnspiel für JBL-Lautsprecher auf Instagram ∗∗∗ --------------------------------------------- Zahlreiche Instagram-Nutzer:innen werden momentan von Fake-JBL-Profilen auf Beiträgen markiert: „Wenn du markiert wurdest, hast du einen tragbaren Lautsprecher von JBL gewonnen“ lautet der Beitrag. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-fuer-jbl-lautsprech… ∗∗∗ Ransomware-Attacken zurück im Geschäft ∗∗∗ --------------------------------------------- Doch keine Sommerpause: Nach einem leichten Rückgang zu Beginn des Jahres hat die Zahl der Ransomware-Angriffe im zweiten Quartal 2022 erneut zugelegt. --------------------------------------------- https://www.zdnet.de/88402769/ransomware-attacken-zurueck-im-geschaeft/ ∗∗∗ Google-Report von VirusTotal über Trends bei Malware ∗∗∗ --------------------------------------------- Auf seinem Dienst VirusTotal erhält Google täglich zahlreiche Einreichungen von Dateien zur Überprüfung, ob es sich um Malware handelt. In einem neuen Bericht "Deception at scale: Wie Malware Vertrauen missbraucht" hat ein Team von Google die Erkenntnisse zu verschiedene Techniken zusammengetragen, die Malware einsetzt, um Abwehrmechanismen zu umgehen und Social-Engineering-Angriffe effektiver zu gestalten. --------------------------------------------- https://www.borncity.com/blog/2022/08/07/google-report-von-virustotal-ber-t… ∗∗∗ Small-time cybercrime is about to explode — We arent ready ∗∗∗ --------------------------------------------- The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as it can be the most interesting, technically speaking. When most people think of cybercrime they think of large-scale breaches because thats what dominates the headlines. However, the problem is much bigger. --------------------------------------------- http://blog.talosintelligence.com/2022/08/smalltime-cybercrime.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cross-Site Request Forgery Vulnerability Patched in Ecwid Ecommerce Shopping Cart Plugin ∗∗∗ --------------------------------------------- On June 24, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a Cross-Site Request Forgery vulnerability we discovered in Ecwid Ecommerce Shopping Cart, a WordPress plugin installed on over 30,000 sites. This vulnerability made it possible for attackers to modify some of the plugin’s more advanced settings via a forged request. --------------------------------------------- https://www.wordfence.com/blog/2022/08/cross-site-request-forgery-vulnerabi… ∗∗∗ Webbrowser: Google Chrome und Microsoft Edge 104 schließen Sicherheitslücken ∗∗∗ --------------------------------------------- Die Version 104 der Webbrowser Chrome und Edge dichten zahlreiche Sicherheitslecks ab. Einige Features von Chrome haben zudem eine Politur erfahren. --------------------------------------------- https://heise.de/-7205970 ∗∗∗ Übernahme möglich: DrayTek-Router mit kritischer Sicherheitslücke ∗∗∗ --------------------------------------------- Eine Schwachstelle in den Routern von DrayTek ermöglicht Angreifern aus dem Netz die Kompromittierung der Geräte. Nicht einmal eine Anmeldung ist dafür nötig. --------------------------------------------- https://heise.de/-7206059 ∗∗∗ Patchday: F5 dichtet Schwachstellen in BIG IP und Nginx ab ∗∗∗ --------------------------------------------- Zum Schließen von 21 Sicherheitslücken liefert F5 Software-Updates aus. Die meisten Fehler mit hohem Risiko betreffen die BIG-IP-Systeme des Anbieters. --------------------------------------------- https://heise.de/-7205758 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libtirpc, and xorg-server), Fedora (giflib, mingw-giflib, and teeworlds), Mageia (chromium-browser-stable, kernel, kernel-linus, mingw-giflib, osmo, python-m2crypto, and sqlite3), Oracle (httpd, php, vim, virt:ol and virt-devel:ol, and xorg-x11-server), SUSE (caddy, crash, dpkg, fwupd, python-M2Crypto, and trivy), and Ubuntu (gdk-pixbuf, libjpeg-turbo, and phpliteadmin). --------------------------------------------- https://lwn.net/Articles/904191/ ∗∗∗ Security Bulletin: Apache log4j vulnerabilities in Spark and Zookeeper affect QRadar User Behavior Analytics(CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Jquery-Ui, highcharts, and datatables are affecting QRadar User Behavior Analytics (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2021-23445, CVE-2021-29489) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Nextcloud Talk: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0935 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.08.2022
by Daily end-of-shift report 05 Aug '22

05 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-08-2022 18:00 − Freitag 05-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ ENISA Threat Landscape for Ransomware Attacks ∗∗∗ --------------------------------------------- This report aims to bring new insights into the reality of ransomware incidents through mapping and studying ransomware incidents from May 2021 to June 2022. --------------------------------------------- https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-ransomw… ∗∗∗ Kopieren mit rsync anfällig für Angriffe ∗∗∗ --------------------------------------------- Die angekündigte neue rsync-Version soll verhindern, dass ein Server gezielt Dateien auf dem Client überschreibt und diesen damit kompromittiert. --------------------------------------------- https://heise.de/-7202888 ∗∗∗ VMware-Updates: Schnelles Handeln "extrem wichtig" ∗∗∗ --------------------------------------------- Admin-Zugang ohne Passwort – und das ist nur eine der zehn Lücken, für die VMware dringliche Updates bringt. --------------------------------------------- https://heise.de/-7204524 ∗∗∗ Achtung vor falschen Polizeianrufen! ∗∗∗ --------------------------------------------- Werden Sie von einer unauffälligen Nummer angerufen, wo Ihnen angeblich die Polizei verwirft, ein Verbrechen begangen zu haben? Bekommen Sie viele Anrufe, Nachrichten oder Sprachboxnachrichten von fremden Personen, die auf ein Telefongespräch hinweisen, welches Sie nicht führten? Das ist alles Teil einer Betrugsmasche. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-falschen-polizeianrufen/ ∗∗∗ New Linux malware brute-forces SSH servers to breach networks ∗∗∗ --------------------------------------------- A new botnet called RapperBot has emerged in the wild since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers and then establishing persistence. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forc… ∗∗∗ Facebook finds new Android malware used by APT hackers ∗∗∗ --------------------------------------------- Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as Bitter APT and APT36 (aka Transparent Tribe) using new Android malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/facebook-finds-new-android-m… ∗∗∗ Finding hooks with windbg ∗∗∗ --------------------------------------------- In this blogpost we are going to look into hooks, how to find them, and how to restore the original functions. --------------------------------------------- https://blog.nviso.eu/2022/08/05/finding-hooks-with-windbg/ ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Lücken in Ciscos SMB-Routern ∗∗∗ --------------------------------------------- Das Web-Interface der Cisco-Router der RV-Serie ermöglicht diverse unauthentifizierte Aktionen - Updates stellen das ab. --------------------------------------------- https://heise.de/-7203891 ∗∗∗ VU#495801: muhttpd versions 1.1.5 and earlier are vulnerable to path traversal ∗∗∗ --------------------------------------------- Versions 1.1.5 and earlier of the mu HTTP deamon (muhttpd) are vulnerable to path traversal via crafted HTTP request from an unauthenticated user. This vulnerability can allow unauthenticated users to download arbitrary files and collect private information on the target device. --------------------------------------------- https://kb.cert.org/vuls/id/495801 ∗∗∗ IBM Security Bulletins 2022-08-04 ∗∗∗ --------------------------------------------- IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Security Identity Manager Virtual Appliance, IBM Robotic Process Automation, IBM Spectrum Scale Data Access Services, IBM Sterling Connect:Direct for UNIX Certified Container --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security update available in Foxit Reader for Linux 2.4.5 ∗∗∗ --------------------------------------------- Addressed a potential issue where the application could be exposed to Use-After-Free vulnerability. This occurs as the application executes the destructor under png_safe_execute. (CVE-2019-7317) --------------------------------------------- https://www.foxit.com/support/security-bulletins.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, thunderbird, and xorg-x11-server), Debian (xorg-server), Gentoo (Babel, go, icingaweb2, lib3mf, and libmcpp), Oracle (389-ds:1.4, go-toolset:ol8, httpd, mariadb:10.5, microcode_ctl, and ruby:2.5), Red Hat (xorg-x11-server), Scientific Linux (xorg-x11-server), SUSE (buildah, go1.17, go1.18, harfbuzz, python-ujson, qpdf, u-boot, and wavpack), and Ubuntu (gnutls28, libxml2, mod-wsgi, openjdk-8, openjdk-8, openjdk-lts, openjdk-17, openjdk-18, [...] --------------------------------------------- https://lwn.net/Articles/903997/ ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 04 August 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ ZDI-22-1064: OPC Foundation UA .NET Standard BrowseRequest Missing Authentication Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1064/ ∗∗∗ F-Secure Linux Security und Internet GateKeeper: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0928 ∗∗∗ vim: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0926 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2022
by Daily end-of-shift report 04 Aug '22

04 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-08-2022 18:00 − Donnerstag 04-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ TLP 2.0 is here ∗∗∗ --------------------------------------------- Earlier this week, the global Forum of Incident Response and Security Teams – or FIRST, as it is commonly known – published a new version of its Traffic Light Protocol standard. The Traffic Light Protocol (TLP) is commonly used in the incident response community, as well as in the wider security space, to quickly and in a standardized way indicate any limitations on further sharing of any transferred information. --------------------------------------------- https://isc.sans.edu/diary/rss/28914 ∗∗∗ PersistenceSniper ∗∗∗ --------------------------------------------- PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. --------------------------------------------- https://github.com/last-byte/PersistenceSniper ∗∗∗ Woody RAT: A new feature-rich malware spotted in the wild ∗∗∗ --------------------------------------------- The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-f… ∗∗∗ Dreiecksbetrug beim Verkauf von Gaming-Accounts über Kleinanzeigen ∗∗∗ --------------------------------------------- Vorsicht beim Kauf und Verkauf von Gaming-Accounts. Abgesehen davon, dass Kauf und Verkauf häufig durch die Spieleentwickler:innen verboten werden, kommt es immer wieder zu einem Dreiecksbetrug. Verkaufende verlieren ihren Gaming-Account und bekommen kein Geld oder Kaufende bekommen keinen Account und buchen das Geld zurück. --------------------------------------------- https://www.watchlist-internet.at/news/dreiecksbetrug-beim-verkauf-von-gami… ∗∗∗ Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware ∗∗∗ --------------------------------------------- This blog presents a case study from recent Bumblebee malware activity distributed through Projector Libra that led to Cobalt Strike. Information presented here should provide a clearer picture of the group’s tactics and help security professionals better defend their organizations against this threat. --------------------------------------------- https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/ ∗∗∗ Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns ∗∗∗ --------------------------------------------- In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform. --------------------------------------------- http://blog.talosintelligence.com/2022/08/dark-utilities.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco fixes critical remote code execution bug in VPN routers ∗∗∗ --------------------------------------------- Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-… ∗∗∗ Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks ∗∗∗ --------------------------------------------- A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it's exploited, researchers warn that it could allow complete device takeover, along with access to the broader network. --------------------------------------------- https://www.darkreading.com/endpoint/critical-rce-bug-draytek-routers-smbs-… ∗∗∗ IBM Security Bulletins 2022-08-03 ∗∗∗ --------------------------------------------- IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Db2, IBM Sterling File Gateway, IBM Sterling B2B Integrator, IBM Data Risk Manager, IBM Tivoli Application Dependency Discovery Manager, IBM Java SDK Technology Edition. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security Advisory - The input verification vulnerability of a Huawei Device product is involved. ∗∗∗ --------------------------------------------- A Huawei device has an input verification vulnerability. Successful exploitation of this vulnerability may lead to DoS attacks. (Vulnerability ID: HWPSIRT-2022-49379) Affected Product: CV81-WDM FW --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220810-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (lua), Oracle (kernel), Red Hat (389-ds:1.4, django, firefox, go-toolset and golang, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, java-1.8.0-ibm, java-17-openjdk, kernel, kernel-rt, kpatch-patch, mariadb:10.5, openssl, pcre2, php, rh-mariadb105-galera and rh-mariadb105-mariadb, ruby:2.5, thunderbird, vim, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox and thunderbird), SUSE (drbd, java-17-openjdk, java-1_8_0-ibm, keylime, ldb, samba, mokutil, oracleasm, pcre2, permissions, postgresql-jdbc, python-numpy, samba, tiff, u-boot, and xscreensaver), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-470, nvidia-graphics-drivers-470-server, nvidia-graphics-drivers-510, nvidia-graphics-drivers-510-server, nvidia-graphics-drivers-515, nvidia-graphics-drivers-515-server). --------------------------------------------- https://lwn.net/Articles/903816/ ∗∗∗ genua genugate: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- Ein Angreifer kann eine Schwachstelle in genua genugate ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0906 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um beliebigen Programmcode auszuführen oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0907 ∗∗∗ PostgreSQL: Schwachstelle ermöglicht SQL Injection ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in PostgreSQL ausnutzen, um eine SQL Injection durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0910 ∗∗∗ Nextcloud Server und Nextcloud Mail: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Nextcloud ausnutzen, um Informationen offenzulegen, Sicherheitsmaßnahmen zu umgehen und einen Denial-of-Service-Zustand zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0912 ∗∗∗ Cisco Security Advisories 2022-08-03 ∗∗∗ --------------------------------------------- Cisco published 5 security advisories (1 critical, 4 medium severity). --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Red Hat JBoss Enterprise Application Platform: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0901 ∗∗∗ Digi ConnectPort X2D ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-216-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2022
by Daily end-of-shift report 03 Aug '22

03 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-08-2022 18:00 − Mittwoch 03-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Wolf in sheep’s clothing: how malware tricks users and antivirus ∗∗∗ --------------------------------------------- One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how… ∗∗∗ Open Source: Gut getarnte Malware-Kampagne in Tausenden Github Repos ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher hat eine groß angelegte Malware-Kampagne entdeckt, die versucht, sich durch einfache Pull Requests einzuschmuggeln. --------------------------------------------- https://www.golem.de/news/open-source-gut-getarnte-malware-kampagne-in-taus… ∗∗∗ Creating Processes Using System Calls ∗∗∗ --------------------------------------------- When we think about EDR or AV evasion, one of the most widespread methods adopted by offensive teams is the use of system calls (syscalls) to carry out specific actions. --------------------------------------------- https://www.coresecurity.com/core-labs/articles/creating-processes-using-sy… ∗∗∗ EMBA v1.1.0: The security analyzer for embedded device firmware ∗∗∗ --------------------------------------------- EMBA is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the firmware extraction process, doing static analysis and dynamic analysis via emulation and finally generating a report. --------------------------------------------- https://github.com/e-m-b-a/emba/releases ∗∗∗ PART 3: How I Met Your Beacon – Brute Ratel ∗∗∗ --------------------------------------------- In part three of this series, we will analyse Brute Ratel, a command and control framework developed by Dark Vortex. --------------------------------------------- https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/ ∗∗∗ Ransomware in Python-Paketmanager PyPI: Die Rückkehr der Skriptkiddies ∗∗∗ --------------------------------------------- Eine Reihe von Paketen hat auf Typosquatting gesetzt und Code verbreitet, der unter Windows Dateien verschlüsselt. Die Motive sind schleierhaft. --------------------------------------------- https://heise.de/-7200335 ∗∗∗ Vorsicht vor Fake-Mails der bank99 ∗∗∗ --------------------------------------------- Kriminelle geben sich als bank99 aus und wollen, dass Sie die „Okay99 App“ herunterladen. Klicken Sie nicht auf „Aktivierung starten“, da sonst Ihre Daten in die Hände der Kriminellen kommen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-mails-der-bank99/ ∗∗∗ Detection Rules for Lightning Framework (and How to Make Them With Osquery) ∗∗∗ --------------------------------------------- On 21 July, 2022, we released a blog post about a new malware called Lightning Framework. Lightning is a modular malware framework targeting Linux. At the time of the publication, the Core module had one suspicious detection and the Downloader module was not detected by any scanning engines on VirusTotal. --------------------------------------------- https://www.intezer.com/blog/threat-hunting/lightning-framework-linux-detec… ===================== = Vulnerabilities = ===================== ∗∗∗ Forti Security Advisories 2022-08-02 ∗∗∗ --------------------------------------------- Forti published 3 Security Advisories (1 High, 2 Medium Severity). --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=08-2022 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, postgresql, python, python-twisted-web, python-virtualenv, squid, thunderbird, and xz), Fedora (ceph, firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and kubernetes), Oracle (firefox, go-toolset and golang, libvirt libvirt-python, openssl, pcre2, qemu, and thunderbird), SUSE (connman, drbd, kernel, python-jupyterlab, samba, and seamonkey), [...] --------------------------------------------- https://lwn.net/Articles/903676/ ∗∗∗ Android Patchday August 2022 ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um seine Privilegien zu erweitern, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen und beliebigen Code auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0887 ∗∗∗ Chrome 104.0.5112.x fixt Schwachstellen ∗∗∗ --------------------------------------------- Google hat zum 2. August 2022 das Update des Google Chrome 104.0.5112.79 für Linux und MacOS sowie 104.0.5112.79/80/81 für Windows auf dem Desktop im Stable Channel freigegeben. Mit dem Sicherheitsupdate werden zahlreiche Schwachstellen geschlossen. --------------------------------------------- https://www.borncity.com/blog/2022/08/03/chrome-104-0-5112-x-fixt-schwachst… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities – IBM JDK 8.0.7.6 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ K14649763: Overview of F5 vulnerabilities (August 2022) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14649763 ∗∗∗ High Severity Vulnerability Patched in Download Manager Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-… ∗∗∗ Synology-SA-22:14 USB Copy ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_14 ∗∗∗ Synology-SA-22:13 SSO Server ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_13 ∗∗∗ Synology-SA-22:12 Synology Note Station Client ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_12 ∗∗∗ Synology-SA-22:11 Storage Analyzer ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_11 ∗∗∗ Ipswitch WS_FTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0895 ∗∗∗ Nvidia GPU Treiber und NVIDIA vGPU software: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0894 ∗∗∗ Rsync: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0891 ∗∗∗ 2022-13 Denial of Service Vulnerability in EagleSDV ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14662&mediaformat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2022
by Daily end-of-shift report 02 Aug '22

02 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 01-08-2022 18:00 − Dienstag 02-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft announces new solutions for threat intelligence and attack surface management ∗∗∗ --------------------------------------------- Defenders are up against the most sophisticated threat landscape we’ve ever seen. Today, we’re proud to execute our threat intelligence vision behind that acquisition and announce several new solutions to help security teams get ahead of adversaries and catch what others miss. --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/02/microsoft-announces-new-… ∗∗∗ Raccoon Stealer v2: The Latest Generation of the Raccoon Family ∗∗∗ --------------------------------------------- In this blog, ThreatLabz will analyze Raccoon Stealer v2 in the exe format, and highlight key differences from its predecessors. --------------------------------------------- https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-g… ∗∗∗ Analyzing Attack Data and Trends Targeting Log4J ∗∗∗ --------------------------------------------- The Log4j vulnerability, initially reported in November 2021, has affected millions of devices and applications around the world. --------------------------------------------- https://www.wordfence.com/blog/2022/08/analyzing-attack-data-and-trends-tar… ∗∗∗ Die Watchlist Internet ist jetzt auf Instagram ∗∗∗ --------------------------------------------- Wir versorgen Sie ab sofort auch auf Instagram mit Warnungen vor Internetbetrug. In den Beiträgen und Storys zeigen wir Ihnen, wie Sie sich vor Internetbetrug schützen, Fallen rasch erkennen und sicher im Internet surfen. --------------------------------------------- https://www.watchlist-internet.at/news/die-watchlist-internet-ist-jetzt-auf… ∗∗∗ giesler-drogerie.com ist Fake ∗∗∗ --------------------------------------------- Bei giesler-drogerie.com finden Sie günstige Parfums, Styling-Produkte und Kosmetikartikel. Das vollständige Impressum sowie die angeführten Kontaktmöglichkeiten vermitteln einen seriösen Eindruck. Die Angaben sind aber gefälscht. Wenn Sie dort einkaufen, verlieren Sie Ihr Geld und erhalten keine Lieferung. --------------------------------------------- https://www.watchlist-internet.at/news/giesler-drogeriecom-ist-fake/ ∗∗∗ Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities ∗∗∗ --------------------------------------------- The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area. --------------------------------------------- http://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misus… ∗∗∗ Manjusaka: A Chinese sibling of Sliver and Cobalt Strike ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. --------------------------------------------- http://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html ===================== = Vulnerabilities = ===================== ∗∗∗ VMware urges admins to patch critical auth bypass bug immediately ∗∗∗ --------------------------------------------- VMware has warned admins today to patch a critical authentication bypass security flaw affecting local domain users in multiple products and enabling unauthenticated attackers to gain admin privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-patch… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl and jetty9), Fedora (dovecot), Gentoo (vault), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and squid), SUSE (booth, dovecot22, dwarves and elfutils, firefox, gimp, java-11-openjdk, kernel, and oracleasm), and Ubuntu (linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, net-snmp, and samba). --------------------------------------------- https://lwn.net/Articles/903555/ ∗∗∗ Go-Based Apps Vulnerable to Attacks Due to URL Parsing Issue ∗∗∗ --------------------------------------------- Israeli cloud-native application security testing firm Oxeye discovered that the way URL parsing is implemented in some Go-based applications creates vulnerabilities that could allow threat actors to conduct unauthorized actions. --------------------------------------------- https://www.securityweek.com/go-based-apps-vulnerable-attacks-due-url-parsi… ∗∗∗ GnuTLS patches memory mismanagement bug – update now! ∗∗∗ --------------------------------------------- https://nakedsecurity.sophos.com/2022/08/01/gnutls-patches-memory-mismanage… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by arbitrary code executiondue to GNU cpio (CVE-2021-38185) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ VMSA-2022-0021 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0021.html ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0880 ∗∗∗ FastStone ImageViewer: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0883 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2022
by Daily end-of-shift report 01 Aug '22

01 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-07-2022 18:00 − Montag 01-08-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Sicherheitslücken als Türöffner in Nuki Smart Lock entdeckt und geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten an zahlreichen Schwachstellen in verschiedenen smarten Türschlössern Nuki Smart Lock ansetzen. Die WLAN Bridge Nuki Bridge ist auch betroffen. --------------------------------------------- https://heise.de/-7194709 ∗∗∗ Adware-Apps aus Google Play tarnen sich auf Android-Geräten als Gestaltenwandler ∗∗∗ --------------------------------------------- Werbung auf Facebook für Fake-Apps zur Android-Systemoptimierung führt zu rund 7 Millionen Installationen. Opfer werden mit Werbeanzeigen belästigt. --------------------------------------------- https://heise.de/-7194655 ∗∗∗ Post-Quanten-Kryptographie: Verschlüsselung mit Isogenien ist unsicher ∗∗∗ --------------------------------------------- Ein Angriff auf den Schlüsselaustausch SIDH zeigt erneut, wie riskant experimentelle kryptographische Algorithmen sein können. --------------------------------------------- https://www.golem.de/news/post-quanten-kryptographie-verschluesselung-mit-i… ∗∗∗ BlackCat ransomware claims attack on European gas pipeline ∗∗∗ --------------------------------------------- The ransomware group known as ALPHV (aka BlackCat) has assumed over the weekend responsibility for the cyberattack that hit Creos Luxembourg last week, a natural gas pipeline and electricity network operator in the central European country. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-a… ∗∗∗ A Detailed Analysis of the RedLine Stealer ∗∗∗ --------------------------------------------- RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. --------------------------------------------- https://securityscorecard.com/research/detailed-analysis-redline-stealer ∗∗∗ Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys ∗∗∗ --------------------------------------------- Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.h… ∗∗∗ A Little DDoS In the Morning, (Mon, Aug 1st) ∗∗∗ --------------------------------------------- Friday morning (at least it wasn't Friday afternoon), we got an alert that our database and web servers exceeded the expected load. Sometimes, this "happens." Often it is just some user innocently flooding our API with requests. We do use quite a bit of caching and such for requests, but it can happen that things pile up at the wrong time. So I took a look at the logs. In these cases, I first look at the top IPs sending requests to our API. --------------------------------------------- https://isc.sans.edu/diary/rss/28900 ∗∗∗ Month of PowerShell - PowerShell Remoting, Part 2 ∗∗∗ --------------------------------------------- In this article we finish up our look at PowerShell remoting by examining several options to run PowerShell commands on multiple remote systems. --------------------------------------------- https://www.sans.org/blog/powershell-remoting-part-2/ ∗∗∗ Month of PowerShell - Offensive PowerShell with Metasploit Meterpreter ∗∗∗ --------------------------------------------- In this article we look at how Metasploit Meterpreter can integrate PowerShell for extensible attacks in a red team or pen test engagement. --------------------------------------------- https://www.sans.org/blog/offensive-powershell-metasploit-meterpreter/ ∗∗∗ Month of PowerShell - Keyboard Shortcuts Like a Boss ∗∗∗ --------------------------------------------- In this article we look at several keyboard shortcuts to speed up your PowerShell sessions. --------------------------------------------- https://www.sans.org/blog/keyboard-shortcuts-boss/ ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Vulnerabilities & Patch Roundup — July 2022 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2022/07/wordpress-vulnerabilities-patch-roundup-jul… ∗∗∗ Arris / Arris-variant DSL/Fiber router critical vulnerability exposure ∗∗∗ --------------------------------------------- Multiple vulnerabilities exist in the MIT-licensed muhttpd web server. This web server is widely used in ISP customer premise equipment (CPE), most notably in Arris firmware used in router models (at least, possibly other) NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320 (Arris has declined to confirm affected models). --------------------------------------------- https://derekabdine.com/blog/2022-arris-advisory ∗∗∗ IBM Security Bulletins 2022-07-29 ∗∗∗ --------------------------------------------- IBM CICS TX Advanced, IBM CICS TX Standard, IBM PowerVM Novalink, IBM Sterling Secure Proxy, IBM DataPower Gateway, Rational Performance Tester, Rational Service Tester, Urbancode Deploy, IBM Robotic Process Automation, Cloud Pak System, IBM PowerVM Novalink, IBM Secure External Authentication Server. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf Thunderbird vorstellbar ∗∗∗ --------------------------------------------- Die Entwickler von Mozilla haben im E-Mail-Client Thunderbird mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7194671 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, [...] --------------------------------------------- https://lwn.net/Articles/903455/ ∗∗∗ HPE ProLiant und HP Integrated Lights-Out: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer oder ein Angreifer aus dem angrenzenden Netzwerk kann mehrere Schwachstellen in HPE ProLiant und HPE Integrated Lights-Out ausnutzen, um beliebigen Programmcode auszuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0870 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0867 ∗∗∗ HCL Commerce: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in HCL Commerce ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0866 ∗∗∗ Multiple Vulnerabilities in BF-OS ∗∗∗ --------------------------------------------- BOSCH-SA-013924-BT: Multiple vulnerabilities were identified in BF-OS version 3.x up to and including 3.83 used by Bigfish V3 and PR21 (Energy Platform) devices and Bigfish VM image, which are part of the data collection infrastructure of the Energy Platform solution. The most critical vulnerability may allow an unauthenticated remote attacker to gain administrative privileges to the device by brute-forcing a weak password. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html ∗∗∗ K21192332: Apache HTTP Server vulnerability CVE-2022-31813 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21192332 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2022
by Daily end-of-shift report 29 Jul '22

29 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-07-2022 18:00 − Freitag 29-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Web-Portale: Seit sechs Jahren kostenlose Hilfe für Ransomware-Opfer ∗∗∗ --------------------------------------------- Mit etwas Glück findet man auf den Websites von ID Ransomware und No More Ransom Infos zu kostenlosen Entschlüsselungstools für einige Erpressungstrojaner. --------------------------------------------- https://heise.de/-7193953 ∗∗∗ Jetzt patchen! Attacken auf Atlassian Confluence ∗∗∗ --------------------------------------------- Nachdem ein Standard-Passwort auf Social-Media-Plattformen aufgetaucht ist, nehmen Angreifer Confluence ins Visier. Aber nicht alle Instanzen sind verwundbar. --------------------------------------------- https://heise.de/-7193458 ∗∗∗ LockBit operator abuses Windows Defender to load Cobalt Strike ∗∗∗ --------------------------------------------- Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-wind… ∗∗∗ Month of PowerShell - Renaming Groups of Files ∗∗∗ --------------------------------------------- In this article we look at how to automate a massive file-rename task using PowerShell. --------------------------------------------- https://www.sans.org/blog/renaming-groups-files?msc=rss ∗∗∗ Researchers Warns of Increase in Phishing Attacks Using Decentralized IPFS Network ∗∗∗ --------------------------------------------- The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months. --------------------------------------------- https://thehackernews.com/2022/07/researchers-warns-of-increase-in.html ∗∗∗ ENISA: Telecom Security Incidents 2021 ∗∗∗ --------------------------------------------- This report provides anonymised and aggregated information about major telecom security incidents in 2021. The 2021 annual summary contains reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries. --------------------------------------------- https://www.enisa.europa.eu/publications/telecom-security-incidents-2021 ∗∗∗ UEFI rootkits and UEFI secure boot ∗∗∗ --------------------------------------------- Kaspersky describes a UEFI-implant used to attack Windows systems. Based on it appearing to require patching of the system firmware image, they hypothesise that its propagated by manually dumping the contents of the system flash, modifying it, and then reflashing it back to the board. [..] But lets think about why this is in the firmware at all. --------------------------------------------- https://mjg59.dreamwidth.org/60654.html ∗∗∗ Microsoft has blocked hackers favourite trick. So now they are looking for a new route of attack ∗∗∗ --------------------------------------------- Microsofts default block on Office macro malware is working, which means hackers need to find a new way to carry out their attacks. --------------------------------------------- https://www.zdnet.com/article/microsoft-has-blocked-hackers-favourite-trick… ∗∗∗ Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products ∗∗∗ --------------------------------------------- Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? --------------------------------------------- https://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1031: OPC Labs QuickOPC Connectivity Explorer Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1031/ ∗∗∗ ABB Cyber Security Advisory: ABB Ability TM Operations Data Management Zenon Log Server file access control ∗∗∗ --------------------------------------------- These vulnerabilities affect the ABB Ability™ Operations Data Management Zenon. Subsequently, a successful exploit could allow attackers to log additional messages and access files from the Zenon system. While the passwords in the INI files are not stored in clear text, they can be subjected to further attacks against the hash algorithm. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001479&Language… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/902913/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead to arbitrary code execution. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0007.html ∗∗∗ Synology-SA-22:10 Samba ∗∗∗ --------------------------------------------- CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraint and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synologys products are affected by CVE-2022-32745 as [...] --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_10 ∗∗∗ JetBrains IntelliJ IDEA: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in JetBrains IntelliJ IDEA ausnutzen, um beliebigen Programmcode auszuführen oder Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0860 ∗∗∗ Foxit Reader und Foxit PDF Editor: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Foxit Reader und Foxit PDF Editor ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0862 ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um Sicherheitsmaßnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuführen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0861 ∗∗∗ Rockwell Products Impacted by Chromium Type Confusion ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-209-01 ∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-vios-could-al… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in IBM Engineering Systems Design Rhapsody (Rhapsody) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-cve-2021-442… ∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to bypass security restrictions and obtain sensitive information due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b… ∗∗∗ Security Bulletin: AIX is affected by multiple vulnerabilities in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-affected-by-multip… ∗∗∗ Security Bulletin: Denial of service vulnerability in OpenSSL as shipped with IBM Security Verify Bridge Docker image (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Engineering Lifecycle Optimization – Publishing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi… ∗∗∗ Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND (CVE-2021-25220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-cach… ∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2022
by Daily end-of-shift report 28 Jul '22

28 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-07-2022 18:00 − Donnerstag 28-07-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ LofyLife: malicious npm packages steal Discord tokens and bank card data ∗∗∗ --------------------------------------------- This week, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign “LofyLife”. --------------------------------------------- https://securelist.com/lofylife-malicious-npm-packages/107014/ ∗∗∗ Month of PowerShell - PowerShell Remoting, Part 1 ∗∗∗ --------------------------------------------- In this article, we discuss perhaps the most immediately-valuable feature in PowerShell for Windows administrators, the ability to run PowerShell commands on remote systems. --------------------------------------------- https://www.sans.org/blog/powershell-remoting-part-1?msc=rss ∗∗∗ Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack ∗∗∗ --------------------------------------------- In this blog post, we explore another remotely reachable attack surface: ESXi’s TCP/IP stack implemented as a VMkernel module. The most interesting outcome of this analysis is that ESXi’s TCP/IP stack is based on FreeBSD 8.2 and does not include security patches for the vulnerabilities disclosed over the years since that release of FreeBSD. This result also prompted us to analyze the nature of vulnerabilities disclosed in other open-source components used by VMware, such as OpenSLP and ISC-DHCP. --------------------------------------------- https://www.zerodayinitiative.com/blog/2022/7/25/looking-at-patch-gap-vulne… ∗∗∗ Vorsicht vor Fake Last-Minute-Angeboten auf Mallorca und Ibiza! ∗∗∗ --------------------------------------------- Die Hitze schlägt zu und Kurzentschlossene suchen nach den letzten verfügbaren Ferienhäusern, um ein paar Tage am Meer zu verbringen. Doch Vorsicht: Kriminelle versuchen Sie mit attraktiven Angeboten in die Falle zu locken! Wird eine Vorauszahlung für ein Ferienhaus verlangt, brechen Sie den Kontakt ab, Ihr Geld ist sonst verloren! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-last-minute-angebo… ∗∗∗ MFA hilft gegen Ransomware ∗∗∗ --------------------------------------------- Die Multi-Faktor-Authentifizierung (MFA) funktioniert. Die europäische Polizeibehörde Europol erklärt, wie Ransomware-Banden ihre Angriffe aufgegeben haben, als sie auf die MFA-Sicherheit trafen. --------------------------------------------- https://www.zdnet.de/88402613/mfa-hilft-gegen-ransomware/ ∗∗∗ IIS-Attacken auf Exchange Server ∗∗∗ --------------------------------------------- Microsoft warnt vor heimlichen Backdoor-Angriffen auf Exchange Server mittels bösartiger IIS-Erweiterungen. --------------------------------------------- https://www.zdnet.de/88402615/iis-attacken-auf-exchange-server/ ∗∗∗ CISA Releases Log4Shell-Related MAR ∗∗∗ --------------------------------------------- >From May through June 2022, CISA responded to an organization that was compromised by an exploitation of an unpatched and unmitigated Log4Shell vulnerability in a VMware Horizon server. CISA analyzed five malware samples obtained from the organization’s network and released a Malware Analysis Report of the findings. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/07/28/cisa-releases-log… ∗∗∗ SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” ∗∗∗ --------------------------------------------- One frequently encountered—that often results in forensics investigations on compromised systems—is tracked by Volexity as SharpTongue. [..] Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe and South Korea ... --------------------------------------------- https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-st… ===================== = Vulnerabilities = ===================== ∗∗∗ "JustSystems JUST Online Update for J-License" starts a program with an unquoted file path ∗∗∗ --------------------------------------------- "JustSystems JUST Online Update for J-License" bundled with multiple JustSystems products for corporate users starts another program with an unquoted file path. --------------------------------------------- https://jvn.jp/en/jp/JVN57073973/ ∗∗∗ Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051 ∗∗∗ --------------------------------------------- Project: Tagify Security risk: Moderately critical Description: This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.The module doesnt sufficiently check access for the add operation. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-051 ∗∗∗ PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050 ∗∗∗ --------------------------------------------- Project: PDF generator API Security risk: Moderately critical Description: This module enables you to generate PDF versions of content.Some installations of the module make use of the dompdf/dompdf third-party dependency.Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-050 ∗∗∗ Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049 ∗∗∗ --------------------------------------------- Project: Context Security risk: Moderately critical Description: This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks". --------------------------------------------- https://www.drupal.org/sa-contrib-2022-049 ∗∗∗ Sicherheitsupdates: Angreifer könnten Veritas NetBackup vielfältig attackieren ∗∗∗ --------------------------------------------- Die Entwickler haben in aktuellen Versionen der Backuplösung NetBackup von Veritas unter anderem kritische Lücken geschlossen. --------------------------------------------- https://heise.de/-7192562 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen). --------------------------------------------- https://lwn.net/Articles/902795/ ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro Apex One und Trend Micro Worry-Free Business Security ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0850 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Jira Software ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0849 ∗∗∗ McAfee Agent: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle im McAfee Agent ausnutzen, um seine Privilegien zu erhöhen und beliebigen Code mit Administratorrechten auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0848 ∗∗∗ Jenkins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um einen Cross Site Scripting oder CSRF Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder Daten zu manipulieren --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0852 ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to arbitrary command execution (CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29526) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-golang-g… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2022
by Daily end-of-shift report 27 Jul '22

27 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-07-2022 18:00 − Mittwoch 27-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 15 Minuten nach Bekanntwerden einer Lücke starten Scans nach verwundbaren PCs ∗∗∗ --------------------------------------------- Einem aktuellen Bericht über IT-Sicherheitsvorfälle zufolge verschärft sich das Katz-und-Maus-Spiel zwischen Admins und Cyberkriminellen. --------------------------------------------- https://heise.de/-7191301 ∗∗∗ Cyberkriminalität: Weniger Ransomware, aber wieder mehr Malware ∗∗∗ --------------------------------------------- 2022 stieg das Malware-Volumen erstmals wieder, bei gleichzeitig weniger Ransomware-Attacken - zumindest global, denn in Europa gilt der gegensätzliche Trend. --------------------------------------------- https://heise.de/-7191680 ∗∗∗ Student:innen aufgepasst: akademischeslektorat.com ist unseriös! ∗∗∗ --------------------------------------------- Wenn Sie auf der Suche nach einem Lektorat, einer Plagiatsprüfung oder Übersetzungsarbeiten für wissenschaftliche Arbeiten sind, stoßen Sie bei Ihrer Suche womöglich auf akademischeslektorat.com. Wir raten dazu, Abstand von den Angeboten zu nehmen, denn die Leistungen werden Erfahrungsberichten nach minderwertig oder gar nicht erbracht und auch frühere Mitarbeiter:innen sowie die Bewertungsseite Trustpilot warnen vor dem Angebot. --------------------------------------------- https://www.watchlist-internet.at/news/studentinnen-aufgepasst-akademisches… ∗∗∗ Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits ∗∗∗ --------------------------------------------- MSTIC and MSRC disclose technical details of a private-sector offensive actor (PSOA) tracked as KNOTWEED using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers. --------------------------------------------- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-euro… ∗∗∗ Month of PowerShell: Fileless Malware with Get-Clipboard ∗∗∗ --------------------------------------------- In this article we look at using PowerShell maliciously while evading detection. --------------------------------------------- https://www.sans.org/blog/fileless-malware-get-clipboard/ ∗∗∗ DHL Phishing Page Uses Telegram Bot for Exfiltration ∗∗∗ --------------------------------------------- One of the quickest ways for an attacker to harvest financial data, credentials, and sensitive personal information is through phishing. These social engineering attacks can typically be found masquerading as a trusted or recognizable service, intent on tricking unsuspecting users into submitting sensitive information on the attacker’s customized web page. --------------------------------------------- https://blog.sucuri.net/2022/07/dhl-phishing-page-uses-telegram-bot-for-exf… ∗∗∗ Inside Matanbuchus: A Quirky Loader ∗∗∗ --------------------------------------------- This blog post will shed light on Matanbuchus’ main stage, the second stage of the loader. From our point of view, the second stage is the more interesting component of the loader, as it involves many payload loading techniques. By dissecting the loader’s features and capabilities, we will attempt to answer whether Matanbuchus is a loader malware, as it markets itself, or if it is more like a bot service. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-… ∗∗∗ Top 10 Awesome Open-Source Adversary Simulation Tools ∗∗∗ --------------------------------------------- Cyberattack simulation, aka Threat Simulation, is an emerging IT security technology that can help discover gaps, vulnerabilities, and misconfigurations in your security infrastructure. We will take a look at the need for adversary simulation and the top ten open-source adversary simulation tools. --------------------------------------------- https://fourcore.io/blogs/top-10-open-source-adversary-emulation-tools ∗∗∗ Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack ∗∗∗ --------------------------------------------- Over the last few years, multiple VMware ESXi remote, unauthenticated code execution vulnerabilities have been publicly disclosed. Some were also found to be exploited in the wild. Since these bugs were found in ESXi’s implementation of the SLP service, VMware provided workarounds to turn off the service. VMware also disabled the service by default starting with ESX 7.0 Update 2c. In this blog post, we explore another remotely reachable attack surface: ESXi’s TCP/IP stack --------------------------------------------- https://www.thezdi.com/blog/2022/7/25/looking-at-patch-gap-vulnerabilities-… ∗∗∗ What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads ∗∗∗ --------------------------------------------- In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations’ harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization’s emails to deliver their threat. --------------------------------------------- http://blog.talosintelligence.com/2022/07/what-talos-incident-response-lear… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and openjdk-17), Fedora (ceph, lua, and moodle), Oracle (java-1.8.0-openjdk), Red Hat (grafana), SUSE (git, kernel, libxml2, nodejs16, and squid), and Ubuntu (imagemagick, protobuf-c, and vim). --------------------------------------------- https://lwn.net/Articles/902642/ ∗∗∗ Samba: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Samba ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, einen Denial of Service Zustand zu verursachen oder seine Rechte zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0842 ∗∗∗ MOXA NPort 5110 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Out-of-bounds Write vulnerability in MOXA NPort 5110, a device server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-04 ∗∗∗ Honeywell Saia Burgess PG5 PCD ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Honeywell Saia Burgess PG5 PCD, a PLC. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-03 ∗∗∗ Honeywell Safety Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for Insufficient Verification of Data Authenticity, Missing Authentication for Critical Function, and Use of Hard-coded Credentials vulnerabilities in Honeywell Safety Manager, a safety solution of the Experion Process Knowledge System. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-02 ∗∗∗ Inductive Automation Ignition ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-01 ∗∗∗ CVE-2022-35629..35632 Velociraptor Multiple Vulnerabilities (FIXED) ∗∗∗ --------------------------------------------- This advisory covers a number of issues identified in Velociraptor and fixed as of Version 0.6.5-2, released July 26, 2022. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velocirapt… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest (CVE-2021-35561, CVE-2022-21299, CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to local privilege escalation (CVE-2021-39088) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-0778, CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-applicati… ∗∗∗ Security Bulletin: Apache Commons Email as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2017-9801, CVE-2018-1294) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-email-as-u… ∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise are vulnerable to a denial of service due to jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i… ∗∗∗ Security Bulletin: IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect IBM Engineering Test Management product due to XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: Apache Derby security vulnerabilities in IBM System Dashboard for Enterprise Content Manager (affected, not vulnerable) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-derby-security-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2022
by Daily end-of-shift report 26 Jul '22

26 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 25-07-2022 18:00 − Dienstag 26-07-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Betrugsmasche nimmt auf Willhaben zu: Konsumentenschützer warnen ∗∗∗ --------------------------------------------- Wer im auf Handelsplattformen wie Willhaben unterwegs ist, sollte vorsichtig mit seinen persönlichen Daten umgehen. --------------------------------------------- https://futurezone.at/digital-life/phishing-willhaben-betrug-opfer-sicherhe… ∗∗∗ Sicherheit: Forscher greifen Smartphones über Ladebuchse an ∗∗∗ --------------------------------------------- Ghost Touches sind erzwungene Berührungen auf Touchscreens von Smartphones und Tablets - Forscher konnten diese über ein Ladekabel auslösen. --------------------------------------------- https://www.golem.de/news/sicherheit-forscher-greifen-smartphones-ueber-lad… ∗∗∗ How is Your macOS Security Posture?, (Tue, Jul 26th) ∗∗∗ --------------------------------------------- Many people who use Apple devices daily often have a wrong sense of security. A few years ago, Apple devices were left aside of many security issues that Windows users faced for a long time. Also, based on a BSD layer, the OS wasn' a juicy target for attackers. Today, the landscape changed: Apple devices, especially Macbooks, are used not only by "creators" (musicians, designers, ...) and geeks but by many interesting profiles like managers and security researchers. --------------------------------------------- https://isc.sans.edu/diary/rss/28882 ∗∗∗ Month of PowerShell - PowerShell Version of Keeper (Save Useful Command Lines) ∗∗∗ --------------------------------------------- In this article we build a useful PowerShell function to save useful commands for later reference: Save-Keeper! --------------------------------------------- https://www.sans.org/blog/powershell-version-keeper?msc=rss ∗∗∗ How to analyze Linux malware – A case study of Symbiote ∗∗∗ --------------------------------------------- Symbiote is a Linux threat that hooks libc and libpcap functions to hide the malicious activity. The malware hides processes and files that are used during the activity by implementing two functions called hidden_proc and hidden_file. It can also hide network connections based on a list of ports and by hijacking any injected packet filtering bytecode. The malware’s purpose is to steal credentials from the SSH and SCP processes by hooking the libc read function. --------------------------------------------- https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbio… ∗∗∗ CVE-2022-31813: Forwarding addresses is hard ∗∗∗ --------------------------------------------- A few weeks ago, version 2.4.54 of Apache HTTPD server was released. It includes a fix for CVE-2022-31813, a vulnerability we identified in mod_proxy that could affect unsuspecting applications served by an Apache reverse proxy. Lets see why it is rated as low in the software changelog and why it still matters. TL;DR: when in doubt, patch! --------------------------------------------- https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-… ∗∗∗ Brennholz, Pellets, Photovoltaik & Co: Vorsicht vor Fake-Shops ∗∗∗ --------------------------------------------- Zahlreichen Fake-Shops mit Brennholz, lassen Kriminelle nun Photovoltaik-Shops wie solanex.de und solarnetz.at folgen. Die aktuelle Energiekrise soll offenbar maximal ausgenützt werden. Wechselrichter, Solaranlagen und Stromspeicher – all jene Produkte, die am Markt momentan schwer zu erhalten sind, sind bei solanex.de und solarnetz.at nicht nur lagernd, sondern teils weit unter Marktpreis zu haben. Kaufen Sie hier nichts, denn die Vorkassezahlungen sind verloren! --------------------------------------------- https://www.watchlist-internet.at/news/brennholz-pellets-photovoltaik-co-vo… ∗∗∗ Ransomware: 1.5 million people have got their files back without paying the gangs. Heres how ∗∗∗ --------------------------------------------- No More Ransom project now offers free tools for decrypting 165 families of ransomware as the fight against extortion groups continues. --------------------------------------------- https://www.zdnet.com/article/ransomware-1-5-million-people-have-got-their-… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores ∗∗∗ --------------------------------------------- The issue in question is an SQL injection vulnerability affecting versions 1.6.0.10 or greater, and is being tracked as CVE-2022-36408. ... The PrestaShop maintainers also said they found a zero-day flaw in its service that they said has been addressed in version 1.7.8.7, although they cautioned that "we cannot be sure that it's the only way for them to perform the attack." --------------------------------------------- https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.ht… ∗∗∗ Critical FileWave MDM Flaws Open Organization-Managed Devices to Remote Hackers ∗∗∗ --------------------------------------------- FileWaves mobile device management (MDM) system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it."The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty security researcher Noam Moshe said in a Monday report. --------------------------------------------- https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html ∗∗∗ Xen XSA-408 - insufficient TLB flush for x86 PV guests in shadow mode ∗∗∗ --------------------------------------------- For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-408.html ∗∗∗ Weitere Lücken in Videokonferenz-Hardware Meeting Owl geschlossen ∗∗∗ --------------------------------------------- Owl Labs hat seine Geräte mit zusätzlichen Sicherheitsupdates gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-7189904 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (spip), Mageia (libtiff and logrotate), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (gpg2, logrotate, and phpPgAdmin), and Ubuntu (python-bottle). --------------------------------------------- https://lwn.net/Articles/902547/ ∗∗∗ LibreOffice: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in LibreOffice ausnutzen, um Sicherheitsvorkehrungen zu umgehen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0821 ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509 ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website. Pre-conditions: - Appliance must be configured as a VPN (Gateway) or AAA virtual server - A victim user must use an attacker-crafted link --------------------------------------------- https://support.citrix.com/article/CTX457836/citrix-adc-and-citrix-gateway-… ∗∗∗ Security Bulletin: Vulnerability in libcURL affect IBM Rational ClearCase ( CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27782, CVE-2022-30115, CVE-2022-27774 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue web UI is vulnerable to cross-site request forgery (CVE-2022-35286) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Common Licensing is vulnerable by a remote code attack in Spring Framework and Apache Commons(CVE-2022-22970,CVE-2022-22971,CVE-2022-33980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-v… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2021-45960, CVE-2021-46143 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25315 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-network-securit… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Slowloris HTTP DOS attack (CVE-2022-35639) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2022-1292, CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: Java SE as used by IBM Cloud Pak For Security is vulnerable to information disclosure and denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-se-as-used-by-ibm-cl… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to arbitrary code execution due to async (CVE-2021-43138) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Sterling Control Center vulnerable to arbitrary file upload and sensitive information exposure due to IBM Cognos Analytics (CVE-2021-38945, CVE-2021-29768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase ( CVE-2021-35578, CVE-2021-35603, CVE-2021-35550, CVE-2021-35561, CVE-2022-21299 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2022
by Daily end-of-shift report 25 Jul '22

25 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-07-2022 18:00 − Montag 25-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows-Sicherheit: Microsoft härtet RDP, MS-Office und geschützte Prozesse ∗∗∗ --------------------------------------------- Automatische Login-Sperren, Schutz vor Makros und Passwortklau - hinter den Kulissen tut sich einiges. Mit der Kommunikation tut sich Microsoft jedoch schwer. --------------------------------------------- https://heise.de/-7189313 ∗∗∗ Vorsicht vor gefälschten Post und DHL-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Post oder DHL aus und versenden wahllos betrügerische E-Mails. In den E-Mails mit dem Betreff „Ihr Paket wartet auf die Zustellung“ oder „Ihr Paket ist gerade bei der örtlichen Post angekommen“ wird behauptet, dass ein Paket angekommen sei, es aber nicht zugestellt werden kann, weil noch Zoll- bzw. Lieferkosten offen seien. Sie werden aufgefordert, auf einen Link zu klicken. Ignorieren Sie derartige E-Mails. Es handelt sich um Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-post-und-d… ∗∗∗ CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit ∗∗∗ --------------------------------------------- In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor. --------------------------------------------- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/ ∗∗∗ Month of PowerShell: Process Threat Hunting, Part 1 ∗∗∗ --------------------------------------------- PowerShell is a powerful tool for threat hunting. Here we look at PowerShell threat hunting steps by assessing processes on Windows. --------------------------------------------- https://www.sans.org/blog/process-threat-hunting-part-1/ ∗∗∗ Month of PowerShell - The Curious Case of AD User Properties ∗∗∗ --------------------------------------------- Where are all of the user properties for Active Directory users for Get-ADUSer? --------------------------------------------- https://www.sans.org/blog/curious-case-ad-user-properties/ ∗∗∗ Month of PowerShell: Process Threat Hunting, Part 2 ∗∗∗ --------------------------------------------- We continue our look at PowerShell threat hunting through process analysis, identifying Command & Control/C2 threats on a Windows system. --------------------------------------------- https://www.sans.org/blog/process-threat-hunting-part-2/ ∗∗∗ Defeating Javascript Obfuscation ∗∗∗ --------------------------------------------- To make a long story short, I’m releasing a Javascript deobfuscation tool called REstringer. To make a short story long - I want to share my incentive for creating the tool, some design decisions, and the process through which I’m adding new capabilities to it - so you can join in on the fun! --------------------------------------------- https://www.perimeterx.com/tech-blog/2022/defeating-javascript-obfuscation/ ∗∗∗ A repository of Windows persistence mechanisms ∗∗∗ --------------------------------------------- The repository tries to gather an information about Windows persistence mechanisms to make the protection/detection more efficient. Most of the information is well known for years, being actively used within various scenarios. --------------------------------------------- https://persistence-info.github.io/ ∗∗∗ IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation ∗∗∗ --------------------------------------------- We developed an open source tool, IAM-Deescalate, to help mitigate the privilege escalation risks of overly permissive identities in AWS. --------------------------------------------- https://unit42.paloaltonetworks.com/iam-deescalate/ ∗∗∗ Case closed: DIVD-2022-00009 - SolarMan backend administrator account/password ∗∗∗ --------------------------------------------- DIVD researcher Jelle Ursem found the password of the super user of the web backend for all SolarMan / Solis / Omnik / Ginlong inverters, loggers, and batteries. The password has been changed now, and the repository containing the password has been deleted. --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00009/ ∗∗∗ Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers ∗∗∗ --------------------------------------------- The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched. --------------------------------------------- https://asec.ahnlab.com/en/36820/ ===================== = Vulnerabilities = ===================== ∗∗∗ Google Chrome: Update schließt Hochrisiko-Sicherheitslöcher ∗∗∗ --------------------------------------------- Google veröffentlicht ein Update für Chrome, das elf potenzielle Sicherheitsschwachstellen schließt - fünf davon sind mit High Risk bewertet. --------------------------------------------- https://www.golem.de/news/google-chrome-update-schliesst-hochrisiko-sicherh… ∗∗∗ Angreifer könnten Scan-Engine von F-Secure und WithSecure crashen lassen ∗∗∗ --------------------------------------------- Patches schließen mehrere Lücken in Sicherheitsprodukten von WithSecure ehemals F-Secure. --------------------------------------------- https://heise.de/-7189082 ∗∗∗ Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505) ∗∗∗ --------------------------------------------- The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect to the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven vulnerabilities were discovered. --------------------------------------------- https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, djangorestframework, gsasl, and openjdk-11), Fedora (giflib, openssl, python-ujson, and xen), Mageia (virtualbox), SUSE (git, gpg2, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, mozilla-nspr, mozilla-nss, mozilla-nss, python-M2Crypto, and s390-tools), and Ubuntu (php8.1). --------------------------------------------- https://lwn.net/Articles/902400/ ∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN77850327/ ∗∗∗ Multiple vulnerabilities in untangle ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN30454777/ ∗∗∗ K08152433: Intel processors MMIO stale data vulnerability CVE-2022-21166 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08152433/ ∗∗∗ Unify OpenScape Branch: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0814 ∗∗∗ Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-failed-attempt-to-regen… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics – Log Analysis (CVE-2019-17571, CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23307). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics – Log Analysis (CVE-2021-44832, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-audit-events-query-facili… ∗∗∗ Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-session-cookie-used-by-ib… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2022
by Daily end-of-shift report 22 Jul '22

22 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-07-2022 18:00 − Freitag 22-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SATAn-Attacke: Zweckentfremdetes SATA-Kabel funkt geheime Infos ∗∗∗ --------------------------------------------- Sicherheitsforscher, die auf Attacken auf abgeschottete Air-Gap-Systeme spezialisiert sind, haben eine neue Methode vorgestellt. --------------------------------------------- https://heise.de/-7186463 ∗∗∗ Confluence Security Advisory 2022-07-20 ∗∗∗ --------------------------------------------- Confluence hat zum 20. Juli 2022 das Security Advisory 2022-07-20 veröffentlicht und heute aktualisiert. Im Sicherheitshinweis geht es um Confluence-Konten mit fest kodierten Anmeldeinformationen, die von Questions for Confluence erstellt wurden. Das betrifft die Confluence-App für Confluence Server und Confluence Data Center. --------------------------------------------- https://www.borncity.com/blog/2022/07/21/confluence-security-advisory-2022-… ∗∗∗ Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too ∗∗∗ --------------------------------------------- After laying low, exploit seller Candiru rears its ugly head once more. --------------------------------------------- https://arstechnica.com/?p=1868594 ∗∗∗ Maldoc: non-ASCII VBA Identifiers, (Thu, Jul 21st) ∗∗∗ --------------------------------------------- I found a malicious Office document with VBA code where most of the identifiers (variables, function names, ...) consist solely out of characters that are not ASCII (.e.g, these characters have values between 128 and 255). --------------------------------------------- https://isc.sans.edu/diary/rss/28866 ∗∗∗ An Analysis of a Discerning Phishing Website , (Fri, Jul 22nd) ∗∗∗ --------------------------------------------- Cybercriminals and adversaries have long used phishing websites to obtain credentials and access systems they usually would not have access to. Indeed, it could be more cost-effective than other methods, such as buying zero-day vulnerabilities and weaponizing them. I was alerted to a phishing attempt and requested further details. After doing some analysis, I observed several differences and technological improvements that the adversaries had made as compared to the usual phishing attempts. --------------------------------------------- https://isc.sans.edu/diary/rss/28870 ∗∗∗ Month of PowerShell - Recording Your Session with Start-Transcript ∗∗∗ --------------------------------------------- PowerShell allows us to create a transaction file of all commands entered and output received, perfect for pentests, incident response, and more! --------------------------------------------- https://www.sans.org/blog/recording-your-session-with-start-transcript ∗∗∗ Cryptominers & WebAssembly in Website Malware ∗∗∗ --------------------------------------------- WebAssembly (also referred to as Wasm) is a binary instruction format that runs in the browser to enable high-performance applications on web pages and can be executed much faster than traditional JavaScript. WebAssembly can be executed in a variety of environments, including servers, IoT devices, and mobile or desktop apps — but was originally designed to run on the web. --------------------------------------------- https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware… ∗∗∗ An Easier Way to Keep Old Python Code Healthy and Secure ∗∗∗ --------------------------------------------- Python has its pros and cons, but its nonetheless used extensively. For example, Python is frequently used in data crunching tasks even when there are more appropriate languages to choose from. Why? Well, Python is relatively easy to learn. Someone with a science background can pick up Python much more quickly than, say, C. However, Pythons inherent approachability also creates a couple of problems. --------------------------------------------- https://thehackernews.com/2022/07/an-easier-way-to-keep-old-python-code.html ∗∗∗ Sh*Load Exploits (Episode V: Return of the Error) ∗∗∗ --------------------------------------------- Our first post in the Firmware Developers Need To Know blog series, Episode I: The Last Error, pointed out the benefits of adopting clean error codes. And then two weeks later, TLStorm, bam. Armis’ research engineers announced the discovery of three vulnerabilities in APC devices –the key problem – ignoring error codes! Unfortunately, little attention or thought is paid to error codes within firmware code (and many critical open source projects). --------------------------------------------- https://dellfer.com/shload-exploits-episode-v-return-of-the-error/ ∗∗∗ PART 1: How I Met Your Beacon – Overview ∗∗∗ --------------------------------------------- During this research we will outline a number of effective strategies for hunting for beacons, supported by our BeaconHunter tool that we developed to execute these strategies and which we intend to open source in due course. --------------------------------------------- https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/ ∗∗∗ Cloud Threat Detection: To Agent or Not to Agent? ∗∗∗ --------------------------------------------- Should you be using agents to secure cloud applications, or not? The answer depends on what exactly youre trying to secure. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/22/cloud-threat-detection-to-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-21 ∗∗∗ --------------------------------------------- IBM Cloud App Management, IBM Cloud Pak for Multicloud Management Monitoring, IBM Rational Build Forge, IBM Rational Build Forge, IBM Cloud App Management, IBM Tivoli Netcool Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (gnupg2, oci-seccomp-bpf-hook, suricata, and vim), Oracle (java-11-openjdk), Slackware (net), and SUSE (kernel, nodejs16, rubygem-rack, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/902184/ ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren, Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0797 ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Veritas NetBackup ausnutzen, um beliebigen Programmcode auszuführen oder seine Privilegien zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0801 ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann eine Schwachstelle in Veritas NetBackup ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszulösen, seine Privilegien zu erweitern und Verzeichnisse zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0802 ∗∗∗ F-Secure Linux Security: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in F-Secure Linux Security und F-Secure Internet Gatekeeper ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0803 ∗∗∗ AutomationDirect Stride Field I/O ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-05 ∗∗∗ ICONICS Suite and Mitsubishi Electric MC Works64 Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere, Out-of-Bounds Read vulnerabilities in the SCADA products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04 ∗∗∗ Rockwell Automation ISaGRAF Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the ISaGRAF Workbench. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-03 ∗∗∗ Johnson Controls Metasys ADS, ADX, OAS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Missing Authentication for Critical Function vulnerability in the Metasys ADS, ADX, OAS. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-02 ∗∗∗ ABB Drive Composer, Automation Builder, Mint Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerabilities in the ABB products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-01 ∗∗∗ Unauthenticated SQL Injection in SonicWall GMS and Analytics ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0007 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2022
by Daily end-of-shift report 21 Jul '22

21 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-07-2022 18:00 − Donnerstag 21-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Apple Patches Everything Day, (Wed, Jul 20th) ∗∗∗ --------------------------------------------- Apple today released its usual "surprise patch day" in updating all of its operating systems. There may still be specific Safari updates, but for currently supported operating systems, the operating system upgrades should include respective Safari/WebKit fixes. --------------------------------------------- https://isc.sans.edu/diary/rss/28862 ∗∗∗ New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems ∗∗∗ --------------------------------------------- A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. --------------------------------------------- https://thehackernews.com/2022/07/new-linux-malware-framework-let.html ∗∗∗ Outlook email users alerted to suspicious activity from Microsoft-owned IP address ∗∗∗ --------------------------------------------- People turn amateur sleuths to discover that the source of all those sign-ins seems to be in Redmond Strange things are afoot in the world of Microsoft email with multiple users reporting unusual sign-in notifications for their Outlook accounts. --------------------------------------------- https://www.theregister.com/2022/07/21/outlook_sign_ins/ ∗∗∗ [CVE-2022-34918] A crack in the Linux firewall ∗∗∗ --------------------------------------------- In our previous article Yet another bug into Netfilter, I presented a vulnerability found within the netfilter subsystem of the Linux kernel. During my investigation, I found a weird comparison that does not fully protect a copy within a buffer. It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22.04. --------------------------------------------- https://www.randorisec.fr/crack-linux-firewall/ ∗∗∗ Gitlab Project Import RCE Analysis (CVE-2022-2185) ∗∗∗ --------------------------------------------- At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly in the advisory, there was a mention of a post-auth RCE bug with CVSS 9.9. The bug exists in GitLab’s Project Imports feature, which was found by @vakzz. Incidentally, when I rummaged in the author’s h1 profile. I discovered that four months ago, he also found a bug in the import project feature. --------------------------------------------- https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-202… ∗∗∗ Cybercrime: Industriesteuerungen im Visier ∗∗∗ --------------------------------------------- Ein Passwort-Cracker mit Trojaner an Bord liefert Passwörter für programmierbare Industrie-Steuersysteme frei Haus und wirft damit eine wichtige Frage auf. --------------------------------------------- https://heise.de/-7185890 ∗∗∗ Vorsicht vor Shops mit Abo-Fallen ∗∗∗ --------------------------------------------- Sie suchen nach einem Produkt online – sei es Make-Up, Sportkleidung oder Tiernahrung. Plötzlich stoßen Sie auf ein gutes Angebot und das Produkt ist sogar 60 % billiger, wenn Sie VIP-Mitglied werden. Doch im Kleingedruckten steht: Mit diesem Einkauf schließen Sie eine automatische Clubmitgliedschaft und ein teures Abo ab. Vorsicht vor diesen unseriösen Abo-Fallen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-shops-mit-abo-fallen/ ∗∗∗ Shodan Verified Vulns 2022-07-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-07-01 sieht Shodan in Österreich die folgenden Schwachstellen: Verglichen mit Juni 2022 ist durch die Bank ein leichter Abwärtstrend zu erkennen (insgesamt von 9355 auf 8987 verifizierte Schwachstellen). Spitzenreiter sind noch immer CVE-2015-0204 (SSL FREAK, 4090) und CVE-2015-4000 (Logjam, 3193). Davor schon relativ gering vertreten (35), jedoch auffällig gesunken ist die Schwachstelle CVE-2021-43798 (Grafana Path Traversal Vulnerability, -80%). Ausreißer nach oben oder Neuzugänge gibt es nicht. --------------------------------------------- https://cert.at/de/aktuelles/2022/7/shodan-verified-vulns-2022-07-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability ∗∗∗ --------------------------------------------- Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "disabledsystemuser." --------------------------------------------- https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html ∗∗∗ Schadcode-Attacken mit Root-Rechten auf Cisco Nexus Dashboard möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Hard- und Software vom Netzwerkausrüster Cisco. --------------------------------------------- https://heise.de/-7185582 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (kernel and kernel-linus), SUSE (dovecot23), and Ubuntu (freetype, libxml-security-java, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/902011/ ∗∗∗ Request Tracker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Request Tracker ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen oder Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0788 ∗∗∗ Security Bulletin: IBM Tivoli Network Manager is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-1757) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-network-manage… ∗∗∗ Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager appliance (CVE-2022-24407, CVE-2020-25709, CVE-2020-25710) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses an Oracle JDBC jar with multiple vulnerabilities (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Security Verify Information Queue connect image (CVE-2020-9493, CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Wire Schema jar with multiple vulnerabilities (CVE-2020-27853, CVE-2021-41093) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Google gRPC framework with multiple vulnerabilities (CVE-2017-7860, CVE-2017-7861, CVE-2017-9431) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-38936) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple security vulnerabilities found in open source code that is shipped with IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: OpenSSL vulnerabilities in the IBM Security Verify Information Queue web server (CVE-2021-3711, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-i… ∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ CVE-2022-0778: Sicherheitslücken mit Denial of Service-Potential in OpenSSL ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts ∗∗∗ Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-015 ∗∗∗ Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-014 ∗∗∗ Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-013 *** Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012 *** --------------------------------------------- https://www.drupal.org/sa-core-2022-012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2022
by Daily end-of-shift report 20 Jul '22

20 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-07-2022 18:00 − Mittwoch 20-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken in GPS-Tracker von MiCODUS können Menschenleben gefährden ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer unter anderem PKWs der Regierung aus der Ferne stoppen könnten. Sicherheitspatches gibt es bislang nicht. --------------------------------------------- https://heise.de/-7184324 ∗∗∗ Phishing-Mail zu „unbefugten Aktivitäten“ ignorieren! ∗∗∗ --------------------------------------------- Aktuell kursiert eine Phishing Nachricht im Namen der Raiffeisen Bank, die nach einer Authentifizierung verlangt. Angeblich wurde eine Zahlung in Höhe von 1259,00 EUR vorgenommen, die blockiert wurde. Achtung: Es handelt sich lediglich um einen erfundenen Grund, mit dem Kriminelle Sie zum Klick auf eine Phishing-Seite bewegen wollen. Löschen Sie die Nachricht einfach! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-zu-unbefugten-aktivita… ∗∗∗ Breaking down CISs new software supply chain security guidance ∗∗∗ --------------------------------------------- Securing the software supply chain continues to be one of the most discussed topics currently among IT and cybersecurity leaders. A study by In-Q-Tel researchers shows a rapid rise in software supply chain attacks starting around 2016, going from almost none in 2015 to about 1,500 in 2020. The Cloud Native Computing Foundation’s (CNCF’s) catalog of software supply chain attacks also supports a rise in this attack vector. --------------------------------------------- https://www.csoonline.com/article/3666742/breaking-down-ciss-new-software-s… ∗∗∗ Luna and Black Basta — new ransomware for Windows, Linux and ESXi ∗∗∗ --------------------------------------------- This report discusses new ransomware, that targets Windows, Linux and ESXi systems: Luna written in Rust and Black Basta. --------------------------------------------- https://securelist.com/luna-black-basta-ransomware/106950/ ∗∗∗ PrestaShop Skimmer Concealed in One Page Checkout Module ∗∗∗ --------------------------------------------- PrestaShop is a popular freemium open source e-commerce platform used by hundreds of thousands of webmasters to sell products and services to website visitors. While PrestaShop’s CMS market share is only 0.8%, it should still come as no surprise that attackers have been crafting malware to specifically target environments who use this software. --------------------------------------------- https://blog.sucuri.net/2022/07/prestashop-skimmer-concealed-in-one-page-ch… ∗∗∗ LockBit: Ransomware Puts Servers in the Crosshairs ∗∗∗ --------------------------------------------- LockBit affiliates using servers to spread ransomware throughout networks. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ∗∗∗ Analysis of a trojanized jQuery script: GootLoader unleashed ∗∗∗ --------------------------------------------- In this blog post, we will perform a deep analysis into GootLoader, malware which is known to deliver several types of payloads, such as Kronos trojan, REvil, IcedID, GootKit payloads and in this case Cobalt Strike. --------------------------------------------- https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-goo… ∗∗∗ 4 Strategies for Achieving Greater Visibility in the Cloud ∗∗∗ --------------------------------------------- Here are four ways to put visibility at the center of your cloud security approach and better understand whats going on in your environment. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/20/4-strategies-for-achieving-grea… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Oracle sichert seine Produkte mit 349 Updates ab ∗∗∗ --------------------------------------------- Wichtige Sicherheitspatches schließen unter anderem kritische Lücken in Oracle-Anwendungen. --------------------------------------------- https://heise.de/-7184179 ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht Zyxel-Firewalls ∗∗∗ --------------------------------------------- Mehrere Firewall-Modelle von Zyxel sind über Sicherheitslücken attackierbar. --------------------------------------------- https://heise.de/-7184526 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang-github-gosexy-gettext, golang-github-hub, oci-seccomp-bpf-hook, and popub), Oracle (kernel and kernel-container), SUSE (python2-numpy), and Ubuntu (check-mk and pyjwt). --------------------------------------------- https://lwn.net/Articles/901879/ ∗∗∗ Chrome 103 Update Patches High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Google this week announced a Chrome update that resolves a total of 11 vulnerabilities in the browser, including six reported by external researchers. Of these, five are use-after-free issues, including four that are considered “high severity.” --------------------------------------------- https://www.securityweek.com/chrome-103-update-patches-high-severity-vulner… ∗∗∗ HCL BigFix: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in HCL BigFix ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0733 ∗∗∗ OpenJDK: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in OpenJDK ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder Dateien zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0746 ∗∗∗ Arista EOS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Arista EOS ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0761 ∗∗∗ Red Hat OpenShift (Logging Subsystem): Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift (Logging Subsystem) ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0707 ∗∗∗ Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-co… ∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is affected by a cross-site scripting vulnerability in jQuery-UI(CVE-2021-41184) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities in JQuery affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip… ∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – CVE-2021-45105 (affecting v2.16) and CVE-2021-45046 (affecting v2.15) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vul… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities in Expact library. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Cross-site Scripting (CVE-2022-22477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to improper certificate validation (CVE-2021-29755) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to infomation disclosured due to incorrect file permissions (CVE-2022-22424) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to infomarion discosure (CVE-2021-38936) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Java SE related to the JSSE component affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2022
by Daily end-of-shift report 19 Jul '22

19 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 18-07-2022 18:00 − Dienstag 19-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Authentication Risks Discovered in Okta Platform ∗∗∗ --------------------------------------------- Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction. --------------------------------------------- https://threatpost.com/risks-okta-sso/180249/ ∗∗∗ Requests For beacon.http-get. Help Us Figure Out What They Are Looking For, (Tue, Jul 19th) ∗∗∗ --------------------------------------------- Based on our First Seen URLs page, we started seeing more requests for 'beacon.http-get' these last few days. The requests are going back a while now but have been increasing. --------------------------------------------- https://isc.sans.edu/diary/rss/28856 ∗∗∗ Sicherheit bei Mac-Office: Microsoft fordert zur Systemaktualisierung auf ∗∗∗ --------------------------------------------- Nur mit den jüngsten Versionen von Monterey und Big Sur lassen sich Angriffe über Makro-Exploits verhindern, so der Konzern. --------------------------------------------- https://heise.de/-7182296 ∗∗∗ WhatsApp-Nachricht über einen Covid-19-Zuschuss von UNICEF ist Fake ∗∗∗ --------------------------------------------- Sie haben auf WhatsApp eine Nachricht von UNICEF erhalten? Man will Ihnen einen Covid-19-Zuschuss von 50.000 Euro überweisen? Vorsicht: Dabei handelt es sich um Betrug. Kriminelle geben sich als UNICEF aus und täuschen Spenden oder Gewinne vor. In Wirklichkeit will man Ihnen Geld stehlen! Antworten Sie nicht und blockieren Sie die Nummer! --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-nachricht-ueber-einen-covid… ∗∗∗ I see what you did there: A look at the CloudMensis macOS spyware ∗∗∗ --------------------------------------------- Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs --------------------------------------------- https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-clo… ∗∗∗ Riding the InfoRail to Exploit Ivanti Avalanche ∗∗∗ --------------------------------------------- I was able to quickly identify a chain of three vulnerabilities in the Ivanti Avalanche Web Application: [...] Even though this chain is powerful, its first part heavily depends on factors that are not within the attacker’s control. We can do better, right? --------------------------------------------- https://www.thezdi.com/blog/2022/7/19/riding-the-inforail-to-exploit-ivanti… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-18 ∗∗∗ --------------------------------------------- IBM UrbanCode Build, IBM UrbanCode Release, IBM Sterling Partner Engagement Manager, IBM MQ, App Connect professional, IBM WebSphere Application Server Liberty, IBM Tivoli Netcool Configuration Manager, IBM UrbanCode Build. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Angreifer könnten Juniper-Software mit Schadcode attackieren ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Juniper hat unter anderem in Contrail Networking kritische Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7183158 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (buildah), SUSE (dovecot23 and nodejs12), and Ubuntu (harfbuzz, libhttp-daemon-perl, tiff, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/901787/ ∗∗∗ EMC Avamar: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in EMC Avamar und EMC NetWorker ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0715 ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0713 ∗∗∗ Apache CloudStack: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszulösen und Serverdaten zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0711 ∗∗∗ Redis: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Redis ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0709 ∗∗∗ jQuery: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in jQuery ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0708 ∗∗∗ CVE-2022-30526 (Fixed): Zyxel Firewall Local Privilege Escalation ∗∗∗ --------------------------------------------- Rapid7 discovered a local privilege escalation vulnerability affecting Zyxel firewalls. The vulnerability allows a low privileged user, such as `nobody`, to escalate to `root` on affected firewalls. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/19/cve-2022-30526-fixed-zyxel-fire… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2022
by Daily end-of-shift report 18 Jul '22

18 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-07-2022 18:00 − Montag 18-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cybercrime und Trickbot-Leaks: "Wir zahlen Krankengeld und 13. Monatsgehalt" ∗∗∗ --------------------------------------------- Cybercrime goes Business: Ein Bewerbungsgespräch im Cybercrime-Untergrund zeigt eindrucksvoll, wie sehr sich organisiertes Verbrechen schon "normalisiert" hat. --------------------------------------------- https://heise.de/-7182800 ∗∗∗ Fake-Shop für Pellets und Brennholz kontaktiert Kund:innen auf WhatsApp ∗∗∗ --------------------------------------------- Aktuell boomen Fake-Shops für Brennholz, Pellets, Photovoltaik-Anlagen und Öfen. Der betrügerische Shop wibois.com gibt sich besonders viel Mühe, um Ihnen Geld zu stehlen. Neben professionell gestalteten Werbeanzeigen auf Facebook und Instagram, senden die Kriminellen Ihnen Bestellbestätigung und Überweisungsaufforderung auf WhatsApp. Das stiftet Vertrauen und vermittelt das Gefühl von Erreichbarkeit. Zahlen Sie nicht und blockieren Sie die Nummer! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-fuer-pellets-und-brennholz… ∗∗∗ Mit Sality-Malware infiziertes Passwort Cracking-Tool für Industrie-Steuerungen/Leitsysteme verteilt ∗∗∗ --------------------------------------------- Cyberkriminelle bewerben in sozialen Netzwerken wohl ein Tool, mit denen Kennwörter in Industriesteuerungen (ICS, PLCs) geknackt werden können. --------------------------------------------- https://www.borncity.com/blog/2022/07/16/mit-sality-malware-infiziertes-pas… ∗∗∗ Supply Chain Attack Technique Spoofs GitHub Commit Metadata ∗∗∗ --------------------------------------------- Security researchers at Checkmarx are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories. --------------------------------------------- https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-co… ∗∗∗ Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability ∗∗∗ --------------------------------------------- Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022. --------------------------------------------- https://msrc-blog.microsoft.com/2022/07/18/mitigation-for-azure-storage-sdk… ∗∗∗ Month of PowerShell - Working with the Event Log, Part 3 - Accessing Message Elements ∗∗∗ --------------------------------------------- In part 3 of Working with the Event Log we look at using a third-party function to make accessing event log data much easier. --------------------------------------------- https://www.sans.org/blog/working-with-the-event-log-part-3-accessing-messa… ∗∗∗ Month of PowerShell - Working with the Event Log, Part 4 - Tweaking Event Log Settings ∗∗∗ --------------------------------------------- In this final part of this series on working with the event log in PowerShell, we look at tips and commands for tweaking event log settings. --------------------------------------------- https://www.sans.org/blog/working-with-the-event-log-part-4-tweaking-event-… ∗∗∗ Genesis - The Birth of a Windows Process (Part 2) ∗∗∗ --------------------------------------------- In this second and final part of the series, we will go through the exact flow CreateProcess carries out to launch a process on Windows using the APIs and Data Structure we discussed in Part 1. --------------------------------------------- https://fourcore.io/blogs/how-a-windows-process-is-created-part-2 ===================== = Vulnerabilities = ===================== ∗∗∗ New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain ∗∗∗ --------------------------------------------- Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," [...] --------------------------------------------- https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, [...] --------------------------------------------- https://lwn.net/Articles/901699/ ∗∗∗ Log4J-Schwachstelle: Mittelstand schläft, DHS sieht Problem für Jahre ∗∗∗ --------------------------------------------- Die in Java ausnutzbare Log4Shell-Schwachstelle in der Log4j-Bibliothek steckt mutmaßlich in vielen Systemen bzw. Software-Paketen. Das Problem dürfte uns noch für Jahre tangieren, schätzen Experten und im deutschen Mittelstand ist das noch nicht angekommen. Auch das Department of Homeland Security [...] --------------------------------------------- https://www.borncity.com/blog/2022/07/17/log4j-schwachstelle-mittelstand-sc… ∗∗∗ SonicWall Switch Post-Authenticated Remote Code Execution ∗∗∗ --------------------------------------------- A vulnerability in SonicWall Switch 1.1.1.0-2s and earlier allows an authenticated malicious user to perform remote code execution in the host system. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0013 ∗∗∗ Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-027/ ∗∗∗ Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-022/ ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: The CVE-2022-34305 vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-cve-2022-34305-vulner… ∗∗∗ Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities due to its use of IBM JAVA (CVE-2021-35560, CVE-2021-35578, CVE-2021-35565, CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-attacker-that-gains-se… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial server due to its use of Apache Xerces2 (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects PowerVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: The vulnerability CVE-2022-21299 in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-vulnerability-cve-202… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS (CVE-2021-22918, CVE-2021-22960, CVE-2021-22959) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op… ∗∗∗ Security Bulletin: Vulnerability in the jackson-databind component affects IBM Event Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-jack… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2022
by Daily end-of-shift report 15 Jul '22

15 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-07-2022 18:00 − Freitag 15-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Callback-Phishing: Dringender Rückruf erbeten ∗∗∗ --------------------------------------------- Angreifer geben sich in E-Mails als Sicherheitsunternehmen aus und bitten um einen Rückruf. Doch statt einer Überprüfung wird der Rechner gehackt. --------------------------------------------- https://www.golem.de/news/callback-phishing-dringender-rueckruf-erbeten-220… ∗∗∗ Android-Malware mit 3 Millionen Installationen aus Google Play entfernt ∗∗∗ --------------------------------------------- Die Android-Malware Autolycos hat es auf insgesamt drei Millionen Installationen gebracht. Nach der Entdeckung hat Google die betroffenen Apps entfernt. --------------------------------------------- https://heise.de/-7180469 ∗∗∗ Windows Autopatch ab sofort allgemein verfügbar ∗∗∗ --------------------------------------------- Automatisch abgesicherte Updates für Windows verspricht Microsoft mit Autopatch – Administratoren steht so deutlich weniger händische Arbeit ins Haus. --------------------------------------------- https://heise.de/-7180876 ∗∗∗ Was kann ich bei Problemen mit Klarna tun? ∗∗∗ --------------------------------------------- „Das Produkt ist noch gar nicht gekommen, trotzdem will Klarna, das ich bezahle.“ „Klarna schickt trotz Rücksendung Mahnungen.“ „Ich habe Ramsch bekommen, Klarna fordert aber eine Zahlung.“ Immer wieder berichten uns Konsument:innen von Problemen mit Klarna und sind ratlos. Wir zeigen Ihnen, was Sie bei ungerechtfertigten Zahlungsaufforderungen und Mahnungen von Klarna tun können. --------------------------------------------- https://www.watchlist-internet.at/news/was-kann-ich-bei-problemen-mit-klarn… ∗∗∗ YouTuber-Cash: Vorsicht vor Abzocke ∗∗∗ --------------------------------------------- YouTube-Videos schauen und damit Geld verdienen? Angebote wie das von youtuber.ltd klingen verlockend, doch statt der Auszahlung warten Abzocke-Maschen auf Sie. Vertrauen Sie keinen Versprechen online, schnell viel Geld zu verdienen! Die Kriminellen, die hinter diesen Angeboten stecken sind lediglich auf Ihre Daten oder Ihr Geld aus. --------------------------------------------- https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/ ∗∗∗ WordPress: Schwachstelle in Kaswara Modern WPBakery Page Builder wird angegriffen ∗∗∗ --------------------------------------------- WordPress-Nutzer, die das Kaswara Modern WPBakery Page Builder im Einsatz haben, sollten zügig handeln. In älteren Fassungen ist die Schwachstelle CVE-2021-24284 enthalten, die eine Übernahme der WordPress-Installation ermöglicht. --------------------------------------------- https://www.borncity.com/blog/2022/07/15/wordpress-schwachstelle-in-kaswara… ∗∗∗ New Phishing Kit Hijacks WordPress Sites for PayPal Scam ∗∗∗ --------------------------------------------- Attackers use scam security checks to steal victims government documents, photos, banking information, and email passwords, researchers warn. --------------------------------------------- https://www.darkreading.com/attacks-breaches/new-phishing-kit-hijacks-wordp… ∗∗∗ The real reason why malware detection is hard—and underestimated ∗∗∗ --------------------------------------------- Researchers develop an AI with a 98% malware detection rate and 5% false positive rate. If you think this is a splendid technology for antivirus software, this article might change your mind. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard ∗∗∗ Month of PowerShell: Working with Log Files ∗∗∗ --------------------------------------------- In this article we look at how we can leverage PowerShells object-passing pipeline to parse and retrieve data from an IIS web server log file. --------------------------------------------- https://www.sans.org/blog/powershell-working-with-log-files ∗∗∗ Software Vendors Start Patching Retbleed CPU Vulnerabilities ∗∗∗ --------------------------------------------- Vendors have started rolling out software updates to address the recently disclosed Retbleed speculative execution attack targeting Intel and AMD processors. --------------------------------------------- https://www.securityweek.com/software-vendors-start-patching-retbleed-cpu-v… ∗∗∗ Powerful Mantis DDoS Botnet Hits 1,000 Organizations in One Month ∗∗∗ --------------------------------------------- Web protection firm Cloudflare warns that a small but powerful botnet has launched distributed denial-of-service (DDoS) attacks on roughly 1,000 organizations over the past month alone. --------------------------------------------- https://www.securityweek.com/powerful-mantis-ddos-botnet-hits-1000-organiza… ∗∗∗ Digium Phones Under Attack: Insight Into the Web Shell Implant ∗∗∗ --------------------------------------------- We witnessed more than 500,000 unique samples of malicious traffic targeting Digium Asterisk software for VoIP phone devices. --------------------------------------------- https://unit42.paloaltonetworks.com/digium-phones-web-shell/ ∗∗∗ CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Quintin Crist of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows operating system, originally discovered and reported by Yuki Chen. The bug is found in the implementation of Network File System (NFS)and is due to improper handling of NFSv4 requests. An unauthenticated attacker could exploit this bug to execute arbitrary code in the context of SYSTEM. --------------------------------------------- https://www.thezdi.com/blog/2022/7/13/cve-2022-30136-microsoft-windows-netw… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Update Available for Adobe InDesign APSB22-30 ∗∗∗ --------------------------------------------- Adobe has released a security update for Adobe InDesign. This update addresses multiple critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. --------------------------------------------- https://helpx.adobe.com/security/products/indesign/apsb22-30.html ∗∗∗ Security Update Available for Adobe InCopy APSB22-29 ∗∗∗ --------------------------------------------- Adobe has released a security update for Adobe InCopy. This update addresses multiple  critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. --------------------------------------------- https://helpx.adobe.com/security/products/incopy/apsb22-29.html ∗∗∗ ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access ∗∗∗ --------------------------------------------- ABB is aware of private reports of a vulnerability in the flow computer and remote controller product versions listed above. A flash update is available that resolves the vulnerability in the product versions listed above. Mitigation can be accomplished by proper network segmentation [...] --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&Lan… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (curl, kernel, openssl1.1, php, subversion, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (grub2), SUSE (gnutls, kernel, logrotate, oracleasm, p11-kit, and python-PyJWT), and Ubuntu (libhttp-daemon-perl and python2.7, python3.10, python3.4, python3.5, python3.6, python3.8, python3.9). --------------------------------------------- https://lwn.net/Articles/901412/ ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0696 ∗∗∗ SonicWall Hosted Email Security Capture ATP Bypass ∗∗∗ --------------------------------------------- Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0014 ∗∗∗ OpenSSL c_rehash script allows command injection CVE-2022-1292 ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2022-1292) was found in OpenSSL c_rehash script. This is due to shell metacharacters not being properly sanitized, resulting in command injection. An attacker could execute arbitrary commands with the privileges of the script. After review, it has been determined that vulnerability tracked as CVE-2022-1292 is not applicable to the SonicWall product suite. However, SonicWall has decided to update the impacted OpenSSL package to the fixed version (OpenSSL 1.1.1o) [...] --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011 ∗∗∗ SolarWinds Dameware: Schwachstelle ermöglicht Nutzerzugriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0697 ∗∗∗ Mattermost: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0695 ∗∗∗ Autodesk AutoCAD: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0694 ∗∗∗ Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-35618 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed… ∗∗∗ Security Bulletin: Vulnerability in Json-schema library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json-sch… ∗∗∗ Security Bulletin: Vulnerability in Axios affects IBM Process Mining . CVE-2022-1214 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-axios-af… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by follow-redirects vulnerabilities (CVE-2022-0155 and CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2022
by Daily end-of-shift report 14 Jul '22

14 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-07-2022 18:00 − Donnerstag 14-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Month of PowerShell - Working with the Event Log, Part 2 - Threat Hunting with Event Logs ∗∗∗ --------------------------------------------- We continue our look at working with the Windows event log using PowerShell with 10 threat hunting techniques. --------------------------------------------- https://www.sans.org/blog/working-with-event-log-part-2-threat-hunting-with… ∗∗∗ Introducing Decompiler Explorer ∗∗∗ --------------------------------------------- Today, we’re releasing a little side project a few of our developers have been working with the community on: the Decompiler Explorer! This new (free, open source) web service lets you compare the output of different decompilers on small executables. In other words: It’s basically the same thing as Matt Godbolt’s awesome Compiler Explorer, but in reverse. --------------------------------------------- https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html ∗∗∗ CVE-2022-29885 - Dont Open That Port - A Denial Of Service vulnerability on Apache Tomcat Cluster Service Listener ∗∗∗ --------------------------------------------- While performing the analysis I discovered that this was a part of a research made by 4ra1n, who reported the issue to the Apache Tomcat Security Team on 17 April 2022 and marked as CVE-2022-29885. Nonetheless, I had no luck finding a suitable PoC of the vulnerability. --------------------------------------------- https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/ ∗∗∗ Genesis - The Birth of a Windows Process (Part 1) ∗∗∗ --------------------------------------------- This is the first part of a two part series. In this post, I cover how Windows spawns a process, the various APIs and data structures involved and different types of processess available on Windows. The Windows API provides several functions for creating a process. We will go through some of the important APIs and structures Win32 offers before diving into the process creation procedure. --------------------------------------------- https://fourcore.io/blogs/how-a-windows-process-is-created-part-1 ∗∗∗ Exploiting Arbitrary Object Instantiations in PHP without Custom Classes ∗∗∗ --------------------------------------------- PHP’s Arbitrary Object Instantiation is a flaw in which an attacker can create arbitrary objects. This flaw can come in all shapes and sizes. --------------------------------------------- https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/ ∗∗∗ “RedAlert,” LILITH and 0mega leading a wave of Ransomware Campaigns ∗∗∗ --------------------------------------------- Multiple new ransomware groups have surfaced recently, highlighting the adoption of ransomware attacks by TAs for monetary gains. --------------------------------------------- https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/ ∗∗∗ Office-Nutzer im Visier: Phishing-Kampagne umgeht Multi-Faktor-Authentifizierung ∗∗∗ --------------------------------------------- Microsofts Sicherheitsforscher haben eine große Phishing-Kampagne aufgedeckt. Dabei stehlen Angreifer Session-Cookies, um MFA-Schutzmaßnahmen zu umgehen. --------------------------------------------- https://heise.de/-7179750 ∗∗∗ PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin. --------------------------------------------- https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-buil… ∗∗∗ YouTuber-Cash: Vorsicht vor Abzocke ∗∗∗ --------------------------------------------- YouTube-Videos schauen und damit Geld verdienen? Angebote wie das von youtuber.ltd klingen verlockend, doch statt der Auszahlung warten Abzocke-Maschen auf Sie. Vertrauen Sie keinen Versprechen online, schnell viel Geld zu verdienen! --------------------------------------------- https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/ ===================== = Vulnerabilities = ===================== ∗∗∗ X.org servers update closes 2 security holes, adds neat component tweaks ∗∗∗ --------------------------------------------- Arbitrary code execution flaws in the X Keyboard Extension were bad news X.org has released a bunch of updates, which includes closing two security holes and, yes, this affects Wayland users too. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/07/13/xorg_servers… ∗∗∗ Tableau Server Leaks Sensitive Information From Reflected XSS ∗∗∗ --------------------------------------------- GoSecure Titan Labs has identified a vulnerability within the Tableau Server that could allow malicious actors to extract sensitive data from the application. Tableau Server is an analytics platform owned by Salesforce used to see and understand data. --------------------------------------------- https://www.gosecure.net/blog/2022/07/13/tableau-server-leaks-sensitive-inf… ∗∗∗ IBM Security Bulletins 2022-07-13 ∗∗∗ --------------------------------------------- IBM Db2, IBM MQ Appliance, IBM i, IBM WebSphere Application Server, IBM Engineering Lifecycle Optimization, IBM Cloud Pak, IBM Netezza Platform, IBM Security Verify Information Queue, IBM Security Verify Governance. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lücke in VMware vCenter Server und Cloud Foundation zum Teil abgedichtet ∗∗∗ --------------------------------------------- In VMwares vCenter Server und der Cloud Foundation klafft eine Sicherheitslücke in der Integrated Windows Authentication. Nun gibt es ein Software-Update. --------------------------------------------- https://heise.de/-7179181 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (request-tracker4), Fedora (kernel and vim), Mageia (gerbv, gnupg2, pgadmin4, and python-coookiecutter), Slackware (xorg), SUSE (cifs-utils, gmp, gnutls, libnettle, kernel, libsolv, libzypp, zypper, logrotate, openssl-1_1, opera, squid, and virglrenderer), and Ubuntu (ca-certificates, git, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-kvm, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-aws, linux-oem-5.14, and vim). --------------------------------------------- https://lwn.net/Articles/901190/ ∗∗∗ UEFI-Firmware-Bug gefährdet über 70 Lenovo Notebooks (Juli 2022) ∗∗∗ --------------------------------------------- Hinweis für Blog-Leser und -Leserinnen, die Notebooks von Lenovo (und IBM) verwenden. Sicherheitsforscher von ESET haben gravierenden Schwachstellen in der UEFI-Firmware von Lenovo Notebooks gefunden, die eine Übernahme des Betriebssystems in der frühen Boot-Phase ermöglicht. --------------------------------------------- https://www.borncity.com/blog/2022/07/14/uefi-firmware-bug-gefhrdet-ber-70-… ∗∗∗ Internet Explorer 11: Update KB5015805 (12. Juli 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 12. Juli 2022 ein Sicherheitsupdate (KB5015805) für den Internet Explorer freigegeben. Dieses ist aber nur für ausgesuchte Windows-Versionen als kumulatives Update separat erhältlich. Hier ein Überblick über diesen Patch, der Schwachstellen im Browser schließen soll. --------------------------------------------- https://www.borncity.com/blog/2022/07/14/internet-explorer-11-update-kb5015… ∗∗∗ Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-048 ∗∗∗ K14335949: Intel processors vulnerability CVE-2022-24436 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14335949 ∗∗∗ K43357358: AMD processors vulnerability CVE-2022-23823 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43357358 ∗∗∗ Juniper JUNOS (EX, MX, PTX, QFX Series): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0684 ∗∗∗ Juniper JUNOS (Verschiedene Plattformen): Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0683 ∗∗∗ Lenovo XClarity: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0687 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2022
by Daily end-of-shift report 13 Jul '22

13 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-07-2022 18:00 − Mittwoch 13-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud ∗∗∗ --------------------------------------------- A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA). --------------------------------------------- https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec… ∗∗∗ Using Referers to Detect Phishing Attacks, (Wed, Jul 13th) ∗∗∗ --------------------------------------------- Referers are useful information for webmasters and system administrators that would like to have a better overview of the visitors browsing their websites. The referer is an HTTP header that identifies the address of the web page from which the resource has been requested. --------------------------------------------- https://isc.sans.edu/diary/rss/28836 ∗∗∗ Infected WordPress Site Reveals Malicious C&C Script ∗∗∗ --------------------------------------------- Cryptomining infections accounted for less than 4% of total detections last year. Despite the fact that CoinHive – one of the most popular JavaScript based miners – shut down its operations in 2019, we still find occasional infections on compromised environments during remote and server-side scans. --------------------------------------------- https://blog.sucuri.net/2022/07/infected-wordpress-site-reveals-malicious-c… ∗∗∗ Researchers Uncover New Attempts by Qakbot Malware to Evade Detection ∗∗∗ --------------------------------------------- The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection. --------------------------------------------- https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html ∗∗∗ Open-Source-Tool von Microsoft erstellt "Software Bill of Materials" ∗∗∗ --------------------------------------------- Das SBOM-Tool Salus listet alle Komponenten und Dependencies von Projekten auf, um potenzielle Schwachstellen in der Software Supply Chain aufzuspüren. --------------------------------------------- https://heise.de/-7177889 ∗∗∗ Vorsicht vor Fake-Shops am Energiesektor! ∗∗∗ --------------------------------------------- Zahlreichen Fake-Shops mit Brennholz, lassen Kriminelle nun Photovoltaik-Shops wie solanex.de und solarnetz.at folgen. Die aktuelle Energiekrise soll offenbar maximal ausgenützt werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-am-energiese… ∗∗∗ Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption ∗∗∗ --------------------------------------------- We show how metadata encryption and decryption contributes to making Cobalt Strike an effective emulator that is difficult to defend against. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decry… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in AMD Prozessoren ausnutzen, um beliebigen Programmcode auszuführen oder Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0665 ∗∗∗ Intel Prozessoren: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Intel Prozessoren ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0650 ∗∗∗ Microsoft Security Update Summary (12. Juli 2022) ∗∗∗ --------------------------------------------- Am 12. Juli 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen zudem 84 Schwachstellen, davon einen 0-day. --------------------------------------------- https://www.borncity.com/blog/2022/07/12/microsoft-security-update-summary-… ∗∗∗ Adobe dichtet teils kritische Lücken ab ∗∗∗ --------------------------------------------- In Adobe Acrobat und Reader, Photoshop, RoboHelp und Character Animator schließt der Hersteller Sicherheitslücken. Einige sind kritisch. --------------------------------------------- https://heise.de/-7177696 ∗∗∗ IBM Security Bulletins 2022-07-12 ∗∗∗ --------------------------------------------- IBM Answer Retrieval for Watson Discovery, IBM Event Streams, IBM QRadar Network Security, IBM Cloud, Content Manager OnDemand, IBM Rational Build Forge, IBM App Connect Enterprise, IBM Sterling Connect, Digital Certificate Manager, Enterprise Content Management System Monitor. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/901029/ ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Ruby on Rails ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0662 ∗∗∗ ZDI-22-968: BMC Track-It! HTTP Module Improper Access Control Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-968/ ∗∗∗ ZDI-22-967: BMC Track-It! GetPopupSubQueryDetails SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-967/ ∗∗∗ VMSA-2022-0020 - VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0020.html ∗∗∗ VMSA-2022-0019 - VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0019.html ∗∗∗ VMSA-2022-0018 - VMware vCenter Server updates address a server-side request forgery vulnerability ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0018.html ∗∗∗ Dahua ASI7213X-T1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-193-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2022
by Daily end-of-shift report 12 Jul '22

12 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 11-07-2022 18:00 − Dienstag 12-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IBM-Middleware: Schwachstelle in MQ kann zu Rechtausweitung führen ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in IBM MQ ermöglichen Angreifern, ihre Rechte an betroffenen Systemen auszuweiten oder diese lahmzulegen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7169603 ∗∗∗ Wurm-Infektion: Malware-Kampagne Raspberry Robin befällt Windows und Qnap-NAS ∗∗∗ --------------------------------------------- IT-Forscher von Cybereason haben einen Netzwerkwurm entdeckt, der sich auf Windows- und Qnap-Geräten verbreitet. Sie nennen die Kampagne Raspberry Robin. --------------------------------------------- https://heise.de/-7170350 ∗∗∗ Month of PowerShell: Threat Hunting with PowerShell Differential Analysis ∗∗∗ --------------------------------------------- One of the most powerful techniques for threat hunting on Windows: differential analysis. --------------------------------------------- https://www.sans.org/blog/threat-hunting-with-powershell-differential-analy… ∗∗∗ CVE-2022-29593- Authentication Bypass by Capture Replay (Dingtian-DT-R002) ∗∗∗ --------------------------------------------- This blog post describes an authentication bypass within one such device, that allows an attacker with access to the IP network the ability to capture and subsequently replay discrete device commands, which allows for the switching on and off the physical relays on the device. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-29… ∗∗∗ Exploiting Authentication in AWS IAM Authenticator for Kubernetes ∗∗∗ --------------------------------------------- During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities. --------------------------------------------- https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aw… ∗∗∗ Scanning for security.txt files ∗∗∗ --------------------------------------------- RFC 9116 was written by E. Foudil and Y. Shafranovich and left draft status in April 2022. This RFC formally defines the unofficial security.txt file that has been an unofficial standard for many years, initially created back in 2017 and documented at https://securitytxt.org/. --------------------------------------------- https://www.pentestpartners.com/security-blog/scanning-for-security-txt-fil… ∗∗∗ ChromeLoader: New Stubborn Malware Campaign ∗∗∗ --------------------------------------------- A malicious browser extension is the payload of the ChromeLoader malware family, serving as adware and an infostealer, leaking users’ search queries. --------------------------------------------- https://unit42.paloaltonetworks.com/chromeloader-malware/ ∗∗∗ Is exploiting a null pointer deref for LPE just a pipe dream? ∗∗∗ --------------------------------------------- A lot of blog posts I have read go over interesting vulnerabilities and exploits but do not typically share the process behind discovery. I want to show how sometimes just manually poking around can quickly uncover vulnerabilities you might miss with other approaches to vulnerability discovery. --------------------------------------------- https://www.thezdi.com/blog/2022/6/1/is-exploiting-a-null-pointer-deref-for… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-962: Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-962/ ∗∗∗ Siemens ProductCERT published 19 and updated 15 advisories/bulletins ∗∗∗ --------------------------------------------- Opcenter Quality, SINAMICS PERFECT HARMONY GH180 Drives, EN100 Ethernet Module, RUGGEDCOM ROS, SIMATIC WinCC, Teamcenter Visualization, JT2Go, Industrial Products, TIA Administrator, Mendix Excel Importer Module, RUGGEDCOM ROX, SIMATIC eaSie Core Package, SCALANCE X Switches, SIMATIC CP Devices, Mendix Applications, SICAM A8000 Devicesm Simcenter Femap, PROFINET Stack, PADS Standard/Plus Viewer, SIMATIC S7-1500, Mendix, SIMATIC MV500 Devices, OPC Foundation Local Discovery Server, OPC-UA, Parasolid, SICAM GridEdge. --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-07#Sec… ∗∗∗ SAP-Patchday: 20 neue Sicherheitslücken im Juli abgedichtet ∗∗∗ --------------------------------------------- Mit den Updates zum Juli-Patchday schließt SAP 20 neue Sicherheitslücken. Zudem aktualisiert der Hersteller drei ältere Security-Bulletins. --------------------------------------------- https://heise.de/-7170698 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap). --------------------------------------------- https://lwn.net/Articles/900855/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ TYPO3-EXT-SA-2022-014: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-014 ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0641 ∗∗∗ Symantec Advanced Secure Gateway: Schwachstelle ermöglicht Manipulation und Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0638 ∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-24921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to Node.js ejs module (CVE-2022-29078) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses Apache LDAP API with a known vulnerability (CVE-2018-1337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-modernization-engin… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Postgresql shipped with IBM Tivoli Netcool Impact (CVE-2022-26520, CVE-2022-21724, WS-2022-0080) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-29526) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2022
by Daily end-of-shift report 11 Jul '22

11 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-07-2022 18:00 − Montag 11-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New 0mega ransomware targets businesses in double-extortion attacks ∗∗∗ --------------------------------------------- A new ransomware operation named 0mega targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets… ∗∗∗ Hackers Exploiting Follina Bug to Deploy Rozena Backdoor ∗∗∗ --------------------------------------------- A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. --------------------------------------------- https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html ∗∗∗ Raspberry Robin Windows Worm Abuses QNAP Devices ∗∗∗ --------------------------------------------- A recently discovered Windows worm is abusing compromised QNAP network-attached storage (NAS) devices as stagers to spread to new systems, according to Cybereason. Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives. --------------------------------------------- https://www.securityweek.com/raspberry-robin-windows-worm-abuses-qnap-devic… ∗∗∗ The History and Evolution of Zero Trust ∗∗∗ --------------------------------------------- “The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning”. --------------------------------------------- https://www.securityweek.com/history-and-evolution-zero-trust ∗∗∗ WhatsApp: Kriminelle geben sich als Ihr Kind aus ∗∗∗ --------------------------------------------- „Hallo Papa. Mein Handy ist kaputt. Das ist meine neue Nummer.“ Vorsicht: Diese Nachricht könnte von Kriminellen stammen. Werden Sie um eine Überweisung gebeten, handelt es sich eindeutig um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-kriminelle-geben-sich-als-i… ∗∗∗ SELECT XMRig FROM SQLServer ∗∗∗ --------------------------------------------- Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month. --------------------------------------------- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in node.js abgedichtet ∗∗∗ --------------------------------------------- Neue Versionen der node.js-Laufzeitumgebung beheben sicherheitskritische Fehler mit hohem Risiko. Angreifer könnten Opfern dadurch Schadcode unterjubeln. --------------------------------------------- https://heise.de/-7167912 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python). --------------------------------------------- https://lwn.net/Articles/900670/ ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um einen Denial of Service Angriff durchzuführen, beliebigen Code auszuführen, Speicher zu verändern und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0630 ∗∗∗ ZDI-22-959: (0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-959/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2021-23337 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23337/ ∗∗∗ Security Bulletin: CVE-2020-28500 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-28500/ ∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203-2/ ∗∗∗ Security Bulletin: IBM Content Manager Enterprise Edition is is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-enter… ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203/ ∗∗∗ Security Bulletin: CVE-2021-23369 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23369/ ∗∗∗ Security Bulletin: CVE-2020-7774 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-7774/ ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ K40582331: Apache HTTP server vulnerability CVE-2022-28615 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K40582331 ∗∗∗ K08006936: Apache Commons Configuration vulnerability CVE-2022-33980 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08006936 ∗∗∗ K74251611: Linux kernel vulnerability CVE-2021-38166 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74251611 ∗∗∗ K36462841: Linux kernel vulnerability CVE-2018-18281 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36462841 ∗∗∗ ILIAS: Schwachstelle ermöglicht Erlangen von Benutzerrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0629 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2022
by Daily end-of-shift report 08 Jul '22

08 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-07-2022 18:00 − Freitag 08-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gesundheitseinrichtungen im Visier nordkoreanischer Cyberkrimineller ∗∗∗ --------------------------------------------- US-amerikanische Sicherheitsbehörden warnen vor der Maui-Ransomware. Mit ihr greifen nordkoreanische Cybergangs Organisationen des Gesundheitswesens an. --------------------------------------------- https://heise.de/-7166692 ∗∗∗ Free decryptor released for AstraLocker, Yashma ransomware victims ∗∗∗ --------------------------------------------- New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ SiteCheck Malware Trends Report – Q2 2022 ∗∗∗ --------------------------------------------- Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote scanners may not provide as comprehensive of a scan as server-side scanners, they allow users to instantly identify malicious code and detect security issues on their website without installing any software or applications. --------------------------------------------- https://blog.sucuri.net/2022/07/sitecheck-malware-trends-report-q2-2022.html ∗∗∗ Over 1,200 NPM Packages Found Involved in "CuteBoi" Cryptomining Campaign ∗∗∗ --------------------------------------------- Researchers have disclosed what they say could be an attempt to kick-off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts. --------------------------------------------- https://thehackernews.com/2022/07/over-1200-npm-packages-found-involved.html ∗∗∗ Koh: The Token Stealer ∗∗∗ --------------------------------------------- In this post I will introduce a toolkit called Koh that can indefinitely (..) harvest and reuse tokens for accounts that connect to a machine you have administrative rights on. I’ll go over the motivation for this approach, the technical background of why it’s possible and what changed in 2016, and briefly show what Koh can do. --------------------------------------------- https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6 ∗∗∗ New HavanaCrypt Ransomware Distributed as Fake Google Software Update ∗∗∗ --------------------------------------------- Security researchers at Trend Micro have identified a new ransomware family that is being delivered as a fake Google Software Update application. --------------------------------------------- https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-go… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-07 ∗∗∗ --------------------------------------------- IBM QRadar Network Security, IBM Engineering Lifecycle Management, IBM Rational Build Forge, IBM Tivoli Netcool/Omnibus, IBM Tivoli Network Manager, IBM Engineering Lifecycle Management, IBM CICS TX Standard, IBM CICS TX Advanced, IBM WebSphere Application Server Liberty, IBM Security Verify Information Queue, IBM Event Streams. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Root-Lücke in Dell-EMC-Software geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit Dell PowerProtect Cyber Recovery oder Cloud Mobility for Dell EMC Storage attackieren. Hiergegen gibt es jetzt ein Update. --------------------------------------------- https://heise.de/-7166118 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (direnv, golang-github-mattn-colorable, matrix-synapse, pypy3.7, pypy3.8, and pypy3.9), Oracle (squid), SUSE (curl, openssl-1_1, pcre, python-ipython, resource-agents, and rsyslog), and Ubuntu (nss, php7.2, and vim). --------------------------------------------- https://lwn.net/Articles/900443/ ∗∗∗ NetApp ActiveIQ Unified Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in NetApp ActiveIQ Unified Manager ausnutzen, um Informationen offenzulegen, Daten zu manipulieren oder zu verändern und einen Denial of Service Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0608 ∗∗∗ Red Hat FUSE: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat FUSE ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuführen, einen Denial of Service Zustand herbeizuführen, Sicherheitsmaßnahmen zu umgehen, Daten und Informationen zu manipulieren und seine Privilegien zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0607 ∗∗∗ July 7th 2022 Security Releases ∗∗∗ --------------------------------------------- Updates are now available for the v18.x, v16.x, and v14.x Node.js release [...] --------------------------------------------- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases ∗∗∗ Exploitation of Mitel MiVoice Connect SA CVE-2022-29499 ∗∗∗ --------------------------------------------- Mitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible. Appliances should not be exposed to the open internet. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-c… ∗∗∗ ZDI-22-955: Sante PACS Server SQL Injection Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-955/ ∗∗∗ K06524534: Linux kernel vulnerability CVE-2021-22555 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06524534 ∗∗∗ K49622415: Apache Tomcat vulnerability CVE-2022-25762 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49622415 ∗∗∗ 10 Vulnerabilities Found in Widely Used Robustel Industrial Routers ∗∗∗ --------------------------------------------- https://www.securityweek.com/10-vulnerabilities-found-widely-used-robustel-… ∗∗∗ Eclipse Jetty: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0614 ∗∗∗ Foxit PDF Editor: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0613 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0622 ∗∗∗ Rockwell Automation MicroLogix ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-188-01 ∗∗∗ Bently Nevada ADAPT 3701/4X Series and 60M100 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-188-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2022
by Daily end-of-shift report 07 Jul '22

07 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-07-2022 18:00 − Donnerstag 07-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ransomware, hacking groups move from Cobalt Strike to Brute Ratel ∗∗∗ --------------------------------------------- Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-mo… ∗∗∗ Online programming IDEs can be used to launch remote cyberattacks ∗∗∗ --------------------------------------------- Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/online-programming-ides-can-… ∗∗∗ Automating binary vulnerability discovery with Ghidra and Semgrep ∗∗∗ --------------------------------------------- Semgrep is a static analysis tool that works on source code, but thanks to Haruspex we can leverage its power also against closed source binaries. --------------------------------------------- https://security.humanativaspa.it/automating-binary-vulnerability-discovery… ∗∗∗ Liste betrügerischer Investitionsplattformen ∗∗∗ --------------------------------------------- Betrügerische Investitionsplattformen versprechen hohe Gewinne – risikofrei und ohne Finanzwissen. Der Handel erfolgt automatisiert oder mit persönlicher Beratung. Bereits mit kleinen Investitionen können angeblich hohe Gewinne erzielt werden. Klingt sehr verlockend, ist aber Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/liste-betruegerischer-investitionspl… ∗∗∗ AsyncRAT Being Distributed to Vulnerable MySQL Servers ∗∗∗ --------------------------------------------- The ShadowServer foundation has recently released a report showing that there are about 3.6 million MySQL servers exposed to outside. --------------------------------------------- https://asec.ahnlab.com/en/36315/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt aktualisieren! Codeschmuggel durch Lücke in OpenSSL möglich∗∗∗ --------------------------------------------- Die gravierendere Schwachstelle betrifft OpenSSL 3.0.4, das am 21. Juni veröffentlicht wurde. Darin haben die Entwickler laut eigener Beschreibung einen ernsthaften Fehler eingebaut, der die RSA-Implementierung auf Prozessoren mit Unterstützung für die AVX-512 IFMA-Befehlssatzerweiterung betrifft. Die Implementierung mit privaten Schlüsseln mit 2048-Bit ist nicht korrekt und ein Speicherfehler tritt bei der Berechnung auf. Ein Angreifer könnte als Folge davon aus dem Internet Code einschleusen und ausführen (CVE-2022-2274, noch kein CVSS-Score, Risiko "hoch"). --------------------------------------------- https://www.heise.de/news/Jetzt-aktualisieren-Codeschmuggel-durch-Luecke-in… ∗∗∗ Cisco Security Advisories 2022-07-06 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 1 High, 7 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2022-07-06 ∗∗∗ --------------------------------------------- IBM CICS TX Standard, IBM Tivoli Netcool Impact, IBM Security Verify Access Product, App Connect professional, IBM Engineering Lifecycle Management, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Security Verify Access Appliance, IBM Tivoli Application Dependency Discovery Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday Android: Systemlücke lässt Schadcode passieren ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android-Smartphones und -Tablets. Einige Lücken sind als kritisch eingestuft. --------------------------------------------- https://heise.de/-7164810 ∗∗∗ Schwachstellen in OpenVPN Access Server geschlossen ∗∗∗ --------------------------------------------- Version 2.11.0 des OpenVPN Access Server schließt einige Sicherheitslücken. Angreifer hätten die Server etwa für DDoS-Verstärkungs-Angriffe missbrauchen können. --------------------------------------------- https://heise.de/-7165442 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode), Fedora (dotnet3.1 and gnupg2), Oracle (grub2, kernel, php:7.4, php:8.0, and qemu-kvm), SUSE (389-ds, apache2, crash, curl, expat, firefox, fwupd, fwupdate, ImageMagick, ldb, samba, liblouis, librttopo, openssl, openssl-1_0_0, openssl-1_1, openssl-3, oracleasm, php7, php8, python-Twisted, python310, rsyslog, s390-tools, salt, thunderbird, and xen), and Ubuntu (linux-lts-xenial, linux-kvm and openssl). --------------------------------------------- https://lwn.net/Articles/900286/ ∗∗∗ Apache Commons: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Apache Commons ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0590 ∗∗∗ ZDI-22-949: (0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-949/ ∗∗∗ Dovecot: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0589 ∗∗∗ Nextcloud Mail: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0594 ∗∗∗ HCL BigFix: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0606 ∗∗∗ XSS-Schwachstelle in Jira-App (SYSS-2022-039) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/xss-schwachstelle-in-jira-app-syss-2022-039 ∗∗∗ QNAP: Checkmate Ransomware via SMB Services Exposed to the Internet ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-21 ∗∗∗ Microsoft Edge 103.0.1264.49 (6. Juli 2022) ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/07/07/microsoft-edge-103-0-1264-49-6-jul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2022
by Daily end-of-shift report 06 Jul '22

06 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-07-2022 18:00 − Mittwoch 06-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft quietly fixes ShadowCoerce Windows NTLM Relay bug ∗∗∗ --------------------------------------------- Microsoft has confirmed it fixed a previously disclosed ShadowCoerce vulnerability as part of the June 2022 updates that enabled attackers to target Windows servers in NTLM relay attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-sha… ∗∗∗ NPM supply-chain attack impacts hundreds of websites and apps ∗∗∗ --------------------------------------------- An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-supply-chain-attack-impa… ∗∗∗ Kryptographie: NIST gibt Post-Quanten-Algorithmen bekannt ∗∗∗ --------------------------------------------- Nach einem Wettbewerb kürt die US-Behörde Verschlüsselungs- und Signaturalgorithmen, die vor Quantencomputern sicher sein sollen. --------------------------------------------- https://www.golem.de/news/kryptographie-nist-gibt-post-quanten-algorithmen-… ∗∗∗ Top 5 Most Common WordPress Malware Infections: An Anatomy Lesson ∗∗∗ --------------------------------------------- WordPress security is serious business – and an essential consideration for anyone using the world’s most popular CMS (Content Management System). While the WordPress team quickly addresses known security issues in WordPress’ core to protect the millions of website owners who rely and depend on the software, the reality is that the same cannot be said for all plugin and theme developers. --------------------------------------------- https://blog.sucuri.net/2022/07/top-5-most-common-wordpress-malware-infecti… ∗∗∗ Fake-Shop-Alarm: Vorsicht beim Online-Kauf von Brennholz! ∗∗∗ --------------------------------------------- Die aktuelle Energiekrise lässt die Preise für Brennholz steigen. Der befürchtete Gasmangel führt dazu, dass Holz gehamstert und dementsprechend knapper wird. Eine perfekte Ausgangslage für Kriminelle: Sie nutzen die Situation aus und erstellen Fake-Shops, auf denen sie günstiges Brennholz anbieten. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online… ∗∗∗ Electric Vehicle Charging: a Survey on the Security Issues and Challenges of the Open Charge Point Protocol (OCPP) ∗∗∗ --------------------------------------------- The increased use of smart Electric Vehicles (EVs) and Plug-in ElectricVehicles (PEV) opened a new area of research and development. The number of EVcharging sites has considerably increased in residential as well as in publicareas. Within these EV charging sites, various entities need to communicate in a secure and efficient way. --------------------------------------------- http://arxiv.org/abs/2207.01950 ∗∗∗ OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow ∗∗∗ --------------------------------------------- Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat actors’ interest and we see a continued growth and innovation of malware that targets Linux, such as the recent Symbiote malware that was discovered by our research team. --------------------------------------------- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldap-account-manager), Fedora (openssl1.1, thunderbird, and yubihsm-connector), Mageia (curl, cyrus-imapd, firefox, ruby-git, ruby-rack, squid, and thunderbird), Oracle (firefox, kernel, and thunderbird), Slackware (openssl), SUSE (dpdk, haproxy, and php7), and Ubuntu (gnupg2 and openssl). --------------------------------------------- https://lwn.net/Articles/900172/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache Tomcat version used in it. (CVE-2021-42340) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to the Fabric8 Kubernetes client (CVE-2021-4178) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-32210 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM QRadar Network Packet Capture includes multiple vulnerable components. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet… ∗∗∗ K58003591: Apache HTTP server vulnerability CVE-2022-28614 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K58003591 ∗∗∗ vim: Schwachstelle ermöglicht Manipulation von Speicher ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0583 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0581 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2022
by Daily end-of-shift report 05 Jul '22

05 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 04-07-2022 18:00 − Dienstag 05-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt aktualisieren! Zero-Day-Lücke in Google Chrome geschlossen ∗∗∗ --------------------------------------------- Im Webbrowser Google Chrome hat der Hersteller mehrere Sicherheitslücken geschlossen. Angreifer missbrauchen eine davon bereits in freier Wildbahn. --------------------------------------------- https://heise.de/-7162462 ∗∗∗ Erpressungstrojaner AstraLocker ist Geschichte, Entschlüsselungstools verfügbar ∗∗∗ --------------------------------------------- Die Drahtzieher der Ransomware AstraLocker wollen die Cybercrime-Branche wechseln und veröffentlichen Tools, über die Opfer auf ihre Daten zugreifen können. --------------------------------------------- https://heise.de/-7163123 ∗∗∗ Memory Sanitizer: Neues Kernel-Werkzeug findet 300 Speicherfehler ∗∗∗ --------------------------------------------- Trotz Compilerwarnungen und -Werkzeuge gibt es weiter neue Speicherfehler im Linux-Kernel. Ein Memory Sanitizer soll das zum Teil verhindern. --------------------------------------------- https://www.golem.de/news/memory-sanitizer-neues-kernel-werkzeug-findet-300… ∗∗∗ Abo-Falle auf lebenslaufschreiben.com ∗∗∗ --------------------------------------------- Sie erstellen gerade einen Lebenslauf und suchen im Internet nach Vorlagen? Möglicherweise landen Sie bei lebenslaufschreiben.com – einem Lebenslaufgenerator. Online können alle Informationen eingetippt und ein sehr professioneller Lebenslauf gebastelt werden. Doch Vorsicht: Sie werden in eine Abo-Falle gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-auf-lebenslaufschreibencom/ ∗∗∗ EternalBlue 5 years after WannaCry and NotPetya, (Tue, Jul 5th) ∗∗∗ --------------------------------------------- We are about two months past the 5-year anniversary of WannaCry outbreak[1] and about a week past the 5-year anniversary of NotPetya outbreak[2]. Since both WannaCry and NotPetya used the EternalBlue[3] exploit in order to spread, I thought that it might be interesting to take a look at how many internet-facing systems still remain vulnerable to it. --------------------------------------------- https://isc.sans.edu/diary/rss/28816 ∗∗∗ When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors ∗∗∗ --------------------------------------------- Penetration testing and adversary emulation tool Brute Ratel C4 is effective at defeating modern detection capabilities – and malicious actors have begun to adopt it. --------------------------------------------- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate für Django Web Framework ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Django Web-Framework ermöglichte Angreifern das Einschleusen von SQL-Befehlen. Aktualisierte Software bessert die Schwachstelle aus. --------------------------------------------- https://heise.de/-7163246 ∗∗∗ IBM Security Bulletins 2022-07-04 ∗∗∗ --------------------------------------------- IBM Tivoli Network Manager, IBM App Connect Enterprise, IBM Integration Bus, IBM Engineering Test Management, IBM WebSphere Cast Iron Solution, IBM App Connect Professional, IBM Cloud Pak, IBM Tivoli Netcool, IBM Netezza, IBM Operations Analytics, App Connect professional. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Fortinet Security Advisories 2022-07-05 ∗∗∗ --------------------------------------------- On Jul 05, 2022, Fortinet has released 11 advisories for issues resolved in Fortinet products. (Severity: Low (1), Medium (6), High (4)) --------------------------------------------- https://fortiguard.fortinet.com/psirt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender and thunderbird), SUSE (ImageMagick, qemu, and sysstat), and Ubuntu (php7.0). --------------------------------------------- https://lwn.net/Articles/900064/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-22662 Versions affected: WebKitGTK and WPE WebKit before 2.36.0. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0006.html ∗∗∗ OpenSSL: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein Angreifer kann eine Schwachstelle in OpenSSL ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0561 ∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um Cross-Site Scripting- und Cross-Site Request Forgery Angriffe durchzuführen und um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0562 ∗∗∗ July 5th 2022 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, and 18.x releases lines on or shortly after Tuesday, July 5th, 2022 in order to address: Three medium severity issues. Two high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases ∗∗∗ LiteCart vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN32625020/ ∗∗∗ Xen Security Advisory CVE-2022-33743 / XSA-405 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-405.html ∗∗∗ Xen Security Advisory CVE-2022-33744 / XSA-406 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-406.html ∗∗∗ Xen Security Advisory CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742 / XSA-403 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-403.html ∗∗∗ Nextcloud: Schwachstelle ermöglicht Injektion von Kommandos ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0558 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2022
by Daily end-of-shift report 04 Jul '22

04 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-07-2022 18:00 − Montag 04-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Raspberry Robin: Microsoft warnt vor mysteriösem Wurm ∗∗∗ --------------------------------------------- Die Schadsoftware verbreitet sich über USB-Sticks. Unklar bleibt, wer die Urheber*innen sind und welches Ziel damit verfolgt wird. --------------------------------------------- https://futurezone.at/digital-life/raspberry-robin-wurm-windows-microsoft-w… ∗∗∗ Warnung vor Hackerangriffen auf Politiker ∗∗∗ --------------------------------------------- Das BSI und der Verfassungsschutz warnen vor Hackern, die durch einen einfachen Trick den Zugang zu Chats von hochrangigen Politikern erlangen könnten. --------------------------------------------- https://www.tagesschau.de/investigativ/ndr-wdr/hacker-angriffe-verfassungss… ∗∗∗ Gefälschtes ÖBB-Gewinnspiel auf WhatsApp ∗∗∗ --------------------------------------------- Viele WhatsApp-Nutzer:innen verbreiten unter ihren Kontakten unwissentlich ein Fake-ÖBB-Gewinnspiel. Die Nachricht lautet „ÖBB 100 Jahre Staatliche Verkehrsförderung! Jeder Bürger kann sich über…“. Darunter ist ein Link. Der Link führt zu einem gefälschten Gewinnspiel. Klicken Sie nicht auf den Link, Sie werden abgezockt. Ignorieren Sie die Nachricht und melden Sie sie an WhatsApp. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-oebb-gewinnspiel-auf-wh… ∗∗∗ CISA fordert US-Einrichtungen zum Patchen von CVE-2022-26925 in AD-Umgebungen auf ∗∗∗ --------------------------------------------- Zum 1. Juli 2022 hat die US Cybersecurity & Infrastructur Security Agency (CISA) erneut den Patch für die Schwachstelle CVE-2022-26925 (Active Directory) in die Liste der zu schließenden Schwachstellen aufgenommen (soll bis 22. 7. 2022 geschlossen werden). --------------------------------------------- https://www.borncity.com/blog/2022/07/04/cisa-fordert-us-einrichtungen-zum-… ∗∗∗ Cloud OSINT. Finding Interesting Resources ∗∗∗ --------------------------------------------- Locating sensitive information, personally identifiable information (PII) and questionable assets in the cloud. TL; DR I had a curiosity driven excursion into the public clouds of AWS and Azure to [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/cloud-osint-finding-interesti… ===================== = Vulnerabilities = ===================== ∗∗∗ Django fixes SQL Injection vulnerability in new releases ∗∗∗ --------------------------------------------- Django, an open source Python-based web framework has patched a high severity vulnerability in its latest releases. Tracked as CVE-2022-34265, the potential SQL Injection vulnerability impacts Djangos main branch, and versions 4.1 (currently in beta), 4.0, and 3.2, with patches and new releases issued fixing the vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-v… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnupg2 and kernel), Fedora (golang-github-apache-beam-2, golang-github-etcd-io-gofail, golang-github-intel-goresctrl, golang-github-spf13-cobra, golang-k8s-pod-security-admission, and vim), Oracle (.NET 6.0, compat-openssl10, compat-openssl11, cups, curl, expat, firefox, go-toolset:ol8, grub2,, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libarchive, libgcrypt, libinput, libxml2, pcre2, postgresql, python, rsync, rsyslog, [...] --------------------------------------------- https://lwn.net/Articles/899963/ ∗∗∗ libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0544 ∗∗∗ xpdf: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0543 ∗∗∗ HPE FlexNetwork und FlexFabric Switches: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0542 ∗∗∗ Kyocera Drucker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0551 ∗∗∗ Trend Micro Maximum Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0550 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Remote code execution vulnerability affect IBM Business Automation Workflow – CVE-2021-43138 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-remote-code-execution-vul… ∗∗∗ Security Bulletin: junrar Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-junrar-denial-of-service-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: junrar v7.4.0 and prior Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-junrar-v7-4-0-and-prior-d… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2022
by Daily end-of-shift report 01 Jul '22

01 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-06-2022 18:00 − Freitag 01-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft-Analyse: Linux-Malware-Kampagne erhält bemerkenswertes Update ∗∗∗ --------------------------------------------- Ein Sicherheitsteam von Microsoft hat beobachtet, dass die Malware-Gruppe "8220 Gang" ihre Kampagne signifikant aktualisiert hat. Im Visier: Linux-Systeme. --------------------------------------------- https://heise.de/-7159495 ∗∗∗ FBI and CISA warn: This ransomware is using RDP flaws to break into networks ∗∗∗ --------------------------------------------- US exposes MedusaLocker, one of the ransomware gangs that ramped up activity as the pandemic gripped the world. --------------------------------------------- https://www.zdnet.com/article/fbi-and-cisa-warn-this-ransomware-is-using-rd… ∗∗∗ RanSim: a ransomware simulation script written in PowerShell ∗∗∗ --------------------------------------------- You can use RanSim to test your defenses and backups against real ransomware-like activity in a controlled setting. The same script can be used to decrypt the files if needed. --------------------------------------------- https://github.com/lawndoc/RanSim ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Viele Jenkins-Plug-ins als Schlupflöcher für Angreifer ∗∗∗ --------------------------------------------- Software-Entwickler aufgepasst: Lücken in Plug-ins für den Automation-Server Jenkins geschlossen. Etliche Patches lassen aber noch auf sich warten. --------------------------------------------- https://heise.de/-7160083 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, isync, kernel, and systemd), Fedora (chromium, curl, firefox, golang-github-vultr-govultr-2, and xen), Mageia (openssl, python-bottle, and python-pyjwt), Red Hat (compat-openssl10, curl, expat, firefox, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, kernel, kpatch-patch, libarchive, libgcrypt, libinput, libxml2, pcre2, php:7.4, php:8.0, qemu-kvm, ruby:2.6, thunderbird, and vim), and Ubuntu (curl, libjpeg6b, and vim). --------------------------------------------- https://lwn.net/Articles/899701/ ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um Informationen offenzulegen, Sicherheitseinstellungen zu umgehen, einen Denial of Service zu verursachen, Daten zu manipulieren und Code zur Ausführung zu bringen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0531 ∗∗∗ Microsoft Edge 103.0.1264.44 fixt CVE-2022-33680 (30. Juni 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 30. Juni 2022 den Edge-Browser im Stable Channel auf die Version 103.0.1264.44 aktualisiert. Es ist ein Wartungsupdate, welches die als kritisch eingestufte Elevation of Privilege-Schwachstelle CVE-2022-33680 (Ausbruch aus der Sandbox) beseitigt. --------------------------------------------- https://www.borncity.com/blog/2022/07/01/microsoft-edge-103-0-1264-44-fixt-… ∗∗∗ ZDI-22-948: Parallels Access Agent Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-948/ ∗∗∗ Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: Vulnerabilities in Samba, OpenSSL, Python, and XStream affect IBM Spectrum Protect Plus (CVE-2021-20254, CVE-2021-3712, CVE-2021-43859, CVE-2022-0778, CVE-2020-25717, CVE-2021-23192, CVE-2021-3733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-samba-… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server Pack for SAP Apps and BW Packs is affected by an improper validation vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: UrbanCode Deploy is vulnerable to denial of service due to Jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urbancode-deploy-is-vulne… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Kibana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0527 ∗∗∗ npm: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0524 ∗∗∗ Exemys RME1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-01 ∗∗∗ Yokogawa Wide Area Communication Router ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-02 ∗∗∗ Emerson DeltaV Distributed Control System ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-03 ∗∗∗ Distributed Data Systems WebHMI ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-04 ∗∗∗ 2022-09 FragAttacks ProSoft RadioLinx RLX2 ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14521&mediaformat… ∗∗∗ Unauthorized RCE CVE-2022-28219 in Zoho ManageEngine ADAudit Plus ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/07/01/unauthorized-rce-cve-2022-28219-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2022
by Daily end-of-shift report 30 Jun '22

30 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-06-2022 18:00 − Donnerstag 30-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Atlassian warnt vor Sicherheitslücke in Projektverwaltung Jira ∗∗∗ --------------------------------------------- Vor einer Sicherheitslücke mit hohem Risiko in Jira warnt Hersteller Atlassian. Updates stehen bereit. Auch ein Workaround bietet das Unternehmen an. --------------------------------------------- https://heise.de/-7157892 ∗∗∗ Recovery-Scams: Kriminelle geben sich als FMA und Börsenaufsicht aus! ∗∗∗ --------------------------------------------- Sind Sie Opfer einer unseriösen Trading-Plattform geworden? Anbieter wie börsenaufsicht.net, finanzmarktaufsicht.net und payback-ltd.com versprechen Ihr verlorenes Geld zurückzuholen. Vorsicht! Es handelt sich um betrügerische Dienste, die Sie noch weiter abzocken wollen. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scams-kriminelle-geben-sich… ∗∗∗ Microsoft Exchange Server: Remote Code Execution-Schwachstelle CVE-2022-23277 trotz Patch ausnutzbar? ∗∗∗ --------------------------------------------- Sind auf dem aktuellen Patch-Stand befindliche Microsoft Exchange Server über die Remote Code Execution-Schwachstelle CVE-2022-23277 immer noch angreifbar? Mir sind gerade einige Informationsfragmente unter die Augen gekommen, die dies zumindest nahelegen, dass der betreffende Patch die Möglichkeiten zur Ausnutzung nicht [...] --------------------------------------------- https://www.borncity.com/blog/2022/06/30/microsoft-exchange-server-remote-c… ∗∗∗ CISA warns of hackers exploiting PwnKit Linux vulnerability ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ AstraLocker 2.0 infects users directly from Word attachments ∗∗∗ --------------------------------------------- A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users… ∗∗∗ XFiles info-stealing malware adds support for Follina delivery ∗∗∗ --------------------------------------------- The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xfiles-info-stealing-malware… ∗∗∗ The SessionManager IIS backdoor ∗∗∗ --------------------------------------------- In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East. --------------------------------------------- https://securelist.com/the-sessionmanager-iis-backdoor/106868/ ∗∗∗ Toll fraud malware: How an Android application can drain your wallet ∗∗∗ --------------------------------------------- Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware - and it continues to evolve. --------------------------------------------- https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-a… ∗∗∗ Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended, (Thu, Jun 30th) ∗∗∗ --------------------------------------------- How do threat actors behind a Cobalt Strike server keep it running after its domain is taken down? If the server is not hosted through the domain registrar, it merely keeps running on the same IP address. Today's diary is a case study where Cobalt Strike remained active on the same IP address at least one week after its domain was suspended. --------------------------------------------- https://isc.sans.edu/diary/rss/28804 ∗∗∗ Flubot: the evolution of a notorious Android Banking Malware ∗∗∗ --------------------------------------------- Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the [...] --------------------------------------------- https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-andr… ∗∗∗ Amazon Photos vulnerability could have given attackers access to user files and data ∗∗∗ --------------------------------------------- The retail giant patched a serious flaw in its Amazon Photos app that left user access token exposed to potential attackers. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/amazon-p… ∗∗∗ Cloudy with a Chance of Risk: Managing Risks in Cloud-Managed OT Networks ∗∗∗ --------------------------------------------- In this blog, we'll examine the potential threats and risks of OT cloud migration, offering guidance on how to manage and mitigate them effectively. --------------------------------------------- https://claroty.com/2022/06/30/blog-research-cloudy-with-a-chance-of-risk/ ∗∗∗ Reducing data exfiltration by malicious insiders ∗∗∗ --------------------------------------------- Advice and recommendations for mitigating this type of insider behaviour. --------------------------------------------- https://www.ncsc.gov.uk/guidance/reducing-data-exfiltration-by-malicious-in… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-29 ∗∗∗ --------------------------------------------- IBM Spectrum Protect, IBM Watson Discovery, IBM Sterling B2B Integrator, IBM Sterling Connect, IBM Cloud Pak, IBM Tivoli Netcool Impact, IBM Db2 --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, firejail, and ublock-origin), Fedora (chromium, firefox, thunderbird, and vim), Mageia (kernel and kernel-linus), Oracle (389-ds-base and python-virtualenv), SUSE (chromium), and Ubuntu (cloud-init). --------------------------------------------- https://lwn.net/Articles/899483/ ∗∗∗ Mitsubishi Electric FA Engineering Software (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05 ∗∗∗ CODESYS Gateway Server (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a heap-based buffer overflow vulnerability in CODESYS Gateway Server products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSA-15-258-02 ∗∗∗ Revision von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) vom 28. Juni 2022 ∗∗∗ --------------------------------------------- Microsoft hat seine Beschreibung von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) zum 28. Juni 2022 revidiert. Es wurden die Sicherheitsupdates für Windows 10 Version 21H2, Windows 11 und Windows Server 2022 hinzugefügt, da diese Windows-Versionen ebenfalls von dieser Sicherheitslücke [...] --------------------------------------------- https://www.borncity.com/blog/2022/06/29/revision-von-cve-2022-26414-window… ∗∗∗ Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-047 ∗∗∗ Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-046 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2022
by Daily end-of-shift report 29 Jun '22

29 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-06-2022 18:00 − Mittwoch 29-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MITM at the Edge: Abusing Cloudflare Workers ∗∗∗ --------------------------------------------- Cloudflare Workers provide a powerful serverless solution to run code that sits between every HTTP request and response. In this post, we’ll see how an attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data. --------------------------------------------- https://blog.christophetd.fr/abusing-cloudflare-workers/ ∗∗∗ Achtung vor Fake-Shops mit Gartenmöbeln! ∗∗∗ --------------------------------------------- Kriminelle passen ihre Fake-Shops aktuell wieder an die Sommersaison an, indem sie vermehrt Gartenmöbel, Rasenmäher oder sonstige Gartengeräte anbieten. Beispiele sind waganu.de, bbvipanswer.shop, strandkorbia.com oder zzyha.shop. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-fake-shops-mit-gartenmoe… ∗∗∗ CISA Releases Guidance on Switching to Modern Auth in Exchange Online before October 1 ∗∗∗ --------------------------------------------- CISA has released guidance on switching from Basic Authentication (“Basic Auth”) in Microsoft Exchange Online to Modern Authentication ("Modern Auth") before Microsoft begins permanently disabling Basic Auth on October 1, 2022. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/28/cisa-releases-gui… ∗∗∗ YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom” ∗∗∗ --------------------------------------------- YTStealer is a malware whose objective is to steal YouTube authentication cookies. --------------------------------------------- https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/ ∗∗∗ Decryptor für Hive Ransomware v1 bis v4 verfügbar ∗∗∗ --------------------------------------------- Opfer der Hive Ransomware können ggf. hoffen, ihre verschlüsselten Dateien wieder entschlüsseln zu können. Denn koreanischen Sicherheitsforschern ist es gelungen, einen Decryptor für die Versionen 1 bis 4 dieser Hive Ransomware zu entwickeln. --------------------------------------------- https://www.borncity.com/blog/2022/06/29/decryptor-fr-hive-ransomware-v1-bi… ∗∗∗ Did You Know Your Browser’s Autofill Credentials Could Be Stolen via Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- Cross-Site Scripting (XSS) is a well-known vulnerability that has been around for a long time and can be used to steal sessions, create fake logins and carry out actions as someone else, etc. In addition, many users are unaware of the potential dangers associated with their browser’s credential autofill feature. --------------------------------------------- https://www.gosecure.net/blog/2022/06/29/did-you-know-your-browsers-autofil… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2022-30522 – Denial of Service (DoS) Vulnerability in Apache httpd “mod_sed” filter ∗∗∗ --------------------------------------------- This past March we posted an analysis of a vulnerability in the Apache HTTP Server mod_sed filter module, CVE-2022-23943, in which a Denial of Service (DoS) can be triggered due to a miscalculation of buffers’ sizes. While analyzing this Apache httpd vulnerability and its patch, we suspected that although the fix resolved the issue, it created a new unwanted behavior. --------------------------------------------- https://jfrog.com/blog/cve-2022-30522-denial-of-service-dos-vulnerability-i… ∗∗∗ Groupware: Präparierte E-Mails könnten zur Codeausführung in Zimbra führen ∗∗∗ --------------------------------------------- Angreifer könnten in Zimbra Backdoors per E-Mail hochladen. Schuld daran ist eine Lücke im Entpacker unrar, die die Erstellung beliebiger Dateien erlaubt. --------------------------------------------- https://heise.de/-7156812 ∗∗∗ Datenverwaltung: Kritische Lücke in Dell EMC PowerScale OneFS abgedichtet ∗∗∗ --------------------------------------------- Dell EMC PowerScale OneFS zur skalierbaren Datenspeicherung und -verwaltung enthält teils kritische Sicherheitslücken. Updates sollen sie schließen. --------------------------------------------- https://heise.de/-7156674 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender, libsndfile, and maven-shared-utils), Fedora (openssl), Red Hat (389-ds-base, kernel, kernel-rt, kpatch-patch, and python-virtualenv), Scientific Linux (389-ds-base, kernel, python, and python-virtualenv), and Slackware (curl, mozilla, and openssl). --------------------------------------------- https://lwn.net/Articles/899364/ ∗∗∗ FabricScape: Escaping Service Fabric and Taking Over the Cluster ∗∗∗ --------------------------------------------- Unit 42 researchers identified FabricScape (CVE-2022-30137), a vulnerability of important severity in Microsoft’s Service Fabric – commonly used with Azure – that allows Linux containers to escalate their privileges in order to gain root privileges on the node, and then compromise all of the nodes in the cluster. The vulnerability could be exploited on containers that are configured to have runtime access, which is granted by default to every container. --------------------------------------------- https://unit42.paloaltonetworks.com/fabricscape-cve-2022-30137/ ∗∗∗ Security Bulletin: IBM Netezza as a Service is vulnerable to denial of service due to Golang net package (CVE-2021-33194, CVE-2021-44716, CVE-2021-31525) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-… ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to command injection due to a flaw in c_rehash script (CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: Zlib for IBM i is vulnerable to a denial of service attack due to memory corruption (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-zlib-for-ibm-i-is-vulnera… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/ ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 102 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-27/ ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03 ∗∗∗ Motorola Solutions MOSCAD IP and ACE IP Gateways ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-04 ∗∗∗ Motorola Solutions MDLC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-05 ∗∗∗ Motorola Solutions ACE1000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-06 ∗∗∗ Omron SYSMAC CS/CJ/CP Series and NJ/NX Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2022
by Daily end-of-shift report 28 Jun '22

28 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 27-06-2022 18:00 − Dienstag 28-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Over 900,000 Kubernetes instances found exposed online ∗∗∗ --------------------------------------------- Over 900,000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-900-000-kubernetes-inst… ∗∗∗ Raccoon Stealer is back with a new version to steal your passwords ∗∗∗ --------------------------------------------- The Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with… ∗∗∗ ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks ∗∗∗ --------------------------------------------- A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks. --------------------------------------------- https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html ∗∗∗ Microsoft: Support-Ende von Exchange 2013 naht - jetzt Migration planen ∗∗∗ --------------------------------------------- Der Exchange-Server 2013 erreicht in neun Monaten sein absolutes Support-Ende. Daran erinnert Microsofts Exchange-Team und empfiehlt die zügige Migration. --------------------------------------------- https://heise.de/-7155579 ∗∗∗ Lockbit-Ransomware-Gruppe stellt sich professioneller auf ∗∗∗ --------------------------------------------- Die Erpresserbande hinter der Ransomware Lockbit hebt den Professionalisierungsgrad auf eine neue Stufe. Sogar ein Bug-Bounty-Programm hat sie aufgelegt. --------------------------------------------- https://heise.de/-7155742 ∗∗∗ Krypto-Lovescam: Wenn Tinder-Matches Investment-Tipps geben ∗∗∗ --------------------------------------------- Betrügerische Internetbekanntschaften zielen nicht darauf ab, Sie näher kennenzulernen. Sie bauen Vertrauen auf, um Sie später auf gefälschte Investitionsplattformen zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/krypto-lovescam-wenn-tinder-matches-… ∗∗∗ Understanding the Function Call Stack ∗∗∗ --------------------------------------------- That thread was inspired by a series of tweets by inversecos who shared how malware authors will often use Native APIs instead of Win32 APIs as a mechanism to evade naive detections that assume every application will use the Win32 API function. --------------------------------------------- https://posts.specterops.io/understanding-the-function-call-stack-f08b5341e… ∗∗∗ De-anonymizing ransomware domains on the dark web ∗∗∗ --------------------------------------------- We have developed three techniques to identify ransomware operators dark websites hosted on public IP addresses, allowing us to uncover previously unknown infrastructure for the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups. --------------------------------------------- http://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains… ===================== = Vulnerabilities = ===================== ∗∗∗ Firefox 102: Mehrere Sicherheitslücken geschlossen ∗∗∗ --------------------------------------------- Mozilla hat Version 102 von Firefox veröffentlicht. Diese Major-Version des Browsers ist die neue Basis für Firefox ESR und behebt einige Sicherheitsprobleme. --------------------------------------------- https://heise.de/-7156179 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nodejs and squid), Fedora (uboot-tools), Red Hat (kernel-rt, kpatch-patch, and python), SUSE (drbd, openssl-1_0_0, oracleasm, and rubygem-rack), and Ubuntu (curl). --------------------------------------------- https://lwn.net/Articles/899239/ ∗∗∗ 2022 CWE Top 25 Most Dangerous Software Weaknesses ∗∗∗ --------------------------------------------- The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/28/2022-cwe-top-25-m… ∗∗∗ Security Advisory - Password Verification Vulnerability of Huawei Router ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220628-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Common Licensing's License Key Server (LKS) Administration And Reporting Tool (ART) and its Agent(CVE-2021-4104,CVE-2021-44832,CVE-2021-3100,CVE-2022-33915). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi… ∗∗∗ Security Bulletin: Vulnerabilities in the Java JDK affect IBM Event Streams (CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21294, CVE-2022-21293, CVE-2022-21291, CVE-2022-21248) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-ja… ∗∗∗ Security Bulletin: Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-lodash… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may be affected by multiple vulnerabilities in open source components (CVE-2019-0820, CVE-2020-15522, CVE-2021-43569) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in Apache Struts library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-31805) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability (CVE-2021-39074) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – October 2021 & January 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K01311313: Linux kernel vulnerability CVE-2021-3612 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01311313 ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2022/06/long-term-support-channel-upda… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2022
by Daily end-of-shift report 27 Jun '22

27 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-06-2022 18:00 − Montag 27-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake copyright infringement emails install LockBit ransomware ∗∗∗ --------------------------------------------- LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-copyright-infringement-… ∗∗∗ Clever phishing method bypasses MFA using Microsoft WebView2 apps ∗∗∗ --------------------------------------------- A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victims authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypas… ∗∗∗ NetSec Goggle shows search results only from cybersecurity sites ∗∗∗ --------------------------------------------- A new Brave Search Goggle modifies Brave Search results to only show reputable cybersecurity sites, making it easier to search for and find security information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netsec-goggle-shows-search-r… ∗∗∗ LockBit 3.0 introduces the first ransomware bug bounty program ∗∗∗ --------------------------------------------- The LockBit ransomware operation has released LockBit 3.0, introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-fi… ∗∗∗ Malicious Code Passed to PowerShell via the Clipboard, (Sat, Jun 25th) ∗∗∗ --------------------------------------------- Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting. --------------------------------------------- https://isc.sans.edu/diary/rss/28784 ∗∗∗ Encrypted Client Hello: Anybody Using it Yet?, (Mon, Jun 27th) ∗∗∗ --------------------------------------------- The first payload sent by a TLS client to a TLS server is a "Client Hello." It includes several parameters supported by the client, such as available cipher suites, to start negotiating a compatible set of TLS parameters with the server. --------------------------------------------- https://isc.sans.edu/diary/rss/28792 ∗∗∗ Ransomware-Gang Conti schließt Leak- und Verhandlungsplattform ∗∗∗ --------------------------------------------- Die Conti-Gruppe hinter dem gleichnamigen Erpressungstrojaner finalisiert ihren Rückzug und teilt sich weiter in kleinere Gangs auf. --------------------------------------------- https://heise.de/-7154035 ∗∗∗ Flut von Angriffen auf Paketmanager PyPI schleust Backdoor in Python-Pakete ein ∗∗∗ --------------------------------------------- Nachdem zunächst Sonatype einen Angriff auf fünf Pakete im Python-Paketmanager entdeckt hat, füllt sich die CVE-Schwachstellendatenbank mit weiteren Vorfällen. --------------------------------------------- https://heise.de/-7154405 ∗∗∗ Ransomware: Unternehmen im Gesundheitswesen zahlen am häufigsten Lösegeld ∗∗∗ --------------------------------------------- Verschlüsselungsangriffe haben vor allem in der Gesundheitsbranche in den vergangenen Monaten stark zugenommen. Die Daten sind bei Angreifern beliebt. --------------------------------------------- https://heise.de/-7154906 ∗∗∗ NIST Releases New macOS Security Guidance for Organizations ∗∗∗ --------------------------------------------- The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security. --------------------------------------------- https://www.securityweek.com/nist-releases-new-macos-security-guidance-orga… ∗∗∗ Vorsicht vor Fake-E-Mails der Wiener Polizei ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail der Polizei werden Sie beschuldigt, eine Straftat begangen zu haben. Es geht um Kinderpornografie, Pädophilie, Cyberpornografie und Exhibitionismus. Sie werden aufgefordert, per E-Mail eine Rechtfertigung zu schicken. Antworten Sie nicht und ignorieren Sie dieses Schreiben. Es ist Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-e-mails-der-wiener… ∗∗∗ CISA Adds Eight Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/27/cisa-adds-eight-k… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix dichtet Sicherheitslücken in Hypervisor ab ∗∗∗ --------------------------------------------- Der Hypervisor von Citrix enthält mehrere Schwachstellen. Angreifer könnten die Kontrolle übernehmen. Aktualisierte Pakete dichten die Lücken ab. --------------------------------------------- https://heise.de/-7154435 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl), Fedora (dotnet6.0, mediawiki, and python2.7), Mageia (389-ds-base, chromium-browser-stable, exo, and libtiff), Oracle (httpd:2.4 and microcode_ctl), SUSE (dbus-broker, drbd, kernel, liblouis, mariadb, openssl, openssl-1_1, openSUSE kernel modules, oracleasm, php7, php72, python39, salt, and wdiff), and Ubuntu (linux, linux-hwe, mozjs91, and vim). --------------------------------------------- https://lwn.net/Articles/899158/ ∗∗∗ Security Bulletin: Multiple Vulnerabilities found in Apache Tika used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within Jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is affected by a remote code execution in Spring Framework (CVE-2022-22963, CVE-2022-22965, CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-affect… ∗∗∗ Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation ∗∗∗ --------------------------------------------- https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-uni… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2022
by Daily end-of-shift report 24 Jun '22

24 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-06-2022 18:00 − Freitag 24-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 2FA: Wie sicher sind TOTP, Fido, SMS und Push-Apps? ∗∗∗ --------------------------------------------- Zwei- oder Multi-Faktor-Authentifizierung soll uns sicherer machen. Wir erklären, wie TOTP, Fido & Co. funktionieren und wovor sie schützen. --------------------------------------------- https://www.golem.de/news/2fa-wie-sicher-sind-totp-fido-sms-und-push-apps-2… ∗∗∗ Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys ∗∗∗ --------------------------------------------- Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. --------------------------------------------- https://thehackernews.com/2022/06/multiple-backdoored-python-libraries.html ∗∗∗ Black Basta Ransomware Becomes Major Threat in Two Months ∗∗∗ --------------------------------------------- Black Basta ransomware has become a major new threat in just a couple months. Evidence suggests it was still in development in February 2022, and only became operational in April 2022. --------------------------------------------- https://www.securityweek.com/black-basta-ransomware-becomes-major-threat-tw… ∗∗∗ There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families ∗∗∗ --------------------------------------------- Learn about the unique implementations of API Hammering malware samples and how to mitigate them. --------------------------------------------- https://unit42.paloaltonetworks.com/api-hammering-malware-families/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer nutzen kontinuierlich Log4Shell-Lücke in VMware Horizon aus ∗∗∗ --------------------------------------------- Die Cybersecurity & Infrastructure Security Agency warnt vor Attacken auf die Virtualisierungslösung VMware Horizon. Admins sollten zügig handeln. --------------------------------------------- https://heise.de/-7152258 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ntfs-3g and ntfs-3g-system-compression), SUSE (389-ds, chafa, containerd, mariadb, php74, python3, salt, and xen), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/898925/ ∗∗∗ Codesys Patches 11 Flaws Likely Affecting Controllers From Several ICS Vendors ∗∗∗ --------------------------------------------- Codesys this week announced patches for nearly a dozen vulnerabilities discovered in the company’s products by researchers at Chinese cybersecurity firm NSFocus. --------------------------------------------- https://www.securityweek.com/codesys-patches-11-flaws-likely-affecting-cont… ∗∗∗ ZDI-22-872: DevExpress SafeBinaryFormatter Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-872/ ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2022-22389) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics (CVE-2020-4230,CVE-2020-4135,CVE-2020-4204,CVE-2020-4200) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2019-10086, CVE-2021-41617) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities due to the consumed Expat library ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-mu… ∗∗∗ Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an information leak vulnerability within Kafka (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in zlib affects IBM Common Inventory Technology (CIT). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-zlib-a… ∗∗∗ Security Bulletin: CVE-2020-35550 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-35550-may-affect… ∗∗∗ K26314875: Apache vulnerability CVE-2022-26377 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26314875 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-upd… ∗∗∗ OFFIS DCMTK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-174-01 ∗∗∗ Yokogawa STARDOM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-01 ∗∗∗ Yokogawa CAMS for HIS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-02 ∗∗∗ Secheron SEPCOS Control and Protection Relay ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-03 ∗∗∗ Pyramid Solutions EtherNet/IP Adapter Development Kit ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-04 ∗∗∗ Elcomplus SmartICS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2022
by Daily end-of-shift report 23 Jun '22

23 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-06-2022 18:00 − Donnerstag 23-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti ransomware hacking spree breaches over 40 orgs in a month ∗∗∗ --------------------------------------------- The Conti cybercrime syndicate runs one of the most aggressive ransomware operations and has grown highly organized, to the point that affiliates were able to hack more than 40 companies in a little over a month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-hacking-spr… ∗∗∗ Malicious Windows LNK attacks made easy with new Quantum builder ∗∗∗ --------------------------------------------- Malware researchers have noticed a new tool that helps cybercriminals build malicious .LNK files to deliver payloads for the initial stages of an attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attack… ∗∗∗ The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs ∗∗∗ --------------------------------------------- We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks. --------------------------------------------- https://securelist.com/modern-ransomware-groups-ttps/106824/ ∗∗∗ Understanding the Compound File Binary Format and OLE Structures to Mess with CVE-2022-30190 ∗∗∗ --------------------------------------------- Initially, I began this research to generate weaponized RTF files delivering the CVE-2022-30190(Follina) exploit. --------------------------------------------- https://cymulate.com/blog/cve-2022-30190-2/ ∗∗∗ Miracle - One Vulnerability To Rule Them All ∗∗∗ --------------------------------------------- As mentioned in Jang blog, We (me and Jang) found a mega 0-day. After April Critical Patch, finally the vulnerability was patched properly. If you never known about this vulnerability, please patch your system ASAP! --------------------------------------------- https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3a… ∗∗∗ Vorsicht vor betrügerischen „Remote Jobs“ auf LinkedIn ∗∗∗ --------------------------------------------- “Work from Home Jobs No Experience Required” – von zuhause aus arbeiten, dabei bis zu 2.000€ pro Woche verdienen und das alles ohne Berufserfahrung? Laut der massenhaft geschaltenen Stellenanzeigen von KADANSE ist das möglich. Was nicht erwähnt wird: Für diesen scheinbar lukrativen Job müssen Sie erst Geld bezahlen, der Job existiert so nicht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-remote-… ∗∗∗ Schwachstellen in Programmierschnittstellen ∗∗∗ --------------------------------------------- Weltweit sind 4,1 bis 7,5 Prozent der Cybersecurity-Vorfälle und -schäden auf Schwachstellen in Programmierschnittstellen (Application Programming Interfaces, APIs) zurückzuführen und verursachen Kosten in Milliardenhöhe. --------------------------------------------- https://www.zdnet.de/88402008/schwachstellen-in-programmierschnittstellen/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-22 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Engineering Lifecycle Management, WebSphere Liberty, CICS Transaction Gateway, Watson Knowledge Catalog for IBM Cloud Pak for Data, IBM Robotic Process Automation, IBM Tivoli Business Service Manager, IBM MQ Internet Pass-Thru, IBM Cognos Analytics, IBM Sterling Global Mailbox. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Synology: Aktualisierte Firmware dichtet Sicherheitslecks in Routern ab ∗∗∗ --------------------------------------------- In Firmware von Synology-Geräten hat der Hersteller Sicherheitslücken gefunden. Angreifer könnten unter anderem unberechtigt auf Dateien zugreifen. --------------------------------------------- https://heise.de/-7151202 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firejail, and request-tracker4), Fedora (ghex, golang-github-emicklei-restful, and openssl1.1), Oracle (postgresql), Scientific Linux (postgresql), Slackware (openssl), SUSE (salt and tor), and Ubuntu (apache2 and squid, squid3). --------------------------------------------- https://lwn.net/Articles/898720/ ∗∗∗ Cisco Adaptive Security Device Manager and Adaptive Security Appliance Software Client-side Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ K55051330: Intel BIOS vulnerability CVE-2021-33123 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55051330 ∗∗∗ K87351324: Intel BIOS vulnerability CVE-2021-33124 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87351324 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2022
by Daily end-of-shift report 22 Jun '22

22 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-06-2022 18:00 − Mittwoch 22-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign ∗∗∗ --------------------------------------------- A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021. --------------------------------------------- https://thehackernews.com/2022/06/newly-discovered-magecart.html ∗∗∗ Du kommst hier nicht rein: Adobes PDF-Tools blockieren Antivirenschutz ∗∗∗ --------------------------------------------- Adobe Acrobat und Reader legen einen Registry-Eintrag an. Dieser hält über Chromiums libcef.dll Sicherheitsprogramm-DLLs aus den PDF-Programmen fern. --------------------------------------------- https://heise.de/-7147804 ∗∗∗ Sharehoster Mega: Sicherheitsforscher entschlüsseln eigentlich geschützte Daten ∗∗∗ --------------------------------------------- Eine problematische Kryptografie-Implementierung kann verschlüsselte Dateien für den Betreiber oder Angreifer lesbar machen. --------------------------------------------- https://heise.de/-7148227 ∗∗∗ Machen Sie mit bei unserer Studie zum Fake-Shop-Detector! ∗∗∗ --------------------------------------------- Fake-Shops stellen Konsument:innen vor große Herausforderungen: Sie werden immer zahlreicher und sind gleichzeitig schwieriger zu erkennen. Um das Einkaufen im Internet sicherer zu machen, haben wir den Fake-Shop Detector entwickelt. --------------------------------------------- https://www.watchlist-internet.at/news/machen-sie-mit-bei-unserer-studie-zu… ∗∗∗ Keeping PowerShell: Measures to Use and Embrace ∗∗∗ --------------------------------------------- Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell. The CIS provides recommendations for proper configuration and monitoring of PowerShell, as opposed to removing or disabling it entirely due to its use by malicious actors after gaining access into victim networks. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/22/keeping-powershel… ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: Google schließt 14 Sicherheitslücken in Chrome ∗∗∗ --------------------------------------------- Mit dem Sprung auf das 103er-Release dichtet Google im Webbrowser Chrome 14 Schwachstellen ab. Auch für Android und iOS steht die neue Version bereit. --------------------------------------------- https://heise.de/-7147522 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exo and ntfs-3g), Fedora (collectd, golang-github-cli-gh, grub2, qemu, and xen), Red Hat (httpd:2.4, kernel, and postgresql), SUSE (drbd, fwupdate, neomutt, and trivy), and Ubuntu (apache2, openssl, openssl1.0, and qemu). --------------------------------------------- https://lwn.net/Articles/898605/ ∗∗∗ JTEKT TOYOPUC ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-172-02 ∗∗∗ VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/142546 ∗∗∗ Security Bulletin: June 2022 :Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-june-2022-multiple-vulner… ∗∗∗ Security Bulletin: A vulnerability (CVE-2021-35550) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-cve-2021-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) OpenSSL vulnerability CVE-2021-4044 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-team-concert-rtc… ∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2022-22475, CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized sensitive information access due to IBM Java vulnerability (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Watson Explorer (CVE-2022-22971, CVE-2022-22968, CVE-2022-22970) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server January 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized data access due to IBM Java (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Watson Explorer (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface has multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2022 – Includes Oracle® January 2022 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ K53252134: Intel BIOS vulnerability CVE-2021-0155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53252134 ∗∗∗ K16162257: Intel BIOS vulnerability CVE-2021-0154 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16162257 ∗∗∗ K14454359: Intel BIOS vulnerability CVE-2021-0153 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14454359 ∗∗∗ K04303225: Intel BIOS vulnerability CVE-2021-0190 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04303225 ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247052-bt.html ∗∗∗ PHP Vulnerability ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-20 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2022
by Daily end-of-shift report 21 Jun '22

21 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 20-06-2022 18:00 − Dienstag 21-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New DFSCoerce NTLM Relay attack allows Windows domain takeover ∗∗∗ --------------------------------------------- A new Windows NTLM relay attack called DFSCoerce has been discovered that uses MS-DFSNM, Microsofts Distributed File System, to completely take over a Windows domain. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-at… ∗∗∗ APT ToddyCat ∗∗∗ --------------------------------------------- ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’. --------------------------------------------- https://securelist.com/toddycat/106799/ ∗∗∗ Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack ∗∗∗ --------------------------------------------- A reported a "potentially dangerous piece of functionality" allows an attacker to launch an attack on cloud infrastructure and ransom files stored in SharePoint and OneDrive. --------------------------------------------- https://threatpost.com/office-365-opens-ransomware-attacks-on-onedrive-shar… ∗∗∗ Bestellen Sie nicht bei funkelnmarkt.de ∗∗∗ --------------------------------------------- Der Online-Shop funkelnmarkt.de bietet Laptops, Waschmaschinen, Konsolen und Co. Die Preise sind teilweise etwas günstiger als bei anderen Shops und die Webseite wirkt professionell. Grund genug dort zu bestellen. Oder? Lieber nicht! Wenn Sie dort bestellen, erhalten Sie keine Ware und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-funkelnmarkt… ===================== = Vulnerabilities = ===================== ∗∗∗ Icefall: 56 flaws impact thousands of exposed industrial devices ∗∗∗ --------------------------------------------- A security report has been published on a set of 56 vulnerabilities that are collectively called Icefall and affect operational technology (OT) equipment used in various critical infrastructure environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thou… ∗∗∗ OpenSSL Security Advisory [21 June 2022] ∗∗∗ --------------------------------------------- When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. --------------------------------------------- https://openssl.org/news/secadv/20220621.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tzdata), Oracle (cups), and SUSE (atheme, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, node_exporter, python36, release-notes-susemanager, release-notes-susemanager-proxy, SUSE Manager 4.1.15 Release Notes, SUSE Manager Client Tools, and SUSE Manager Server 4.2). --------------------------------------------- https://lwn.net/Articles/898504/ ∗∗∗ SSA-111512: Client-side Authentication in SIMATIC WinCC OA ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-111512.txt ∗∗∗ ABB Security Advisory: ABB Relion REX640 Insufficient file access control ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001421 ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Flaw in Go may affect DataPower Operator (CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-flaw-in-go-may-affect-dat… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM DataPower Operator affected by flaw in Go (CVE-2022-23773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-af… ∗∗∗ Security Bulletin: IBM Spectrum Symphony is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-symphony-is-… ∗∗∗ Security Bulletin: IBM Spectrum Conductor is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-conductor-is… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM DataPower Operator potentially vulnerable to Denial of Service (CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-po… ∗∗∗ Security Bulletin: IBM QRadar Wincollect agent is vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-age… ∗∗∗ Security Bulletin: DataPower Operator vulnerable to a Denial of Service (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datapower-operator-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a postgresql-42.0.0.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a mongodb-driver-legacy-4.1.1.jar vulnerability (CVE-2021-20328) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ PHOENIX CONTACT: Missing Authentication in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-028/ ∗∗∗ PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-026/ ∗∗∗ PHOENIX CONTACT: Vulnerability in classic line industrial controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-025/ ∗∗∗ WEIDMUELLER: EtherNet/IP Fieldbus Coupler out-of-bounds write ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-004/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2022
by Daily end-of-shift report 20 Jun '22

20 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-06-2022 18:00 − Montag 20-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Kritische CVE-2022-20825 in Cisco Small-Business-Routern wird nicht gefixt ∗∗∗ --------------------------------------------- In den Small-Business-Routern RV110W, RV130, RV130W und RV215W gibt es eine kritische Schwachstelle CVE-2022-20825, die mit dem CVE-Wert von 9.8 bewertet wurde. Auf Grund einer fehlenden Authentifizierung ermöglicht die Schwachstelle sowohl eine Remote Command Execution als auch Denial of Service-Angriffe. --------------------------------------------- https://www.borncity.com/blog/2022/06/20/kritische-cve-2022-20825-in-cisco-… ∗∗∗ New phishing attack infects devices with Cobalt Strike ∗∗∗ --------------------------------------------- Security researchers have noticed a new malicious spam campaign that delivers the Matanbuchus malware to drop Cobalt Strike beacons on compromised machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-attack-infects-… ∗∗∗ Android-wiping BRATA malware is evolving into a persistent threat ∗∗∗ --------------------------------------------- The threat actors operating the BRATA banking trojan have evolved their tactics and incorporated new information-stealing features into their malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware… ∗∗∗ Decoding Obfuscated BASE64 Statistically ∗∗∗ --------------------------------------------- In diary entry "Houdini is Back Delivered Through a JavaScript Dropper", Xavier mentions that he had to deal with an obfuscated BASE64 string. --------------------------------------------- https://isc.sans.edu/diary/rss/28758 ∗∗∗ The Importance of White-Box Testing: A Dive into CVE-2022-21662 ∗∗∗ --------------------------------------------- When CVE-2022-21662 came out there wasn’t a much-published material regarding this vulnerability. I want to take some time to explain the importance of using a white-box approach when testing applications for vulnerabilities. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-importa… ∗∗∗ Cerber2021 Ransomware Back in Action ∗∗∗ --------------------------------------------- In December 2021, researchers identified a new version of Cerber ransomware targeting both Linux and Windows users. In this infection, Cerber2021 was delivered by targeting the vulnerabilities in the Confluence and Gitlab servers. These vulnerabilities are tracked as CVE-2021-26084 and CVE-2021-22205, respectively. --------------------------------------------- https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/ ∗∗∗ Europol-Masche: Neue Welle betrügerischer Anrufe ∗∗∗ --------------------------------------------- Die Telefonbetrugsmasche, bei der sich die Kriminellen als Ermittlungsbehörde ausgeben, ist nicht neu. Dennoch rollt aktuell wieder eine Welle solcher Anrufe. --------------------------------------------- https://heise.de/-7146013 ∗∗∗ Erpressung per E-Mail: Hacker fordert die Überweisung von Bitcoins ∗∗∗ --------------------------------------------- Sie haben ein E-Mail von einem Hacker bekommen? Er schreibt, dass er Ihren Computer gehackt hat und Sie beim Masturbieren gefilmt hat? Er droht damit das Video zu verbreiten, wenn Sie keine Bitcoins überweisen? Im E-Mail wird sogar eines Ihrer Passwörter genannt? Machen Sie sich keine Sorgen! Dieses E-Mail ist Fake. Lassen Sie sich nicht erpressen und überweisen Sie keinesfalls Bitcoins. Ändern Sie aber umgehend Ihr Passwort! --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-per-e-mail-hacker-fordert… ∗∗∗ Azure Attack Paths: Common Findings and Fixes (Part 1) ∗∗∗ --------------------------------------------- This post will walk through various services within the Azure catalogue and look at potential attack paths. --------------------------------------------- https://blog.zsec.uk/azure-fundamentals-pt1/ ===================== = Vulnerabilities = ===================== ∗∗∗ AWS: Amazon-Hotpatch für log4j-Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- In einem Skript zum Absichern vor der log4j-Lücke von Amazon findet sich eine Sicherheitslücke. Angreifer könnten ihre Rechte damit ausweiten. --------------------------------------------- https://heise.de/-7145383 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cyrus-imapd, exo, sleuthkit, slurm-wlm, vim, and vlc), Fedora (golang-github-docker-libnetwork, kernel, moby-engine, ntfs-3g-system-compression, python-cookiecutter, python2.7, python3.6, python3.7, python3.8, python3.9, rubygem-mechanize, and webkit2gtk3), Mageia (bluez, dnsmasq, exempi, halibut, and php), Oracle (.NET 6.0, .NET Core 3.1, and xz), SUSE (chafa, firejail, kernel, python-Twisted, and tensorflow2), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/898413/ ∗∗∗ Security Advisory - Input Verification Vulnerability Involving Huawei Printer Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220620-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due to Apache Log4j (CVE-2021-44228). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due To Apache Log4j (CVE-2021-4104). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: Potential module resolution error in DataPower Operator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-module-resoluti… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: StoredIQ is vulnerable to denial of service and remote code execution in Apache Log4j (CVE-2021-44228, CVE-2021-45046). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM QRadar WinCollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-is-… ∗∗∗ Security Bulletin: Potential Denial of Service in IBM DataPower Gateway (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-denial-of-servi… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to json-schema (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics for Communications Service Providers and Datasets Impacted by Log4j Vulnerabilities ( CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-analytic-accelerator-… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, Eclipse Jetty, and OpenJDK affect IBM Cloud Object Storage Systems (June 2022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: Cúram Social Program Management is affected by session timeout issues (CVE-2022-22318, CVE-2022-22317) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980) ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/06/20/spring-data-mongodb-spel-expression-injec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2022
by Daily end-of-shift report 17 Jun '22

17 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-06-2022 18:00 − Freitag 17-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Security: Github informiert über Malware im Open-Source-Ökosystem ∗∗∗ --------------------------------------------- Nicht nur Sicherheitslücken machen Open-Source-Software anfällig. Auch Malware bereitet viele Probleme, die Github jetzt sammeln möchte. --------------------------------------------- https://www.golem.de/news/security-github-informiert-ueber-malware-im-open-… ∗∗∗ Zügig aktualisieren: Angreifer könnten Citrix ADM übernehmen ∗∗∗ --------------------------------------------- In Citrix Application Delivery Management-Software könnten Angreifer aus dem Netz eine Sicherheitslücke ausnutzen. Sie können damit volle Kontrolle erlangen. --------------------------------------------- https://heise.de/-7142301 ∗∗∗ NAS: Qnap warnt vor Angriffswelle mit DeadBolt-Ransomware ∗∗∗ --------------------------------------------- Der Hersteller Qnap warnt vor derzeit laufenden Angriffen auf die NAS-Systeme mit der DeadBolt-Ransomware. Administratoren sollen den Update-Stand überprüfen. --------------------------------------------- https://heise.de/-7144383 ∗∗∗ Kritische Sicherheitslücke in WordPress-Plug-in Ninja Forms behoben ∗∗∗ --------------------------------------------- WordPress-Admins, die das Plug-in Ninja Forms einsetzen, sollten unverzüglich dessen Aktualität sicherstellen. Angreifer könnten sonst eigenen Code ausführen. --------------------------------------------- https://heise.de/-7143515 ∗∗∗ Zahlreiche betrügerische Nachrichten im Namen der Post im Umlauf! ∗∗∗ --------------------------------------------- Sie warten auf ein Paket. Plötzlich werden Sie per SMS oder E-Mail benachrichtigt, dass es ein Problem mit Ihrer Lieferung gäbe. Immer wieder berichten wir von dieser Betrugsmasche, bei der Kriminelle willkürlich Nachrichten versenden und behaupten, dass ein Paket nicht geliefert werden könnte. Wer tatsächlich gerade auf ein Paket wartet, kann leicht in diese Falle tappen. Meist wollen die Kriminellen an Ihre Kreditkartendaten oder an Ihr Geld. Dieses Mal wird aber auch versucht Ihr Post-Konto zu kapern. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-nachrichte… ∗∗∗ Anatomie eines Hive Ransomware-Angriffs auf Exchange per ProxyShell ∗∗∗ --------------------------------------------- Häufig bleiben ja die Details einer Ransomware-Infektion für Außenstehende im Dunkeln. Mir ist diese Woche eine Information vom Sicherheitsdienstleister Varonis zugegangen, deren Sicherheitsteam den Ablauf eines Angriffs mit der Hive-Ransomware aufbereitet haben. --------------------------------------------- https://www.borncity.com/blog/2022/06/17/anatomie-eines-hive-ransomware-ang… ∗∗∗ Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike ∗∗∗ --------------------------------------------- The threat actor known as Blue Mockingbird has been observed by analysts targeting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-o… ∗∗∗ New MaliBot Android banking malware spreads as a crypto miner ∗∗∗ --------------------------------------------- Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malibot-android-banking-… ∗∗∗ Facebook Messenger Scam Duped Millions ∗∗∗ --------------------------------------------- One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting. --------------------------------------------- https://threatpost.com/acebook-messenger-scam/179977/ ∗∗∗ WooCommerce Credit Card Skimmer Uses Telegram Bot to Exfiltrate Stolen Data ∗∗∗ --------------------------------------------- Our story starts like many others told on this blog: A new client came to us with reported cases of credit card theft on their eCommerce website. The website owner had received complaints from several customers who reported bogus transactions on their cards shortly after purchasing from their webstore, so the webmaster suspected that something could be amiss. --------------------------------------------- https://blog.sucuri.net/2022/06/woocommerce-credit-card-skimmer-uses-telegr… ∗∗∗ Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning ∗∗∗ --------------------------------------------- For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra. --------------------------------------------- https://thehackernews.com/2022/06/difference-between-agent-based-and.html ∗∗∗ Details of Twice-Patched Windows RDP Vulnerability Disclosed ∗∗∗ --------------------------------------------- Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches. --------------------------------------------- https://www.securityweek.com/details-twice-patched-windows-rdp-vulnerabilit… ∗∗∗ DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach ∗∗∗ --------------------------------------------- [...] This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature. --------------------------------------------- https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-fire… ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Vulnerability Reported in Popular Fastjson Library ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType." --------------------------------------------- https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html ∗∗∗ IBM Security Bulletins 2022-06-15 - 2022-06-16 ∗∗∗ --------------------------------------------- IBM Spectrum Protect Server, IBM Disconnected Log Collector, IBM Cloud Application Business Insights, IBM Tivoli Application Dependency Discovery Manager, IBM CICS TX Advanced, IBM Analytic Accelerator Framework, IBM Customer and Network Analytics, IBM QRadar SIEM, IBM QRadar Use Case Manager App, Rational Test Virtualization Server and Rational Test Workbench, IBM Robotic Process Automation, IBM Security QRadar Event and Flow Exporter App, IBM WebSphere Application Server Liberty, IBM TXSeries, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Java Runtime, ISC BIND and IBM HTTP Server. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-06-15 ∗∗∗ --------------------------------------------- Cisco published 7 Security Advisories (2 Critical, 1 High, 4 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Kritische Lücke mit Höchstwertung in Smart-Home-Zentrale Anker Eufy Homebase 2 ∗∗∗ --------------------------------------------- Angreifer könnten sich über drei Sicherheitslücken in Eufy Homebase 2 Zugang zum Smart Home verschaffen. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-7143710 ∗∗∗ VMSA-2022-0017 ∗∗∗ --------------------------------------------- VMware HCX update addresses an information disclosure vulnerability (CVE-2022-22953) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/898121/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, [...] --------------------------------------------- https://lwn.net/Articles/898234/ ∗∗∗ Hillrom Medical Device Management ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Hard-coded Password, and Improper Access Control vulnerability in Welch Allyn resting electrocardiograph devices. Hillrom Medical. Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-167-01 ∗∗∗ AutomationDirect C-More EA9 HMI ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Search Path Element, Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-01 ∗∗∗ AutomationDirect DirectLOGIC with Serial Communication ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in DirectLOGIC programmable controllers with serial communication. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-02 ∗∗∗ AutomationDirect DirectLOGIC with Ethernet ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Resource Consumption, and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect DirectLOGIC programmable logic Ethernet controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2022
by Daily end-of-shift report 15 Jun '22

15 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-06-2022 18:00 − Mittwoch 15-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft 365 Apps for enterprise v2206 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2206. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers ∗∗∗ --------------------------------------------- A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. --------------------------------------------- https://thehackernews.com/2022/06/panchan-new-golang-based-peer-to-peer.html ∗∗∗ TPM Sniffing Attacks Against Non-Bitlocker Targets ∗∗∗ --------------------------------------------- Last year, during an uptick in media attention for Trusted Platform Module (TPM) security triggered by a blog post from the Dolos Group describing a sniffing attack on Windows Bitlocker relying on a TPM, a customer asked us to investigate their TPM-based Full Disk Encryption (FDE) set up in light of this type of attack. --------------------------------------------- https://www.secura.com/blog/tpm-sniffing-attacks-against-non-bitlocker-targ… ∗∗∗ Bypassing CSP with dangling iframes ∗∗∗ --------------------------------------------- Our Web Security Academy has a topic on dangling markup injection - a technique for exploiting sites protected by CSP. --------------------------------------------- https://portswigger.net/research/bypassing-csp-with-dangling-iframes ∗∗∗ A tiny botnet launched the largest DDoS attack on record ∗∗∗ --------------------------------------------- A small but powerful army of just 5,000 devices generated a record-breaking web attack. --------------------------------------------- https://www.zdnet.com/article/a-tiny-botnet-launched-the-largest-ddos-attac… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix warns critical bug can let attackers reset admin passwords ∗∗∗ --------------------------------------------- Citrix warned customers to deploy security updates that address a critical Citrix Application Delivery Management (ADM) vulnerability that can let attackers reset admin passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/citrix-warns-critical-bug-ca… ∗∗∗ Patchday: Updates bessern zehn SAP-Schwachstellen aus ∗∗∗ --------------------------------------------- Am Juni-Patchday hat SAP zehn Sicherheitslücken geschlossen. Für zwei ältere Sicherheitsmeldungen aktualisiert der Hersteller die Sicherheitsmeldungen. --------------------------------------------- https://heise.de/-7141579 ∗∗∗ Patchday: Microsoft schließt MSDT-Lücke, die auch ohne Makros funktioniert ∗∗∗ --------------------------------------------- Windows ist unter anderem über Word verwundbar, wobei auch RTF-Formate genutzt werden können. Aber auch Azure, Edge & Co. bekommen wichtige Sicherheitsupdates. --------------------------------------------- https://heise.de/-7141070 ∗∗∗ Patchday Adobe: Schadcode-Lücken in InDesign, Illustrator & Co. geschlossen ∗∗∗ --------------------------------------------- Mehrere Adobe-Anwendungen sind über als kritisch eingestufte Schwachstellen attackierbar. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-7141175 ∗∗∗ Sicherheitslücke Hertzbleed: x86-Prozessortaktung verrät Geheimnisse ∗∗∗ --------------------------------------------- Ein Forscherteam belauscht kryptografische Berechnungen auf modernen x86-CPUs anhand charakteristischer Taktfrequenzänderungen. --------------------------------------------- https://heise.de/-7141221 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (.NET 6.0 and log4j), SUSE (389-ds, grub2, kernel, openssl-1_1, python-Twisted, webkit2gtk3, and xen), and Ubuntu (php7.2, php7.4, php8.0, php8.1 and util-linux). --------------------------------------------- https://lwn.net/Articles/897992/ ∗∗∗ Critical Code Execution Vulnerability Patched in Splunk Enterprise ∗∗∗ --------------------------------------------- Splunk this week announced the release of out-of-band patches that address multiple vulnerabilities across Splunk Enterprise, including a critical issue that could lead to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/critical-code-execution-vulnerability-patched-… ∗∗∗ Schneider Electric Advisories 2022-06-15 ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Security Bulletin: IBM Financial Transaction Manager for Digital Payments for Multi-Platform is vulnerable to SQL injection. (CVE-2019-4575) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-financial-transaction… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2022-28327 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Netcool Operations Insight v1.6.4 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential Cross-Site Scripting (Reflected) vulnerability (CVE-2020-4560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights – Quaterly Java update, CVE-2021-35603 and CVE-2021-35550 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2022-24675 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential SQL Injection CVE-2020-4328 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ VMSA-2022-0016 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0016.html ∗∗∗ AUMA: SIMA² Master Station Denial of Service Vulnerability on Automation Runtime Webserver ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-024/ ∗∗∗ Johnson Controls Metasys ADS ADX OAS Servers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-01 ∗∗∗ Hardkodierte Backdoor Benutzer und veraltete Software Komponenten in der Nexans FTTO GigaSwitch Serie ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/nexans-ftto-gigaswitc… ∗∗∗ Synaptics Fingerprint Driver Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500494-SYNAPTICS-FINGERPRINT-D… ∗∗∗ Intel Processors MMIO Stale Data Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500497-INTEL-PROCESSORS-MMIO-S… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2022
by Daily end-of-shift report 14 Jun '22

14 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 13-06-2022 18:00 − Dienstag 14-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ The many lives of BlackCat ransomware ∗∗∗ --------------------------------------------- The use of an unconventional programming language, multiple target devices and possible entry points, and affiliation with prolific threat activity groups have made the BlackCat ransomware a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. --------------------------------------------- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackc… ∗∗∗ Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter thats being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers. --------------------------------------------- https://thehackernews.com/2022/06/researchers-detail-purecrypter-loader.html ∗∗∗ Public Travis CI Logs (Still) Expose Users to Cyber Attacks ∗∗∗ --------------------------------------------- In our latest research, we at Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available. --------------------------------------------- https://blog.aquasec.com/travis-ci-security ∗∗∗ Sicherheitslücke im Apple M1 Chip: Pacman-Attacke umgeht Schutzschicht ∗∗∗ --------------------------------------------- Angriffe auf den M1-Prozessor sind durch ein Zusammenspiel von Hard- und Software möglich. Apple sieht allerdings keine unmittelbare Gefahr. --------------------------------------------- https://heise.de/-7140316 ∗∗∗ Vorsicht vor gefälschten Zahlungsaufforderungen per WhatsApp ∗∗∗ --------------------------------------------- Ihre Chefin bittet Sie, eine Rechnung zu begleichen. Sie fragen nach den Details und bekommen die Rechnung mit Zahlungsanweisungen zugesendet. Sie überweisen. Erst später bemerken Sie, dass es gar nicht Ihre Chefin war – sondern Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-zahlungsau… ∗∗∗ Internet Explorer 11 erreicht am 15. Juni 2022 End-of-Life (EOL) ∗∗∗ --------------------------------------------- Noch eine kurze Information an die Blog-Leserschaft, die ggf. noch den Internet Explorer 11 von Microsoft unter Windows im Einsatz haben. Zum heutigen Patchday, 14. Juni 2022, erhält der Browser letztmalig Sicherheitsupdates für verschiedene Windows-Versionen und fällt dann (zum 15. Juni 2022) aus dem Support. --------------------------------------------- https://www.borncity.com/blog/2022/06/14/internet-explorer-11-erreicht-am-1… ∗∗∗ CHM Malware Types with Anti-Sandbox Technique and Targeting Companies ∗∗∗ --------------------------------------------- Among CHM strains that are recently being distributed in Korea, the ASEC analysis team has discovered those applied with the anti-sandbox technique and targeting companies. --------------------------------------------- https://asec.ahnlab.com/en/35268/ ∗∗∗ NPM Replicator Remote Code Execution Deserialization ∗∗∗ --------------------------------------------- NPM, the package manager for Node.js, is an open source project that serves as a critical part of the JavaScript community and helps support one of the largest developer ecosystems. --------------------------------------------- https://checkmarx.com/blog/npm-replicator-remote-code-execution-deserializa… ∗∗∗ Supply Chain Attack: CTX Account Takeover and PHPass Hijack Explained ∗∗∗ --------------------------------------------- A threat actor recently hacked a popular PyPi repo on GitHub, setting off a supply chain attack that could have impacted millions of users. --------------------------------------------- https://orca.security/resources/blog/python-supply-chain-attack-ctx-phpass/ ∗∗∗ SynLapse – Technical Details for Critical Azure Synapse Vulnerability ∗∗∗ --------------------------------------------- Recently, the Orca Security research team discovered SynLapse, a tenant separation violation vulnerability in the Microsoft Azure Synapse environment. --------------------------------------------- https://orca.security/resources/blog/synlapse-critical-azure-synapse-analyt… ===================== = Vulnerabilities = ===================== ∗∗∗ New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials ∗∗∗ --------------------------------------------- A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction. --------------------------------------------- https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang-github-docker-libnetwork and moby-engine), Mageia (apache, docker-containerd, kernel, kernel-linus, nats-server, and php-smarty), Slackware (php), SUSE (gimp, grub2, thunderbird, u-boot, and xen), and Ubuntu (firefox, liblouis, ncurses, and rsync). --------------------------------------------- https://lwn.net/Articles/897847/ ∗∗∗ JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5708.php ∗∗∗ SSA-988345 V1.0: Local Privilege Escalation Vulnerability in Xpedition Designer ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-988345.txt ∗∗∗ SSA-911567 V1.0: Missing HTTP headers in SINEMA Remote Connect Server before V3.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-911567.txt ∗∗∗ SSA-740594 V1.0: Privilege Escalation Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-740594.txt ∗∗∗ SSA-712929 V1.0: Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-712929.txt ∗∗∗ SSA-693555 V1.0: Memory Corruption Vulnerability in EN100 Ethernet Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-693555.txt ∗∗∗ SSA-685781 V1.0: Multiple Vulnerabilities in Apache HTTP Server Affecting Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-685781.txt ∗∗∗ SSA-631336 V1.0: Multiple Web Server Vulnerabilities in SICAM GridEdge Software ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-631336.txt ∗∗∗ SSA-484086 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-484086.txt ∗∗∗ SSA-401167 V1.0: Cross-site scripting Vulnerability in Teamcenter Active Workspace ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-401167.txt ∗∗∗ SSA-388239 V1.0: Default Password Leakage affecting the Component Shared HIS used in Spectrum Power Systems ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-388239.txt ∗∗∗ SSA-330556 V1.0: PwnKit Vulnerability in SCALANCE LPE9403 and SINUMERIK Edge Products (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-330556.txt ∗∗∗ SSA-222547 V1.0: Third-Party Component Vulnerabilities in SCALANCE LPE9403 before V2.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-222547.txt ∗∗∗ SSA-220589 V1.0: Hard Coded Default Credential Vulnerability in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-220589.txt ∗∗∗ SSA-145224 V1.0: Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-145224.txt ∗∗∗ IBM Security Bulletins 2022-06-13 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ TYPO3 CORE: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/typo3-cms ∗∗∗ ABB Security Advisory: Link Following Local Privilege Escalation Vulnerabilities in ABB Automation Builder, Drive Composer and Mint WorkBench ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305&Lan… ∗∗∗ Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460016/citrix-application-delivery-ma… ∗∗∗ Meridian Cooperative Meridian ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-02 ∗∗∗ Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2022
by Daily end-of-shift report 13 Jun '22

13 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-06-2022 18:00 − Montag 13-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Krypto-Miner und Verschlüsselungstrojaner schlüpfen durch Confluence-Lücke ∗∗∗ --------------------------------------------- Es häufen sich Attacken auf ungepatchte Instanzen von Confluence und Data Center. Sicherheitspatches sind verfügbar. --------------------------------------------- https://heise.de/-7138563 ∗∗∗ Buchen Sie Ihr Hotel nicht über hotels-in-tyrol.com ∗∗∗ --------------------------------------------- Die Buchungsplattform hotels-in-tyrol.com vermittelt Unterkünfte in Tirol. Wir raten zur Vorsicht. Auf der Plattform gibt es weder Informationen zum Betreiber noch Kontaktdaten. Im Reiter „Über uns“ wird lediglich ein Unternehmen namens „LocalHotels Ltd“ angeführt. Wir gehen aber davon aus, dass dieses Unternehmen gar nicht existiert. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihr-hotel-nicht-ueber-hot… ∗∗∗ Massenhafte Kontenübernahme bei smarten Yunmai Waagen möglich ∗∗∗ --------------------------------------------- Vom chinesischen Hersteller Yunmai wurden auch in Deutschland smarte Körperfettwaagen angeboten. Diese lassen sich per Bluetooth mit einer App auf dem Smartphone koppeln, so dass die persönlichen Daten mehrerer Personen in persönlichen Profilen gespeichert werden können. Leider hapert es mit der Sicherheit, wie Sicherheitsexperten festgestellt haben. Das Yunmai API ermöglicht die massenhafte Kontenübernahme oder die Umgehung der Hersteller-Restriktionen. --------------------------------------------- https://www.borncity.com/blog/2022/06/11/massenhafte-kontenbernahme-bei-sma… ∗∗∗ PyPI package keep mistakenly included a password stealer ∗∗∗ --------------------------------------------- PyPI packages keep, pyanxdns, api-res-py were found to contain a password-stealer and a backdoor due to the presence of malicious request dependency within some versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly… ∗∗∗ New Syslogk Linux rootkit uses magic packets to trigger backdoor ∗∗∗ --------------------------------------------- A new rootkit malware named Syslogk has been spotted in the wild, and it features advanced process and file hiding techniques that make detection highly unlikely. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-syslogk-linux-rootkit-us… ∗∗∗ EPSScall: An Exploit Prediction Scoring System App, (Fri, Jun 10th) ∗∗∗ --------------------------------------------- If you follow Cyentia Institute’s Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS Model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, mobile device, or at an enterprise level (Jacobs, 2022). --------------------------------------------- https://isc.sans.edu/diary/rss/28732 ∗∗∗ Translating Saitamas DNS tunneling messages, (Mon, Jun 13th) ∗∗∗ --------------------------------------------- Saitama is a backdoor that uses the DNS protocol to encapsulate its command and control (C2) messages - a technique known as DNS Tunneling (MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted to a government official from Jordans foreign ministry on an attack [...] --------------------------------------------- https://isc.sans.edu/diary/rss/28738 ∗∗∗ ModBus 101: One Protocol to Rule the OT World ∗∗∗ --------------------------------------------- Ever wondered how large-scale power plants monitor or control the myriad of systems that fill their environment? Have you thought about how some of the world’s greatest industrial hacks were enacted? This post will look to illuminate how one tiny legacy protocol, namely "ModBus" could help to understand just how straight forward this could be. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modbus-101-… ∗∗∗ Smilodon Credit Card Skimming Malware Shifts to WordPress ∗∗∗ --------------------------------------------- WordPress’ massive market share has come with an unsurprising side effect: As more and more site admins turn to popular plugins like WooCommerce to turn a profit on their website and set up online stores we’ve seen a significant increase in the number of attacks targeting WordPress eCommerce sites. What’s more, bad actors are repurposing their old Magento credit card stealing malware for use against WordPress. --------------------------------------------- https://blog.sucuri.net/2022/06/smilodon-credit-card-skimming-malware-shift… ∗∗∗ MIT Researchers Discover New Flaw in Apple M1 CPUs That Cant Be Patched ∗∗∗ --------------------------------------------- A novel hardware attack dubbed PACMAN has been demonstrated against Apples M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems. It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," [...] --------------------------------------------- https://thehackernews.com/2022/06/mit-researchers-discover-new-flaw-in.html ∗∗∗ Extracting Clear-Text Credentials Directly From Chromium’s Memory ∗∗∗ --------------------------------------------- Credential data (URL/username/password) is stored in Chrome’s memory in clear-text format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager (“Login Data” file). --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/extracting-clear-te… ∗∗∗ Researchers: Wi-Fi Probe Requests Expose User Data ∗∗∗ --------------------------------------------- A group of academic researchers from the University of Hamburg in Germany has discovered that mobile devices leak identifying information about their owners via Wi-Fi probe requests. Mobile devices use these probe requests to receive information about nearby Wi-Fi access points and establish connections to them when a probe response is received. --------------------------------------------- https://www.securityweek.com/researchers-wi-fi-probe-requests-expose-user-d… ∗∗∗ Exposing HelloXD Ransomware and x4k ∗∗∗ --------------------------------------------- HelloXD is a ransomware family in its initial stages - but already seeking to impact organizations. We analyze samples and hunt for attribution. --------------------------------------------- https://unit42.paloaltonetworks.com/helloxd-ransomware/ ∗∗∗ GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool ∗∗∗ --------------------------------------------- A new, difficult-to-detect remote access trojan named PingPull is being used by GALLIUM, an advanced persistent threat (APT) group. --------------------------------------------- https://unit42.paloaltonetworks.com/pingpull-gallium/ ∗∗∗ Microsoft Azure Synapse Pwnalytics ∗∗∗ --------------------------------------------- [...] Synapse Analytics utilizes Apache Spark for the underlying provisioning of clusters that user code is run on. User code in these environments is run with intentionally limited privileges because the environments are managed by internal Microsoft subscription IDs, which is generally indicative of a multi-tenant environment. Tenable Research has discovered a privilege escalation flaw that allows a user to escalate privileges to that of the root user within the context of a Spark VM. We have also discovered a flaw that allows a user to poison the hosts file on all nodes in their Spark pool, which allows one to redirect subsets of traffic and snoop on services users generally do not have access to. The full privilege escalation flaw has been adequately addressed. However, the hosts file poisoning flaw remains unpatched at the time of this writing. --------------------------------------------- https://medium.com/tenable-techblog/microsoft-azure-synapse-pwnalytics-87c9… ===================== = Vulnerabilities = ===================== ∗∗∗ QTS 5.0.0-Sicherheitsupdates für QNAP-NAS Geräte (8. Juni 2022) ∗∗∗ --------------------------------------------- Kurzer Hinweis an Leser und Leserinnen, die NAS-Laufwerke von QNAP im Einsatz haben. In der QTS 5.0.0-Software gibt es in älteren Versionen gravierende Schwachstellen, die am 8. Juni 2022 mit einem Update der Firmware auf QTS 5.0.0.2055 build 20220531 beseitigt wurden. --------------------------------------------- https://www.borncity.com/blog/2022/06/11/qts-5-sicherheitsupdates-fr-qnap-n… ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329) ∗∗∗ --------------------------------------------- The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories: [...] --------------------------------------------- https://research.nccgroup.com/2022/06/10/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, containerd, kernel, ntfs-3g, and vlc), Fedora (buildah and logrotate), Red Hat (xz), and SUSE (google-gson, netty3, rubygem-sinatra, and u-boot). --------------------------------------------- https://lwn.net/Articles/897711/ ∗∗∗ Drupal Releases Security Updates ∗∗∗ --------------------------------------------- Drupal has released security updates to address a Guzzle third-party library vulnerability that does not affect Drupal core but may affect some contributed projects or custom code on Drupal sites. Exploitation of this vulnerability could allow a remote attacker to take control of an affected website. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/13/drupal-releases-s… ∗∗∗ Screams of Power vulnerabilities (Powertek-based PDUs) ∗∗∗ --------------------------------------------- Even if the PDUs you use in your data center aren't branded "Powertek", please keep reading. Powertek is a company that makes datacenter class smart PDUs (Power Distribution Units - i.e. heavy duty power cords) for server racks. They sell both directly (or at least used to in the past I think?) and through their resellers. There is one reseller per country and they commonly rebrand their PDUs (e.g. mine has a logo of the Swiss reseller - schneikel). Anyway, in March I've done a quick 3h review of the firmware and found multiple vulnerabilities and weaknesses in Powertek PDU's firmware v3.30.23 and possibly prior (details below). So, if you're using a PDU that is running Powertek firmware, you might want to patch now. --------------------------------------------- https://gynvael.coldwind.pl/?id=748 ∗∗∗ OTRS: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0702 ∗∗∗ Security Bulletin: A vulnerability in OpenSSL affects IBM InfoSphere Information Server (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openss… ∗∗∗ Security Bulletin: A Unspecified Java Vulnerability is affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-unspecified-java-vulner… ∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln… ∗∗∗ Security Bulletin: Due to use of Spring Framework, IBM Db2 Web Query for i is vulnerable to unprotected fields (CVE-2022-22968), remote code execution (CVE-2022-22965), and denial of service (CVE-2022-22950). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-spring-fram… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service, due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Java XML vulnerability affects Liberty for Java for IBM Cloud due to CVE-2022-21299 deferred from Oracle Jan 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-xml-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2022
by Daily end-of-shift report 10 Jun '22

10 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-06-2022 18:00 − Freitag 10-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cyber Europe 2022 – europaweite Cyber-Sicherheitsübung ∗∗∗ --------------------------------------------- Im Zuge der 2-tägigen Cyber-Sicherheitsübung „Cyber Europe“ arbeiteten Behörden und nationale Computer-Notfallteams in ganz Europa intensiv an Schutz und Abwehr der angegriffenen IT-Bereiche. Über 800 Teilnehmer:innen waren dazu EU-weit an der Übung beteiligt. In Österreich war für die Koordination das Bundeskanzleramt zuständig. Das Gesundheitsministerium, das Innenministerium, das Außenministerium, das Verteidigungsministerium und die zuständigen Computernotfallteams waren in die Übung eingebunden. --------------------------------------------- https://www.ots.at/presseaussendung/OTS_20220609_OTS0200/cyber-europe-2022-… ∗∗∗ Phishing Campaigns featuring Ursnif Trojan on the Rise ∗∗∗ --------------------------------------------- McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-fea… ∗∗∗ Neue Linux-Malware aufgespürt ∗∗∗ --------------------------------------------- Eine gemeinsame Forschungsarbeit hat zur Entdeckung von Symbiote geführt, einer neuen Form von Linux-Malware, die nur schwer zu erkennen ist. Hacker erhalten damit Rootkit-Zugriff. --------------------------------------------- https://www.zdnet.de/88401771/neue-linux-malware-aufgespuert/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-09 - 2022-06-10 ∗∗∗ --------------------------------------------- IBM TXSeries, IBM Connections, IBM Watson, IBM Spectrum, IBM SDK, IBM Cloud Pak, IBM Db2 Mirror for i and IBM StoredIQ. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwachstellen in Infiray IRAY-A8Z3 Wärmebildkamera ∗∗∗ --------------------------------------------- Die IRAY A8Z3 Wärmebildkamera für Industrieapplikationen von Infiray/IRay Technologies ist anfällig auf verschiedene Schwachstellen, welche sich aus unsicherer Programmierung, unsicherer Konfiguration sowie veralteten eingebetteten Softwarekomponenten ergeben. Mehrere Angriffsmöglichkeiten für Remote Code Execution (RCE) wurden gefunden. Der Hersteller hat sich im Zuge unserer Responsible Disclosure nicht mehr gemeldet, weshalb unklar ist, ob Patches verfügbar sind. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/schwachstellen-infira… ∗∗∗ PHP: Updates verhindern Einschleusen von Schadcode ∗∗∗ --------------------------------------------- Fehler in PHP-Modulen zur Verbindung mit SQL-Datenbanken erlauben die Ausführung beliebigen Codes. Admins von Shared-Hosting-Servern sollten schnell updaten. --------------------------------------------- https://heise.de/-7136766 ∗∗∗ Fortinet entfernt hartcodierten Schlüssel und verhindert unberechtigte Zugriffe ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für mehrere Produkte von Fortinet. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-7136620 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-bottle), Fedora (grub2 and kernel), Mageia (python-pypdf2, python-ujson, and vim), and SUSE (fribidi, grub2, mozilla-nss, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/897518/ ∗∗∗ Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors ∗∗∗ --------------------------------------------- https://www.securityweek.com/vulnerabilities-hid-mercury-access-controllers… ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-160-01 ∗∗∗ "Undocumented Functionality" (Backdoor) in Mitel Desk Phones (SYSS-2022-021) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/undocumented-functionality-backdoor-in-mit… ∗∗∗ Kritische Schwachstelle in Crypto USB Flash Drive Lepin EP-KP001 (SYSS-2022-024) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstelle-in-crypto-usb-flas… ∗∗∗ Chrome 102.0.5005.115 fixt Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/06/10/chrome-102-0-5005-115-fixt-schwach… ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.06.2022
by Daily end-of-shift report 09 Jun '22

09 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-06-2022 18:00 − Donnerstag 09-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Emotet Variant Stealing Users Credit Card Information from Google Chrome ∗∗∗ --------------------------------------------- The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. --------------------------------------------- https://thehackernews.com/2022/06/new-emotet-variant-stealing-users.html ∗∗∗ MakeMoney malvertising campaign adds fake update template ∗∗∗ --------------------------------------------- We catch up with some old acquaintances that just arent ready to hang up the towel just yet. The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvert… ∗∗∗ ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat ∗∗∗ --------------------------------------------- A review of whats changed in malware in 2022, and what hasnt, based on Adam Kujawas talk at RSAC 2022. The post ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2022/06/asyncrat-surpasses-dr… ∗∗∗ Nebenjob als Betrugshelfer:in – Vorsicht vor europost-eu.biz ∗∗∗ --------------------------------------------- Ein vielversprechender Nebenjob als Paketempfänger:in lockt mit Home-Office und guten Arbeitsbedingungen. Für 25 € pro Stunde müssen Sie Pakete empfangen und weiterversenden. Was nicht erwähnt wird: Nehmen Sie den Job an, beteiligen Sie sich möglicherweise an Bestellbetrug und machen sich strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/nebenjob-als-betrugshelferin-vorsich… ∗∗∗ LockBit 2.0: How This RaaS Operates and How to Protect Against It ∗∗∗ --------------------------------------------- LockBit 2.0 has so far been this years most active ransomware gang on double-extortion leak sites. Learn about their tactics. --------------------------------------------- https://unit42.paloaltonetworks.com/lockbit-2-ransomware/ ∗∗∗ How to audit Node.js modules ∗∗∗ --------------------------------------------- Node.js is one of the best and most widely used Javascript runtimes used for building APIs. But, this popularity status has led to many hackers distributing insecure modules that exploit the Node.js application or provide a weak point for exploitation. --------------------------------------------- https://mattermost.com/blog/how-to-audit-nodejs-modules/ ∗∗∗ Follina-Schwachstelle (CVE-2022-30190): Neue Erkenntnisse, neue Risiken (9.6.2022) ∗∗∗ --------------------------------------------- Die seit Ende Mai 2022 bekannt gewordene Schwachstelle CVE-2022-30190 (Follina) in Windows entwickelt sich langsam zum Problembär. Die von Microsoft und hier im Blog beschriebenen Gegenmaßnahmen erscheinen nicht ausreichend. --------------------------------------------- https://www.borncity.com/blog/2022/06/09/follina-schwachstelle-cve-2022-301… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in veralteten Zyxel-Firewalls: Neukauf als Fix ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Zyxel warnt vor Sicherheitslücken in älteren Firewalls, deren Support ausgelaufen ist. Abhilfe schaffe der Austausch mit neueren Geräten. --------------------------------------------- https://heise.de/-7135405 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mailman and python-bottle), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, subversion:1.14, and xz), Scientific Linux (python-twisted-web), Slackware (httpd), and Ubuntu (ca-certificates, ffmpeg, ghostscript, and varnish). --------------------------------------------- https://lwn.net/Articles/897372/ ∗∗∗ Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat ∗∗∗ --------------------------------------------- Symbiote is a new Linux malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines. --------------------------------------------- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (January 2022) affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is vulnerable to Apache Log4j2 – CVE-2021-44832 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ K13559191: Linux kernel vulnerability CVE-2022-25636 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13559191?utm_source=f5support&utm_mediu… ∗∗∗ Xen Security Advisory CVE-2022-26363, CVE-2022-26364 / XSA-402 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-402.html ∗∗∗ Xen Security Advisory CVE-2022-26362 / XSA-401 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-401.html ∗∗∗ Case opened: DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2021-00037/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.06.2022
by Daily end-of-shift report 08 Jun '22

08 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-06-2022 18:00 − Mittwoch 08-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux version of Black Basta ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines running on enterprise Linux servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta… ∗∗∗ Poisoned CCleaner search results spread information-stealing malware ∗∗∗ --------------------------------------------- Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poisoned-ccleaner-search-res… ∗∗∗ Cuba ransomware returns to extorting victims with updated encryptor ∗∗∗ --------------------------------------------- The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cuba-ransomware-returns-to-e… ∗∗∗ Targeted phishing past defender ∗∗∗ --------------------------------------------- Signature based detections has shortcomings that matter in real scenarios. Depending only on prevention through an EDR like Defender is not enough in a modern attack scenario. --------------------------------------------- https://www.derant.com/network%20monitoring/2022/06/07/Targetted-phishing-p… ∗∗∗ New Technique Used by Attackers in NPM to Avoid Detection ∗∗∗ --------------------------------------------- Checkmarx SCS team recently detected several malicious NPM packages using a new evasion technique, enhancing dependency confusion attacks to help malicious packages avoid detection. --------------------------------------------- https://checkmarx.com/blog/new-technique-used-by-attackers-in-npm-to-avoid-… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability ∗∗∗ --------------------------------------------- An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. --------------------------------------------- https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html ∗∗∗ Zero-Day-Lücke: Cybergangs missbrauchen MSDT-Leck für Qakbot-Infektionen ∗∗∗ --------------------------------------------- Die Cybergang hinter der Malware Quakbot missbraucht in Phishing-Kampagnen die MSDT-Zero-Day-Lücke. Infizierte Rechner verkauft sie meist an Ransomware-Banden. --------------------------------------------- https://heise.de/-7134949 ∗∗∗ Fehler in Linux-Kernel ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Ein Fehler im Firewall-Code des Linux-Kernels ermöglicht es Nutzern, Befehle als Root auszuführen. Administratoren können einen Workaround anwenden. --------------------------------------------- https://heise.de/-7134791 ∗∗∗ Kritische Schadcode-Lücke bedroht Universal Boot Loader U-Boot ∗∗∗ --------------------------------------------- Die Entwickler von U-Boot haben zwei gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7134785 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (avahi), Fedora (firefox), Oracle (grub2, python-twisted-web, shim, shim-signed, and thunderbird), Red Hat (kernel and python-twisted-web), SUSE (gcc48, go1.17, go1.18, and mariadb), and Ubuntu (e2fsprogs, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-intel-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, [...] --------------------------------------------- https://lwn.net/Articles/897297/ ∗∗∗ Technical Details Released for Recently Patched Zyxel Firewall Vulnerabilities ∗∗∗ --------------------------------------------- Security researchers with HN Security have published technical details on two vulnerabilities affecting many Zyxel products. --------------------------------------------- https://www.securityweek.com/technical-details-released-recently-patched-zy… ∗∗∗ Owl Labs Patches Severe Vulnerability in Video Conferencing Devices ∗∗∗ --------------------------------------------- Video conferencing company Owl Labs has released patches for a severe vulnerability affecting its Meeting Owl Pro and Whiteboard Owl devices. --------------------------------------------- https://www.securityweek.com/owl-labs-patches-severe-vulnerability-video-co… ∗∗∗ Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer ∗∗∗ --------------------------------------------- Symantec has observed threat actors exploiting remote code execution flaw to drop AsyncRAT and information stealer. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/fo… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Spoofing (CVE-2022-22365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ FESTO: CECC-X-M1 - command injection vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-020/ ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0692 ∗∗∗ Mehrere Schwachstellen in "sicheren" mobilen Festplatten und Crypto-USB-Sticks von Verbatim (SYSS-2022-001/-017) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sicheren-mobilen… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2022
by Daily end-of-shift report 07 Jun '22

07 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-06-2022 18:00 − Dienstag 07-06-2022 18:15 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WatchDog hacking group launches new Docker cryptojacking campaign ∗∗∗ --------------------------------------------- The WatchDog hacking group is conducting a new cryptojacking campaign with advanced techniques for intrusion, worm-like propagation, and evasion of security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/watchdog-hacking-group-launc… ∗∗∗ QBot now pushes Black Basta ransomware in bot-powered attacks ∗∗∗ --------------------------------------------- The Black Basta ransomware gang has partnered with the QBot malware operation to gain spread laterally through hacked corporate environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-now-pushes-black-basta-… ∗∗∗ Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware ∗∗∗ --------------------------------------------- A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady. --------------------------------------------- https://thehackernews.com/2022/06/researchers-warn-of-spam-campaign.html ∗∗∗ Neues Phishing-E-Mail der Erste Bank und Sparkasse ∗∗∗ --------------------------------------------- Aktuell kursiert ein neues Phishing-E-Mail im Namen der Erste Bank und Sparkasse. Im Schreiben werden Sie über eine angebliche Abbuchung von 1 259 Euro informiert. --------------------------------------------- https://www.watchlist-internet.at/news/neues-phishing-e-mail-der-erste-bank… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortiguard June 2022 Vulnerability Advisories ∗∗∗ --------------------------------------------- FortiAP-U, FortiDDoS, FortiOS, FortiAnalyzer, FortiManager, FortiSandbox, FortiTokenMobile, FortiAuthenticator, Apache Airflow and FortiClient. --------------------------------------------- https://www.fortiguard.com/psirt-monthly-advisory/june-2022-vulnerability-a… ∗∗∗ Jetzt patchen! Lage um Attacken auf Atlassian Confluence spitzt sich zu ∗∗∗ --------------------------------------------- Aufgrund von öffentlich verfügbarem Exploit-Code steigen die Attacken auf Confluence-Instanzen. Patches sind jetzt verfügbar. --------------------------------------------- https://heise.de/-7132633 ∗∗∗ Patchday: Google schließt Kernel- und Software-Lücken in Android ∗∗∗ --------------------------------------------- Besitzer von Android-Hardware sollte ihre Geräte aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-7133294 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, firefox-esr, pidgin, and thunderbird), Fedora (dotnet3.1, firefox, kernel, vim, and webkit2gtk3), Mageia (firefox/nss/nspr, gimp, logrotate, mariadb, thunderbird, trojita, webkit2, and webmin), Oracle (thunderbird), Red Hat (compat-openssl11, postgresql:10, postgresql:12, and thunderbird), Slackware (pidgin), and SUSE (openvpn). --------------------------------------------- https://lwn.net/Articles/897163/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0, librecad, and php-horde-mime-viewer), Fedora (vim), and Ubuntu (freerdp2, ruby2.3, ruby2.5, ruby2.7, ruby3.0, and vim). --------------------------------------------- https://lwn.net/Articles/897226/ ∗∗∗ Critical U-Boot Vulnerability Allows Rooting of Embedded Systems ∗∗∗ --------------------------------------------- A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group. --------------------------------------------- https://www.securityweek.com/critical-u-boot-vulnerability-allows-rooting-e… ∗∗∗ Security Advisory -Input Verification Vulnerabilities Involved in Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220608-… ∗∗∗ Security Bulletin: IBM Cognos Controller is affected but not vulnerable to arbitrary code execution and SQL injection due to Apache Log4j v1 vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-is-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Public disclosed vulnerability from OpenSSL affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerab… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL Injection (CVE-2022-31768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Apache Commons as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-36090, CVE-2021-35517) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-as-used-by… ∗∗∗ Security Bulletin: CP4D Match 360 is vulnerable to remote attacker executing arbitrary code within IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cp4d-match-360-is-vulnera… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/ MessageSight ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MaaS360 Mobile Enterprise Gateway uses Eclipse Jetty with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-mobile-enterp… ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN module have multiple vulnerabilities (CVE-2021-22060, CVE-2022-22950, CVE-2022-0547, CVE-2022-0778, CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in NumPy. (CVE-2021-33430). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ K29421535: Intel processor vulnerability CVE-2021-33117 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29421535 ∗∗∗ K95204515: Intel CPU vulnerability CVE-2022-21151 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K95204515 ∗∗∗ Grafana: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0690 ∗∗∗ Case update: DIVD-2022-00032 - Exchange backdoor ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00032/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2022
by Daily end-of-shift report 03 Jun '22

03 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-06-2022 18:00 − Freitag 03-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Chinese LuoYu hackers deploy cyber-espionage malware via app updates ∗∗∗ --------------------------------------------- A Chinese-speaking hacking group known as LuoYu is infecting victims WinDealer information stealer malware deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-luoyu-hackers-deploy… ∗∗∗ Evil Corp switches to LockBit ransomware to evade sanctions ∗∗∗ --------------------------------------------- The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets networks to evade sanctions imposed by the U.S. Treasury Departments Office of Foreign Assets Control (OFAC). --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-lockbi… ∗∗∗ Analysis of the Massive NDSW/NDSX Malware Campaign ∗∗∗ --------------------------------------------- Recently, Avast’s researchers Pavel Novák and Jan Rubín posted a detailed writeup about the “Parrot TDS” campaign involving more than 16,500 infected websites. Such massive infections don’t go unnoticed by Sucuri and we immediately recognized that the infection in their writeup belonged to the campaign we internally refer to as “ndsw/ndsx” malware. --------------------------------------------- https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign… ∗∗∗ Reich mit Öl? Vorsicht vor der betrügerischen Investment-Plattform „Öl-Profit“! ∗∗∗ --------------------------------------------- Noch nie war der Online-Ölhandel so einfach wie heute. Jede Person könne hier reich werden – ohne etwas über Öl oder Wirtschaft zu wissen. So heißt es in einem angeblichen Artikel der deutschen Tageszeitung BILD. --------------------------------------------- https://www.watchlist-internet.at/news/reich-mit-oel-vorsicht-vor-der-betru… ∗∗∗ Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor ∗∗∗ --------------------------------------------- We observed a specially crafted DLL hijacking attack used by a previously unknown piece of malware that we dubbed Popping Eagle. --------------------------------------------- https://unit42.paloaltonetworks.com/popping-eagle-malware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angriffe auf Code-Execution-Lücke bedrohen Confluence-Installationen ∗∗∗ --------------------------------------------- Seit Anfang der Woche installieren Angreifer Backdoors über eine neue Lücke in Confluence. Admins sollten noch vor dem langen Wochenende Maßnahmen ergreifen. --------------------------------------------- https://heise.de/-7131081 ∗∗∗ GitLab Issues Security Patch for Critical Account Takeover Vulnerability ∗∗∗ --------------------------------------------- GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. --------------------------------------------- https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cifs-utils, debian-security-support, and pypdf2), Fedora (fapolicyd, mariadb, openssl, and qt5-qtbase), Oracle (firefox, maven:3.5, maven:3.6, postgresql:10, postgresql:12, and postgresql:13), Red Hat (.NET 6.0, firefox, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, pcs, rsync, subversion, thunderbird, and zlib), Scientific Linux (thunderbird), Slackware (mozilla), SUSE (firefox, hdf5, suse-hpc, kernel-firmware, libarchive, patch, php8, and redis), and Ubuntu (cifs-utils and vim). --------------------------------------------- https://lwn.net/Articles/897016/ ∗∗∗ Security Bulletin: IBM Edge Application Manager is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-edge-application-mana… ∗∗∗ Security Bulletin: IBM DataPower Gateway Virtual Edition uses out of date ICU libraries in open-vm-tools ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vir… ∗∗∗ Security Bulletin: IBM Telco Network Cloud Manager – Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-telco-network-cloud-m… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to improper input validation in Spring Framework (CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in Kerberos ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker obtaining sensitive information and other attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus may disclose sensitive information in virgo log file (CVE-2022-22396) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0682 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2022
by Daily end-of-shift report 02 Jun '22

02 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-06-2022 18:00 − Donnerstag 02-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Conti ransomware targeted Intel firmware for stealthy attacks ∗∗∗ --------------------------------------------- Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-in… ∗∗∗ Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks ∗∗∗ --------------------------------------------- As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. --------------------------------------------- https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.ht… ∗∗∗ Europol: FluBot-Infrastruktur unter Kontrolle von Strafverfolgern ∗∗∗ --------------------------------------------- Internationale Strafverfolger konnten die SMS-basierte Android-Spyware FluBot einbremsen. Dies gelang durch die Übernahme der FluBot-Infrastruktur. --------------------------------------------- https://heise.de/-7130270 ∗∗∗ Warnung vor Spoofing mit BSI-Rufnummer ∗∗∗ --------------------------------------------- Das BSI erhält derzeit Meldungen, dass vermehrte Anrufe mit der Rufnummer des BSI und einer zweistelligen Durchwahl erfolgen. Es handelt sich nicht um Anrufe des BSI. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Vorsicht Telefon-Betrug: Tonbandstimme lockt in die Falle! ∗∗∗ --------------------------------------------- Zahlreiche Meldungen berichten von Anrufen einer Tonbandstimme, die dazu auffordert auf die Taste 1 zu drücken. Folgen Sie den Anweisungen nicht! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-telefon-betrug-tonbandstimm… ===================== = Vulnerabilities = ===================== ∗∗∗ SearchNightmare: Windows 10 search-ms: URI Handler 0-day Exploit mit Office 2019 ∗∗∗ --------------------------------------------- Nach der Entdeckung des Missbrauchs der Follina-Schwachstelle (CVE-2022-30190) über das Windows ms-msdt-Protokolls wird diese Bastion "sturmreif" geschossen. Ein Hacker hat sich den search-ms: URI Handler in Windows 10 angesehen und einen ähnlichen Exploit wie Follina entwickelt. --------------------------------------------- https://www.borncity.com/blog/2022/06/02/searchnightmare-windows-10-search-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (thunderbird and vim), Red Hat (firefox, postgresql:10, postgresql:12, and postgresql:13), Scientific Linux (firefox and rsyslog), SUSE (hdf5, hdf5, suse-hpc, postgresql14, rubygem-yajl-ruby, and udisks2), and Ubuntu (imagemagick and influxdb). --------------------------------------------- https://lwn.net/Articles/896896/ ∗∗∗ Millions of Budget Smartphones With UNISOC Chips Vulnerable to Remote DoS Attacks ∗∗∗ --------------------------------------------- Millions of budget smartphones that use UNISOC chipsets could have their communications remotely disrupted by hackers due to a critical vulnerability discovered recently by researchers at cybersecurity firm Check Point. --------------------------------------------- https://www.securityweek.com/millions-budget-smartphones-unisoc-chips-vulne… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability CVE-2021-35550 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Common Licensing is vulnerable by a remote code attack in Spring Framework (CVE-2021-22096,CVE-2021-22060,CVE-2022-22950,CVE-2022-22968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Java SE that could allow an unauthenticated attacker to obtain sensitive information affect IBM® Db2®. (CVE-2021-35603, CVE-2021-35550, CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in Nginx affects IBM Cloud Private and could allow a remote attacker to obtain sensitive information (177988) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nginx-af… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Watson Machine Learning Accelerator is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-a… ∗∗∗ Security Bulletin: CVE-2022-21299 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2022-21299-may-affect… ∗∗∗ Security Bulletin: HMC is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hmc-is-affected-but-not-c… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities – IBM JDK 8.0.7.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to cross tenant information exposure (CVE-2022-22506) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2021-35561 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35561-may-affect… ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2022/05/long-term-support-channel-upda… ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 101 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-23/ ∗∗∗ Autodesk AutoCAD: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0677 ∗∗∗ Illumina Local Run Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-153-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.06.2022
by Daily end-of-shift report 01 Jun '22

01 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-05-2022 18:00 − Mittwoch 01-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zero-Day-Lücke: Erste Cybergangs greifen MSDT-Sicherheitslücke an ∗∗∗ --------------------------------------------- Die Zero-Day-Lücke von Microsoft wird inzwischen von Cybergangs für Angriffe missbraucht. Der Hersteller ordnete das Problem erst falsch als irrelevant ein. --------------------------------------------- https://heise.de/-7128265 ∗∗∗ FluBot Android malware operation shutdown by law enforcement ∗∗∗ --------------------------------------------- Europol has announced the takedown of the FluBot operation, one of the largest and fastest-growing Android malware operations in existence. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-android-malware-opera… ∗∗∗ New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers ∗∗∗ --------------------------------------------- An enhanced version of the XLoader malware has been spotted adopting a probability-based approach to camouflage its command-and-control (C&C) infrastructure, according to the latest research. --------------------------------------------- https://thehackernews.com/2022/06/new-xloader-botnet-version-using.html ∗∗∗ New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email ∗∗∗ --------------------------------------------- A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim. --------------------------------------------- https://thehackernews.com/2022/06/new-unpatched-horde-webmail-bug-lets.html ∗∗∗ Watch out for phishing emails that inject spyware trio ∗∗∗ --------------------------------------------- You wait for one infection and then three come along at once. An emailed report seemingly about a payment will, when opened in Excel on a Windows system, attempt to inject three pieces of file-less malware that steal sensitive information. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/06/01/phishing-rat… ∗∗∗ Certificate Transparency data is used to compromise WordPress before installation ∗∗∗ --------------------------------------------- Recently in the community forums of WordPress and Lets Encrypt, reports have shown up about webshells on freshly installed WordPress blogs that were later used for DDoS attacks. --------------------------------------------- https://www.feistyduck.com/bulletproof-tls-newsletter/issue_89_certificate_… ∗∗∗ AA22-152A: Karakurt Data Extortion Group ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-152a ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libjpeg-turbo, webkit2gtk, and wpewebkit), Fedora (golang-github-opencontainers-runc, mingw-pcre2, python-jwt, python-ujson, and weechat), Oracle (nodejs:16 and rsyslog), Red Hat (container-tools:3.0, expat, fapolicyd, kernel, kernel-rt, kpatch-patch, mariadb:10.3, postgresql:12, rsyslog and rsyslog7, and zlib), Slackware (mozilla), SUSE (bind, dpdk, fribidi, hdf5, librelp, php74, postgresql12, and postgresql13), and Ubuntu (cups, linux-gcp-5.13, linux-oracle, linux-oracle-5.13, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/896803/ ∗∗∗ T&D Data Server and THERMO RECORDER DATA SERVER vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN28659051/ ∗∗∗ Security Advisory - Insufficient Input Verification Vulnerability In Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220601-… ∗∗∗ Security Bulletin: IBM® PureData System for Operational Analytics is vulnerable to arbitrary code execution, remote code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-puredata-system-for-o… ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25214) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to code injection due to CVE-2022-29078 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-data-synchroni… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Vulnerability in Apache HTTP (CVE-2022-22720) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-h… ∗∗∗ K43541501: Intel CPU vulnerabilities CVE-2022-21131 and CVE-2022-21136 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43541501 ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-22/ ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-151-01 ∗∗∗ BD Synapsys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-151-02 ∗∗∗ Fuji Electric Alpha7 PC Loader ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-151-01 ∗∗∗ SSRF-Schwachstelle in Canto Cumulus (SYSS-2022-023) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/ssrf-schwachstelle-in-canto-cumulus-syss-2… ∗∗∗ Microsoft Edge 102.0.1245.30 schließt Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/06/01/microsoft-edge-102-0-1245-30-schli… ∗∗∗ Security Advisory: Multiple Vulnerabilities Impact 3CX Phone System ∗∗∗ --------------------------------------------- https://www.gosecure.net/blog/2022/05/31/security-advisory-multiple-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.05.2022
by Daily end-of-shift report 31 May '22

31 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 30-05-2022 18:00 − Dienstag 31-05-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Meeting Owl Pro: Konferenzeule hat viele Sicherheitslücken ∗∗∗ --------------------------------------------- Das Konferenzsystem Meeting Owl Pro sieht putzig aus, hat aber viele Sicherheitslücken, die auch nach vier Monaten nicht geschlossen wurden. --------------------------------------------- https://www.golem.de/news/meeting-owl-pro-konferenzeule-hat-viele-sicherhei… ∗∗∗ GSM-Codes: Whatsapp-Konten per Anruf übernehmen ∗∗∗ --------------------------------------------- Mit einer neuen Masche können Betrüger Whatsapp-Konten übernehmen. Nutzer sollen zum Anrufen dubioser Telefonnummern verleitet werden. --------------------------------------------- https://www.golem.de/news/gsm-codes-whatsapp-konten-per-anruf-uebernehmen-2… ∗∗∗ Over 3.6 million exposed MySQL servers on IPv4 and IPv6 ∗∗∗ --------------------------------------------- We have recently began scanning for accessible MySQL server instances on port 3306/TCP. These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single AS). IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide. --------------------------------------------- https://www.shadowserver.org/news/over-3-6m-exposed-mysql-servers-on-ipv4-a… ∗∗∗ Buchen Sie Ihre Unterkunft nicht auf ferienhaeuser-porec.de ∗∗∗ --------------------------------------------- ferienhaeuser-porec.de ist eine betrügerische Buchungswebseite für „Exklusive Villen und Ferienhäuser“ in Porec, Kroatien. Auf den ersten Blick wirkt die Webseite professionell. Das Impressum sowie das Foto der deutschen Inhaber stiften Vertrauen. Aber: Wer dort bucht und bezahlt verliert sein Geld und hat keine Unterkunft. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-auf… ∗∗∗ Nächste Runde: FluBot-Banking-Malware (Mai 2022) ∗∗∗ --------------------------------------------- Kleines Update in Sachen Flubot. Die Cyberkriminellen hinter FluBot greifen Smartphone-Nutzer in Europa mit einer Neuauflage ihrer Smishing-Kampagne an, um die Malware zum Stehlen persönlicher Banking-Daten auf mobilen Telefonen in Europa zu verbreiten. --------------------------------------------- https://www.borncity.com/blog/2022/05/31/nchste-rund-flubot-banking-malware… ∗∗∗ CVE Farming through Software Center – A group effort to flush out zero-day privilege escalations ∗∗∗ --------------------------------------------- In this blogpost we discuss a zero-day topic for finding privilege escalation vulnerabilities discovered by Ahmad Mahfouz. It abuses applications like Software Center, which are typically used in large-scale environments for automated software deployment performed on demand by regular (i.e. unprivileged) users. --------------------------------------------- https://blog.nviso.eu/2022/05/31/cve-farming-through-software-center-a-grou… ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day-Lücke in MS Office: Microsoft gibt Empfehlungen ∗∗∗ --------------------------------------------- Microsoft gibt Handlungsempfehlungen gegen die Zero-Day-Schwachstelle in Office. Angreifer könnten diese zum Einschleusen von Schadcode missbrauchen. --------------------------------------------- https://heise.de/-7126993 ∗∗∗ Content Management System: Sicherheitslücke in Drupal erlaubt Website-Übernahme ∗∗∗ --------------------------------------------- Die Sicherheitslücke findet sich nicht im eigentlichen Drupal-Code, sondern in der Drittherstellerbibliothek Guzzle. Darüber wickelt Drupal HTTP-Anfragen und -Antworten an externe Dienste ab. Das Guzzle-Projekt hat ein Update veröffentlicht, dass zwar nicht den Drupal-Core betreffe, jedoch Auswirkungen auf beigesteuerte Projekte oder individuell angepassten Code von Drupal-Seiten haben könnte. --------------------------------------------- https://heise.de/-7127268 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy, libdbi-perl, pjproject, spip, and trafficserver), Oracle (firefox, kernel, kernel-container, libvirt libvirt-python, and thunderbird), Red Hat (maven:3.5, maven:3.6, nodejs:16, postgresql, postgresql:10, and rsyslog), SUSE (gimp, helm-mirror, ImageMagick, mailman, openstack-neutron, pcmanfm, pcre2, postgresql10, and tiff), and Ubuntu (dpkg and freetype). --------------------------------------------- https://lwn.net/Articles/896721/ ∗∗∗ Siemens Healthineers SHSA-455016: Deserialization Vulnerability in Healthcare Products ∗∗∗ --------------------------------------------- https://www.siemens-healthineers.com/support-documentation/cybersecurity/sh… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Spring Framework affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache HTTP (CVE-2021-34798 and CVE-2021-39275) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin:IBM Common Licensing is affected but not classified as vulnerable by a remote code execution in Spring Framework (220575,CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-common-licensing-is-af… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK, Java Technology (CVE-2022-21341, CVE-2022-21294, CVE-2022-21293 and CVE-2022-21248) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2021-3712) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 91.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-21/ ∗∗∗ Security Vulnerabilities fixed in Firefox 101 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-20/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.05.2022
by Daily end-of-shift report 30 May '22

30 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-05-2022 18:00 − Montag 30-05-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Clop ransomware gang is back, hits 21 victims in a single month ∗∗∗ --------------------------------------------- After effectively shutting down their entire operation for several months, between November and February, the Clop ransomware is now back according to NCC Group researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back… ∗∗∗ New Windows Subsystem for Linux malware steals browser auth cookies ∗∗∗ --------------------------------------------- Hackers are showing an increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-windows-subsystem-for-li… ∗∗∗ New GoodWill Ransomware Forces Victims to Donate Money and Clothes to the Poor ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims into donating for social causes and provide financial assistance to people in need. --------------------------------------------- https://thehackernews.com/2022/05/new-goodwill-ransomware-forces-victims.ht… ∗∗∗ Understanding CVE-2022-22972 (VMWare Workspace One Access Auth Bypass) ∗∗∗ --------------------------------------------- We’ve got a copy of the vulnerable version of VMWare Workspace One Access, and we’ve gone through the extremely boring process of setting it up (oh the joys of vulnerability research). At this stage, we want to try and narrow down exactly where this vulnerability exists in code. --------------------------------------------- https://blog.assetnote.io/2022/05/27/understanding-cve-2022-22972-vmware-wo… ∗∗∗ Bösartige Browser-Erweiterung: ChromeLoader kommt als ISO getarnt ∗∗∗ --------------------------------------------- Eine bösartige Erweiterung kann allen Browserverkehr über unerwünschte Server leiten und so Daten abschöpfen. ChromeLoader geht dabei trickreich vor. --------------------------------------------- https://heise.de/-7126317 ∗∗∗ Probleme mit Ihrer Lebensversicherung? Vorsicht vor Beratungsleistungen von konsumentenschuetzer.com ∗∗∗ --------------------------------------------- Im Internet finden Sie die Beratungsagentur „Konsumentenschützer“, die Ihren Vertrag prüft und bei Bedarf eine Klage bei Ihrer Versicherung einbringt. Wir raten zur Vorsicht. --------------------------------------------- https://www.watchlist-internet.at/news/probleme-mit-ihrer-lebensversicherun… ∗∗∗ Microsoft findet Schwachstellen in Apps großer Mobilfunkprovider (Mai 2022) ∗∗∗ --------------------------------------------- Das Microsoft 365 Defender Research Team hat in einem mobilen Framework von mce Systems einige Schwachstellen gefunden. --------------------------------------------- https://www.borncity.com/blog/2022/05/30/microsoft-findet-schwachstellen-in… ∗∗∗ Detecting BCD Changes To Inhibit System Recovery ∗∗∗ --------------------------------------------- Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Hermetic wiper”. To inhibit recovery an attacker has many possibilities, one of which is changing the Boot Configuration Database (BCD). --------------------------------------------- https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-re… ∗∗∗ Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices ∗∗∗ --------------------------------------------- Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malw… ∗∗∗ GitHub RepoJacking Weakness Exploited in the Wild by Attackers ∗∗∗ --------------------------------------------- A logical flaw in GitHub allows attackers to take control over thousands of repositories, enabling the poisoning of popular open-source packages. This flaw is yet to be fixed and the steps to exploit it were recently published. --------------------------------------------- https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wil… ===================== = Vulnerabilities = ===================== ∗∗∗ New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme, (Mon, May 30th) ∗∗∗ --------------------------------------------- It was a long weekend for many European countries and it’s an off-day in the US but we were aware of a new attack vector for Microsoft Office documents. --------------------------------------------- https://isc.sans.edu/diary/rss/28694 ∗∗∗ Zero-Day-Lücke in Microsoft Office ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein Word-Dokument entdeckt, das beim Öffnen Schadcode nachladen und ausführen kann. Aktuelle Software scheint davor zu schützen. --------------------------------------------- https://heise.de/-7125635 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (modsecurity-apache, pngcheck, rsyslog, and smarty3), Fedora (firefox, golang-github-opencontainers-runc, gron, kernel, kernel-headers, kernel-tools, logrotate, mingw-pcre2, and rubygem-git), Mageia (admesh, chromium-browser-stable, golang, kernel, kernel-linus, and pidgin), Red Hat (firefox, openvswitch2.13, openvswitch2.15, openvswitch2.16, rsyslog, and thunderbird), SUSE (bind, curl, opera, pcp, postgresql12, and postgresql14), [...] --------------------------------------------- https://lwn.net/Articles/896640/ ∗∗∗ Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-46669, CVE-2022-24048, MariaDB – 219814, MariaDB – 219815, CVE-2022-24050, CVE-2022-24052 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-installation-on-r… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a number of security vulnerabilities in Netty, which is used by Guardium (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote attack due to Moment.js CVE-2022-24785 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: Cross-Site Request Forgery vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-22361 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0665 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2022
by Daily end-of-shift report 27 May '22

27 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-05-2022 18:00 − Freitag 27-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New ChromeLoader malware surge threatens browsers worldwide ∗∗∗ --------------------------------------------- The ChromeLoader malware is seeing an uptick in detections this month, following a relatively stable operation volume since the start of the year, which means that the malvertiser is now becoming a widespread threat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-chromeloader-malware-sur… ∗∗∗ New ‘Cheers’ Linux ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- A new ransomware named Cheers has appeared in the cybercrime space and has started its operations by targeting vulnerable VMware ESXi servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-… ∗∗∗ New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps ∗∗∗ --------------------------------------------- The ERMAC Android banking trojan has released version 2.0, increasing the number of applications targeted from 378 to 467, covering a much wider range of apps to steal account credentials and crypto wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ermac-20-android-malware… ∗∗∗ Microsoft shares mitigation for Windows KrbRelayUp LPE attacks ∗∗∗ --------------------------------------------- Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigation-… ∗∗∗ Windows 11 KB5014019 breaks Trend Micro ransomware protection ∗∗∗ --------------------------------------------- This weeks Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micros security products that breaks some of their capabilities, including the ransomware protection feature. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-… ∗∗∗ Warten auf abgesicherte Version: Anonymes Surfen unter Tails gefährdet ∗∗∗ --------------------------------------------- Wer mit dem Tor Browser des Tails-Systems surft, könnte Passwörter an Angreifer preisgeben. --------------------------------------------- https://heise.de/-7123771 ∗∗∗ Sie sollen Zollgebühren mit einer Paysafecard bezahlen? Achtung, Betrug! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische E-Mails im Namen des Zolls und behaupten, dass Sie Zollgebühren bezahlen müssen, und zwar in Form einer Paysafecard. Nur so könne Ihr Paket zugestellt werden. Ignorieren Sie solche E-Mails, Kriminelle versuchen nur an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/sie-sollen-zollgebuehren-mit-einer-p… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-05-26 - 2022-05-27 ∗∗∗ --------------------------------------------- IBM MQ Internet Pass-Thru, IBM MQ Operator, IBM MQ Appliance, IBM MQ trace, IBM Semeru Runtime, IBM Sterling Control Center, IBM App Connect Enterprise, IBM Watson Discovery, IBM Spectrum Control, IBM Netezza Host Management, IBM Tivoli Netcool/OMNIbus Probe Integrations, IBM DataPower. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Angreifer könnten Netzwerk-Hardware von Citrix lahmlegen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitspatches für Citritx ADC und Citrix Gateway. Angreifer könnten die Netzwerk-Hardware lahmlegen. --------------------------------------------- https://heise.de/-7123795 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, dpkg, filezilla, irssi, puma, and python-django), Fedora (firefox, ignition, and pcre2), Mageia (cockpit, firefox/thunderbird, openldap, supertux, unrar, and vim), Oracle (firefox and thunderbird), Red Hat (rh-varnish6-varnish), SUSE (cups, fribidi, kernel-firmware, redis, and wpa_supplicant), and Ubuntu (dpkg, logrotate, and subversion). --------------------------------------------- https://lwn.net/Articles/896346/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (atftp, cups, neutron, and zipios++), Fedora (clash, moodle, python-jwt, and thunderbird), Red Hat (thunderbird), Slackware (cups), SUSE (go1.17, libredwg, opera, seamonkey, and varnish), and Ubuntu (libxv, ncurses, openssl, and subversion). --------------------------------------------- https://lwn.net/Articles/896465/ ∗∗∗ ABB Cyber Security Advisory: e-Design - Multiple vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2%20CMT%200%200%206… ∗∗∗ K32760744: libxml2 vulnerability CVE-2022-23308 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32760744 ∗∗∗ K54724312: Linux kernel vulnerability CVE-2022-0492 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54724312 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0661 ∗∗∗ Drupal CORE: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0662 ∗∗∗ Keysight N6854A Geolocation server and N6841A RF Sensor software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-146-01 ∗∗∗ Horner Automation Cscape Csfont ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-146-02 ∗∗∗ Cross-Site Request Forgery Vulnerability in Proxy Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.05.2022
by Daily end-of-shift report 25 May '22

25 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-05-2022 18:00 − Mittwoch 25-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Vorsicht vor unseriösen Spendenaufrufen für krebskranke Kinder ∗∗∗ --------------------------------------------- Immer wieder stoßen Watchlist Internet Leser:innen auf betrügerische Spendenaufrufe für krebskranke Kinder. Insbesondere in Werbeeinschaltungen auf YouTube werden häufig derartige Kampagnen angezeigt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-spendenaufr… ∗∗∗ Bablosoft; Lowering the Barrier of Entry for Malicious Actors ∗∗∗ --------------------------------------------- Summary Evidence suggests an increasing number of threat actor groups are making use of a free-to-use browser automation framework. The framework contains numerous features which we assess may be utilized in the enablement of malicious activities. --------------------------------------------- https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-en… ∗∗∗ How the Saitama backdoor uses DNS tunnelling ∗∗∗ --------------------------------------------- A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34s Saitama backdoor. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-b… ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service ∗∗∗ --------------------------------------------- Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service. --------------------------------------------- http://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-pl… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lrzip and puma), Fedora (plantuml and plib), Oracle (kernel and kernel-container), Red Hat (firefox, kernel, kpatch-patch, subversion:1.14, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (kernel-firmware, libxml2, pcre2, and postgresql13), and Ubuntu (accountsservice, postgresql-10, postgresql-12, postgresql-13, postgresql-14, and rsyslog). --------------------------------------------- https://lwn.net/Articles/896216/ ∗∗∗ CISA Adds 34 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 34 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/25/cisa-adds-34-know… ∗∗∗ Chrome 102.0.5005.61/62/63 fixen kritische Schwachstellen ∗∗∗ --------------------------------------------- Google hat zum 24. Mai 2022 die Updates des 102.0.5005.61/62/63 Google Chrome Browsers für Windows und Mac auf dem Desktop im Stable Channel freigegeben (Chrome 102 wird auch im Stable Channel für Windows und Mac aufgenommen). --------------------------------------------- https://www.borncity.com/blog/2022/05/25/chrome-102-0-5005-61-62-63-fixen-s… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ Security Bulletin: Node.js as used by IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-as-used-by-ibm-se… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-deployment-int… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ VMSA-2022-0015 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0015.html ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27507 and CVE-2022-27508 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX457048 ∗∗∗ Rockwell Automation Logix Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-144-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.05.2022
by Daily end-of-shift report 24 May '22

24 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 23-05-2022 18:00 − Dienstag 24-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Researchers to release exploit for new VMware auth bypass, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is about to be published for a vulnerability that allows administrative access without authentication in several VMware products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-to-release-explo… ∗∗∗ Beneath the surface: Uncovering the shift in web skimming ∗∗∗ --------------------------------------------- Web skimming campaigns now employ various obfuscation techniques to deliver and hide the skimming scripts. It’s a shift from earlier tactics where attackers conspicuously injected the malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-unco… ∗∗∗ Anatomy of a DDoS amplification attack ∗∗∗ --------------------------------------------- Amplification attacks are one of the most common distributed denial of service (DDoS) attack vectors. These attacks are typically categorized as flooding or volumetric attacks, where the attacker succeeds in generating more traffic than the target can process, resulting in exhausting its resources due to the amount of traffic it receives. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/23/anatomy-of-ddos-amplific… ∗∗∗ New Research Paper: Pre-hijacking Attacks on Web User Accounts ∗∗∗ --------------------------------------------- In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. --------------------------------------------- https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/ ∗∗∗ Cybersecurity Community Warned of Fake PoC Exploits Delivering Malware ∗∗∗ --------------------------------------------- Researchers have spotted fake proof-of-concept (PoC) exploits that appear to have been created by threat actors in an effort to deliver malware to members of the cybersecurity community. --------------------------------------------- https://www.securityweek.com/cybersecurity-community-warned-fake-poc-exploi… ∗∗∗ Die wichtigsten Einstellungen für ein sicheres Smartphone ∗∗∗ --------------------------------------------- Das Smartphone ist mittlerweile ein treuer Begleiter. Kontaktinformationen, Termine, Fotos, Bankdaten und Nachrichten befinden sich auf unseren Geräten. Kein Wunder, dass uns ein ungutes Gefühl überkommt, wenn das Smartphone nicht auffindbar und möglicherweise verloren gegangen ist. Am Smartphone sind viele persönliche Daten gespeichert und diese gilt es zu schützen. --------------------------------------------- https://www.watchlist-internet.at/news/die-wichtigsten-einstellungen-fuer-e… ∗∗∗ Breaking out of Windows Kiosks using only Microsoft Edge ∗∗∗ --------------------------------------------- I will take you through the steps that I performed to get code execution on a Windows kiosk host using ONLY Microsoft Edge. --------------------------------------------- https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-… ===================== = Vulnerabilities = ===================== ∗∗∗ Zyxel: Lücken in Access-Points, Access-Point-Controllern und Firewalls ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Zyxel warnt vor mehreren Sicherheitslücken in den Access-Points, Access-Point-Controllern sowie Firewalls. Updates sind verfügbar. --------------------------------------------- https://heise.de/-7108626 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openldap), Fedora (curl), Oracle (kernel and kernel-container), Red Hat (maven:3.5), SUSE (cacti, cacti-spine, firefox, go1.18, openldap2, python-requests, rsyslog, and slurm_20_11), and Ubuntu (firefox, htmldoc, libpng, libxfixes, libxrender, thunderbird, and vim). --------------------------------------------- https://lwn.net/Articles/896114/ ∗∗∗ CVE-2022-25237: Bonitasoft Authorization Bypass and RCE ∗∗∗ --------------------------------------------- https://rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasof… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which is packaged in IBM ESS (CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM DataPower Gateway Operand affected by vulnerabilities in Go (CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-ope… ∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to DNS spoofing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-pot… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unauthorized user can send arbitrary data to the CLI commands and daemon (CVE-2020-4926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-22309 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM ESS ( CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Linux Kernel vulnerability may affect IBM Elastic Storage System (CVE-2021-4083) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit… ∗∗∗ Security Bulletin: A vulnerability in IBM JAVA JDK affects IBM Spectrum Scale packaged in IBM Elastic Storage System (CVE-2022-21291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage System (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2020-1968 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: IBM Security Verify Adapters are vulnerable to denial of service and bypass security restrictions due to OpenSSL (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-adapt… ∗∗∗ Security Bulletin: IBM Navigator for i is vulnerable to an SQL injection (CVE-2022-22495) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-vu… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerability in JRE ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which is packaged in IBM ESS (CVE-2020-4926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Operator may be vulnerable to denial of service due to CVE-2021-38561 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0646 ∗∗∗ Matrikon OPC Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-144-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2022
by Daily end-of-shift report 23 May '22

23 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-05-2022 18:00 − Montag 23-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Malicious PyPI package opens backdoors on Windows, Linux, and Macs ∗∗∗ --------------------------------------------- Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-opens… ∗∗∗ How to find NPM dependencies vulnerable to account hijacking ∗∗∗ --------------------------------------------- Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains. --------------------------------------------- https://www.theregister.com/2022/05/23/npm_dependencies_vulnerable/ ∗∗∗ Conti Ransomware Operation Shut Down After Brand Becomes Toxic ∗∗∗ --------------------------------------------- The Conti brand’s downfall appears to have started in late February, after Russia launched an invasion of Ukraine. --------------------------------------------- https://www.securityweek.com/conti-ransomware-operation-shut-down-after-bra… ∗∗∗ Wenn nach einer Bestellung auf Vinted ein Zalando-Paket ankommt… ∗∗∗ --------------------------------------------- Sie haben etwas auf Vinted gekauft aber ein Zalando-Paket erhalten? Dann sollten Sie rasch handeln. Dabei handelt es sich nämlich um eine Betrugsmasche. --------------------------------------------- https://www.watchlist-internet.at/news/wenn-nach-einer-bestellung-auf-vinte… ∗∗∗ Botnet bedroht Linux-Server ∗∗∗ --------------------------------------------- Schützen Sie Ihre Linux-Server vor XorDdoS, einem Botnet, das im Internet nach SSH-Servern mit schwachen Passwörtern sucht, warnt Microsoft. --------------------------------------------- https://www.zdnet.de/88401426/botnet-bedroht-linux-server/ ∗∗∗ Windows Defender Application Control: Empfohlene Blockierungsregeln (Mai 2022) ∗∗∗ --------------------------------------------- In Windows 10 und Windows 11 sind Windows Defender Application Control (WDAC) und AppLocker als Features in den Unternehmensvarianten (Windows 10/11 Enterprise) als Sicherheitsfunktionen verfügbar. Nun hat Microsoft Mitte Mai 2022 eine Liste der empfohlenen Blockierungsregeln veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/05/22/windows-defender-application-contr… ===================== = Vulnerabilities = ===================== ∗∗∗ PDF smuggles Microsoft Word doc to drop Snake Keylogger malware ∗∗∗ --------------------------------------------- Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-… ∗∗∗ Jetzt patchen! Angreifer attackieren Cisco 8000 Series Router ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat Sicherheitsupdates für verschiedene Netzwerk-Komponenten veröffentlicht. --------------------------------------------- https://heise.de/-7102828 ∗∗∗ Oracle warnt vor Sicherheitslücke in E-Business Suite ∗∗∗ --------------------------------------------- Oracle veröffentlicht Updates eigentlich quartalsweise zum Critical-Patch-Update-Termin. Ein Patch schließt bereits jetzt eine Lücke in der E-Business-Suite. --------------------------------------------- https://heise.de/-7102875 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (admesh, condor, firefox-esr, libpgjava, libxml2, rsyslog, and thunderbird), Fedora (dotnet6.0, libarchive, php-openpsa-universalfeedcreator, thunderbird, and vim), Mageia (ffmpeg, kernel, kernel-linus, microcode, netatalk, nvidia-current, nvidia390, opencontainers-runc, postgresql, and ruby-nokogiri), Slackware (mariadb and mozilla), and SUSE (curl, firefox, libarchive, librecad, libxls, openldap2, php7, and postgresql10). --------------------------------------------- https://lwn.net/Articles/896032/ ∗∗∗ Password policy guidance ∗∗∗ --------------------------------------------- Why do we need strong passwords? Passwords are stored by using a one-way hashing algorithm to generate a representation of the original password on a securely designed system. --------------------------------------------- https://www.pentestpartners.com/security-blog/password-policy-guidance/ ∗∗∗ Denial of Service Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220601-… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is vulnerable to remote code execution and denial of service due to multiple Expat CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to server-side request forgery due to Python (CVE-2021-29921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: TXSeries for Multiplatforms is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-txseries-for-multiplatfor… ∗∗∗ Security Bulletin: Vulnerability in Curl affects IBM Cloud Private and could allow a remote attacker to bypass security restrictions (CVE-2021-22926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-curl-aff… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ K08832573: DHCP vulnerability CVE-2021-25217 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08832573 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2022
by Daily end-of-shift report 20 May '22

20 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-05-2022 18:00 − Freitag 20-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices ∗∗∗ --------------------------------------------- Observing a 254% increase in activity over the last six months from a versatile Linux trojan called XorDdos, the Microsoft 365 Defender research team provides in-depth analysis into this stealthy malwares capabilities and key infection signs. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper… ∗∗∗ Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware ∗∗∗ --------------------------------------------- Fraudulent domains masquerading as Microsofts Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware. --------------------------------------------- https://thehackernews.com/2022/05/hackers-trick-users-with-fake-windows.html ∗∗∗ Cytroxs Predator Spyware Targeted Android Users with Zero-Day Exploits ∗∗∗ --------------------------------------------- Googles Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. --------------------------------------------- https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.h… ∗∗∗ Metastealer – filling the Racoon void ∗∗∗ --------------------------------------------- MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year. --------------------------------------------- https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-voi… ∗∗∗ Emotet Being Distributed Using Various Files ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of Emotet through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, it was found that the Emotet downloader uses Excel files as well as link files (.lnk). --------------------------------------------- https://asec.ahnlab.com/en/34556/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Security Alert for CVE-2022-21500 - 19 May 2022 ∗∗∗ --------------------------------------------- This Security Alert addresses vulnerability CVE-2022-21500, which affects some deployments of Oracle E-Business Suite. --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2022-21500.html ∗∗∗ Angreifer könnten mit DNS-Software BIND erstellte TLS-Sessions "zerstören" ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für BIND, welches Admins zeitnah installieren sollten. --------------------------------------------- https://heise.de/-7101032 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (ark, openldap, and thunderbird), Fedora (freetype and vim), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, container-tools:3.0, glibc, kernel, rsync, and subversion:1.10), Scientific Linux (kernel), SUSE (dcraw, firefox, glib2, ImageMagick, kernel-firmware, libxml2, libyajl, php7, ucode-intel, and unrar), and Ubuntu (openldap). --------------------------------------------- https://lwn.net/Articles/895862/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-23450, CVE-1999-0001) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Spoofing (CVE-2022-22365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Robotic Process Automation with Automation Anywhere is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-39038, CVE-1999-0002) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS) vulnerability (CVE-2021-39043) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) ∗∗∗ --------------------------------------------- https://www.pentestpartners.com/security-blog/galleon-nts-6002-gps-command-… ∗∗∗ Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/ ∗∗∗ Grafana: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0639 ∗∗∗ Trend Micro Security Produkte: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0638 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2022
by Daily end-of-shift report 19 May '22

19 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-05-2022 18:00 − Donnerstag 19-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Lazarus hackers target VMware servers with Log4Shell exploits ∗∗∗ --------------------------------------------- The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware Horizon servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmwar… ∗∗∗ iPhone aus, Funk bleibt an: Sicherheitsforscher sehen neue Angriffsfläche ∗∗∗ --------------------------------------------- Auf einem abgeschalteten iPhone kann Malware laufen, warnt ein Forschungsteam der TU Darmstadt. Apples Low-Power-Mode fehlen Schutzvorkehrungen. --------------------------------------------- https://heise.de/-7099330 ∗∗∗ Qnap warnt vor Ransomware-Angriffen auf Netzwerkspeicher ∗∗∗ --------------------------------------------- Der Hersteller Qnap warnt vor neuen Angriffen mit Ransomware auf die Netzwerkspeicher des Unternehmens. Admins sollen bereitstehende Updates zügig installieren. --------------------------------------------- https://heise.de/-7099676 ∗∗∗ „Domain ist abgelaufen“: Ignorieren Sie die E-Mail im Namen von domaintechnik.at ∗∗∗ --------------------------------------------- Sie besitzen eine Website? Dann sollten Sie sich vor betrügerischen Phishing-Mails in Acht nehmen, die derzeit im Namen von domaintechnik.at versendet werden. Darin behaupten Kriminelle, dass sie eine Bestellung nicht bearbeiten konnten und daher Ihre Domain sperren mussten. Um die Domain zu verlängern, werden Sie dazu aufgefordert auf einen Link zu klicken und Ihre Kreditkartendaten einzugeben. --------------------------------------------- https://www.watchlist-internet.at/news/domain-ist-abgelaufen-ignorieren-sie… ===================== = Vulnerabilities = ===================== ∗∗∗ Attacken auf VMware-Sicherheitslücken: Jetzt updaten! ∗∗∗ --------------------------------------------- Die US-amerikanische CISA warnt vor Angriffen auf mehrere Sicherheitslücken in VMware-Produkten. VMware dichtet zudem neu entdeckte Schwachstellen ab. --------------------------------------------- https://heise.de/-7099531 ∗∗∗ iTunes 12.12.4 for Windows ∗∗∗ --------------------------------------------- This document describes the security content of iTunes 12.12.4 for Windows. --------------------------------------------- https://support.apple.com/kb/HT213259 ∗∗∗ Cisco Security Advisories 2022-05-18 ∗∗∗ --------------------------------------------- Cisco published 5 Security Advisories (5 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht WordPress-Websites mit Jupiter Theme ∗∗∗ --------------------------------------------- Mit dem Theme-Builder Jupiter Theme oder Jupiter X Core Plugin erstellte WordPress-Websites sind verwundbar. --------------------------------------------- https://heise.de/-7099655 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (microcode_ctl, rubygem-nokogiri, and vim), Mageia (htmldoc, python-django, and python-oslo-utils), Red Hat (container-tools:2.0, kernel, kernel-rt, kpatch-patch, and pcs), SUSE (ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud, autotrace, curl, firefox, libslirp, php7, poppler, slurm_20_11, and ucode-intel), and Ubuntu (bind9, gnome-control-center, and libxrandr). --------------------------------------------- https://lwn.net/Articles/895771/ ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- CB-K22/0632: Zoom Video Communications Zoom Client: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen. Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Zoom Video Communications Zoom Client ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0632 ∗∗∗ Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-040 ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnarable to exposure of sensitive information (CVE-20204970) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-27928 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-installation-on-r… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ K18484125: Eclipse Jetty vulnerability CVE-2020-27216 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18484125 ∗∗∗ K82896488: Cyrus SASL vulnerability CVE-2022-24407 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82896488 ∗∗∗ K21548854: zlib vulnerability CVE-2018-25032 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21548854 ∗∗∗ K83120834: Diffie-Hellman key agreement protocol vulnerability CVE-2002-20001 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K83120834 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-139-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.05.2022
by Daily end-of-shift report 18 May '22

18 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-05-2022 18:00 − Mittwoch 18-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft warns of brute-force attacks targeting MSSQL servers ∗∗∗ --------------------------------------------- Microsoft warned of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-warns-of-brute-for… ∗∗∗ Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang ∗∗∗ --------------------------------------------- The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. --------------------------------------------- https://thehackernews.com/2022/05/researchers-expose-inner-working-of.html ∗∗∗ We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere ∗∗∗ --------------------------------------------- A guide to relaying credentials everywhere in 2022. --------------------------------------------- https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-gu… ∗∗∗ Gefährliche PayPal-Phishing-Nachricht in Umlauf ∗∗∗ --------------------------------------------- In einer gefährlichen PayPal-Phishing-Mail wird behauptet „Aktion fur Ihr PayPal-Konto erforderlich“. Die Nachricht ist im PayPal-Design gehalten und spielt vor, dass eine Transaktion für Glücksspiel aufgehalten und Ihr Konto deshalb eingeschränkt wurde. Schenken Sie dem keinen Glauben und geben Sie keine Daten bekannt! Man versucht Ihre PayPal-Login-Daten und Ihre Kreditkartendaten zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/gefaehrliche-paypal-phishing-nachric… ∗∗∗ EntropyCapture: Simple Extraction of DPAPI Optional Entropy ∗∗∗ --------------------------------------------- During a short application assessment, enumeration and decryption of a third-party application’s Windows Data Protection API (DPAPI) blobs using SharpDPAPI produced non-readable data because optional entropy was being used. --------------------------------------------- https://posts.specterops.io/entropycapture-simple-extraction-of-dpapi-optio… ===================== = Vulnerabilities = ===================== ∗∗∗ BIND: Destroying a TLS session early causes assertion failure (CVE-2022-1183) ∗∗∗ --------------------------------------------- An assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early. --------------------------------------------- https://kb.isc.org/docs/cve-2022-1183 ∗∗∗ VMSA-2022-0014 ∗∗∗ --------------------------------------------- VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0014.html ∗∗∗ Sicherheitsupdates: Schadcode-Lücken in GPU-Treibern von Nvidia geschlossen ∗∗∗ --------------------------------------------- Berechnen Nvidia-Grafikkarten von Angreifern präparierte Shader, kann es zu Sicherheitsproblemen kommen. --------------------------------------------- https://heise.de/-7097875 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (elog, needrestart, openssl, and waitress), Fedora (curl, libxml2, slurm, and vim), Scientific Linux (zlib), SUSE (e2fsprogs, nodejs10, php72, and thunderbird), and Ubuntu (apport, clamav, needrestart, and pcre3). --------------------------------------------- https://lwn.net/Articles/895642/ ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to HTTP header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to temporary DoS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: Heap-Based Buffer Overflow in Mozilla Network Security Services (NSS) may affect IBM Spectrum Protect Plus (CVE-2021-43527) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-heap-based-buffer-overflo… ∗∗∗ Security Bulletin: Vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ht… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectexpre… ∗∗∗ Security Bulletin: IBM DataPower Gateway: Update Redis to remediate two CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-upd… ∗∗∗ Synology-SA-22:07 Synology Calendar ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_07 ∗∗∗ GIMP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0623 ∗∗∗ SMA100 post-authentication Remote Command Execution vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0010 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2022
by Daily end-of-shift report 17 May '22

17 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 16-05-2022 18:00 − Dienstag 17-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers target Tatsu WordPress plugin in millions of attacks ∗∗∗ --------------------------------------------- All users of the Tatsu Builder plugin are strongly recommended to upgrade to version 3.3.13 to avoid attack risks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-target-tatsu-wordpre… ∗∗∗ Over 380 000 open Kubernetes API servers ∗∗∗ --------------------------------------------- We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report. --------------------------------------------- https://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/ ∗∗∗ UpdateAgent Returns with New macOS Malware Dropper Written in Swift ∗∗∗ --------------------------------------------- A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. --------------------------------------------- https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html ∗∗∗ Weak Security Controls and Practices Routinely Exploited for Initial Access ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-137a ∗∗∗ Fahrräder im Internet kaufen: Vorsicht vor Fake-Shops ∗∗∗ --------------------------------------------- Im Internet gibt es zahlreiche Fake-Shops für Fahrräder und Zubehör. vandeyk-sport.com, motaza.shop oder nemino.net sind nur einige wenige Beispiele. Diese Fake-Shops bieten Fahrräder, die sonst schon überall ausverkauft sind – auch noch zu einem günstigeren Preis als andere Online-Shops! Außerdem können Sie nur vorab bezahlen. Finger weg: Sie erhalten keine Lieferung! --------------------------------------------- https://www.watchlist-internet.at/news/fahrraeder-im-internet-kaufen-vorsic… ===================== = Vulnerabilities = ===================== ∗∗∗ iOS und iPadOS 15.5 sind da: Bugfixes und kleinere Verbesserungen ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Dienstag iOS 15.5 und iPadOS 15.5 freigegeben. Es handelt sich um kleinere Aktualisierungen, die Fehler beheben und minimale Verbesserungen bringen. --------------------------------------------- https://heise.de/-7096570 ∗∗∗ macOS 12.4 und Sicherheitsupdates für Big Sur und Catalina erhältlich ∗∗∗ --------------------------------------------- Neben iOS 15.5 liefert Apple auch neue Betriebssysteme für Mac, Apple TV, Apple Watch, HomePod und das Studio Display. --------------------------------------------- https://heise.de/-7096585 ∗∗∗ Zugangskontrolle: Aruba schließt Sicherheitslücken in ClearPass Policy Manager ∗∗∗ --------------------------------------------- Mit Arubas ClearPass Policy Manager können Administratoren die Zugangskontrolle regeln. Sicherheitslücken darin ermöglichen Angreifern die komplette Übernahme. --------------------------------------------- https://heise.de/-7097151 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cifs-utils, ffmpeg, libxml2, and vim), Fedora (rsyslog), Mageia (chromium-browser-stable), SUSE (chromium, containerd, docker, e2fsprogs, gzip, jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core, kernel, nodejs8, openldap2, pidgin, podofo, slurm, and tiff), and Ubuntu (clamav, containerd, libxml2, and openldap). --------------------------------------------- https://lwn.net/Articles/895521/ ∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗ --------------------------------------------- Original release date: May 16, 2022The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review Apache’s security advisory and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/16/apache-releases-s… ∗∗∗ Nvidia Sicherheitsupdates für Kepler GTX 700/600 GPU WHQL-Treiber (473.47) freigegeben ∗∗∗ --------------------------------------------- Hersteller Nvidia hat zum 16. Mai 2022 ein Sicherheitsupdate für den Grafiktreiber der Kepler GeForce GPUs freigegeben. --------------------------------------------- https://www.borncity.com/blog/2022/05/17/nvidia-sicherheitsupdates-fr-keple… ∗∗∗ Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver ∗∗∗ --------------------------------------------- Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. --------------------------------------------- http://blog.talosintelligence.com/2022/05/vuln-spotlight-nvidia-driver-memo… ∗∗∗ Spring Security 5.7.0, 5.6.4, 5.5.7 Released - Fixes CVE-2022-22975 & CVE-2022-22976 ∗∗∗ --------------------------------------------- Spring Security 5.7.0 (release notes), 5.6.4 (release notes), 5.5.7 (release notes) have been released which fix CVE-2022-22978, CVE-2022-22976. Please update as soon as possible. --------------------------------------------- https://spring.io/blog/2022/05/15/spring-security-5-7-0-5-6-4-5-5-7-release… ∗∗∗ Security Bulletin: IBM MQ Operator and IBM supplied MQ Advanced container images are vulnerable to multiple issues from Red Hat UBI packages and the IBM WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-ibm-s… ∗∗∗ Security Bulletin: Potential Denial of Service in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-denial-of-servi… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple vulnerabilities due to IBM Java Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-external-aut… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to cross-site scripting due to Select2 CVE-2016-10744 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: OpenSSL (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM DataPower vulnerable to DoS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-vulnerable-… ∗∗∗ Security Bulletin: IBM DataPower Gateway API Gateway component potentially vulnerable to a Denial of Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-api… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from expat, Golang Go, gcc, openssl and libxml. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: IBM Sterling External Authentication Server is vulnerable to improper validation of certificates ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-external-aut… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple vulnerabilities due to IBM Java Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-secure-proxy… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to DOS due to Eclipse Jetty CVE-2018-12545 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to permission control vulnerability (CVE-2022-22482) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling Secure Proxy is vulnerable to improper validation of certificates (CVE-2021-29726) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-secure-proxy… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to phishing attacks due to URI.js. CVE-2022-0868 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service und Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0618 ∗∗∗ Circutor COMPACT DC-S BASIC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-137-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2022
by Daily end-of-shift report 16 May '22

16 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-05-2022 18:00 − Montag 16-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft warnt vor Sysrv-Botnet ∗∗∗ --------------------------------------------- Eine neue Variante des Sysrv-Botnets hat Microsoft beobachtet, die Windows- und Linux-Systeme befällt, um Kryptowährungen zu schürfen. --------------------------------------------- https://heise.de/-7095053 ∗∗∗ HTML attachments in phishing e-mails ∗∗∗ --------------------------------------------- In this article we review phishing HTML attachments, explaining common tricks the attackers use, and give statistics on HTML attachments detected by Kaspersky solutions. --------------------------------------------- https://securelist.com/html-attachments-in-phishing-e-mails/106481/ ∗∗∗ Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys ∗∗∗ --------------------------------------------- We recently observed a number of apps on Google Play designed to perform malicious activities such as stealing user credentials and other sensitive user information, including private keys. Because of the number and popularity of these apps — some of them have been installed over a hundred thousand times — we decided to shed some light on what these apps actually do by focusing on some of the more notable examples. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-faceb… ∗∗∗ SIP Digest Leak: Angriff auf SIP-Konten ∗∗∗ --------------------------------------------- Im Fachartikel "SIP Digest Leak" beschreibt IT Security Consultant Moritz Abrell einen SIP-spezifischen Angriff auf VoIP-Systeme. --------------------------------------------- https://www.syss.de/pentest-blog/sip-digest-leak-angriff-auf-sip-konten ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in Sonicwall SMA 1000 und SSL-VPN erlauben unbefugten Zugriff ∗∗∗ --------------------------------------------- Sonicwall schließt mehrere Sicherheitslücken in Firmwares von SMA-1000-Geräten und in SSL-VPN NetExtender. Angreifer könnten sich etwa Zugriff verschaffen. --------------------------------------------- https://heise.de/-7092533 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (gzip, java-1.8.0-openjdk, java-11-openjdk, and zlib), Debian (adminer, htmldoc, imagemagick, libgoogle-gson-java, lrzip, openjdk-8, openssl, and ruby-nokogiri), Fedora (ecdsautils, et, libxml2, podman, and supertux), Mageia (cairo, clamav, curl, fish, freetype2, golang-github-prometheus-client, python-django-registration, python-nbxmpp, python-waitress, and xmlrpc-c), Red Hat (pcs), SUSE (curl, kernel, pidgin, and webkit2gtk3), and Ubuntu (tiff). --------------------------------------------- https://lwn.net/Articles/895392/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Information Disclosure in IBM Spectrum Protect Operations Center Browser's History (CVE-2022-22484) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2022-22950, XFID:217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information disclosure (CVE-2020-4957) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a potential issue in jackson-databind – fasterxml-jackson (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Case Manager is vulnerable to cross-site scripting – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-case-manager-is-vulne… ∗∗∗ Security Bulletin: Vulnerabilities with OpenSSL affect IBM Cloud Object Storage Systems (May 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-open… ∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-a… ∗∗∗ Pepperl+Fuchs: RSM-EX devices - Multiple Bluetooth vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-021/ ∗∗∗ Webmin: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0609 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2022
by Daily end-of-shift report 13 May '22

13 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-05-2022 18:00 − Freitag 13-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Zyxel Firewalls als Schlupfloch in Firmen-Netzwerke ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt eine kritische Lücke in mehreren Firewall-Modellen von Zyxel. --------------------------------------------- https://heise.de/-7090269 ∗∗∗ Desktop-Firewall ZoneAlarm: Kritische Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Desktop-Firewall ZoneAlarm könnte Angreifern ermöglichen, ihre Rechte im System auszuweiten und somit die Kontrolle zu übernehmen. --------------------------------------------- https://heise.de/-7090411 ∗∗∗ Crypto-Betrug: Vorsicht vor Yuan Pay Group ∗∗∗ --------------------------------------------- Investitionsplattformen für Crypto-Währungen gibt es wie Sand am Meer. Sie locken mit dem großen Geld bei nur 250€ Investment. Der Haken: Haben Sie einmal investiert, sehen Sie ihr Geld oft nie wieder. Hier finden Sie eine Anleitung wie Sie Crypto-Scams erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/crypto-betrug-vorsicht-vor-yuan-pay-… ∗∗∗ BIOS-Updates fixen kritische Schwachstellen in HPs Business- und Consumer-Modellen sowie in Intel-CPUs (Mai 2022) ∗∗∗ --------------------------------------------- Der Hersteller Hewlett Packard (HP) hat die Tage einen Sicherheitshinweis (Security Advisory) veröffentlicht. Diese Warnung adressiert zwei Schwachstellen in der Firmware von über 200 HP-Modellen (Business- und Consumer-Varianten), die ein Überschreiben der Firmware ermöglichen. Die Schwachstellen wurden mit einem Sicherheits-Score von 8.8 eingestuft – Updates stehen zur Verfügung. Weiterhin hat Intel einen Sicherheitshinweis auf eine Schwachstelle im BIOS von Intel-Systemen hingewiesen, die ebenfalls mit dem Score von 8.2 versehen sind und eine Privilegien-Ausweitung ermöglichen. --------------------------------------------- https://www.borncity.com/blog/2022/05/13/bios-updates-fixen-kritische-schwa… ∗∗∗ Eternity malware kit offers stealer, miner, worm, ransomware tools ∗∗∗ --------------------------------------------- Threat actors have launched the Eternity Project, a new malware-as-a-service where threat actors can purchase a malware toolkit that can be customized with different modules depending on the attack being conducted. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-… ∗∗∗ Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla ∗∗∗ --------------------------------------------- We analyze a malicious compiled HTML help file delivering Agent Tesla, following the chain of attack through JavaScript and multiple stages of PowerShell. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-2022-068: Dell iDRAC9 Security Update for an Improper Authentication Vulnerability ∗∗∗ --------------------------------------------- Dell iDRAC9 versions 5.00.00.00 and later but before 5.10.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access to the VNC Console. --------------------------------------------- https://www.dell.com/support/kbdoc/en-us/000199267/dsa-2022-068-dell-idrac9… ∗∗∗ CVE-2022-1552 Autovacuum, REINDEX, and others omit "security restricted operation" sandbox ∗∗∗ --------------------------------------------- Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck made incomplete efforts to operate safely when a privileged user is maintaining another users objects. Those commands activated relevant protections too late or not at all. An attacker having permission to create non-temp objects in at least one schema could execute arbitrary SQL functions under a superuser identity. --------------------------------------------- https://www.postgresql.org/support/security/CVE-2022-1552/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, postgresql-11, postgresql-13, and waitress), Fedora (curl, java-1.8.0-openjdk-aarch32, keylime, and pcre2), Oracle (gzip and zlib), Red Hat (subversion:1.10), SUSE (clamav, documentation-suse-openstack-cloud, kibana, openstack-keystone, openstack-monasca-notification, e2fsprogs, gzip, and kernel), and Ubuntu (libvorbis and rsyslog). --------------------------------------------- https://lwn.net/Articles/895202/ ∗∗∗ Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones. --------------------------------------------- https://blog.talosintelligence.com/2022/05/blog-post-.html ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in the Delta Electronics CNCSoft software management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-01 ∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authorization, Out-of-bounds Write, NULL Pointer Dereference, Classic Buffer Overflow, HTTP Request Smuggling, and Infinite Loop vulnerabilities in Mitsubishi Electric MELSOFT iQ AppPortal products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-02 ∗∗∗ Cambium Networks cnMaestro ∗∗∗ --------------------------------------------- This advisory contains mitigations for OS Command Injection, SQL Injection, Path Traversal, and Use of Potentially Dangerous Function vulnerabilities in the Cambium Networks cnMaestro network management system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-04 ∗∗∗ SonicWall SSLVPN SMA1000 series affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- SonicWall SSLVPN SMA1000 series appliances are affected by the below listed multiple vulnerabilities, organizations running previous versions of SSLVPN SMA1000 series firmware should upgrade to new firmware release versions. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0009 ∗∗∗ ZDI-CAN-15739 Trend Micro Maximum Security Link Following Arbitrary File Deletion Vulnerability ∗∗∗ --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-11017 ∗∗∗ K67090077: Apache HTTP Server vulnerability CVE-2022-22720 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67090077 ∗∗∗ HP Computer: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0606 ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22316 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021and Jan 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2021-4160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go CVE-2021-43565 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Multiple Security vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to stack exhaustion by Go CVE-2022-24921 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to SQL Injection (CVE-2022-22413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2022-0155 & CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22325 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2022-22950, CVE-2021-22096, CVE-2022-22968, CVE-2021-22060). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2022
by Daily end-of-shift report 12 May '22

12 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-05-2022 18:00 − Donnerstag 12-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Backdoor in public repository used new form of attack to target big firms ∗∗∗ --------------------------------------------- A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad. --------------------------------------------- https://arstechnica.com/?p=1853739 ∗∗∗ "Ive Found Some Bad Domains—Now What?" ∗∗∗ --------------------------------------------- When we talk about investigating bad domains, the focus of the story is usually the starting clues, but what about after you’ve identified bad domains? This blog discusses the approaches to take once a bad domain has been identified. --------------------------------------------- https://www.domaintools.com/resources/blog/ive-found-some-bad-domains-now-w… ∗∗∗ Massive WordPress JavaScript Injection Campaign Redirects to Ads ∗∗∗ --------------------------------------------- As outlined in our latest hacked website report, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone. --------------------------------------------- https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-camp… ∗∗∗ Everything We Learned From the LAPSUS$ Attacks ∗∗∗ --------------------------------------------- There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property and threatens to leak that information unless a ransom is paid. --------------------------------------------- https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html ∗∗∗ Spoofing SaaS Vanity URLs for Social Engineering Attacks ∗∗∗ --------------------------------------------- While vanity URLs provide a custom, easy-to-remember link, Varonis Threat Labs discovered that some applications do not validate the legitimacy of the vanity URL’s subdomain (e.g., yourcompany.example.com), but instead only validate the URI (e.g., /s/1234). As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company’s sanctioned SaaS account. --------------------------------------------- https://www.varonis.com/blog/url-spoofing ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-759: Trend Micro Password Manager Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-759/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (microcode_ctl, mingw-SDL2_ttf, seamonkey, and thunderbird), Mageia (cifs-utils, gerbv, golang, libcaca, libxml2, openssl, python-pillow, python-rencode, python-twisted, python-ujson, slurm, and sqlite3), Red Hat (gzip, kernel, kpatch-patch, podman, rsync, subversion:1.10, and zlib), Scientific Linux (gzip), Slackware (curl), SUSE (clamav), and Ubuntu (curl, firefox, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-oem-5.14) --------------------------------------------- https://lwn.net/Articles/895063/ ∗∗∗ Sandbox Escape mit Root Access & Klartext-Passwörtern in zahlreichen Konica Minolta bizhub MFP Drucker Terminals ∗∗∗ --------------------------------------------- Zahlreiche Konica Minolta MFP bizhub Geräte, sowie Geräte anderer Hersteller mit derselben Firmware, sind anfällig für einen Sandbox Breakout über den internen Browser, der die Hilfe-Menüs anzeigt. Der Browser selbst ist mit root-Rechten gestartet, was einen Zugriff auf das komplette Dateisystem ermöglicht. In einer Datei des Dateisystems befand sich das Administratorpasswort für das Webinterface des Druckers im Klartext. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/sandbox-escape-with-r… ∗∗∗ CVE-2022-0024 PAN-OS: Improper Neutralization Vulnerability Leads to Unintended Program Execution During Configuration Commit (Severity: HIGH) ∗∗∗ --------------------------------------------- A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system processes and potentially execute arbitrary code with root privileges when the configuration is committed on both hardware and virtual firewalls. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0024 ∗∗∗ CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection ∗∗∗ --------------------------------------------- Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-fire… ∗∗∗ Intel: May 2022 Patchday ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/default.html ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initializ… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple issues in IBM® Runtime Environment Java™ Technology Edition, Version 8 and Version 7 (CVE-2021-35578, CVE-2021-35588, CVE-2021-41035) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple Eclipse Jetty issues ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jsoup vulnerability (CVE-2021-37714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ WebConsole and REST API are affected by CVE-2021-39031. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-webconsole-and-res… ∗∗∗ Check Point Zone Alarm: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0595 ∗∗∗ CVE-2022-0025 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0025 ∗∗∗ CVE-2022-0026 Cortex XDR Agent: Unintended Program Execution Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0