- Daily - CERT.at

Tageszusammenfassung - 02.08.2022
by Daily end-of-shift report 02 Aug '22

02 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 01-08-2022 18:00 − Dienstag 02-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft announces new solutions for threat intelligence and attack surface management ∗∗∗ --------------------------------------------- Defenders are up against the most sophisticated threat landscape we’ve ever seen. Today, we’re proud to execute our threat intelligence vision behind that acquisition and announce several new solutions to help security teams get ahead of adversaries and catch what others miss. --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/02/microsoft-announces-new-… ∗∗∗ Raccoon Stealer v2: The Latest Generation of the Raccoon Family ∗∗∗ --------------------------------------------- In this blog, ThreatLabz will analyze Raccoon Stealer v2 in the exe format, and highlight key differences from its predecessors. --------------------------------------------- https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-g… ∗∗∗ Analyzing Attack Data and Trends Targeting Log4J ∗∗∗ --------------------------------------------- The Log4j vulnerability, initially reported in November 2021, has affected millions of devices and applications around the world. --------------------------------------------- https://www.wordfence.com/blog/2022/08/analyzing-attack-data-and-trends-tar… ∗∗∗ Die Watchlist Internet ist jetzt auf Instagram ∗∗∗ --------------------------------------------- Wir versorgen Sie ab sofort auch auf Instagram mit Warnungen vor Internetbetrug. In den Beiträgen und Storys zeigen wir Ihnen, wie Sie sich vor Internetbetrug schützen, Fallen rasch erkennen und sicher im Internet surfen. --------------------------------------------- https://www.watchlist-internet.at/news/die-watchlist-internet-ist-jetzt-auf… ∗∗∗ giesler-drogerie.com ist Fake ∗∗∗ --------------------------------------------- Bei giesler-drogerie.com finden Sie günstige Parfums, Styling-Produkte und Kosmetikartikel. Das vollständige Impressum sowie die angeführten Kontaktmöglichkeiten vermitteln einen seriösen Eindruck. Die Angaben sind aber gefälscht. Wenn Sie dort einkaufen, verlieren Sie Ihr Geld und erhalten keine Lieferung. --------------------------------------------- https://www.watchlist-internet.at/news/giesler-drogeriecom-ist-fake/ ∗∗∗ Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities ∗∗∗ --------------------------------------------- The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area. --------------------------------------------- http://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misus… ∗∗∗ Manjusaka: A Chinese sibling of Sliver and Cobalt Strike ∗∗∗ --------------------------------------------- Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework. --------------------------------------------- http://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html ===================== = Vulnerabilities = ===================== ∗∗∗ VMware urges admins to patch critical auth bypass bug immediately ∗∗∗ --------------------------------------------- VMware has warned admins today to patch a critical authentication bypass security flaw affecting local domain users in multiple products and enabling unauthenticated attackers to gain admin privileges. --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-patch… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl and jetty9), Fedora (dovecot), Gentoo (vault), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and squid), SUSE (booth, dovecot22, dwarves and elfutils, firefox, gimp, java-11-openjdk, kernel, and oracleasm), and Ubuntu (linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, net-snmp, and samba). --------------------------------------------- https://lwn.net/Articles/903555/ ∗∗∗ Go-Based Apps Vulnerable to Attacks Due to URL Parsing Issue ∗∗∗ --------------------------------------------- Israeli cloud-native application security testing firm Oxeye discovered that the way URL parsing is implemented in some Go-based applications creates vulnerabilities that could allow threat actors to conduct unauthorized actions. --------------------------------------------- https://www.securityweek.com/go-based-apps-vulnerable-attacks-due-url-parsi… ∗∗∗ GnuTLS patches memory mismanagement bug – update now! ∗∗∗ --------------------------------------------- https://nakedsecurity.sophos.com/2022/08/01/gnutls-patches-memory-mismanage… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by arbitrary code executiondue to GNU cpio (CVE-2021-38185) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ VMSA-2022-0021 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0021.html ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0880 ∗∗∗ FastStone ImageViewer: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0883 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2022
by Daily end-of-shift report 01 Aug '22

01 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-07-2022 18:00 − Montag 01-08-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Sicherheitslücken als Türöffner in Nuki Smart Lock entdeckt und geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten an zahlreichen Schwachstellen in verschiedenen smarten Türschlössern Nuki Smart Lock ansetzen. Die WLAN Bridge Nuki Bridge ist auch betroffen. --------------------------------------------- https://heise.de/-7194709 ∗∗∗ Adware-Apps aus Google Play tarnen sich auf Android-Geräten als Gestaltenwandler ∗∗∗ --------------------------------------------- Werbung auf Facebook für Fake-Apps zur Android-Systemoptimierung führt zu rund 7 Millionen Installationen. Opfer werden mit Werbeanzeigen belästigt. --------------------------------------------- https://heise.de/-7194655 ∗∗∗ Post-Quanten-Kryptographie: Verschlüsselung mit Isogenien ist unsicher ∗∗∗ --------------------------------------------- Ein Angriff auf den Schlüsselaustausch SIDH zeigt erneut, wie riskant experimentelle kryptographische Algorithmen sein können. --------------------------------------------- https://www.golem.de/news/post-quanten-kryptographie-verschluesselung-mit-i… ∗∗∗ BlackCat ransomware claims attack on European gas pipeline ∗∗∗ --------------------------------------------- The ransomware group known as ALPHV (aka BlackCat) has assumed over the weekend responsibility for the cyberattack that hit Creos Luxembourg last week, a natural gas pipeline and electricity network operator in the central European country. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-a… ∗∗∗ A Detailed Analysis of the RedLine Stealer ∗∗∗ --------------------------------------------- RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc. --------------------------------------------- https://securityscorecard.com/research/detailed-analysis-redline-stealer ∗∗∗ Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys ∗∗∗ --------------------------------------------- Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.h… ∗∗∗ A Little DDoS In the Morning, (Mon, Aug 1st) ∗∗∗ --------------------------------------------- Friday morning (at least it wasn't Friday afternoon), we got an alert that our database and web servers exceeded the expected load. Sometimes, this "happens." Often it is just some user innocently flooding our API with requests. We do use quite a bit of caching and such for requests, but it can happen that things pile up at the wrong time. So I took a look at the logs. In these cases, I first look at the top IPs sending requests to our API. --------------------------------------------- https://isc.sans.edu/diary/rss/28900 ∗∗∗ Month of PowerShell - PowerShell Remoting, Part 2 ∗∗∗ --------------------------------------------- In this article we finish up our look at PowerShell remoting by examining several options to run PowerShell commands on multiple remote systems. --------------------------------------------- https://www.sans.org/blog/powershell-remoting-part-2/ ∗∗∗ Month of PowerShell - Offensive PowerShell with Metasploit Meterpreter ∗∗∗ --------------------------------------------- In this article we look at how Metasploit Meterpreter can integrate PowerShell for extensible attacks in a red team or pen test engagement. --------------------------------------------- https://www.sans.org/blog/offensive-powershell-metasploit-meterpreter/ ∗∗∗ Month of PowerShell - Keyboard Shortcuts Like a Boss ∗∗∗ --------------------------------------------- In this article we look at several keyboard shortcuts to speed up your PowerShell sessions. --------------------------------------------- https://www.sans.org/blog/keyboard-shortcuts-boss/ ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Vulnerabilities & Patch Roundup — July 2022 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2022/07/wordpress-vulnerabilities-patch-roundup-jul… ∗∗∗ Arris / Arris-variant DSL/Fiber router critical vulnerability exposure ∗∗∗ --------------------------------------------- Multiple vulnerabilities exist in the MIT-licensed muhttpd web server. This web server is widely used in ISP customer premise equipment (CPE), most notably in Arris firmware used in router models (at least, possibly other) NVG443, NVG599, NVG589, NVG510, as well as ISP-customized variants such as BGW210 and BGW320 (Arris has declined to confirm affected models). --------------------------------------------- https://derekabdine.com/blog/2022-arris-advisory ∗∗∗ IBM Security Bulletins 2022-07-29 ∗∗∗ --------------------------------------------- IBM CICS TX Advanced, IBM CICS TX Standard, IBM PowerVM Novalink, IBM Sterling Secure Proxy, IBM DataPower Gateway, Rational Performance Tester, Rational Service Tester, Urbancode Deploy, IBM Robotic Process Automation, Cloud Pak System, IBM PowerVM Novalink, IBM Secure External Authentication Server. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf Thunderbird vorstellbar ∗∗∗ --------------------------------------------- Die Entwickler von Mozilla haben im E-Mail-Client Thunderbird mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7194671 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, [...] --------------------------------------------- https://lwn.net/Articles/903455/ ∗∗∗ HPE ProLiant und HP Integrated Lights-Out: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer oder ein Angreifer aus dem angrenzenden Netzwerk kann mehrere Schwachstellen in HPE ProLiant und HPE Integrated Lights-Out ausnutzen, um beliebigen Programmcode auszuführen, Daten zu manipulieren, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0870 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um beliebigen Programmcode mit Administratorrechten auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0867 ∗∗∗ HCL Commerce: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in HCL Commerce ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0866 ∗∗∗ Multiple Vulnerabilities in BF-OS ∗∗∗ --------------------------------------------- BOSCH-SA-013924-BT: Multiple vulnerabilities were identified in BF-OS version 3.x up to and including 3.83 used by Bigfish V3 and PR21 (Energy Platform) devices and Bigfish VM image, which are part of the data collection infrastructure of the Energy Platform solution. The most critical vulnerability may allow an unauthenticated remote attacker to gain administrative privileges to the device by brute-forcing a weak password. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html ∗∗∗ K21192332: Apache HTTP Server vulnerability CVE-2022-31813 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21192332 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.07.2022
by Daily end-of-shift report 29 Jul '22

29 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-07-2022 18:00 − Freitag 29-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Web-Portale: Seit sechs Jahren kostenlose Hilfe für Ransomware-Opfer ∗∗∗ --------------------------------------------- Mit etwas Glück findet man auf den Websites von ID Ransomware und No More Ransom Infos zu kostenlosen Entschlüsselungstools für einige Erpressungstrojaner. --------------------------------------------- https://heise.de/-7193953 ∗∗∗ Jetzt patchen! Attacken auf Atlassian Confluence ∗∗∗ --------------------------------------------- Nachdem ein Standard-Passwort auf Social-Media-Plattformen aufgetaucht ist, nehmen Angreifer Confluence ins Visier. Aber nicht alle Instanzen sind verwundbar. --------------------------------------------- https://heise.de/-7193458 ∗∗∗ LockBit operator abuses Windows Defender to load Cobalt Strike ∗∗∗ --------------------------------------------- Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-wind… ∗∗∗ Month of PowerShell - Renaming Groups of Files ∗∗∗ --------------------------------------------- In this article we look at how to automate a massive file-rename task using PowerShell. --------------------------------------------- https://www.sans.org/blog/renaming-groups-files?msc=rss ∗∗∗ Researchers Warns of Increase in Phishing Attacks Using Decentralized IPFS Network ∗∗∗ --------------------------------------------- The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months. --------------------------------------------- https://thehackernews.com/2022/07/researchers-warns-of-increase-in.html ∗∗∗ ENISA: Telecom Security Incidents 2021 ∗∗∗ --------------------------------------------- This report provides anonymised and aggregated information about major telecom security incidents in 2021. The 2021 annual summary contains reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries. --------------------------------------------- https://www.enisa.europa.eu/publications/telecom-security-incidents-2021 ∗∗∗ UEFI rootkits and UEFI secure boot ∗∗∗ --------------------------------------------- Kaspersky describes a UEFI-implant used to attack Windows systems. Based on it appearing to require patching of the system firmware image, they hypothesise that its propagated by manually dumping the contents of the system flash, modifying it, and then reflashing it back to the board. [..] But lets think about why this is in the firmware at all. --------------------------------------------- https://mjg59.dreamwidth.org/60654.html ∗∗∗ Microsoft has blocked hackers favourite trick. So now they are looking for a new route of attack ∗∗∗ --------------------------------------------- Microsofts default block on Office macro malware is working, which means hackers need to find a new way to carry out their attacks. --------------------------------------------- https://www.zdnet.com/article/microsoft-has-blocked-hackers-favourite-trick… ∗∗∗ Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products ∗∗∗ --------------------------------------------- Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? --------------------------------------------- https://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1031: OPC Labs QuickOPC Connectivity Explorer Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1031/ ∗∗∗ ABB Cyber Security Advisory: ABB Ability TM Operations Data Management Zenon Log Server file access control ∗∗∗ --------------------------------------------- These vulnerabilities affect the ABB Ability™ Operations Data Management Zenon. Subsequently, a successful exploit could allow attackers to log additional messages and access files from the Zenon system. While the passwords in the INI files are not stored in clear text, they can be subjected to further attacks against the hash algorithm. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001479&Language… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/902913/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead to arbitrary code execution. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0007.html ∗∗∗ Synology-SA-22:10 Samba ∗∗∗ --------------------------------------------- CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraint and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synologys products are affected by CVE-2022-32745 as [...] --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_10 ∗∗∗ JetBrains IntelliJ IDEA: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in JetBrains IntelliJ IDEA ausnutzen, um beliebigen Programmcode auszuführen oder Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0860 ∗∗∗ Foxit Reader und Foxit PDF Editor: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Foxit Reader und Foxit PDF Editor ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0862 ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um Sicherheitsmaßnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuführen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0861 ∗∗∗ Rockwell Products Impacted by Chromium Type Confusion ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-209-01 ∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-vios-could-al… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in IBM Engineering Systems Design Rhapsody (Rhapsody) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-cve-2021-442… ∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to bypass security restrictions and obtain sensitive information due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b… ∗∗∗ Security Bulletin: AIX is affected by multiple vulnerabilities in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-affected-by-multip… ∗∗∗ Security Bulletin: Denial of service vulnerability in OpenSSL as shipped with IBM Security Verify Bridge Docker image (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Engineering Lifecycle Optimization – Publishing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi… ∗∗∗ Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND (CVE-2021-25220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-cach… ∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2022
by Daily end-of-shift report 28 Jul '22

28 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-07-2022 18:00 − Donnerstag 28-07-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ LofyLife: malicious npm packages steal Discord tokens and bank card data ∗∗∗ --------------------------------------------- This week, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign “LofyLife”. --------------------------------------------- https://securelist.com/lofylife-malicious-npm-packages/107014/ ∗∗∗ Month of PowerShell - PowerShell Remoting, Part 1 ∗∗∗ --------------------------------------------- In this article, we discuss perhaps the most immediately-valuable feature in PowerShell for Windows administrators, the ability to run PowerShell commands on remote systems. --------------------------------------------- https://www.sans.org/blog/powershell-remoting-part-1?msc=rss ∗∗∗ Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack ∗∗∗ --------------------------------------------- In this blog post, we explore another remotely reachable attack surface: ESXi’s TCP/IP stack implemented as a VMkernel module. The most interesting outcome of this analysis is that ESXi’s TCP/IP stack is based on FreeBSD 8.2 and does not include security patches for the vulnerabilities disclosed over the years since that release of FreeBSD. This result also prompted us to analyze the nature of vulnerabilities disclosed in other open-source components used by VMware, such as OpenSLP and ISC-DHCP. --------------------------------------------- https://www.zerodayinitiative.com/blog/2022/7/25/looking-at-patch-gap-vulne… ∗∗∗ Vorsicht vor Fake Last-Minute-Angeboten auf Mallorca und Ibiza! ∗∗∗ --------------------------------------------- Die Hitze schlägt zu und Kurzentschlossene suchen nach den letzten verfügbaren Ferienhäusern, um ein paar Tage am Meer zu verbringen. Doch Vorsicht: Kriminelle versuchen Sie mit attraktiven Angeboten in die Falle zu locken! Wird eine Vorauszahlung für ein Ferienhaus verlangt, brechen Sie den Kontakt ab, Ihr Geld ist sonst verloren! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-last-minute-angebo… ∗∗∗ MFA hilft gegen Ransomware ∗∗∗ --------------------------------------------- Die Multi-Faktor-Authentifizierung (MFA) funktioniert. Die europäische Polizeibehörde Europol erklärt, wie Ransomware-Banden ihre Angriffe aufgegeben haben, als sie auf die MFA-Sicherheit trafen. --------------------------------------------- https://www.zdnet.de/88402613/mfa-hilft-gegen-ransomware/ ∗∗∗ IIS-Attacken auf Exchange Server ∗∗∗ --------------------------------------------- Microsoft warnt vor heimlichen Backdoor-Angriffen auf Exchange Server mittels bösartiger IIS-Erweiterungen. --------------------------------------------- https://www.zdnet.de/88402615/iis-attacken-auf-exchange-server/ ∗∗∗ CISA Releases Log4Shell-Related MAR ∗∗∗ --------------------------------------------- >From May through June 2022, CISA responded to an organization that was compromised by an exploitation of an unpatched and unmitigated Log4Shell vulnerability in a VMware Horizon server. CISA analyzed five malware samples obtained from the organization’s network and released a Malware Analysis Report of the findings. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/07/28/cisa-releases-log… ∗∗∗ SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” ∗∗∗ --------------------------------------------- One frequently encountered—that often results in forensics investigations on compromised systems—is tracked by Volexity as SharpTongue. [..] Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe and South Korea ... --------------------------------------------- https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-st… ===================== = Vulnerabilities = ===================== ∗∗∗ "JustSystems JUST Online Update for J-License" starts a program with an unquoted file path ∗∗∗ --------------------------------------------- "JustSystems JUST Online Update for J-License" bundled with multiple JustSystems products for corporate users starts another program with an unquoted file path. --------------------------------------------- https://jvn.jp/en/jp/JVN57073973/ ∗∗∗ Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051 ∗∗∗ --------------------------------------------- Project: Tagify Security risk: Moderately critical Description: This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.The module doesnt sufficiently check access for the add operation. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-051 ∗∗∗ PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050 ∗∗∗ --------------------------------------------- Project: PDF generator API Security risk: Moderately critical Description: This module enables you to generate PDF versions of content.Some installations of the module make use of the dompdf/dompdf third-party dependency.Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-050 ∗∗∗ Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049 ∗∗∗ --------------------------------------------- Project: Context Security risk: Moderately critical Description: This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks". --------------------------------------------- https://www.drupal.org/sa-contrib-2022-049 ∗∗∗ Sicherheitsupdates: Angreifer könnten Veritas NetBackup vielfältig attackieren ∗∗∗ --------------------------------------------- Die Entwickler haben in aktuellen Versionen der Backuplösung NetBackup von Veritas unter anderem kritische Lücken geschlossen. --------------------------------------------- https://heise.de/-7192562 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen). --------------------------------------------- https://lwn.net/Articles/902795/ ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro Apex One und Trend Micro Worry-Free Business Security ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0850 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Jira Software ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0849 ∗∗∗ McAfee Agent: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle im McAfee Agent ausnutzen, um seine Privilegien zu erhöhen und beliebigen Code mit Administratorrechten auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0848 ∗∗∗ Jenkins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um einen Cross Site Scripting oder CSRF Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder Daten zu manipulieren --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0852 ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to arbitrary command execution (CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29526) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-golang-g… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2022
by Daily end-of-shift report 27 Jul '22

27 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-07-2022 18:00 − Mittwoch 27-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 15 Minuten nach Bekanntwerden einer Lücke starten Scans nach verwundbaren PCs ∗∗∗ --------------------------------------------- Einem aktuellen Bericht über IT-Sicherheitsvorfälle zufolge verschärft sich das Katz-und-Maus-Spiel zwischen Admins und Cyberkriminellen. --------------------------------------------- https://heise.de/-7191301 ∗∗∗ Cyberkriminalität: Weniger Ransomware, aber wieder mehr Malware ∗∗∗ --------------------------------------------- 2022 stieg das Malware-Volumen erstmals wieder, bei gleichzeitig weniger Ransomware-Attacken - zumindest global, denn in Europa gilt der gegensätzliche Trend. --------------------------------------------- https://heise.de/-7191680 ∗∗∗ Student:innen aufgepasst: akademischeslektorat.com ist unseriös! ∗∗∗ --------------------------------------------- Wenn Sie auf der Suche nach einem Lektorat, einer Plagiatsprüfung oder Übersetzungsarbeiten für wissenschaftliche Arbeiten sind, stoßen Sie bei Ihrer Suche womöglich auf akademischeslektorat.com. Wir raten dazu, Abstand von den Angeboten zu nehmen, denn die Leistungen werden Erfahrungsberichten nach minderwertig oder gar nicht erbracht und auch frühere Mitarbeiter:innen sowie die Bewertungsseite Trustpilot warnen vor dem Angebot. --------------------------------------------- https://www.watchlist-internet.at/news/studentinnen-aufgepasst-akademisches… ∗∗∗ Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits ∗∗∗ --------------------------------------------- MSTIC and MSRC disclose technical details of a private-sector offensive actor (PSOA) tracked as KNOTWEED using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers. --------------------------------------------- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-euro… ∗∗∗ Month of PowerShell: Fileless Malware with Get-Clipboard ∗∗∗ --------------------------------------------- In this article we look at using PowerShell maliciously while evading detection. --------------------------------------------- https://www.sans.org/blog/fileless-malware-get-clipboard/ ∗∗∗ DHL Phishing Page Uses Telegram Bot for Exfiltration ∗∗∗ --------------------------------------------- One of the quickest ways for an attacker to harvest financial data, credentials, and sensitive personal information is through phishing. These social engineering attacks can typically be found masquerading as a trusted or recognizable service, intent on tricking unsuspecting users into submitting sensitive information on the attacker’s customized web page. --------------------------------------------- https://blog.sucuri.net/2022/07/dhl-phishing-page-uses-telegram-bot-for-exf… ∗∗∗ Inside Matanbuchus: A Quirky Loader ∗∗∗ --------------------------------------------- This blog post will shed light on Matanbuchus’ main stage, the second stage of the loader. From our point of view, the second stage is the more interesting component of the loader, as it involves many payload loading techniques. By dissecting the loader’s features and capabilities, we will attempt to answer whether Matanbuchus is a loader malware, as it markets itself, or if it is more like a bot service. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-… ∗∗∗ Top 10 Awesome Open-Source Adversary Simulation Tools ∗∗∗ --------------------------------------------- Cyberattack simulation, aka Threat Simulation, is an emerging IT security technology that can help discover gaps, vulnerabilities, and misconfigurations in your security infrastructure. We will take a look at the need for adversary simulation and the top ten open-source adversary simulation tools. --------------------------------------------- https://fourcore.io/blogs/top-10-open-source-adversary-emulation-tools ∗∗∗ Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack ∗∗∗ --------------------------------------------- Over the last few years, multiple VMware ESXi remote, unauthenticated code execution vulnerabilities have been publicly disclosed. Some were also found to be exploited in the wild. Since these bugs were found in ESXi’s implementation of the SLP service, VMware provided workarounds to turn off the service. VMware also disabled the service by default starting with ESX 7.0 Update 2c. In this blog post, we explore another remotely reachable attack surface: ESXi’s TCP/IP stack --------------------------------------------- https://www.thezdi.com/blog/2022/7/25/looking-at-patch-gap-vulnerabilities-… ∗∗∗ What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads ∗∗∗ --------------------------------------------- In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations’ harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization’s emails to deliver their threat. --------------------------------------------- http://blog.talosintelligence.com/2022/07/what-talos-incident-response-lear… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and openjdk-17), Fedora (ceph, lua, and moodle), Oracle (java-1.8.0-openjdk), Red Hat (grafana), SUSE (git, kernel, libxml2, nodejs16, and squid), and Ubuntu (imagemagick, protobuf-c, and vim). --------------------------------------------- https://lwn.net/Articles/902642/ ∗∗∗ Samba: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Samba ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, einen Denial of Service Zustand zu verursachen oder seine Rechte zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0842 ∗∗∗ MOXA NPort 5110 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Out-of-bounds Write vulnerability in MOXA NPort 5110, a device server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-04 ∗∗∗ Honeywell Saia Burgess PG5 PCD ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Honeywell Saia Burgess PG5 PCD, a PLC. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-03 ∗∗∗ Honeywell Safety Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for Insufficient Verification of Data Authenticity, Missing Authentication for Critical Function, and Use of Hard-coded Credentials vulnerabilities in Honeywell Safety Manager, a safety solution of the Experion Process Knowledge System. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-02 ∗∗∗ Inductive Automation Ignition ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-01 ∗∗∗ CVE-2022-35629..35632 Velociraptor Multiple Vulnerabilities (FIXED) ∗∗∗ --------------------------------------------- This advisory covers a number of issues identified in Velociraptor and fixed as of Version 0.6.5-2, released July 26, 2022. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velocirapt… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest (CVE-2021-35561, CVE-2022-21299, CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to local privilege escalation (CVE-2021-39088) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-0778, CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-applicati… ∗∗∗ Security Bulletin: Apache Commons Email as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2017-9801, CVE-2018-1294) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-email-as-u… ∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise are vulnerable to a denial of service due to jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i… ∗∗∗ Security Bulletin: IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect IBM Engineering Test Management product due to XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: Apache Derby security vulnerabilities in IBM System Dashboard for Enterprise Content Manager (affected, not vulnerable) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-derby-security-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2022
by Daily end-of-shift report 26 Jul '22

26 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 25-07-2022 18:00 − Dienstag 26-07-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Betrugsmasche nimmt auf Willhaben zu: Konsumentenschützer warnen ∗∗∗ --------------------------------------------- Wer im auf Handelsplattformen wie Willhaben unterwegs ist, sollte vorsichtig mit seinen persönlichen Daten umgehen. --------------------------------------------- https://futurezone.at/digital-life/phishing-willhaben-betrug-opfer-sicherhe… ∗∗∗ Sicherheit: Forscher greifen Smartphones über Ladebuchse an ∗∗∗ --------------------------------------------- Ghost Touches sind erzwungene Berührungen auf Touchscreens von Smartphones und Tablets - Forscher konnten diese über ein Ladekabel auslösen. --------------------------------------------- https://www.golem.de/news/sicherheit-forscher-greifen-smartphones-ueber-lad… ∗∗∗ How is Your macOS Security Posture?, (Tue, Jul 26th) ∗∗∗ --------------------------------------------- Many people who use Apple devices daily often have a wrong sense of security. A few years ago, Apple devices were left aside of many security issues that Windows users faced for a long time. Also, based on a BSD layer, the OS wasn' a juicy target for attackers. Today, the landscape changed: Apple devices, especially Macbooks, are used not only by "creators" (musicians, designers, ...) and geeks but by many interesting profiles like managers and security researchers. --------------------------------------------- https://isc.sans.edu/diary/rss/28882 ∗∗∗ Month of PowerShell - PowerShell Version of Keeper (Save Useful Command Lines) ∗∗∗ --------------------------------------------- In this article we build a useful PowerShell function to save useful commands for later reference: Save-Keeper! --------------------------------------------- https://www.sans.org/blog/powershell-version-keeper?msc=rss ∗∗∗ How to analyze Linux malware – A case study of Symbiote ∗∗∗ --------------------------------------------- Symbiote is a Linux threat that hooks libc and libpcap functions to hide the malicious activity. The malware hides processes and files that are used during the activity by implementing two functions called hidden_proc and hidden_file. It can also hide network connections based on a list of ports and by hijacking any injected packet filtering bytecode. The malware’s purpose is to steal credentials from the SSH and SCP processes by hooking the libc read function. --------------------------------------------- https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbio… ∗∗∗ CVE-2022-31813: Forwarding addresses is hard ∗∗∗ --------------------------------------------- A few weeks ago, version 2.4.54 of Apache HTTPD server was released. It includes a fix for CVE-2022-31813, a vulnerability we identified in mod_proxy that could affect unsuspecting applications served by an Apache reverse proxy. Lets see why it is rated as low in the software changelog and why it still matters. TL;DR: when in doubt, patch! --------------------------------------------- https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-… ∗∗∗ Brennholz, Pellets, Photovoltaik & Co: Vorsicht vor Fake-Shops ∗∗∗ --------------------------------------------- Zahlreichen Fake-Shops mit Brennholz, lassen Kriminelle nun Photovoltaik-Shops wie solanex.de und solarnetz.at folgen. Die aktuelle Energiekrise soll offenbar maximal ausgenützt werden. Wechselrichter, Solaranlagen und Stromspeicher – all jene Produkte, die am Markt momentan schwer zu erhalten sind, sind bei solanex.de und solarnetz.at nicht nur lagernd, sondern teils weit unter Marktpreis zu haben. Kaufen Sie hier nichts, denn die Vorkassezahlungen sind verloren! --------------------------------------------- https://www.watchlist-internet.at/news/brennholz-pellets-photovoltaik-co-vo… ∗∗∗ Ransomware: 1.5 million people have got their files back without paying the gangs. Heres how ∗∗∗ --------------------------------------------- No More Ransom project now offers free tools for decrypting 165 families of ransomware as the fight against extortion groups continues. --------------------------------------------- https://www.zdnet.com/article/ransomware-1-5-million-people-have-got-their-… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores ∗∗∗ --------------------------------------------- The issue in question is an SQL injection vulnerability affecting versions 1.6.0.10 or greater, and is being tracked as CVE-2022-36408. ... The PrestaShop maintainers also said they found a zero-day flaw in its service that they said has been addressed in version 1.7.8.7, although they cautioned that "we cannot be sure that it's the only way for them to perform the attack." --------------------------------------------- https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.ht… ∗∗∗ Critical FileWave MDM Flaws Open Organization-Managed Devices to Remote Hackers ∗∗∗ --------------------------------------------- FileWaves mobile device management (MDM) system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it."The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty security researcher Noam Moshe said in a Monday report. --------------------------------------------- https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html ∗∗∗ Xen XSA-408 - insufficient TLB flush for x86 PV guests in shadow mode ∗∗∗ --------------------------------------------- For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-408.html ∗∗∗ Weitere Lücken in Videokonferenz-Hardware Meeting Owl geschlossen ∗∗∗ --------------------------------------------- Owl Labs hat seine Geräte mit zusätzlichen Sicherheitsupdates gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-7189904 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (spip), Mageia (libtiff and logrotate), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (gpg2, logrotate, and phpPgAdmin), and Ubuntu (python-bottle). --------------------------------------------- https://lwn.net/Articles/902547/ ∗∗∗ LibreOffice: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in LibreOffice ausnutzen, um Sicherheitsvorkehrungen zu umgehen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0821 ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509 ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website. Pre-conditions: - Appliance must be configured as a VPN (Gateway) or AAA virtual server - A victim user must use an attacker-crafted link --------------------------------------------- https://support.citrix.com/article/CTX457836/citrix-adc-and-citrix-gateway-… ∗∗∗ Security Bulletin: Vulnerability in libcURL affect IBM Rational ClearCase ( CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27782, CVE-2022-30115, CVE-2022-27774 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue web UI is vulnerable to cross-site request forgery (CVE-2022-35286) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Common Licensing is vulnerable by a remote code attack in Spring Framework and Apache Commons(CVE-2022-22970,CVE-2022-22971,CVE-2022-33980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-v… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2021-45960, CVE-2021-46143 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25315 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-network-securit… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Slowloris HTTP DOS attack (CVE-2022-35639) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2022-1292, CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: Java SE as used by IBM Cloud Pak For Security is vulnerable to information disclosure and denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-se-as-used-by-ibm-cl… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to arbitrary code execution due to async (CVE-2021-43138) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Sterling Control Center vulnerable to arbitrary file upload and sensitive information exposure due to IBM Cognos Analytics (CVE-2021-38945, CVE-2021-29768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase ( CVE-2021-35578, CVE-2021-35603, CVE-2021-35550, CVE-2021-35561, CVE-2022-21299 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2022
by Daily end-of-shift report 25 Jul '22

25 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-07-2022 18:00 − Montag 25-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows-Sicherheit: Microsoft härtet RDP, MS-Office und geschützte Prozesse ∗∗∗ --------------------------------------------- Automatische Login-Sperren, Schutz vor Makros und Passwortklau - hinter den Kulissen tut sich einiges. Mit der Kommunikation tut sich Microsoft jedoch schwer. --------------------------------------------- https://heise.de/-7189313 ∗∗∗ Vorsicht vor gefälschten Post und DHL-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Post oder DHL aus und versenden wahllos betrügerische E-Mails. In den E-Mails mit dem Betreff „Ihr Paket wartet auf die Zustellung“ oder „Ihr Paket ist gerade bei der örtlichen Post angekommen“ wird behauptet, dass ein Paket angekommen sei, es aber nicht zugestellt werden kann, weil noch Zoll- bzw. Lieferkosten offen seien. Sie werden aufgefordert, auf einen Link zu klicken. Ignorieren Sie derartige E-Mails. Es handelt sich um Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-post-und-d… ∗∗∗ CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit ∗∗∗ --------------------------------------------- In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor. --------------------------------------------- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/ ∗∗∗ Month of PowerShell: Process Threat Hunting, Part 1 ∗∗∗ --------------------------------------------- PowerShell is a powerful tool for threat hunting. Here we look at PowerShell threat hunting steps by assessing processes on Windows. --------------------------------------------- https://www.sans.org/blog/process-threat-hunting-part-1/ ∗∗∗ Month of PowerShell - The Curious Case of AD User Properties ∗∗∗ --------------------------------------------- Where are all of the user properties for Active Directory users for Get-ADUSer? --------------------------------------------- https://www.sans.org/blog/curious-case-ad-user-properties/ ∗∗∗ Month of PowerShell: Process Threat Hunting, Part 2 ∗∗∗ --------------------------------------------- We continue our look at PowerShell threat hunting through process analysis, identifying Command & Control/C2 threats on a Windows system. --------------------------------------------- https://www.sans.org/blog/process-threat-hunting-part-2/ ∗∗∗ Defeating Javascript Obfuscation ∗∗∗ --------------------------------------------- To make a long story short, I’m releasing a Javascript deobfuscation tool called REstringer. To make a short story long - I want to share my incentive for creating the tool, some design decisions, and the process through which I’m adding new capabilities to it - so you can join in on the fun! --------------------------------------------- https://www.perimeterx.com/tech-blog/2022/defeating-javascript-obfuscation/ ∗∗∗ A repository of Windows persistence mechanisms ∗∗∗ --------------------------------------------- The repository tries to gather an information about Windows persistence mechanisms to make the protection/detection more efficient. Most of the information is well known for years, being actively used within various scenarios. --------------------------------------------- https://persistence-info.github.io/ ∗∗∗ IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation ∗∗∗ --------------------------------------------- We developed an open source tool, IAM-Deescalate, to help mitigate the privilege escalation risks of overly permissive identities in AWS. --------------------------------------------- https://unit42.paloaltonetworks.com/iam-deescalate/ ∗∗∗ Case closed: DIVD-2022-00009 - SolarMan backend administrator account/password ∗∗∗ --------------------------------------------- DIVD researcher Jelle Ursem found the password of the super user of the web backend for all SolarMan / Solis / Omnik / Ginlong inverters, loggers, and batteries. The password has been changed now, and the repository containing the password has been deleted. --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00009/ ∗∗∗ Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers ∗∗∗ --------------------------------------------- The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched. --------------------------------------------- https://asec.ahnlab.com/en/36820/ ===================== = Vulnerabilities = ===================== ∗∗∗ Google Chrome: Update schließt Hochrisiko-Sicherheitslöcher ∗∗∗ --------------------------------------------- Google veröffentlicht ein Update für Chrome, das elf potenzielle Sicherheitsschwachstellen schließt - fünf davon sind mit High Risk bewertet. --------------------------------------------- https://www.golem.de/news/google-chrome-update-schliesst-hochrisiko-sicherh… ∗∗∗ Angreifer könnten Scan-Engine von F-Secure und WithSecure crashen lassen ∗∗∗ --------------------------------------------- Patches schließen mehrere Lücken in Sicherheitsprodukten von WithSecure ehemals F-Secure. --------------------------------------------- https://heise.de/-7189082 ∗∗∗ Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505) ∗∗∗ --------------------------------------------- The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect to the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven vulnerabilities were discovered. --------------------------------------------- https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, djangorestframework, gsasl, and openjdk-11), Fedora (giflib, openssl, python-ujson, and xen), Mageia (virtualbox), SUSE (git, gpg2, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, mozilla-nspr, mozilla-nss, mozilla-nss, python-M2Crypto, and s390-tools), and Ubuntu (php8.1). --------------------------------------------- https://lwn.net/Articles/902400/ ∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN77850327/ ∗∗∗ Multiple vulnerabilities in untangle ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN30454777/ ∗∗∗ K08152433: Intel processors MMIO stale data vulnerability CVE-2022-21166 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08152433/ ∗∗∗ Unify OpenScape Branch: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0814 ∗∗∗ Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-failed-attempt-to-regen… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics – Log Analysis (CVE-2019-17571, CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23307). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics – Log Analysis (CVE-2021-44832, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-audit-events-query-facili… ∗∗∗ Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-session-cookie-used-by-ib… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2022
by Daily end-of-shift report 22 Jul '22

22 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-07-2022 18:00 − Freitag 22-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SATAn-Attacke: Zweckentfremdetes SATA-Kabel funkt geheime Infos ∗∗∗ --------------------------------------------- Sicherheitsforscher, die auf Attacken auf abgeschottete Air-Gap-Systeme spezialisiert sind, haben eine neue Methode vorgestellt. --------------------------------------------- https://heise.de/-7186463 ∗∗∗ Confluence Security Advisory 2022-07-20 ∗∗∗ --------------------------------------------- Confluence hat zum 20. Juli 2022 das Security Advisory 2022-07-20 veröffentlicht und heute aktualisiert. Im Sicherheitshinweis geht es um Confluence-Konten mit fest kodierten Anmeldeinformationen, die von Questions for Confluence erstellt wurden. Das betrifft die Confluence-App für Confluence Server und Confluence Data Center. --------------------------------------------- https://www.borncity.com/blog/2022/07/21/confluence-security-advisory-2022-… ∗∗∗ Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too ∗∗∗ --------------------------------------------- After laying low, exploit seller Candiru rears its ugly head once more. --------------------------------------------- https://arstechnica.com/?p=1868594 ∗∗∗ Maldoc: non-ASCII VBA Identifiers, (Thu, Jul 21st) ∗∗∗ --------------------------------------------- I found a malicious Office document with VBA code where most of the identifiers (variables, function names, ...) consist solely out of characters that are not ASCII (.e.g, these characters have values between 128 and 255). --------------------------------------------- https://isc.sans.edu/diary/rss/28866 ∗∗∗ An Analysis of a Discerning Phishing Website , (Fri, Jul 22nd) ∗∗∗ --------------------------------------------- Cybercriminals and adversaries have long used phishing websites to obtain credentials and access systems they usually would not have access to. Indeed, it could be more cost-effective than other methods, such as buying zero-day vulnerabilities and weaponizing them. I was alerted to a phishing attempt and requested further details. After doing some analysis, I observed several differences and technological improvements that the adversaries had made as compared to the usual phishing attempts. --------------------------------------------- https://isc.sans.edu/diary/rss/28870 ∗∗∗ Month of PowerShell - Recording Your Session with Start-Transcript ∗∗∗ --------------------------------------------- PowerShell allows us to create a transaction file of all commands entered and output received, perfect for pentests, incident response, and more! --------------------------------------------- https://www.sans.org/blog/recording-your-session-with-start-transcript ∗∗∗ Cryptominers & WebAssembly in Website Malware ∗∗∗ --------------------------------------------- WebAssembly (also referred to as Wasm) is a binary instruction format that runs in the browser to enable high-performance applications on web pages and can be executed much faster than traditional JavaScript. WebAssembly can be executed in a variety of environments, including servers, IoT devices, and mobile or desktop apps — but was originally designed to run on the web. --------------------------------------------- https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware… ∗∗∗ An Easier Way to Keep Old Python Code Healthy and Secure ∗∗∗ --------------------------------------------- Python has its pros and cons, but its nonetheless used extensively. For example, Python is frequently used in data crunching tasks even when there are more appropriate languages to choose from. Why? Well, Python is relatively easy to learn. Someone with a science background can pick up Python much more quickly than, say, C. However, Pythons inherent approachability also creates a couple of problems. --------------------------------------------- https://thehackernews.com/2022/07/an-easier-way-to-keep-old-python-code.html ∗∗∗ Sh*Load Exploits (Episode V: Return of the Error) ∗∗∗ --------------------------------------------- Our first post in the Firmware Developers Need To Know blog series, Episode I: The Last Error, pointed out the benefits of adopting clean error codes. And then two weeks later, TLStorm, bam. Armis’ research engineers announced the discovery of three vulnerabilities in APC devices –the key problem – ignoring error codes! Unfortunately, little attention or thought is paid to error codes within firmware code (and many critical open source projects). --------------------------------------------- https://dellfer.com/shload-exploits-episode-v-return-of-the-error/ ∗∗∗ PART 1: How I Met Your Beacon – Overview ∗∗∗ --------------------------------------------- During this research we will outline a number of effective strategies for hunting for beacons, supported by our BeaconHunter tool that we developed to execute these strategies and which we intend to open source in due course. --------------------------------------------- https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/ ∗∗∗ Cloud Threat Detection: To Agent or Not to Agent? ∗∗∗ --------------------------------------------- Should you be using agents to secure cloud applications, or not? The answer depends on what exactly youre trying to secure. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/22/cloud-threat-detection-to-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-21 ∗∗∗ --------------------------------------------- IBM Cloud App Management, IBM Cloud Pak for Multicloud Management Monitoring, IBM Rational Build Forge, IBM Rational Build Forge, IBM Cloud App Management, IBM Tivoli Netcool Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (gnupg2, oci-seccomp-bpf-hook, suricata, and vim), Oracle (java-11-openjdk), Slackware (net), and SUSE (kernel, nodejs16, rubygem-rack, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/902184/ ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren, Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0797 ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Veritas NetBackup ausnutzen, um beliebigen Programmcode auszuführen oder seine Privilegien zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0801 ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann eine Schwachstelle in Veritas NetBackup ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszulösen, seine Privilegien zu erweitern und Verzeichnisse zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0802 ∗∗∗ F-Secure Linux Security: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in F-Secure Linux Security und F-Secure Internet Gatekeeper ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0803 ∗∗∗ AutomationDirect Stride Field I/O ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-05 ∗∗∗ ICONICS Suite and Mitsubishi Electric MC Works64 Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere, Out-of-Bounds Read vulnerabilities in the SCADA products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04 ∗∗∗ Rockwell Automation ISaGRAF Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the ISaGRAF Workbench. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-03 ∗∗∗ Johnson Controls Metasys ADS, ADX, OAS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Missing Authentication for Critical Function vulnerability in the Metasys ADS, ADX, OAS. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-02 ∗∗∗ ABB Drive Composer, Automation Builder, Mint Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerabilities in the ABB products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-01 ∗∗∗ Unauthenticated SQL Injection in SonicWall GMS and Analytics ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0007 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2022
by Daily end-of-shift report 21 Jul '22

21 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-07-2022 18:00 − Donnerstag 21-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Apple Patches Everything Day, (Wed, Jul 20th) ∗∗∗ --------------------------------------------- Apple today released its usual "surprise patch day" in updating all of its operating systems. There may still be specific Safari updates, but for currently supported operating systems, the operating system upgrades should include respective Safari/WebKit fixes. --------------------------------------------- https://isc.sans.edu/diary/rss/28862 ∗∗∗ New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems ∗∗∗ --------------------------------------------- A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. --------------------------------------------- https://thehackernews.com/2022/07/new-linux-malware-framework-let.html ∗∗∗ Outlook email users alerted to suspicious activity from Microsoft-owned IP address ∗∗∗ --------------------------------------------- People turn amateur sleuths to discover that the source of all those sign-ins seems to be in Redmond Strange things are afoot in the world of Microsoft email with multiple users reporting unusual sign-in notifications for their Outlook accounts. --------------------------------------------- https://www.theregister.com/2022/07/21/outlook_sign_ins/ ∗∗∗ [CVE-2022-34918] A crack in the Linux firewall ∗∗∗ --------------------------------------------- In our previous article Yet another bug into Netfilter, I presented a vulnerability found within the netfilter subsystem of the Linux kernel. During my investigation, I found a weird comparison that does not fully protect a copy within a buffer. It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22.04. --------------------------------------------- https://www.randorisec.fr/crack-linux-firewall/ ∗∗∗ Gitlab Project Import RCE Analysis (CVE-2022-2185) ∗∗∗ --------------------------------------------- At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly in the advisory, there was a mention of a post-auth RCE bug with CVSS 9.9. The bug exists in GitLab’s Project Imports feature, which was found by @vakzz. Incidentally, when I rummaged in the author’s h1 profile. I discovered that four months ago, he also found a bug in the import project feature. --------------------------------------------- https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-202… ∗∗∗ Cybercrime: Industriesteuerungen im Visier ∗∗∗ --------------------------------------------- Ein Passwort-Cracker mit Trojaner an Bord liefert Passwörter für programmierbare Industrie-Steuersysteme frei Haus und wirft damit eine wichtige Frage auf. --------------------------------------------- https://heise.de/-7185890 ∗∗∗ Vorsicht vor Shops mit Abo-Fallen ∗∗∗ --------------------------------------------- Sie suchen nach einem Produkt online – sei es Make-Up, Sportkleidung oder Tiernahrung. Plötzlich stoßen Sie auf ein gutes Angebot und das Produkt ist sogar 60 % billiger, wenn Sie VIP-Mitglied werden. Doch im Kleingedruckten steht: Mit diesem Einkauf schließen Sie eine automatische Clubmitgliedschaft und ein teures Abo ab. Vorsicht vor diesen unseriösen Abo-Fallen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-shops-mit-abo-fallen/ ∗∗∗ Shodan Verified Vulns 2022-07-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-07-01 sieht Shodan in Österreich die folgenden Schwachstellen: Verglichen mit Juni 2022 ist durch die Bank ein leichter Abwärtstrend zu erkennen (insgesamt von 9355 auf 8987 verifizierte Schwachstellen). Spitzenreiter sind noch immer CVE-2015-0204 (SSL FREAK, 4090) und CVE-2015-4000 (Logjam, 3193). Davor schon relativ gering vertreten (35), jedoch auffällig gesunken ist die Schwachstelle CVE-2021-43798 (Grafana Path Traversal Vulnerability, -80%). Ausreißer nach oben oder Neuzugänge gibt es nicht. --------------------------------------------- https://cert.at/de/aktuelles/2022/7/shodan-verified-vulns-2022-07-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability ∗∗∗ --------------------------------------------- Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "disabledsystemuser." --------------------------------------------- https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html ∗∗∗ Schadcode-Attacken mit Root-Rechten auf Cisco Nexus Dashboard möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Hard- und Software vom Netzwerkausrüster Cisco. --------------------------------------------- https://heise.de/-7185582 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (kernel and kernel-linus), SUSE (dovecot23), and Ubuntu (freetype, libxml-security-java, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/902011/ ∗∗∗ Request Tracker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Request Tracker ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen oder Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0788 ∗∗∗ Security Bulletin: IBM Tivoli Network Manager is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-1757) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-network-manage… ∗∗∗ Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager appliance (CVE-2022-24407, CVE-2020-25709, CVE-2020-25710) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses an Oracle JDBC jar with multiple vulnerabilities (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Security Verify Information Queue connect image (CVE-2020-9493, CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Wire Schema jar with multiple vulnerabilities (CVE-2020-27853, CVE-2021-41093) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Google gRPC framework with multiple vulnerabilities (CVE-2017-7860, CVE-2017-7861, CVE-2017-9431) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-38936) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple security vulnerabilities found in open source code that is shipped with IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: OpenSSL vulnerabilities in the IBM Security Verify Information Queue web server (CVE-2021-3711, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-i… ∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ CVE-2022-0778: Sicherheitslücken mit Denial of Service-Potential in OpenSSL ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts ∗∗∗ Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-015 ∗∗∗ Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-014 ∗∗∗ Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-013 *** Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012 *** --------------------------------------------- https://www.drupal.org/sa-core-2022-012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2022
by Daily end-of-shift report 20 Jul '22

20 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-07-2022 18:00 − Mittwoch 20-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken in GPS-Tracker von MiCODUS können Menschenleben gefährden ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer unter anderem PKWs der Regierung aus der Ferne stoppen könnten. Sicherheitspatches gibt es bislang nicht. --------------------------------------------- https://heise.de/-7184324 ∗∗∗ Phishing-Mail zu „unbefugten Aktivitäten“ ignorieren! ∗∗∗ --------------------------------------------- Aktuell kursiert eine Phishing Nachricht im Namen der Raiffeisen Bank, die nach einer Authentifizierung verlangt. Angeblich wurde eine Zahlung in Höhe von 1259,00 EUR vorgenommen, die blockiert wurde. Achtung: Es handelt sich lediglich um einen erfundenen Grund, mit dem Kriminelle Sie zum Klick auf eine Phishing-Seite bewegen wollen. Löschen Sie die Nachricht einfach! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-zu-unbefugten-aktivita… ∗∗∗ Breaking down CISs new software supply chain security guidance ∗∗∗ --------------------------------------------- Securing the software supply chain continues to be one of the most discussed topics currently among IT and cybersecurity leaders. A study by In-Q-Tel researchers shows a rapid rise in software supply chain attacks starting around 2016, going from almost none in 2015 to about 1,500 in 2020. The Cloud Native Computing Foundation’s (CNCF’s) catalog of software supply chain attacks also supports a rise in this attack vector. --------------------------------------------- https://www.csoonline.com/article/3666742/breaking-down-ciss-new-software-s… ∗∗∗ Luna and Black Basta — new ransomware for Windows, Linux and ESXi ∗∗∗ --------------------------------------------- This report discusses new ransomware, that targets Windows, Linux and ESXi systems: Luna written in Rust and Black Basta. --------------------------------------------- https://securelist.com/luna-black-basta-ransomware/106950/ ∗∗∗ PrestaShop Skimmer Concealed in One Page Checkout Module ∗∗∗ --------------------------------------------- PrestaShop is a popular freemium open source e-commerce platform used by hundreds of thousands of webmasters to sell products and services to website visitors. While PrestaShop’s CMS market share is only 0.8%, it should still come as no surprise that attackers have been crafting malware to specifically target environments who use this software. --------------------------------------------- https://blog.sucuri.net/2022/07/prestashop-skimmer-concealed-in-one-page-ch… ∗∗∗ LockBit: Ransomware Puts Servers in the Crosshairs ∗∗∗ --------------------------------------------- LockBit affiliates using servers to spread ransomware throughout networks. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ∗∗∗ Analysis of a trojanized jQuery script: GootLoader unleashed ∗∗∗ --------------------------------------------- In this blog post, we will perform a deep analysis into GootLoader, malware which is known to deliver several types of payloads, such as Kronos trojan, REvil, IcedID, GootKit payloads and in this case Cobalt Strike. --------------------------------------------- https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-goo… ∗∗∗ 4 Strategies for Achieving Greater Visibility in the Cloud ∗∗∗ --------------------------------------------- Here are four ways to put visibility at the center of your cloud security approach and better understand whats going on in your environment. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/20/4-strategies-for-achieving-grea… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Oracle sichert seine Produkte mit 349 Updates ab ∗∗∗ --------------------------------------------- Wichtige Sicherheitspatches schließen unter anderem kritische Lücken in Oracle-Anwendungen. --------------------------------------------- https://heise.de/-7184179 ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht Zyxel-Firewalls ∗∗∗ --------------------------------------------- Mehrere Firewall-Modelle von Zyxel sind über Sicherheitslücken attackierbar. --------------------------------------------- https://heise.de/-7184526 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang-github-gosexy-gettext, golang-github-hub, oci-seccomp-bpf-hook, and popub), Oracle (kernel and kernel-container), SUSE (python2-numpy), and Ubuntu (check-mk and pyjwt). --------------------------------------------- https://lwn.net/Articles/901879/ ∗∗∗ Chrome 103 Update Patches High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Google this week announced a Chrome update that resolves a total of 11 vulnerabilities in the browser, including six reported by external researchers. Of these, five are use-after-free issues, including four that are considered “high severity.” --------------------------------------------- https://www.securityweek.com/chrome-103-update-patches-high-severity-vulner… ∗∗∗ HCL BigFix: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in HCL BigFix ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0733 ∗∗∗ OpenJDK: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in OpenJDK ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder Dateien zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0746 ∗∗∗ Arista EOS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Arista EOS ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0761 ∗∗∗ Red Hat OpenShift (Logging Subsystem): Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift (Logging Subsystem) ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0707 ∗∗∗ Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-co… ∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is affected by a cross-site scripting vulnerability in jQuery-UI(CVE-2021-41184) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities in JQuery affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip… ∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – CVE-2021-45105 (affecting v2.16) and CVE-2021-45046 (affecting v2.15) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vul… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities in Expact library. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Cross-site Scripting (CVE-2022-22477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to improper certificate validation (CVE-2021-29755) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to infomation disclosured due to incorrect file permissions (CVE-2022-22424) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to infomarion discosure (CVE-2021-38936) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Java SE related to the JSSE component affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2022
by Daily end-of-shift report 19 Jul '22

19 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 18-07-2022 18:00 − Dienstag 19-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Authentication Risks Discovered in Okta Platform ∗∗∗ --------------------------------------------- Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction. --------------------------------------------- https://threatpost.com/risks-okta-sso/180249/ ∗∗∗ Requests For beacon.http-get. Help Us Figure Out What They Are Looking For, (Tue, Jul 19th) ∗∗∗ --------------------------------------------- Based on our First Seen URLs page, we started seeing more requests for 'beacon.http-get' these last few days. The requests are going back a while now but have been increasing. --------------------------------------------- https://isc.sans.edu/diary/rss/28856 ∗∗∗ Sicherheit bei Mac-Office: Microsoft fordert zur Systemaktualisierung auf ∗∗∗ --------------------------------------------- Nur mit den jüngsten Versionen von Monterey und Big Sur lassen sich Angriffe über Makro-Exploits verhindern, so der Konzern. --------------------------------------------- https://heise.de/-7182296 ∗∗∗ WhatsApp-Nachricht über einen Covid-19-Zuschuss von UNICEF ist Fake ∗∗∗ --------------------------------------------- Sie haben auf WhatsApp eine Nachricht von UNICEF erhalten? Man will Ihnen einen Covid-19-Zuschuss von 50.000 Euro überweisen? Vorsicht: Dabei handelt es sich um Betrug. Kriminelle geben sich als UNICEF aus und täuschen Spenden oder Gewinne vor. In Wirklichkeit will man Ihnen Geld stehlen! Antworten Sie nicht und blockieren Sie die Nummer! --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-nachricht-ueber-einen-covid… ∗∗∗ I see what you did there: A look at the CloudMensis macOS spyware ∗∗∗ --------------------------------------------- Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs --------------------------------------------- https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-clo… ∗∗∗ Riding the InfoRail to Exploit Ivanti Avalanche ∗∗∗ --------------------------------------------- I was able to quickly identify a chain of three vulnerabilities in the Ivanti Avalanche Web Application: [...] Even though this chain is powerful, its first part heavily depends on factors that are not within the attacker’s control. We can do better, right? --------------------------------------------- https://www.thezdi.com/blog/2022/7/19/riding-the-inforail-to-exploit-ivanti… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-18 ∗∗∗ --------------------------------------------- IBM UrbanCode Build, IBM UrbanCode Release, IBM Sterling Partner Engagement Manager, IBM MQ, App Connect professional, IBM WebSphere Application Server Liberty, IBM Tivoli Netcool Configuration Manager, IBM UrbanCode Build. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Angreifer könnten Juniper-Software mit Schadcode attackieren ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Juniper hat unter anderem in Contrail Networking kritische Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7183158 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (buildah), SUSE (dovecot23 and nodejs12), and Ubuntu (harfbuzz, libhttp-daemon-perl, tiff, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/901787/ ∗∗∗ EMC Avamar: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in EMC Avamar und EMC NetWorker ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0715 ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0713 ∗∗∗ Apache CloudStack: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszulösen und Serverdaten zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0711 ∗∗∗ Redis: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Redis ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0709 ∗∗∗ jQuery: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in jQuery ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0708 ∗∗∗ CVE-2022-30526 (Fixed): Zyxel Firewall Local Privilege Escalation ∗∗∗ --------------------------------------------- Rapid7 discovered a local privilege escalation vulnerability affecting Zyxel firewalls. The vulnerability allows a low privileged user, such as `nobody`, to escalate to `root` on affected firewalls. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/19/cve-2022-30526-fixed-zyxel-fire… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2022
by Daily end-of-shift report 18 Jul '22

18 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-07-2022 18:00 − Montag 18-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cybercrime und Trickbot-Leaks: "Wir zahlen Krankengeld und 13. Monatsgehalt" ∗∗∗ --------------------------------------------- Cybercrime goes Business: Ein Bewerbungsgespräch im Cybercrime-Untergrund zeigt eindrucksvoll, wie sehr sich organisiertes Verbrechen schon "normalisiert" hat. --------------------------------------------- https://heise.de/-7182800 ∗∗∗ Fake-Shop für Pellets und Brennholz kontaktiert Kund:innen auf WhatsApp ∗∗∗ --------------------------------------------- Aktuell boomen Fake-Shops für Brennholz, Pellets, Photovoltaik-Anlagen und Öfen. Der betrügerische Shop wibois.com gibt sich besonders viel Mühe, um Ihnen Geld zu stehlen. Neben professionell gestalteten Werbeanzeigen auf Facebook und Instagram, senden die Kriminellen Ihnen Bestellbestätigung und Überweisungsaufforderung auf WhatsApp. Das stiftet Vertrauen und vermittelt das Gefühl von Erreichbarkeit. Zahlen Sie nicht und blockieren Sie die Nummer! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-fuer-pellets-und-brennholz… ∗∗∗ Mit Sality-Malware infiziertes Passwort Cracking-Tool für Industrie-Steuerungen/Leitsysteme verteilt ∗∗∗ --------------------------------------------- Cyberkriminelle bewerben in sozialen Netzwerken wohl ein Tool, mit denen Kennwörter in Industriesteuerungen (ICS, PLCs) geknackt werden können. --------------------------------------------- https://www.borncity.com/blog/2022/07/16/mit-sality-malware-infiziertes-pas… ∗∗∗ Supply Chain Attack Technique Spoofs GitHub Commit Metadata ∗∗∗ --------------------------------------------- Security researchers at Checkmarx are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories. --------------------------------------------- https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-co… ∗∗∗ Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability ∗∗∗ --------------------------------------------- Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022. --------------------------------------------- https://msrc-blog.microsoft.com/2022/07/18/mitigation-for-azure-storage-sdk… ∗∗∗ Month of PowerShell - Working with the Event Log, Part 3 - Accessing Message Elements ∗∗∗ --------------------------------------------- In part 3 of Working with the Event Log we look at using a third-party function to make accessing event log data much easier. --------------------------------------------- https://www.sans.org/blog/working-with-the-event-log-part-3-accessing-messa… ∗∗∗ Month of PowerShell - Working with the Event Log, Part 4 - Tweaking Event Log Settings ∗∗∗ --------------------------------------------- In this final part of this series on working with the event log in PowerShell, we look at tips and commands for tweaking event log settings. --------------------------------------------- https://www.sans.org/blog/working-with-the-event-log-part-4-tweaking-event-… ∗∗∗ Genesis - The Birth of a Windows Process (Part 2) ∗∗∗ --------------------------------------------- In this second and final part of the series, we will go through the exact flow CreateProcess carries out to launch a process on Windows using the APIs and Data Structure we discussed in Part 1. --------------------------------------------- https://fourcore.io/blogs/how-a-windows-process-is-created-part-2 ===================== = Vulnerabilities = ===================== ∗∗∗ New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain ∗∗∗ --------------------------------------------- Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," [...] --------------------------------------------- https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, [...] --------------------------------------------- https://lwn.net/Articles/901699/ ∗∗∗ Log4J-Schwachstelle: Mittelstand schläft, DHS sieht Problem für Jahre ∗∗∗ --------------------------------------------- Die in Java ausnutzbare Log4Shell-Schwachstelle in der Log4j-Bibliothek steckt mutmaßlich in vielen Systemen bzw. Software-Paketen. Das Problem dürfte uns noch für Jahre tangieren, schätzen Experten und im deutschen Mittelstand ist das noch nicht angekommen. Auch das Department of Homeland Security [...] --------------------------------------------- https://www.borncity.com/blog/2022/07/17/log4j-schwachstelle-mittelstand-sc… ∗∗∗ SonicWall Switch Post-Authenticated Remote Code Execution ∗∗∗ --------------------------------------------- A vulnerability in SonicWall Switch 1.1.1.0-2s and earlier allows an authenticated malicious user to perform remote code execution in the host system. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0013 ∗∗∗ Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-027/ ∗∗∗ Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-022/ ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: The CVE-2022-34305 vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-cve-2022-34305-vulner… ∗∗∗ Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities due to its use of IBM JAVA (CVE-2021-35560, CVE-2021-35578, CVE-2021-35565, CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-attacker-that-gains-se… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial server due to its use of Apache Xerces2 (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects PowerVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: The vulnerability CVE-2022-21299 in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-vulnerability-cve-202… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS (CVE-2021-22918, CVE-2021-22960, CVE-2021-22959) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op… ∗∗∗ Security Bulletin: Vulnerability in the jackson-databind component affects IBM Event Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-jack… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2022
by Daily end-of-shift report 15 Jul '22

15 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-07-2022 18:00 − Freitag 15-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Callback-Phishing: Dringender Rückruf erbeten ∗∗∗ --------------------------------------------- Angreifer geben sich in E-Mails als Sicherheitsunternehmen aus und bitten um einen Rückruf. Doch statt einer Überprüfung wird der Rechner gehackt. --------------------------------------------- https://www.golem.de/news/callback-phishing-dringender-rueckruf-erbeten-220… ∗∗∗ Android-Malware mit 3 Millionen Installationen aus Google Play entfernt ∗∗∗ --------------------------------------------- Die Android-Malware Autolycos hat es auf insgesamt drei Millionen Installationen gebracht. Nach der Entdeckung hat Google die betroffenen Apps entfernt. --------------------------------------------- https://heise.de/-7180469 ∗∗∗ Windows Autopatch ab sofort allgemein verfügbar ∗∗∗ --------------------------------------------- Automatisch abgesicherte Updates für Windows verspricht Microsoft mit Autopatch – Administratoren steht so deutlich weniger händische Arbeit ins Haus. --------------------------------------------- https://heise.de/-7180876 ∗∗∗ Was kann ich bei Problemen mit Klarna tun? ∗∗∗ --------------------------------------------- „Das Produkt ist noch gar nicht gekommen, trotzdem will Klarna, das ich bezahle.“ „Klarna schickt trotz Rücksendung Mahnungen.“ „Ich habe Ramsch bekommen, Klarna fordert aber eine Zahlung.“ Immer wieder berichten uns Konsument:innen von Problemen mit Klarna und sind ratlos. Wir zeigen Ihnen, was Sie bei ungerechtfertigten Zahlungsaufforderungen und Mahnungen von Klarna tun können. --------------------------------------------- https://www.watchlist-internet.at/news/was-kann-ich-bei-problemen-mit-klarn… ∗∗∗ YouTuber-Cash: Vorsicht vor Abzocke ∗∗∗ --------------------------------------------- YouTube-Videos schauen und damit Geld verdienen? Angebote wie das von youtuber.ltd klingen verlockend, doch statt der Auszahlung warten Abzocke-Maschen auf Sie. Vertrauen Sie keinen Versprechen online, schnell viel Geld zu verdienen! Die Kriminellen, die hinter diesen Angeboten stecken sind lediglich auf Ihre Daten oder Ihr Geld aus. --------------------------------------------- https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/ ∗∗∗ WordPress: Schwachstelle in Kaswara Modern WPBakery Page Builder wird angegriffen ∗∗∗ --------------------------------------------- WordPress-Nutzer, die das Kaswara Modern WPBakery Page Builder im Einsatz haben, sollten zügig handeln. In älteren Fassungen ist die Schwachstelle CVE-2021-24284 enthalten, die eine Übernahme der WordPress-Installation ermöglicht. --------------------------------------------- https://www.borncity.com/blog/2022/07/15/wordpress-schwachstelle-in-kaswara… ∗∗∗ New Phishing Kit Hijacks WordPress Sites for PayPal Scam ∗∗∗ --------------------------------------------- Attackers use scam security checks to steal victims government documents, photos, banking information, and email passwords, researchers warn. --------------------------------------------- https://www.darkreading.com/attacks-breaches/new-phishing-kit-hijacks-wordp… ∗∗∗ The real reason why malware detection is hard—and underestimated ∗∗∗ --------------------------------------------- Researchers develop an AI with a 98% malware detection rate and 5% false positive rate. If you think this is a splendid technology for antivirus software, this article might change your mind. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard ∗∗∗ Month of PowerShell: Working with Log Files ∗∗∗ --------------------------------------------- In this article we look at how we can leverage PowerShells object-passing pipeline to parse and retrieve data from an IIS web server log file. --------------------------------------------- https://www.sans.org/blog/powershell-working-with-log-files ∗∗∗ Software Vendors Start Patching Retbleed CPU Vulnerabilities ∗∗∗ --------------------------------------------- Vendors have started rolling out software updates to address the recently disclosed Retbleed speculative execution attack targeting Intel and AMD processors. --------------------------------------------- https://www.securityweek.com/software-vendors-start-patching-retbleed-cpu-v… ∗∗∗ Powerful Mantis DDoS Botnet Hits 1,000 Organizations in One Month ∗∗∗ --------------------------------------------- Web protection firm Cloudflare warns that a small but powerful botnet has launched distributed denial-of-service (DDoS) attacks on roughly 1,000 organizations over the past month alone. --------------------------------------------- https://www.securityweek.com/powerful-mantis-ddos-botnet-hits-1000-organiza… ∗∗∗ Digium Phones Under Attack: Insight Into the Web Shell Implant ∗∗∗ --------------------------------------------- We witnessed more than 500,000 unique samples of malicious traffic targeting Digium Asterisk software for VoIP phone devices. --------------------------------------------- https://unit42.paloaltonetworks.com/digium-phones-web-shell/ ∗∗∗ CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Quintin Crist of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows operating system, originally discovered and reported by Yuki Chen. The bug is found in the implementation of Network File System (NFS)and is due to improper handling of NFSv4 requests. An unauthenticated attacker could exploit this bug to execute arbitrary code in the context of SYSTEM. --------------------------------------------- https://www.thezdi.com/blog/2022/7/13/cve-2022-30136-microsoft-windows-netw… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Update Available for Adobe InDesign APSB22-30 ∗∗∗ --------------------------------------------- Adobe has released a security update for Adobe InDesign. This update addresses multiple critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. --------------------------------------------- https://helpx.adobe.com/security/products/indesign/apsb22-30.html ∗∗∗ Security Update Available for Adobe InCopy APSB22-29 ∗∗∗ --------------------------------------------- Adobe has released a security update for Adobe InCopy. This update addresses multiple  critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. --------------------------------------------- https://helpx.adobe.com/security/products/incopy/apsb22-29.html ∗∗∗ ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access ∗∗∗ --------------------------------------------- ABB is aware of private reports of a vulnerability in the flow computer and remote controller product versions listed above. A flash update is available that resolves the vulnerability in the product versions listed above. Mitigation can be accomplished by proper network segmentation [...] --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&Lan… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (curl, kernel, openssl1.1, php, subversion, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (grub2), SUSE (gnutls, kernel, logrotate, oracleasm, p11-kit, and python-PyJWT), and Ubuntu (libhttp-daemon-perl and python2.7, python3.10, python3.4, python3.5, python3.6, python3.8, python3.9). --------------------------------------------- https://lwn.net/Articles/901412/ ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0696 ∗∗∗ SonicWall Hosted Email Security Capture ATP Bypass ∗∗∗ --------------------------------------------- Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0014 ∗∗∗ OpenSSL c_rehash script allows command injection CVE-2022-1292 ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2022-1292) was found in OpenSSL c_rehash script. This is due to shell metacharacters not being properly sanitized, resulting in command injection. An attacker could execute arbitrary commands with the privileges of the script. After review, it has been determined that vulnerability tracked as CVE-2022-1292 is not applicable to the SonicWall product suite. However, SonicWall has decided to update the impacted OpenSSL package to the fixed version (OpenSSL 1.1.1o) [...] --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011 ∗∗∗ SolarWinds Dameware: Schwachstelle ermöglicht Nutzerzugriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0697 ∗∗∗ Mattermost: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0695 ∗∗∗ Autodesk AutoCAD: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0694 ∗∗∗ Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-35618 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed… ∗∗∗ Security Bulletin: Vulnerability in Json-schema library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json-sch… ∗∗∗ Security Bulletin: Vulnerability in Axios affects IBM Process Mining . CVE-2022-1214 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-axios-af… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by follow-redirects vulnerabilities (CVE-2022-0155 and CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2022
by Daily end-of-shift report 14 Jul '22

14 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-07-2022 18:00 − Donnerstag 14-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Month of PowerShell - Working with the Event Log, Part 2 - Threat Hunting with Event Logs ∗∗∗ --------------------------------------------- We continue our look at working with the Windows event log using PowerShell with 10 threat hunting techniques. --------------------------------------------- https://www.sans.org/blog/working-with-event-log-part-2-threat-hunting-with… ∗∗∗ Introducing Decompiler Explorer ∗∗∗ --------------------------------------------- Today, we’re releasing a little side project a few of our developers have been working with the community on: the Decompiler Explorer! This new (free, open source) web service lets you compare the output of different decompilers on small executables. In other words: It’s basically the same thing as Matt Godbolt’s awesome Compiler Explorer, but in reverse. --------------------------------------------- https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html ∗∗∗ CVE-2022-29885 - Dont Open That Port - A Denial Of Service vulnerability on Apache Tomcat Cluster Service Listener ∗∗∗ --------------------------------------------- While performing the analysis I discovered that this was a part of a research made by 4ra1n, who reported the issue to the Apache Tomcat Security Team on 17 April 2022 and marked as CVE-2022-29885. Nonetheless, I had no luck finding a suitable PoC of the vulnerability. --------------------------------------------- https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/ ∗∗∗ Genesis - The Birth of a Windows Process (Part 1) ∗∗∗ --------------------------------------------- This is the first part of a two part series. In this post, I cover how Windows spawns a process, the various APIs and data structures involved and different types of processess available on Windows. The Windows API provides several functions for creating a process. We will go through some of the important APIs and structures Win32 offers before diving into the process creation procedure. --------------------------------------------- https://fourcore.io/blogs/how-a-windows-process-is-created-part-1 ∗∗∗ Exploiting Arbitrary Object Instantiations in PHP without Custom Classes ∗∗∗ --------------------------------------------- PHP’s Arbitrary Object Instantiation is a flaw in which an attacker can create arbitrary objects. This flaw can come in all shapes and sizes. --------------------------------------------- https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/ ∗∗∗ “RedAlert,” LILITH and 0mega leading a wave of Ransomware Campaigns ∗∗∗ --------------------------------------------- Multiple new ransomware groups have surfaced recently, highlighting the adoption of ransomware attacks by TAs for monetary gains. --------------------------------------------- https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/ ∗∗∗ Office-Nutzer im Visier: Phishing-Kampagne umgeht Multi-Faktor-Authentifizierung ∗∗∗ --------------------------------------------- Microsofts Sicherheitsforscher haben eine große Phishing-Kampagne aufgedeckt. Dabei stehlen Angreifer Session-Cookies, um MFA-Schutzmaßnahmen zu umgehen. --------------------------------------------- https://heise.de/-7179750 ∗∗∗ PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin. --------------------------------------------- https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-buil… ∗∗∗ YouTuber-Cash: Vorsicht vor Abzocke ∗∗∗ --------------------------------------------- YouTube-Videos schauen und damit Geld verdienen? Angebote wie das von youtuber.ltd klingen verlockend, doch statt der Auszahlung warten Abzocke-Maschen auf Sie. Vertrauen Sie keinen Versprechen online, schnell viel Geld zu verdienen! --------------------------------------------- https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/ ===================== = Vulnerabilities = ===================== ∗∗∗ X.org servers update closes 2 security holes, adds neat component tweaks ∗∗∗ --------------------------------------------- Arbitrary code execution flaws in the X Keyboard Extension were bad news X.org has released a bunch of updates, which includes closing two security holes and, yes, this affects Wayland users too. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/07/13/xorg_servers… ∗∗∗ Tableau Server Leaks Sensitive Information From Reflected XSS ∗∗∗ --------------------------------------------- GoSecure Titan Labs has identified a vulnerability within the Tableau Server that could allow malicious actors to extract sensitive data from the application. Tableau Server is an analytics platform owned by Salesforce used to see and understand data. --------------------------------------------- https://www.gosecure.net/blog/2022/07/13/tableau-server-leaks-sensitive-inf… ∗∗∗ IBM Security Bulletins 2022-07-13 ∗∗∗ --------------------------------------------- IBM Db2, IBM MQ Appliance, IBM i, IBM WebSphere Application Server, IBM Engineering Lifecycle Optimization, IBM Cloud Pak, IBM Netezza Platform, IBM Security Verify Information Queue, IBM Security Verify Governance. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lücke in VMware vCenter Server und Cloud Foundation zum Teil abgedichtet ∗∗∗ --------------------------------------------- In VMwares vCenter Server und der Cloud Foundation klafft eine Sicherheitslücke in der Integrated Windows Authentication. Nun gibt es ein Software-Update. --------------------------------------------- https://heise.de/-7179181 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (request-tracker4), Fedora (kernel and vim), Mageia (gerbv, gnupg2, pgadmin4, and python-coookiecutter), Slackware (xorg), SUSE (cifs-utils, gmp, gnutls, libnettle, kernel, libsolv, libzypp, zypper, logrotate, openssl-1_1, opera, squid, and virglrenderer), and Ubuntu (ca-certificates, git, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-kvm, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-aws, linux-oem-5.14, and vim). --------------------------------------------- https://lwn.net/Articles/901190/ ∗∗∗ UEFI-Firmware-Bug gefährdet über 70 Lenovo Notebooks (Juli 2022) ∗∗∗ --------------------------------------------- Hinweis für Blog-Leser und -Leserinnen, die Notebooks von Lenovo (und IBM) verwenden. Sicherheitsforscher von ESET haben gravierenden Schwachstellen in der UEFI-Firmware von Lenovo Notebooks gefunden, die eine Übernahme des Betriebssystems in der frühen Boot-Phase ermöglicht. --------------------------------------------- https://www.borncity.com/blog/2022/07/14/uefi-firmware-bug-gefhrdet-ber-70-… ∗∗∗ Internet Explorer 11: Update KB5015805 (12. Juli 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 12. Juli 2022 ein Sicherheitsupdate (KB5015805) für den Internet Explorer freigegeben. Dieses ist aber nur für ausgesuchte Windows-Versionen als kumulatives Update separat erhältlich. Hier ein Überblick über diesen Patch, der Schwachstellen im Browser schließen soll. --------------------------------------------- https://www.borncity.com/blog/2022/07/14/internet-explorer-11-update-kb5015… ∗∗∗ Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-048 ∗∗∗ K14335949: Intel processors vulnerability CVE-2022-24436 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14335949 ∗∗∗ K43357358: AMD processors vulnerability CVE-2022-23823 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43357358 ∗∗∗ Juniper JUNOS (EX, MX, PTX, QFX Series): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0684 ∗∗∗ Juniper JUNOS (Verschiedene Plattformen): Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0683 ∗∗∗ Lenovo XClarity: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0687 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2022
by Daily end-of-shift report 13 Jul '22

13 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-07-2022 18:00 − Mittwoch 13-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud ∗∗∗ --------------------------------------------- A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA). --------------------------------------------- https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec… ∗∗∗ Using Referers to Detect Phishing Attacks, (Wed, Jul 13th) ∗∗∗ --------------------------------------------- Referers are useful information for webmasters and system administrators that would like to have a better overview of the visitors browsing their websites. The referer is an HTTP header that identifies the address of the web page from which the resource has been requested. --------------------------------------------- https://isc.sans.edu/diary/rss/28836 ∗∗∗ Infected WordPress Site Reveals Malicious C&C Script ∗∗∗ --------------------------------------------- Cryptomining infections accounted for less than 4% of total detections last year. Despite the fact that CoinHive – one of the most popular JavaScript based miners – shut down its operations in 2019, we still find occasional infections on compromised environments during remote and server-side scans. --------------------------------------------- https://blog.sucuri.net/2022/07/infected-wordpress-site-reveals-malicious-c… ∗∗∗ Researchers Uncover New Attempts by Qakbot Malware to Evade Detection ∗∗∗ --------------------------------------------- The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection. --------------------------------------------- https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html ∗∗∗ Open-Source-Tool von Microsoft erstellt "Software Bill of Materials" ∗∗∗ --------------------------------------------- Das SBOM-Tool Salus listet alle Komponenten und Dependencies von Projekten auf, um potenzielle Schwachstellen in der Software Supply Chain aufzuspüren. --------------------------------------------- https://heise.de/-7177889 ∗∗∗ Vorsicht vor Fake-Shops am Energiesektor! ∗∗∗ --------------------------------------------- Zahlreichen Fake-Shops mit Brennholz, lassen Kriminelle nun Photovoltaik-Shops wie solanex.de und solarnetz.at folgen. Die aktuelle Energiekrise soll offenbar maximal ausgenützt werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-am-energiese… ∗∗∗ Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption ∗∗∗ --------------------------------------------- We show how metadata encryption and decryption contributes to making Cobalt Strike an effective emulator that is difficult to defend against. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decry… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in AMD Prozessoren ausnutzen, um beliebigen Programmcode auszuführen oder Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0665 ∗∗∗ Intel Prozessoren: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Intel Prozessoren ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0650 ∗∗∗ Microsoft Security Update Summary (12. Juli 2022) ∗∗∗ --------------------------------------------- Am 12. Juli 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen zudem 84 Schwachstellen, davon einen 0-day. --------------------------------------------- https://www.borncity.com/blog/2022/07/12/microsoft-security-update-summary-… ∗∗∗ Adobe dichtet teils kritische Lücken ab ∗∗∗ --------------------------------------------- In Adobe Acrobat und Reader, Photoshop, RoboHelp und Character Animator schließt der Hersteller Sicherheitslücken. Einige sind kritisch. --------------------------------------------- https://heise.de/-7177696 ∗∗∗ IBM Security Bulletins 2022-07-12 ∗∗∗ --------------------------------------------- IBM Answer Retrieval for Watson Discovery, IBM Event Streams, IBM QRadar Network Security, IBM Cloud, Content Manager OnDemand, IBM Rational Build Forge, IBM App Connect Enterprise, IBM Sterling Connect, Digital Certificate Manager, Enterprise Content Management System Monitor. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/901029/ ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Ruby on Rails ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0662 ∗∗∗ ZDI-22-968: BMC Track-It! HTTP Module Improper Access Control Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-968/ ∗∗∗ ZDI-22-967: BMC Track-It! GetPopupSubQueryDetails SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-967/ ∗∗∗ VMSA-2022-0020 - VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0020.html ∗∗∗ VMSA-2022-0019 - VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0019.html ∗∗∗ VMSA-2022-0018 - VMware vCenter Server updates address a server-side request forgery vulnerability ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0018.html ∗∗∗ Dahua ASI7213X-T1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-193-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2022
by Daily end-of-shift report 12 Jul '22

12 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 11-07-2022 18:00 − Dienstag 12-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IBM-Middleware: Schwachstelle in MQ kann zu Rechtausweitung führen ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in IBM MQ ermöglichen Angreifern, ihre Rechte an betroffenen Systemen auszuweiten oder diese lahmzulegen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7169603 ∗∗∗ Wurm-Infektion: Malware-Kampagne Raspberry Robin befällt Windows und Qnap-NAS ∗∗∗ --------------------------------------------- IT-Forscher von Cybereason haben einen Netzwerkwurm entdeckt, der sich auf Windows- und Qnap-Geräten verbreitet. Sie nennen die Kampagne Raspberry Robin. --------------------------------------------- https://heise.de/-7170350 ∗∗∗ Month of PowerShell: Threat Hunting with PowerShell Differential Analysis ∗∗∗ --------------------------------------------- One of the most powerful techniques for threat hunting on Windows: differential analysis. --------------------------------------------- https://www.sans.org/blog/threat-hunting-with-powershell-differential-analy… ∗∗∗ CVE-2022-29593- Authentication Bypass by Capture Replay (Dingtian-DT-R002) ∗∗∗ --------------------------------------------- This blog post describes an authentication bypass within one such device, that allows an attacker with access to the IP network the ability to capture and subsequently replay discrete device commands, which allows for the switching on and off the physical relays on the device. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-29… ∗∗∗ Exploiting Authentication in AWS IAM Authenticator for Kubernetes ∗∗∗ --------------------------------------------- During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities. --------------------------------------------- https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aw… ∗∗∗ Scanning for security.txt files ∗∗∗ --------------------------------------------- RFC 9116 was written by E. Foudil and Y. Shafranovich and left draft status in April 2022. This RFC formally defines the unofficial security.txt file that has been an unofficial standard for many years, initially created back in 2017 and documented at https://securitytxt.org/. --------------------------------------------- https://www.pentestpartners.com/security-blog/scanning-for-security-txt-fil… ∗∗∗ ChromeLoader: New Stubborn Malware Campaign ∗∗∗ --------------------------------------------- A malicious browser extension is the payload of the ChromeLoader malware family, serving as adware and an infostealer, leaking users’ search queries. --------------------------------------------- https://unit42.paloaltonetworks.com/chromeloader-malware/ ∗∗∗ Is exploiting a null pointer deref for LPE just a pipe dream? ∗∗∗ --------------------------------------------- A lot of blog posts I have read go over interesting vulnerabilities and exploits but do not typically share the process behind discovery. I want to show how sometimes just manually poking around can quickly uncover vulnerabilities you might miss with other approaches to vulnerability discovery. --------------------------------------------- https://www.thezdi.com/blog/2022/6/1/is-exploiting-a-null-pointer-deref-for… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-962: Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-962/ ∗∗∗ Siemens ProductCERT published 19 and updated 15 advisories/bulletins ∗∗∗ --------------------------------------------- Opcenter Quality, SINAMICS PERFECT HARMONY GH180 Drives, EN100 Ethernet Module, RUGGEDCOM ROS, SIMATIC WinCC, Teamcenter Visualization, JT2Go, Industrial Products, TIA Administrator, Mendix Excel Importer Module, RUGGEDCOM ROX, SIMATIC eaSie Core Package, SCALANCE X Switches, SIMATIC CP Devices, Mendix Applications, SICAM A8000 Devicesm Simcenter Femap, PROFINET Stack, PADS Standard/Plus Viewer, SIMATIC S7-1500, Mendix, SIMATIC MV500 Devices, OPC Foundation Local Discovery Server, OPC-UA, Parasolid, SICAM GridEdge. --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-07#Sec… ∗∗∗ SAP-Patchday: 20 neue Sicherheitslücken im Juli abgedichtet ∗∗∗ --------------------------------------------- Mit den Updates zum Juli-Patchday schließt SAP 20 neue Sicherheitslücken. Zudem aktualisiert der Hersteller drei ältere Security-Bulletins. --------------------------------------------- https://heise.de/-7170698 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap). --------------------------------------------- https://lwn.net/Articles/900855/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ TYPO3-EXT-SA-2022-014: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-014 ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0641 ∗∗∗ Symantec Advanced Secure Gateway: Schwachstelle ermöglicht Manipulation und Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0638 ∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-24921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to Node.js ejs module (CVE-2022-29078) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses Apache LDAP API with a known vulnerability (CVE-2018-1337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-modernization-engin… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Postgresql shipped with IBM Tivoli Netcool Impact (CVE-2022-26520, CVE-2022-21724, WS-2022-0080) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-29526) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2022
by Daily end-of-shift report 11 Jul '22

11 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-07-2022 18:00 − Montag 11-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New 0mega ransomware targets businesses in double-extortion attacks ∗∗∗ --------------------------------------------- A new ransomware operation named 0mega targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets… ∗∗∗ Hackers Exploiting Follina Bug to Deploy Rozena Backdoor ∗∗∗ --------------------------------------------- A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. --------------------------------------------- https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html ∗∗∗ Raspberry Robin Windows Worm Abuses QNAP Devices ∗∗∗ --------------------------------------------- A recently discovered Windows worm is abusing compromised QNAP network-attached storage (NAS) devices as stagers to spread to new systems, according to Cybereason. Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives. --------------------------------------------- https://www.securityweek.com/raspberry-robin-windows-worm-abuses-qnap-devic… ∗∗∗ The History and Evolution of Zero Trust ∗∗∗ --------------------------------------------- “The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning”. --------------------------------------------- https://www.securityweek.com/history-and-evolution-zero-trust ∗∗∗ WhatsApp: Kriminelle geben sich als Ihr Kind aus ∗∗∗ --------------------------------------------- „Hallo Papa. Mein Handy ist kaputt. Das ist meine neue Nummer.“ Vorsicht: Diese Nachricht könnte von Kriminellen stammen. Werden Sie um eine Überweisung gebeten, handelt es sich eindeutig um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-kriminelle-geben-sich-als-i… ∗∗∗ SELECT XMRig FROM SQLServer ∗∗∗ --------------------------------------------- Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month. --------------------------------------------- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in node.js abgedichtet ∗∗∗ --------------------------------------------- Neue Versionen der node.js-Laufzeitumgebung beheben sicherheitskritische Fehler mit hohem Risiko. Angreifer könnten Opfern dadurch Schadcode unterjubeln. --------------------------------------------- https://heise.de/-7167912 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python). --------------------------------------------- https://lwn.net/Articles/900670/ ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um einen Denial of Service Angriff durchzuführen, beliebigen Code auszuführen, Speicher zu verändern und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0630 ∗∗∗ ZDI-22-959: (0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-959/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2021-23337 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23337/ ∗∗∗ Security Bulletin: CVE-2020-28500 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-28500/ ∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203-2/ ∗∗∗ Security Bulletin: IBM Content Manager Enterprise Edition is is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-enter… ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203/ ∗∗∗ Security Bulletin: CVE-2021-23369 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23369/ ∗∗∗ Security Bulletin: CVE-2020-7774 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-7774/ ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ K40582331: Apache HTTP server vulnerability CVE-2022-28615 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K40582331 ∗∗∗ K08006936: Apache Commons Configuration vulnerability CVE-2022-33980 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08006936 ∗∗∗ K74251611: Linux kernel vulnerability CVE-2021-38166 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74251611 ∗∗∗ K36462841: Linux kernel vulnerability CVE-2018-18281 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36462841 ∗∗∗ ILIAS: Schwachstelle ermöglicht Erlangen von Benutzerrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0629 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2022
by Daily end-of-shift report 08 Jul '22

08 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-07-2022 18:00 − Freitag 08-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gesundheitseinrichtungen im Visier nordkoreanischer Cyberkrimineller ∗∗∗ --------------------------------------------- US-amerikanische Sicherheitsbehörden warnen vor der Maui-Ransomware. Mit ihr greifen nordkoreanische Cybergangs Organisationen des Gesundheitswesens an. --------------------------------------------- https://heise.de/-7166692 ∗∗∗ Free decryptor released for AstraLocker, Yashma ransomware victims ∗∗∗ --------------------------------------------- New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ SiteCheck Malware Trends Report – Q2 2022 ∗∗∗ --------------------------------------------- Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote scanners may not provide as comprehensive of a scan as server-side scanners, they allow users to instantly identify malicious code and detect security issues on their website without installing any software or applications. --------------------------------------------- https://blog.sucuri.net/2022/07/sitecheck-malware-trends-report-q2-2022.html ∗∗∗ Over 1,200 NPM Packages Found Involved in "CuteBoi" Cryptomining Campaign ∗∗∗ --------------------------------------------- Researchers have disclosed what they say could be an attempt to kick-off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts. --------------------------------------------- https://thehackernews.com/2022/07/over-1200-npm-packages-found-involved.html ∗∗∗ Koh: The Token Stealer ∗∗∗ --------------------------------------------- In this post I will introduce a toolkit called Koh that can indefinitely (..) harvest and reuse tokens for accounts that connect to a machine you have administrative rights on. I’ll go over the motivation for this approach, the technical background of why it’s possible and what changed in 2016, and briefly show what Koh can do. --------------------------------------------- https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6 ∗∗∗ New HavanaCrypt Ransomware Distributed as Fake Google Software Update ∗∗∗ --------------------------------------------- Security researchers at Trend Micro have identified a new ransomware family that is being delivered as a fake Google Software Update application. --------------------------------------------- https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-go… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-07 ∗∗∗ --------------------------------------------- IBM QRadar Network Security, IBM Engineering Lifecycle Management, IBM Rational Build Forge, IBM Tivoli Netcool/Omnibus, IBM Tivoli Network Manager, IBM Engineering Lifecycle Management, IBM CICS TX Standard, IBM CICS TX Advanced, IBM WebSphere Application Server Liberty, IBM Security Verify Information Queue, IBM Event Streams. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Root-Lücke in Dell-EMC-Software geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit Dell PowerProtect Cyber Recovery oder Cloud Mobility for Dell EMC Storage attackieren. Hiergegen gibt es jetzt ein Update. --------------------------------------------- https://heise.de/-7166118 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (direnv, golang-github-mattn-colorable, matrix-synapse, pypy3.7, pypy3.8, and pypy3.9), Oracle (squid), SUSE (curl, openssl-1_1, pcre, python-ipython, resource-agents, and rsyslog), and Ubuntu (nss, php7.2, and vim). --------------------------------------------- https://lwn.net/Articles/900443/ ∗∗∗ NetApp ActiveIQ Unified Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in NetApp ActiveIQ Unified Manager ausnutzen, um Informationen offenzulegen, Daten zu manipulieren oder zu verändern und einen Denial of Service Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0608 ∗∗∗ Red Hat FUSE: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat FUSE ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuführen, einen Denial of Service Zustand herbeizuführen, Sicherheitsmaßnahmen zu umgehen, Daten und Informationen zu manipulieren und seine Privilegien zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0607 ∗∗∗ July 7th 2022 Security Releases ∗∗∗ --------------------------------------------- Updates are now available for the v18.x, v16.x, and v14.x Node.js release [...] --------------------------------------------- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases ∗∗∗ Exploitation of Mitel MiVoice Connect SA CVE-2022-29499 ∗∗∗ --------------------------------------------- Mitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible. Appliances should not be exposed to the open internet. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-c… ∗∗∗ ZDI-22-955: Sante PACS Server SQL Injection Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-955/ ∗∗∗ K06524534: Linux kernel vulnerability CVE-2021-22555 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06524534 ∗∗∗ K49622415: Apache Tomcat vulnerability CVE-2022-25762 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49622415 ∗∗∗ 10 Vulnerabilities Found in Widely Used Robustel Industrial Routers ∗∗∗ --------------------------------------------- https://www.securityweek.com/10-vulnerabilities-found-widely-used-robustel-… ∗∗∗ Eclipse Jetty: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0614 ∗∗∗ Foxit PDF Editor: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0613 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0622 ∗∗∗ Rockwell Automation MicroLogix ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-188-01 ∗∗∗ Bently Nevada ADAPT 3701/4X Series and 60M100 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-188-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2022
by Daily end-of-shift report 07 Jul '22

07 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-07-2022 18:00 − Donnerstag 07-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ransomware, hacking groups move from Cobalt Strike to Brute Ratel ∗∗∗ --------------------------------------------- Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-mo… ∗∗∗ Online programming IDEs can be used to launch remote cyberattacks ∗∗∗ --------------------------------------------- Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/online-programming-ides-can-… ∗∗∗ Automating binary vulnerability discovery with Ghidra and Semgrep ∗∗∗ --------------------------------------------- Semgrep is a static analysis tool that works on source code, but thanks to Haruspex we can leverage its power also against closed source binaries. --------------------------------------------- https://security.humanativaspa.it/automating-binary-vulnerability-discovery… ∗∗∗ Liste betrügerischer Investitionsplattformen ∗∗∗ --------------------------------------------- Betrügerische Investitionsplattformen versprechen hohe Gewinne – risikofrei und ohne Finanzwissen. Der Handel erfolgt automatisiert oder mit persönlicher Beratung. Bereits mit kleinen Investitionen können angeblich hohe Gewinne erzielt werden. Klingt sehr verlockend, ist aber Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/liste-betruegerischer-investitionspl… ∗∗∗ AsyncRAT Being Distributed to Vulnerable MySQL Servers ∗∗∗ --------------------------------------------- The ShadowServer foundation has recently released a report showing that there are about 3.6 million MySQL servers exposed to outside. --------------------------------------------- https://asec.ahnlab.com/en/36315/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt aktualisieren! Codeschmuggel durch Lücke in OpenSSL möglich∗∗∗ --------------------------------------------- Die gravierendere Schwachstelle betrifft OpenSSL 3.0.4, das am 21. Juni veröffentlicht wurde. Darin haben die Entwickler laut eigener Beschreibung einen ernsthaften Fehler eingebaut, der die RSA-Implementierung auf Prozessoren mit Unterstützung für die AVX-512 IFMA-Befehlssatzerweiterung betrifft. Die Implementierung mit privaten Schlüsseln mit 2048-Bit ist nicht korrekt und ein Speicherfehler tritt bei der Berechnung auf. Ein Angreifer könnte als Folge davon aus dem Internet Code einschleusen und ausführen (CVE-2022-2274, noch kein CVSS-Score, Risiko "hoch"). --------------------------------------------- https://www.heise.de/news/Jetzt-aktualisieren-Codeschmuggel-durch-Luecke-in… ∗∗∗ Cisco Security Advisories 2022-07-06 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 1 High, 7 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2022-07-06 ∗∗∗ --------------------------------------------- IBM CICS TX Standard, IBM Tivoli Netcool Impact, IBM Security Verify Access Product, App Connect professional, IBM Engineering Lifecycle Management, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Security Verify Access Appliance, IBM Tivoli Application Dependency Discovery Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday Android: Systemlücke lässt Schadcode passieren ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android-Smartphones und -Tablets. Einige Lücken sind als kritisch eingestuft. --------------------------------------------- https://heise.de/-7164810 ∗∗∗ Schwachstellen in OpenVPN Access Server geschlossen ∗∗∗ --------------------------------------------- Version 2.11.0 des OpenVPN Access Server schließt einige Sicherheitslücken. Angreifer hätten die Server etwa für DDoS-Verstärkungs-Angriffe missbrauchen können. --------------------------------------------- https://heise.de/-7165442 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode), Fedora (dotnet3.1 and gnupg2), Oracle (grub2, kernel, php:7.4, php:8.0, and qemu-kvm), SUSE (389-ds, apache2, crash, curl, expat, firefox, fwupd, fwupdate, ImageMagick, ldb, samba, liblouis, librttopo, openssl, openssl-1_0_0, openssl-1_1, openssl-3, oracleasm, php7, php8, python-Twisted, python310, rsyslog, s390-tools, salt, thunderbird, and xen), and Ubuntu (linux-lts-xenial, linux-kvm and openssl). --------------------------------------------- https://lwn.net/Articles/900286/ ∗∗∗ Apache Commons: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Apache Commons ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0590 ∗∗∗ ZDI-22-949: (0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-949/ ∗∗∗ Dovecot: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0589 ∗∗∗ Nextcloud Mail: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0594 ∗∗∗ HCL BigFix: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0606 ∗∗∗ XSS-Schwachstelle in Jira-App (SYSS-2022-039) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/xss-schwachstelle-in-jira-app-syss-2022-039 ∗∗∗ QNAP: Checkmate Ransomware via SMB Services Exposed to the Internet ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-21 ∗∗∗ Microsoft Edge 103.0.1264.49 (6. Juli 2022) ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/07/07/microsoft-edge-103-0-1264-49-6-jul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2022
by Daily end-of-shift report 06 Jul '22

06 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-07-2022 18:00 − Mittwoch 06-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft quietly fixes ShadowCoerce Windows NTLM Relay bug ∗∗∗ --------------------------------------------- Microsoft has confirmed it fixed a previously disclosed ShadowCoerce vulnerability as part of the June 2022 updates that enabled attackers to target Windows servers in NTLM relay attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-sha… ∗∗∗ NPM supply-chain attack impacts hundreds of websites and apps ∗∗∗ --------------------------------------------- An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-supply-chain-attack-impa… ∗∗∗ Kryptographie: NIST gibt Post-Quanten-Algorithmen bekannt ∗∗∗ --------------------------------------------- Nach einem Wettbewerb kürt die US-Behörde Verschlüsselungs- und Signaturalgorithmen, die vor Quantencomputern sicher sein sollen. --------------------------------------------- https://www.golem.de/news/kryptographie-nist-gibt-post-quanten-algorithmen-… ∗∗∗ Top 5 Most Common WordPress Malware Infections: An Anatomy Lesson ∗∗∗ --------------------------------------------- WordPress security is serious business – and an essential consideration for anyone using the world’s most popular CMS (Content Management System). While the WordPress team quickly addresses known security issues in WordPress’ core to protect the millions of website owners who rely and depend on the software, the reality is that the same cannot be said for all plugin and theme developers. --------------------------------------------- https://blog.sucuri.net/2022/07/top-5-most-common-wordpress-malware-infecti… ∗∗∗ Fake-Shop-Alarm: Vorsicht beim Online-Kauf von Brennholz! ∗∗∗ --------------------------------------------- Die aktuelle Energiekrise lässt die Preise für Brennholz steigen. Der befürchtete Gasmangel führt dazu, dass Holz gehamstert und dementsprechend knapper wird. Eine perfekte Ausgangslage für Kriminelle: Sie nutzen die Situation aus und erstellen Fake-Shops, auf denen sie günstiges Brennholz anbieten. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online… ∗∗∗ Electric Vehicle Charging: a Survey on the Security Issues and Challenges of the Open Charge Point Protocol (OCPP) ∗∗∗ --------------------------------------------- The increased use of smart Electric Vehicles (EVs) and Plug-in ElectricVehicles (PEV) opened a new area of research and development. The number of EVcharging sites has considerably increased in residential as well as in publicareas. Within these EV charging sites, various entities need to communicate in a secure and efficient way. --------------------------------------------- http://arxiv.org/abs/2207.01950 ∗∗∗ OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow ∗∗∗ --------------------------------------------- Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat actors’ interest and we see a continued growth and innovation of malware that targets Linux, such as the recent Symbiote malware that was discovered by our research team. --------------------------------------------- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldap-account-manager), Fedora (openssl1.1, thunderbird, and yubihsm-connector), Mageia (curl, cyrus-imapd, firefox, ruby-git, ruby-rack, squid, and thunderbird), Oracle (firefox, kernel, and thunderbird), Slackware (openssl), SUSE (dpdk, haproxy, and php7), and Ubuntu (gnupg2 and openssl). --------------------------------------------- https://lwn.net/Articles/900172/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache Tomcat version used in it. (CVE-2021-42340) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to the Fabric8 Kubernetes client (CVE-2021-4178) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-32210 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM QRadar Network Packet Capture includes multiple vulnerable components. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet… ∗∗∗ K58003591: Apache HTTP server vulnerability CVE-2022-28614 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K58003591 ∗∗∗ vim: Schwachstelle ermöglicht Manipulation von Speicher ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0583 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0581 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2022
by Daily end-of-shift report 05 Jul '22

05 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 04-07-2022 18:00 − Dienstag 05-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt aktualisieren! Zero-Day-Lücke in Google Chrome geschlossen ∗∗∗ --------------------------------------------- Im Webbrowser Google Chrome hat der Hersteller mehrere Sicherheitslücken geschlossen. Angreifer missbrauchen eine davon bereits in freier Wildbahn. --------------------------------------------- https://heise.de/-7162462 ∗∗∗ Erpressungstrojaner AstraLocker ist Geschichte, Entschlüsselungstools verfügbar ∗∗∗ --------------------------------------------- Die Drahtzieher der Ransomware AstraLocker wollen die Cybercrime-Branche wechseln und veröffentlichen Tools, über die Opfer auf ihre Daten zugreifen können. --------------------------------------------- https://heise.de/-7163123 ∗∗∗ Memory Sanitizer: Neues Kernel-Werkzeug findet 300 Speicherfehler ∗∗∗ --------------------------------------------- Trotz Compilerwarnungen und -Werkzeuge gibt es weiter neue Speicherfehler im Linux-Kernel. Ein Memory Sanitizer soll das zum Teil verhindern. --------------------------------------------- https://www.golem.de/news/memory-sanitizer-neues-kernel-werkzeug-findet-300… ∗∗∗ Abo-Falle auf lebenslaufschreiben.com ∗∗∗ --------------------------------------------- Sie erstellen gerade einen Lebenslauf und suchen im Internet nach Vorlagen? Möglicherweise landen Sie bei lebenslaufschreiben.com – einem Lebenslaufgenerator. Online können alle Informationen eingetippt und ein sehr professioneller Lebenslauf gebastelt werden. Doch Vorsicht: Sie werden in eine Abo-Falle gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-auf-lebenslaufschreibencom/ ∗∗∗ EternalBlue 5 years after WannaCry and NotPetya, (Tue, Jul 5th) ∗∗∗ --------------------------------------------- We are about two months past the 5-year anniversary of WannaCry outbreak[1] and about a week past the 5-year anniversary of NotPetya outbreak[2]. Since both WannaCry and NotPetya used the EternalBlue[3] exploit in order to spread, I thought that it might be interesting to take a look at how many internet-facing systems still remain vulnerable to it. --------------------------------------------- https://isc.sans.edu/diary/rss/28816 ∗∗∗ When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors ∗∗∗ --------------------------------------------- Penetration testing and adversary emulation tool Brute Ratel C4 is effective at defeating modern detection capabilities – and malicious actors have begun to adopt it. --------------------------------------------- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate für Django Web Framework ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Django Web-Framework ermöglichte Angreifern das Einschleusen von SQL-Befehlen. Aktualisierte Software bessert die Schwachstelle aus. --------------------------------------------- https://heise.de/-7163246 ∗∗∗ IBM Security Bulletins 2022-07-04 ∗∗∗ --------------------------------------------- IBM Tivoli Network Manager, IBM App Connect Enterprise, IBM Integration Bus, IBM Engineering Test Management, IBM WebSphere Cast Iron Solution, IBM App Connect Professional, IBM Cloud Pak, IBM Tivoli Netcool, IBM Netezza, IBM Operations Analytics, App Connect professional. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Fortinet Security Advisories 2022-07-05 ∗∗∗ --------------------------------------------- On Jul 05, 2022, Fortinet has released 11 advisories for issues resolved in Fortinet products. (Severity: Low (1), Medium (6), High (4)) --------------------------------------------- https://fortiguard.fortinet.com/psirt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender and thunderbird), SUSE (ImageMagick, qemu, and sysstat), and Ubuntu (php7.0). --------------------------------------------- https://lwn.net/Articles/900064/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-22662 Versions affected: WebKitGTK and WPE WebKit before 2.36.0. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0006.html ∗∗∗ OpenSSL: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein Angreifer kann eine Schwachstelle in OpenSSL ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0561 ∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um Cross-Site Scripting- und Cross-Site Request Forgery Angriffe durchzuführen und um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0562 ∗∗∗ July 5th 2022 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, and 18.x releases lines on or shortly after Tuesday, July 5th, 2022 in order to address: Three medium severity issues. Two high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases ∗∗∗ LiteCart vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN32625020/ ∗∗∗ Xen Security Advisory CVE-2022-33743 / XSA-405 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-405.html ∗∗∗ Xen Security Advisory CVE-2022-33744 / XSA-406 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-406.html ∗∗∗ Xen Security Advisory CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742 / XSA-403 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-403.html ∗∗∗ Nextcloud: Schwachstelle ermöglicht Injektion von Kommandos ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0558 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2022
by Daily end-of-shift report 04 Jul '22

04 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-07-2022 18:00 − Montag 04-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Raspberry Robin: Microsoft warnt vor mysteriösem Wurm ∗∗∗ --------------------------------------------- Die Schadsoftware verbreitet sich über USB-Sticks. Unklar bleibt, wer die Urheber*innen sind und welches Ziel damit verfolgt wird. --------------------------------------------- https://futurezone.at/digital-life/raspberry-robin-wurm-windows-microsoft-w… ∗∗∗ Warnung vor Hackerangriffen auf Politiker ∗∗∗ --------------------------------------------- Das BSI und der Verfassungsschutz warnen vor Hackern, die durch einen einfachen Trick den Zugang zu Chats von hochrangigen Politikern erlangen könnten. --------------------------------------------- https://www.tagesschau.de/investigativ/ndr-wdr/hacker-angriffe-verfassungss… ∗∗∗ Gefälschtes ÖBB-Gewinnspiel auf WhatsApp ∗∗∗ --------------------------------------------- Viele WhatsApp-Nutzer:innen verbreiten unter ihren Kontakten unwissentlich ein Fake-ÖBB-Gewinnspiel. Die Nachricht lautet „ÖBB 100 Jahre Staatliche Verkehrsförderung! Jeder Bürger kann sich über…“. Darunter ist ein Link. Der Link führt zu einem gefälschten Gewinnspiel. Klicken Sie nicht auf den Link, Sie werden abgezockt. Ignorieren Sie die Nachricht und melden Sie sie an WhatsApp. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-oebb-gewinnspiel-auf-wh… ∗∗∗ CISA fordert US-Einrichtungen zum Patchen von CVE-2022-26925 in AD-Umgebungen auf ∗∗∗ --------------------------------------------- Zum 1. Juli 2022 hat die US Cybersecurity & Infrastructur Security Agency (CISA) erneut den Patch für die Schwachstelle CVE-2022-26925 (Active Directory) in die Liste der zu schließenden Schwachstellen aufgenommen (soll bis 22. 7. 2022 geschlossen werden). --------------------------------------------- https://www.borncity.com/blog/2022/07/04/cisa-fordert-us-einrichtungen-zum-… ∗∗∗ Cloud OSINT. Finding Interesting Resources ∗∗∗ --------------------------------------------- Locating sensitive information, personally identifiable information (PII) and questionable assets in the cloud. TL; DR I had a curiosity driven excursion into the public clouds of AWS and Azure to [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/cloud-osint-finding-interesti… ===================== = Vulnerabilities = ===================== ∗∗∗ Django fixes SQL Injection vulnerability in new releases ∗∗∗ --------------------------------------------- Django, an open source Python-based web framework has patched a high severity vulnerability in its latest releases. Tracked as CVE-2022-34265, the potential SQL Injection vulnerability impacts Djangos main branch, and versions 4.1 (currently in beta), 4.0, and 3.2, with patches and new releases issued fixing the vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-v… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnupg2 and kernel), Fedora (golang-github-apache-beam-2, golang-github-etcd-io-gofail, golang-github-intel-goresctrl, golang-github-spf13-cobra, golang-k8s-pod-security-admission, and vim), Oracle (.NET 6.0, compat-openssl10, compat-openssl11, cups, curl, expat, firefox, go-toolset:ol8, grub2,, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libarchive, libgcrypt, libinput, libxml2, pcre2, postgresql, python, rsync, rsyslog, [...] --------------------------------------------- https://lwn.net/Articles/899963/ ∗∗∗ libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0544 ∗∗∗ xpdf: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0543 ∗∗∗ HPE FlexNetwork und FlexFabric Switches: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0542 ∗∗∗ Kyocera Drucker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0551 ∗∗∗ Trend Micro Maximum Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0550 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Remote code execution vulnerability affect IBM Business Automation Workflow – CVE-2021-43138 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-remote-code-execution-vul… ∗∗∗ Security Bulletin: junrar Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-junrar-denial-of-service-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: junrar v7.4.0 and prior Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-junrar-v7-4-0-and-prior-d… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2022
by Daily end-of-shift report 01 Jul '22

01 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-06-2022 18:00 − Freitag 01-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft-Analyse: Linux-Malware-Kampagne erhält bemerkenswertes Update ∗∗∗ --------------------------------------------- Ein Sicherheitsteam von Microsoft hat beobachtet, dass die Malware-Gruppe "8220 Gang" ihre Kampagne signifikant aktualisiert hat. Im Visier: Linux-Systeme. --------------------------------------------- https://heise.de/-7159495 ∗∗∗ FBI and CISA warn: This ransomware is using RDP flaws to break into networks ∗∗∗ --------------------------------------------- US exposes MedusaLocker, one of the ransomware gangs that ramped up activity as the pandemic gripped the world. --------------------------------------------- https://www.zdnet.com/article/fbi-and-cisa-warn-this-ransomware-is-using-rd… ∗∗∗ RanSim: a ransomware simulation script written in PowerShell ∗∗∗ --------------------------------------------- You can use RanSim to test your defenses and backups against real ransomware-like activity in a controlled setting. The same script can be used to decrypt the files if needed. --------------------------------------------- https://github.com/lawndoc/RanSim ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Viele Jenkins-Plug-ins als Schlupflöcher für Angreifer ∗∗∗ --------------------------------------------- Software-Entwickler aufgepasst: Lücken in Plug-ins für den Automation-Server Jenkins geschlossen. Etliche Patches lassen aber noch auf sich warten. --------------------------------------------- https://heise.de/-7160083 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, isync, kernel, and systemd), Fedora (chromium, curl, firefox, golang-github-vultr-govultr-2, and xen), Mageia (openssl, python-bottle, and python-pyjwt), Red Hat (compat-openssl10, curl, expat, firefox, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, kernel, kpatch-patch, libarchive, libgcrypt, libinput, libxml2, pcre2, php:7.4, php:8.0, qemu-kvm, ruby:2.6, thunderbird, and vim), and Ubuntu (curl, libjpeg6b, and vim). --------------------------------------------- https://lwn.net/Articles/899701/ ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um Informationen offenzulegen, Sicherheitseinstellungen zu umgehen, einen Denial of Service zu verursachen, Daten zu manipulieren und Code zur Ausführung zu bringen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0531 ∗∗∗ Microsoft Edge 103.0.1264.44 fixt CVE-2022-33680 (30. Juni 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 30. Juni 2022 den Edge-Browser im Stable Channel auf die Version 103.0.1264.44 aktualisiert. Es ist ein Wartungsupdate, welches die als kritisch eingestufte Elevation of Privilege-Schwachstelle CVE-2022-33680 (Ausbruch aus der Sandbox) beseitigt. --------------------------------------------- https://www.borncity.com/blog/2022/07/01/microsoft-edge-103-0-1264-44-fixt-… ∗∗∗ ZDI-22-948: Parallels Access Agent Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-948/ ∗∗∗ Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: Vulnerabilities in Samba, OpenSSL, Python, and XStream affect IBM Spectrum Protect Plus (CVE-2021-20254, CVE-2021-3712, CVE-2021-43859, CVE-2022-0778, CVE-2020-25717, CVE-2021-23192, CVE-2021-3733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-samba-… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server Pack for SAP Apps and BW Packs is affected by an improper validation vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: UrbanCode Deploy is vulnerable to denial of service due to Jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urbancode-deploy-is-vulne… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Kibana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0527 ∗∗∗ npm: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0524 ∗∗∗ Exemys RME1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-01 ∗∗∗ Yokogawa Wide Area Communication Router ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-02 ∗∗∗ Emerson DeltaV Distributed Control System ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-03 ∗∗∗ Distributed Data Systems WebHMI ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-04 ∗∗∗ 2022-09 FragAttacks ProSoft RadioLinx RLX2 ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14521&mediaformat… ∗∗∗ Unauthorized RCE CVE-2022-28219 in Zoho ManageEngine ADAudit Plus ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/07/01/unauthorized-rce-cve-2022-28219-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2022
by Daily end-of-shift report 30 Jun '22

30 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-06-2022 18:00 − Donnerstag 30-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Atlassian warnt vor Sicherheitslücke in Projektverwaltung Jira ∗∗∗ --------------------------------------------- Vor einer Sicherheitslücke mit hohem Risiko in Jira warnt Hersteller Atlassian. Updates stehen bereit. Auch ein Workaround bietet das Unternehmen an. --------------------------------------------- https://heise.de/-7157892 ∗∗∗ Recovery-Scams: Kriminelle geben sich als FMA und Börsenaufsicht aus! ∗∗∗ --------------------------------------------- Sind Sie Opfer einer unseriösen Trading-Plattform geworden? Anbieter wie börsenaufsicht.net, finanzmarktaufsicht.net und payback-ltd.com versprechen Ihr verlorenes Geld zurückzuholen. Vorsicht! Es handelt sich um betrügerische Dienste, die Sie noch weiter abzocken wollen. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scams-kriminelle-geben-sich… ∗∗∗ Microsoft Exchange Server: Remote Code Execution-Schwachstelle CVE-2022-23277 trotz Patch ausnutzbar? ∗∗∗ --------------------------------------------- Sind auf dem aktuellen Patch-Stand befindliche Microsoft Exchange Server über die Remote Code Execution-Schwachstelle CVE-2022-23277 immer noch angreifbar? Mir sind gerade einige Informationsfragmente unter die Augen gekommen, die dies zumindest nahelegen, dass der betreffende Patch die Möglichkeiten zur Ausnutzung nicht [...] --------------------------------------------- https://www.borncity.com/blog/2022/06/30/microsoft-exchange-server-remote-c… ∗∗∗ CISA warns of hackers exploiting PwnKit Linux vulnerability ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ AstraLocker 2.0 infects users directly from Word attachments ∗∗∗ --------------------------------------------- A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users… ∗∗∗ XFiles info-stealing malware adds support for Follina delivery ∗∗∗ --------------------------------------------- The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xfiles-info-stealing-malware… ∗∗∗ The SessionManager IIS backdoor ∗∗∗ --------------------------------------------- In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East. --------------------------------------------- https://securelist.com/the-sessionmanager-iis-backdoor/106868/ ∗∗∗ Toll fraud malware: How an Android application can drain your wallet ∗∗∗ --------------------------------------------- Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware - and it continues to evolve. --------------------------------------------- https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-a… ∗∗∗ Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended, (Thu, Jun 30th) ∗∗∗ --------------------------------------------- How do threat actors behind a Cobalt Strike server keep it running after its domain is taken down? If the server is not hosted through the domain registrar, it merely keeps running on the same IP address. Today's diary is a case study where Cobalt Strike remained active on the same IP address at least one week after its domain was suspended. --------------------------------------------- https://isc.sans.edu/diary/rss/28804 ∗∗∗ Flubot: the evolution of a notorious Android Banking Malware ∗∗∗ --------------------------------------------- Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the [...] --------------------------------------------- https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-andr… ∗∗∗ Amazon Photos vulnerability could have given attackers access to user files and data ∗∗∗ --------------------------------------------- The retail giant patched a serious flaw in its Amazon Photos app that left user access token exposed to potential attackers. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/amazon-p… ∗∗∗ Cloudy with a Chance of Risk: Managing Risks in Cloud-Managed OT Networks ∗∗∗ --------------------------------------------- In this blog, we'll examine the potential threats and risks of OT cloud migration, offering guidance on how to manage and mitigate them effectively. --------------------------------------------- https://claroty.com/2022/06/30/blog-research-cloudy-with-a-chance-of-risk/ ∗∗∗ Reducing data exfiltration by malicious insiders ∗∗∗ --------------------------------------------- Advice and recommendations for mitigating this type of insider behaviour. --------------------------------------------- https://www.ncsc.gov.uk/guidance/reducing-data-exfiltration-by-malicious-in… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-29 ∗∗∗ --------------------------------------------- IBM Spectrum Protect, IBM Watson Discovery, IBM Sterling B2B Integrator, IBM Sterling Connect, IBM Cloud Pak, IBM Tivoli Netcool Impact, IBM Db2 --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, firejail, and ublock-origin), Fedora (chromium, firefox, thunderbird, and vim), Mageia (kernel and kernel-linus), Oracle (389-ds-base and python-virtualenv), SUSE (chromium), and Ubuntu (cloud-init). --------------------------------------------- https://lwn.net/Articles/899483/ ∗∗∗ Mitsubishi Electric FA Engineering Software (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05 ∗∗∗ CODESYS Gateway Server (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a heap-based buffer overflow vulnerability in CODESYS Gateway Server products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSA-15-258-02 ∗∗∗ Revision von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) vom 28. Juni 2022 ∗∗∗ --------------------------------------------- Microsoft hat seine Beschreibung von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) zum 28. Juni 2022 revidiert. Es wurden die Sicherheitsupdates für Windows 10 Version 21H2, Windows 11 und Windows Server 2022 hinzugefügt, da diese Windows-Versionen ebenfalls von dieser Sicherheitslücke [...] --------------------------------------------- https://www.borncity.com/blog/2022/06/29/revision-von-cve-2022-26414-window… ∗∗∗ Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-047 ∗∗∗ Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-046 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2022
by Daily end-of-shift report 29 Jun '22

29 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-06-2022 18:00 − Mittwoch 29-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MITM at the Edge: Abusing Cloudflare Workers ∗∗∗ --------------------------------------------- Cloudflare Workers provide a powerful serverless solution to run code that sits between every HTTP request and response. In this post, we’ll see how an attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data. --------------------------------------------- https://blog.christophetd.fr/abusing-cloudflare-workers/ ∗∗∗ Achtung vor Fake-Shops mit Gartenmöbeln! ∗∗∗ --------------------------------------------- Kriminelle passen ihre Fake-Shops aktuell wieder an die Sommersaison an, indem sie vermehrt Gartenmöbel, Rasenmäher oder sonstige Gartengeräte anbieten. Beispiele sind waganu.de, bbvipanswer.shop, strandkorbia.com oder zzyha.shop. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-fake-shops-mit-gartenmoe… ∗∗∗ CISA Releases Guidance on Switching to Modern Auth in Exchange Online before October 1 ∗∗∗ --------------------------------------------- CISA has released guidance on switching from Basic Authentication (“Basic Auth”) in Microsoft Exchange Online to Modern Authentication ("Modern Auth") before Microsoft begins permanently disabling Basic Auth on October 1, 2022. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/28/cisa-releases-gui… ∗∗∗ YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom” ∗∗∗ --------------------------------------------- YTStealer is a malware whose objective is to steal YouTube authentication cookies. --------------------------------------------- https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/ ∗∗∗ Decryptor für Hive Ransomware v1 bis v4 verfügbar ∗∗∗ --------------------------------------------- Opfer der Hive Ransomware können ggf. hoffen, ihre verschlüsselten Dateien wieder entschlüsseln zu können. Denn koreanischen Sicherheitsforschern ist es gelungen, einen Decryptor für die Versionen 1 bis 4 dieser Hive Ransomware zu entwickeln. --------------------------------------------- https://www.borncity.com/blog/2022/06/29/decryptor-fr-hive-ransomware-v1-bi… ∗∗∗ Did You Know Your Browser’s Autofill Credentials Could Be Stolen via Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- Cross-Site Scripting (XSS) is a well-known vulnerability that has been around for a long time and can be used to steal sessions, create fake logins and carry out actions as someone else, etc. In addition, many users are unaware of the potential dangers associated with their browser’s credential autofill feature. --------------------------------------------- https://www.gosecure.net/blog/2022/06/29/did-you-know-your-browsers-autofil… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2022-30522 – Denial of Service (DoS) Vulnerability in Apache httpd “mod_sed” filter ∗∗∗ --------------------------------------------- This past March we posted an analysis of a vulnerability in the Apache HTTP Server mod_sed filter module, CVE-2022-23943, in which a Denial of Service (DoS) can be triggered due to a miscalculation of buffers’ sizes. While analyzing this Apache httpd vulnerability and its patch, we suspected that although the fix resolved the issue, it created a new unwanted behavior. --------------------------------------------- https://jfrog.com/blog/cve-2022-30522-denial-of-service-dos-vulnerability-i… ∗∗∗ Groupware: Präparierte E-Mails könnten zur Codeausführung in Zimbra führen ∗∗∗ --------------------------------------------- Angreifer könnten in Zimbra Backdoors per E-Mail hochladen. Schuld daran ist eine Lücke im Entpacker unrar, die die Erstellung beliebiger Dateien erlaubt. --------------------------------------------- https://heise.de/-7156812 ∗∗∗ Datenverwaltung: Kritische Lücke in Dell EMC PowerScale OneFS abgedichtet ∗∗∗ --------------------------------------------- Dell EMC PowerScale OneFS zur skalierbaren Datenspeicherung und -verwaltung enthält teils kritische Sicherheitslücken. Updates sollen sie schließen. --------------------------------------------- https://heise.de/-7156674 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender, libsndfile, and maven-shared-utils), Fedora (openssl), Red Hat (389-ds-base, kernel, kernel-rt, kpatch-patch, and python-virtualenv), Scientific Linux (389-ds-base, kernel, python, and python-virtualenv), and Slackware (curl, mozilla, and openssl). --------------------------------------------- https://lwn.net/Articles/899364/ ∗∗∗ FabricScape: Escaping Service Fabric and Taking Over the Cluster ∗∗∗ --------------------------------------------- Unit 42 researchers identified FabricScape (CVE-2022-30137), a vulnerability of important severity in Microsoft’s Service Fabric – commonly used with Azure – that allows Linux containers to escalate their privileges in order to gain root privileges on the node, and then compromise all of the nodes in the cluster. The vulnerability could be exploited on containers that are configured to have runtime access, which is granted by default to every container. --------------------------------------------- https://unit42.paloaltonetworks.com/fabricscape-cve-2022-30137/ ∗∗∗ Security Bulletin: IBM Netezza as a Service is vulnerable to denial of service due to Golang net package (CVE-2021-33194, CVE-2021-44716, CVE-2021-31525) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-… ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to command injection due to a flaw in c_rehash script (CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: Zlib for IBM i is vulnerable to a denial of service attack due to memory corruption (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-zlib-for-ibm-i-is-vulnera… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/ ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 102 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-27/ ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03 ∗∗∗ Motorola Solutions MOSCAD IP and ACE IP Gateways ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-04 ∗∗∗ Motorola Solutions MDLC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-05 ∗∗∗ Motorola Solutions ACE1000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-06 ∗∗∗ Omron SYSMAC CS/CJ/CP Series and NJ/NX Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2022
by Daily end-of-shift report 28 Jun '22

28 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 27-06-2022 18:00 − Dienstag 28-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Over 900,000 Kubernetes instances found exposed online ∗∗∗ --------------------------------------------- Over 900,000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-900-000-kubernetes-inst… ∗∗∗ Raccoon Stealer is back with a new version to steal your passwords ∗∗∗ --------------------------------------------- The Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with… ∗∗∗ ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks ∗∗∗ --------------------------------------------- A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks. --------------------------------------------- https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html ∗∗∗ Microsoft: Support-Ende von Exchange 2013 naht - jetzt Migration planen ∗∗∗ --------------------------------------------- Der Exchange-Server 2013 erreicht in neun Monaten sein absolutes Support-Ende. Daran erinnert Microsofts Exchange-Team und empfiehlt die zügige Migration. --------------------------------------------- https://heise.de/-7155579 ∗∗∗ Lockbit-Ransomware-Gruppe stellt sich professioneller auf ∗∗∗ --------------------------------------------- Die Erpresserbande hinter der Ransomware Lockbit hebt den Professionalisierungsgrad auf eine neue Stufe. Sogar ein Bug-Bounty-Programm hat sie aufgelegt. --------------------------------------------- https://heise.de/-7155742 ∗∗∗ Krypto-Lovescam: Wenn Tinder-Matches Investment-Tipps geben ∗∗∗ --------------------------------------------- Betrügerische Internetbekanntschaften zielen nicht darauf ab, Sie näher kennenzulernen. Sie bauen Vertrauen auf, um Sie später auf gefälschte Investitionsplattformen zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/krypto-lovescam-wenn-tinder-matches-… ∗∗∗ Understanding the Function Call Stack ∗∗∗ --------------------------------------------- That thread was inspired by a series of tweets by inversecos who shared how malware authors will often use Native APIs instead of Win32 APIs as a mechanism to evade naive detections that assume every application will use the Win32 API function. --------------------------------------------- https://posts.specterops.io/understanding-the-function-call-stack-f08b5341e… ∗∗∗ De-anonymizing ransomware domains on the dark web ∗∗∗ --------------------------------------------- We have developed three techniques to identify ransomware operators dark websites hosted on public IP addresses, allowing us to uncover previously unknown infrastructure for the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups. --------------------------------------------- http://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains… ===================== = Vulnerabilities = ===================== ∗∗∗ Firefox 102: Mehrere Sicherheitslücken geschlossen ∗∗∗ --------------------------------------------- Mozilla hat Version 102 von Firefox veröffentlicht. Diese Major-Version des Browsers ist die neue Basis für Firefox ESR und behebt einige Sicherheitsprobleme. --------------------------------------------- https://heise.de/-7156179 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nodejs and squid), Fedora (uboot-tools), Red Hat (kernel-rt, kpatch-patch, and python), SUSE (drbd, openssl-1_0_0, oracleasm, and rubygem-rack), and Ubuntu (curl). --------------------------------------------- https://lwn.net/Articles/899239/ ∗∗∗ 2022 CWE Top 25 Most Dangerous Software Weaknesses ∗∗∗ --------------------------------------------- The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/28/2022-cwe-top-25-m… ∗∗∗ Security Advisory - Password Verification Vulnerability of Huawei Router ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220628-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Common Licensing's License Key Server (LKS) Administration And Reporting Tool (ART) and its Agent(CVE-2021-4104,CVE-2021-44832,CVE-2021-3100,CVE-2022-33915). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi… ∗∗∗ Security Bulletin: Vulnerabilities in the Java JDK affect IBM Event Streams (CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21294, CVE-2022-21293, CVE-2022-21291, CVE-2022-21248) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-ja… ∗∗∗ Security Bulletin: Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-lodash… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may be affected by multiple vulnerabilities in open source components (CVE-2019-0820, CVE-2020-15522, CVE-2021-43569) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in Apache Struts library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-31805) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability (CVE-2021-39074) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – October 2021 & January 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K01311313: Linux kernel vulnerability CVE-2021-3612 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01311313 ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2022/06/long-term-support-channel-upda… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2022
by Daily end-of-shift report 27 Jun '22

27 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-06-2022 18:00 − Montag 27-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake copyright infringement emails install LockBit ransomware ∗∗∗ --------------------------------------------- LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-copyright-infringement-… ∗∗∗ Clever phishing method bypasses MFA using Microsoft WebView2 apps ∗∗∗ --------------------------------------------- A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victims authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypas… ∗∗∗ NetSec Goggle shows search results only from cybersecurity sites ∗∗∗ --------------------------------------------- A new Brave Search Goggle modifies Brave Search results to only show reputable cybersecurity sites, making it easier to search for and find security information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netsec-goggle-shows-search-r… ∗∗∗ LockBit 3.0 introduces the first ransomware bug bounty program ∗∗∗ --------------------------------------------- The LockBit ransomware operation has released LockBit 3.0, introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-fi… ∗∗∗ Malicious Code Passed to PowerShell via the Clipboard, (Sat, Jun 25th) ∗∗∗ --------------------------------------------- Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting. --------------------------------------------- https://isc.sans.edu/diary/rss/28784 ∗∗∗ Encrypted Client Hello: Anybody Using it Yet?, (Mon, Jun 27th) ∗∗∗ --------------------------------------------- The first payload sent by a TLS client to a TLS server is a "Client Hello." It includes several parameters supported by the client, such as available cipher suites, to start negotiating a compatible set of TLS parameters with the server. --------------------------------------------- https://isc.sans.edu/diary/rss/28792 ∗∗∗ Ransomware-Gang Conti schließt Leak- und Verhandlungsplattform ∗∗∗ --------------------------------------------- Die Conti-Gruppe hinter dem gleichnamigen Erpressungstrojaner finalisiert ihren Rückzug und teilt sich weiter in kleinere Gangs auf. --------------------------------------------- https://heise.de/-7154035 ∗∗∗ Flut von Angriffen auf Paketmanager PyPI schleust Backdoor in Python-Pakete ein ∗∗∗ --------------------------------------------- Nachdem zunächst Sonatype einen Angriff auf fünf Pakete im Python-Paketmanager entdeckt hat, füllt sich die CVE-Schwachstellendatenbank mit weiteren Vorfällen. --------------------------------------------- https://heise.de/-7154405 ∗∗∗ Ransomware: Unternehmen im Gesundheitswesen zahlen am häufigsten Lösegeld ∗∗∗ --------------------------------------------- Verschlüsselungsangriffe haben vor allem in der Gesundheitsbranche in den vergangenen Monaten stark zugenommen. Die Daten sind bei Angreifern beliebt. --------------------------------------------- https://heise.de/-7154906 ∗∗∗ NIST Releases New macOS Security Guidance for Organizations ∗∗∗ --------------------------------------------- The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security. --------------------------------------------- https://www.securityweek.com/nist-releases-new-macos-security-guidance-orga… ∗∗∗ Vorsicht vor Fake-E-Mails der Wiener Polizei ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail der Polizei werden Sie beschuldigt, eine Straftat begangen zu haben. Es geht um Kinderpornografie, Pädophilie, Cyberpornografie und Exhibitionismus. Sie werden aufgefordert, per E-Mail eine Rechtfertigung zu schicken. Antworten Sie nicht und ignorieren Sie dieses Schreiben. Es ist Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-e-mails-der-wiener… ∗∗∗ CISA Adds Eight Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/27/cisa-adds-eight-k… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix dichtet Sicherheitslücken in Hypervisor ab ∗∗∗ --------------------------------------------- Der Hypervisor von Citrix enthält mehrere Schwachstellen. Angreifer könnten die Kontrolle übernehmen. Aktualisierte Pakete dichten die Lücken ab. --------------------------------------------- https://heise.de/-7154435 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl), Fedora (dotnet6.0, mediawiki, and python2.7), Mageia (389-ds-base, chromium-browser-stable, exo, and libtiff), Oracle (httpd:2.4 and microcode_ctl), SUSE (dbus-broker, drbd, kernel, liblouis, mariadb, openssl, openssl-1_1, openSUSE kernel modules, oracleasm, php7, php72, python39, salt, and wdiff), and Ubuntu (linux, linux-hwe, mozjs91, and vim). --------------------------------------------- https://lwn.net/Articles/899158/ ∗∗∗ Security Bulletin: Multiple Vulnerabilities found in Apache Tika used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within Jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is affected by a remote code execution in Spring Framework (CVE-2022-22963, CVE-2022-22965, CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-affect… ∗∗∗ Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation ∗∗∗ --------------------------------------------- https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-uni… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2022
by Daily end-of-shift report 24 Jun '22

24 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-06-2022 18:00 − Freitag 24-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 2FA: Wie sicher sind TOTP, Fido, SMS und Push-Apps? ∗∗∗ --------------------------------------------- Zwei- oder Multi-Faktor-Authentifizierung soll uns sicherer machen. Wir erklären, wie TOTP, Fido & Co. funktionieren und wovor sie schützen. --------------------------------------------- https://www.golem.de/news/2fa-wie-sicher-sind-totp-fido-sms-und-push-apps-2… ∗∗∗ Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys ∗∗∗ --------------------------------------------- Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. --------------------------------------------- https://thehackernews.com/2022/06/multiple-backdoored-python-libraries.html ∗∗∗ Black Basta Ransomware Becomes Major Threat in Two Months ∗∗∗ --------------------------------------------- Black Basta ransomware has become a major new threat in just a couple months. Evidence suggests it was still in development in February 2022, and only became operational in April 2022. --------------------------------------------- https://www.securityweek.com/black-basta-ransomware-becomes-major-threat-tw… ∗∗∗ There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families ∗∗∗ --------------------------------------------- Learn about the unique implementations of API Hammering malware samples and how to mitigate them. --------------------------------------------- https://unit42.paloaltonetworks.com/api-hammering-malware-families/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer nutzen kontinuierlich Log4Shell-Lücke in VMware Horizon aus ∗∗∗ --------------------------------------------- Die Cybersecurity & Infrastructure Security Agency warnt vor Attacken auf die Virtualisierungslösung VMware Horizon. Admins sollten zügig handeln. --------------------------------------------- https://heise.de/-7152258 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ntfs-3g and ntfs-3g-system-compression), SUSE (389-ds, chafa, containerd, mariadb, php74, python3, salt, and xen), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/898925/ ∗∗∗ Codesys Patches 11 Flaws Likely Affecting Controllers From Several ICS Vendors ∗∗∗ --------------------------------------------- Codesys this week announced patches for nearly a dozen vulnerabilities discovered in the company’s products by researchers at Chinese cybersecurity firm NSFocus. --------------------------------------------- https://www.securityweek.com/codesys-patches-11-flaws-likely-affecting-cont… ∗∗∗ ZDI-22-872: DevExpress SafeBinaryFormatter Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-872/ ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2022-22389) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics (CVE-2020-4230,CVE-2020-4135,CVE-2020-4204,CVE-2020-4200) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2019-10086, CVE-2021-41617) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities due to the consumed Expat library ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-mu… ∗∗∗ Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an information leak vulnerability within Kafka (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in zlib affects IBM Common Inventory Technology (CIT). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-zlib-a… ∗∗∗ Security Bulletin: CVE-2020-35550 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-35550-may-affect… ∗∗∗ K26314875: Apache vulnerability CVE-2022-26377 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26314875 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-upd… ∗∗∗ OFFIS DCMTK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-174-01 ∗∗∗ Yokogawa STARDOM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-01 ∗∗∗ Yokogawa CAMS for HIS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-02 ∗∗∗ Secheron SEPCOS Control and Protection Relay ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-03 ∗∗∗ Pyramid Solutions EtherNet/IP Adapter Development Kit ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-04 ∗∗∗ Elcomplus SmartICS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2022
by Daily end-of-shift report 23 Jun '22

23 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-06-2022 18:00 − Donnerstag 23-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti ransomware hacking spree breaches over 40 orgs in a month ∗∗∗ --------------------------------------------- The Conti cybercrime syndicate runs one of the most aggressive ransomware operations and has grown highly organized, to the point that affiliates were able to hack more than 40 companies in a little over a month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-hacking-spr… ∗∗∗ Malicious Windows LNK attacks made easy with new Quantum builder ∗∗∗ --------------------------------------------- Malware researchers have noticed a new tool that helps cybercriminals build malicious .LNK files to deliver payloads for the initial stages of an attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attack… ∗∗∗ The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs ∗∗∗ --------------------------------------------- We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks. --------------------------------------------- https://securelist.com/modern-ransomware-groups-ttps/106824/ ∗∗∗ Understanding the Compound File Binary Format and OLE Structures to Mess with CVE-2022-30190 ∗∗∗ --------------------------------------------- Initially, I began this research to generate weaponized RTF files delivering the CVE-2022-30190(Follina) exploit. --------------------------------------------- https://cymulate.com/blog/cve-2022-30190-2/ ∗∗∗ Miracle - One Vulnerability To Rule Them All ∗∗∗ --------------------------------------------- As mentioned in Jang blog, We (me and Jang) found a mega 0-day. After April Critical Patch, finally the vulnerability was patched properly. If you never known about this vulnerability, please patch your system ASAP! --------------------------------------------- https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3a… ∗∗∗ Vorsicht vor betrügerischen „Remote Jobs“ auf LinkedIn ∗∗∗ --------------------------------------------- “Work from Home Jobs No Experience Required” – von zuhause aus arbeiten, dabei bis zu 2.000€ pro Woche verdienen und das alles ohne Berufserfahrung? Laut der massenhaft geschaltenen Stellenanzeigen von KADANSE ist das möglich. Was nicht erwähnt wird: Für diesen scheinbar lukrativen Job müssen Sie erst Geld bezahlen, der Job existiert so nicht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-remote-… ∗∗∗ Schwachstellen in Programmierschnittstellen ∗∗∗ --------------------------------------------- Weltweit sind 4,1 bis 7,5 Prozent der Cybersecurity-Vorfälle und -schäden auf Schwachstellen in Programmierschnittstellen (Application Programming Interfaces, APIs) zurückzuführen und verursachen Kosten in Milliardenhöhe. --------------------------------------------- https://www.zdnet.de/88402008/schwachstellen-in-programmierschnittstellen/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-22 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Engineering Lifecycle Management, WebSphere Liberty, CICS Transaction Gateway, Watson Knowledge Catalog for IBM Cloud Pak for Data, IBM Robotic Process Automation, IBM Tivoli Business Service Manager, IBM MQ Internet Pass-Thru, IBM Cognos Analytics, IBM Sterling Global Mailbox. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Synology: Aktualisierte Firmware dichtet Sicherheitslecks in Routern ab ∗∗∗ --------------------------------------------- In Firmware von Synology-Geräten hat der Hersteller Sicherheitslücken gefunden. Angreifer könnten unter anderem unberechtigt auf Dateien zugreifen. --------------------------------------------- https://heise.de/-7151202 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firejail, and request-tracker4), Fedora (ghex, golang-github-emicklei-restful, and openssl1.1), Oracle (postgresql), Scientific Linux (postgresql), Slackware (openssl), SUSE (salt and tor), and Ubuntu (apache2 and squid, squid3). --------------------------------------------- https://lwn.net/Articles/898720/ ∗∗∗ Cisco Adaptive Security Device Manager and Adaptive Security Appliance Software Client-side Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ K55051330: Intel BIOS vulnerability CVE-2021-33123 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55051330 ∗∗∗ K87351324: Intel BIOS vulnerability CVE-2021-33124 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87351324 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2022
by Daily end-of-shift report 22 Jun '22

22 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-06-2022 18:00 − Mittwoch 22-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign ∗∗∗ --------------------------------------------- A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021. --------------------------------------------- https://thehackernews.com/2022/06/newly-discovered-magecart.html ∗∗∗ Du kommst hier nicht rein: Adobes PDF-Tools blockieren Antivirenschutz ∗∗∗ --------------------------------------------- Adobe Acrobat und Reader legen einen Registry-Eintrag an. Dieser hält über Chromiums libcef.dll Sicherheitsprogramm-DLLs aus den PDF-Programmen fern. --------------------------------------------- https://heise.de/-7147804 ∗∗∗ Sharehoster Mega: Sicherheitsforscher entschlüsseln eigentlich geschützte Daten ∗∗∗ --------------------------------------------- Eine problematische Kryptografie-Implementierung kann verschlüsselte Dateien für den Betreiber oder Angreifer lesbar machen. --------------------------------------------- https://heise.de/-7148227 ∗∗∗ Machen Sie mit bei unserer Studie zum Fake-Shop-Detector! ∗∗∗ --------------------------------------------- Fake-Shops stellen Konsument:innen vor große Herausforderungen: Sie werden immer zahlreicher und sind gleichzeitig schwieriger zu erkennen. Um das Einkaufen im Internet sicherer zu machen, haben wir den Fake-Shop Detector entwickelt. --------------------------------------------- https://www.watchlist-internet.at/news/machen-sie-mit-bei-unserer-studie-zu… ∗∗∗ Keeping PowerShell: Measures to Use and Embrace ∗∗∗ --------------------------------------------- Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell. The CIS provides recommendations for proper configuration and monitoring of PowerShell, as opposed to removing or disabling it entirely due to its use by malicious actors after gaining access into victim networks. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/22/keeping-powershel… ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: Google schließt 14 Sicherheitslücken in Chrome ∗∗∗ --------------------------------------------- Mit dem Sprung auf das 103er-Release dichtet Google im Webbrowser Chrome 14 Schwachstellen ab. Auch für Android und iOS steht die neue Version bereit. --------------------------------------------- https://heise.de/-7147522 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exo and ntfs-3g), Fedora (collectd, golang-github-cli-gh, grub2, qemu, and xen), Red Hat (httpd:2.4, kernel, and postgresql), SUSE (drbd, fwupdate, neomutt, and trivy), and Ubuntu (apache2, openssl, openssl1.0, and qemu). --------------------------------------------- https://lwn.net/Articles/898605/ ∗∗∗ JTEKT TOYOPUC ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-172-02 ∗∗∗ VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/142546 ∗∗∗ Security Bulletin: June 2022 :Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-june-2022-multiple-vulner… ∗∗∗ Security Bulletin: A vulnerability (CVE-2021-35550) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-cve-2021-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) OpenSSL vulnerability CVE-2021-4044 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-team-concert-rtc… ∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2022-22475, CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized sensitive information access due to IBM Java vulnerability (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Watson Explorer (CVE-2022-22971, CVE-2022-22968, CVE-2022-22970) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server January 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized data access due to IBM Java (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Watson Explorer (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface has multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2022 – Includes Oracle® January 2022 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ K53252134: Intel BIOS vulnerability CVE-2021-0155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53252134 ∗∗∗ K16162257: Intel BIOS vulnerability CVE-2021-0154 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16162257 ∗∗∗ K14454359: Intel BIOS vulnerability CVE-2021-0153 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14454359 ∗∗∗ K04303225: Intel BIOS vulnerability CVE-2021-0190 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04303225 ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247052-bt.html ∗∗∗ PHP Vulnerability ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-20 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2022
by Daily end-of-shift report 21 Jun '22

21 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 20-06-2022 18:00 − Dienstag 21-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New DFSCoerce NTLM Relay attack allows Windows domain takeover ∗∗∗ --------------------------------------------- A new Windows NTLM relay attack called DFSCoerce has been discovered that uses MS-DFSNM, Microsofts Distributed File System, to completely take over a Windows domain. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-at… ∗∗∗ APT ToddyCat ∗∗∗ --------------------------------------------- ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’. --------------------------------------------- https://securelist.com/toddycat/106799/ ∗∗∗ Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack ∗∗∗ --------------------------------------------- A reported a "potentially dangerous piece of functionality" allows an attacker to launch an attack on cloud infrastructure and ransom files stored in SharePoint and OneDrive. --------------------------------------------- https://threatpost.com/office-365-opens-ransomware-attacks-on-onedrive-shar… ∗∗∗ Bestellen Sie nicht bei funkelnmarkt.de ∗∗∗ --------------------------------------------- Der Online-Shop funkelnmarkt.de bietet Laptops, Waschmaschinen, Konsolen und Co. Die Preise sind teilweise etwas günstiger als bei anderen Shops und die Webseite wirkt professionell. Grund genug dort zu bestellen. Oder? Lieber nicht! Wenn Sie dort bestellen, erhalten Sie keine Ware und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-funkelnmarkt… ===================== = Vulnerabilities = ===================== ∗∗∗ Icefall: 56 flaws impact thousands of exposed industrial devices ∗∗∗ --------------------------------------------- A security report has been published on a set of 56 vulnerabilities that are collectively called Icefall and affect operational technology (OT) equipment used in various critical infrastructure environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thou… ∗∗∗ OpenSSL Security Advisory [21 June 2022] ∗∗∗ --------------------------------------------- When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. --------------------------------------------- https://openssl.org/news/secadv/20220621.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tzdata), Oracle (cups), and SUSE (atheme, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, node_exporter, python36, release-notes-susemanager, release-notes-susemanager-proxy, SUSE Manager 4.1.15 Release Notes, SUSE Manager Client Tools, and SUSE Manager Server 4.2). --------------------------------------------- https://lwn.net/Articles/898504/ ∗∗∗ SSA-111512: Client-side Authentication in SIMATIC WinCC OA ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-111512.txt ∗∗∗ ABB Security Advisory: ABB Relion REX640 Insufficient file access control ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001421 ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Flaw in Go may affect DataPower Operator (CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-flaw-in-go-may-affect-dat… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM DataPower Operator affected by flaw in Go (CVE-2022-23773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-af… ∗∗∗ Security Bulletin: IBM Spectrum Symphony is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-symphony-is-… ∗∗∗ Security Bulletin: IBM Spectrum Conductor is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-conductor-is… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM DataPower Operator potentially vulnerable to Denial of Service (CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-po… ∗∗∗ Security Bulletin: IBM QRadar Wincollect agent is vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-age… ∗∗∗ Security Bulletin: DataPower Operator vulnerable to a Denial of Service (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datapower-operator-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a postgresql-42.0.0.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a mongodb-driver-legacy-4.1.1.jar vulnerability (CVE-2021-20328) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ PHOENIX CONTACT: Missing Authentication in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-028/ ∗∗∗ PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-026/ ∗∗∗ PHOENIX CONTACT: Vulnerability in classic line industrial controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-025/ ∗∗∗ WEIDMUELLER: EtherNet/IP Fieldbus Coupler out-of-bounds write ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-004/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2022
by Daily end-of-shift report 20 Jun '22

20 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-06-2022 18:00 − Montag 20-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Kritische CVE-2022-20825 in Cisco Small-Business-Routern wird nicht gefixt ∗∗∗ --------------------------------------------- In den Small-Business-Routern RV110W, RV130, RV130W und RV215W gibt es eine kritische Schwachstelle CVE-2022-20825, die mit dem CVE-Wert von 9.8 bewertet wurde. Auf Grund einer fehlenden Authentifizierung ermöglicht die Schwachstelle sowohl eine Remote Command Execution als auch Denial of Service-Angriffe. --------------------------------------------- https://www.borncity.com/blog/2022/06/20/kritische-cve-2022-20825-in-cisco-… ∗∗∗ New phishing attack infects devices with Cobalt Strike ∗∗∗ --------------------------------------------- Security researchers have noticed a new malicious spam campaign that delivers the Matanbuchus malware to drop Cobalt Strike beacons on compromised machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-attack-infects-… ∗∗∗ Android-wiping BRATA malware is evolving into a persistent threat ∗∗∗ --------------------------------------------- The threat actors operating the BRATA banking trojan have evolved their tactics and incorporated new information-stealing features into their malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware… ∗∗∗ Decoding Obfuscated BASE64 Statistically ∗∗∗ --------------------------------------------- In diary entry "Houdini is Back Delivered Through a JavaScript Dropper", Xavier mentions that he had to deal with an obfuscated BASE64 string. --------------------------------------------- https://isc.sans.edu/diary/rss/28758 ∗∗∗ The Importance of White-Box Testing: A Dive into CVE-2022-21662 ∗∗∗ --------------------------------------------- When CVE-2022-21662 came out there wasn’t a much-published material regarding this vulnerability. I want to take some time to explain the importance of using a white-box approach when testing applications for vulnerabilities. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-importa… ∗∗∗ Cerber2021 Ransomware Back in Action ∗∗∗ --------------------------------------------- In December 2021, researchers identified a new version of Cerber ransomware targeting both Linux and Windows users. In this infection, Cerber2021 was delivered by targeting the vulnerabilities in the Confluence and Gitlab servers. These vulnerabilities are tracked as CVE-2021-26084 and CVE-2021-22205, respectively. --------------------------------------------- https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/ ∗∗∗ Europol-Masche: Neue Welle betrügerischer Anrufe ∗∗∗ --------------------------------------------- Die Telefonbetrugsmasche, bei der sich die Kriminellen als Ermittlungsbehörde ausgeben, ist nicht neu. Dennoch rollt aktuell wieder eine Welle solcher Anrufe. --------------------------------------------- https://heise.de/-7146013 ∗∗∗ Erpressung per E-Mail: Hacker fordert die Überweisung von Bitcoins ∗∗∗ --------------------------------------------- Sie haben ein E-Mail von einem Hacker bekommen? Er schreibt, dass er Ihren Computer gehackt hat und Sie beim Masturbieren gefilmt hat? Er droht damit das Video zu verbreiten, wenn Sie keine Bitcoins überweisen? Im E-Mail wird sogar eines Ihrer Passwörter genannt? Machen Sie sich keine Sorgen! Dieses E-Mail ist Fake. Lassen Sie sich nicht erpressen und überweisen Sie keinesfalls Bitcoins. Ändern Sie aber umgehend Ihr Passwort! --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-per-e-mail-hacker-fordert… ∗∗∗ Azure Attack Paths: Common Findings and Fixes (Part 1) ∗∗∗ --------------------------------------------- This post will walk through various services within the Azure catalogue and look at potential attack paths. --------------------------------------------- https://blog.zsec.uk/azure-fundamentals-pt1/ ===================== = Vulnerabilities = ===================== ∗∗∗ AWS: Amazon-Hotpatch für log4j-Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- In einem Skript zum Absichern vor der log4j-Lücke von Amazon findet sich eine Sicherheitslücke. Angreifer könnten ihre Rechte damit ausweiten. --------------------------------------------- https://heise.de/-7145383 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cyrus-imapd, exo, sleuthkit, slurm-wlm, vim, and vlc), Fedora (golang-github-docker-libnetwork, kernel, moby-engine, ntfs-3g-system-compression, python-cookiecutter, python2.7, python3.6, python3.7, python3.8, python3.9, rubygem-mechanize, and webkit2gtk3), Mageia (bluez, dnsmasq, exempi, halibut, and php), Oracle (.NET 6.0, .NET Core 3.1, and xz), SUSE (chafa, firejail, kernel, python-Twisted, and tensorflow2), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/898413/ ∗∗∗ Security Advisory - Input Verification Vulnerability Involving Huawei Printer Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220620-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due to Apache Log4j (CVE-2021-44228). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due To Apache Log4j (CVE-2021-4104). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: Potential module resolution error in DataPower Operator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-module-resoluti… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: StoredIQ is vulnerable to denial of service and remote code execution in Apache Log4j (CVE-2021-44228, CVE-2021-45046). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM QRadar WinCollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-is-… ∗∗∗ Security Bulletin: Potential Denial of Service in IBM DataPower Gateway (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-denial-of-servi… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to json-schema (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics for Communications Service Providers and Datasets Impacted by Log4j Vulnerabilities ( CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-analytic-accelerator-… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, Eclipse Jetty, and OpenJDK affect IBM Cloud Object Storage Systems (June 2022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: Cúram Social Program Management is affected by session timeout issues (CVE-2022-22318, CVE-2022-22317) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980) ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/06/20/spring-data-mongodb-spel-expression-injec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2022
by Daily end-of-shift report 17 Jun '22

17 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-06-2022 18:00 − Freitag 17-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Security: Github informiert über Malware im Open-Source-Ökosystem ∗∗∗ --------------------------------------------- Nicht nur Sicherheitslücken machen Open-Source-Software anfällig. Auch Malware bereitet viele Probleme, die Github jetzt sammeln möchte. --------------------------------------------- https://www.golem.de/news/security-github-informiert-ueber-malware-im-open-… ∗∗∗ Zügig aktualisieren: Angreifer könnten Citrix ADM übernehmen ∗∗∗ --------------------------------------------- In Citrix Application Delivery Management-Software könnten Angreifer aus dem Netz eine Sicherheitslücke ausnutzen. Sie können damit volle Kontrolle erlangen. --------------------------------------------- https://heise.de/-7142301 ∗∗∗ NAS: Qnap warnt vor Angriffswelle mit DeadBolt-Ransomware ∗∗∗ --------------------------------------------- Der Hersteller Qnap warnt vor derzeit laufenden Angriffen auf die NAS-Systeme mit der DeadBolt-Ransomware. Administratoren sollen den Update-Stand überprüfen. --------------------------------------------- https://heise.de/-7144383 ∗∗∗ Kritische Sicherheitslücke in WordPress-Plug-in Ninja Forms behoben ∗∗∗ --------------------------------------------- WordPress-Admins, die das Plug-in Ninja Forms einsetzen, sollten unverzüglich dessen Aktualität sicherstellen. Angreifer könnten sonst eigenen Code ausführen. --------------------------------------------- https://heise.de/-7143515 ∗∗∗ Zahlreiche betrügerische Nachrichten im Namen der Post im Umlauf! ∗∗∗ --------------------------------------------- Sie warten auf ein Paket. Plötzlich werden Sie per SMS oder E-Mail benachrichtigt, dass es ein Problem mit Ihrer Lieferung gäbe. Immer wieder berichten wir von dieser Betrugsmasche, bei der Kriminelle willkürlich Nachrichten versenden und behaupten, dass ein Paket nicht geliefert werden könnte. Wer tatsächlich gerade auf ein Paket wartet, kann leicht in diese Falle tappen. Meist wollen die Kriminellen an Ihre Kreditkartendaten oder an Ihr Geld. Dieses Mal wird aber auch versucht Ihr Post-Konto zu kapern. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-nachrichte… ∗∗∗ Anatomie eines Hive Ransomware-Angriffs auf Exchange per ProxyShell ∗∗∗ --------------------------------------------- Häufig bleiben ja die Details einer Ransomware-Infektion für Außenstehende im Dunkeln. Mir ist diese Woche eine Information vom Sicherheitsdienstleister Varonis zugegangen, deren Sicherheitsteam den Ablauf eines Angriffs mit der Hive-Ransomware aufbereitet haben. --------------------------------------------- https://www.borncity.com/blog/2022/06/17/anatomie-eines-hive-ransomware-ang… ∗∗∗ Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike ∗∗∗ --------------------------------------------- The threat actor known as Blue Mockingbird has been observed by analysts targeting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-o… ∗∗∗ New MaliBot Android banking malware spreads as a crypto miner ∗∗∗ --------------------------------------------- Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malibot-android-banking-… ∗∗∗ Facebook Messenger Scam Duped Millions ∗∗∗ --------------------------------------------- One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting. --------------------------------------------- https://threatpost.com/acebook-messenger-scam/179977/ ∗∗∗ WooCommerce Credit Card Skimmer Uses Telegram Bot to Exfiltrate Stolen Data ∗∗∗ --------------------------------------------- Our story starts like many others told on this blog: A new client came to us with reported cases of credit card theft on their eCommerce website. The website owner had received complaints from several customers who reported bogus transactions on their cards shortly after purchasing from their webstore, so the webmaster suspected that something could be amiss. --------------------------------------------- https://blog.sucuri.net/2022/06/woocommerce-credit-card-skimmer-uses-telegr… ∗∗∗ Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning ∗∗∗ --------------------------------------------- For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra. --------------------------------------------- https://thehackernews.com/2022/06/difference-between-agent-based-and.html ∗∗∗ Details of Twice-Patched Windows RDP Vulnerability Disclosed ∗∗∗ --------------------------------------------- Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches. --------------------------------------------- https://www.securityweek.com/details-twice-patched-windows-rdp-vulnerabilit… ∗∗∗ DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach ∗∗∗ --------------------------------------------- [...] This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature. --------------------------------------------- https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-fire… ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Vulnerability Reported in Popular Fastjson Library ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType." --------------------------------------------- https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html ∗∗∗ IBM Security Bulletins 2022-06-15 - 2022-06-16 ∗∗∗ --------------------------------------------- IBM Spectrum Protect Server, IBM Disconnected Log Collector, IBM Cloud Application Business Insights, IBM Tivoli Application Dependency Discovery Manager, IBM CICS TX Advanced, IBM Analytic Accelerator Framework, IBM Customer and Network Analytics, IBM QRadar SIEM, IBM QRadar Use Case Manager App, Rational Test Virtualization Server and Rational Test Workbench, IBM Robotic Process Automation, IBM Security QRadar Event and Flow Exporter App, IBM WebSphere Application Server Liberty, IBM TXSeries, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Java Runtime, ISC BIND and IBM HTTP Server. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-06-15 ∗∗∗ --------------------------------------------- Cisco published 7 Security Advisories (2 Critical, 1 High, 4 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Kritische Lücke mit Höchstwertung in Smart-Home-Zentrale Anker Eufy Homebase 2 ∗∗∗ --------------------------------------------- Angreifer könnten sich über drei Sicherheitslücken in Eufy Homebase 2 Zugang zum Smart Home verschaffen. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-7143710 ∗∗∗ VMSA-2022-0017 ∗∗∗ --------------------------------------------- VMware HCX update addresses an information disclosure vulnerability (CVE-2022-22953) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/898121/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, [...] --------------------------------------------- https://lwn.net/Articles/898234/ ∗∗∗ Hillrom Medical Device Management ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Hard-coded Password, and Improper Access Control vulnerability in Welch Allyn resting electrocardiograph devices. Hillrom Medical. Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-167-01 ∗∗∗ AutomationDirect C-More EA9 HMI ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Search Path Element, Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-01 ∗∗∗ AutomationDirect DirectLOGIC with Serial Communication ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in DirectLOGIC programmable controllers with serial communication. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-02 ∗∗∗ AutomationDirect DirectLOGIC with Ethernet ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Resource Consumption, and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect DirectLOGIC programmable logic Ethernet controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.06.2022
by Daily end-of-shift report 15 Jun '22

15 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-06-2022 18:00 − Mittwoch 15-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft 365 Apps for enterprise v2206 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the release of the recommended security configuration baseline settings for Microsoft 365 Apps for enterprise, version 2206. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers ∗∗∗ --------------------------------------------- A new Golang-based peer-to-peer (P2P) botnet has been spotted actively targeting Linux servers in the education sector since its emergence in March 2022. --------------------------------------------- https://thehackernews.com/2022/06/panchan-new-golang-based-peer-to-peer.html ∗∗∗ TPM Sniffing Attacks Against Non-Bitlocker Targets ∗∗∗ --------------------------------------------- Last year, during an uptick in media attention for Trusted Platform Module (TPM) security triggered by a blog post from the Dolos Group describing a sniffing attack on Windows Bitlocker relying on a TPM, a customer asked us to investigate their TPM-based Full Disk Encryption (FDE) set up in light of this type of attack. --------------------------------------------- https://www.secura.com/blog/tpm-sniffing-attacks-against-non-bitlocker-targ… ∗∗∗ Bypassing CSP with dangling iframes ∗∗∗ --------------------------------------------- Our Web Security Academy has a topic on dangling markup injection - a technique for exploiting sites protected by CSP. --------------------------------------------- https://portswigger.net/research/bypassing-csp-with-dangling-iframes ∗∗∗ A tiny botnet launched the largest DDoS attack on record ∗∗∗ --------------------------------------------- A small but powerful army of just 5,000 devices generated a record-breaking web attack. --------------------------------------------- https://www.zdnet.com/article/a-tiny-botnet-launched-the-largest-ddos-attac… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix warns critical bug can let attackers reset admin passwords ∗∗∗ --------------------------------------------- Citrix warned customers to deploy security updates that address a critical Citrix Application Delivery Management (ADM) vulnerability that can let attackers reset admin passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/citrix-warns-critical-bug-ca… ∗∗∗ Patchday: Updates bessern zehn SAP-Schwachstellen aus ∗∗∗ --------------------------------------------- Am Juni-Patchday hat SAP zehn Sicherheitslücken geschlossen. Für zwei ältere Sicherheitsmeldungen aktualisiert der Hersteller die Sicherheitsmeldungen. --------------------------------------------- https://heise.de/-7141579 ∗∗∗ Patchday: Microsoft schließt MSDT-Lücke, die auch ohne Makros funktioniert ∗∗∗ --------------------------------------------- Windows ist unter anderem über Word verwundbar, wobei auch RTF-Formate genutzt werden können. Aber auch Azure, Edge & Co. bekommen wichtige Sicherheitsupdates. --------------------------------------------- https://heise.de/-7141070 ∗∗∗ Patchday Adobe: Schadcode-Lücken in InDesign, Illustrator & Co. geschlossen ∗∗∗ --------------------------------------------- Mehrere Adobe-Anwendungen sind über als kritisch eingestufte Schwachstellen attackierbar. Sicherheitsupdates schaffen Abhilfe. --------------------------------------------- https://heise.de/-7141175 ∗∗∗ Sicherheitslücke Hertzbleed: x86-Prozessortaktung verrät Geheimnisse ∗∗∗ --------------------------------------------- Ein Forscherteam belauscht kryptografische Berechnungen auf modernen x86-CPUs anhand charakteristischer Taktfrequenzänderungen. --------------------------------------------- https://heise.de/-7141221 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (.NET 6.0 and log4j), SUSE (389-ds, grub2, kernel, openssl-1_1, python-Twisted, webkit2gtk3, and xen), and Ubuntu (php7.2, php7.4, php8.0, php8.1 and util-linux). --------------------------------------------- https://lwn.net/Articles/897992/ ∗∗∗ Critical Code Execution Vulnerability Patched in Splunk Enterprise ∗∗∗ --------------------------------------------- Splunk this week announced the release of out-of-band patches that address multiple vulnerabilities across Splunk Enterprise, including a critical issue that could lead to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/critical-code-execution-vulnerability-patched-… ∗∗∗ Schneider Electric Advisories 2022-06-15 ∗∗∗ --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Security Bulletin: IBM Financial Transaction Manager for Digital Payments for Multi-Platform is vulnerable to SQL injection. (CVE-2019-4575) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-financial-transaction… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2022-28327 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Netcool Operations Insight v1.6.4 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential Cross-Site Scripting (Reflected) vulnerability (CVE-2020-4560) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerabilities in Java affects IBM Cloud Application Business Insights – Quaterly Java update, CVE-2021-35603 and CVE-2021-35550 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-a… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2022-24675 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Financial Transaction Manager for Digital Payments is affected by a potential SQL Injection CVE-2020-4328 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ VMSA-2022-0016 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0016.html ∗∗∗ AUMA: SIMA² Master Station Denial of Service Vulnerability on Automation Runtime Webserver ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-024/ ∗∗∗ Johnson Controls Metasys ADS ADX OAS Servers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-01 ∗∗∗ Hardkodierte Backdoor Benutzer und veraltete Software Komponenten in der Nexans FTTO GigaSwitch Serie ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/nexans-ftto-gigaswitc… ∗∗∗ Synaptics Fingerprint Driver Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500494-SYNAPTICS-FINGERPRINT-D… ∗∗∗ Intel Processors MMIO Stale Data Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500497-INTEL-PROCESSORS-MMIO-S… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.06.2022
by Daily end-of-shift report 14 Jun '22

14 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 13-06-2022 18:00 − Dienstag 14-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ The many lives of BlackCat ransomware ∗∗∗ --------------------------------------------- The use of an unconventional programming language, multiple target devices and possible entry points, and affiliation with prolific threat activity groups have made the BlackCat ransomware a prevalent threat and a prime example of the growing ransomware-as-a-service (RaaS) gig economy. --------------------------------------------- https://www.microsoft.com/security/blog/2022/06/13/the-many-lives-of-blackc… ∗∗∗ Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter thats being purchased by cyber criminals to deliver remote access trojans (RATs) and information stealers. --------------------------------------------- https://thehackernews.com/2022/06/researchers-detail-purecrypter-loader.html ∗∗∗ Public Travis CI Logs (Still) Expose Users to Cyber Attacks ∗∗∗ --------------------------------------------- In our latest research, we at Team Nautilus found that tens of thousands of user tokens are exposed via the Travis CI API, which allows anyone to access historical clear-text logs. More than 770 million logs of free tier users are available. --------------------------------------------- https://blog.aquasec.com/travis-ci-security ∗∗∗ Sicherheitslücke im Apple M1 Chip: Pacman-Attacke umgeht Schutzschicht ∗∗∗ --------------------------------------------- Angriffe auf den M1-Prozessor sind durch ein Zusammenspiel von Hard- und Software möglich. Apple sieht allerdings keine unmittelbare Gefahr. --------------------------------------------- https://heise.de/-7140316 ∗∗∗ Vorsicht vor gefälschten Zahlungsaufforderungen per WhatsApp ∗∗∗ --------------------------------------------- Ihre Chefin bittet Sie, eine Rechnung zu begleichen. Sie fragen nach den Details und bekommen die Rechnung mit Zahlungsanweisungen zugesendet. Sie überweisen. Erst später bemerken Sie, dass es gar nicht Ihre Chefin war – sondern Kriminelle. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-zahlungsau… ∗∗∗ Internet Explorer 11 erreicht am 15. Juni 2022 End-of-Life (EOL) ∗∗∗ --------------------------------------------- Noch eine kurze Information an die Blog-Leserschaft, die ggf. noch den Internet Explorer 11 von Microsoft unter Windows im Einsatz haben. Zum heutigen Patchday, 14. Juni 2022, erhält der Browser letztmalig Sicherheitsupdates für verschiedene Windows-Versionen und fällt dann (zum 15. Juni 2022) aus dem Support. --------------------------------------------- https://www.borncity.com/blog/2022/06/14/internet-explorer-11-erreicht-am-1… ∗∗∗ CHM Malware Types with Anti-Sandbox Technique and Targeting Companies ∗∗∗ --------------------------------------------- Among CHM strains that are recently being distributed in Korea, the ASEC analysis team has discovered those applied with the anti-sandbox technique and targeting companies. --------------------------------------------- https://asec.ahnlab.com/en/35268/ ∗∗∗ NPM Replicator Remote Code Execution Deserialization ∗∗∗ --------------------------------------------- NPM, the package manager for Node.js, is an open source project that serves as a critical part of the JavaScript community and helps support one of the largest developer ecosystems. --------------------------------------------- https://checkmarx.com/blog/npm-replicator-remote-code-execution-deserializa… ∗∗∗ Supply Chain Attack: CTX Account Takeover and PHPass Hijack Explained ∗∗∗ --------------------------------------------- A threat actor recently hacked a popular PyPi repo on GitHub, setting off a supply chain attack that could have impacted millions of users. --------------------------------------------- https://orca.security/resources/blog/python-supply-chain-attack-ctx-phpass/ ∗∗∗ SynLapse – Technical Details for Critical Azure Synapse Vulnerability ∗∗∗ --------------------------------------------- Recently, the Orca Security research team discovered SynLapse, a tenant separation violation vulnerability in the Microsoft Azure Synapse environment. --------------------------------------------- https://orca.security/resources/blog/synlapse-critical-azure-synapse-analyt… ===================== = Vulnerabilities = ===================== ∗∗∗ New Zimbra Email Vulnerability Could Let Attackers Steal Your Login Credentials ∗∗∗ --------------------------------------------- A new high-severity vulnerability has been disclosed in the Zimbra email suite that, if successfully exploited, enables an unauthenticated attacker to steal cleartext passwords of users sans any user interaction. --------------------------------------------- https://thehackernews.com/2022/06/new-zimbra-email-vulnerability-could.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang-github-docker-libnetwork and moby-engine), Mageia (apache, docker-containerd, kernel, kernel-linus, nats-server, and php-smarty), Slackware (php), SUSE (gimp, grub2, thunderbird, u-boot, and xen), and Ubuntu (firefox, liblouis, ncurses, and rsync). --------------------------------------------- https://lwn.net/Articles/897847/ ∗∗∗ JM-DATA ONU JF511-TV Multiple Remote Vulnerabilities ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5708.php ∗∗∗ SSA-988345 V1.0: Local Privilege Escalation Vulnerability in Xpedition Designer ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-988345.txt ∗∗∗ SSA-911567 V1.0: Missing HTTP headers in SINEMA Remote Connect Server before V3.0 SP2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-911567.txt ∗∗∗ SSA-740594 V1.0: Privilege Escalation Vulnerability in Mendix SAML Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-740594.txt ∗∗∗ SSA-712929 V1.0: Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-712929.txt ∗∗∗ SSA-693555 V1.0: Memory Corruption Vulnerability in EN100 Ethernet Module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-693555.txt ∗∗∗ SSA-685781 V1.0: Multiple Vulnerabilities in Apache HTTP Server Affecting Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-685781.txt ∗∗∗ SSA-631336 V1.0: Multiple Web Server Vulnerabilities in SICAM GridEdge Software ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-631336.txt ∗∗∗ SSA-484086 V1.0: Multiple Vulnerabilities in SINEMA Remote Connect Server before V3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-484086.txt ∗∗∗ SSA-401167 V1.0: Cross-site scripting Vulnerability in Teamcenter Active Workspace ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-401167.txt ∗∗∗ SSA-388239 V1.0: Default Password Leakage affecting the Component Shared HIS used in Spectrum Power Systems ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-388239.txt ∗∗∗ SSA-330556 V1.0: PwnKit Vulnerability in SCALANCE LPE9403 and SINUMERIK Edge Products (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-330556.txt ∗∗∗ SSA-222547 V1.0: Third-Party Component Vulnerabilities in SCALANCE LPE9403 before V2.0 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-222547.txt ∗∗∗ SSA-220589 V1.0: Hard Coded Default Credential Vulnerability in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-220589.txt ∗∗∗ SSA-145224 V1.0: Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-145224.txt ∗∗∗ IBM Security Bulletins 2022-06-13 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ TYPO3 CORE: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://typo3.org/help/security-advisories/typo3-cms ∗∗∗ ABB Security Advisory: Link Following Local Privilege Escalation Vulnerabilities in ABB Automation Builder, Drive Composer and Mint WorkBench ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0305&Lan… ∗∗∗ Citrix Application Delivery Management Security Bulletin for CVE-2022-27511 and CVE-2022-27512 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460016/citrix-application-delivery-ma… ∗∗∗ Meridian Cooperative Meridian ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-02 ∗∗∗ Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-165-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.06.2022
by Daily end-of-shift report 13 Jun '22

13 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-06-2022 18:00 − Montag 13-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Krypto-Miner und Verschlüsselungstrojaner schlüpfen durch Confluence-Lücke ∗∗∗ --------------------------------------------- Es häufen sich Attacken auf ungepatchte Instanzen von Confluence und Data Center. Sicherheitspatches sind verfügbar. --------------------------------------------- https://heise.de/-7138563 ∗∗∗ Buchen Sie Ihr Hotel nicht über hotels-in-tyrol.com ∗∗∗ --------------------------------------------- Die Buchungsplattform hotels-in-tyrol.com vermittelt Unterkünfte in Tirol. Wir raten zur Vorsicht. Auf der Plattform gibt es weder Informationen zum Betreiber noch Kontaktdaten. Im Reiter „Über uns“ wird lediglich ein Unternehmen namens „LocalHotels Ltd“ angeführt. Wir gehen aber davon aus, dass dieses Unternehmen gar nicht existiert. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihr-hotel-nicht-ueber-hot… ∗∗∗ Massenhafte Kontenübernahme bei smarten Yunmai Waagen möglich ∗∗∗ --------------------------------------------- Vom chinesischen Hersteller Yunmai wurden auch in Deutschland smarte Körperfettwaagen angeboten. Diese lassen sich per Bluetooth mit einer App auf dem Smartphone koppeln, so dass die persönlichen Daten mehrerer Personen in persönlichen Profilen gespeichert werden können. Leider hapert es mit der Sicherheit, wie Sicherheitsexperten festgestellt haben. Das Yunmai API ermöglicht die massenhafte Kontenübernahme oder die Umgehung der Hersteller-Restriktionen. --------------------------------------------- https://www.borncity.com/blog/2022/06/11/massenhafte-kontenbernahme-bei-sma… ∗∗∗ PyPI package keep mistakenly included a password stealer ∗∗∗ --------------------------------------------- PyPI packages keep, pyanxdns, api-res-py were found to contain a password-stealer and a backdoor due to the presence of malicious request dependency within some versions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-package-keep-mistakenly… ∗∗∗ New Syslogk Linux rootkit uses magic packets to trigger backdoor ∗∗∗ --------------------------------------------- A new rootkit malware named Syslogk has been spotted in the wild, and it features advanced process and file hiding techniques that make detection highly unlikely. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-syslogk-linux-rootkit-us… ∗∗∗ EPSScall: An Exploit Prediction Scoring System App, (Fri, Jun 10th) ∗∗∗ --------------------------------------------- If you follow Cyentia Institute’s Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS Model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, mobile device, or at an enterprise level (Jacobs, 2022). --------------------------------------------- https://isc.sans.edu/diary/rss/28732 ∗∗∗ Translating Saitamas DNS tunneling messages, (Mon, Jun 13th) ∗∗∗ --------------------------------------------- Saitama is a backdoor that uses the DNS protocol to encapsulate its command and control (C2) messages - a technique known as DNS Tunneling (MITRE ATT&CK T1071). Spotted and documented by MalwareBytes in two articles posted last month (How the Saitama backdoor uses DNS tunneling and APT34 targets Jordan Government using new Saitama backdoor), Saitama was used in a phishing e-mail targeted to a government official from Jordans foreign ministry on an attack [...] --------------------------------------------- https://isc.sans.edu/diary/rss/28738 ∗∗∗ ModBus 101: One Protocol to Rule the OT World ∗∗∗ --------------------------------------------- Ever wondered how large-scale power plants monitor or control the myriad of systems that fill their environment? Have you thought about how some of the world’s greatest industrial hacks were enacted? This post will look to illuminate how one tiny legacy protocol, namely "ModBus" could help to understand just how straight forward this could be. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/modbus-101-… ∗∗∗ Smilodon Credit Card Skimming Malware Shifts to WordPress ∗∗∗ --------------------------------------------- WordPress’ massive market share has come with an unsurprising side effect: As more and more site admins turn to popular plugins like WooCommerce to turn a profit on their website and set up online stores we’ve seen a significant increase in the number of attacks targeting WordPress eCommerce sites. What’s more, bad actors are repurposing their old Magento credit card stealing malware for use against WordPress. --------------------------------------------- https://blog.sucuri.net/2022/06/smilodon-credit-card-skimming-malware-shift… ∗∗∗ MIT Researchers Discover New Flaw in Apple M1 CPUs That Cant Be Patched ∗∗∗ --------------------------------------------- A novel hardware attack dubbed PACMAN has been demonstrated against Apples M1 processor chipsets, potentially arming a malicious actor with the capability to gain arbitrary code execution on macOS systems. It leverages "speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication, a security feature that is used to enforce pointer integrity," [...] --------------------------------------------- https://thehackernews.com/2022/06/mit-researchers-discover-new-flaw-in.html ∗∗∗ Extracting Clear-Text Credentials Directly From Chromium’s Memory ∗∗∗ --------------------------------------------- Credential data (URL/username/password) is stored in Chrome’s memory in clear-text format. In addition to data that is dynamically entered when signing into specific web applications, an attacker can cause the browser to load into memory all the passwords that are stored in the password manager (“Login Data” file). --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/extracting-clear-te… ∗∗∗ Researchers: Wi-Fi Probe Requests Expose User Data ∗∗∗ --------------------------------------------- A group of academic researchers from the University of Hamburg in Germany has discovered that mobile devices leak identifying information about their owners via Wi-Fi probe requests. Mobile devices use these probe requests to receive information about nearby Wi-Fi access points and establish connections to them when a probe response is received. --------------------------------------------- https://www.securityweek.com/researchers-wi-fi-probe-requests-expose-user-d… ∗∗∗ Exposing HelloXD Ransomware and x4k ∗∗∗ --------------------------------------------- HelloXD is a ransomware family in its initial stages - but already seeking to impact organizations. We analyze samples and hunt for attribution. --------------------------------------------- https://unit42.paloaltonetworks.com/helloxd-ransomware/ ∗∗∗ GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool ∗∗∗ --------------------------------------------- A new, difficult-to-detect remote access trojan named PingPull is being used by GALLIUM, an advanced persistent threat (APT) group. --------------------------------------------- https://unit42.paloaltonetworks.com/pingpull-gallium/ ∗∗∗ Microsoft Azure Synapse Pwnalytics ∗∗∗ --------------------------------------------- [...] Synapse Analytics utilizes Apache Spark for the underlying provisioning of clusters that user code is run on. User code in these environments is run with intentionally limited privileges because the environments are managed by internal Microsoft subscription IDs, which is generally indicative of a multi-tenant environment. Tenable Research has discovered a privilege escalation flaw that allows a user to escalate privileges to that of the root user within the context of a Spark VM. We have also discovered a flaw that allows a user to poison the hosts file on all nodes in their Spark pool, which allows one to redirect subsets of traffic and snoop on services users generally do not have access to. The full privilege escalation flaw has been adequately addressed. However, the hosts file poisoning flaw remains unpatched at the time of this writing. --------------------------------------------- https://medium.com/tenable-techblog/microsoft-azure-synapse-pwnalytics-87c9… ===================== = Vulnerabilities = ===================== ∗∗∗ QTS 5.0.0-Sicherheitsupdates für QNAP-NAS Geräte (8. Juni 2022) ∗∗∗ --------------------------------------------- Kurzer Hinweis an Leser und Leserinnen, die NAS-Laufwerke von QNAP im Einsatz haben. In der QTS 5.0.0-Software gibt es in älteren Versionen gravierende Schwachstellen, die am 8. Juni 2022 mit einem Update der Firmware auf QTS 5.0.0.2055 build 20220531 beseitigt wurden. --------------------------------------------- https://www.borncity.com/blog/2022/06/11/qts-5-sicherheitsupdates-fr-qnap-n… ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329) ∗∗∗ --------------------------------------------- The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories: [...] --------------------------------------------- https://research.nccgroup.com/2022/06/10/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, containerd, kernel, ntfs-3g, and vlc), Fedora (buildah and logrotate), Red Hat (xz), and SUSE (google-gson, netty3, rubygem-sinatra, and u-boot). --------------------------------------------- https://lwn.net/Articles/897711/ ∗∗∗ Drupal Releases Security Updates ∗∗∗ --------------------------------------------- Drupal has released security updates to address a Guzzle third-party library vulnerability that does not affect Drupal core but may affect some contributed projects or custom code on Drupal sites. Exploitation of this vulnerability could allow a remote attacker to take control of an affected website. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/13/drupal-releases-s… ∗∗∗ Screams of Power vulnerabilities (Powertek-based PDUs) ∗∗∗ --------------------------------------------- Even if the PDUs you use in your data center aren't branded "Powertek", please keep reading. Powertek is a company that makes datacenter class smart PDUs (Power Distribution Units - i.e. heavy duty power cords) for server racks. They sell both directly (or at least used to in the past I think?) and through their resellers. There is one reseller per country and they commonly rebrand their PDUs (e.g. mine has a logo of the Swiss reseller - schneikel). Anyway, in March I've done a quick 3h review of the firmware and found multiple vulnerabilities and weaknesses in Powertek PDU's firmware v3.30.23 and possibly prior (details below). So, if you're using a PDU that is running Powertek firmware, you might want to patch now. --------------------------------------------- https://gynvael.coldwind.pl/?id=748 ∗∗∗ OTRS: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0702 ∗∗∗ Security Bulletin: A vulnerability in OpenSSL affects IBM InfoSphere Information Server (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-openss… ∗∗∗ Security Bulletin: A Unspecified Java Vulnerability is affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-unspecified-java-vulner… ∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln… ∗∗∗ Security Bulletin: Due to use of Spring Framework, IBM Db2 Web Query for i is vulnerable to unprotected fields (CVE-2022-22968), remote code execution (CVE-2022-22965), and denial of service (CVE-2022-22950). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-spring-fram… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service, due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Java XML vulnerability affects Liberty for Java for IBM Cloud due to CVE-2022-21299 deferred from Oracle Jan 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-xml-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Identity Spoofing (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.06.2022
by Daily end-of-shift report 10 Jun '22

10 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-06-2022 18:00 − Freitag 10-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cyber Europe 2022 – europaweite Cyber-Sicherheitsübung ∗∗∗ --------------------------------------------- Im Zuge der 2-tägigen Cyber-Sicherheitsübung „Cyber Europe“ arbeiteten Behörden und nationale Computer-Notfallteams in ganz Europa intensiv an Schutz und Abwehr der angegriffenen IT-Bereiche. Über 800 Teilnehmer:innen waren dazu EU-weit an der Übung beteiligt. In Österreich war für die Koordination das Bundeskanzleramt zuständig. Das Gesundheitsministerium, das Innenministerium, das Außenministerium, das Verteidigungsministerium und die zuständigen Computernotfallteams waren in die Übung eingebunden. --------------------------------------------- https://www.ots.at/presseaussendung/OTS_20220609_OTS0200/cyber-europe-2022-… ∗∗∗ Phishing Campaigns featuring Ursnif Trojan on the Rise ∗∗∗ --------------------------------------------- McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-fea… ∗∗∗ Neue Linux-Malware aufgespürt ∗∗∗ --------------------------------------------- Eine gemeinsame Forschungsarbeit hat zur Entdeckung von Symbiote geführt, einer neuen Form von Linux-Malware, die nur schwer zu erkennen ist. Hacker erhalten damit Rootkit-Zugriff. --------------------------------------------- https://www.zdnet.de/88401771/neue-linux-malware-aufgespuert/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-09 - 2022-06-10 ∗∗∗ --------------------------------------------- IBM TXSeries, IBM Connections, IBM Watson, IBM Spectrum, IBM SDK, IBM Cloud Pak, IBM Db2 Mirror for i and IBM StoredIQ. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwachstellen in Infiray IRAY-A8Z3 Wärmebildkamera ∗∗∗ --------------------------------------------- Die IRAY A8Z3 Wärmebildkamera für Industrieapplikationen von Infiray/IRay Technologies ist anfällig auf verschiedene Schwachstellen, welche sich aus unsicherer Programmierung, unsicherer Konfiguration sowie veralteten eingebetteten Softwarekomponenten ergeben. Mehrere Angriffsmöglichkeiten für Remote Code Execution (RCE) wurden gefunden. Der Hersteller hat sich im Zuge unserer Responsible Disclosure nicht mehr gemeldet, weshalb unklar ist, ob Patches verfügbar sind. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/schwachstellen-infira… ∗∗∗ PHP: Updates verhindern Einschleusen von Schadcode ∗∗∗ --------------------------------------------- Fehler in PHP-Modulen zur Verbindung mit SQL-Datenbanken erlauben die Ausführung beliebigen Codes. Admins von Shared-Hosting-Servern sollten schnell updaten. --------------------------------------------- https://heise.de/-7136766 ∗∗∗ Fortinet entfernt hartcodierten Schlüssel und verhindert unberechtigte Zugriffe ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für mehrere Produkte von Fortinet. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-7136620 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-bottle), Fedora (grub2 and kernel), Mageia (python-pypdf2, python-ujson, and vim), and SUSE (fribidi, grub2, mozilla-nss, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/897518/ ∗∗∗ Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors ∗∗∗ --------------------------------------------- https://www.securityweek.com/vulnerabilities-hid-mercury-access-controllers… ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-160-01 ∗∗∗ "Undocumented Functionality" (Backdoor) in Mitel Desk Phones (SYSS-2022-021) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/undocumented-functionality-backdoor-in-mit… ∗∗∗ Kritische Schwachstelle in Crypto USB Flash Drive Lepin EP-KP001 (SYSS-2022-024) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstelle-in-crypto-usb-flas… ∗∗∗ Chrome 102.0.5005.115 fixt Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/06/10/chrome-102-0-5005-115-fixt-schwach… ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.06.2022
by Daily end-of-shift report 09 Jun '22

09 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-06-2022 18:00 − Donnerstag 09-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Emotet Variant Stealing Users Credit Card Information from Google Chrome ∗∗∗ --------------------------------------------- The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. --------------------------------------------- https://thehackernews.com/2022/06/new-emotet-variant-stealing-users.html ∗∗∗ MakeMoney malvertising campaign adds fake update template ∗∗∗ --------------------------------------------- We catch up with some old acquaintances that just arent ready to hang up the towel just yet. The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvert… ∗∗∗ ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat ∗∗∗ --------------------------------------------- A review of whats changed in malware in 2022, and what hasnt, based on Adam Kujawas talk at RSAC 2022. The post ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2022/06/asyncrat-surpasses-dr… ∗∗∗ Nebenjob als Betrugshelfer:in – Vorsicht vor europost-eu.biz ∗∗∗ --------------------------------------------- Ein vielversprechender Nebenjob als Paketempfänger:in lockt mit Home-Office und guten Arbeitsbedingungen. Für 25 € pro Stunde müssen Sie Pakete empfangen und weiterversenden. Was nicht erwähnt wird: Nehmen Sie den Job an, beteiligen Sie sich möglicherweise an Bestellbetrug und machen sich strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/nebenjob-als-betrugshelferin-vorsich… ∗∗∗ LockBit 2.0: How This RaaS Operates and How to Protect Against It ∗∗∗ --------------------------------------------- LockBit 2.0 has so far been this years most active ransomware gang on double-extortion leak sites. Learn about their tactics. --------------------------------------------- https://unit42.paloaltonetworks.com/lockbit-2-ransomware/ ∗∗∗ How to audit Node.js modules ∗∗∗ --------------------------------------------- Node.js is one of the best and most widely used Javascript runtimes used for building APIs. But, this popularity status has led to many hackers distributing insecure modules that exploit the Node.js application or provide a weak point for exploitation. --------------------------------------------- https://mattermost.com/blog/how-to-audit-nodejs-modules/ ∗∗∗ Follina-Schwachstelle (CVE-2022-30190): Neue Erkenntnisse, neue Risiken (9.6.2022) ∗∗∗ --------------------------------------------- Die seit Ende Mai 2022 bekannt gewordene Schwachstelle CVE-2022-30190 (Follina) in Windows entwickelt sich langsam zum Problembär. Die von Microsoft und hier im Blog beschriebenen Gegenmaßnahmen erscheinen nicht ausreichend. --------------------------------------------- https://www.borncity.com/blog/2022/06/09/follina-schwachstelle-cve-2022-301… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in veralteten Zyxel-Firewalls: Neukauf als Fix ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Zyxel warnt vor Sicherheitslücken in älteren Firewalls, deren Support ausgelaufen ist. Abhilfe schaffe der Austausch mit neueren Geräten. --------------------------------------------- https://heise.de/-7135405 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mailman and python-bottle), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, subversion:1.14, and xz), Scientific Linux (python-twisted-web), Slackware (httpd), and Ubuntu (ca-certificates, ffmpeg, ghostscript, and varnish). --------------------------------------------- https://lwn.net/Articles/897372/ ∗∗∗ Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat ∗∗∗ --------------------------------------------- Symbiote is a new Linux malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines. --------------------------------------------- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (January 2022) affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is vulnerable to Apache Log4j2 – CVE-2021-44832 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ K13559191: Linux kernel vulnerability CVE-2022-25636 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13559191?utm_source=f5support&utm_mediu… ∗∗∗ Xen Security Advisory CVE-2022-26363, CVE-2022-26364 / XSA-402 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-402.html ∗∗∗ Xen Security Advisory CVE-2022-26362 / XSA-401 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-401.html ∗∗∗ Case opened: DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2021-00037/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.06.2022
by Daily end-of-shift report 08 Jun '22

08 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-06-2022 18:00 − Mittwoch 08-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux version of Black Basta ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines running on enterprise Linux servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta… ∗∗∗ Poisoned CCleaner search results spread information-stealing malware ∗∗∗ --------------------------------------------- Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poisoned-ccleaner-search-res… ∗∗∗ Cuba ransomware returns to extorting victims with updated encryptor ∗∗∗ --------------------------------------------- The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cuba-ransomware-returns-to-e… ∗∗∗ Targeted phishing past defender ∗∗∗ --------------------------------------------- Signature based detections has shortcomings that matter in real scenarios. Depending only on prevention through an EDR like Defender is not enough in a modern attack scenario. --------------------------------------------- https://www.derant.com/network%20monitoring/2022/06/07/Targetted-phishing-p… ∗∗∗ New Technique Used by Attackers in NPM to Avoid Detection ∗∗∗ --------------------------------------------- Checkmarx SCS team recently detected several malicious NPM packages using a new evasion technique, enhancing dependency confusion attacks to help malicious packages avoid detection. --------------------------------------------- https://checkmarx.com/blog/new-technique-used-by-attackers-in-npm-to-avoid-… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability ∗∗∗ --------------------------------------------- An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. --------------------------------------------- https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html ∗∗∗ Zero-Day-Lücke: Cybergangs missbrauchen MSDT-Leck für Qakbot-Infektionen ∗∗∗ --------------------------------------------- Die Cybergang hinter der Malware Quakbot missbraucht in Phishing-Kampagnen die MSDT-Zero-Day-Lücke. Infizierte Rechner verkauft sie meist an Ransomware-Banden. --------------------------------------------- https://heise.de/-7134949 ∗∗∗ Fehler in Linux-Kernel ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Ein Fehler im Firewall-Code des Linux-Kernels ermöglicht es Nutzern, Befehle als Root auszuführen. Administratoren können einen Workaround anwenden. --------------------------------------------- https://heise.de/-7134791 ∗∗∗ Kritische Schadcode-Lücke bedroht Universal Boot Loader U-Boot ∗∗∗ --------------------------------------------- Die Entwickler von U-Boot haben zwei gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7134785 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (avahi), Fedora (firefox), Oracle (grub2, python-twisted-web, shim, shim-signed, and thunderbird), Red Hat (kernel and python-twisted-web), SUSE (gcc48, go1.17, go1.18, and mariadb), and Ubuntu (e2fsprogs, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-intel-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, [...] --------------------------------------------- https://lwn.net/Articles/897297/ ∗∗∗ Technical Details Released for Recently Patched Zyxel Firewall Vulnerabilities ∗∗∗ --------------------------------------------- Security researchers with HN Security have published technical details on two vulnerabilities affecting many Zyxel products. --------------------------------------------- https://www.securityweek.com/technical-details-released-recently-patched-zy… ∗∗∗ Owl Labs Patches Severe Vulnerability in Video Conferencing Devices ∗∗∗ --------------------------------------------- Video conferencing company Owl Labs has released patches for a severe vulnerability affecting its Meeting Owl Pro and Whiteboard Owl devices. --------------------------------------------- https://www.securityweek.com/owl-labs-patches-severe-vulnerability-video-co… ∗∗∗ Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer ∗∗∗ --------------------------------------------- Symantec has observed threat actors exploiting remote code execution flaw to drop AsyncRAT and information stealer. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/fo… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Spoofing (CVE-2022-22365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ FESTO: CECC-X-M1 - command injection vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-020/ ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0692 ∗∗∗ Mehrere Schwachstellen in "sicheren" mobilen Festplatten und Crypto-USB-Sticks von Verbatim (SYSS-2022-001/-017) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sicheren-mobilen… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2022
by Daily end-of-shift report 07 Jun '22

07 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-06-2022 18:00 − Dienstag 07-06-2022 18:15 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WatchDog hacking group launches new Docker cryptojacking campaign ∗∗∗ --------------------------------------------- The WatchDog hacking group is conducting a new cryptojacking campaign with advanced techniques for intrusion, worm-like propagation, and evasion of security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/watchdog-hacking-group-launc… ∗∗∗ QBot now pushes Black Basta ransomware in bot-powered attacks ∗∗∗ --------------------------------------------- The Black Basta ransomware gang has partnered with the QBot malware operation to gain spread laterally through hacked corporate environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-now-pushes-black-basta-… ∗∗∗ Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware ∗∗∗ --------------------------------------------- A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady. --------------------------------------------- https://thehackernews.com/2022/06/researchers-warn-of-spam-campaign.html ∗∗∗ Neues Phishing-E-Mail der Erste Bank und Sparkasse ∗∗∗ --------------------------------------------- Aktuell kursiert ein neues Phishing-E-Mail im Namen der Erste Bank und Sparkasse. Im Schreiben werden Sie über eine angebliche Abbuchung von 1 259 Euro informiert. --------------------------------------------- https://www.watchlist-internet.at/news/neues-phishing-e-mail-der-erste-bank… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortiguard June 2022 Vulnerability Advisories ∗∗∗ --------------------------------------------- FortiAP-U, FortiDDoS, FortiOS, FortiAnalyzer, FortiManager, FortiSandbox, FortiTokenMobile, FortiAuthenticator, Apache Airflow and FortiClient. --------------------------------------------- https://www.fortiguard.com/psirt-monthly-advisory/june-2022-vulnerability-a… ∗∗∗ Jetzt patchen! Lage um Attacken auf Atlassian Confluence spitzt sich zu ∗∗∗ --------------------------------------------- Aufgrund von öffentlich verfügbarem Exploit-Code steigen die Attacken auf Confluence-Instanzen. Patches sind jetzt verfügbar. --------------------------------------------- https://heise.de/-7132633 ∗∗∗ Patchday: Google schließt Kernel- und Software-Lücken in Android ∗∗∗ --------------------------------------------- Besitzer von Android-Hardware sollte ihre Geräte aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-7133294 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, firefox-esr, pidgin, and thunderbird), Fedora (dotnet3.1, firefox, kernel, vim, and webkit2gtk3), Mageia (firefox/nss/nspr, gimp, logrotate, mariadb, thunderbird, trojita, webkit2, and webmin), Oracle (thunderbird), Red Hat (compat-openssl11, postgresql:10, postgresql:12, and thunderbird), Slackware (pidgin), and SUSE (openvpn). --------------------------------------------- https://lwn.net/Articles/897163/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0, librecad, and php-horde-mime-viewer), Fedora (vim), and Ubuntu (freerdp2, ruby2.3, ruby2.5, ruby2.7, ruby3.0, and vim). --------------------------------------------- https://lwn.net/Articles/897226/ ∗∗∗ Critical U-Boot Vulnerability Allows Rooting of Embedded Systems ∗∗∗ --------------------------------------------- A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group. --------------------------------------------- https://www.securityweek.com/critical-u-boot-vulnerability-allows-rooting-e… ∗∗∗ Security Advisory -Input Verification Vulnerabilities Involved in Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220608-… ∗∗∗ Security Bulletin: IBM Cognos Controller is affected but not vulnerable to arbitrary code execution and SQL injection due to Apache Log4j v1 vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-is-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Public disclosed vulnerability from OpenSSL affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerab… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL Injection (CVE-2022-31768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Apache Commons as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-36090, CVE-2021-35517) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-as-used-by… ∗∗∗ Security Bulletin: CP4D Match 360 is vulnerable to remote attacker executing arbitrary code within IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cp4d-match-360-is-vulnera… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/ MessageSight ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MaaS360 Mobile Enterprise Gateway uses Eclipse Jetty with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-mobile-enterp… ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN module have multiple vulnerabilities (CVE-2021-22060, CVE-2022-22950, CVE-2022-0547, CVE-2022-0778, CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in NumPy. (CVE-2021-33430). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ K29421535: Intel processor vulnerability CVE-2021-33117 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29421535 ∗∗∗ K95204515: Intel CPU vulnerability CVE-2022-21151 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K95204515 ∗∗∗ Grafana: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0690 ∗∗∗ Case update: DIVD-2022-00032 - Exchange backdoor ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00032/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2022
by Daily end-of-shift report 03 Jun '22

03 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-06-2022 18:00 − Freitag 03-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Chinese LuoYu hackers deploy cyber-espionage malware via app updates ∗∗∗ --------------------------------------------- A Chinese-speaking hacking group known as LuoYu is infecting victims WinDealer information stealer malware deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-luoyu-hackers-deploy… ∗∗∗ Evil Corp switches to LockBit ransomware to evade sanctions ∗∗∗ --------------------------------------------- The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets networks to evade sanctions imposed by the U.S. Treasury Departments Office of Foreign Assets Control (OFAC). --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-lockbi… ∗∗∗ Analysis of the Massive NDSW/NDSX Malware Campaign ∗∗∗ --------------------------------------------- Recently, Avast’s researchers Pavel Novák and Jan Rubín posted a detailed writeup about the “Parrot TDS” campaign involving more than 16,500 infected websites. Such massive infections don’t go unnoticed by Sucuri and we immediately recognized that the infection in their writeup belonged to the campaign we internally refer to as “ndsw/ndsx” malware. --------------------------------------------- https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign… ∗∗∗ Reich mit Öl? Vorsicht vor der betrügerischen Investment-Plattform „Öl-Profit“! ∗∗∗ --------------------------------------------- Noch nie war der Online-Ölhandel so einfach wie heute. Jede Person könne hier reich werden – ohne etwas über Öl oder Wirtschaft zu wissen. So heißt es in einem angeblichen Artikel der deutschen Tageszeitung BILD. --------------------------------------------- https://www.watchlist-internet.at/news/reich-mit-oel-vorsicht-vor-der-betru… ∗∗∗ Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor ∗∗∗ --------------------------------------------- We observed a specially crafted DLL hijacking attack used by a previously unknown piece of malware that we dubbed Popping Eagle. --------------------------------------------- https://unit42.paloaltonetworks.com/popping-eagle-malware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angriffe auf Code-Execution-Lücke bedrohen Confluence-Installationen ∗∗∗ --------------------------------------------- Seit Anfang der Woche installieren Angreifer Backdoors über eine neue Lücke in Confluence. Admins sollten noch vor dem langen Wochenende Maßnahmen ergreifen. --------------------------------------------- https://heise.de/-7131081 ∗∗∗ GitLab Issues Security Patch for Critical Account Takeover Vulnerability ∗∗∗ --------------------------------------------- GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. --------------------------------------------- https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cifs-utils, debian-security-support, and pypdf2), Fedora (fapolicyd, mariadb, openssl, and qt5-qtbase), Oracle (firefox, maven:3.5, maven:3.6, postgresql:10, postgresql:12, and postgresql:13), Red Hat (.NET 6.0, firefox, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, pcs, rsync, subversion, thunderbird, and zlib), Scientific Linux (thunderbird), Slackware (mozilla), SUSE (firefox, hdf5, suse-hpc, kernel-firmware, libarchive, patch, php8, and redis), and Ubuntu (cifs-utils and vim). --------------------------------------------- https://lwn.net/Articles/897016/ ∗∗∗ Security Bulletin: IBM Edge Application Manager is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-edge-application-mana… ∗∗∗ Security Bulletin: IBM DataPower Gateway Virtual Edition uses out of date ICU libraries in open-vm-tools ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vir… ∗∗∗ Security Bulletin: IBM Telco Network Cloud Manager – Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-telco-network-cloud-m… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to improper input validation in Spring Framework (CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in Kerberos ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker obtaining sensitive information and other attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus may disclose sensitive information in virgo log file (CVE-2022-22396) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0682 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2022
by Daily end-of-shift report 02 Jun '22

02 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-06-2022 18:00 − Donnerstag 02-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Conti ransomware targeted Intel firmware for stealthy attacks ∗∗∗ --------------------------------------------- Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-in… ∗∗∗ Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks ∗∗∗ --------------------------------------------- As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. --------------------------------------------- https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.ht… ∗∗∗ Europol: FluBot-Infrastruktur unter Kontrolle von Strafverfolgern ∗∗∗ --------------------------------------------- Internationale Strafverfolger konnten die SMS-basierte Android-Spyware FluBot einbremsen. Dies gelang durch die Übernahme der FluBot-Infrastruktur. --------------------------------------------- https://heise.de/-7130270 ∗∗∗ Warnung vor Spoofing mit BSI-Rufnummer ∗∗∗ --------------------------------------------- Das BSI erhält derzeit Meldungen, dass vermehrte Anrufe mit der Rufnummer des BSI und einer zweistelligen Durchwahl erfolgen. Es handelt sich nicht um Anrufe des BSI. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Vorsicht Telefon-Betrug: Tonbandstimme lockt in die Falle! ∗∗∗ --------------------------------------------- Zahlreiche Meldungen berichten von Anrufen einer Tonbandstimme, die dazu auffordert auf die Taste 1 zu drücken. Folgen Sie den Anweisungen nicht! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-telefon-betrug-tonbandstimm… ===================== = Vulnerabilities = ===================== ∗∗∗ SearchNightmare: Windows 10 search-ms: URI Handler 0-day Exploit mit Office 2019 ∗∗∗ --------------------------------------------- Nach der Entdeckung des Missbrauchs der Follina-Schwachstelle (CVE-2022-30190) über das Windows ms-msdt-Protokolls wird diese Bastion "sturmreif" geschossen. Ein Hacker hat sich den search-ms: URI Handler in Windows 10 angesehen und einen ähnlichen Exploit wie Follina entwickelt. --------------------------------------------- https://www.borncity.com/blog/2022/06/02/searchnightmare-windows-10-search-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (thunderbird and vim), Red Hat (firefox, postgresql:10, postgresql:12, and postgresql:13), Scientific Linux (firefox and rsyslog), SUSE (hdf5, hdf5, suse-hpc, postgresql14, rubygem-yajl-ruby, and udisks2), and Ubuntu (imagemagick and influxdb). --------------------------------------------- https://lwn.net/Articles/896896/ ∗∗∗ Millions of Budget Smartphones With UNISOC Chips Vulnerable to Remote DoS Attacks ∗∗∗ --------------------------------------------- Millions of budget smartphones that use UNISOC chipsets could have their communications remotely disrupted by hackers due to a critical vulnerability discovered recently by researchers at cybersecurity firm Check Point. --------------------------------------------- https://www.securityweek.com/millions-budget-smartphones-unisoc-chips-vulne… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability CVE-2021-35550 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Common Licensing is vulnerable by a remote code attack in Spring Framework (CVE-2021-22096,CVE-2021-22060,CVE-2022-22950,CVE-2022-22968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Java SE that could allow an unauthenticated attacker to obtain sensitive information affect IBM® Db2®. (CVE-2021-35603, CVE-2021-35550, CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in Nginx affects IBM Cloud Private and could allow a remote attacker to obtain sensitive information (177988) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nginx-af… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Watson Machine Learning Accelerator is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-a… ∗∗∗ Security Bulletin: CVE-2022-21299 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2022-21299-may-affect… ∗∗∗ Security Bulletin: HMC is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hmc-is-affected-but-not-c… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities – IBM JDK 8.0.7.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to cross tenant information exposure (CVE-2022-22506) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2021-35561 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35561-may-affect… ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2022/05/long-term-support-channel-upda… ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 101 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-23/ ∗∗∗ Autodesk AutoCAD: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0677 ∗∗∗ Illumina Local Run Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-153-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.06.2022
by Daily end-of-shift report 01 Jun '22

01 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-05-2022 18:00 − Mittwoch 01-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zero-Day-Lücke: Erste Cybergangs greifen MSDT-Sicherheitslücke an ∗∗∗ --------------------------------------------- Die Zero-Day-Lücke von Microsoft wird inzwischen von Cybergangs für Angriffe missbraucht. Der Hersteller ordnete das Problem erst falsch als irrelevant ein. --------------------------------------------- https://heise.de/-7128265 ∗∗∗ FluBot Android malware operation shutdown by law enforcement ∗∗∗ --------------------------------------------- Europol has announced the takedown of the FluBot operation, one of the largest and fastest-growing Android malware operations in existence. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-android-malware-opera… ∗∗∗ New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers ∗∗∗ --------------------------------------------- An enhanced version of the XLoader malware has been spotted adopting a probability-based approach to camouflage its command-and-control (C&C) infrastructure, according to the latest research. --------------------------------------------- https://thehackernews.com/2022/06/new-xloader-botnet-version-using.html ∗∗∗ New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email ∗∗∗ --------------------------------------------- A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim. --------------------------------------------- https://thehackernews.com/2022/06/new-unpatched-horde-webmail-bug-lets.html ∗∗∗ Watch out for phishing emails that inject spyware trio ∗∗∗ --------------------------------------------- You wait for one infection and then three come along at once. An emailed report seemingly about a payment will, when opened in Excel on a Windows system, attempt to inject three pieces of file-less malware that steal sensitive information. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/06/01/phishing-rat… ∗∗∗ Certificate Transparency data is used to compromise WordPress before installation ∗∗∗ --------------------------------------------- Recently in the community forums of WordPress and Lets Encrypt, reports have shown up about webshells on freshly installed WordPress blogs that were later used for DDoS attacks. --------------------------------------------- https://www.feistyduck.com/bulletproof-tls-newsletter/issue_89_certificate_… ∗∗∗ AA22-152A: Karakurt Data Extortion Group ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-152a ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libjpeg-turbo, webkit2gtk, and wpewebkit), Fedora (golang-github-opencontainers-runc, mingw-pcre2, python-jwt, python-ujson, and weechat), Oracle (nodejs:16 and rsyslog), Red Hat (container-tools:3.0, expat, fapolicyd, kernel, kernel-rt, kpatch-patch, mariadb:10.3, postgresql:12, rsyslog and rsyslog7, and zlib), Slackware (mozilla), SUSE (bind, dpdk, fribidi, hdf5, librelp, php74, postgresql12, and postgresql13), and Ubuntu (cups, linux-gcp-5.13, linux-oracle, linux-oracle-5.13, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/896803/ ∗∗∗ T&D Data Server and THERMO RECORDER DATA SERVER vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN28659051/ ∗∗∗ Security Advisory - Insufficient Input Verification Vulnerability In Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220601-… ∗∗∗ Security Bulletin: IBM® PureData System for Operational Analytics is vulnerable to arbitrary code execution, remote code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-puredata-system-for-o… ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25214) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to code injection due to CVE-2022-29078 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-data-synchroni… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Vulnerability in Apache HTTP (CVE-2022-22720) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-h… ∗∗∗ K43541501: Intel CPU vulnerabilities CVE-2022-21131 and CVE-2022-21136 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43541501 ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-22/ ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-151-01 ∗∗∗ BD Synapsys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-151-02 ∗∗∗ Fuji Electric Alpha7 PC Loader ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-151-01 ∗∗∗ SSRF-Schwachstelle in Canto Cumulus (SYSS-2022-023) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/ssrf-schwachstelle-in-canto-cumulus-syss-2… ∗∗∗ Microsoft Edge 102.0.1245.30 schließt Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/06/01/microsoft-edge-102-0-1245-30-schli… ∗∗∗ Security Advisory: Multiple Vulnerabilities Impact 3CX Phone System ∗∗∗ --------------------------------------------- https://www.gosecure.net/blog/2022/05/31/security-advisory-multiple-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.05.2022
by Daily end-of-shift report 31 May '22

31 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 30-05-2022 18:00 − Dienstag 31-05-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Meeting Owl Pro: Konferenzeule hat viele Sicherheitslücken ∗∗∗ --------------------------------------------- Das Konferenzsystem Meeting Owl Pro sieht putzig aus, hat aber viele Sicherheitslücken, die auch nach vier Monaten nicht geschlossen wurden. --------------------------------------------- https://www.golem.de/news/meeting-owl-pro-konferenzeule-hat-viele-sicherhei… ∗∗∗ GSM-Codes: Whatsapp-Konten per Anruf übernehmen ∗∗∗ --------------------------------------------- Mit einer neuen Masche können Betrüger Whatsapp-Konten übernehmen. Nutzer sollen zum Anrufen dubioser Telefonnummern verleitet werden. --------------------------------------------- https://www.golem.de/news/gsm-codes-whatsapp-konten-per-anruf-uebernehmen-2… ∗∗∗ Over 3.6 million exposed MySQL servers on IPv4 and IPv6 ∗∗∗ --------------------------------------------- We have recently began scanning for accessible MySQL server instances on port 3306/TCP. These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single AS). IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide. --------------------------------------------- https://www.shadowserver.org/news/over-3-6m-exposed-mysql-servers-on-ipv4-a… ∗∗∗ Buchen Sie Ihre Unterkunft nicht auf ferienhaeuser-porec.de ∗∗∗ --------------------------------------------- ferienhaeuser-porec.de ist eine betrügerische Buchungswebseite für „Exklusive Villen und Ferienhäuser“ in Porec, Kroatien. Auf den ersten Blick wirkt die Webseite professionell. Das Impressum sowie das Foto der deutschen Inhaber stiften Vertrauen. Aber: Wer dort bucht und bezahlt verliert sein Geld und hat keine Unterkunft. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-auf… ∗∗∗ Nächste Runde: FluBot-Banking-Malware (Mai 2022) ∗∗∗ --------------------------------------------- Kleines Update in Sachen Flubot. Die Cyberkriminellen hinter FluBot greifen Smartphone-Nutzer in Europa mit einer Neuauflage ihrer Smishing-Kampagne an, um die Malware zum Stehlen persönlicher Banking-Daten auf mobilen Telefonen in Europa zu verbreiten. --------------------------------------------- https://www.borncity.com/blog/2022/05/31/nchste-rund-flubot-banking-malware… ∗∗∗ CVE Farming through Software Center – A group effort to flush out zero-day privilege escalations ∗∗∗ --------------------------------------------- In this blogpost we discuss a zero-day topic for finding privilege escalation vulnerabilities discovered by Ahmad Mahfouz. It abuses applications like Software Center, which are typically used in large-scale environments for automated software deployment performed on demand by regular (i.e. unprivileged) users. --------------------------------------------- https://blog.nviso.eu/2022/05/31/cve-farming-through-software-center-a-grou… ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day-Lücke in MS Office: Microsoft gibt Empfehlungen ∗∗∗ --------------------------------------------- Microsoft gibt Handlungsempfehlungen gegen die Zero-Day-Schwachstelle in Office. Angreifer könnten diese zum Einschleusen von Schadcode missbrauchen. --------------------------------------------- https://heise.de/-7126993 ∗∗∗ Content Management System: Sicherheitslücke in Drupal erlaubt Website-Übernahme ∗∗∗ --------------------------------------------- Die Sicherheitslücke findet sich nicht im eigentlichen Drupal-Code, sondern in der Drittherstellerbibliothek Guzzle. Darüber wickelt Drupal HTTP-Anfragen und -Antworten an externe Dienste ab. Das Guzzle-Projekt hat ein Update veröffentlicht, dass zwar nicht den Drupal-Core betreffe, jedoch Auswirkungen auf beigesteuerte Projekte oder individuell angepassten Code von Drupal-Seiten haben könnte. --------------------------------------------- https://heise.de/-7127268 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy, libdbi-perl, pjproject, spip, and trafficserver), Oracle (firefox, kernel, kernel-container, libvirt libvirt-python, and thunderbird), Red Hat (maven:3.5, maven:3.6, nodejs:16, postgresql, postgresql:10, and rsyslog), SUSE (gimp, helm-mirror, ImageMagick, mailman, openstack-neutron, pcmanfm, pcre2, postgresql10, and tiff), and Ubuntu (dpkg and freetype). --------------------------------------------- https://lwn.net/Articles/896721/ ∗∗∗ Siemens Healthineers SHSA-455016: Deserialization Vulnerability in Healthcare Products ∗∗∗ --------------------------------------------- https://www.siemens-healthineers.com/support-documentation/cybersecurity/sh… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Spring Framework affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache HTTP (CVE-2021-34798 and CVE-2021-39275) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin:IBM Common Licensing is affected but not classified as vulnerable by a remote code execution in Spring Framework (220575,CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-common-licensing-is-af… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK, Java Technology (CVE-2022-21341, CVE-2022-21294, CVE-2022-21293 and CVE-2022-21248) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2021-3712) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 91.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-21/ ∗∗∗ Security Vulnerabilities fixed in Firefox 101 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-20/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.05.2022
by Daily end-of-shift report 30 May '22

30 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-05-2022 18:00 − Montag 30-05-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Clop ransomware gang is back, hits 21 victims in a single month ∗∗∗ --------------------------------------------- After effectively shutting down their entire operation for several months, between November and February, the Clop ransomware is now back according to NCC Group researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back… ∗∗∗ New Windows Subsystem for Linux malware steals browser auth cookies ∗∗∗ --------------------------------------------- Hackers are showing an increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-windows-subsystem-for-li… ∗∗∗ New GoodWill Ransomware Forces Victims to Donate Money and Clothes to the Poor ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims into donating for social causes and provide financial assistance to people in need. --------------------------------------------- https://thehackernews.com/2022/05/new-goodwill-ransomware-forces-victims.ht… ∗∗∗ Understanding CVE-2022-22972 (VMWare Workspace One Access Auth Bypass) ∗∗∗ --------------------------------------------- We’ve got a copy of the vulnerable version of VMWare Workspace One Access, and we’ve gone through the extremely boring process of setting it up (oh the joys of vulnerability research). At this stage, we want to try and narrow down exactly where this vulnerability exists in code. --------------------------------------------- https://blog.assetnote.io/2022/05/27/understanding-cve-2022-22972-vmware-wo… ∗∗∗ Bösartige Browser-Erweiterung: ChromeLoader kommt als ISO getarnt ∗∗∗ --------------------------------------------- Eine bösartige Erweiterung kann allen Browserverkehr über unerwünschte Server leiten und so Daten abschöpfen. ChromeLoader geht dabei trickreich vor. --------------------------------------------- https://heise.de/-7126317 ∗∗∗ Probleme mit Ihrer Lebensversicherung? Vorsicht vor Beratungsleistungen von konsumentenschuetzer.com ∗∗∗ --------------------------------------------- Im Internet finden Sie die Beratungsagentur „Konsumentenschützer“, die Ihren Vertrag prüft und bei Bedarf eine Klage bei Ihrer Versicherung einbringt. Wir raten zur Vorsicht. --------------------------------------------- https://www.watchlist-internet.at/news/probleme-mit-ihrer-lebensversicherun… ∗∗∗ Microsoft findet Schwachstellen in Apps großer Mobilfunkprovider (Mai 2022) ∗∗∗ --------------------------------------------- Das Microsoft 365 Defender Research Team hat in einem mobilen Framework von mce Systems einige Schwachstellen gefunden. --------------------------------------------- https://www.borncity.com/blog/2022/05/30/microsoft-findet-schwachstellen-in… ∗∗∗ Detecting BCD Changes To Inhibit System Recovery ∗∗∗ --------------------------------------------- Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Hermetic wiper”. To inhibit recovery an attacker has many possibilities, one of which is changing the Boot Configuration Database (BCD). --------------------------------------------- https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-re… ∗∗∗ Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices ∗∗∗ --------------------------------------------- Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malw… ∗∗∗ GitHub RepoJacking Weakness Exploited in the Wild by Attackers ∗∗∗ --------------------------------------------- A logical flaw in GitHub allows attackers to take control over thousands of repositories, enabling the poisoning of popular open-source packages. This flaw is yet to be fixed and the steps to exploit it were recently published. --------------------------------------------- https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wil… ===================== = Vulnerabilities = ===================== ∗∗∗ New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme, (Mon, May 30th) ∗∗∗ --------------------------------------------- It was a long weekend for many European countries and it’s an off-day in the US but we were aware of a new attack vector for Microsoft Office documents. --------------------------------------------- https://isc.sans.edu/diary/rss/28694 ∗∗∗ Zero-Day-Lücke in Microsoft Office ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein Word-Dokument entdeckt, das beim Öffnen Schadcode nachladen und ausführen kann. Aktuelle Software scheint davor zu schützen. --------------------------------------------- https://heise.de/-7125635 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (modsecurity-apache, pngcheck, rsyslog, and smarty3), Fedora (firefox, golang-github-opencontainers-runc, gron, kernel, kernel-headers, kernel-tools, logrotate, mingw-pcre2, and rubygem-git), Mageia (admesh, chromium-browser-stable, golang, kernel, kernel-linus, and pidgin), Red Hat (firefox, openvswitch2.13, openvswitch2.15, openvswitch2.16, rsyslog, and thunderbird), SUSE (bind, curl, opera, pcp, postgresql12, and postgresql14), [...] --------------------------------------------- https://lwn.net/Articles/896640/ ∗∗∗ Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-46669, CVE-2022-24048, MariaDB – 219814, MariaDB – 219815, CVE-2022-24050, CVE-2022-24052 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-installation-on-r… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a number of security vulnerabilities in Netty, which is used by Guardium (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote attack due to Moment.js CVE-2022-24785 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: Cross-Site Request Forgery vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-22361 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0665 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2022
by Daily end-of-shift report 27 May '22

27 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-05-2022 18:00 − Freitag 27-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New ChromeLoader malware surge threatens browsers worldwide ∗∗∗ --------------------------------------------- The ChromeLoader malware is seeing an uptick in detections this month, following a relatively stable operation volume since the start of the year, which means that the malvertiser is now becoming a widespread threat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-chromeloader-malware-sur… ∗∗∗ New ‘Cheers’ Linux ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- A new ransomware named Cheers has appeared in the cybercrime space and has started its operations by targeting vulnerable VMware ESXi servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-… ∗∗∗ New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps ∗∗∗ --------------------------------------------- The ERMAC Android banking trojan has released version 2.0, increasing the number of applications targeted from 378 to 467, covering a much wider range of apps to steal account credentials and crypto wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ermac-20-android-malware… ∗∗∗ Microsoft shares mitigation for Windows KrbRelayUp LPE attacks ∗∗∗ --------------------------------------------- Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigation-… ∗∗∗ Windows 11 KB5014019 breaks Trend Micro ransomware protection ∗∗∗ --------------------------------------------- This weeks Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micros security products that breaks some of their capabilities, including the ransomware protection feature. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-… ∗∗∗ Warten auf abgesicherte Version: Anonymes Surfen unter Tails gefährdet ∗∗∗ --------------------------------------------- Wer mit dem Tor Browser des Tails-Systems surft, könnte Passwörter an Angreifer preisgeben. --------------------------------------------- https://heise.de/-7123771 ∗∗∗ Sie sollen Zollgebühren mit einer Paysafecard bezahlen? Achtung, Betrug! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische E-Mails im Namen des Zolls und behaupten, dass Sie Zollgebühren bezahlen müssen, und zwar in Form einer Paysafecard. Nur so könne Ihr Paket zugestellt werden. Ignorieren Sie solche E-Mails, Kriminelle versuchen nur an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/sie-sollen-zollgebuehren-mit-einer-p… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-05-26 - 2022-05-27 ∗∗∗ --------------------------------------------- IBM MQ Internet Pass-Thru, IBM MQ Operator, IBM MQ Appliance, IBM MQ trace, IBM Semeru Runtime, IBM Sterling Control Center, IBM App Connect Enterprise, IBM Watson Discovery, IBM Spectrum Control, IBM Netezza Host Management, IBM Tivoli Netcool/OMNIbus Probe Integrations, IBM DataPower. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Angreifer könnten Netzwerk-Hardware von Citrix lahmlegen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitspatches für Citritx ADC und Citrix Gateway. Angreifer könnten die Netzwerk-Hardware lahmlegen. --------------------------------------------- https://heise.de/-7123795 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, dpkg, filezilla, irssi, puma, and python-django), Fedora (firefox, ignition, and pcre2), Mageia (cockpit, firefox/thunderbird, openldap, supertux, unrar, and vim), Oracle (firefox and thunderbird), Red Hat (rh-varnish6-varnish), SUSE (cups, fribidi, kernel-firmware, redis, and wpa_supplicant), and Ubuntu (dpkg, logrotate, and subversion). --------------------------------------------- https://lwn.net/Articles/896346/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (atftp, cups, neutron, and zipios++), Fedora (clash, moodle, python-jwt, and thunderbird), Red Hat (thunderbird), Slackware (cups), SUSE (go1.17, libredwg, opera, seamonkey, and varnish), and Ubuntu (libxv, ncurses, openssl, and subversion). --------------------------------------------- https://lwn.net/Articles/896465/ ∗∗∗ ABB Cyber Security Advisory: e-Design - Multiple vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2%20CMT%200%200%206… ∗∗∗ K32760744: libxml2 vulnerability CVE-2022-23308 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32760744 ∗∗∗ K54724312: Linux kernel vulnerability CVE-2022-0492 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54724312 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0661 ∗∗∗ Drupal CORE: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0662 ∗∗∗ Keysight N6854A Geolocation server and N6841A RF Sensor software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-146-01 ∗∗∗ Horner Automation Cscape Csfont ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-146-02 ∗∗∗ Cross-Site Request Forgery Vulnerability in Proxy Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.05.2022
by Daily end-of-shift report 25 May '22

25 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-05-2022 18:00 − Mittwoch 25-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Vorsicht vor unseriösen Spendenaufrufen für krebskranke Kinder ∗∗∗ --------------------------------------------- Immer wieder stoßen Watchlist Internet Leser:innen auf betrügerische Spendenaufrufe für krebskranke Kinder. Insbesondere in Werbeeinschaltungen auf YouTube werden häufig derartige Kampagnen angezeigt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-spendenaufr… ∗∗∗ Bablosoft; Lowering the Barrier of Entry for Malicious Actors ∗∗∗ --------------------------------------------- Summary Evidence suggests an increasing number of threat actor groups are making use of a free-to-use browser automation framework. The framework contains numerous features which we assess may be utilized in the enablement of malicious activities. --------------------------------------------- https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-en… ∗∗∗ How the Saitama backdoor uses DNS tunnelling ∗∗∗ --------------------------------------------- A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34s Saitama backdoor. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-b… ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service ∗∗∗ --------------------------------------------- Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service. --------------------------------------------- http://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-pl… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lrzip and puma), Fedora (plantuml and plib), Oracle (kernel and kernel-container), Red Hat (firefox, kernel, kpatch-patch, subversion:1.14, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (kernel-firmware, libxml2, pcre2, and postgresql13), and Ubuntu (accountsservice, postgresql-10, postgresql-12, postgresql-13, postgresql-14, and rsyslog). --------------------------------------------- https://lwn.net/Articles/896216/ ∗∗∗ CISA Adds 34 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 34 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/25/cisa-adds-34-know… ∗∗∗ Chrome 102.0.5005.61/62/63 fixen kritische Schwachstellen ∗∗∗ --------------------------------------------- Google hat zum 24. Mai 2022 die Updates des 102.0.5005.61/62/63 Google Chrome Browsers für Windows und Mac auf dem Desktop im Stable Channel freigegeben (Chrome 102 wird auch im Stable Channel für Windows und Mac aufgenommen). --------------------------------------------- https://www.borncity.com/blog/2022/05/25/chrome-102-0-5005-61-62-63-fixen-s… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ Security Bulletin: Node.js as used by IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-as-used-by-ibm-se… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-deployment-int… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ VMSA-2022-0015 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0015.html ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27507 and CVE-2022-27508 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX457048 ∗∗∗ Rockwell Automation Logix Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-144-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.05.2022
by Daily end-of-shift report 24 May '22

24 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 23-05-2022 18:00 − Dienstag 24-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Researchers to release exploit for new VMware auth bypass, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is about to be published for a vulnerability that allows administrative access without authentication in several VMware products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-to-release-explo… ∗∗∗ Beneath the surface: Uncovering the shift in web skimming ∗∗∗ --------------------------------------------- Web skimming campaigns now employ various obfuscation techniques to deliver and hide the skimming scripts. It’s a shift from earlier tactics where attackers conspicuously injected the malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-unco… ∗∗∗ Anatomy of a DDoS amplification attack ∗∗∗ --------------------------------------------- Amplification attacks are one of the most common distributed denial of service (DDoS) attack vectors. These attacks are typically categorized as flooding or volumetric attacks, where the attacker succeeds in generating more traffic than the target can process, resulting in exhausting its resources due to the amount of traffic it receives. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/23/anatomy-of-ddos-amplific… ∗∗∗ New Research Paper: Pre-hijacking Attacks on Web User Accounts ∗∗∗ --------------------------------------------- In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. --------------------------------------------- https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/ ∗∗∗ Cybersecurity Community Warned of Fake PoC Exploits Delivering Malware ∗∗∗ --------------------------------------------- Researchers have spotted fake proof-of-concept (PoC) exploits that appear to have been created by threat actors in an effort to deliver malware to members of the cybersecurity community. --------------------------------------------- https://www.securityweek.com/cybersecurity-community-warned-fake-poc-exploi… ∗∗∗ Die wichtigsten Einstellungen für ein sicheres Smartphone ∗∗∗ --------------------------------------------- Das Smartphone ist mittlerweile ein treuer Begleiter. Kontaktinformationen, Termine, Fotos, Bankdaten und Nachrichten befinden sich auf unseren Geräten. Kein Wunder, dass uns ein ungutes Gefühl überkommt, wenn das Smartphone nicht auffindbar und möglicherweise verloren gegangen ist. Am Smartphone sind viele persönliche Daten gespeichert und diese gilt es zu schützen. --------------------------------------------- https://www.watchlist-internet.at/news/die-wichtigsten-einstellungen-fuer-e… ∗∗∗ Breaking out of Windows Kiosks using only Microsoft Edge ∗∗∗ --------------------------------------------- I will take you through the steps that I performed to get code execution on a Windows kiosk host using ONLY Microsoft Edge. --------------------------------------------- https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-… ===================== = Vulnerabilities = ===================== ∗∗∗ Zyxel: Lücken in Access-Points, Access-Point-Controllern und Firewalls ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Zyxel warnt vor mehreren Sicherheitslücken in den Access-Points, Access-Point-Controllern sowie Firewalls. Updates sind verfügbar. --------------------------------------------- https://heise.de/-7108626 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openldap), Fedora (curl), Oracle (kernel and kernel-container), Red Hat (maven:3.5), SUSE (cacti, cacti-spine, firefox, go1.18, openldap2, python-requests, rsyslog, and slurm_20_11), and Ubuntu (firefox, htmldoc, libpng, libxfixes, libxrender, thunderbird, and vim). --------------------------------------------- https://lwn.net/Articles/896114/ ∗∗∗ CVE-2022-25237: Bonitasoft Authorization Bypass and RCE ∗∗∗ --------------------------------------------- https://rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasof… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which is packaged in IBM ESS (CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM DataPower Gateway Operand affected by vulnerabilities in Go (CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-ope… ∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to DNS spoofing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-pot… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unauthorized user can send arbitrary data to the CLI commands and daemon (CVE-2020-4926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-22309 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM ESS ( CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Linux Kernel vulnerability may affect IBM Elastic Storage System (CVE-2021-4083) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit… ∗∗∗ Security Bulletin: A vulnerability in IBM JAVA JDK affects IBM Spectrum Scale packaged in IBM Elastic Storage System (CVE-2022-21291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage System (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2020-1968 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: IBM Security Verify Adapters are vulnerable to denial of service and bypass security restrictions due to OpenSSL (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-adapt… ∗∗∗ Security Bulletin: IBM Navigator for i is vulnerable to an SQL injection (CVE-2022-22495) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-vu… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerability in JRE ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which is packaged in IBM ESS (CVE-2020-4926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Operator may be vulnerable to denial of service due to CVE-2021-38561 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0646 ∗∗∗ Matrikon OPC Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-144-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2022
by Daily end-of-shift report 23 May '22

23 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-05-2022 18:00 − Montag 23-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Malicious PyPI package opens backdoors on Windows, Linux, and Macs ∗∗∗ --------------------------------------------- Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-opens… ∗∗∗ How to find NPM dependencies vulnerable to account hijacking ∗∗∗ --------------------------------------------- Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains. --------------------------------------------- https://www.theregister.com/2022/05/23/npm_dependencies_vulnerable/ ∗∗∗ Conti Ransomware Operation Shut Down After Brand Becomes Toxic ∗∗∗ --------------------------------------------- The Conti brand’s downfall appears to have started in late February, after Russia launched an invasion of Ukraine. --------------------------------------------- https://www.securityweek.com/conti-ransomware-operation-shut-down-after-bra… ∗∗∗ Wenn nach einer Bestellung auf Vinted ein Zalando-Paket ankommt… ∗∗∗ --------------------------------------------- Sie haben etwas auf Vinted gekauft aber ein Zalando-Paket erhalten? Dann sollten Sie rasch handeln. Dabei handelt es sich nämlich um eine Betrugsmasche. --------------------------------------------- https://www.watchlist-internet.at/news/wenn-nach-einer-bestellung-auf-vinte… ∗∗∗ Botnet bedroht Linux-Server ∗∗∗ --------------------------------------------- Schützen Sie Ihre Linux-Server vor XorDdoS, einem Botnet, das im Internet nach SSH-Servern mit schwachen Passwörtern sucht, warnt Microsoft. --------------------------------------------- https://www.zdnet.de/88401426/botnet-bedroht-linux-server/ ∗∗∗ Windows Defender Application Control: Empfohlene Blockierungsregeln (Mai 2022) ∗∗∗ --------------------------------------------- In Windows 10 und Windows 11 sind Windows Defender Application Control (WDAC) und AppLocker als Features in den Unternehmensvarianten (Windows 10/11 Enterprise) als Sicherheitsfunktionen verfügbar. Nun hat Microsoft Mitte Mai 2022 eine Liste der empfohlenen Blockierungsregeln veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/05/22/windows-defender-application-contr… ===================== = Vulnerabilities = ===================== ∗∗∗ PDF smuggles Microsoft Word doc to drop Snake Keylogger malware ∗∗∗ --------------------------------------------- Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-… ∗∗∗ Jetzt patchen! Angreifer attackieren Cisco 8000 Series Router ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat Sicherheitsupdates für verschiedene Netzwerk-Komponenten veröffentlicht. --------------------------------------------- https://heise.de/-7102828 ∗∗∗ Oracle warnt vor Sicherheitslücke in E-Business Suite ∗∗∗ --------------------------------------------- Oracle veröffentlicht Updates eigentlich quartalsweise zum Critical-Patch-Update-Termin. Ein Patch schließt bereits jetzt eine Lücke in der E-Business-Suite. --------------------------------------------- https://heise.de/-7102875 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (admesh, condor, firefox-esr, libpgjava, libxml2, rsyslog, and thunderbird), Fedora (dotnet6.0, libarchive, php-openpsa-universalfeedcreator, thunderbird, and vim), Mageia (ffmpeg, kernel, kernel-linus, microcode, netatalk, nvidia-current, nvidia390, opencontainers-runc, postgresql, and ruby-nokogiri), Slackware (mariadb and mozilla), and SUSE (curl, firefox, libarchive, librecad, libxls, openldap2, php7, and postgresql10). --------------------------------------------- https://lwn.net/Articles/896032/ ∗∗∗ Password policy guidance ∗∗∗ --------------------------------------------- Why do we need strong passwords? Passwords are stored by using a one-way hashing algorithm to generate a representation of the original password on a securely designed system. --------------------------------------------- https://www.pentestpartners.com/security-blog/password-policy-guidance/ ∗∗∗ Denial of Service Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220601-… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is vulnerable to remote code execution and denial of service due to multiple Expat CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to server-side request forgery due to Python (CVE-2021-29921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: TXSeries for Multiplatforms is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-txseries-for-multiplatfor… ∗∗∗ Security Bulletin: Vulnerability in Curl affects IBM Cloud Private and could allow a remote attacker to bypass security restrictions (CVE-2021-22926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-curl-aff… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ K08832573: DHCP vulnerability CVE-2021-25217 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08832573 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2022
by Daily end-of-shift report 20 May '22

20 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-05-2022 18:00 − Freitag 20-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices ∗∗∗ --------------------------------------------- Observing a 254% increase in activity over the last six months from a versatile Linux trojan called XorDdos, the Microsoft 365 Defender research team provides in-depth analysis into this stealthy malwares capabilities and key infection signs. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper… ∗∗∗ Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware ∗∗∗ --------------------------------------------- Fraudulent domains masquerading as Microsofts Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware. --------------------------------------------- https://thehackernews.com/2022/05/hackers-trick-users-with-fake-windows.html ∗∗∗ Cytroxs Predator Spyware Targeted Android Users with Zero-Day Exploits ∗∗∗ --------------------------------------------- Googles Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. --------------------------------------------- https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.h… ∗∗∗ Metastealer – filling the Racoon void ∗∗∗ --------------------------------------------- MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year. --------------------------------------------- https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-voi… ∗∗∗ Emotet Being Distributed Using Various Files ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of Emotet through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, it was found that the Emotet downloader uses Excel files as well as link files (.lnk). --------------------------------------------- https://asec.ahnlab.com/en/34556/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Security Alert for CVE-2022-21500 - 19 May 2022 ∗∗∗ --------------------------------------------- This Security Alert addresses vulnerability CVE-2022-21500, which affects some deployments of Oracle E-Business Suite. --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2022-21500.html ∗∗∗ Angreifer könnten mit DNS-Software BIND erstellte TLS-Sessions "zerstören" ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für BIND, welches Admins zeitnah installieren sollten. --------------------------------------------- https://heise.de/-7101032 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (ark, openldap, and thunderbird), Fedora (freetype and vim), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, container-tools:3.0, glibc, kernel, rsync, and subversion:1.10), Scientific Linux (kernel), SUSE (dcraw, firefox, glib2, ImageMagick, kernel-firmware, libxml2, libyajl, php7, ucode-intel, and unrar), and Ubuntu (openldap). --------------------------------------------- https://lwn.net/Articles/895862/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-23450, CVE-1999-0001) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Spoofing (CVE-2022-22365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Robotic Process Automation with Automation Anywhere is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-39038, CVE-1999-0002) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS) vulnerability (CVE-2021-39043) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) ∗∗∗ --------------------------------------------- https://www.pentestpartners.com/security-blog/galleon-nts-6002-gps-command-… ∗∗∗ Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/ ∗∗∗ Grafana: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0639 ∗∗∗ Trend Micro Security Produkte: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0638 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2022
by Daily end-of-shift report 19 May '22

19 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-05-2022 18:00 − Donnerstag 19-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Lazarus hackers target VMware servers with Log4Shell exploits ∗∗∗ --------------------------------------------- The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware Horizon servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmwar… ∗∗∗ iPhone aus, Funk bleibt an: Sicherheitsforscher sehen neue Angriffsfläche ∗∗∗ --------------------------------------------- Auf einem abgeschalteten iPhone kann Malware laufen, warnt ein Forschungsteam der TU Darmstadt. Apples Low-Power-Mode fehlen Schutzvorkehrungen. --------------------------------------------- https://heise.de/-7099330 ∗∗∗ Qnap warnt vor Ransomware-Angriffen auf Netzwerkspeicher ∗∗∗ --------------------------------------------- Der Hersteller Qnap warnt vor neuen Angriffen mit Ransomware auf die Netzwerkspeicher des Unternehmens. Admins sollen bereitstehende Updates zügig installieren. --------------------------------------------- https://heise.de/-7099676 ∗∗∗ „Domain ist abgelaufen“: Ignorieren Sie die E-Mail im Namen von domaintechnik.at ∗∗∗ --------------------------------------------- Sie besitzen eine Website? Dann sollten Sie sich vor betrügerischen Phishing-Mails in Acht nehmen, die derzeit im Namen von domaintechnik.at versendet werden. Darin behaupten Kriminelle, dass sie eine Bestellung nicht bearbeiten konnten und daher Ihre Domain sperren mussten. Um die Domain zu verlängern, werden Sie dazu aufgefordert auf einen Link zu klicken und Ihre Kreditkartendaten einzugeben. --------------------------------------------- https://www.watchlist-internet.at/news/domain-ist-abgelaufen-ignorieren-sie… ===================== = Vulnerabilities = ===================== ∗∗∗ Attacken auf VMware-Sicherheitslücken: Jetzt updaten! ∗∗∗ --------------------------------------------- Die US-amerikanische CISA warnt vor Angriffen auf mehrere Sicherheitslücken in VMware-Produkten. VMware dichtet zudem neu entdeckte Schwachstellen ab. --------------------------------------------- https://heise.de/-7099531 ∗∗∗ iTunes 12.12.4 for Windows ∗∗∗ --------------------------------------------- This document describes the security content of iTunes 12.12.4 for Windows. --------------------------------------------- https://support.apple.com/kb/HT213259 ∗∗∗ Cisco Security Advisories 2022-05-18 ∗∗∗ --------------------------------------------- Cisco published 5 Security Advisories (5 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht WordPress-Websites mit Jupiter Theme ∗∗∗ --------------------------------------------- Mit dem Theme-Builder Jupiter Theme oder Jupiter X Core Plugin erstellte WordPress-Websites sind verwundbar. --------------------------------------------- https://heise.de/-7099655 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (microcode_ctl, rubygem-nokogiri, and vim), Mageia (htmldoc, python-django, and python-oslo-utils), Red Hat (container-tools:2.0, kernel, kernel-rt, kpatch-patch, and pcs), SUSE (ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud, autotrace, curl, firefox, libslirp, php7, poppler, slurm_20_11, and ucode-intel), and Ubuntu (bind9, gnome-control-center, and libxrandr). --------------------------------------------- https://lwn.net/Articles/895771/ ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- CB-K22/0632: Zoom Video Communications Zoom Client: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen. Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Zoom Video Communications Zoom Client ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0632 ∗∗∗ Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-040 ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnarable to exposure of sensitive information (CVE-20204970) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-27928 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-installation-on-r… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ K18484125: Eclipse Jetty vulnerability CVE-2020-27216 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18484125 ∗∗∗ K82896488: Cyrus SASL vulnerability CVE-2022-24407 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82896488 ∗∗∗ K21548854: zlib vulnerability CVE-2018-25032 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21548854 ∗∗∗ K83120834: Diffie-Hellman key agreement protocol vulnerability CVE-2002-20001 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K83120834 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-139-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.05.2022
by Daily end-of-shift report 18 May '22

18 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-05-2022 18:00 − Mittwoch 18-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft warns of brute-force attacks targeting MSSQL servers ∗∗∗ --------------------------------------------- Microsoft warned of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-warns-of-brute-for… ∗∗∗ Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang ∗∗∗ --------------------------------------------- The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. --------------------------------------------- https://thehackernews.com/2022/05/researchers-expose-inner-working-of.html ∗∗∗ We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere ∗∗∗ --------------------------------------------- A guide to relaying credentials everywhere in 2022. --------------------------------------------- https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-gu… ∗∗∗ Gefährliche PayPal-Phishing-Nachricht in Umlauf ∗∗∗ --------------------------------------------- In einer gefährlichen PayPal-Phishing-Mail wird behauptet „Aktion fur Ihr PayPal-Konto erforderlich“. Die Nachricht ist im PayPal-Design gehalten und spielt vor, dass eine Transaktion für Glücksspiel aufgehalten und Ihr Konto deshalb eingeschränkt wurde. Schenken Sie dem keinen Glauben und geben Sie keine Daten bekannt! Man versucht Ihre PayPal-Login-Daten und Ihre Kreditkartendaten zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/gefaehrliche-paypal-phishing-nachric… ∗∗∗ EntropyCapture: Simple Extraction of DPAPI Optional Entropy ∗∗∗ --------------------------------------------- During a short application assessment, enumeration and decryption of a third-party application’s Windows Data Protection API (DPAPI) blobs using SharpDPAPI produced non-readable data because optional entropy was being used. --------------------------------------------- https://posts.specterops.io/entropycapture-simple-extraction-of-dpapi-optio… ===================== = Vulnerabilities = ===================== ∗∗∗ BIND: Destroying a TLS session early causes assertion failure (CVE-2022-1183) ∗∗∗ --------------------------------------------- An assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early. --------------------------------------------- https://kb.isc.org/docs/cve-2022-1183 ∗∗∗ VMSA-2022-0014 ∗∗∗ --------------------------------------------- VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0014.html ∗∗∗ Sicherheitsupdates: Schadcode-Lücken in GPU-Treibern von Nvidia geschlossen ∗∗∗ --------------------------------------------- Berechnen Nvidia-Grafikkarten von Angreifern präparierte Shader, kann es zu Sicherheitsproblemen kommen. --------------------------------------------- https://heise.de/-7097875 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (elog, needrestart, openssl, and waitress), Fedora (curl, libxml2, slurm, and vim), Scientific Linux (zlib), SUSE (e2fsprogs, nodejs10, php72, and thunderbird), and Ubuntu (apport, clamav, needrestart, and pcre3). --------------------------------------------- https://lwn.net/Articles/895642/ ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to HTTP header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to temporary DoS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: Heap-Based Buffer Overflow in Mozilla Network Security Services (NSS) may affect IBM Spectrum Protect Plus (CVE-2021-43527) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-heap-based-buffer-overflo… ∗∗∗ Security Bulletin: Vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ht… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectexpre… ∗∗∗ Security Bulletin: IBM DataPower Gateway: Update Redis to remediate two CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-upd… ∗∗∗ Synology-SA-22:07 Synology Calendar ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_07 ∗∗∗ GIMP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0623 ∗∗∗ SMA100 post-authentication Remote Command Execution vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0010 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2022
by Daily end-of-shift report 17 May '22

17 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 16-05-2022 18:00 − Dienstag 17-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers target Tatsu WordPress plugin in millions of attacks ∗∗∗ --------------------------------------------- All users of the Tatsu Builder plugin are strongly recommended to upgrade to version 3.3.13 to avoid attack risks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-target-tatsu-wordpre… ∗∗∗ Over 380 000 open Kubernetes API servers ∗∗∗ --------------------------------------------- We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report. --------------------------------------------- https://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/ ∗∗∗ UpdateAgent Returns with New macOS Malware Dropper Written in Swift ∗∗∗ --------------------------------------------- A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. --------------------------------------------- https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html ∗∗∗ Weak Security Controls and Practices Routinely Exploited for Initial Access ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-137a ∗∗∗ Fahrräder im Internet kaufen: Vorsicht vor Fake-Shops ∗∗∗ --------------------------------------------- Im Internet gibt es zahlreiche Fake-Shops für Fahrräder und Zubehör. vandeyk-sport.com, motaza.shop oder nemino.net sind nur einige wenige Beispiele. Diese Fake-Shops bieten Fahrräder, die sonst schon überall ausverkauft sind – auch noch zu einem günstigeren Preis als andere Online-Shops! Außerdem können Sie nur vorab bezahlen. Finger weg: Sie erhalten keine Lieferung! --------------------------------------------- https://www.watchlist-internet.at/news/fahrraeder-im-internet-kaufen-vorsic… ===================== = Vulnerabilities = ===================== ∗∗∗ iOS und iPadOS 15.5 sind da: Bugfixes und kleinere Verbesserungen ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Dienstag iOS 15.5 und iPadOS 15.5 freigegeben. Es handelt sich um kleinere Aktualisierungen, die Fehler beheben und minimale Verbesserungen bringen. --------------------------------------------- https://heise.de/-7096570 ∗∗∗ macOS 12.4 und Sicherheitsupdates für Big Sur und Catalina erhältlich ∗∗∗ --------------------------------------------- Neben iOS 15.5 liefert Apple auch neue Betriebssysteme für Mac, Apple TV, Apple Watch, HomePod und das Studio Display. --------------------------------------------- https://heise.de/-7096585 ∗∗∗ Zugangskontrolle: Aruba schließt Sicherheitslücken in ClearPass Policy Manager ∗∗∗ --------------------------------------------- Mit Arubas ClearPass Policy Manager können Administratoren die Zugangskontrolle regeln. Sicherheitslücken darin ermöglichen Angreifern die komplette Übernahme. --------------------------------------------- https://heise.de/-7097151 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cifs-utils, ffmpeg, libxml2, and vim), Fedora (rsyslog), Mageia (chromium-browser-stable), SUSE (chromium, containerd, docker, e2fsprogs, gzip, jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core, kernel, nodejs8, openldap2, pidgin, podofo, slurm, and tiff), and Ubuntu (clamav, containerd, libxml2, and openldap). --------------------------------------------- https://lwn.net/Articles/895521/ ∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗ --------------------------------------------- Original release date: May 16, 2022The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review Apache’s security advisory and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/16/apache-releases-s… ∗∗∗ Nvidia Sicherheitsupdates für Kepler GTX 700/600 GPU WHQL-Treiber (473.47) freigegeben ∗∗∗ --------------------------------------------- Hersteller Nvidia hat zum 16. Mai 2022 ein Sicherheitsupdate für den Grafiktreiber der Kepler GeForce GPUs freigegeben. --------------------------------------------- https://www.borncity.com/blog/2022/05/17/nvidia-sicherheitsupdates-fr-keple… ∗∗∗ Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver ∗∗∗ --------------------------------------------- Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. --------------------------------------------- http://blog.talosintelligence.com/2022/05/vuln-spotlight-nvidia-driver-memo… ∗∗∗ Spring Security 5.7.0, 5.6.4, 5.5.7 Released - Fixes CVE-2022-22975 & CVE-2022-22976 ∗∗∗ --------------------------------------------- Spring Security 5.7.0 (release notes), 5.6.4 (release notes), 5.5.7 (release notes) have been released which fix CVE-2022-22978, CVE-2022-22976. Please update as soon as possible. --------------------------------------------- https://spring.io/blog/2022/05/15/spring-security-5-7-0-5-6-4-5-5-7-release… ∗∗∗ Security Bulletin: IBM MQ Operator and IBM supplied MQ Advanced container images are vulnerable to multiple issues from Red Hat UBI packages and the IBM WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-ibm-s… ∗∗∗ Security Bulletin: Potential Denial of Service in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-denial-of-servi… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple vulnerabilities due to IBM Java Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-external-aut… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to cross-site scripting due to Select2 CVE-2016-10744 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: OpenSSL (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM DataPower vulnerable to DoS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-vulnerable-… ∗∗∗ Security Bulletin: IBM DataPower Gateway API Gateway component potentially vulnerable to a Denial of Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-api… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from expat, Golang Go, gcc, openssl and libxml. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: IBM Sterling External Authentication Server is vulnerable to improper validation of certificates ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-external-aut… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple vulnerabilities due to IBM Java Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-secure-proxy… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to DOS due to Eclipse Jetty CVE-2018-12545 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to permission control vulnerability (CVE-2022-22482) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling Secure Proxy is vulnerable to improper validation of certificates (CVE-2021-29726) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-secure-proxy… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to phishing attacks due to URI.js. CVE-2022-0868 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service und Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0618 ∗∗∗ Circutor COMPACT DC-S BASIC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-137-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2022
by Daily end-of-shift report 16 May '22

16 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-05-2022 18:00 − Montag 16-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft warnt vor Sysrv-Botnet ∗∗∗ --------------------------------------------- Eine neue Variante des Sysrv-Botnets hat Microsoft beobachtet, die Windows- und Linux-Systeme befällt, um Kryptowährungen zu schürfen. --------------------------------------------- https://heise.de/-7095053 ∗∗∗ HTML attachments in phishing e-mails ∗∗∗ --------------------------------------------- In this article we review phishing HTML attachments, explaining common tricks the attackers use, and give statistics on HTML attachments detected by Kaspersky solutions. --------------------------------------------- https://securelist.com/html-attachments-in-phishing-e-mails/106481/ ∗∗∗ Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys ∗∗∗ --------------------------------------------- We recently observed a number of apps on Google Play designed to perform malicious activities such as stealing user credentials and other sensitive user information, including private keys. Because of the number and popularity of these apps — some of them have been installed over a hundred thousand times — we decided to shed some light on what these apps actually do by focusing on some of the more notable examples. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-faceb… ∗∗∗ SIP Digest Leak: Angriff auf SIP-Konten ∗∗∗ --------------------------------------------- Im Fachartikel "SIP Digest Leak" beschreibt IT Security Consultant Moritz Abrell einen SIP-spezifischen Angriff auf VoIP-Systeme. --------------------------------------------- https://www.syss.de/pentest-blog/sip-digest-leak-angriff-auf-sip-konten ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in Sonicwall SMA 1000 und SSL-VPN erlauben unbefugten Zugriff ∗∗∗ --------------------------------------------- Sonicwall schließt mehrere Sicherheitslücken in Firmwares von SMA-1000-Geräten und in SSL-VPN NetExtender. Angreifer könnten sich etwa Zugriff verschaffen. --------------------------------------------- https://heise.de/-7092533 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (gzip, java-1.8.0-openjdk, java-11-openjdk, and zlib), Debian (adminer, htmldoc, imagemagick, libgoogle-gson-java, lrzip, openjdk-8, openssl, and ruby-nokogiri), Fedora (ecdsautils, et, libxml2, podman, and supertux), Mageia (cairo, clamav, curl, fish, freetype2, golang-github-prometheus-client, python-django-registration, python-nbxmpp, python-waitress, and xmlrpc-c), Red Hat (pcs), SUSE (curl, kernel, pidgin, and webkit2gtk3), and Ubuntu (tiff). --------------------------------------------- https://lwn.net/Articles/895392/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Information Disclosure in IBM Spectrum Protect Operations Center Browser's History (CVE-2022-22484) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2022-22950, XFID:217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information disclosure (CVE-2020-4957) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a potential issue in jackson-databind – fasterxml-jackson (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Case Manager is vulnerable to cross-site scripting – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-case-manager-is-vulne… ∗∗∗ Security Bulletin: Vulnerabilities with OpenSSL affect IBM Cloud Object Storage Systems (May 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-open… ∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-a… ∗∗∗ Pepperl+Fuchs: RSM-EX devices - Multiple Bluetooth vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-021/ ∗∗∗ Webmin: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0609 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2022
by Daily end-of-shift report 13 May '22

13 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-05-2022 18:00 − Freitag 13-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Zyxel Firewalls als Schlupfloch in Firmen-Netzwerke ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt eine kritische Lücke in mehreren Firewall-Modellen von Zyxel. --------------------------------------------- https://heise.de/-7090269 ∗∗∗ Desktop-Firewall ZoneAlarm: Kritische Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Desktop-Firewall ZoneAlarm könnte Angreifern ermöglichen, ihre Rechte im System auszuweiten und somit die Kontrolle zu übernehmen. --------------------------------------------- https://heise.de/-7090411 ∗∗∗ Crypto-Betrug: Vorsicht vor Yuan Pay Group ∗∗∗ --------------------------------------------- Investitionsplattformen für Crypto-Währungen gibt es wie Sand am Meer. Sie locken mit dem großen Geld bei nur 250€ Investment. Der Haken: Haben Sie einmal investiert, sehen Sie ihr Geld oft nie wieder. Hier finden Sie eine Anleitung wie Sie Crypto-Scams erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/crypto-betrug-vorsicht-vor-yuan-pay-… ∗∗∗ BIOS-Updates fixen kritische Schwachstellen in HPs Business- und Consumer-Modellen sowie in Intel-CPUs (Mai 2022) ∗∗∗ --------------------------------------------- Der Hersteller Hewlett Packard (HP) hat die Tage einen Sicherheitshinweis (Security Advisory) veröffentlicht. Diese Warnung adressiert zwei Schwachstellen in der Firmware von über 200 HP-Modellen (Business- und Consumer-Varianten), die ein Überschreiben der Firmware ermöglichen. Die Schwachstellen wurden mit einem Sicherheits-Score von 8.8 eingestuft – Updates stehen zur Verfügung. Weiterhin hat Intel einen Sicherheitshinweis auf eine Schwachstelle im BIOS von Intel-Systemen hingewiesen, die ebenfalls mit dem Score von 8.2 versehen sind und eine Privilegien-Ausweitung ermöglichen. --------------------------------------------- https://www.borncity.com/blog/2022/05/13/bios-updates-fixen-kritische-schwa… ∗∗∗ Eternity malware kit offers stealer, miner, worm, ransomware tools ∗∗∗ --------------------------------------------- Threat actors have launched the Eternity Project, a new malware-as-a-service where threat actors can purchase a malware toolkit that can be customized with different modules depending on the attack being conducted. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-… ∗∗∗ Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla ∗∗∗ --------------------------------------------- We analyze a malicious compiled HTML help file delivering Agent Tesla, following the chain of attack through JavaScript and multiple stages of PowerShell. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-2022-068: Dell iDRAC9 Security Update for an Improper Authentication Vulnerability ∗∗∗ --------------------------------------------- Dell iDRAC9 versions 5.00.00.00 and later but before 5.10.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access to the VNC Console. --------------------------------------------- https://www.dell.com/support/kbdoc/en-us/000199267/dsa-2022-068-dell-idrac9… ∗∗∗ CVE-2022-1552 Autovacuum, REINDEX, and others omit "security restricted operation" sandbox ∗∗∗ --------------------------------------------- Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck made incomplete efforts to operate safely when a privileged user is maintaining another users objects. Those commands activated relevant protections too late or not at all. An attacker having permission to create non-temp objects in at least one schema could execute arbitrary SQL functions under a superuser identity. --------------------------------------------- https://www.postgresql.org/support/security/CVE-2022-1552/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, postgresql-11, postgresql-13, and waitress), Fedora (curl, java-1.8.0-openjdk-aarch32, keylime, and pcre2), Oracle (gzip and zlib), Red Hat (subversion:1.10), SUSE (clamav, documentation-suse-openstack-cloud, kibana, openstack-keystone, openstack-monasca-notification, e2fsprogs, gzip, and kernel), and Ubuntu (libvorbis and rsyslog). --------------------------------------------- https://lwn.net/Articles/895202/ ∗∗∗ Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones. --------------------------------------------- https://blog.talosintelligence.com/2022/05/blog-post-.html ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in the Delta Electronics CNCSoft software management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-01 ∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authorization, Out-of-bounds Write, NULL Pointer Dereference, Classic Buffer Overflow, HTTP Request Smuggling, and Infinite Loop vulnerabilities in Mitsubishi Electric MELSOFT iQ AppPortal products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-02 ∗∗∗ Cambium Networks cnMaestro ∗∗∗ --------------------------------------------- This advisory contains mitigations for OS Command Injection, SQL Injection, Path Traversal, and Use of Potentially Dangerous Function vulnerabilities in the Cambium Networks cnMaestro network management system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-04 ∗∗∗ SonicWall SSLVPN SMA1000 series affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- SonicWall SSLVPN SMA1000 series appliances are affected by the below listed multiple vulnerabilities, organizations running previous versions of SSLVPN SMA1000 series firmware should upgrade to new firmware release versions. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0009 ∗∗∗ ZDI-CAN-15739 Trend Micro Maximum Security Link Following Arbitrary File Deletion Vulnerability ∗∗∗ --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-11017 ∗∗∗ K67090077: Apache HTTP Server vulnerability CVE-2022-22720 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67090077 ∗∗∗ HP Computer: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0606 ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22316 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021and Jan 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2021-4160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go CVE-2021-43565 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Multiple Security vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to stack exhaustion by Go CVE-2022-24921 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to SQL Injection (CVE-2022-22413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2022-0155 & CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22325 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2022-22950, CVE-2021-22096, CVE-2022-22968, CVE-2021-22060). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2022
by Daily end-of-shift report 12 May '22

12 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-05-2022 18:00 − Donnerstag 12-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Backdoor in public repository used new form of attack to target big firms ∗∗∗ --------------------------------------------- A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad. --------------------------------------------- https://arstechnica.com/?p=1853739 ∗∗∗ "Ive Found Some Bad Domains—Now What?" ∗∗∗ --------------------------------------------- When we talk about investigating bad domains, the focus of the story is usually the starting clues, but what about after you’ve identified bad domains? This blog discusses the approaches to take once a bad domain has been identified. --------------------------------------------- https://www.domaintools.com/resources/blog/ive-found-some-bad-domains-now-w… ∗∗∗ Massive WordPress JavaScript Injection Campaign Redirects to Ads ∗∗∗ --------------------------------------------- As outlined in our latest hacked website report, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone. --------------------------------------------- https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-camp… ∗∗∗ Everything We Learned From the LAPSUS$ Attacks ∗∗∗ --------------------------------------------- There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property and threatens to leak that information unless a ransom is paid. --------------------------------------------- https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html ∗∗∗ Spoofing SaaS Vanity URLs for Social Engineering Attacks ∗∗∗ --------------------------------------------- While vanity URLs provide a custom, easy-to-remember link, Varonis Threat Labs discovered that some applications do not validate the legitimacy of the vanity URL’s subdomain (e.g., yourcompany.example.com), but instead only validate the URI (e.g., /s/1234). As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company’s sanctioned SaaS account. --------------------------------------------- https://www.varonis.com/blog/url-spoofing ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-759: Trend Micro Password Manager Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-759/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (microcode_ctl, mingw-SDL2_ttf, seamonkey, and thunderbird), Mageia (cifs-utils, gerbv, golang, libcaca, libxml2, openssl, python-pillow, python-rencode, python-twisted, python-ujson, slurm, and sqlite3), Red Hat (gzip, kernel, kpatch-patch, podman, rsync, subversion:1.10, and zlib), Scientific Linux (gzip), Slackware (curl), SUSE (clamav), and Ubuntu (curl, firefox, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-oem-5.14) --------------------------------------------- https://lwn.net/Articles/895063/ ∗∗∗ Sandbox Escape mit Root Access & Klartext-Passwörtern in zahlreichen Konica Minolta bizhub MFP Drucker Terminals ∗∗∗ --------------------------------------------- Zahlreiche Konica Minolta MFP bizhub Geräte, sowie Geräte anderer Hersteller mit derselben Firmware, sind anfällig für einen Sandbox Breakout über den internen Browser, der die Hilfe-Menüs anzeigt. Der Browser selbst ist mit root-Rechten gestartet, was einen Zugriff auf das komplette Dateisystem ermöglicht. In einer Datei des Dateisystems befand sich das Administratorpasswort für das Webinterface des Druckers im Klartext. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/sandbox-escape-with-r… ∗∗∗ CVE-2022-0024 PAN-OS: Improper Neutralization Vulnerability Leads to Unintended Program Execution During Configuration Commit (Severity: HIGH) ∗∗∗ --------------------------------------------- A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system processes and potentially execute arbitrary code with root privileges when the configuration is committed on both hardware and virtual firewalls. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0024 ∗∗∗ CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection ∗∗∗ --------------------------------------------- Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-fire… ∗∗∗ Intel: May 2022 Patchday ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/default.html ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initializ… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple issues in IBM® Runtime Environment Java™ Technology Edition, Version 8 and Version 7 (CVE-2021-35578, CVE-2021-35588, CVE-2021-41035) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple Eclipse Jetty issues ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jsoup vulnerability (CVE-2021-37714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ WebConsole and REST API are affected by CVE-2021-39031. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-webconsole-and-res… ∗∗∗ Check Point Zone Alarm: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0595 ∗∗∗ CVE-2022-0025 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0025 ∗∗∗ CVE-2022-0026 Cortex XDR Agent: Unintended Program Execution Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.05.2022
by Daily end-of-shift report 11 May '22

11 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-05-2022 18:00 − Mittwoch 11-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New IceApple exploit toolset deployed on Microsoft Exchange servers ∗∗∗ --------------------------------------------- Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-iceapple-exploit-toolset… ∗∗∗ New stealthy Nerbian RAT malware spotted in ongoing attacks ∗∗∗ --------------------------------------------- A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-nerbian-rat-mal… ∗∗∗ TA578 using thread-hijacked emails to push ISO files for Bumblebee malware, (Wed, May 11th) ∗∗∗ --------------------------------------------- Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. --------------------------------------------- https://isc.sans.edu/diary/rss/28636 ∗∗∗ Vorsicht vor aktuellen BAWAG-Phishing-Mails! ∗∗∗ --------------------------------------------- Auch aktuell kursieren unzählige Phishing-Nachrichten und landen in den E-Mail-Postfächern potenzieller Opfer. Bei neuen Betrugs-Mails im Namen der BAWAG P.S.K. haben sich die Kriminellen wieder etwas Neues einfallen lassen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-aktuellen-bawag-phishin… ∗∗∗ From Project File to Code Execution: Exploiting Vulnerabilities in XINJE PLC Program Tool ∗∗∗ --------------------------------------------- Team82 has uncovered two vulnerabilities in XINJE’s PLC Program Tool, an engineering workstation. --------------------------------------------- https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-exec… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft May 2022 Patch Tuesday fixes 3 zero-days, 75 flaws ∗∗∗ --------------------------------------------- Today is Microsofts May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tu… ∗∗∗ HP fixes bug letting attackers overwrite firmware in over 200 models ∗∗∗ --------------------------------------------- HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which might allow arbitrary code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-fixes-bug-letting-attacke… ∗∗∗ Patchday Adobe: Schadcode-Lücken bedrohen ColdFusion, InDesign & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Anwendungen von Adobe. Den Großteil der Lücken stuft der Software-Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-7081357 ∗∗∗ Patchday: SAP behebt acht neu entdeckte Sicherheitsprobleme ∗∗∗ --------------------------------------------- Zum Mai-Patchday meldet SAP acht neue Sicherheitslücken und aktualisiert Artikel zu vier Schwachstellen, die das Unternehmen bereits früher abgedichtet hat. --------------------------------------------- https://heise.de/-7081276 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mutt), Fedora (blender, freerdp, kernel, kernel-headers, kernel-tools, mingw-freetype, and vim), Oracle (kernel and kernel-container), Red Hat (aspell, bind, bluez, c-ares, cairo and pixman, cockpit, compat-exiv2-026, container-tools:3.0, container-tools:rhel8, cpio, dovecot, exiv2, fapolicyd, fetchmail, flatpak, gfbgraph, gnome-shell, go-toolset:rhel8, grafana, grub2, httpd:2.4, keepalived, kernel, kernel-rt, libpq, libreoffice, libsndfile, libssh, [...] --------------------------------------------- https://lwn.net/Articles/894802/ ∗∗∗ Intel: May 2022 Patchday ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/default.html ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS). (CVE-2021-39059) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Security Bulletin: Vulnerability in remote support authentication affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-remote-s… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (XSS) (CVE-2022-22345) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 43 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-018/ ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0567 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/11/google-releases-s… ∗∗∗ Intel Boot Guard and Intel TXT Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500488-INTEL-BOOT-GUARD-AND-IN… ∗∗∗ Intel SSD Firmware Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500487-INTEL-SSD-FIRMWARE-ADVI… ∗∗∗ Lenovo Smart Standby Driver Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500486-LENOVO-SMART-STANDBY-DR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2022
by Daily end-of-shift report 10 May '22

10 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 09-05-2022 18:00 − Dienstag 10-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Experts Detail Saintstealer and Prynt Stealer Info-Stealing Malware Families ∗∗∗ --------------------------------------------- Cybersecurity researchers have dissected the inner workings of an information-stealing malware called Saintstealer thats designed to siphon credentials and system information. --------------------------------------------- https://thehackernews.com/2022/05/experts-detail-saintstealer-and-prynt.html ∗∗∗ SEO Poisoning – A Gootloader Story ∗∗∗ --------------------------------------------- Gootloader was the name assigned to the multi-staged payload distribution by Sophos in March 2021. The threat actors utilize SEO (search engine optimization) poisoning tactics to move compromised websites hosting malware to the top of certain search requests such as “what is the difference between a grand agreement and a contract?” or “freddie mac shared driveway agreement?” --------------------------------------------- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ ∗∗∗ Hilfe, Kriminelle bestellen Produkte in meinem Namen! ∗∗∗ --------------------------------------------- Erhalten Sie Rechnungen, Mahnungen, ja vielleicht sogar Inkasso-Schreiben für Bestellungen, die Sie nie getätigt haben? Dann kann es sein, dass Verbrecher:innen Ihre Daten für Bestellbetrug missbrauchen. --------------------------------------------- https://www.watchlist-internet.at/news/hilfe-kriminelle-bestellen-produkte-… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Actively Exploit F5 BIG-IP Bug ∗∗∗ --------------------------------------------- The bug has a severe rating of 9.8, public exploits are released. --------------------------------------------- https://threatpost.com/exploit-f5-big-ip-bug/179563/ ∗∗∗ Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972) ∗∗∗ --------------------------------------------- Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole. --------------------------------------------- https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-t… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kicad and qemu), Fedora (thunderbird), Oracle (expat), Red Hat (samba), Slackware (kernel), and SUSE (firefox, ldb, and rsyslog). --------------------------------------------- https://lwn.net/Articles/894499/ ∗∗∗ GENEREX RCCMD vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60801132/ ∗∗∗ SSA-285795 V1.0: Denial of Service in OPC-UA in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-285795.txt ∗∗∗ SSA-321292 V1.0: Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-321292.txt ∗∗∗ SSA-363107 V1.0: An Improper Initialization Vulnerability Affects SIMATIC WinCC Kiosk Mode ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-363107.txt ∗∗∗ SSA-480937 V1.0: Denial of Service Vulnerability in CP 44x-1 RNA before V1.5.18 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-480937.txt ∗∗∗ SSA-553086 V1.0: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-553086.txt ∗∗∗ SSA-626968 V1.0: Multiple Webserver Vulnerabilities in Desigo PXC and DXR Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-626968.txt ∗∗∗ SSA-662649 V1.0: Denial of Service Vulnerability in Desigo DXR and PXC Controllers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-662649.txt ∗∗∗ SSA-732250 V1.0: Libcurl Vulnerabilities in Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-732250.txt ∗∗∗ SSA-736385 V1.0: Memory Corruption Vulnerability in OpenV2G ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-736385.txt ∗∗∗ SSA-789162 V1.0: Vulnerabilities in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-789162.txt ∗∗∗ SSA-165073: Multiple Vulnerabilities in the Webinterface of SICAM P850 and SICAM P855 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-165073.txt ∗∗∗ SSA-162616: File Parsing Vulnerabilities in Simcenter Femap before V2022.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-162616.txt ∗∗∗ [CA8268] Local privilege escalation vulnerabilities in installers for ESET products for Windows fixed ∗∗∗ --------------------------------------------- https://support.eset.com/en/ca8268-local-privilege-escalation-vulnerabiliti… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to string injection vulnerability due to Node.js (CVE-2021-44532, CVE-2021-44532 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: Cúram Social Program Management is vulnerable to arbitrary code execution and SQL injection issues due to Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23806 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to OS command injection (CVE-2022-22454) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39024 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Adminer in Industrial Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-01 ∗∗∗ Eaton Intelligent Power Protector ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-02 ∗∗∗ Eaton Intelligent Power Manager Infrastructure ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-03 ∗∗∗ Eaton Intelligent Power Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-04 ∗∗∗ AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-05 ∗∗∗ Mitsubishi Electric MELSOFT GT OPC UA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2022
by Daily end-of-shift report 09 May '22

09 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-05-2022 18:00 − Montag 09-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hilfestellung für die Analyse schadbringender Dokumente ∗∗∗ --------------------------------------------- Das SANS-Institut veröffentlicht einen neuen "Spickzettel", der bei der Malware-Analyse verschiedener Dokumenttypen helfen soll. --------------------------------------------- https://heise.de/-7079601 ∗∗∗ Utimaco, der Krypto-Miner und ein Disclosure-Desaster ∗∗∗ --------------------------------------------- Auch Anbieter von Hochsicherheitslösungen sind vor Securityproblemen nicht gefeit. Man sollte sich vorbereiten, bevor man davon erfährt, sagt Jürgen Schmidt. --------------------------------------------- https://heise.de/-7079962 ∗∗∗ Jetzt patchen! Attacken auf F5 BIG-IP-Systeme könnten bevorstehen ∗∗∗ --------------------------------------------- Sicherheitsforscher habe in vergleichsweise kurzer Zeit Exploit-Code entwickelt. Das könnten Angreifer auch. Admins sollten BIP-IP-Produkte aktualisieren. --------------------------------------------- https://heise.de/-7079049 ∗∗∗ Kaufen Sie keine Schuhe vom Instagram-Account „wesleyroberts375“ ∗∗∗ --------------------------------------------- Auf der Instagram-Seite „wesleyroberts375“ finden sich zahlreiche Fotos von Nike-Schuhen, meist Modelle, die sonst überall ausverkauft sind. Wer einen Schuh kaufen oder den Preis erfahren möchte, muss dem Instagram-Nutzer eine private Nachricht senden. Achtung: Hinter dem Profil von „wesleyroberts375“ steckt kein echter Online-Shop. Sie werden betrogen. Schicken Sie kein Geld oder Gutscheincodes! --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-schuhe-vom-instagra… ∗∗∗ Bedrohungen in der Cloud ∗∗∗ --------------------------------------------- Die größten Sicherheitsrisiken bei der Cloud-Nutzung und wie Hacker zu mehr Sicherheit beitragen, schildert Laurie Mercer, Security Engineer bei HackerOne, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88401108/bedrohungen-in-der-cloud/ ∗∗∗ Gehärteter Online-Banking-Browser S-Protect, ein Totalausfall ∗∗∗ --------------------------------------------- Es klingt gut, was der Deutsche Sparkassen- und Giroverband da angestoßen hat. Mit S-Protect legt man einen "gehärteten" Browser vor, der Online-Banking-Kunden vor den Risiken bei Bankgeschäften auf Windows PCs oder Macs besser schützen soll. Der Haken an der Geschichte: [...] --------------------------------------------- https://www.borncity.com/blog/2022/05/09/gehrteter-online-banking-browser-s… ∗∗∗ Caramel credit card stealing service is growing in popularity ∗∗∗ --------------------------------------------- A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing… ∗∗∗ Constrained environment breakout. .NET Assembly exfiltration via Internet Options ∗∗∗ --------------------------------------------- It’s not uncommon for developers to find that they need to help their end users. For starter, the business requirements for software can be highly convoluted and technical. Working with [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/constrained-environment-break… ∗∗∗ Beware: This cheap and homemade malware is surprisingly effective ∗∗∗ --------------------------------------------- DCRat malware targets Windows devices. And its cheap and popular, which makes it a problem. --------------------------------------------- https://www.zdnet.com/article/beware-this-cheap-and-homemade-malware-is-sur… ∗∗∗ Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound ∗∗∗ --------------------------------------------- During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, [...] --------------------------------------------- https://blog.nviso.eu/2022/05/09/introducing-pycobalthound/ ∗∗∗ Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application ∗∗∗ --------------------------------------------- The ASEC analysis team confirmed that a backdoor malware disguised as document editing software and messenger application used by many Korean users is being distributed in Korea through malicious CHM files. The team recently introduced malicious CHM files distributed in various forms twice in the ASEC blog in March. The malicious files discussed in this post execute additional malicious files via a process that is different from the previous cases. --------------------------------------------- https://asec.ahnlab.com/en/34010/ ∗∗∗ BPFDoor - an active Chinese global surveillance tool ∗∗∗ --------------------------------------------- Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to [...] --------------------------------------------- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool… ∗∗∗ [Infographic] Cloud Misconfigurations: Dont Become a Breach Statistic ∗∗∗ --------------------------------------------- Our latest infographic highlights some key commonalities uncovered in our 2022 Cloud Misconfigurations Report. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/09/infographic-cloud-misconfigurat… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: New installations fail with HTTP Error 403 from https://sus.sophosupd.com/ in Sophos Intercept X for Windows ∗∗∗ --------------------------------------------- Overview: New installation and/or device updates fail with HTTP Error 403 from https://sus.sophosupd.com/. This error is seen in C:\ProramData\Sophos\AutoUpdate\SophosUpdate.log. --------------------------------------------- https://support.sophos.com/support/s/article/KB-000043980?language=en_US ∗∗∗ Patchday: Fortinet schützt IP-Telefone vor Schadcode-Attacken ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem FortiClient, FortiFone und FortiOS. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-7079563 ∗∗∗ Freifunk: Einschleusen schädlicher Firmware durch kritische Lücke möglich ∗∗∗ --------------------------------------------- Freifunk aktualisiert seine Router-Firmware und schließt eine kritische Sicherheitslücke, durch die Angreifer eigene Firmware auf die Geräte aufspielen könnten. --------------------------------------------- https://heise.de/-7079644 ∗∗∗ Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) ∗∗∗ --------------------------------------------- Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the set of characters allowed in [...] --------------------------------------------- https://research.nccgroup.com/2022/05/06/technical-advisory-ruby-on-rails-p… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (ecdsautils and libz-mingw-w64), Fedora (cifs-utils, firefox, galera, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, mariadb, maven-shared-utils, mingw-freetype, redis, and seamonkey), Mageia (dcraw, firefox, lighttpd, rsyslog, ruby-nokogiri, and thunderbird), Scientific Linux (thunderbird), SUSE (giflib, kernel, and libwmf), and Ubuntu (dbus and rsyslog). --------------------------------------------- https://lwn.net/Articles/894353/ ∗∗∗ RubyGems Fixes Critical Gem Takeover Vulnerability ∗∗∗ --------------------------------------------- RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems. A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager. --------------------------------------------- https://www.securityweek.com/rubygems-fixes-critical-gem-takeover-vulnerabi… ∗∗∗ SonicWall SSL-VPN NetExtender Windows Client Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system. CVE: CVE-2022-22281 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0008 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ K12492858: Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12492858 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0549 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2022
by Daily end-of-shift report 06 May '22

06 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-05-2022 18:00 − Freitag 06-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Raspberry Robin worm uses Windows Installer to drop malware ∗∗∗ --------------------------------------------- Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-raspberry-robin-worm-use… ∗∗∗ Tipps zur Passwortsicherheit am World Password Day ∗∗∗ --------------------------------------------- Heute jährt sich der Welt-Passwort-Tag. Was können Sie tun, um sich online bestmöglich zu schützen? Hier finden Sie Tipps und Tricks für den sicheren Umgang mit Ihren Daten! --------------------------------------------- https://www.watchlist-internet.at/news/tipps-zur-passwortsicherheit-am-worl… ===================== = Vulnerabilities = ===================== ∗∗∗ ClamAV 0.105.0, 0.104.3, 0.103.6 released ∗∗∗ --------------------------------------------- Today, were also publishing the 0.104.3 and 0.103.6 security patch versions, including several CVE fixes. --------------------------------------------- https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html ∗∗∗ Schadcode-Attacken auf Videoüberwachungssystem und NAS von Qnap möglich ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehreren Lücken in Netzwerkprodukten von Qnap. --------------------------------------------- https://heise.de/-7077449 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, mruby, openjdk-11, and smarty3), Oracle (thunderbird), Red Hat (thunderbird), SUSE (chromium, libvirt, python-Twisted, and tar), and Ubuntu (cron and jbig2dec). --------------------------------------------- https://lwn.net/Articles/894141/ ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23772 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: TS3000 (TSSC/IMC) is vulnerable to privilege escalation vulnerability due to polkit ( CVE-2021-4034 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ts3000-tssc-imc-is-vulner… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution with IBM WebSphere Application Server (CVE-2021-23450). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2021-44716 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability (CVE-2022-22310). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect Rational Asset Analyzer (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39023 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote attack due to Go CVE-2021-44717 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to missing data encoding issue (CVE-2021-39027) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ affects Rational Asset Analyzer (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to attack under error due to Go CVE-2022-23773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-v10-is-vulner… ∗∗∗ K52379673: Linux kernel vulnerability for CVE-2021-4083 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52379673 ∗∗∗ K50899356: file vulnerability CVE-2018-10360 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50899356 ∗∗∗ poppler: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0545 ∗∗∗ Foxit Reader: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0544 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-125-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2022
by Daily end-of-shift report 05 May '22

05 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-05-2022 18:00 − Donnerstag 05-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New NetDooka malware spreads via poisoned search results ∗∗∗ --------------------------------------------- A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads… ∗∗∗ The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vatet ∗∗∗ --------------------------------------------- Cluster25 researchers, during a comparative analysis performed at the beginning of March 2022, found evidence that suggests a possible relationships between a piece of malware belonging to the Sprite Spider arsenal (or some elements that are or were part of it) and Vavet Loader. --------------------------------------------- https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malwar… ∗∗∗ The curious case of mavinject.exe ∗∗∗ --------------------------------------------- Mavinject is a LOLBIN currently employed by the infamous adversary group Lazarus successfully evades detection by various security products because the execution is masked under a legitimate process. --------------------------------------------- https://fourcore.io/blogs/mavinject-curious-process-injection ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-05-04 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 8 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Angreifer könnten die volle Kontrolle über F5 BIG-IP-Systeme erlangen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen unter anderem eine kritische Lücke in BIG-IP-Systemen. Admins sollten jetzt handeln. --------------------------------------------- https://heise.de/-7075530 ∗∗∗ Sicherheitsupdates: Cisco schließt VM-Ausbruch-Lücken mit Root-Zugriff ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat unter anderem in Enterprise NFV Infrastrucutre Software eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-7075725 ∗∗∗ Sicherheitsupdate schützt IBMs Datenbanksystem Informix Dynamic Server ∗∗∗ --------------------------------------------- Ein wichtiger Sicherheitspatch schließt eine Schwachstelle in IBMs Informix Dynamic Server. --------------------------------------------- https://heise.de/-7076231 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, recutils, suricata, and zchunk), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox), Slackware (mozilla, openssl, and seamonkey), SUSE (apache2-mod_auth_mellon, libvirt, and pgadmin4), and Ubuntu (dpdk, mysql-5.7, networkd-dispatcher, openssl, openssl1.0, sqlite3, and twisted). --------------------------------------------- https://lwn.net/Articles/894036/ ∗∗∗ 10 Jahre alte Schwachstellen in Avast und AVG gefährden Millionen Nutzer ∗∗∗ --------------------------------------------- Sicherheitsforscher von Sentinel One haben in den Sicherheitsprodukten von Avast und AVG zwei seit 10 Jahren bestehende, schwerwiegende Schwachstellen entdeckt, die Millionen von Nutzern gefährden. --------------------------------------------- https://www.borncity.com/blog/2022/05/05/10-jahre-alte-schwachstellen-in-av… ∗∗∗ Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-036 ∗∗∗ Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-035 ∗∗∗ Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-034 ∗∗∗ Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-039 ∗∗∗ Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-038 ∗∗∗ Security Bulletin: Cross-site scripting vulnerabilities in jQuery may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to an issue where an API could be used to perform a DNS lookup via a third party provider. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may allow regular users to view some admin pages. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Data Encryption has vulnerability ( CVE-2021-39020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-dat… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2022
by Daily end-of-shift report 04 May '22

04 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-05-2022 18:00 − Mittwoch 04-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti, REvil, LockBit ransomware bugs exploited to block encryption ∗∗∗ --------------------------------------------- Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the table by finding exploits in the most common ransomware and malware being distributed today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomwa… ∗∗∗ A new secret stash for “fileless” malware ∗∗∗ --------------------------------------------- We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. --------------------------------------------- https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/ ∗∗∗ Compromising Read-Only Containers with Fileless Malware ∗∗∗ --------------------------------------------- Many people see read-only filesystems as a catch-all to stop malicious activity and container drift in containerized environments. This blog will explore the mechanics and prevalence of malware fileless execution in attacking read-only containerized environments. --------------------------------------------- https://sysdig.com/blog/containers-read-only-fileless-malware/ ∗∗∗ Update on cyber activity in Eastern Europe ∗∗∗ --------------------------------------------- Google’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. --------------------------------------------- https://blog.google/threat-analysis-group/update-on-cyber-activity-in-easte… ∗∗∗ Spyware blieb in Unternehmen bis zu 18 Monate lang unentdeckt ∗∗∗ --------------------------------------------- Die "Quietexit" genannte Backdoor blieb teilweise 18 Monate unentdeckt. Sicherheitsforscher vermuten, dass dahinter eine staatliche Gruppe steckt. --------------------------------------------- https://heise.de/-7074066 ∗∗∗ „Vorsicht, Falle!“: Wir brauchen Ihre Hilfe für ein neues Projekt! ∗∗∗ --------------------------------------------- Wir arbeiten derzeit an einem neuen Projekt: Bei „Vorsicht, Falle!“ entwickeln wir einen „Internetfallen-Generator“. Das heißt wir ahmen betrügerische Webseiten nach. Aber nicht mit dem Ziel, an Daten oder Geld zu kommen. Im Gegenteil: Allen, die in unsere Falle tappen, zeigen wir am Beispiel der Betrugsmasche, wie sie diese erkennen können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-falle-wir-brauchen-ihre-hil… ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/04/cisa-adds-five-kn… ∗∗∗ XSS in JSON: Old-School Attacks for Modern Applications ∗∗∗ --------------------------------------------- This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and Javascript Object Notation (JSON). --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/04/xss-in-json-old-school-attacks-… ===================== = Vulnerabilities = ===================== ∗∗∗ Uclibc: Alte DNS-Lücke betrifft viele IoT-Geräte ∗∗∗ --------------------------------------------- Eine in Embedded-Geräten eingesetzte Bibliothek ist von Kaminskys DNS-Angriff betroffen, doch die Auswirkungen dürften sich in Grenzen halten. --------------------------------------------- https://www.golem.de/news/uclibc-alte-dns-luecke-betrifft-viele-iot-geraete… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (chromium and suricata), Oracle (mariadb:10.5), SUSE (amazon-ssm-agent, containerd, docker, java-11-openjdk, libcaca, libwmf, pcp, ruby2.5, rubygem-puma, webkit2gtk3, and xen), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/893839/ ∗∗∗ Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to FasterXML Jackson Databind (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-requireme… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is affected to denial of service due to FasterXML jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Intel Processors affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilitiìy identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified… ∗∗∗ K55879220: Overview of F5 vulnerabilities (May 2022) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55879220 ∗∗∗ 2022-11 Multiple vulnerabilities in Provize Basic Frontend ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14299&mediaformat… ∗∗∗ 2022-05 Multiple vulnerabilities in Provize Basic Backend ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14298&mediaformat… ∗∗∗ 2022-01 Vulnerability in ‘axios’ HTTP client in Provize Basic ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14297&mediaformat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2022
by Daily end-of-shift report 03 May '22

03 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 02-05-2022 18:00 − Dienstag 03-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Cyberspies use IP cameras to deploy backdoors, steal Exchange emails ∗∗∗ --------------------------------------------- A newly discovered and uncommonly stealthy Advanced Persistent Threat (APT) group is breaching corporate networks to steal Exchange (on-premise and online) emails from employees involved in corporate transactions such as mergers and acquisitions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cyberspies-use-ip-cameras-to… ∗∗∗ AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. --------------------------------------------- https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.h… ∗∗∗ Zyxel firmware extraction and password analysis ∗∗∗ --------------------------------------------- In this first article of our Zyxel audit series we will cover firmware extraction and password decryption against Zyxel ZyWALL Unified Security Gateway (USG) appliances. --------------------------------------------- https://security.humanativaspa.it/zyxel-firmware-extraction-and-password-an… ∗∗∗ Trend Micros Apex One meldet Trojaner im Webbrowser Microsoft Edge ∗∗∗ --------------------------------------------- Es mehren sich Beschwerden von Nutzern in den Internetforen, dass der Virenscanner Apex One bei Ihnen einen Trojaner-Befall in Microsofts Edge-Browser meldet. --------------------------------------------- https://heise.de/-7073156 ∗∗∗ Vorsicht vor Betrug auf BlaBlaCar ∗∗∗ --------------------------------------------- BlaBlaCar, eine Plattform für Mitfahrgelegenheiten, gerät ins Visier von Kriminellen. Kriminelle erstellen bei BlaBlaCar Fake-Profile und bieten Fahrten an. Mitfahrer:innen, die diese Fahrt buchen, werden dann auf WhatsApp kontaktiert und auf eine betrügerische Zahlungsplattform gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betrug-auf-blablacar/ ∗∗∗ Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks ∗∗∗ --------------------------------------------- Malicious packages in multiple programming languages that went undetected for years were revealed by the Checkmarx Supply Chain Security team using advanced threat hunting techniques. --------------------------------------------- https://checkmarx.com/blog/attackers-target-packages-in-multiple-programmin… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched DNS bug affects millions of routers and IoT devices ∗∗∗ --------------------------------------------- A vulnerability in the domain name system (DNS) component of a popular C standard library that is present in a wide range of IoT products may put millions of devices at DNS poisoning attack risk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-dns-bug-affects-mi… ∗∗∗ Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information. --------------------------------------------- https://thehackernews.com/2022/05/critical-tlstorm-20-bugs-affect-widely.ht… ∗∗∗ Fortinet Security Advisories (FortiClient, FortiSOAR, FortiIsolator, FortiOS, FortiProxy, PJSIP Library, FortiNAC) ∗∗∗ --------------------------------------------- * FortiClient (Windows) - Privilege escalation in FortiClient installer * FortiSOAR - Improper access control on gateway API * FortiIsolator - Unauthorized user able to regenerate CA certificate * FortiOS - Improper Inter-VDOM access control * FortiOS - Lack of certificate verification when establishing secure connections to some external end-points * FortiProxy & FortiOS - XSS vulnerability in Web Filter Block Override Form * Multiple vulnerabilities in PJSIP library * FortiNAC - SQL --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=05-2022 ∗∗∗ Patchday: Wichtige Sicherheitsupdates für Android 10, 11 und 12 erschienen ∗∗∗ --------------------------------------------- Google hat sein mobiles Betriebssystem gegen mehrere mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-7072491 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jackson-databind, kernel, openvpn, and twisted), Fedora (xz), Mageia (chromium-browser-stable and curl), Oracle (vim and xmlrpc-c), Red Hat (gzip), Slackware (libxml2), SUSE (git, python39, and subversion), and Ubuntu (libvirt and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/893681/ ∗∗∗ Tenda HG6 v3.3.0 Remote Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender Configuration Utility and Mobile Enterprise Gateway have vulnerability (CVE-2021-43797) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… ∗∗∗ Security Bulletin: Vulnerability in IBM JAVA JDK affects IBM Spectrum Scale (CVE-2022-21291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host Header Injection (CVE-2021-29854) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a denial of service in Spring Framework (CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ OpenSSL Security Advisory (CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473) ∗∗∗ --------------------------------------------- https://openssl.org/news/secadv/20220503.txt ∗∗∗ Security Vulnerabilities fixed in Firefox 100 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/ ∗∗∗ Yokogawa CENTUM and ProSafe-RS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-123-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2022
by Daily end-of-shift report 02 May '22

02 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 29-04-2022 18:00 − Montag 02-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake Windows 10 updates infect you with Magniber ransomware ∗∗∗ --------------------------------------------- Fake Windows 10 updates on crack sites are being used to distribute the Magniber ransomware in a massive campaign that started earlier this month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-windows-10-updates-infe… ∗∗∗ REvil ransomware returns: New malware sample confirms gang is back ∗∗∗ --------------------------------------------- The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revil-ransomware-returns-new… ∗∗∗ Fake-YouTube-Videos mit Elon Musk führen zu Betrug mit Kryptowährung ∗∗∗ --------------------------------------------- Kriminelle fälschen Videos mit Elon Musk. In diesen Videos erhalten Zuseher:innen angeblich ein Geschenk von Musk. Er bietet die Möglichkeit, Bitcoins oder Ethereum zu verdoppeln. Und das ganz einfach: Sie überweisen Kryptowährung an ein bestimmtes Wallet und erhalten das Doppelte zurück. Achtung: Sie überweisen an Kriminelle und verlieren Geld! --------------------------------------------- https://www.watchlist-internet.at/news/fake-youtube-videos-mit-elon-musk-fu… ∗∗∗ Analysis on recent wiper attacks: examples and how wiper malware works ∗∗∗ --------------------------------------------- This blog post looks to explain how wipers work, what makes them so effective and provides a short overview of the most recent samples that appeared in the eastern Europe geopolitical conflict. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/analysis-on-recent-wiper-… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, ghostscript, libarchive, and tinyxml), Fedora (CuraEngine, epiphany, gzip, usd, vim, xen, and xz), Oracle (maven-shared-utils and qemu), Red Hat (gzip, python27-python and python27-python-pip, rh-maven36-maven-shared-utils, rh-python38-python, rh-python38-python-lxml, and rh-python38-python-pip, and zlib), Slackware (pidgin), SUSE (jasper, java-11-openjdk, libcaca, libslirp, mariadb, mutt, nodejs12, opera, and python-Twisted), [...] --------------------------------------------- https://lwn.net/Articles/893440/ ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to stack-based buffer overflow in GNU C Library (CVE-2022-23219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a stack-based buffer overflow in GNU C Library (CVE-2022-23218) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a buffer overflow and underflow in GNU C Library (CVE-2021-3999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 91.8.0ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K24207649: GNU C Library (glibc) vulnerability CVE-2021-3999 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K24207649 ∗∗∗ K52308021: GNU C Library (glibc) vulnerabilities CVE-2022-23218 and CVE-2022-23219 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52308021 ∗∗∗ K19473898: Multiple Expat vulnerabilities CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, and CVE-2022-23515 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K19473898 ∗∗∗ K91589041: Expat vulnerabilities CVE-2021-45960, CVE-2022-22825, CVE-2022-22826, and CVE-2022-22827 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K91589041 ∗∗∗ K23421535: Expat vulnerabilities CVE-2022-22822, CVE-2022-22823, and CVE-2022-22824 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23421535 ∗∗∗ K23231802: Expat vulnerability CVE-2021-46143 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K23231802 ∗∗∗ TRUMPF: TruTops Fab, TruTops Boost prone to vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-016/ ∗∗∗ Vulnerabilities in the communication protocol of the PLC runtime ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-577411.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.04.2022
by Daily end-of-shift report 29 Apr '22

29 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-04-2022 18:00 − Freitag 29-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Ransomware und Wiper: Cyberangriffe auf deutsche Windenergieunternehmen ∗∗∗ --------------------------------------------- Seit Beginn des Ukrainekrieges sind Windkraftanlagen-Hersteller Opfer von Cyberangriffen geworden. Besonders schwer hatten es die Angreifer wohl nicht. --------------------------------------------- https://www.golem.de/news/ransomware-und-wiper-cyberangriffe-auf-deutsche-w… ∗∗∗ Sicherheitsupdates: Angreifer könnten Firewalls von Cisco neu starten lassen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Cisco Firepower Threat Defense und Adaptive Security Appliance. --------------------------------------------- https://heise.de/-7069408 ∗∗∗ Angreifer könnten in Installationsprozess von Sonicwall Global VPN einsteigen ∗∗∗ --------------------------------------------- Sicherheitslücken gefährden Sonicwall Global VPN Client und Sonicos. Sicherheitsupdates stehen zum Download bereit. --------------------------------------------- https://heise.de/-7069729 ∗∗∗ Videokonferenzen: Schwachstellen in Zoom ermöglichen Rechteausweitung und mehr ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in der Zoom-Software könnten Angreifern ermöglichen, ihre Rechte im System auszuweiten oder unbefugt Informationen abzugreifen. --------------------------------------------- https://heise.de/-7069420 ∗∗∗ Studie: Active Directory je nach Branche unterschiedlich angreifbar ∗∗∗ --------------------------------------------- Einer Befragung von IT-Verantwortlichen zufolge spielt bei der Absicherung des Active Directory die Branche eine Rolle. Auch ist die Unternehmensgröße relevant. --------------------------------------------- https://heise.de/-7069098 ∗∗∗ EmoCheck now detects new 64-bit versions of Emotet malware ∗∗∗ --------------------------------------------- The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emocheck-now-detects-new-64-… ∗∗∗ Colibri Loaders Unique Persistence Technique Using Get-Variable Cmdlet ∗∗∗ --------------------------------------------- Recently there has been a lot of talk on Twitter regarding the Colibri Loader and its persistence mechanism, which somehow uses the Powershell's Get-Variable cmdlet. According to MSDN, Get-Variable is a Powershell cmdlet that gets the PowerShell variables in the current console. In short, on Windows 10 or later systems, Colibri Loader drops its copy in %APPDATA%\Local\Microsoft\WindowsApps directory with the name Get-Variable.exe. It then creates a scheduled task to run Powershell in a hidden manner using powershell.exe -windowstyle hidden To the naked eye, it looks that only Powershell is running, but this scheduled task somehow triggers Colibri Loader to run. --------------------------------------------- https://fourcore.io/blogs/colibri-loader-powershell-get-variable-persistence ∗∗∗ Using Passive DNS sources for Reconnaissance and Enumeration, (Fri, Apr 29th) ∗∗∗ --------------------------------------------- In so many penetration tests or assessments, the client gives you a set of subnets and says "go for it". This all seems reasonable, until you realize that if you have a website, there might be dozens or hundreds of websites hosted there, each only accessible by their DNS name. --------------------------------------------- https://isc.sans.edu/diary/rss/28596 ∗∗∗ Don’t expect to get your data back from the Onyx ransomware group ∗∗∗ --------------------------------------------- Ransomware groups in recent years have ramped up the threats against victims to incentivize them to pay the ransom in return for their stolen and encrypted data. But a new crew is essentially destroying files larger than 2MB, so data in those files is lost even if the ransom is paid. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/04/29/onyx-ransomw… ∗∗∗ Bypassing LDAP Channel Binding with StartTLS ∗∗∗ --------------------------------------------- Active Directory LDAP implements StartTLS and it can be used to bypass the Channel Binding requirement of LDAPS for some relay attacks such as the creation of a machine account if LDAP signing is not required by the domain controller. --------------------------------------------- https://offsec.almond.consulting/bypassing-ldap-channel-binding-with-startt… ∗∗∗ New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware ∗∗∗ --------------------------------------------- We recently discovered a new advanced persistent threat (APT) group that we have dubbed Earth Berberoka (aka GamblingPuppet). --------------------------------------------- https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberok… ∗∗∗ The Package Analysis Project: Scalable detection of malicious open source packages ∗∗∗ --------------------------------------------- Despite open source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software. Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. --------------------------------------------- http://security.googleblog.com/2022/04/the-package-analysis-project-scalabl… ∗∗∗ Analyzing VSTO Office Files ∗∗∗ --------------------------------------------- VSTO Office files are Office document files linked to a Visual Studio Office File application. When opened, they launch a custom .NET application. There are various ways to achieve this, including methods to serve the VSTO files via an external web server. An article was recently published on the creation of these document files for [...] --------------------------------------------- https://blog.nviso.eu/2022/04/29/analyzing-vsto-office-files/ ∗∗∗ Trello From the Other Side: Tracking APT29 Phishing Campaigns ∗∗∗ --------------------------------------------- Since early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29’s efforts to evade detection through retooling and abuse of Atlassian's Trello service. --------------------------------------------- https://www.mandiant.com/resources/tracking-apt29-phishing-campaigns ===================== = Vulnerabilities = ===================== ∗∗∗ SonicWall Global VPN Client DLL Search Order Hijacking via Application Installer ∗∗∗ --------------------------------------------- SonicWall Global VPN Client 4.10.7 installer (32-bit and 64-bit) and earlier have a DLL Search Order Hijacking vulnerability in one of the installer components. Successful exploitation via a local attacker could result in command execution in the target system. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0036 ∗∗∗ AC500 V3 CODESYS VULNERABILITIES ∗∗∗ --------------------------------------------- All AC500 V3 products with firmware version smaller than 3.6.0 are affected by these vulnerabilities: CVE-2022-22513, CVE-2022-22514, CVE-2022-22515, CVE-2022-22517, CVE-2022-22518 and CVE-2022-22519. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=3ADR010997&Language… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dhcp, gzip, podman, rsync, and usd), Mageia (firefox/nss/rootcerts, kernel, kernel-linus, and thunderbird), Oracle (container-tools:2.0, container-tools:3.0, mariadb:10.3, and zlib), Red Hat (Red Hat OpenStack Platform 16.2 (python-twisted), xmlrpc-c, and zlib), SUSE (glib2, nodejs12, nodejs14, python-paramiko, python-pip, and python-requests), and Ubuntu (curl, ghostscript, libsdl1.2, libsdl2, mutt, networkd-dispatcher, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/893102/ ∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-006/ ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0521 ∗∗∗ Mattermost security updates 6.6.1, 6.5.1, 6.4.3, 6.3.8 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-update-6-6-1-released/ ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to directory traversal due to CVE-2022-24785 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Information disclosure vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-0155, CVE-2022-0536, CVE-2021-3749 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1233 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer components that use Designer flows may be vulnerable to CVE-2022-1243 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Linux Kernel affect IBM QRadar SIEM (CVE-2021-22543, CVE-2021-3653, CVE-2021-3656, CVE-2021-37576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to CVE-2022-25645 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Denial of Service Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-24921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key. (CVE-2021-39082 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-uc-deploy-container-image… ∗∗∗ Security Bulletin: Content Collector for Email is affected by a embedded WebSphere Application Server Admin Console ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-content-collector-for-ema… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2022
by Daily end-of-shift report 28 Apr '22

28 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-04-2022 18:00 − Donnerstag 28-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ security.txt: Kontaktinfos für IT-Sicherheitsmeldungen standardisiert ∗∗∗ --------------------------------------------- Ein RFC beschreibt, wie Webseiten über die Datei security.txt Kontaktinformationen für Sicherheitsforscher bereitstellen können. --------------------------------------------- https://www.golem.de/news/security-txt-kontaktinfos-fuer-it-sicherheitsmeld… ∗∗∗ Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution ∗∗∗ --------------------------------------------- MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. [...] This was mitigated within 48 hours (on January 13, 2022). --------------------------------------------- https://msrc-blog.microsoft.com/2022/04/28/azure-database-for-postgresql-fl… ∗∗∗ A Day of SMB: What does our SMB/RPC Honeypot see? CVE-2022-26809, (Thu, Apr 28th) ∗∗∗ --------------------------------------------- After Microsoft patched and went public with CVE-2022-26809, the recent RPC vulnerability, we set up a complete Windows 10 system exposing port 445/TCP "to the world." The system is not patched for the RPC vulnerability. And to keep things more interesting, we are forwarding traffic from a subset of our honeypots to the system. This gives us a pretty nice cross-section and keeps the system pretty busy. Other than not applying the April patches, the system isn't particularly vulnerable and is left in the default configuration (firewall disabled, of course). So what did we get? --------------------------------------------- https://isc.sans.edu/diary/rss/28594 ∗∗∗ This isnt Optimus Primes Bumblebee but its Still Transforming ∗∗∗ --------------------------------------------- Proofpoint has tracked a new malware loader called Bumblebee used by multiple crimeware threat actors previously observed delivering BazaLoader and IcedID. --------------------------------------------- https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transf… ∗∗∗ Nimbuspwn detector ∗∗∗ --------------------------------------------- This tool performs several tests to determine whether the system is possibly vulnerable to Nimbuspwn (CVE-2022-29799 & CVE-2022-29800), a vulnerability in the networkd-dispatcher daemon discovered by the Microsoft 365 Defender Research Team. --------------------------------------------- https://github.com/jfrog/nimbuspwn-tools ∗∗∗ QNAP customers urged to disable AFP to protect against severe vulnerabilities ∗∗∗ --------------------------------------------- MacOS users that have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/qnap-cus… ∗∗∗ LAPSUS$: Recent techniques, tactics and procedures ∗∗∗ --------------------------------------------- This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents. --------------------------------------------- https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-a… ∗∗∗ Neue Cyberspionage‑Kampagnen der TA410 Gruppe ∗∗∗ --------------------------------------------- ESET-Forscher enthüllen ein detailliertes Profil der APT-Gruppe TA410: Wir glauben, dass diese Cyberspionage-Dachgruppe aus drei verschiedenen Teams besteht, die unterschiedliche Tools verwenden, darunter eine neue Version der von ESET entdeckten FlowCloud-Spionage-Backdoor. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/04/27/cyberspionage-unter-dem-t… ∗∗∗ CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine ∗∗∗ --------------------------------------------- CISA and the Federal Bureau of Investigation (FBI) have updated joint Cybersecurity Advisory AA22-057A: Destructive Malware Targeting Organizations in Ukraine, originally released February 26, 2022. The advisory has been updated to include additional indicators of compromise for WhisperGate and technical details for HermeticWiper, IsaacWiper, HermeticWizard, and CaddyWiper destructive malware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/28/cisa-and-fbi-upda… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#730007: Tychon is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗ --------------------------------------------- Tychon includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that my be controllable by an unprivileged user on Windows. Tychon contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges. --------------------------------------------- https://kb.cert.org/vuls/id/730007 ∗∗∗ VU#411271: Qt allows for privilege escalation due to hard-coding of qt_prfxpath value ∗∗∗ --------------------------------------------- Prior to version 5.14, Qt hard-codes the qt_prfxpath value to a fixed value, which may lead to privilege escalation vulnerabilities in Windows software that uses Qt. --------------------------------------------- https://kb.cert.org/vuls/id/411271 ∗∗∗ IBM Security Bulletins 2022-04-27 ∗∗∗ --------------------------------------------- IBM InfoSphere Information Server, IBM Watson for IBM Cloud Pak, Liberty for Java for IBM Cloud, IBM Cloud Transformation Advisor, WebSphere Application Server, IBM Spectrum Discover, IBM Integration Bus, IBM App Connect Enterprise, IBM Netezza Platform Server, IBM PowerVM Novalink, IBM Spectrum Scale SMB protocol --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-04-27 ∗∗∗ --------------------------------------------- Cisco released 17 Security Advisories (11 High, 6 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ PHP Object Injection Vulnerability in Booking Calendar Plugin ∗∗∗ --------------------------------------------- On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations. We received a response the same day and sent over our full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-cale… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, golang-1.7, and golang-1.8), Fedora (bettercap, chisel, containerd, doctl, gobuster, golang-contrib-opencensus-resource, golang-github-appc-docker2aci, golang-github-appc-spec, golang-github-containerd-continuity, golang-github-containerd-stargz-snapshotter, golang-github-coredns-corefile-migration, golang-github-envoyproxy-protoc-gen-validate, golang-github-francoispqt-gojay, golang-github-gogo-googleapis, golang-github-gohugoio-testmodbuilder, golang-github-google-containerregistry, golang-github-google-slothfs, golang-github-googleapis-gnostic, golang-github-googlecloudplatform-cloudsql-proxy, golang-github-grpc-ecosystem-gateway-2, golang-github-haproxytech-client-native, golang-github-haproxytech-dataplaneapi, golang-github-instrumenta-kubeval, golang-github-intel-goresctrl, golang-github-oklog, golang-github-pact-foundation, golang-github-prometheus, golang-github-prometheus-alertmanager, golang-github-prometheus-node-exporter, golang-github-prometheus-tsdb, golang-github-redteampentesting-monsoon, golang-github-spf13-cobra, golang-github-xordataexchange-crypt, golang-gopkg-src-d-git-4, golang-k8s-apiextensions-apiserver, golang-k8s-code-generator, golang-k8s-kube-aggregator, golang-k8s-sample-apiserver, golang-k8s-sample-controller, golang-mongodb-mongo-driver, golang-storj-drpc, golang-x-perf, gopass, grpcurl, onionscan, shellz, shhgit, snowcrash, stb, thunderbird, and xq), Oracle (gzip, kernel, and polkit), Slackware (curl), SUSE (buildah, cifs-utils, firewalld, golang-github-prometheus-prometheus, libaom, and webkit2gtk3), and Ubuntu (nginx and thunderbird). --------------------------------------------- https://lwn.net/Articles/893001/ ∗∗∗ Synology-SA-22:06 Netatalk ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_06 ∗∗∗ CVE-2022-23812: NPM Package node-ipc With Malicious Code Found in Russia and Belarus ∗∗∗ --------------------------------------------- Malicious code, also known as protestware, within certain versions of the package was causing chaos among Russia and Belarus based developers—overwriting their entire file system with a heart emoji. These versions (10.1.0 and 10.1.2) are now tracked under CVE-2022-23812. --------------------------------------------- https://orca.security/resources/blog/cve-2022-23812-protestware-malicious-c… ∗∗∗ ZDI-22-622: Sante DICOM Viewer Pro J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-622/ ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-118-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.04.2022
by Daily end-of-shift report 27 Apr '22

27 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-04-2022 18:00 − Mittwoch 27-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emotet malware now installs via PowerShell in Windows shortcut files ∗∗∗ --------------------------------------------- The Emotet botnet is now using Windows shortcut files (.LNK) containing PowerShell commands to infect victims computers, moving away from Microsoft Office macros that are now disabled by default. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-malware-now-installs-… ∗∗∗ RIG Exploit Kit drops RedLine malware via Internet Explorer bug ∗∗∗ --------------------------------------------- Threat analysts have uncovered yet another large-scale campaign delivering the RedLine stealer malware onto worldwide targets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rig-exploit-kit-drops-redlin… ∗∗∗ MITRE ATT&CK v11 - a small update that can help (not just) with detection engineering, (Wed, Apr 27th) ∗∗∗ --------------------------------------------- On Monday, a new version of the framework was released, which (among other changes) extends its content a little in order to make its use more straightforward when it comes to mapping of existing detections and for implementation of new ones. --------------------------------------------- https://isc.sans.edu/diary/rss/28590 ∗∗∗ Encrypting our way to SSRF in VMWare Workspace One UEM (CVE-2021-22054) ∗∗∗ --------------------------------------------- We discovered a pre-authentication vulnerability that allowed us to make arbitrary HTTP requests, including requests with any HTTP method and request body. --------------------------------------------- https://blog.assetnote.io/2022/04/27/vmware-workspace-one-uem-ssrf/ ∗∗∗ Npm-Schwachstelle "Package Planting": Vertrauen ist gut, Kontrolle ist besser ∗∗∗ --------------------------------------------- Eine als Package Planting bezeichnete Sicherheitslücke im Paketmanager npm erlaubte laut Aquasec, die Vertrauenswürdigkeit bekannter Maintainer zu missbrauchen. --------------------------------------------- https://heise.de/-7066873 ∗∗∗ Knapp die Hälfte der Ransomware-Opfer zahlt Lösegeld ∗∗∗ --------------------------------------------- Die Zahl der von Erpressungstrojanern angegriffenen Mittelständler weltweit steigt. Und viele von ihnen zahlen Lösegeld - oft in siebenstelliger Höhe. --------------------------------------------- https://heise.de/-7067219 ∗∗∗ Webinar: Sicher bezahlen im Internet ∗∗∗ --------------------------------------------- Am Dienstag, den 3. Mai 2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Sicher bezahlen im Internet" statt. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicher-bezahlen-im-internet/ ∗∗∗ Betrügerische Anrufe zu Investitionsmöglichkeiten und Bitcoin ∗∗∗ --------------------------------------------- Vermehrt werden der Watchlist Internet aktuell betrügerische Anrufe gemeldet. Kriminelle versuchen durch diese Anrufe Opfer für Investment-Betrugsmaschen zu gewinnen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-anrufe-zu-investition… ∗∗∗ AA22-117A: 2021 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-117a ===================== = Vulnerabilities = ===================== ∗∗∗ New Nimbuspwn Linux vulnerability gives hackers root privileges ∗∗∗ --------------------------------------------- A new set of vulnerabilities collectively tracked as Nimbuspwn could let local attackers escalate privileges on Linux systems to deploy malware ranging from backdoors to ransomware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-nimbuspwn-linux-vulnerab… ∗∗∗ CVE-2022-26148 Grafana Vulnerability in NetApp Products ∗∗∗ --------------------------------------------- Multiple NetApp products incorporate Grafana. Grafana versions through 7.3.4 are susceptible to a vulnerability which when successfully exploited could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). --------------------------------------------- https://security.netapp.com/advisory/ntap-20220425-0005/ ∗∗∗ Schadcode könnte Nvidias Embedded-System Jetson gefährlich werden ∗∗∗ --------------------------------------------- Sicherheitsupdates schließen Lücken in verschiedenen Jetson-Systemen von Nvidia. --------------------------------------------- https://heise.de/-7067304 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (virtualbox), Red Hat (container-tools:2.0, container-tools:3.0, gzip, kernel, kernel-rt, kpatch-patch, mariadb:10.3, mariadb:10.5, maven-shared-utils, polkit, vim, xmlrpc-c, and zlib), Scientific Linux (maven-shared-utils), SUSE (ant, go1.17, go1.18, kernel, and xen), and Ubuntu (fribidi, git, libcroco, libsepol, linux, linux-gcp, linux-ibm, linux-lowlatency, openjdk-17, and openjdk-lts). --------------------------------------------- https://lwn.net/Articles/892802/ ∗∗∗ Chrome 101.0.4951.41 fixt 30 Schwachstellen ∗∗∗ --------------------------------------------- Google hat zum 26. April 2022 Updates des Google Chrome 101.0.4951.41 für Windows und Mac auf dem Desktop im Stable Channel freigegeben. Das ist der neue 101-Entwicklungszweig, wobei das Update 30, zum Teil als Hoch eingestufte Schwachstellen schließt. --------------------------------------------- https://www.borncity.com/blog/2022/04/27/chrome-101-0-4951-41-fixt-30-schwa… ∗∗∗ Security Advisory - Buffer Overflow Vulnerabilities In Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220427-… ∗∗∗ Security Bulletin: UrbanCode Deploy users with create-resource permission for the standard resource type may create child resources inheriting custom types (CVE-2022-22315). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urbancode-deploy-users-wi… ∗∗∗ Security Bulletin: Dojo vulnerability in WebSphere Liberty affects SPSS Collaboration and Deployment Services (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-dojo-vulnerability-in-web… ∗∗∗ K51975973: Eclipse Jetty vulnerability CVE-2021-34428 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51975973 ∗∗∗ PILZ: PMC programming tool 2.x.x affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-055/ ∗∗∗ PILZ: PMC programming tool 3.x.x affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-061/ ∗∗∗ PILZ: Multiple vulnerabilities in CODESYS V2 and V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-054/ ∗∗∗ BENDER/EBEE: Multiple Charge Controller Vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-047/ ∗∗∗ Miele: Security vulnerability in Benchmark Programming Tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-015/ ∗∗∗ Improper Control of Generation of Code in Bosch MATRIX ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-309239-bt.html ∗∗∗ Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-982696.html ∗∗∗ SonicOS Content Filtering Service and SNMP feature affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2022
by Daily end-of-shift report 26 Apr '22

26 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 25-04-2022 18:00 − Dienstag 26-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Emotet war kaputt, infiziert jetzt aber wieder vermehrt Windows-Computer ∗∗∗ --------------------------------------------- Die hoch entwickelte Schadsoftware Emotet baut nach einem Fehler seine Attacken weltweit weiter aus. --------------------------------------------- https://heise.de/-7064903 ∗∗∗ Virustotal: Einbrecher führen eigenen Code auf Googles Servern aus ∗∗∗ --------------------------------------------- Update 26.04.2022 16:00 Uhr: Der Virustotal-Gründer Bernardo Quintero twitterte, dass keine VT-Maschinen direkt betroffen waren. Es handelte sich um Dritthersteller-und Partner-Maschinen etwa bei Antivirus-Herstellern, die die Daten von Virustotal für ihre Zwecke analysieren, erläutert Quintero dort. --------------------------------------------- https://heise.de/-7065048 ∗∗∗ Welpen kaufen im Internet: bulldogge-franzosische-welpen.com ist Betrug ∗∗∗ --------------------------------------------- Wer im Internet nach Welpen sucht, stößt höchstwahrscheinlich auf betrügerische Online-Shops für Welpen. „bulldogge-franzosische-welpen.com“ ist ein solcher Shop. Dort werden bezaubernde Welpen geboten, sogar mit Papieren. 900 Euro kostet eine französische Bulldogge. Doch Vorsicht: Sie erhalten trotz Bezahlung keinen Welpen. --------------------------------------------- https://www.watchlist-internet.at/news/welpen-kaufen-im-internet-bulldogge-… ∗∗∗ Hackers exploit critical VMware RCE flaw to install backdoors ∗∗∗ --------------------------------------------- Advanced hackers are actively exploiting a critical remote code execution (RCE) vulnerability, CVE-2022-22954, that affects in VMware Workspace ONE Access (formerly called VMware Identity Manager). --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-critical-vmw… ∗∗∗ Phishing goes KISS: Don’t let plain and simple messages catch you out! ∗∗∗ --------------------------------------------- Sometimes we receive phishing tricks that we grudgingly have to admit are better than average, just because theyre uncomplicated. --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/25/phishing-goes-kiss-dont-let-pla… ∗∗∗ WSO2 RCE exploited in the wild, (Tue, Apr 26th) ∗∗∗ --------------------------------------------- While investigating a malicious crypto-mining case, I discovered that attackers implanted the payload exploiting a recently patched RCE vulnerability (CVE-2022-29464) affecting multiple WSO2 products, including API Manager. The vulnerability was discovered by Orange Tsai and responsibly disclosed to WSO2. --------------------------------------------- https://isc.sans.edu/diary/rss/28586 ∗∗∗ Over 18.8 million IPs vulnerable to Middlebox TCP reflection DDoS attacks ∗∗∗ --------------------------------------------- We recently began scanning for middlebox devices that are vulnerable to Middlebox TCP reflection, which can be abused for DDoS amplification attacks. Our results are now shared daily, filtered for your network or constituency in the new Vulnerable DDoS Middlebox. We uncover over 18,800,000 IPv4 addresses responding to our Middlebox probes. In some cases the amplification rates can exceed 10,000! --------------------------------------------- https://www.shadowserver.org/news/over-18-8-million-ips-vulnerable-to-middl… ∗∗∗ Conti Ransomware Activity Surges Despite Exposure of Groups Operations ∗∗∗ --------------------------------------------- Conti ransomware activity has surged in the past weeks despite the recent exposure of the group’s operations by a pro-Ukraine hacktivist. --------------------------------------------- https://www.securityweek.com/conti-ransomware-activity-surges-despite-expos… ∗∗∗ Lapsus$: The script kiddies are alright ∗∗∗ --------------------------------------------- One afternoon last month, the regional head of security for the identity management platform Okta, an Australian named Brett Winterford, was in the middle of a client meeting when his phone sprang to life. “The first message said, ‘It looks like you’re going to have a bad day,’” he recently recalled. “And the second message [...] --------------------------------------------- https://therecord.media/lapsus-the-script-kiddies-are-alright/ ∗∗∗ New Malware of Lazarus Threat Actor Group Exploiting INITECH Process ∗∗∗ --------------------------------------------- The AhnLab ASEC analysis team has discovered that there are 47 companies and institutions—including defense companies—infected with the malware distributed by the Lazarus group in the first quarter of 2022. Considering the severity of the situation, the team has been monitoring the infection cases. In systems of the organizations infected with the malware, it was found that malicious behaviors stemmed from the process of INITECH (inisafecrosswebexsvc.exe), [...] --------------------------------------------- https://asec.ahnlab.com/en/33801/ ∗∗∗ Evasive Phishing Techniques Threat Actors Use to Circumvent Defense Mechanisms ∗∗∗ --------------------------------------------- Phishing continues to be the number one threat faced by companies of all sizes, and one of the main entry points threat actors use to infiltrate networks. As defenses continue to evolve, so do the tactics threat actors use to circumvent those defenses. In this article, the GoSecure Titan® Inbox Detection & Response (IDR) team shares examples of tactics threat actors have used to bypass anti-phishing defenses. --------------------------------------------- https://www.gosecure.net/blog/2022/04/26/evasive-phishing-techniques-threat… ∗∗∗ Attacker Adds Evasive Technique to Their Ongoing Attacks on NPM ∗∗∗ --------------------------------------------- A few weeks ago, we wrote about a new threat actor we called RED-LILI and described their capabilities, including an in-depth walkthrough of the automated system for publishing malicious NPM packages from automatically created user accounts. After our publication, we [...] --------------------------------------------- https://checkmarx.com/blog/attacker-adds-evasive-technique-to-their-ongoing… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg), Fedora (htmldoc, moby-engine, plantuml, and zchunk), Oracle (java-1.8.0-openjdk, java-17-openjdk, and kernel), Red Hat (java-1.8.0-openjdk), Scientific Linux (java-1.8.0-openjdk), Slackware (freerdp), SUSE (kernel, mutt, SUSE Manager Client Tools, and xen), and Ubuntu (barbican and git). --------------------------------------------- https://lwn.net/Articles/892674/ ∗∗∗ Hitachi Energy System Data Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Integer Overflow or Wraparound, Reachable Assertion, Type Confusion, Uncontrolled Recursion, and Observable Discrepancy vulnerabilities in Hitachi Energy System Data Manager products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-116-01 ∗∗∗ Mitsubishi Electric MELSEC and MELIPC Series (Update B) ∗∗∗ --------------------------------------------- This updated advisory is a follow up to the advisory update titled ICSA-21-334-02 Mitsubishi Electric MELSEC and MELIPC Series (Update A) that was published January 27, 2022, to the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for Uncontrolled Resource Consumption, Improper Handling of Length Parameter Inconsistency, and Improper Input Validation vulnerabilities in Mitsubishi Electric MELSEC and MELIPC Series software management platforms. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-334-02 ∗∗∗ CISA Adds Seven Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/25/cisa-adds-seven-k… ∗∗∗ K53648360: Linux kernel vulnerability CVE-2022-27666 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53648360 ∗∗∗ Pepperl+Fuchs: Vulnerability in multiple VisuNet devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-012/ ∗∗∗ TYPO3 Extensions: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0499 ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD is vulnerable to a denial of service vulnerability (CVE-2022-22323, CVE-2022-22312) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initializ… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may be vulnerable to an exposure of sensitive information by an aunauthorized actor through follow-redirects (CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Apache Tomcat affects IBM Process Mining (CVE-2022-23181) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-t… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-22345, CVE-2020-8022, CVE-2021-33813, CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2022
by Daily end-of-shift report 25 Apr '22

25 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-04-2022 18:00 − Montag 25-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Einbruch in kritische Infrastrukturen: Experten zeigen, wie einfach es ist ∗∗∗ --------------------------------------------- Niederländische Forscher haben beim Hackerwettbewerb Pwn2Own demonstriert, wie leicht sich Industriesoftware übernehmen lässt, die zentrale Dienste steuert. --------------------------------------------- https://heise.de/-7062641 ∗∗∗ Netzwerkspeicher: Apple-Protokolle reißen Sicherheitslücken in Qnap-NAS ∗∗∗ --------------------------------------------- Die Unterstützung von Apples Netzwerkprotokollen durch netatalk in Qnap-NAS-Systemen bringt teils kritische Sicherheitslücken mit. Erste Updates stehen bereit. --------------------------------------------- https://heise.de/-7064336 ∗∗∗ Hacker-Gruppe Lapsus$ soll Sourcecode von T-Mobile kopiert haben ∗∗∗ --------------------------------------------- Angreifer sind mit erbeuteten Zugangsdaten in Computer-Systeme von T-Mobile eingebrochen. Kundendaten sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-7063836 ∗∗∗ Fake-E-Mail von Spotify: Kriminelle versuchen Ihr Konto zu übernehmen ∗∗∗ --------------------------------------------- Kriminelle versenden momentan gefälschte Spotify-E-Mails, um Ihr Konto zu übernehmen und Kreditkartendaten zu stehlen. Nutzer:innen erhalten vom Absender „Spotify-Rechnung“ ein Schreiben, in dem ein Problem mit Ihrer Zahlung vorgetäuscht wird. Im E-Mail werden Sie gebeten, auf einen Button zu klicken. Dieser führt dann auf eine gefälschte Spotify-Login-Seite. Daten, die dort eingetippt werden, landen direkt bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-e-mail-von-spotify-kriminelle-v… ∗∗∗ New powerful Prynt Stealer malware sells for just $100 per month ∗∗∗ --------------------------------------------- Threat analysts have spotted yet another addition to the growing space of info-stealer malware infections, named Prynt Stealer, which offers powerful capabilities and extra keylogger and clipper modules. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-powerful-prynt-stealer-m… ∗∗∗ DDoS attacks in Q1 2022 ∗∗∗ --------------------------------------------- Against the backdrop of the conflict between Russia and Ukraine, the number of DDoS attacks in Q1 2022 increased by 4.5 times against Q1 2021. A significant proportion of them were by hacktivists. --------------------------------------------- https://securelist.com/ddos-attacks-in-q1-2022/106358/ ∗∗∗ Are Roku Streaming Devices Safe from Exploitation?, (Sat, Apr 23rd) ∗∗∗ --------------------------------------------- I have noticed in the past several weeks random scans specifically for Roku streaming devices (and likely other types) captured by my honeypot. If they can be compromised, what can be gain? Settings like stored payment information, personal information (email/password), subscription, App selected, etc. Like any other devices, it is important to keep the OS and Apps up-to-date. --------------------------------------------- https://isc.sans.edu/diary/rss/28578 ∗∗∗ Simple PDF Linking to Malicious Content, (Mon, Apr 25th) ∗∗∗ --------------------------------------------- Last week, I found an interesting piece of phishing based on a PDF file. Today, most of the PDF files that are delivered to end-user are not malicious, I mean that they dont contain an exploit to trigger a vulnerability and infect the victims computer. They are just used as a transport mechanism to deliver more malicious content. Yesterday, Didier analyzed the same kind of Word document[1]. They are more and more common because they are (usually) not blocked by common filters at the perimeter. --------------------------------------------- https://isc.sans.edu/diary/rss/28582 ∗∗∗ Researcher Releases PoC for Recent Java Cryptographic Vulnerability ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) code demonstrating a newly disclosed digital signature bypass vulnerability in Java has been shared online. The high-severity flaw in question, CVE-2022-21449 (CVSS score: 7.5), impacts the following versions of Java SE and Oracle GraalVM Enterprise Edition - [...] --------------------------------------------- https://thehackernews.com/2022/04/researcher-releases-poc-for-recent-java.h… ∗∗∗ Defeating BazarLoader Anti-Analysis Techniques ∗∗∗ --------------------------------------------- Anti-analysis techniques make it harder for malware analysts to do their work. We cover BazarLoader anti-analysis techniques and how to defeat them. --------------------------------------------- https://unit42.paloaltonetworks.com/bazarloader-anti-analysis-techniques/ ∗∗∗ Webcam hacking: How to know if someone may be spying on you through your webcam ∗∗∗ --------------------------------------------- Camfecting doesn’t ‘just’ invade your privacy – it could seriously impact your mental health and wellbeing. Here’s how to keep an eye on your laptop camera. --------------------------------------------- https://www.welivesecurity.com/2022/04/25/webcam-hacking-how-know-someone-s… ∗∗∗ Quantum Ransomware ∗∗∗ --------------------------------------------- In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access, to domain wide ransomware. The initial access vector for [...] --------------------------------------------- https://thedfirreport.com/2022/04/25/quantum-ransomware/ ∗∗∗ FBI Releases IOCs Associated with BlackCat/ALPHV Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks involving BlackCat/ALPHV, a Ransomware-as-a-Service that has compromised at least 60 entities worldwide. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000167-MW and apply the recommended mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/22/fbi-releases-iocs… ∗∗∗ Malware analysis report on SparrowDoor malware ∗∗∗ --------------------------------------------- A technical analysis of a new variant of the SparrowDoor malware. --------------------------------------------- https://www.ncsc.gov.uk/report/mar-sparrowdoor ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Bug in Everscale Wallet Couldve Let Attackers Steal Cryptocurrencies ∗∗∗ --------------------------------------------- A security vulnerability has been disclosed in the web version of the Ever Surf wallet that, if successfully weaponized, could allow an attacker to gain full control over a victims wallet. --------------------------------------------- https://thehackernews.com/2022/04/critical-bug-in-everscale-wallet.html ∗∗∗ IBM Security Bulletins 2022-04-22 ∗∗∗ --------------------------------------------- IBM Cloud Private, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Sterling File Gateway, IBM Watson Explorer, IBM Planning Analytics, IBM App Connect Enterprise --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ IBM schließt kritische Sicherheitslücken in Cognos Analytics ∗∗∗ --------------------------------------------- In der Business-Intelligence-Software IBM Cognos Analytics könnten Angreifer unter anderem Schadcode einschleusen. Aktualisierte Software behebt die Probleme. --------------------------------------------- https://heise.de/-7063645 ∗∗∗ Sicherheitsupdates Atlassian Jira: Angreifer könnten Authentifizierung umgehen ∗∗∗ --------------------------------------------- Die Entwickler haben eine kritische Sicherheitslücke im Projektmanagement-Tool Jira geschlossen. --------------------------------------------- https://heise.de/-7063649 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, kernel-headers, kernel-tools, libinput, podman-tui, and vim), Mageia (git, gzip/xz, libdxfrw, libinput, librecad, and openscad), and SUSE (dnsmasq, git, libinput, libslirp, libxml2, netty, podofo, SDL, SDL2, and tomcat). --------------------------------------------- https://lwn.net/Articles/892536/ ∗∗∗ Opportunistic Exploitation of WSO2 CVE-2022-29464 ∗∗∗ --------------------------------------------- On April 18, 2022, MITRE published CVE-2022-29464, an unrestricted file upload vulnerability affecting various WSO2 products. --------------------------------------------- https://www.rapid7.com/blog/post/2022/04/22/opportunistic-exploitation-of-w… ∗∗∗ FreeRADIUS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0496 ∗∗∗ Multiple Vulnerabilities in Netatalk ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-12 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.04.2022
by Daily end-of-shift report 22 Apr '22

22 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-04-2022 18:00 − Freitag 22-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sicherheitslücke: Apple-Codec sorgt für Lücke in Android-Smartphones ∗∗∗ --------------------------------------------- Mit päparierten Audiodateien haben sich etliche Android-Smartphones mit Qualcomm- oder Mediatek-Chip hacken lassen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-apple-codec-sorgt-fuer-luecke-i… ∗∗∗ LemonDuck zielt auf Docker ∗∗∗ --------------------------------------------- LemonDuck, ein Kryptomining-Botnet, hat es auf Docker abgesehen, um Kryptowährung auf Linux-Systemen zu schürfen. Diese Kampagne ist derzeit aktiv. --------------------------------------------- https://www.zdnet.de/88400783/lemonduck-zielt-auf-docker/ ∗∗∗ Kritische Lücken in XML Parser Expat gefährden IBM Db2 ∗∗∗ --------------------------------------------- Updates sichern die Datenbank-Software Db2 von IBM ab. Angreifer könnten Systeme mit Schadcode attackieren. --------------------------------------------- https://heise.de/-7062152 ∗∗∗ Vorsicht Fake-SMS: „Sie haben eine neue Sprachnachricht erhalten“ ∗∗∗ --------------------------------------------- Leser:innen der Watchlist Internet melden derzeit wieder vermehrt betrügerische SMS. Kriminelle behaupten dabei, dass Sie eine neue Sprachnachricht hätten. Um mehr zu erfahren, sollen Sie auf einen Link klicken. Wer diesem Link folgt, landet auf einer betrügerischen Webseite, auf der eine App heruntergeladen werden soll. Installieren Sie die App auf keinen Fall! Es handelt sich um gefährliche Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-fake-sms-sie-haben-eine-neu… ∗∗∗ QNAP warns of new bugs in its Network Attached Storage devices ∗∗∗ --------------------------------------------- Heres what you need to know - plus some sensible advice for all the devices on your home or small biz network! --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/22/qnap-warns-of-new-bugs-in-its-n… ∗∗∗ Threat Assessment: BlackByte Ransomware ∗∗∗ --------------------------------------------- BlackByte is ransomware as a service that emerged in July 2021. Read our overview and recommended courses of action for mitigation. --------------------------------------------- https://unit42.paloaltonetworks.com/blackbyte-ransomware/ ∗∗∗ Atlassian fixes critical Jira authentication bypass vulnerability ∗∗∗ --------------------------------------------- Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the companys web application security framework. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atlassian-fixes-critical-jir… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (composer, golang-x-crypto, rubygem-nokogiri, wavpack, xen, and xz) and SUSE (dnsmasq, openjpeg, swtpm, tomcat, and xen). --------------------------------------------- https://lwn.net/Articles/892372/ ∗∗∗ Multiple vulnerabilities found in Mitsubishi controllers ∗∗∗ --------------------------------------------- Mitsubishi recommends using encryption and firewalls. This will help minimize the risk of the detected vulnerabilities being exploited. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/multiple-vulnerabilities-found-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – nginx (CVE-2018-16844, CVE-2018-16845, CVE-2018-16843, CVE-2019-7401) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in Node.js affects IBM Process Mining (CVE-2019-5484) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Lodash affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-lodash-a… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44532) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2020-27223,CVE-2021-28169) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Node.js Color-String affects IBM Process Mining (CVE-2021-29060) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Security Vulnerabilities affect IBM Cloud Private – curl (CVE-2020-8231) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Node.js lodash affects IBM Process Mining (CVE-2021-23337,CVE-2020-28500) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2020-27216) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: Vulnerability in jQuery affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jquery-a… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44533) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in http2-common affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-http2-co… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2021-28165) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… ∗∗∗ Security Bulletin: A Security Vulnerability affects IBM Cloud Private – NGINX (CVE-2019-20372) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Node.js normalize-url affects IBM Process Mining (CVE-2021-33502) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Vulnerability in Node.js IS-SVG affects IBM Process Mining (CVE-2021-29059, CVE-2021-28092) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: The Apache Log4j (CVE-2021-4104) vulnerability affects TPF Operations Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-apache-log4j-cve-2021… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: Due to WebSphere Liberty is vulnerable, PowerVM Novalink could allow a remote attacker to hijack the clicking action of the victim. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-websphere-liberty-… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-39031 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to a denial of service through node.js lodash ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Vulnerability in Apache Commons IO affects IBM Process Mining (CVE-2021-29425) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-c… ∗∗∗ Security Bulletin: Vulnerability in nth-check affects IBM Process Mining (CVE-2021-3803) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nth-chec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.04.2022
by Daily end-of-shift report 21 Apr '22

21 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-04-2022 18:00 − Donnerstag 21-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Exchange servers hacked to deploy Hive ransomware ∗∗∗ --------------------------------------------- A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-h… ∗∗∗ REvils TOR sites come alive to redirect to new ransomware operation ∗∗∗ --------------------------------------------- REvil ransomwares servers in the TOR network are back up after months of inactivity and redirect to a new operation that appears to have started since at least mid-December last year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revils-tor-sites-come-alive-… ∗∗∗ Multi-Cryptocurrency Clipboard Swapper, (Thu, Apr 21st) ∗∗∗ --------------------------------------------- It’s not the first time that I found a piece of code that monitors the clipboard and swap the BTC address found with the attacker's one. This time, the script that I found supports a lot of cryptocurrencies! --------------------------------------------- https://isc.sans.edu/diary/rss/28574 ∗∗∗ Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark ∗∗∗ --------------------------------------------- This time we will take a closer look at what the CIS Google Cloud Platform Foundation Benchmark offers against 10 of the most common GCP misconfigurations that NCC Group comes across during client assessments. --------------------------------------------- https://research.nccgroup.com/2022/04/20/mitigating-the-top-10-security-thr… ∗∗∗ Two OpenWrt updates ∗∗∗ --------------------------------------------- The OpenWrt 21.02.3 and 19.07.10 updates have been released. These updates contain some security fixes and improved device support. --------------------------------------------- https://lwn.net/Articles/892161/ ∗∗∗ Willhaben, ebay, Vinted & Co. im Fokus von Kriminellen! ∗∗∗ --------------------------------------------- Egal ob Sie etwas kaufen oder verkaufen wollen – nehmen Sie sich vor der Abzocke auf Kleinanzeigenplattformen in Acht! Wenn Sie dazu aufgefordert werden, die Transaktion mithilfe eines Kurierdienstes abzuwickeln, brechen Sie den Kontakt ab. --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-ebay-vinted-co-im-fokus-vo… ∗∗∗ Abusing Azure Container Registry Tasks ∗∗∗ --------------------------------------------- In this post, I will explain how one Azure service supporting DevOps can start in a very solid “secure by default” state, but then quickly descend into a very dangerous configured state. --------------------------------------------- https://posts.specterops.io/abusing-azure-container-registry-tasks-1f407bfa… ∗∗∗ Understanding Cobalt Strike Profiles - Updated for Cobalt Strike 4.6 ∗∗∗ --------------------------------------------- A deep dive into specifics around cobalt strike malleable c2 profiles and key information that is new in cobalt strike 4.6 --------------------------------------------- https://blog.zsec.uk/cobalt-strike-profiles/ ∗∗∗ TeamTNT targeting AWS, Alibaba ∗∗∗ --------------------------------------------- TeamTNT is actively modifying its scripts after they were made public by security researchers. These scripts primarily target Amazon Web Services, but can also run in on-premise, container, or other forms of Linux instances. --------------------------------------------- http://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-04-20 ∗∗∗ --------------------------------------------- Cisco published 12 Security Advisories (3 High, 9 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Statischer SSH-Schlüssel macht Cloudsicherheitssystem Cisco Umbrella zu schaffen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates für Hard- und Software von Cisco schließen mehrere Lücken. Angreifer könnten Admin-Zugangsdaten mitschneiden. --------------------------------------------- https://heise.de/-7061311 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (frr, grafana, gzip, and pdns), Oracle (java-11-openjdk), Red Hat (java-11-openjdk and kernel), Scientific Linux (java-11-openjdk), SUSE (dcraw, GraphicsMagick, gzip, kernel, nbd, netty, qemu, SDL, and xen), and Ubuntu (libinput, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure,[...] --------------------------------------------- https://lwn.net/Articles/892214/ ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2022-009 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-009 ∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-008 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-008 ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affect App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-ke… ∗∗∗ Security Bulletin: IBM Emptoris Supplier Lifecycle Management vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-supplier-lif… ∗∗∗ Security Bulletin: App Connect Professional is affected by GNU C Library vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-use-case-manag… ∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities in the included Expat 3rd party library (CVE-2022-23852 and CVE-2022-23990) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-mu… ∗∗∗ Security Bulletin: A Vulnerability in IBM WebSphere Application Server – Liberty affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Jira Security Advisory 2022-04-20 ∗∗∗ --------------------------------------------- https://confluence.atlassian.com/jira/jira-security-advisory-2022-04-20-111… ∗∗∗ Delta Electronics ASDA-Soft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-01 ∗∗∗ Johnson Controls Metasys SCT Pro ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-02 ∗∗∗ Hitachi Energy MicroSCADA Pro/X SYS600 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-111-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2022
by Daily end-of-shift report 20 Apr '22

20 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-04-2022 18:00 − Mittwoch 20-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CISA warns of attackers now exploiting Windows Print Spooler bug ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has added three new security flaws to its list of actively exploited bugs, including a local privilege escalation bug in the Windows Print Spooler. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-attackers-now-… ∗∗∗ Emotet botnet switches to 64-bit modules, increases activity ∗∗∗ --------------------------------------------- The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-botnet-switches-to-64… ∗∗∗ Google: 2021 war Rekordjahr für entdeckte Zero Days ∗∗∗ --------------------------------------------- Laut Google ändert sich die Ursache der Sicherheitslücken selbst aber kaum. Größtes Problem bleiben Speicherfehler. --------------------------------------------- https://www.golem.de/news/google-2021-war-rekordjahr-fuer-entdeckte-zero-da… ∗∗∗ "aa" distribution Qakbot (Qbot) infection with DarkVNC traffic, (Wed, Apr 20th) ∗∗∗ --------------------------------------------- Chain of Events and IOCs of a Qakbot infection. --------------------------------------------- https://isc.sans.edu/diary/rss/28568 ∗∗∗ Phishing-Welle zu Online-Banking rollt durch Postfächer ∗∗∗ --------------------------------------------- Aktuell rollt eine Phishing-Welle durch österreichische E-Mail-Postfächer, mit der es Kriminelle vor allem auf Online-Banking-Daten abgesehen haben. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-welle-zu-online-banking-rol… ∗∗∗ CISA Releases Secure Cloud Business Applications (SCuBA) Guidance Documents for Public Comment ∗∗∗ --------------------------------------------- CISA has released draft versions of two guidance documents—along with a request for comment (RFC)—that are a part of the recently launched Secure Cloud Business Applications (SCuBA) project. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/19/cisa-releases-sec… ∗∗∗ Investigating an engineering workstation – Part 3 ∗∗∗ --------------------------------------------- In our third blog post we will focus on information we can get from the projects itself. --------------------------------------------- https://blog.nviso.eu/2022/04/20/investigating-an-engineering-workstation-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Elliptische Kurven: Java-Signaturprüfung lässt sich mit Nullen austricksen ∗∗∗ --------------------------------------------- Bei der Prüfung von ECDSA-Signaturen in Java fand sich ein Fehler, der dazu führt, dass man eine immer gültige Signatur erstellen kann. --------------------------------------------- https://www.golem.de/news/elliptische-kurven-java-signaturpruefung-laesst-s… ∗∗∗ Oracle stellt 520 Sicherheitspatches für sein Software-Portfolio bereit ∗∗∗ --------------------------------------------- Admins von Oracle-Anwendungen sollten die verfügbaren Aktualisierungen installieren, um zum Teil kritische Sicherheitslücken zu schließen. --------------------------------------------- https://heise.de/-6746906 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (condor), Red Hat (389-ds:1.4, container-tools:2.0, kernel, kernel-rt, and kpatch-patch), SUSE (chrony, containerd, expat, git, icedtea-web, jsoup, jsr-305, kernel, libeconf, shadow and util-linux, protobuf, python-libxml2-python, python3, slirp4netns, sssd, vim, and wpa_supplicant), and Ubuntu (bash). --------------------------------------------- https://lwn.net/Articles/892047/ ∗∗∗ AWSs Log4Shell Hot Patch Vulnerable to Container Escape and Privilege Escalation ∗∗∗ --------------------------------------------- We identified severe security issues within AWS Log4Shell hot patch solutions. We provide a root cause analysis and overview of fixes and mitigations. --------------------------------------------- https://unit42.paloaltonetworks.com/aws-log4shell-hot-patch-vulnerabilities/ ∗∗∗ SSA-254054: Spring Framework Vulnerability (Spring4Shell or SpringShell, CVE-2022-22965) - Impact to Siemens Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-254054.txt ∗∗∗ Security Bulletin: IBM Emptoris Strategic Supply Management Platform is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-strategic-su… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by Node.js vulnerability (CVE-2021-22939) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM Emptoris Sourcing is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-sourcing-is-… ∗∗∗ Security Bulletin: IBM Emptoris Contract Management is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-contract-man… ∗∗∗ Security Bulletin: IBM Emptoris Program Management is vulnerable to unspecified vulnerability due to Oracle Database Server (CVE-2021-35576) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-emptoris-program-mana… ∗∗∗ April 19, 2022 TNS-2022-09 [R1] Tenable.sc 5.21.0 Fixes Multiple Third-Party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-09 ∗∗∗ Veritas NetBackup: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0474 ∗∗∗ Interlogix Hills ComNav ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-01 ∗∗∗ Automated Logic WebCTRL ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-02 ∗∗∗ FANUC ROBOGUIDE Simulation Platform ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-03 ∗∗∗ Elcomplus SmartPPT SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-04 ∗∗∗ Multiple ctrlX CORE vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-029150.html ∗∗∗ MISP 2.4.158 security fix and general improvement release ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.158 ∗∗∗ Multiple Vulnerabilities in Apache HTTP Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-11 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2022
by Daily end-of-shift report 19 Apr '22

19 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-04-2022 18:00 − Dienstag 19-04-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Freier Decryptor für Yanlouwang-Ransomware ∗∗∗ --------------------------------------------- Sicherheitsanbieter Kaspersky hat in der Verschlüsselung der Yanlouwang-Ransomware eine Schwachstelle entdeckt. In Folge dieser Schwachstelle kann die Verschlüsselung von Dateien unter bestimmten Voraussetzungen geknackt werden. Jedenfalls steht ein kostenloser Decryptor für die Yanlouwang-Ransomware zur Verfügung. --------------------------------------------- https://www.borncity.com/blog/2022/04/19/freier-decryptor-fr-yanlouwang-ran… ∗∗∗ Achtung unseriös: hondrox.com, hondrox.eu & hondrox.shop ∗∗∗ --------------------------------------------- Auf der Suche nach Behandlungsmöglichkeiten bei Gelenkschmerzen stoßen Sie möglicherweise auf „Hondrox“. Ein Spray, der die „Wiederherstellung der Knorpel in den Gelenken“ sowie Schmerzlinderung verspricht. Auf hondrox.com, hondrox.eu und hondrox.shop wird dieses vermeintliche Wundermittel angeboten. Doch Vorsicht: Diese Online-Shops sind unseriös. Sie verschwenden Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-unserioes-hondroxcom-hondrox… ∗∗∗ GitHub-Sicherheitslücke: OAuth-Token von Heroku und Travis-CI kompromittiert ∗∗∗ --------------------------------------------- Unauthorisierte Zugriffe auf die npm-Infrastruktur haben kriminelle Aktivitäten enttarnt. Betroffenen sind OAuth-Token von Heroku und Travis-CI. --------------------------------------------- https://heise.de/-6703708 ∗∗∗ Sicherheit fürs Anmelden: Was bei Kennwörtern, FIDO2 und TOTP zu beachten ist ∗∗∗ --------------------------------------------- In der Theorie sind zweite Faktoren einfach. In der praktischen Umsetzung tauchen aber diverse Fragen auf – die häufigsten haben wir zusammengetragen. --------------------------------------------- https://heise.de/-6660829 ∗∗∗ Lenovo System Update könnte Schadcode auf Computer lassen ∗∗∗ --------------------------------------------- Lenovo hat Sicherheitslücken in einer Anwendung und verschiedenen BIOS-Versionen geschlossen und Hintertüren entfernt. --------------------------------------------- https://heise.de/-6740544 ∗∗∗ Studie: Ciscos Webex telefoniert auch stummgeschaltet nach Hause ∗∗∗ --------------------------------------------- Bei einer Untersuchung der Stummschaltefunktion von Videokonferenzsoftware fiel Ciscos Webex negativ auf. --------------------------------------------- https://www.golem.de/news/studie-ciscos-webex-telefoniert-auch-stummgeschal… ∗∗∗ New stealthy BotenaGo malware variant targets DVR devices ∗∗∗ --------------------------------------------- Threat analysts have spotted a new variant of the BotenaGo botnet malware, and its the stealthiest seen so far, running undetected by any anti-virus engine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-botenago-malwar… ∗∗∗ Managing container vulnerability risks: Tools and best practices ∗∗∗ --------------------------------------------- Containers are quickly becoming the de facto form of compute and workload deployments in the cloud-native ecosystem. The latest Cloud Native Computing Foundation (CNCF) Cloud Native Survey shows that 96% of organizations are either actively using containers and Kubernetes or are evaluating them. Containers have well-known benefits such as portability, consistency and efficiency, but they aren’t without security concerns. --------------------------------------------- https://www.csoonline.com/article/3656702/managing-container-vulnerability-… ∗∗∗ Sysmons RegistryEvent (Value Set), (Mon, Apr 18th) ∗∗∗ --------------------------------------------- A colleague asked me about Sysmon's event ID 13 RegistryEvent (Value Set). They wanted to know if binary data could be recorded in event 13. --------------------------------------------- https://isc.sans.edu/diary/rss/28558 ∗∗∗ Why you shouldn’t automate your VirusTotal uploads ∗∗∗ --------------------------------------------- Security teams use VirusTotal as a second opinion scanner, but its not advisable to upload documents to VirusTotal as that may result in a breach of confidence and exposure of confidential data. --------------------------------------------- https://blog.malwarebytes.com/101/2022/04/why-you-shouldnt-automate-your-vi… ∗∗∗ How vx-underground is building a hacker’s dream library ∗∗∗ --------------------------------------------- When malware repository vx-underground launched in 2019, it hardly made a splash in the hacking world. "I had no success really," said its founder, who goes by the online moniker smelly_vx. --------------------------------------------- https://therecord.media/how-vx-underground-is-building-a-hackers-dream-libr… ∗∗∗ Stories from the SOC - Lateral movement using default accounts ∗∗∗ --------------------------------------------- The Windows ‘Administrator’ account is a highly privileged account that is created during a Windows installation by default. If this account is not properly secured, attackers may leverage it to conduct privilege escalation and lateral movement. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer könnten sich als Admins an Cisco Wireless LAN Controller anmelden ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem Cisco IOS XE, SD-WAN und WLC. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-6737709 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (abcm2ps and chromium), Fedora (cacti, cacti-spine, and fribidi), and Mageia (crun, docker-containerd, libarchive, mediawiki, and ruby). --------------------------------------------- https://lwn.net/Articles/891725/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gzip and xz-utils), Fedora (dhcp and rsync), Mageia (chromium-browser-stable), openSUSE (chromium), SUSE (gzip, openjpeg2, and zabbix), and Ubuntu (klibc). --------------------------------------------- https://lwn.net/Articles/891818/ ∗∗∗ Elcomplus SmartPPT SCADA Server ∗∗∗ --------------------------------------------- This advisory contains mitigations for Cross-site Scripting, Unauthorized Exposure to Sensitive Information, Unrestricted Upload of File with Dangerous Type, Path Traversal, and Cross-site Request Forgery vulnerabilities in the Elcomplus SmartPPT SCADA Server voice and data dispatch software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-109-05 ∗∗∗ Multiple RTOS (Update E) ∗∗∗ --------------------------------------------- Update E: Windriver VxWorks – Update in progress The following devices use Windriver VxWorks as their RTOS: Hitachi Energy GMS600 – See public advisory. Hitachi Energy PWC600 – See public advisory. Hitachi Energy REB500 – See public advisory. Hitachi Energy Relion 670, 650 series and SAM600-IO – See public advisory Hitachi Energy RTU500 series CMU – Updates available for some firmware versions – See public advisory. Hitachi Energy Modular Switchgear Monitoring System MSM – Protect your network – See public advisory. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-119-04 ∗∗∗ Delta Controls enteliTOUCH 3.40.3935 Cookie User Password Disclosure ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022040067 ∗∗∗ Delta Controls enteliTOUCH 3.40.3935 Cross Site Scripting ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022040065 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ K56105136: BIND vulnerability CVE-2022-0396 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56105136 ∗∗∗ K21054458: Eclipse Jetty vulnerability CVE-2017-7656 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21054458 ∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0456 ∗∗∗ 7-Zip: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0459 ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0458 ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0461 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.04.2022
by Daily end-of-shift report 15 Apr '22

15 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-04-2022 18:00 − Freitag 15-04-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sicherheit: Best Practice, zum Updaten von Windows Domain Controllern ∗∗∗ --------------------------------------------- In Unternehmensumgebungen werden oft Windows Server eingesetzt, die als Domain Controller (DC) fungieren. Domänencontroller sind für viele Unternehmen nach wie vor (trotz Trend zur Azure-Coud, so Microsoft) ein zentraler Bestandteil der Infrastruktur. Und die in der Active Directory gespeicherten Identitäten [...] --------------------------------------------- https://www.borncity.com/blog/2022/04/15/sicherheit-best-practice-zum-updat… ∗∗∗ Vorsicht vor ungerechtfertigten Kreditkartenabbuchungen von medianess.co ∗∗∗ --------------------------------------------- Ein QR-Code wird gescannt, ein Programm heruntergeladen oder eine App am Handy installiert. Konsument:innen berichten von ganz alltäglichen Situationen, in denen sie plötzlich auf der Seite medianess.co landen und aufgefordert werden ihre Kreditkartendaten einzugeben. Einige Tage später stellen sie verwundert fest, dass sie ein ungewolltes Abo abgeschlossen haben. Wir erklären Ihnen, wie Sie die ungerechtfertigten Abbuchungen beenden können und Ihr Geld zurückerhalten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-ungerechtfertigten-kred… ∗∗∗ CVE-2021-1782, an iOS in-the-wild vulnerability in vouchers ∗∗∗ --------------------------------------------- This blog post is my analysis of a vulnerability exploited in the wild and patched in early 2021. Like the writeup published last week looking at an ASN.1 parser bug, this blog post is based on the notes I took as I was analyzing the patch and trying to understand the XNU vouchers subsystem. I hope that this writeup serves as the missing documentation for how some of the internals of the voucher subsystem works and its quirks which lead to this vulnerability. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/04/cve-2021-1782-ios-in-wild-vu… ∗∗∗ Gaining Visibility Within Container Clusters ∗∗∗ --------------------------------------------- Service mesh platforms can be used to provide insight into the container processes and their network operations within K8s clusters. --------------------------------------------- https://unit42.paloaltonetworks.com/visibility-k8s-clusters/ ∗∗∗ CISA Adds Nine Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow on the of the "Date Added to Catalog" column, which will sort by descending dates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/15/cisa-adds-nine-kn… ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- On March 29, 2022, the following critical vulnerability in the Spring Cloud Function Framework affecting releases 3.1.6, 3.2.2, and older unsupported releases was disclosed: CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression For a description of this vulnerability, see VMware Spring Framework Security Vulnerability Report. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fribidi and python-django), Fedora (postgresql-jdbc, stargz-snapshotter, and thunderbird), Slackware (git, gzip, and xz), and SUSE (kernel, SDL2, and tomcat). --------------------------------------------- https://lwn.net/Articles/891453/ ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Incomplete Cleanup vulnerability in the Johnson Controls Metasys ADS/ADX/OAS servers for building management systems. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-02 ∗∗∗ Red Lion DA50N ∗∗∗ --------------------------------------------- This advisory contains mitigation for Insufficient Verification of Data Authenticity, Weak Password Requirements, Use of Unmaintained Third-Party Components, and Insufficiently Protected Credentials vulnerabilities in the Red Lion DA50N networking gateway. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-03 ∗∗∗ Siemens SCALANCE FragAttacks ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Authentication, Injection, Improper Validation of Integrity Check, and Improper Input Validation vulnerabilities in the Siemens SCALANCE FragAttacks. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-04 ∗∗∗ Siemens OpenSSL Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for a NULL Pointer Dereference vulnerability in the Siemens OpenSSL. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-05 ∗∗∗ Delta Electronics DMARS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in the Delta Electronics DMARS program development tool. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-104-01 ∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/14/juniper-networks-… ∗∗∗ Chrome 100.0.4896.127 fixt 0-day Schwachstelle CVE-2022-1364 ∗∗∗ --------------------------------------------- Google hat zum 14. April 2022 Notfall-Updates des Google Chrome 100.0.4896.127 für Android, sowie für Windows und Mac auf dem Desktop im Stable Channel freigegeben. Das Update schließt die 0-day-Schwachstelle CVE-2022-1364, die bereits Exploits existieren. --------------------------------------------- https://www.borncity.com/blog/2022/04/15/chrome-100-0-4896-127-fixt-ausgenu… ∗∗∗ OpenSSL Infinite loop when parsing certificates CVE-2022-0778 ∗∗∗ --------------------------------------------- A vulnerability CVE-2022-0778 was found in OpenSSL that allows to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate leads to a DoS (Denial of service) attack. SonicWall is investigating its product line to determine which products and cloud services may be affected by this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002 ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Security ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: Due to use of Apache Storm IBM Tivoli Network Manager is vulnerable to arbiraty code execution ( CVE-2021-38294, CVE-2021-40865 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-stor… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities in Plexus-utils affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to a denial of service due to a flaw in the BN_mod_sqrt() function (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2022
by Daily end-of-shift report 14 Apr '22

14 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-04-2022 18:00 − Donnerstag 14-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New EnemyBot DDoS botnet recruits routers and IoTs into its army ∗∗∗ --------------------------------------------- A new Mirai-based botnet malware named Enemybot has been observed growing its army of infected devices through vulnerabilities in modems, routers, and IoT devices, with the threat actor operating it known as Keksec. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-enemybot-ddos-botnet-rec… ∗∗∗ An Update on CVE-2022-26809 - MSRPC Vulnerabliity - PATCH NOW, (Thu, Apr 14th) ∗∗∗ --------------------------------------------- If your main concern is that you do not have time to apply the April update, stop wasting more time reading this (or anything else about CVE-2022-26809) and start patching. --------------------------------------------- https://isc.sans.edu/diary/rss/28550 ∗∗∗ A Primer on Cold Boot Attacks Against Embedded Systems ∗∗∗ --------------------------------------------- A computers main memory is volatile, and its content disappears if it is not regularly refreshed. This enables some attacks that exploit this behavior. One fairly well-known attack is called the "cold boot attack". --------------------------------------------- https://sec-consult.com/blog/detail/a-primer-on-cold-boot-attacks-against-e… ∗∗∗ "Pipedream": US-Warnung vor ausgeklügelten Cyberangriffen auf Energiesektor ∗∗∗ --------------------------------------------- Mit einem Werkzeugkasten hochentwickelter Cyberwaffen sollen unbekannte Angreifer industrielle Steuerungslagen übernehmen können. --------------------------------------------- https://heise.de/-6670554 ∗∗∗ Microsoft Seizes Control of Notorious Zloader Cybercrime Botnet ∗∗∗ --------------------------------------------- Microsoft has disrupted the operation of one of the most notorious cybercrime botnets and named a Crimean hacker as an alleged perpetrator behind the distribution of ransomware to the network of infected machines. --------------------------------------------- https://www.securityweek.com/microsoft-seizes-control-notorious-zloader-cyb… ∗∗∗ SMS-Werbung für sichernow.com führt in Crypto-Investment-Falle ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle SMS, in denen für eine Crypto-Investment-Falle geworben wird. Der enthaltene Link führt zu einer betrügerischen Investment-Plattform. --------------------------------------------- https://www.watchlist-internet.at/news/sms-werbung-fuer-sichernowcom-fuehrt… ∗∗∗ Blinding Snort: Breaking the Modbus OT Preprocessor ∗∗∗ --------------------------------------------- Team82 discovered a means by which it could blind the popular Snort intrusion detection and prevention system to malicious packets. --------------------------------------------- https://claroty.com/2022/04/14/blog-research-blinding-snort-breaking-the-mo… ∗∗∗ Old Gremlins, new methods ∗∗∗ --------------------------------------------- After a long break, the Russian-speaking ransomware group OldGremlin resumes attacks in Russia --------------------------------------------- https://blog.group-ib.com/oldgremlin_comeback ∗∗∗ Threat Spotlight: "Haskers Gang" Introduces New ZingoStealer ∗∗∗ --------------------------------------------- Cisco Talos recently observed a new information stealer, called "ZingoStealer" that has been released for free by a threat actor known as "Haskers Gang." --------------------------------------------- http://blog.talosintelligence.com/2022/04/haskers-gang-zingostealer.html ∗∗∗ Unfolding the Log4j Security Vulnerability and Log4shell TTPs in AWS ∗∗∗ --------------------------------------------- Orca researcher Lidor Ben Shitrit reveals how Log4 shell TTPs in an AWS cloud environment can be used to open up a Log4j security vulnerability. --------------------------------------------- https://orca.security/resources/blog/log4j-security-vulnerability-log4shell… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-04-13 ∗∗∗ --------------------------------------------- 1 Critical, 13 High, 9 Medium Severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ Jetzt patchen! Attacken auf VMware Identity Manager und Workspace One Access ∗∗∗ --------------------------------------------- Angreifer schieben Krypto-Miner durch eine kritische Schadcode-Lücke in VMware Identity Manager und Workspace One Access. Updates stehen zum Download bereit. --------------------------------------------- https://heise.de/-6677723 ∗∗∗ Lücken in mehren Komponente machen Datenmanagement-Software IBM Db2 angreifbar ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für IBM Db2, IBM Db2 On Openshift und IBM Db2 Warehouse on Cloud Pak for Data. --------------------------------------------- https://heise.de/-6677497 ∗∗∗ Sicherheitsupdate: Admin-Tool Grafana ist verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Datenvisualisierungssoftware Grafana attackieren. --------------------------------------------- https://heise.de/-6678300 ∗∗∗ VMSA-2022-0013 ∗∗∗ --------------------------------------------- VMware Cloud Director update addresses remote code execution vulnerability (CVE-2022-22966) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0013.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lrzip), Fedora (community-mysql, expat, firefox, kernel, mingw-openjpeg2, nss, and openjpeg2), Mageia (ceph, subversion, and webkit2), openSUSE (chromium), Oracle (httpd:2.4), Red Hat (kpatch-patch), Slackware (ruby), SUSE (kernel and netatalk), and Ubuntu (gzip and xz-utils). --------------------------------------------- https://lwn.net/Articles/891354/ ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerabilities with libxml2 affect IBM Cloud Object Storage Systems (Apr 2022 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-libx… ∗∗∗ Security Bulletin: IBM Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint are vulnerable to exposing sensitive information (CVE-2022-22391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-high-speed-tra… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: OpenSSL vulnerability impacting Aspera High-Speed Transfer Server and Aspera High-Speed Transfer Endpoint 4.3.0 and earlier (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerability-imp… ∗∗∗ Security Bulletin: Vulnerability in Apache Struts affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-17530) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Performance Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K11455641: NGINX LDAP Reference Implementation security exposure ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K11455641 ∗∗∗ Juniper JUNOS (J-Web): Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0444 ∗∗∗ CVE-2022-0023 PAN-OS: Denial-of-Service (DoS) Vulnerability in DNS Proxy (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0023 ∗∗∗ PAN-SA-2022-0002 Informational: Cortex XDR Agent: Product Disruption by Local Windows Administrator (Severity: NONE) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0002 ∗∗∗ PAN-SA-2022-0001 Cortex XDR Agent: Supervisor Password Hash Disclosure Vulnerability When Generating Support Files (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2022-0001 ∗∗∗ CVE-2022-28810: ManageEngine ADSelfService Plus Authenticated Command Execution (Fixed) ∗∗∗ --------------------------------------------- https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-ads… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2022
by Daily end-of-shift report 13 Apr '22

13 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-04-2022 18:00 − Mittwoch 13-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Emotet modules and recent attacks ∗∗∗ --------------------------------------------- Emotet was disrupted in January 2021 and returned in November. This report provides technical description of its active modules and statistics on the malwares recent attacks. --------------------------------------------- https://securelist.com/emotet-modules-and-recent-attacks/106290/ ∗∗∗ Fodcha, a new DDos botnet ∗∗∗ --------------------------------------------- Recently, CNCERT and 360netlab worked together and discovered a rapidly spreading DDoS botnet on the Internet. The global infection looks fairly big as just in China there are more than 10,000 daily active bots (IPs) and alsomore than 100 DDoS victims being targeted on a daily basis. --------------------------------------------- https://blog.netlab.360.com/fodcha-a-new-ddos-botnet/ ∗∗∗ TallGrass - A Python script that enumerates supported antiviruses and their exclusions on Windows hosts within a domain ∗∗∗ --------------------------------------------- Some antiviruses, like Windows Defender, expose their exclusions through the registry. Because of this, it is possible, and somewhat trivial, to enumerate them for potential means of AV evasion. TallGrass queries the domain controller for all domain-joined Windows hosts, then enumerates the AV exclusions for each host. --------------------------------------------- https://github.com/chdav/TallGrass ∗∗∗ PCI DSS 4.0 veröffentlicht: Mehr Sicherheit für Kreditkartendaten ∗∗∗ --------------------------------------------- Die neue Version 4.0 von PCI DSS erweitert den De-facto-Standard der Security für Zahlungssysteme. Vor allem sollen die Ziele flexibler umzusetzen sein. --------------------------------------------- https://heise.de/-6671323 ∗∗∗ Achtung vor unseriösen Urlaubsangeboten wie reisebuero-fuchs.com! ∗∗∗ --------------------------------------------- Die Urlaubsplanungen für Frühling und Sommer sind längst voll in Gang. Das nützen auch Kriminelle und veröffentlichen betrügerische Plattformen zur Urlaubsbuchung. Dort finden Sie tolle Unterkünfte zu top Konditionen. Der Haken: Sie sollen vorab Anzahlungen leisten, die Inhaber:innen der Unterkünfte erfahren aber nichts von Ihren Buchungen und das Geld landet in der Tasche Krimineller! Fazit: Nichts bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-unserioesen-urlaubsangeb… ∗∗∗ Coercing NTLM Authentication from SCCM ∗∗∗ --------------------------------------------- tl;dr: Disable NTLM for Client Push Installation [...] Client push installation accounts require local admin privileges to install software on systems in an SCCM site, so it is often possible to relay the credentials and execute actions in the context of a local admin on other SCCM clients in the site. --------------------------------------------- https://posts.specterops.io/coercing-ntlm-authentication-from-sccm-e6e23ea8… ∗∗∗ CVE-2022-26809: All your RPC are belong to us ∗∗∗ --------------------------------------------- Im April 2022 Patchday von Microsoft findet man wieder Updates [...] Spannender ist das Pärchen CVE-2022-26809/CVE-2022-24491 mit RCE: hier kommt zwar der Patch vor der ersten bekannten Ausnutzung der Schwachstelle, dafür sollten bei CVSS 9.8 die Alarmglocken laut läuten. Beim ersten geht es um das generische RPC Service, beim zweiten um den NFS Server. Während NFS nicht überall im Einsatz sein wird, ist Windows RPC auf Port 445 sehr weit verbreitet und innerhalb von Firmennetzen auch zwangsläufig sehr selten durch Firewalls geschützt. --------------------------------------------- https://cert.at/de/aktuelles/2022/4/2022-04-windows-patchday ∗∗∗ [Caution] Virus/XLS Xanpei Infecting Normal Excel Files ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the constant distribution of malware strains that spread the infection when Excel file is opened. Besides infecting normal Excel files, they can also perform additional malicious behaviors such as acting as a downloader and performing DNS Spoofing, therefore, users need to take great caution. --------------------------------------------- https://asec.ahnlab.com/en/33630/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical flaw in Elementor WordPress plugin may affect 500k sites ∗∗∗ --------------------------------------------- The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. [..] The latest version includes a commit that implements an additional check on the nonce access, using the "current_user_can" WordPress function. While this should address the security gap, the researchers haven't validated the fix yet, and the Elementor team hasn't published any details about the patch. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-flaw-in-elementor-w… ∗∗∗ Sicherheit: Git gibt Sicherheitslücken bekannt und veröffentlicht Patch ∗∗∗ --------------------------------------------- Git hat zwei Sicherheitslücken bekannt gegeben und gleich auch einen Patch bereitgestellt, der diese stopft: Update dringend empfohlen. --------------------------------------------- https://www.golem.de/news/sicherheit-git-gibt-sicherheitsluecken-bekannt-un… ∗∗∗ Patchday: SAP dichtet 30 Sicherheitslücken ab ∗∗∗ --------------------------------------------- SAP hat zu Lücken in diversen Produkten 21 neue Meldungen veröffentlicht und neun ältere aktualisiert. Administratoren sollten die Updates bald installieren. --------------------------------------------- https://heise.de/-6670382 ∗∗∗ Sicherheitspatch für Apache Struts unvollständig – neues Updates soll es richten ∗∗∗ --------------------------------------------- Aufgrund der Gefahr von möglichen Schadcode-Attacken sollten Admins ihre Apache-Struts-Systeme auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-6670584 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (gzip, python-django, and xz), Debian (chromium, subversion, and zabbix), Red Hat (expat, kernel, and thunderbird), SUSE (go1.16, go1.17, kernel, libexif, libsolv, libzypp, zypper, opensc, subversion, thunderbird, and xz), and Ubuntu (git, linux-bluefield, nginx, and subversion). --------------------------------------------- https://lwn.net/Articles/891182/ ∗∗∗ Apache Subversion: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter oder anonymer Angreifer kann mehrere Schwachstellen in Apache Subversion ausnutzen, um Informationen offenzulegen oder einen Denial of Service zu verursachen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0436 ∗∗∗ Citrix Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Original release date: April 12, 2022Citrix has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the following Citrix security bulletins and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/12/citrix-releases-s… ∗∗∗ Motorola Android App Vulnerabilities ∗∗∗ --------------------------------------------- Some Motorola Android applications do not properly verify the server certificate which could lead to the communication channel being accessible by an attacker. [..] Update to latest version of the applications in the Product Impact section below. App Name: 'Ready For', 'Device Help' --------------------------------------------- http://support.lenovo.com/product_security/PS500482-MOTOROLA-ANDROID-APP-VU… ∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗ --------------------------------------------- The following vulnerabilities were reported in ThinkPad BIOS. CVE IDs: CVE-2022-1107, CVE-2022-1108 Update system firmware to the version (or newer) indicated for your model [..] --------------------------------------------- http://support.lenovo.com/product_security/PS500480-THINKPAD-BIOS-VULNERABI… ∗∗∗ Lenovo System Update Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability was reported in Lenovo System Update that could allow a local user with interactive system access the ability to execute code with elevated privileges only during the installation of a System Update package released before 2022-02-25 that displays a command prompt window. --------------------------------------------- http://support.lenovo.com/product_security/PS500483-LENOVO-SYSTEM-UPDATE-PR… ∗∗∗ Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968) ∗∗∗ --------------------------------------------- While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration. --------------------------------------------- https://spring.io/blog/2022/04/13/spring-framework-data-binding-rules-vulne… ∗∗∗ Bentley Security Advisory BE-2022-0006: IFC File Parsing Vulnerabilities in MicroStation and MicroStation-based applications ∗∗∗ --------------------------------------------- https://www.bentley.com/en/common-vulnerability-exposure/be-2022-0006 ∗∗∗ Security Bulletin: IBM Security SOAR is affected but not classified as vulnerable to remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-affe… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is vulnerable to arbitrary code exection due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: Publicly disclosed vulnerability in GNU binutils affects IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Valmet DNA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-01 ∗∗∗ Mitsubishi Electric MELSEC-Q Series C Controller Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-02 ∗∗∗ Inductive Automation Ignition ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-03 ∗∗∗ Mitsubishi Electric GT25-WLAN ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-04 ∗∗∗ Aethon TUG Home Base Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-102-05 ∗∗∗ NetApp Active IQ Unified Manager Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500484-NETAPP-ACTIVE-IQ-UNIFIE… ∗∗∗ Post-Auth Arbitrary File Read vulnerability Impacting End-Of-Life SRA Appliances and End-Of-Support SMA100 firmware versions ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0006 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2022
by Daily end-of-shift report 12 Apr '22

12 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 11-04-2022 18:00 − Dienstag 12-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Qbot malware switches to new Windows Installer infection vector ∗∗∗ --------------------------------------------- The Qbot botnet is now pushing malware payloads via phishing emails with password-protected ZIP archive attachments containing malicious MSI Windows Installer packages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-malware-switches-to-new… ∗∗∗ Discord-Konten im Visier von Cyberkriminellen ∗∗∗ --------------------------------------------- Seit Jahresanfang sehen GDatas Sicherheitsforscher einen Anstieg an Malware, die Zugangstoken zu Discord stehlen will. Nutzer sollten Maßnahmen ergreifen. --------------------------------------------- https://heise.de/-6669765 ∗∗∗ Terrible cloud security is leaving the door open for hackers. Heres what youre doing wrong ∗∗∗ --------------------------------------------- A rise in hybrid work and a shift to cloud platforms has changed how businesses operate - but its also leaving them vulnerable to cyberattacks. --------------------------------------------- https://www.zdnet.com/article/terrible-cloud-security-is-leaving-the-door-o… ∗∗∗ Industroyer2: Industroyer reloaded ∗∗∗ --------------------------------------------- This ICS-capable malware targets a Ukrainian energy company --------------------------------------------- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ ∗∗∗ F5 investigating reports of NGINX zero day ∗∗∗ --------------------------------------------- UPDATE 4/12: On Monday evening, NGINX released a blog about the issue, writing that it only affects reference implementations and does not affect NGINX Open Source or NGINX Plus. The company said deployments of the LDAP reference implementation are affected by the vulnerabilities if command-line parameters are used to configure the Python daemon, if there are unused, optional configuration parameters and if LDAP authentication depends on specific group membership. --------------------------------------------- https://therecord.media/f5-investigating-reports-of-nginx-zero-day/ ∗∗∗ SystemBC Being Used by Various Attackers ∗∗∗ --------------------------------------------- SystemBC is a proxy malware that has been used by various attackers for the last few years. While it is recently distributed through SmokeLoader or Emotet, this malware has steadily been used in various ransomware attacks in the past. When an attacker attempts to access a certain address with malicious intent, the system can be used as a passage if the infected system utilizes SystemBC, which acts as a Proxy Bot. --------------------------------------------- https://asec.ahnlab.com/en/33600/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical LFI Vulnerability Reported in Hashnode Blogging Platform ∗∗∗ --------------------------------------------- Researchers have disclosed a previously undocumented local file inclusion (LFI) vulnerability in Hashnode, a developer-oriented blogging platform, that could be abused to access sensitive data such as SSH keys, servers IP address, and other network information. --------------------------------------------- https://thehackernews.com/2022/04/critical-lfi-vulnerability-reported-in.ht… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird and usbguard), Fedora (containerd, firefox, golang-github-containerd-imgcrypt, nss, and vim), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (libexif, mozilla-nss, mysql-connector-java, and qemu), and Ubuntu (libarchive and python-django). --------------------------------------------- https://lwn.net/Articles/891048/ ∗∗∗ Amazon RDS Vulnerability Led to Exposure of Credentials ∗∗∗ --------------------------------------------- Amazon Web Services (AWS) on Monday announced that it recently addressed a vulnerability in Amazon Relational Database Service (RDS) that could lead to the exposure of internal credentials. --------------------------------------------- https://www.securityweek.com/amazon-rds-vulnerability-led-exposure-credenti… ∗∗∗ SSA-350757 V1.0: Improper Access Control Vulnerability in TIA Portal Affecting S7-1200 and S7-1500 CPUs Web Server (Incl. Related ET200 CPUs and SIPLUS variants) ∗∗∗ --------------------------------------------- An attacker could achieve privilege escalation on the web server of certain devices configured by SIMATIC STEP 7 (TIA Portal) due to incorrect handling of the webserverâ€™s user management configuration during downloading. This only affects the S7-1200 and S7-1500 CPUsâ€™ (incl.Â related ET200 CPUs and SIPLUS variants) web server, when activated. Siemens has released updates for several affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-350757.txt ∗∗∗ SSA-392912 V1.0: Multiple Denial Of Service Vulnerabilities in SCALANCE W1700 Devices ∗∗∗ --------------------------------------------- Vulnerabilities have been identified in devices of the SCALANCE W-1700 (11ac) family that could allow an attacker to cause various denial of service conditions. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-392912.txt ∗∗∗ SSA-414513 V1.0: Information Disclosure Vulnerability in Mendix ∗∗∗ --------------------------------------------- An information disclosure vulnerability in Mendix applications was discovered. The vulnerability could allow to read sensitive data. Siemens has released an update for the Mendix Applications using Mendix 9 and recommends to update to the latest version. Siemens recommends countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-414513.txt ∗∗∗ SSA-446448 V1.0: Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack ∗∗∗ --------------------------------------------- The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, contains a vulnerability that could allow an attacker to cause a denial of service condition on affected industrial products. Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-446448.txt ∗∗∗ SSA-557541 V1.0: Denial-of-Service Vulnerability in SIMATIC S7-400 CPUs ∗∗∗ --------------------------------------------- SIMATIC S7-400 CPU devices contain an input validation vulnerability that could allow an attacker to create a Denial-of-Service condition. A restart is needed to restore normal operations. Siemens has released an update for SIMATIC S7-410 V10 CPU family and SIMATIC S7-400 H V6 CPU family (incl.Â SIPLUS variants for both) and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not yet --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-557541.txt ∗∗∗ SSA-655554 V1.0: Multiple Vulnerabilities in SIMATIC Energy Manager before V7.3 Update 1 ∗∗∗ --------------------------------------------- SIMATIC Energy Manager is affected by multiple vulnerabilities that could allow an attacker to gain local privilege escalation, local code execution or remote code execution. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-655554.txt ∗∗∗ SSA-711829 V1.0: Denial of Service Vulnerability in TIA Administrator ∗∗∗ --------------------------------------------- In conjunction with the installation of the affected products listed in the table below, a vulnerability in TIA Administrator occurs that could allow an unauthenticated attacker to perform a denial of service attack. Siemens has released a first update for one of the affected products and recommends to update to the latest version. Siemens is preparing further updates and recommends specific countermeasures. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-711829.txt ∗∗∗ SSA-836527 V1.0: Multiple Vulnerabilities in SCALANCE X-300 Switch Family Devices ∗∗∗ --------------------------------------------- Several SCALANCE X-300 switches contain multiple vulnerabilities. An unauthenticated attacker could reboot, cause denial of service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-836527.txt ∗∗∗ SSA-870917 V1.0: Improper Access Control Vulnerability in Mendix ∗∗∗ --------------------------------------------- When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field. Siemens has released updates for the affected products and recommends to update to the latest versions. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-870917.txt ∗∗∗ SSA-998762 V1.0: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.2 ∗∗∗ --------------------------------------------- Siemens Simcenter Femap versions before V2022.1.2 are affected by vulnerabilities that could be triggered when the application reads files in .NEU format. If a user is tricked to open a malicious file with the affected application, an attacker could leverage the vulnerability to leak information or potentially perform remote code execution in the context of the current process. Siemens recommends to update to the latest version line of Simcenter Femap and to avoid opening of untrusted files --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-998762.txt ∗∗∗ SSA-316850: Unauthenticated File Access in SICAM A8000 Devices ∗∗∗ --------------------------------------------- SICAM A8000 CP-8050 and CP-8031 devices contain vulnerabilities that could allow an attacker to access files without authentication. --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-316850.txt ∗∗∗ SAP Patchday April 2022 ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0414 ∗∗∗ Citrix SD-WAN Security Bulletin for CVE-2022-27505 and CVE-2022-27506 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX370550 ∗∗∗ Citrix StoreFront Security Bulletin for CVE-2022-27503 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX377814 ∗∗∗ Citrix Gateway Plug-in for Windows Security Bulletin for CVE-2022-21827 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341455 ∗∗∗ PHOENIX CONTACT: Multiple Linux component vulnerabilities fixed in latest AXC F x152 LTS release ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-010/ ∗∗∗ PHOENIX CONTACT: mGuard Device Manager affected by HTTP Request Smuggling of Apache Webserver ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-014/ ∗∗∗ PHOENIX CONTACT: Multiple products affected by possible infinite loop within OpenSSL library ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-013/ ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Framework ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is affected by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Maximo For Civil infrastructure is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-for-civil-infr… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to Prototype Pollution due to json-schema CVE-2021-3918 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: Vulnerabilities in Dojo and dom4j libraries affect Tivoli Netcool/OMNIbus WebGUI (CVE-2020-10683, CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-dojo-a… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Performance Management products (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-risk-manager-is-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServers that use the Box connector may be vulnerable to arbitrary code execution due to CVE-2021-23555 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Multiple Vulnerabilities affect IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to CKEditor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2022
by Daily end-of-shift report 11 Apr '22

11 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-04-2022 18:00 − Montag 11-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Android banking malware takes over calls to customer support ∗∗∗ --------------------------------------------- A banking trojan for Android that researchers call Fakecalls comes with a powerful capability that enables it to take over calls to a banks customer support number and connect the victim directly with the cybercriminals operating the malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-banking-malware-take… ∗∗∗ Security: OpenSSH 9.0 veröffentlicht ∗∗∗ --------------------------------------------- Die neue Version von OpenSSH bringt unter anderem eine Härtung gegen Faktorisierungsattacken mit zukünftigen Quantencomputern mit. --------------------------------------------- https://www.golem.de/news/security-openssh-9-0-veroeffentlicht-2204-164550-… ∗∗∗ Method For String Extraction Filtering, (Sat, Apr 9th) ∗∗∗ --------------------------------------------- In diary entry "XLSB Files: Because Binary is Stealthier Than XML", Xavier shows how to extract strings (URLs) from binary files that make up an Excel spreadsheet. This inspired me to make a tool to parse this XLSB file format: "Quickie: Parsing XLSB Documents". Now I'm presenting another method, one that uses string analysis. --------------------------------------------- https://isc.sans.edu/diary/rss/28532 ∗∗∗ Mirai-Botnet missbraucht Spring4Shell-Sicherheitsleck ∗∗∗ --------------------------------------------- Sicherheitsforscher haben beobachtet, dass das Mirai-Botnet die Spring4Shell-Schwachstelle angreift und dadurch die Malware verbreitet. --------------------------------------------- https://heise.de/-6668646 ∗∗∗ Denonia cryptominer is first malware to target AWS Lambda ∗∗∗ --------------------------------------------- There is now malware in serverless environments. Dubbed Denonia, it specifically targets the AWS Lambda to perform cryptojacking. --------------------------------------------- https://blog.malwarebytes.com/business-2/2022/04/denonia-cryptominer-is-fir… ∗∗∗ Octo Android Trojan Allows Cybercrooks to Conduct On-Device Fraud ∗∗∗ --------------------------------------------- Threat Fabric security researchers have analyzed an Android banking trojan that allows its operators to perform on-device fraud. --------------------------------------------- https://www.securityweek.com/octo-android-trojan-allows-cybercrooks-conduct… ∗∗∗ Think Like a Criminal: Knowing Popular Attack Techniques to Stop Bad Actors Faster ∗∗∗ --------------------------------------------- Analyzing the attack goals of adversaries is important to be able to better align defenses against the speed of changing attack techniques. By focusing on a handful of techniques, you can effectively shut down malware’s methods of choice for getting in and making itself at home. To achieve this, you need to know which key areas to be focusing on in the coming months. --------------------------------------------- https://www.securityweek.com/think-criminal-knowing-popular-attack-techniqu… ∗∗∗ Love-Scam - Wie unterstütze ich Betroffene? ∗∗∗ --------------------------------------------- Hilfe! Mein Mutter, mein Onkel, meine Bekannte liebt eine:n Internetbetrüger:in. Für Außenstehende ist der Fall meist klar: Die Internetliebe ist ein:e Betrüger:in. Das Opfer möchte dies aber nicht glauben und überweist immer wieder Geld. Was tun? Wie können Sie Opfer von Liebesbetrüger:innen unterstützen? --------------------------------------------- https://www.watchlist-internet.at/news/love-scam-wie-unterstuetze-ich-betro… ∗∗∗ New SolarMarker (Jupyter) Campaign Demonstrates the Malware's Changing Attack Patterns ∗∗∗ --------------------------------------------- A new version of SolarMarker malware appears to upgrade evasion abilities and demonstrates that the infostealer and backdoor continues to evolve. --------------------------------------------- https://unit42.paloaltonetworks.com/solarmarker-malware/ ∗∗∗ Insider-Bedrohungen greifen nach außen ∗∗∗ --------------------------------------------- Wenn Mitarbeiter auf eigene Faust zum Cyberkrieger werden wollen, kann das die Unternehmenssicherheit ebenso gefährden wie traditionelle Insider- und externe Bedrohungen, berichtet Andreas Riepen, Regional Sales Director Central Europe bei Vectra AI, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88400523/insider-bedrohungen-greifen-nach-aussen/ ∗∗∗ Cyber-Sicherheit im Gesundheitswesen ∗∗∗ --------------------------------------------- Das Gesundheitswesen ist nach wie vor einer der am häufigsten durch Hacker angegriffenen Bereiche. Lieder wurden in der Vergangenheit entsprechende Hausaufgaben lange aufgeschobene. --------------------------------------------- https://www.borncity.com/blog/2022/04/10/cyber-sicherheit-im-gesundheitswes… ===================== = Vulnerabilities = ===================== ∗∗∗ Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now! ∗∗∗ --------------------------------------------- A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it. --------------------------------------------- https://nakedsecurity.sophos.com/2022/04/08/popular-ruby-asciidoc-toolkit-p… ∗∗∗ Spring: It isnt just about Spring4Shell. Spring Cloud Function Vulnerabilities are being probed too., (Mon, Apr 11th) ∗∗∗ --------------------------------------------- Our "First Seen URL" page did show attempts to access /actuator/gateway/routes this weekend. So I dug in a bit deeper to see what these scans are all about. [...] The scan for /actuator/gateway/routes may be looking for systems that are possibly vulnerable to CVE-2022-22947 or other vulnerabilities in the Spring Cloud function (we had at least three different vulnerabilities recently). --------------------------------------------- https://isc.sans.edu/diary/rss/28538 ∗∗∗ ABB Cyber Security Advisory: ARM600 M2M Gateway NSS library and polkit vulnerabilities ∗∗∗ --------------------------------------------- These vulnerabilities affect cryptographic libraries and privilege handling. Subsequently, a successful exploit could allow attackers to execute code with root user privileges or to elevate a non-privileged user to a privileged user. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001254&Language… ∗∗∗ ABB Cyber Security Advisory: Arctic Wireless Gateway Firewall vulnerability (CVE-2022-0947) ∗∗∗ --------------------------------------------- A vulnerability is found in the ABB Arctic wireless gateways in a specific configuration and when using firmware versions from 2.4.0 or later until version 3.4.10. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001253&Language… ∗∗∗ Verschlüsselungsschwächen in Datenmanagementsoftware Dell EMC PowerScale OneFS ∗∗∗ --------------------------------------------- Admins von Systemen mit Dell EMC PowerScale OneFS sollten die Software aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-6668566 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gzip, libxml2, minidlna, openjpeg2, thunderbird, webkit2gtk, wpewebkit, xen, and xz-utils), Fedora (crun, unrealircd, and vim), Mageia (389-ds-base, busybox, flatpak, fribidi, gdal, python-paramiko, and usbredir), openSUSE (opera and seamonkey), Oracle (kernel and kernel-container), Red Hat (firefox), Scientific Linux (firefox), Slackware (libarchive), SUSE (389-ds, libsolv, libzypp, zypper, and python), and Ubuntu (python-django and tcpdump). --------------------------------------------- https://lwn.net/Articles/890936/ ∗∗∗ XSS vulnerability patched in Directus data engine platform ∗∗∗ --------------------------------------------- The platform is described as a "flexible powerhouse for engineers." --------------------------------------------- https://www.zdnet.com/article/xss-vulnerability-patched-in-directus-data-en… ∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0412 ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23806 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty for IBM i is vulnerable to spoofing and clickjacking attacks due to swagger-ui (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Sterling Global Mailbox is vulnerable to denial of service due to Jackson-Databind (217968 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-global-mailb… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to log4js-node CVE-2022-21704 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: A cross-site scripting (XSS) vulnerability may impact IBM Cúram Social Program Management(CVE-2021-39068) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-xs… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in Google Gson (217225) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-24921 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23772 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to Go CVE-2022-23773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to node-request-retry CVE-2022-0654 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2020-5421). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to cross-site Ajax request vulnerability due to Prototype JavaScript (CVE-2008-7220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple CVEs in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.04.2022
by Daily end-of-shift report 08 Apr '22

08 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-04-2022 18:00 − Freitag 08-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malicious web redirect service infects 16,500 sites to push malware ∗∗∗ --------------------------------------------- A new TDS (Traffic Direction System) operation called Parrot has emerged in the wild, having already infected servers hosting 16,500 websites of universities, local governments, adult content platforms, and personal blogs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-web-redirect-servi… ∗∗∗ Mirai malware now delivered using Spring4Shell exploits ∗∗∗ --------------------------------------------- The Mirai malware is now leveraging the Spring4Shell exploit to infect vulnerable web servers and recruit them for DDoS (distributed denial of service) attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mirai-malware-now-delivered-… ∗∗∗ CVE-2021-30737, @xerubs 2021 iOS ASN.1 Vulnerability ∗∗∗ --------------------------------------------- Originally this post was just a series of notes I took last year as I was trying to understand this bug. But the bug itself and the narrative around it are so fascinating that I thought it would be worth writing up these notes into a more coherent form to share with the community. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/04/cve-2021-30737-xerubs-2021-i… ∗∗∗ Public Report – Google Enterprise API Security Assessment ∗∗∗ --------------------------------------------- During the autumn of 2021, Google engaged NCC Group to perform a review of the Android 12 Enterprise API to evaluate its compliance with the Security Technical Implementation Guides (STIG) matrix provided by Google. --------------------------------------------- https://research.nccgroup.com/2022/04/07/public-report-google-enterprise-ap… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (libtiff), Debian (chromium), Fedora (buildah and chromium), openSUSE (firefox), SUSE (firefox, libsolv, libzypp, and openjpeg2), and Ubuntu (firefox and python-oslo.utils). --------------------------------------------- https://lwn.net/Articles/890718/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SPSS Analytic Server is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spss-analytic-server-… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2021-22931) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Host On-Demand ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to cross-site request forgery (CVE-2020-4668) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: Vulnerability in json4j – CVE-2021-3918 (Publicly disclosed vulnerability) impacts IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json4j-c… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: Apache Log4j vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: LDAP vulnerability in WebSphere Liberty Profile can affect IBM InfoSphere Global Name Management ENS (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ldap-vulnerability-in-web… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0004 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0004.html ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0405 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0406 ∗∗∗ Microsoft Edge 100.0.1185.36 fixt Schwachstelle ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/04/08/microsoft-edge-100-0-1185-36-fixt-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2022
by Daily end-of-shift report 07 Apr '22

07 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-04-2022 18:00 − Donnerstag 07-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New FFDroider malware steals Facebook, Instagram, Twitter accounts ∗∗∗ --------------------------------------------- A new information stealer named FFDroider has emerged, stealing credentials and cookies stored in browsers to hijack victims social media accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ffdroider-malware-steals… ∗∗∗ A Bad Luck BlackCat ∗∗∗ --------------------------------------------- A new ransomware actor started advertising its services on a Russian underground forum. They presented themselves as ALPHV, but the group is also known as BlackCat. --------------------------------------------- https://securelist.com/a-bad-luck-blackcat/106254/ ∗∗∗ What is BIMI and how is it supposed to help with Phishing., (Thu, Apr 7th) ∗∗∗ --------------------------------------------- Phishing works because it is hard to figure out if an email or a website is authentic. Over the years, many technical solutions have been implemented to make it easier to recognize valid senders or a valid website. --------------------------------------------- https://isc.sans.edu/diary/rss/28528 ∗∗∗ SharkBot Banking Trojan Resurfaces On Google Play Store Hidden Behind 7 New Apps ∗∗∗ --------------------------------------------- As many as seven malicious Android apps discovered on the Google Play Store masqueraded as antivirus solutions to deploy a banking trojan called SharkBot. --------------------------------------------- https://thehackernews.com/2022/04/sharkbot-banking-trojan-resurfaces-on.html ∗∗∗ Whatsapp-Kettenbrief: "Milka" erneut Köder für gefälschte Gewinnspiele ∗∗∗ --------------------------------------------- Kriminelle werden nicht müde, die Schokoladenmarke für ihre Zwecke zu nutzen. Erst recht kurz vor Ostern. --------------------------------------------- https://heise.de/-6665629 ∗∗∗ DSGVO-Verstoß auf Ihrer Webseite? Lassen Sie sich nicht verunsichern! ∗∗∗ --------------------------------------------- Uns wurden zahlreiche E-Mails gemeldet, die auf einen DSGVO-Verstoß auf der Website von Unternehmen hinweisen. Das E-Mail bezieht sich auf die Verwendung von Google Analytics. Es besteht kein Grund zur Sorge, doch langfristig sollten Sie nach Alternativen zu dem Google-Dienst suchen. --------------------------------------------- https://www.watchlist-internet.at/news/dsgvo-verstoss-auf-ihrer-webseite-la… ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/04/06/cisa-adds-three-k… ∗∗∗ CVE-2022-26381: Gone by others! Triggering a UAF in Firefox ∗∗∗ --------------------------------------------- Memory corruption vulnerabilities have been well known for a long time and programmers have developed various methods to prevent them. One type of memory corruption that is very hard to prevent is the use-after-free and the reason is that it has too many faces! --------------------------------------------- https://www.thezdi.com/blog/2022/4/7/cve-2022-26381-gone-by-others-triggeri… ===================== = Vulnerabilities = ===================== ∗∗∗ Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug ∗∗∗ --------------------------------------------- American cybersecurity company Palo Alto Networks warned customers on Wednesday that some of its firewall, VPN, and XDR products are vulnerable to a high severity OpenSSL infinite loop bug disclosed three weeks ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/palo-alto-networks-firewalls… ∗∗∗ Jetzt aktualisieren: VMware patcht teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere VMware-Produkte sind von teils kritischen Lücken betroffen, durch die Angreifer Schadcode einschleusen könnten. Es gibt Updates und Gegenmaßnahmen. --------------------------------------------- https://heise.de/-6665440 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (bind), Debian (firefox-esr), Fedora (fribidi, gdal, and mingw-gdal), openSUSE (pdns-recursor and SDL2), Oracle (kernel), Slackware (mozilla), SUSE (glibc and openvpn-openssl1), and Ubuntu (fribidi and linux-azure-5.13, linux-oracle-5.13). --------------------------------------------- https://lwn.net/Articles/890620/ ∗∗∗ Multiple Cisco Security Products Simple Network Management Protocol Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Webex Meetings Java Deserialization Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Web Security Appliance Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Secure Network Analytics Network Diagrams Application Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine Sensitive Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: Apache Log4j vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ April 6, 2022 TNS-2022-08 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.20.1: Patch 202204.1 ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-08 ∗∗∗ VMSA-2022-0012 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0012.html ∗∗∗ K51048910: Eclipse Jetty vulnerability CVE-2021-28169 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K51048910 ∗∗∗ Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulne… ∗∗∗ WEIDMUELLER: Multiple vulnerabilities in Modbus TCP/RTU Gateways ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-008/ ∗∗∗ Pepperl+Fuchs WirelessHART-Gateway ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-097-01 ∗∗∗ ABB SPIET800 and PNI800 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-097-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2022
by Daily end-of-shift report 06 Apr '22

06 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-04-2022 18:00 − Mittwoch 06-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Microsoft detects Spring4Shell attacks across its cloud services ∗∗∗ --------------------------------------------- Microsoft said that its currently tracking a "low volume of exploit attempts" targeting the critical Spring4Shell (aka SpringShell) remote code execution (RCE) vulnerability across its cloud services. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-detects-spring4she… ∗∗∗ Windows MetaStealer Malware, (Wed, Apr 6th) ∗∗∗ --------------------------------------------- The malware abuses legitimate services by Github and transfer.sh to host these data binaries. All URLs, domains, and IP addresses were still active for the infection approximately 3 hours before I posted this diary. --------------------------------------------- https://isc.sans.edu/diary/rss/28522 ∗∗∗ Zero-Day-Lücken: Ältere macOS- und iOS-Versionen weiter angreifbar ∗∗∗ --------------------------------------------- Aktiv ausgenutzte Lücken hat Apple nur in iOS 15 und macOS 12 gestopft. Sicherheitsforschern zufolge sind aber auch ältere Betriebssystemversionen verwundbar. --------------------------------------------- https://heise.de/-6664730 ∗∗∗ Wenn der PC plötzlich steckenbleibt, nicht bei Microsoft anrufen! ∗∗∗ --------------------------------------------- Die Betrugsmasche, bei der sich Kriminelle als Microsoft-Angestellte ausgeben und ihre Opfer telefonisch kontaktieren, ist weitläufig bekannt. Aktuell erhalten Betroffene vermehrt keinen Anruf, sondern werden durch Pop-ups auf ihren Bildschirmen, die die Nutzung des Computers einschränken, zu Anrufen bewegt. Achtung: Nicht anrufen, sonst drohen Geld- und Datenverluste! --------------------------------------------- https://www.watchlist-internet.at/news/wenn-der-pc-ploetzlich-steckenbleibt… ∗∗∗ Fake e‑shops on the prowl for banking credentials using Android malware ∗∗∗ --------------------------------------------- This campaign was first identified at the end of 2021, with the attackers impersonating the legitimate cleaning service Maid4u. Distributed through Facebook ads, the campaign tempts potential victims to download Android malware from a malicious website. It is still ongoing as of the publication of this blogpost, with even more distribution domains registered after its discovery. In January 2022, MalwareHunterTeam shared three more malicious websites and Android trojans attributed to this campaign. --------------------------------------------- https://www.welivesecurity.com/2022/04/06/fake-eshops-prowl-banking-credent… ∗∗∗ Analyzing a “multilayer” Maldoc: A Beginner’s Guide ∗∗∗ --------------------------------------------- In this blog post, we will not only analyze an interesting malicious document, but we will also demonstrate the steps required to get you up and running with the necessary analysis tools. There is also a howto video for this blog post. --------------------------------------------- https://blog.nviso.eu/2022/04/06/analyzing-a-multilayer-maldoc-a-beginners-… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories (FortiClient, FortiEDR, FortiWAN) ∗∗∗ --------------------------------------------- * FortiClient (Linux) - Improper directories permissions * FortiClient (Linux) - external access to confighandler webserver * FortiClient (Windows) - privilege escalation in online installer due to incorrect working directory * FortiEDR - Denial of service due to folder access permission change * FortiEDR - Hardcoded AES key enable disabling local Collector * FortiEDR - Insecure RSA key transport * FortiWAN - Improper cryptographic operations in Dynamic Tunnel Protocol * FortiWAN - Pervasive OS command --------------------------------------------- https://www.fortiguard.com/psirt?date=04-2022 ∗∗∗ VMSA-2022-0011 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3-9.8 CVE(s): CVE-2022-22954, CVE-2022-22955,CVE-2022-22956, CVE-2022-22957, CVE-2022-22958, CVE-2022-22959, CVE-2022-22960, CVE-2022-22961 Synopsis: VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0011.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (rizin), Fedora (fish, gdal, mingw-fribidi, mingw-gdal, mingw-openexr, mingw-python-pillow, mingw-python3, and python-pillow), Mageia (chromium-browser-stable), Oracle (Extended Lifecycle Support (ELS) Unbreakable Enterprise kernel and kernel), Red Hat (kernel, kernel-rt, and Red Hat OpenStack Platform 16.2 (python-waitress)), Scientific Linux (kernel), Slackware (mozilla), SUSE (mozilla-nss), and Ubuntu (h2database). --------------------------------------------- https://lwn.net/Articles/890404/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.8 ∗∗∗ --------------------------------------------- CVE-2022-1097, CVE-2022-28281, CVE-2022-1197, CVE-2022-1196, CVE-2022-28282, CVE-2022-28285, CVE-2022-28286, CVE-2022-24713, CVE-2022-28289 In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-15/ ∗∗∗ Spring Cloud Data Flow 2.9.4 Released ∗∗∗ --------------------------------------------- On behalf of the team and everyone who has contributed, I’m happy to announce that Spring Cloud Dataflow 2.9.4 has been released and is now available from Maven Central. This release contains an update of the Spring Boot version and addresses a couple of CVEs. Notable Changes in 2.9.4: * Update to Spring Boot 2.5.12 * Resolves CVE-2022-22965 * Resolves CVE-2021-29425 --------------------------------------------- https://spring.io/blog/2022/04/05/spring-cloud-data-flow-2-9-4-released ∗∗∗ Improper Authentication Management Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220406-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to spoofing attacks and clickjacking due to swagger-ui (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Watson Query potentially exposes adminstrator's key under some conditions due to CVE-2022-22410 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-query-potentially-… ∗∗∗ Security Bulletin: Cross-site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Vulnerabilities with Apache HTTP Server affect IBM Cloud Object Storage Systems (Apr 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-apac… ∗∗∗ K49419538: libxml2 vulnerability CVE 2016-4658 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49419538?utm_source=f5support&utm_mediu… ∗∗∗ WAGO: Multiple Products affected by Linux Kernel Vulnerability Dirty Pipe ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-009/ ∗∗∗ LifePoint Informatics Patient Portal ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-095-01 ∗∗∗ Rockwell Automation ISaGRAF ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-095-01 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-095-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2022
by Daily end-of-shift report 05 Apr '22

05 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Montag 04-04-2022 18:00 − Dienstag 05-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ WhatsApp voice message phishing emails push info-stealing malware ∗∗∗ --------------------------------------------- A new WhatsApp phishing campaign impersonating WhatsApps voice message feature has been discovered, attempting to spread information-stealing malware to at least 27,655 email addresses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/whatsapp-voice-message-phish… ∗∗∗ SpringShell RCE vulnerability: Guidance for protecting against and detecting CVE-2022-22965 ∗∗∗ --------------------------------------------- Microsoft provides guidance for customers looking for protection against exploitation and ways to detect vulnerable installations on their network of the critical vulnerability CVE-2022-22965, also known as SpringShell or Spring4Shell. --------------------------------------------- https://www.microsoft.com/security/blog/2022/04/04/springshell-rce-vulnerab… ∗∗∗ WebLogic Crypto Miner Malware Disabling Alibaba Cloud Monitoring Tools, (Tue, Apr 5th) ∗∗∗ --------------------------------------------- Looking through my honeypot logs for some Spring4Shell exploits (I didn't find anything interesting), I came across this attempt to exploit an older WebLogic vulnerability (likely %%cve:2020-14882%% or %%cve:2020-14883%%). The exploit itself is "run of the mill," but the script downloaded is going through an excessively long list of competitors to disable and disabled cloud monitoring tools, likely to make detecting and response more difficult. --------------------------------------------- https://isc.sans.edu/diary/rss/28520 ∗∗∗ ZDI-22-547: (0Day) (Pwn2Own) Samsung Galaxy S21 Exposed Dangerous Method Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to execute arbitrary code on affected installations of Samsung Galaxy S21 phones. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-547/ ∗∗∗ Phishing-Angriffe auf Kryptowährungssektor nach Einbruch bei MailChimp ∗∗∗ --------------------------------------------- Nach einem Einbruch beim Marketing-Mail-Anbieter MailChimp haben Cyberkriminelle versucht, per Phishing an Kryptowährungen von Krypto-Wallet-Kunden zu gelangen. --------------------------------------------- https://heise.de/-6662971 ∗∗∗ CISA advises D-Link users to take vulnerable routers offline ∗∗∗ --------------------------------------------- CISA has advised users to take certain vulnerable D-Link routers offline since the existing vulnerabilities are know to be actively exploited and the models have reached EOL and will not get patched. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/04/cisa-adv… ∗∗∗ Threat Spotlight: AsyncRAT campaigns feature new version of 3LOSH crypter ∗∗∗ --------------------------------------------- Ongoing malware distribution campaigns are using ISO disk images to deliver AsyncRAT, LimeRAT and other commodity malware to victims.The infections leverage process injection to evade detection by endpoint security software. --------------------------------------------- http://blog.talosintelligence.com/2022/04/asyncrat-3losh-update.html ===================== = Vulnerabilities = ===================== ∗∗∗ Android Security Bulletin—April 2022 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2022-04-05 or later address all of these issues. --------------------------------------------- https://source.android.com/security/bulletin/2022-04-01 ∗∗∗ Xen Security Advisory CVE-2022-26358,CVE-2022-26359,CVE-2022-26360,CVE-2022-26361 / XSA-400 ∗∗∗ --------------------------------------------- IOMMU: RMRR (VT-d) and unity map (AMD-Vi) handling issues. The precise impact is system specific, but would likely be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-400.html ∗∗∗ Xen Security Advisory CVE-2022-26357 / XSA-399 ∗∗∗ --------------------------------------------- race in VT-d domain ID cleanup. The precise impact is system specific, but would typically be a Denial of Service (DoS) affecting the entire host. Privilege escalation and information leaks cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-399.html ∗∗∗ Xen Security Advisory CVE-2022-26356 / XSA-397 ∗∗∗ --------------------------------------------- Racy interactions between dirty vram tracking and paging log dirty hypercalls. An attacker can cause Xen to leak memory, eventually leading to a Denial of Service (DoS) affecting the entire host. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-397.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Arch Linux (polkit, postgresql, and zlib), openSUSE (389-ds and opera), Red Hat (kpatch-patch), SUSE (389-ds and util-linux), and Ubuntu (waitress). --------------------------------------------- https://lwn.net/Articles/890258/ ∗∗∗ Kyocera Printer: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Kyocera Printer ausnutzen, um Informationen offenzulegen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0391 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- This issue may allow privileged code in a guest VM to cause the host to crash or become unresponsive. The issue only affects systems with Intel CPUs where the malicious guest VM has had a physical PCI device assigned to it by the host administrator using the PCI passthrough feature. The issue has the following identifier: CVE-2022-26357 Customers who have not assigned a physical PCI device to a guest VM are not affected by this issue. Customers who are running on systems with only AMD CPUs are also not affected by this issue. --------------------------------------------- https://support.citrix.com/article/CTX390511 ∗∗∗ Sicherheitsupdate für Webbrowser Google Chrome ∗∗∗ --------------------------------------------- https://heise.de/-6662814 ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple issues within Red Hat UBI packages and the IBM WebSphere Application Server Liberty shipped with IBM MQ Operator v1.7 CD Release ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Dojo Toolkil shipped with IBM Tivoli Netcool Impact (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by an Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by account enumeration and denial of service vulnerabilities (CVE-2022-22356 and CVE-2022-22355) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected by gson vulnerability (C2021-0419) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ K29855410: Vim vulnerabilities CVE-2022-0261, CVE-2022-0318, CVE-2022-0361, CVE-2022-0392, and CVE-2022-0413 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29855410?utm_source=f5support&utm_mediu… ∗∗∗ K08827426: Vim vulnerability CVE-2022-0359 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08827426?utm_source=f5support&utm_mediu… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 91.8 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-14/ ∗∗∗ Security Vulnerabilities fixed in Firefox 99 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-13/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2022
by Daily end-of-shift report 04 Apr '22

04 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-04-2022 18:00 − Montag 04-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake-Shop-Alarm: Vorsicht beim Online-Einkauf von Markenware! ∗∗∗ --------------------------------------------- Wer Markenkleidung oder -schuhe online kaufen will, sollte sich vergewissern, dass das Angebot seriös ist. Denn derzeit tauchen zahlreiche Fake-Shops auf, die angeben, beliebte Markenware zu verkaufen. Keine dieser betrügerischen Shops hat ein Impressum auf der Seite, die Webadresse hat außerdem nichts mit den angebotenen Waren zu tun. Das sind typische Merkmale für Fake-Shops und gute Gründe, hier nicht einzukaufen! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online… ∗∗∗ Explaining Spring4Shell: The Internet security disaster that wasn’t ∗∗∗ --------------------------------------------- Vulnerability in the Spring Java Framework is important, but its no Log4Shell. --------------------------------------------- https://arstechnica.com/?p=1845362 ∗∗∗ Beastmode botnet boosts DDoS power with new router exploits ∗∗∗ --------------------------------------------- A Mirai-based distributed denial-of-service (DDoS) botnet tracked as Beastmode (aka B3astmode) has updated its list of exploits to include several new ones, three of them targeting various models of Totolink routers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/beastmode-botnet-boosts-ddos… ∗∗∗ Emptying the Phishtank: Are WordPress sites the Mosquitoes of the Internet?, (Mon, Apr 4th) ∗∗∗ --------------------------------------------- In November, an accountant working for a construction company received an innocent enough-looking email: An update on the terms to submit bills to a local county. Seeing the email, the accountant clicked on the link and quickly downloaded the new document after entering their Outlook 365 credentials. The PDF looked all right but was something the accountant had already downloaded a couple of weeks ago from the county’s official website. [...] This, turns out, was a typical case of “business email compromise.” --------------------------------------------- https://isc.sans.edu/diary/rss/28516 ∗∗∗ WordPress Popunder Malware Redirects to Scam Sites ∗∗∗ --------------------------------------------- Over the last year we’ve seen an ongoing malware infection which redirects website visitors to scam sites. So far this year our monitoring has detected over 3,000 websites infected with this injection this year and over 17,000 in total since we first detected it in March of 2021. The reported behaviour is always the same: After a few seconds of loading, the website will redirect to a dodgy scam site. --------------------------------------------- https://blog.sucuri.net/2022/04/wordpress-popunder-malware-redirects-to-sca… ∗∗∗ Brokenwire Hack Could Let Remote Attackers Disrupt Charging for Electric Vehicles ∗∗∗ --------------------------------------------- A group of academics from the University of Oxford and Armasuisse S+T has disclosed details of a new attack technique against the popular Combined Charging System (CCS) that could potentially disrupt the ability to charge electric vehicles at scale. Dubbed "Brokenwire," the method interferes with the control communications that transpire between the vehicle and charger to wirelessly abort the abort the charging sessions from a distance of as far as 47m (151ft). --------------------------------------------- https://thehackernews.com/2022/04/brokenwire-hack-could-let-remote.html ∗∗∗ Deep Dive Analysis - Borat RAT ∗∗∗ --------------------------------------------- [...] During our regular OSINT research, Cyble Research Labs came across a new Remote Access Trojan (RAT) named Borat. Unlike other RATs, the Borat provides Ransomware, DDOS services, etc., to Threat Actors along with usual RAT features, further expanding the malware capabilities. --------------------------------------------- https://blog.cyble.com/2022/03/31/deep-dive-analysis-borat-rat/ ∗∗∗ FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7 ∗∗∗ --------------------------------------------- Recent public research asserts threat groups sharing overlaps with FIN7 transitioned to targeted ransomware operations involving REVIL, DARKSIDE, BLACKMATTER, and ALPHV ransomware. With the purported shift to ransomware operations, Mandiant is publishing our research on the evolution of FIN7 which we haven’t publicly written about since Mahalo FIN7, published in 2019. --------------------------------------------- https://www.mandiant.com/resources/evolution-of-fin7 ∗∗∗ Hacker accessed 319 crypto- and finance-related Mailchimp accounts, company said ∗∗∗ --------------------------------------------- Email marketing firm Mailchimp announced on Monday that a hacker breached its internal tools and managed to gain access to 319 Mailchimp accounts for companies in the cryptocurrency and finance industries. --------------------------------------------- https://therecord.media/hacker-accessed-319-crypto-and-finance-related-mail… ∗∗∗ Kaseya Full Disclosure ∗∗∗ --------------------------------------------- In honor of our appearance on the Ransomware Files podcast episode #5 we are releasing the full details of the vulnerabilities we found during our research into Kaseya VSA of which some were used by REvil to attack Kaseya’s customers. The details can be found in our CVE entries: [...] --------------------------------------------- https://csirt.divd.nl/2022/04/04/Kaseya-VSA-Full-Disclosure/ ===================== = Vulnerabilities = ===================== ∗∗∗ 15-Year-Old Bug in PEAR PHP Repository Couldve Enabled Supply Chain Attacks ∗∗∗ --------------------------------------------- A 15-year-old security vulnerability has been disclosed in the PEAR PHP repository that could permit an attacker to carry out a supply chain attack, including obtaining unauthorized access to publish rogue packages and execute arbitrary code. --------------------------------------------- https://thehackernews.com/2022/04/15-year-old-bug-in-pear-php-repository.ht… ∗∗∗ FG-IR-22-059: Vulnerability in OpenSSL library ∗∗∗ --------------------------------------------- A security advisory was released affecting the version of OpenSSL library used in some Fortinet products. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-059 ∗∗∗ VMSA-2022-0010 ∗∗∗ --------------------------------------------- A critical vulnerability in Spring Framework project identified by CVE-2022-22965 has been publicly disclosed which impacts VMware products. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0010.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk, qemu, and zlib), Fedora (389-ds-base, ghc-cmark-gfm, ghc-hakyll, gitit, libkiwix, openssl, pandoc, pandoc-citeproc, patat, phoronix-test-suite, seamonkey, and skopeo), Mageia (libtiff, openjpeg2, and php-smarty), openSUSE (python), Oracle (httpd), Red Hat (httpd), and SUSE (libreoffice, python, and python36). --------------------------------------------- https://lwn.net/Articles/890187/ ∗∗∗ Microsoft Edge 100.0.1185.29 fixt Schwachstellen ∗∗∗ --------------------------------------------- Microsoft hat zum 1. April 2022 (kein April-Scherz) den Chromium-Edge Browser auf die Version Edge 100.0.1185.29 aktualisiert. Es handelt sich um ein Wartungsupdate, das eine Reihe Schwachstellen schließt und den 100er-Entwicklungszweig einleitet. --------------------------------------------- https://www.borncity.com/blog/2022/04/02/microsoft-edge-100-0-1185-29-fixt-… ∗∗∗ Kaspersky Anti-Virus: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0384 ∗∗∗ Vulnerability in Spring Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Vulnerability in Spring Cloud Function Framework Affecting Cisco Products: March 2022 ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Integration Bus and IBM App Connect Enterprise ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in Netty – CVE-2021-43797 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-netty-cv… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Cloud Pak for Security contains packages that have multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-co… ∗∗∗ Security Bulletin: Cross-Site Scripting and information disclosure vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2022 (CVE-2021-29835, CVE-39046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server in Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.04.2022
by Daily end-of-shift report 01 Apr '22

01 Apr '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 31-03-2022 18:00 − Freitag 01-04-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New BlackGuard password-stealing malware sold on hacker forums ∗∗∗ --------------------------------------------- A new information-stealing malware named BlackGuard is winning the attention of the cybercrime community, now sold on numerous darknet markets and forums for a lifetime price of $700 or a subscription of $200 per month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-blackguard-password-stea… ∗∗∗ Viasat confirms satellite modems were wiped with AcidRain malware ∗∗∗ --------------------------------------------- A newly discovered data wiper malware that wipes routers and modems has been deployed in the cyberattack that targeted the KA-SAT satellite broadband service to wipe SATCOM modems on February 24, affecting thousands in Ukraine and tens of thousands more across Europe. --------------------------------------------- https://www.bleepingcomputer.com/news/security/viasat-confirms-satellite-mo… ∗∗∗ Phishing uses Azure Static Web Pages to impersonate Microsoft ∗∗∗ --------------------------------------------- Phishing attacks are abusing Microsoft Azures Static Web Apps service to steal Microsoft, Office 365, Outlook, and OneDrive credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/phishing-uses-azure-static-… ∗∗∗ FORCEDENTRY: Sandbox Escape ∗∗∗ --------------------------------------------- In this post we'll take a look at that sandbox escape. It's notable for using only logic bugs. In fact it's unclear where the features that it uses end and the vulnerabilities which it abuses begin. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.h… ∗∗∗ iOS-Updates: Automatik braucht mehrere Wochen ∗∗∗ --------------------------------------------- Wer will, dass sein iPhone auf aktuellem Stand ist, sollte händisch aktualisieren. Die automatische Verteilung braucht lange, bestätigt Apples Softwarechef. --------------------------------------------- https://heise.de/-6657879 ∗∗∗ CVE-2022-22965: Spring Core Remote Code Execution Vulnerability Exploited In the Wild (SpringShell) ∗∗∗ --------------------------------------------- CVE-2022-22965, aka SpringShell, is a remote code execution vulnerability in the Spring Framework. We provide a root cause analysis and mitigations. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2022-22965-springshell/ ∗∗∗ The spectre of Stuxnet: CISA issues alert on Rockwell Automation ICS vulnerabilities ∗∗∗ --------------------------------------------- The flaws can be exploited to execute code on vulnerable controllers and workstations. --------------------------------------------- https://www.zdnet.com/article/cisa-issues-alert-on-critical-ics-vulnerabili… ∗∗∗ Spring Framework RCE, Mitigation Alternative ∗∗∗ --------------------------------------------- Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat’s side. While the vulnerability is not in Tomcat itself, in real world situations, it is important to be able to choose among multiple upgrade paths that in turn provides flexibility and layered protection. --------------------------------------------- https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternati… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-03-31 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM Sterling Partner Engagement Manager, IBM QRadar Network Security, IBM Security Access Manager for Enterprise, IBM Urbancode Deploy, IBM Tivoli Application Dependency Discovery Manager, IBM Tivoli Netcool Impact, Watson Knowledge Catalog InstaScan --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Kritische Sicherheitslücke: Gitlab-Update außer der Reihe ∗∗∗ --------------------------------------------- Die Gitlab-Entwickler haben ein Update veröffentlicht, um Sicherheitslücken zu schließen. Eine kritische Lücke könnte Angreifern die Kontoübernahme ermöglichen. --------------------------------------------- https://heise.de/-6660080 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (wireshark), Fedora (389-ds-base), Mageia (golang, wavpack, and zlib), openSUSE (yaml-cpp), SUSE (expat and yaml-cpp), and Ubuntu (linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws-5.4, linux-azure, linux-gcp, linux-gcp-5.13, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-aws-hwe, linux-gcp-4.15, linux-oracle, linux-intel-5.13, and tomcat9). --------------------------------------------- https://lwn.net/Articles/889983/ ∗∗∗ Sicherheitsupdates: iOS 15.4.1 und macOS Monterey 12.3.1 ∗∗∗ --------------------------------------------- Apple hat zum 31. März 2022 zwei Sicherheitsupdates für macOS 12.3.1 (Monterey) und iOS/iPad OS 15.4.1 freigegeben. Diese schließen die Schwachstellen CVE-2022-22675 (in AppleAVD für iOS und macOS) und CVE-2022-22674 im macOS Intel Grafiktreiber. --------------------------------------------- https://www.borncity.com/blog/2022/04/01/sicherheitsupdates-ios-15-4-1-und-… ∗∗∗ K56241216: OpenLDAP vulnerabilities CVE-2020-25709 and CVE-2020-25710 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K56241216 ∗∗∗ K44994972: Linux kernel vulnerability CVE-2020-25704 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K44994972 ∗∗∗ Schneider Electric SCADAPack Workbench ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-01 ∗∗∗ Hitachi Energy e-mesh EMS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-02 ∗∗∗ Fuji Electric Alpha5 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-03 ∗∗∗ Mitsubishi Electric FA Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-04 ∗∗∗ General Electric Renewable Energy MDS Radios ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-090-06 ∗∗∗ CISA Adds Seven Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/31/cisa-adds-seven-k… ∗∗∗ Mehrere Schwachstellen in ZA|ARC (SYSS-2021-063/-064/-065/-066/-067) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-zaarc-syss-2021-… ∗∗∗ SA45100 - CVE-2022-0778-OpenSSL-Vulnerability may lead to DoS attack ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-0778… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2022
by Daily end-of-shift report 31 Mar '22

31 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-03-2022 18:00 − Donnerstag 31-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spring patches leaked Spring4Shell zero-day RCE vulnerability ∗∗∗ --------------------------------------------- Spring released emergency updates to fix the Spring4Shell zero-day remote code execution vulnerability, which leaked prematurely online before a patch was released. --------------------------------------------- https://www.bleepingcomputer.com/news/security/spring-patches-leaked-spring… ∗∗∗ Java: Exploit für RCE-Lücke in Spring geleakt ∗∗∗ --------------------------------------------- Unter Umständen reicht ein HTTP-Request, um Spring-Anwendungen eine Webshell unterzujubeln. Die Lücke wird wohl bereits ausgenutzt. --------------------------------------------- https://www.golem.de/news/java-exploit-fuer-rce-luecke-in-spring-geleakt-22… ∗∗∗ SpringShell Detector - searches compiled code (JAR/WAR binaries) for potentially vulnerable web apps ∗∗∗ --------------------------------------------- The SpringShell vulnerability may affect some web applications using Spring Framework, but requires a number of conditions to be exploitable. One specific condition which may be rather rare (and therefore render most applications non-exploitable in practice) is the existence of Spring endpoints which bind request parameters to a non-primitive (Java Bean) type. This tool can be used to scan compiled code and verify whether such endpoints exist in the codebase. --------------------------------------------- https://github.com/jfrog/jfrog-spring-tools ∗∗∗ Simple local Spring vulnerability scanner ∗∗∗ --------------------------------------------- This is a simple tool that can be used to find instances of Spring vulnerable to CVE-2022-22965 ("SpringShell") in installations of Java software such as web applications. JAR and WAR archives are inspected and class files that are known to be vulnerable are flagged. --------------------------------------------- https://github.com/hillu/local-spring-vuln-scanner ∗∗∗ Spring4Shell: Security Analysis of the latest Java RCE 0-day vulnerabilities in Spring ∗∗∗ --------------------------------------------- Weve been taking a look at the new zero-day exploit, dubbed Spring4Shell, supposedly discovered in Spring Core to determine if its a problem or not, as well as explained another RCE vulnerability found in Spring. --------------------------------------------- https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities ∗∗∗ Calendly actively abused in Microsoft credentials phishing ∗∗∗ --------------------------------------------- Phishing actors are actively abusing Calendly to kick off a clever sequence to trick targets into entering their email account credentials on the phishing page. --------------------------------------------- https://www.bleepingcomputer.com/news/security/calendly-actively-abused-in-… ∗∗∗ Lazarus Trojanized DeFi app for delivering malware ∗∗∗ --------------------------------------------- We recently discovered a Trojanized DeFi application that was compiled in November 2021. This application contains a legitimate program called DeFi Wallet that saves and manages a cryptocurrency wallet, but also implants a full-featured backdoor. --------------------------------------------- https://securelist.com/lazarus-trojanized-defi-app/106195/ ∗∗∗ Conti-nuation: methods and techniques observed in operations post the leaks ∗∗∗ --------------------------------------------- This post describes the methods and techniques we observed during recent incidents that took place after the Coni data leaks. --------------------------------------------- https://research.nccgroup.com/2022/03/31/conti-nuation-methods-and-techniqu… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns severe OpenSSL bug affects most of its NAS devices ∗∗∗ --------------------------------------------- Taiwan-based network-attached storage (NAS) maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-severe-openssl-bu… ∗∗∗ “VMware Spring Cloud” Java bug gives instant remote code execution – update now! ∗∗∗ --------------------------------------------- Easy unauthenticated remote code execution - PoC code already out --------------------------------------------- https://nakedsecurity.sophos.com/2022/03/30/vmware-spring-cloud-java-bug-gi… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgc and pjproject), Fedora (cobbler, mingw-openjpeg2, and openjpeg2), Mageia (openvpn), openSUSE (abcm2ps, fish3, icingaweb2, kernel-firmware, nextcloud, openSUSE-build-key, python2-numpy, salt, and zlib), Slackware (vim), SUSE (kernel-firmware, opensc, python2-numpy, python3, salt, and zlib), and Ubuntu (dosbox, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.13, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, [...] --------------------------------------------- https://lwn.net/Articles/889852/ ∗∗∗ The Old Switcheroo: Hiding Code on Rockwell Automation PLCs ∗∗∗ --------------------------------------------- CVE-2022-1161 affects numerous versions of Rockwell’s Logix Controllers and has a CVSS score of 10, the highest criticality. CVE-2022-1159 affects several versions of its Studio 5000 Logix Designer application, and has a CVSS score of 7.7, high severity. --------------------------------------------- https://claroty.com/2022/03/31/blog-research-hiding-code-on-rockwell-automa… ∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to missing authorization ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN42543427/ ∗∗∗ Anti Spam by CleanTalk - Moderately critical - SQL Injection - SA-CONTRIB-2022-032 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-032 ∗∗∗ Security Bulletin: IBM Db2 Web Query for i is vulnerable to denial of service in Apache Commons Compress (CVE-2021-36090), arbitrary code execution in Apache Log4j (CVE-2021-44832), and cross-site scripting in TIBCO WebFOCUS (CVE-2021-35493) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-web-query-for-i-i… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in NumPy ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool/OMNIbus Transport Module Common Integration Library is vulnerable to HTTP request smuggling due to Netty (CVE-2021-43797) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-omnibu… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in TensorFlow ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by Wget vulnerability (CVE-2021-31879) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Spring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Security Verify Access is vulnerable to obtaining sensitive information due to improper validation of JWT tokens. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces… ∗∗∗ CVE-2022-0778 Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778 (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0778 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2022
by Daily end-of-shift report 30 Mar '22

30 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-03-2022 18:00 − Mittwoch 30-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Mars Stealer malware pushed via OpenOffice ads on Google ∗∗∗ --------------------------------------------- A newly launched information-stealing malware variant called Mars Stealer is rising in popularity, and threat analysts are now spotting the first notable large-scale campaigns employing it. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mars-stealer-malware-pushed-… ∗∗∗ Viasat shares details on KA-SAT satellite service cyberattack ∗∗∗ --------------------------------------------- US satellite communications provider Viasat has shared an incident report regarding the cyberattack that affected its KA-SAT consumer-oriented satellite broadband service on February 24, the day Russia invaded Ukraine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/viasat-shares-details-on-ka-… ∗∗∗ Angriff auf Schnellllader: Forscher können Ladevorgänge per Funk unterbrechen ∗∗∗ --------------------------------------------- CCS hat sich als Standard beim Schnellladen von Elektroautos etabliert. Doch der Ladevorgang lässt sich durch Funksignale zum Absturz bringen. --------------------------------------------- https://www.golem.de/news/schnelllladen-forscher-bringen-ccs-ladevorgaenge-… ∗∗∗ Threat Alert: First Python Ransomware Attack Targeting Jupyter Notebooks ∗∗∗ --------------------------------------------- Team Nautilus has uncovered a Python-based ransomware attack that, for the first time, was targeting Jupyter Notebook, a popular tool used by data practitioners. The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack. --------------------------------------------- https://blog.aquasec.com/python-ransomware-jupyter-notebook ∗∗∗ Kostenlose Webinar-Reihe: So schützen Sie sich im Internet ∗∗∗ --------------------------------------------- Mit Unterstützung der Arbeiterkammer Burgenland veranstalten unsere KollegInnen von saferinternet.at ab 5. April eine Webinar-Reihe. Die kostenlosen Webinare sind für alle interessierten Erwachsenen offen und beschäftigen sich mit dem sicheren und verantwortungsvollen Umgang mit digitalen Medien. Mit dabei sind auch ExpertInnen der Watchlist Internet. --------------------------------------------- https://www.watchlist-internet.at/news/kostenlose-webinar-reihe-so-schuetze… ∗∗∗ Investigating an engineering workstation – Part 2 ∗∗∗ --------------------------------------------- In this second post we will focus on specific evidence written by the TIA Portal. As you might remember, in the first part we covered standard Windows-based artefacts regarding execution of the TIA Portal and usage of projects. --------------------------------------------- https://blog.nviso.eu/2022/03/30/investigating-an-engineering-workstation-p… ∗∗∗ Advanced warning: probable remote code execution (RCE) in Spring, an extremely popular Java framework ∗∗∗ --------------------------------------------- This notice is intended to alert you that there may be a significant issue with Spring which, if confirmed, would require immediate attention.In the morning (New York time) on Wednesday, March 29th, 2022, a member of the security research team KnownSec posted a now-removed screenshot to Twitter purporting to show a trivially-exploited remote code execution vulnerability against Spring core, the most popular Java framework in use on the Internet. The researcher did not provide a proof-of-concept or public details. --------------------------------------------- https://bugalert.org/content/notices/2022-03-29-spring.html ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt aktualisieren! Angriffe auf Sicherheitslücke in Trend Micro Apex Central ∗∗∗ --------------------------------------------- Trend Micro warnt vor Angriffen auf eine Sicherheitslücke in zentralen Verwaltungssoftware Apex Central. Zum Abdichten des Lecks stehen Updates bereit. --------------------------------------------- https://heise.de/-6656849 ∗∗∗ VMSA-2022-0009 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.5 CVE(s): CVE-2022-22948 Synopsis: VMware vCenter Server updates address an information disclosure vulnerability --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0009.html ∗∗∗ Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk ∗∗∗ --------------------------------------------- On February 15, 2022, the Wordfence Threat Intelligence team finished research on two separate vulnerabilities in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin with over 100,000 installations. [...] A patched version, 5.174.1, was made available on March 25, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/03/reflected-xss-in-spam-protection-ant… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (expat, firefox, httpd, openssl, and thunderbird), Debian (cacti), Fedora (kernel, rsh, unrealircd, and xen), Mageia (kernel and kernel-linus), openSUSE (apache2, java-1_8_0-ibm, kernel, openvpn, and protobuf), Oracle (openssl), Red Hat (httpd:2.4, kernel, kpatch-patch, and openssl), SUSE (apache2, java-1_7_1-ibm, java-1_8_0-ibm, kernel, openvpn, protobuf, and zlib), and Ubuntu (chromium-browser and paramiko). --------------------------------------------- https://lwn.net/Articles/889682/ ∗∗∗ SaltStack Salt: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in SaltStack Salt ausnutzen, um Dateien zu manipulieren, einen Denial of Service Zustand herbeizuführen, Privilegien zu erweitern oder beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0371 ∗∗∗ Trend Micro AntiVirus für Mac: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro AntiVirus für Mac ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0370 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- Google has released Chrome version 100.0.4896.60 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/30/google-releases-s… ∗∗∗ Password-Hash-Preisgabe im CMS Statamic (SYSS-2022-022) ∗∗∗ --------------------------------------------- Im CMS Statamic können in der REST-API Passwort-Hash-Werte aller Benutzer:innen ausgelesen werden. Dies kann zur Übernahme der Website führen. --------------------------------------------- https://www.syss.de/pentest-blog/password-hash-preisgabe-in-statamic-cms-sy… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021and Jan 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab… ∗∗∗ PHOENIX CONTACT: Vulnerabilities in XML parser library Expat (libexpat) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-005/ ∗∗∗ Buffer Overflow Vulnerability in Recovery Image ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-446276-bt.html ∗∗∗ CVE-2022-0778: Sicherheitslücken mit Denial of Service-Potential in OpenSSL ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2022
by Daily end-of-shift report 29 Mar '22

29 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-03-2022 18:00 − Dienstag 29-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Sophos warns critical firewall bug is being actively exploited ∗∗∗ --------------------------------------------- British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/sophos-warns-critical-firewall-… ∗∗∗ Triton Malware Still Targeting Energy Firms ∗∗∗ --------------------------------------------- The FBIs latest Private Industry Notification warns the energy sector that the group behind Triton is still up to no good. --------------------------------------------- https://www.darkreading.com/attacks-breaches/triton-malware-still-targeting… ∗∗∗ Linux-Kernel: Netfilter-Bug gibt Nutzern Root-Rechte ∗∗∗ --------------------------------------------- Im Linux-Kernel sind mehrere Fehler im Netfilter-Code gefunden worden, die es einem Nutzer ermöglichen, Root-Rechte zu erlangen. Das Kernel-Team hat für alle unterstützten Versionszweige Updates veröffentlicht. CVE-2022-1015, CVE-2022-1016). --------------------------------------------- https://www.golem.de/news/linux-kernel-netfilter-bug-gibt-nutzern-root-rech… ∗∗∗ A Large-Scale Supply Chain Attack Distributed Over 800 Malicious NPM Packages ∗∗∗ --------------------------------------------- A threat actor dubbed "RED-LILI" has been linked to an ongoing large-scale supply chain attack campaign targeting the NPM package repository by publishing nearly 800 malicious modules. --------------------------------------------- https://thehackernews.com/2022/03/a-threat-actor-dubbed-red-lili-has-been.h… ∗∗∗ Betrügerische SMS im Namen der Volksbank ∗∗∗ --------------------------------------------- Aktuell kursieren betrügerische SMS im Namen der Volksbank. EmpfängerInnen werden dringlich aufgefordert, auf einen Link zu klicken – angeblich, weil das Konto gesperrt wurde. Achtung: Dabei handelt es sich um Betrug. Wer den Link anklickt, landet auf einer gefälschten Login-Seite der Volksbank. Dort werden Zugangsdaten gestohlen! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-sms-im-namen-der-volk… ∗∗∗ Log4Shell exploited to infect VMware Horizon servers with backdoors, crypto miners ∗∗∗ --------------------------------------------- A patch was released in December 2021, but as is often the case with internet-facing servers, many systems have not been updated. According to Sophos, the latest Log4Shell attacks target unpatched VMware Horizon servers with three different backdoors and four cryptocurrency miners. --------------------------------------------- https://www.zdnet.com/article/log4shell-exploited-to-infect-vmware-horizon-… ∗∗∗ Verblecon: Sophisticated New Loader Used in Low-level Attacks ∗∗∗ --------------------------------------------- Indications the attacker may not realize the potential capabilities of the malware they are using. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ve… ∗∗∗ Mitigating Attacks Against Uninterruptable Power Supply Devices ∗∗∗ --------------------------------------------- CISA and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices, often through unchanged default usernames and passwords. Organizations can mitigate attacks against their UPS devices, which provide emergency power in a variety of applications when normal power sources are lost, by removing management interfaces from the internet. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/29/mitigating-attack… ===================== = Vulnerabilities = ===================== ∗∗∗ Wyze Cam flaw lets hackers remotely access your saved videos ∗∗∗ --------------------------------------------- The authentication bypass flaw tracked as CVE-2019-9564 was addressed by the Wyze team via a security update on September 24, 2019. The remote execution vulnerability, assigned CVE-2019-12266, was fixed via an app update on November 9, 2020, 21 months after its initial discovery. The worst treatment of the bunch was reserved for the SD card issue, which was fixed only on January 29, 2022, when Wyze pushed a fixing firmware update. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wyze-cam-flaw-lets-hackers-r… ∗∗∗ ZDI-22-545: (0Day) Siemens Simcenter Femap NEU File Parsing Out-Of-Bounds Write Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on affected installations of Siemens Simcenter Femap. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-545/ ∗∗∗ Kritische Schadcode-Lücke in In-Memory-Datenbank Redis geschlossen ∗∗∗ --------------------------------------------- Das Zusammenspiel von Debian-Systemen und Redis kann zu ernsten Sicherheitsproblemen führen. Dagegen abgesicherte Versionen schaffen Abhilfe. --------------------------------------------- https://heise.de/-6655726 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libdatetime-timezone-perl, pjproject, and tzdata), Mageia (chromium-browser-stable, docker, graphicsmagick, and libtiff), Oracle (expat), Red Hat (expat, httpd:2.4, openssl, and screen), Scientific Linux (expat and openssl), and Ubuntu (libtasn1-6, linux-oem-5.14, openjdk-lts, and paramiko). --------------------------------------------- https://lwn.net/Articles/889571/ ∗∗∗ Sicherheitswarnung: Authentifizierungsschwachstelle CVE-2022-0342 in Zyxel USG/ZyWALL ∗∗∗ --------------------------------------------- In verschiedenen Zyxel Firewall-Produkten gibt es eine kritische Authentifizierungs-Schwachstelle (CVE-2022-0342). Durch diese Sicherheitslücke wird eine Übernahme der Firewall möglich. Zyxel stellt zwar für Geräte, die noch im Support sind, Firmware-Updates bereits. --------------------------------------------- https://www.borncity.com/blog/2022/03/29/sicherheitswarnung-authentifizieru… ∗∗∗ CVE-2018-25032: Zlib Memory Corruption Vulnerability ∗∗∗ --------------------------------------------- You may be thinking: ‘Wait, this new CVE starts with 2018.., this must be a mistake?’. In fact, it is not a mistake. This is about a CVE that everyone thought was patched years ago but now appears to be alive and well. [...] Linux distributions such as Ubuntu and Alpine have already implemented the fix in their latest releases, so you may want to update Zlib to your platform’s release of version 1.2.12, and re-compile any programs with the updated library. --------------------------------------------- https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-c… ∗∗∗ Security Bulletin: CVE-2021-44228 log4j affects MAS Monitor 8.4, 8.5 and 8.6 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-44228-log4j-affe… ∗∗∗ Security Bulletin: MAS Monitor 8.4, 8.5, and 8.6 log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mas-monitor-8-4-8-5-and-8… ∗∗∗ Security Bulletin: Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-critical-vulnerabilities-… ∗∗∗ K33548065: Eclipse Jetty vulnerability CVE-2018-12536 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33548065?utm_source=f5support&utm_mediu… ∗∗∗ K03674368: Linux kernel vulnerability CVE-2021-3715 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K03674368?utm_source=f5support&utm_mediu… ∗∗∗ Philips e-Alert ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-088-01 ∗∗∗ Rockwell Automation ISaGRAF ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-01 ∗∗∗ Omron CX-Position ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-02 ∗∗∗ Hitachi Energy LinkOne WebView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-03 ∗∗∗ Modbus Tools Modbus Slave ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-088-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2022
by Daily end-of-shift report 28 Mar '22

28 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-03-2022 18:00 − Montag 28-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Webbrowser: Notfallupdate für Google Chrome ∗∗∗ --------------------------------------------- Google hat neue Versionen vom Webbrowser Chrome veröffentlicht, die eine Sicherheitslücke schließen, für die bereits Exploit-Code existiert. --------------------------------------------- https://heise.de/-6638415 ∗∗∗ PayPal Funktion „Geld an Freunde senden“ nicht als Zahlungsmittel auf Online-Marktplätzen verwenden ∗∗∗ --------------------------------------------- Momentan melden uns Facebook-NutzerInnen betrügerische Inserate im Facebook Marketplace. Darin werden beispielsweise Gaming-Stühle zum Verschenken angeboten. Die Person verlangt nur 15 Euro für den Versand. Der Betrag sollte mit der PayPal-Funktion „Geld an Freunde senden“ übermittelt werden. Achtung: Dabei handelt es sich um Betrug! Sie verlieren Ihr Geld und erhalten kein Produkt! --------------------------------------------- https://www.watchlist-internet.at/news/paypal-funktion-geld-an-freunde-send… ∗∗∗ Public Redis exploit used by malware gang to grow botnet ∗∗∗ --------------------------------------------- Threat analysts report having spotted a change in the operations of the Muhstik threat group, which has now switched to actively exploiting a Lua sandbox escape flaw in Redis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/public-redis-exploit-used-by… ∗∗∗ Hive ransomware ports its Linux VMware ESXi encryptor to Rust ∗∗∗ --------------------------------------------- The Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victims ransom negotiations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hive-ransomware-ports-its-li… ∗∗∗ The Mystery Admin User ∗∗∗ --------------------------------------------- One of our clients recently submitted a malware removal request with a curious problem: A mystery admin user kept getting re-created on their website. Try as they might, nothing they did would get rid of this user; it just kept coming back. --------------------------------------------- https://blog.sucuri.net/2022/03/the-mystery-admin-user.html ∗∗∗ Purple Fox Hackers Spotted Using New Variant of FatalRAT in Recent Malware Attacks ∗∗∗ --------------------------------------------- The operators of the Purple Fox malware have retooled their malware arsenal with a new variant of a remote access trojan called FatalRAT, while also simultaneously upgrading their evasion mechanisms to bypass security software. "Users machines are targeted via trojanized software packages masquerading as legitimate application installers," Trend Micro researchers said in a report [...] --------------------------------------------- https://thehackernews.com/2022/03/purple-fox-hackers-spotted-using-new.html ∗∗∗ Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware ∗∗∗ --------------------------------------------- A new email phishing campaign has been spotted leveraging the tactic of conversation hijacking to deliver the IcedID info-stealing malware onto infected machines by making use of unpatched and publicly-exposed Microsoft Exchange servers. "The emails use a social engineering technique of conversation hijacking (also known as thread hijacking)," Israeli company Intezer said in a report [...] --------------------------------------------- https://thehackernews.com/2022/03/hackers-hijack-email-reply-chains-on.html ∗∗∗ Under the hood of Wslink’s multilayered virtual machine ∗∗∗ --------------------------------------------- ESET researchers describe the structure of the virtual machine used in samples of Wslink and suggest a possible approach to see through its obfuscation techniques --------------------------------------------- https://www.welivesecurity.com/2022/03/28/under-hood-wslink-multilayered-vi… ∗∗∗ Vulnerability Management in a nutshell ∗∗∗ --------------------------------------------- Vulnerability Management plays an important role in an organization’s line of defense. However, setting up a Vulnerability Management process can be very time consuming. This blogpost will briefly cover the core principles of Vulnerability Management and how it can help protect your organization against threats and adversaries looking to abuse weaknesses. --------------------------------------------- https://blog.nviso.eu/2022/03/28/vulnerability-management-in-a-nutshell/ ∗∗∗ Ransomware profile: RansomExx ∗∗∗ --------------------------------------------- A comprehensive profile of the RansomExx ransomware strain. --------------------------------------------- https://blog.emsisoft.com/en/41027/ransomware-profile-ransomexx/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Sophos Firewall könnte Schadcode passieren lassen ∗∗∗ --------------------------------------------- Die Firewall von Sophos ist löchrig. Aktualisierte Versionen lösen das Sicherheitsproblem. --------------------------------------------- https://heise.de/-6653493 ∗∗∗ Whitepaper – Double Fetch Vulnerabilities in C and C++ ∗∗∗ --------------------------------------------- Double fetch vulnerabilities in C and C++ have been known about for a number of years. However, they can appear in multiple forms and can have varying outcomes. As much of this information is spread across various sources, this whitepaper, draws the knowledge together into a single place, in order to better describe the different [...] --------------------------------------------- https://research.nccgroup.com/2022/03/28/whitepaper-double-fetch-vulnerabil… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and faad2), Fedora (dotnet3.1, libass, linux-firmware, python-paramiko, seamonkey, and xen), openSUSE (perl-DBD-SQLite and wavpack), Slackware (seamonkey), SUSE (perl-DBD-SQLite and wavpack), and Ubuntu (binutils, python2.7, python3.4, python3.5, python3.6, python3.8, and smarty3). --------------------------------------------- https://lwn.net/Articles/889423/ ∗∗∗ CISA Adds 66 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 66 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/25/cisa-adds-66-know… ∗∗∗ Microsoft Security Update Revisions (25. März 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 25. März 2022 noch einige Revisionen für Sicherheitsupdates veröffentlicht. In den Revisionen werden geänderte Einschätzungen zu Schwachstellen thematisiert. Hier eine unkommentierte Übersicht. --------------------------------------------- https://www.borncity.com/blog/2022/03/28/microsoft-security-update-revision… ∗∗∗ SonicWall SonicOS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0348 ∗∗∗ PowerDNS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0358 ∗∗∗ Cross-Site Scripting-Schwachstelle in DHC Vision (SYSS-2022-019) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-schwachstelle-in-dhc-… ∗∗∗ SQL Injection in der B2B Suite des Shopware e-Commerce Frameworks (SYSS-2022-018) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/sql-injection-in-der-b2b-suite-des-shopwar… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35550, CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: Cross Site Scripting may affect IBM Business Automation Workflow and IBM Case Manager (ICM) – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-may-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer and Watson Explorer Content Analytics Studio (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2022-23181 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-42340 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.03.2022
by Daily end-of-shift report 25 Mar '22

25 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-03-2022 18:00 − Freitag 25-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing kits constantly evolve to evade security software ∗∗∗ --------------------------------------------- Modern phishing kits sold on cybercrime forums as off-the-shelve packages feature multiple and sophisticated detection avoidance and traffic filtering systems to ensure that internet security solutions wont mark them as a threat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-kits-constantly-evo… ∗∗∗ Malicious Microsoft Excel add-ins used to deliver RAT malware ∗∗∗ --------------------------------------------- Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel addins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-ad… ∗∗∗ Racing against the clock -- hitting a tiny kernel race window ∗∗∗ --------------------------------------------- This is a writeup of how I managed to hit the race on a normal Linux desktop kernel, with a hit rate somewhere around 30% if the proof of concept has been tuned for the specific machine. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/03/racing-against-clock-hitting… ∗∗∗ XLSB Files: Because Binary is Stealthier Than XML, (Fri, Mar 25th) ∗∗∗ --------------------------------------------- In one of his last diaries, Brad mentioned an Excel sheet named with a .xlsb extension. Now, it was my turn to find one... --------------------------------------------- https://isc.sans.edu/diary/rss/28476 ∗∗∗ Linux-Malware bedroht Windows ∗∗∗ --------------------------------------------- Es taucht immer mehr Malware auf, die das Windows Subsytem for Linux (WSL) als Einfallstor nutzen. Die Gefahr steigt, warnen Sicherheitsforscher. --------------------------------------------- https://heise.de/-6631700 ∗∗∗ Mining data from Cobalt Strike beacons ∗∗∗ --------------------------------------------- Since we published about identifying Cobalt Strike Team Servers in the wild just over three years ago, we’ve collected over 128,000 beacons from over 24,000 active Team Servers. --------------------------------------------- https://research.nccgroup.com/2022/03/25/mining-data-from-cobalt-strike-bea… ∗∗∗ E-Mails mit Anschuldigungen der Polizei sind Fake! ∗∗∗ --------------------------------------------- Auch Sie haben ein E-Mail von der Polizei oder dem Bundeskriminalamt erhalten, das Sie der Kinderpornografie, Pädophilie und des Exhibitionismus beschuldigt? Das E-Mail ist fake, die Anschuldigungen frei erfunden. Antworten Sie nicht und löschen Sie die Nachricht am besten. --------------------------------------------- https://www.watchlist-internet.at/news/e-mails-mit-anschuldigungen-der-poli… ∗∗∗ Crypto malware in patched wallets targeting Android and iOS devices ∗∗∗ --------------------------------------------- ESET Research uncovers a sophisticated scheme that distributes trojanized Android and iOS apps posing as popular cryptocurrency wallets. --------------------------------------------- https://www.welivesecurity.com/2022/03/24/crypto-malware-patched-wallets-ta… ===================== = Vulnerabilities = ===================== ∗∗∗ URL rendering trick enabled WhatsApp, Signal, iMessage phishing ∗∗∗ --------------------------------------------- A set of flaws affecting the worlds leading messaging and email platforms, including Instagram, iMessage, WhatsApp, Signal, and Facebook Messenger, has allowed threat actors to create legitimate-looking phishing URLs for the past three years. --------------------------------------------- https://www.bleepingcomputer.com/news/security/url-rendering-trick-enabled-… ∗∗∗ Western Digital schließt Root-Schadcode-Lücke in My-Cloud-Netzwerkspeichern ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für verschiedene NAS-Modelle von Western Digital. --------------------------------------------- https://heise.de/-6630582 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (nicotine+ and openvpn), openSUSE (bind, libarchive, python3, and slirp4netns), Oracle (cyrus-sasl, httpd, httpd:2.4, and openssl), Red Hat (httpd and httpd:2.4), Scientific Linux (httpd), SUSE (bind, libarchive, python3, and slirp4netns), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/889265/ ∗∗∗ ZDI-22-538: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-538/ ∗∗∗ ZDI-22-537: (0Day) Epic Games Launcher Link Following Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-537/ ∗∗∗ ZDI-22-536: (0Day) Electronic Arts Origin Web Helper Service Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-536/ ∗∗∗ ZDI-22-541: (0Day) Array Networks MotionPro Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-541/ ∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nims… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by denial of service vulnerabilities in OpenSSL (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by an OpenSSL vulnerability (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Atlassian Confluence: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0342 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2022
by Daily end-of-shift report 24 Mar '22

24 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-03-2022 18:00 − Donnerstag 24-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Botnet of Thousands of MikroTik Routers Abused in Glupteba, TrickBot Campaigns ∗∗∗ --------------------------------------------- Vulnerable routers from MikroTik have been misused to form what cybersecurity researchers have called one of the largest botnet-as-a-service cybercrime operations seen in recent years. According to a new piece of research published by Avast, a cryptocurrency mining campaign leveraging the new-disrupted Glupteba botnet as well as the infamous TrickBot malware were all distributed using the same command-and-control (C2) server. --------------------------------------------- https://thehackernews.com/2022/03/over-200000-microtik-routers-worldwide.ht… ∗∗∗ Doppelter Betrug: Phishing-Konzept mit Browser-In-The-Browser-Attacke ausgebaut ∗∗∗ --------------------------------------------- In seinem Beispiel macht sich der Sicherheitsforscher das OAuth-Fenster zunutze. In seiner Demo baut er es via HTML/CSS exakt nach und versieht es mit einer legitimen Google-URL inklusive HTTPS-Schloss-Symbol. Dadurch fällt es Opfern schwerer, den Betrug aufzudecken und eingegebene Passwörter landen bei Betrügern. Einen Schwachpunkt hat dieser Ansatz aber: Der Ausgangspunkt von einer BITB-Attacke ist eine Phishing-Website, die das OAuth-Anmeldeverfahren mit dem Fake-Fenster anbietet. Dahin müssen Betrüger Opfer erst mal locken, ohne dass Verdacht aufkommt. --------------------------------------------- https://heise.de/-6621914 ∗∗∗ A Closer Look at the LAPSUS$ Data Extortion Group ∗∗∗ --------------------------------------------- Microsoft and identity management platform Okta both disclosed this week breaches involving LAPSUS$, a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish the information unless a ransom demand is paid. Heres a closer look at LAPSUS$, and some of the low-tech but high-impact methods the group uses to gain access to targeted organizations. --------------------------------------------- https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extort… ===================== = Vulnerabilities = ===================== ∗∗∗ Role Delegation - Moderately critical - Privilege escalation - SA-CONTRIB-2022-031 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module allows site administrators to grant specific roles the authority to assign selected roles to users, without them needing the administer permissions permission.The module contains an access bypass vulnerability when used in combination with the Views Bulk Operations module. An authenticated user is able to assign the administrator role to his own user. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-031 ∗∗∗ Colorbox Node - Critical - Unsupported - SA-CONTRIB-2022-030 ∗∗∗ --------------------------------------------- Security risk: Critical The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-030 ∗∗∗ Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121) ∗∗∗ --------------------------------------------- Western Digital published a firmware update (5.19.117) which entirely removed support for the open source third party vulnerable service "Depreciated Netatalk Service". As this vulnerability was addressed in the upstream Netatalk code, CVE-2022-23121 was assigned and a ZDI advisory published together with a new Netatalk release 3.1.13 distributed which fixed this vulnerability together with a number of others. --------------------------------------------- https://research.nccgroup.com/2022/03/24/remote-code-execution-on-western-d… ∗∗∗ Splunk: SVD-2022-0301 Indexer denial-of-service via malformed S2S request ∗∗∗ --------------------------------------------- CVSSv3.1 Score: 7.5, High CVE ID: CVE-2021-3422 The lack of validation of a key-value field in the Splunk-to-Splunk protocol results in a denial-of-service in Splunk Enterprise instances configured to index Universal Forwarder traffic. --------------------------------------------- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.h… ∗∗∗ VMware Carbon App Control: Angreifer könnten Schadcode auf Server schieben ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen zwei kritische Lücken in Carbon App Control für Windows. --------------------------------------------- https://heise.de/-6619596 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php-twig), Mageia (abcm2ps, libpano13, and pesign), openSUSE (nextcloud and xen), Oracle (kernel, kernel-container, and openssl), SUSE (java-1_7_1-ibm and xen), and Ubuntu (linux-oem-5.14, openvpn, and thunderbird). --------------------------------------------- https://lwn.net/Articles/889120/ ∗∗∗ Schwachstelle in Windows 3CX-Telefonanlagen, Patchen ist angesagt ∗∗∗ --------------------------------------------- Wer unter Windows ein 3CX-System (Telefonanlage) in einer Version unterhalb v18 Update 3 (Build 450) betreibt, sollte reagieren. Der Hersteller hat ein Sicherheitsupdate für dieses Produkt in Form der v18 Update 3 (Build 450) veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/03/24/schwachstelle-in-windows-3cx-telef… ∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-manage… ∗∗∗ Security Bulletin: IBM Security Verify Governance, Identity Manager virtual appliance component is vulnerable to denial of service (CVE-2021-38951) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35550). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin:IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 affects IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-sdk-java-technology-ed… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35603). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Vulnerabilities with Expat affect IBM Cloud Object Storage Systems (Mar 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expa… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Order Management Apache Struts vulnerablity ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-order-manage… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2022-22374 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in Java affects IBM License Metric Tool v9 (CVE-2021-35578). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-a… ∗∗∗ Endress+Hauser: FieldPort SFP50 Memory Corruption in Bluetooth Controller Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-006/ ∗∗∗ Yokogawa CENTUM and Exaopc ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-083-01 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-083-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2022
by Daily end-of-shift report 23 Mar '22

23 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-03-2022 18:00 − Mittwoch 23-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Okta confirms 2.5% customers impacted by hack in January ∗∗∗ --------------------------------------------- Okta, a major provider of access management systems, says that 2.5%, or approximately 375 customers, were impacted by a cyberattack claimed by the Lapsus$ data extortion group. --------------------------------------------- https://www.bleepingcomputer.com/news/security/okta-confirms-25-percent-cus… ∗∗∗ Raccoon Stealer – An Insight into Victim “Gates” ∗∗∗ --------------------------------------------- Raccoon Stealer is an information stealer sold to ‘affiliates’ as a Malware-as-a-Service (MaaS) on multiple underground forums. Affiliates are provided access to a control panel hosted on the Tor network as an onion site, where they can generate new malware builds and review data collected from infected hosts. --------------------------------------------- https://team-cymru.com/blog/2022/03/23/raccoon-stealer-an-insight-into-vict… ∗∗∗ Ransomware: Microsoft bestätigt Hack durch Lapsus$ ∗∗∗ --------------------------------------------- Nach der Veröffentlichung von Code durch Lapsus$ bestätigt Microsoft nun den Hack. Der sei aber sehr begrenzt gewesen. --------------------------------------------- https://www.golem.de/news/ransomware-microsoft-bestaetigt-hack-durch-lapsus… ∗∗∗ DEV-0537 criminal actor targeting organizations for data exfiltration and destruction ∗∗∗ --------------------------------------------- The activity we have observed has been attributed to a threat group that Microsoft tracks as DEV-0537, also known as LAPSUS$. DEV-0537 is known for using a pure extortion and destruction model without deploying ransomware payloads. --------------------------------------------- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-… ∗∗∗ Exploring a New Class of Kernel Exploit Primitive ∗∗∗ --------------------------------------------- MSRC receives a wide variety of cases spanning different products, bug types and exploit primitives. One particularly interesting primitive we see is an arbitrary kernel pointer read. --------------------------------------------- https://msrc-blog.microsoft.com/2022/03/22/exploring-a-new-class-of-kernel-… ∗∗∗ Arkei Variants: From Vidar to Mars Stealer, (Wed, Mar 23rd) ∗∗∗ --------------------------------------------- Sometime in 2018, a new information stealer named Vidar appeared. Analysis revealed Vidar is an information stealer that is a copycat or fork of Arkei malware. Since that time, Vidar has led to other Arkei-based variants. --------------------------------------------- https://isc.sans.edu/diary/rss/28468 ∗∗∗ Dissecting a Phishing Campaign with a Captcha-based URL ∗∗∗ --------------------------------------------- In today’s environment, much of the population are doing their bank or financial transactions online and online banking or wire transfers have become a huge necessity. Recently, we received a phishing email that is targeting PayPal accounts. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/dissecting-… ∗∗∗ A journey into IoT – Unknown Chinese alarm – Part 1 – Discover components and ports ∗∗∗ --------------------------------------------- So, after a couple of introductory articles, let’s start with a series of articles on an analysis executed on an unknown device. I received a Chinese smart alarm, clone of the Xiaomi Smart Home system, and it seemed perfect for the purpose. --------------------------------------------- https://security.humanativaspa.it/a-journey-into-iot-unknown-chinese-alarm-… ∗∗∗ Alte Tricks, neue Korplug‑Variante: Hodur von Mustang Panda ∗∗∗ --------------------------------------------- ESET-Forscher haben eine zuvor undokumentierte Korplug-Variante namens Hodur entdeckt, die von Mustang Panda verbreitet wird. Sie nutzt Phishing-Köder, die auf aktuelle Ereignisse in Europa anspielen, einschließlich der Invasion in der Ukraine. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/03/23/alte-tricks-neue-korplug-… ∗∗∗ Fake-Shop auf idealo.com.de! ∗∗∗ --------------------------------------------- Kriminelle haben die Website der Preisvergleichsplattformen idealo.at und idealo.de nachgebaut. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-auf-idealocomde/ ===================== = Vulnerabilities = ===================== ∗∗∗ Netatalk < 3.1.13: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Netatalk 3.1.13 behebt die folgenden Schwachstellen: CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, CVE-2022-0194 --------------------------------------------- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (cyrus-sasl, openssl, sphinx, and swtpm), openSUSE (qemu), Red Hat (expat, rh-mariadb103-mariadb, and rh-mariadb105-mariadb), SUSE (apache2, binutils, java-1_7_0-ibm, kernel-firmware, nodejs12, qemu, and xen), and Ubuntu (ckeditor and linux, linux-aws, linux-kvm, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/888994/ ∗∗∗ Bosch Fire Monitoring System (FSM) affected by log4net Vulnerability ∗∗∗ --------------------------------------------- A vulnerability has been discovered affecting the Bosch Fire Monitoring System (FSM-2500, FSM-5000, FSM-10k and obsolete FSM-10000). The issue applies to FSM server with version 5.6.630 and lower, and FSM client with version 5.6.2131 and lower. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-479793-bt.html ∗∗∗ ZDI-22-524: (Pwn2Own) NETGEAR R6700v3 libreadycloud.so Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-524/ ∗∗∗ ZDI-22-523: (Pwn2Own) NETGEAR R6700v3 circled Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-523/ ∗∗∗ ZDI-22-522: (Pwn2Own) NETGEAR R6700v3 readycloud_control.cgi Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-522/ ∗∗∗ ZDI-22-521: (Pwn2Own) NETGEAR R6700v3 Missing Authentication for Critical Function Arbitrary File Upload Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-521/ ∗∗∗ ZDI-22-520: (Pwn2Own) NETGEAR R6700v3 Improper Certificate Validation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-520/ ∗∗∗ ZDI-22-519: (Pwn2Own) NETGEAR R6700v3 upnpd Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-519/ ∗∗∗ ZDI-22-518: (Pwn2Own) NETGEAR R6700v3 httpd Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-518/ ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Service Registry and Repository in packages such as Apache Struts and Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Service Registry and Repository due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Db2 Big SQL is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-is-vulner… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Vulnerability in Apache log4j affects WebSphere Service Registry and Repository (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to information exposure due to IBM WebSphere Application Server Liberty (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: IBM Transformation Extender Advanced is vulnerable to LDAP injection due to WebSphere Application Server Liberty (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-transformation-extend… ∗∗∗ Security Bulletin: Cloudera Data Platform Private Cloud Base with IBM products have log messages vulnerable to arbitrary code execution, denial of service, remote code execution, and SQL injection due to Apache Log4j vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloudera-data-platform-pr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2022-22316) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM WebSphere eXtreme Scale is vulnerable to arbitrary code execution due to Apache Log4j v1.x (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-extreme-sca… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Elastic Storage System (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ VMSA-2022-0008 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0008.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2022
by Daily end-of-shift report 22 Mar '22

22 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-03-2022 18:00 − Dienstag 22-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Serpent malware campaign abuses Chocolatey Windows package manager ∗∗∗ --------------------------------------------- Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new Serpent backdoor malware on systems of French government agencies and large construction firms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/serpent-malware-campaign-abu… ∗∗∗ Conti Ransomware V. 3, Including Decryptor, Leaked ∗∗∗ --------------------------------------------- The latest is a fresher version of the ransomware pro-Ukraine researcher ContiLeaks already released, but it’s reportedly clunkier code. Pro-Ukraine security researcher @ContiLeaks yesterday uploaded a fresher version of Conti ransomware than they had previously released – specifically, the source code for Conti Ransomware V3.0 – to VirusTotal. --------------------------------------------- https://threatpost.com/conti-ransomware-v-3-including-decryptor-leaked/1790… ∗∗∗ CryptoRom Crypto Scam Abusing iPhone Features to Target Mobile Users ∗∗∗ --------------------------------------------- Social engineering attacks leveraging a combination of romantic lures and cryptocurrency fraud have been deceiving unsuspecting victims into installing fake apps by taking advantage of legitimate iOS features like TestFlight and Web Clips. --------------------------------------------- https://thehackernews.com/2022/03/cryptorom-crypto-scam-abusing-iphone.html ∗∗∗ Microsoft und Okta: Hacker-Gruppe Lapsus$ hat offenbar erneut zugeschlagen ∗∗∗ --------------------------------------------- Derzeit untersuchen Microsoft bei Azure DevOps und der Zugriffsmanagement-Dienstleister Okta unberechtigte Server-Zugriffe. --------------------------------------------- https://heise.de/-6603364 ∗∗∗ Ausgesperrt? Vorsicht vor unseriösen Schlüsseldiensten ∗∗∗ --------------------------------------------- Sie haben sich ausgesperrt und benötigen einen Schlüsseldienst, um wieder in Ihre Wohnung zu kommen? Bleiben Sie ruhig, recherchieren Sie sorgfältig und überprüfen Sie das Unternehmen genau! Bedenken Sie: Die ersten Google-Suchergebnisse sind nicht immer die besten. Im Gegenteil: Wie Erfahrungen und Analysen zeigen, sind viele beworbene Schlüsseldienste unseriös! --------------------------------------------- https://www.watchlist-internet.at/news/ausgesperrt-vorsicht-vor-unserioesen… ∗∗∗ Sandworm: A tale of disruption told anew ∗∗∗ --------------------------------------------- [..] BlackEnergy, TeleBots, GreyEnergy, Industroyer, NotPetya, Exaramel, and, in 2022 alone, WhisperGate, HermeticWiper, IsaacWiper, and CaddyWiper. In all cases, except the last four, the cybersecurity community discovered enough code similarities, shared command and control infrastructure, malware execution chains and other hints to attribute all the malware samples to one overarching group – Sandworm. Who is Sandworm? --------------------------------------------- https://www.welivesecurity.com/2022/03/21/sandworm-tale-disruption-told-ane… ∗∗∗ FBI and FinCEN Release Advisory on AvosLocker Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) have released a joint Cybersecurity Advisory identifying indicators of compromise associated with AvosLocker ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/22/fbi-and-fincen-re… ∗∗∗ Storm Cloud on the Horizon: GIMMICK Malware Strikes at macOS ∗∗∗ --------------------------------------------- In late 2021, Volexity discovered an intrusion in an environment monitored as part of its Network Security Monitoring service. Volexity detected a system running frp, otherwise known as fast reverse proxy, and subsequently detected internal port scanning shortly afterward. This traffic was determined to be unauthorized and the system, a MacBook Pro running macOS 11.6 (Big Sur), was isolated for further forensic analysis. --------------------------------------------- https://www.volexity.com/blog/2022/03/22/storm-cloud-on-the-horizon-gimmick… ∗∗∗ Facestealer-Trojaner aus der Google Play Store-App Craftsart Cartoon Photo Tools klaut Facebook-Zugangsdaten ∗∗∗ --------------------------------------------- Sicherheitsforscher von Pradeo haben eine Android-App Craftsart Cartoon Photo Tools im Google Play Store entdeckt. Diese ist mit dem bekannten Facestealer-Trojaner verseucht und 100.000 Leute haben die App auf ihre Geräte gezogen. --------------------------------------------- https://www.borncity.com/blog/2022/03/22/facestealer-trojaner-aus-der-googl… ∗∗∗ Cobalt Strike: Overview – Part 7 ∗∗∗ --------------------------------------------- This is an overview of a series of 6 blog posts we dedicated to the analysis and decryption of Cobalt Strike traffic. We include videos for different analysis methods. --------------------------------------------- https://blog.nviso.eu/2022/03/22/cobalt-strike-overview-part-7/ ∗∗∗ Detecting shadow credentials ∗∗∗ --------------------------------------------- This article is about my journey into tracing changes to the msDS-KeyCredentialLink attribute to verify if their origin is legitimate or a potential attack (aka. Shadow Credentials). --------------------------------------------- https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/ ∗∗∗ 8 Tips for Securing Networks When Time Is Scarce ∗∗∗ --------------------------------------------- In light of increased cyber risk surrounding the Russia-Ukraine conflict, we’ve put together 8 tips that defenders can take right now to prepare. --------------------------------------------- https://www.rapid7.com/blog/post/2022/03/22/8-tips-for-securing-networks-wh… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-006 ∗∗∗ --------------------------------------------- Security risk: Moderately critical Vulnerability: Third-party libraries CVE IDs: CVE-2022-24775 Description: Drupal uses the third-party Guzzle library for handling HTTP requests and responses to external services. Guzzle has released a security update which may affect some Drupal sites. --------------------------------------------- https://www.drupal.org/sa-core-2022-006 ∗∗∗ Multiple Vulnerabilities in GARO Wallbox ∗∗∗ --------------------------------------------- 1. Without Authentication(CVE-2021-45878) 2. Hard Coded Credentials for Tomcat Manager(CVE-2021-45877) 3. Unauthenticated Command Injection(CVE-2021-45876) --------------------------------------------- https://github.com/delikely/advisory/tree/main/GARO ∗∗∗ Kritische Sicherheitslücken in mehr als 200 HP-Drucker-Modellen ∗∗∗ --------------------------------------------- Zahlreiche HP-Drucker haben Sicherheitslücken, durch die Angreifer Schadcode einschleusen und ausführen könnten. Firmware-Updates schaffen Abhilfe. --------------------------------------------- https://heise.de/-6605306 ∗∗∗ Sophos schließt Sicherheitslücken in Unified Threat Management-Firmware ∗∗∗ --------------------------------------------- Eine neue Firmware-Version schließt unter anderem Sicherheitslücken, durch die angemeldete Nutzer Schadcode hätten ausführen können. --------------------------------------------- https://heise.de/-6602749 ∗∗∗ Cyclops-Blink-Botnet: Asus-Router im Fokus, Firmware-Updates verfügbar ∗∗∗ --------------------------------------------- Die Cybergang Sandworm hat ihr Cyclops-Blink-Botnet inzwischen auf Asus-Router angesetzt. Firmware-Updates sollen dem Befall vorbeugen. --------------------------------------------- https://heise.de/-6604576 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2 and thunderbird), Fedora (abcm2ps, containerd, dotnet6.0, expat, ghc-cmark-gfm, moodle, openssl, and zabbix), Mageia (389-ds-base, apache, bind, chromium-browser-stable, nodejs-tar, python-django/python-asgiref, and stunnel), openSUSE (icingaweb2, lapack, SUSE:SLE-15-SP4:Update (security), and thunderbird), Oracle (openssl), Slackware (bind), SUSE (apache2, bind, glibc, kernel-firmware, lapack, net-snmp, and thunderbird), and Ubuntu (binutils, linux, linux-aws, linux-aws-5.13, linux-gcp, linux-hwe-5.13, linux-kvm, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-hwe, linux-gcp-4.15, linux-kvm, linux-oracle, linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/888859/ ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-23192) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Watson Knowledge Catalog in Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2016-2124) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K31323265: OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K31323265?utm_source=f5support&utm_mediu… ∗∗∗ PHOENIX CONTACT: Path Traversal in Library of PLCnext Technology Toolchain and FL Network Manager ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-007/ ∗∗∗ Delta Electronics DIAEnergie ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-081-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2022
by Daily end-of-shift report 21 Mar '22

21 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-03-2022 18:00 − Montag 21-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Elden Ring: Hacker zerstören Spielstände ∗∗∗ --------------------------------------------- Invasionen feindlicher Spieler sind noch gefährlicher geworden, denn eine Sicherheitslücke kann Elden Ring zum Absturz zu bringen. --------------------------------------------- https://www.golem.de/news/elden-ring-hacker-zerstoeren-spielstaende-2203-16… ∗∗∗ Sicherheitsanalyse zum Industrieprotokoll OPC UA aktualisiert ∗∗∗ --------------------------------------------- Die Studie des BSI liefert eine Bewertung der spezifizierten und realisierten Sicherheitsfunktionen von OPC UA. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Willhaben-VerkäuferInnen aufgepasst: Kurierdienst von Willhaben ist Betrug ∗∗∗ --------------------------------------------- Auf willhaben.at inseriert? Dann nehmen Sie sich vor betrügerischen KäuferInnen in Acht! Betrügerische KäuferInnen schlagen Ihnen vor, die Zahlung und Übergabe der Ware über den „Kurierdienst PayLivery AG“ vorzunehmen. Der Link zur Webseite, auf der dieser „Kurierdienst“ beschrieben wird, wird gleich mitgesendet. Vorsicht: Diesen Kurierdienst gibt es gar nicht. Die Webseite willhaben-at.shop/help.html ist gefälscht und gehört nicht zu willhaben.at! --------------------------------------------- https://www.watchlist-internet.at/news/willhaben-verkaeuferinnen-aufgepasst… ∗∗∗ Free decryptor released for TrickBot gangs Diavol ransomware ∗∗∗ --------------------------------------------- Cybersecurity firm Emsisoft has released a free decryption tool to help Diavol ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ New Phishing toolkit lets anyone create fake Chrome browser windows ∗∗∗ --------------------------------------------- A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-toolkit-lets-an… ∗∗∗ Meet Exotic Lily, access broker for ransomware and other malware peddlers ∗∗∗ --------------------------------------------- Exotic Lily is the name given to a group of cybercriminals that specialized as an initial access broker, serving groups like Conti and Diavol ransomware. --------------------------------------------- https://blog.malwarebytes.com/threat-spotlight/2022/03/meet-exotic-lily-acc… ∗∗∗ APT35 Automates Initial Access Using ProxyShell ∗∗∗ --------------------------------------------- In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities and tasks [...] --------------------------------------------- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Western Digital EdgeRover geschlossen ∗∗∗ --------------------------------------------- Ein Sicherheitsupdate für Western Digitals Datenverwaltungsanwendung EdgeRover sperrt Angreifer aus. --------------------------------------------- https://heise.de/-6594172 ∗∗∗ A Bug That Doesnt Want To Die (CVE-2021-34484) ∗∗∗ --------------------------------------------- In November we issued a micropatch for a local privilege escalation in User Profile Service. This vulnerability was found and reported to Microsoft by security researcher Abdelhamid Naceri and assigned CVE-2021-34484 when initially fixed. Abdelhamid subsequently noticed that Microsofts patch was incomplete and wrote a POC to bypass it. Based on that information, we were able to create a micropatch for what was then considered a 0day [...] --------------------------------------------- https://blog.0patch.com/2022/03/a-bug-that-doesnt-want-to-die-cve-2021.html ∗∗∗ Micropatching Unpatched Local Privilege Escalation in Mobile Device Management Service (CVE-2021-24084 / 0day) ∗∗∗ --------------------------------------------- Update 3/21/2022: Microsofts fix for this issue turned out to be flawed. We ported our micropatches to all affected Windows versions and made them all FREE for everyone again. --------------------------------------------- https://blog.0patch.com/2021/11/micropatching-unpatched-local-privilege.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bind9, chromium, libgit2, libpano13, paramiko, usbredir, and wordpress), Fedora (expat, kernel, openexr, thunderbird, and wordpress), openSUSE (chromium, frr, and weechat), Red Hat (java-1.7.1-ibm and java-1.8.0-ibm), SUSE (frr), and Ubuntu (imagemagick). --------------------------------------------- https://lwn.net/Articles/888686/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0332 ∗∗∗ MISP: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0331 ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple vulnerabilities fixed in IBM Maximo Application Suite Monitor ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Answer Retrieval for Watson Discovery is vulnerable to phishing attacks due to Swagger UI (CVE number(s) 221508) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-answer-retrieval-for-… ∗∗∗ Security Bulletin: urllib upgrade CVE-2021-33503, CVE-2021-28363 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urllib-upgrade-cve-2021-3… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Spectrum Protect 8.1.14.000 Server is vulnerable to bypass of security restrictions (CVE-2022-22394) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-8-1-… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-2369) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2020-14781) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-2161) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE related to the Libraries component affects IBM Control Center (CVE-2020-14782) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… ∗∗∗ Security Bulletin: Vulnerabilities in Java SE and Eclipse OpenJ9 affect IBM Control Center (CVE-2020-14803 & CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-s… ∗∗∗ Security Bulletin: A vulnerability in Java SE affects IBM Control Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-java-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.03.2022
by Daily end-of-shift report 18 Mar '22

18 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-03-2022 18:00 − Freitag 18-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Unix rootkit used to steal ATM banking data ∗∗∗ --------------------------------------------- Threat analysts following the activity of LightBasin, a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-unix-rootkit-used-to-ste… ∗∗∗ Open Source: NPM-Paket löscht Dateien aus Protest gegen Ukrainekrieg ∗∗∗ --------------------------------------------- Ein weitverbreitetes NPM-Paket löscht die Dateien von russischen Entwicklern und vervielfältigt Anti-Kriegsbotschaften. --------------------------------------------- https://www.golem.de/news/open-source-npm-paket-loescht-dateien-aus-protest… ∗∗∗ Scans for Movable Type Vulnerability (CVE-2021-20837), (Fri, Mar 18th) ∗∗∗ --------------------------------------------- Yesterday, our honeypots started seeing many requests scanning for the Movable Type API. Movable Type is a content management system comparable to WordPress or Drupal. --------------------------------------------- https://isc.sans.edu/diary/rss/28454 ∗∗∗ New Variant of Russian Cyclops Blink Botnet Targeting ASUS Routers ∗∗∗ --------------------------------------------- ASUS routers have emerged as the target of a nascent botnet called Cyclops Blink, almost a month after it was revealed the malware abused WatchGuard firewall appliances as a stepping stone to gain remote access to breached networks. --------------------------------------------- https://thehackernews.com/2022/03/new-variant-of-russian-cyclops-blink.html ∗∗∗ Neue Phishing-Methode kombiniert Fax und Captchas ∗∗∗ --------------------------------------------- Um den Anti-Phishing-Filter auszutricksen, packt eine neue Angriffsmethode Links in Fax-PDFs und versteckt die gefälschte Webseite hinter einem Google-Captcha. --------------------------------------------- https://heise.de/-6587105 ∗∗∗ How to protect RDP ∗∗∗ --------------------------------------------- RDP is still a popular target for attackers, so how do you keep your remote desktops safe? --------------------------------------------- https://blog.malwarebytes.com/security-world/business-security-world/2022/0… ∗∗∗ Diese Betrugsmaschen sollten LinkedIn-NutzerInnen kennen ∗∗∗ --------------------------------------------- LinkedIn wird vor allem mit Professionalität verbunden. Das ist wohl auch ein Grund, wieso LinkedIn weniger mit Betrug in Zusammenhang gebracht wird. Das spielt Kriminellen in die Hände, die mit Fake-Profilen Schadsoftware verbreiten können, betrügerische Jobs anbieten oder mit Hilfe von Phishing-Mails versuchen an sensible Daten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/diese-betrugsmaschen-sollten-linkedi… ∗∗∗ Strengthening Cybersecurity of SATCOM Network Providers and Customers ∗∗∗ --------------------------------------------- CISA and FBI strongly encourage critical infrastructure organizations and, specifically, organizations that are SATCOM network providers or customers to review the joint CSA and implement the mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/strengthening-cyb… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-treq), Fedora (openvpn, pesign, rust-regex, and thunderbird), Oracle (expat), Red Hat (kpatch-patch-4_18_0-147_58_1), Slackware (bind and openssl), SUSE (python-lxml), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/888412/ ∗∗∗ CVE-2021-28372: How a Vulnerability in Third-Party Technology Is Leaving Many IP Cameras and Surveillance Systems Vulnerable ∗∗∗ --------------------------------------------- CVE-2021-28372, a vulnerability in third-party software commonly built into many IP cameras, highlights issues in IoT supply chain security. --------------------------------------------- https://unit42.paloaltonetworks.com/iot-supply-chain-cve-2021-28372/ ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect IBM Decision Optimization Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ may affect IBM ILOG CPLEX Optimization Studio (CVE-2022-21360, CVE-2022-21365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-4104, CVE-2021-29469, CVE-2021-44531, CVE-2021-44531, CVE-2022-21824, CVE-2021-29899, CVE-2021-27290 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Information disclosure vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-CVE-2021-39046 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-vu… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect IBM Decision Optimization Center (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java™ Runtime may affect IBM Decision Optimization Center (CVE-2022-21360, CVE-2022-21365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K08173228: Multiple Intel CPU vulnerabilities ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08173228 ∗∗∗ Synology-SA-22:04 OpenSSL ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_04 ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0329 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2022
by Daily end-of-shift report 17 Mar '22

17 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-03-2022 18:00 − Donnerstag 17-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ SolarWinds warns of attacks targeting Web Help Desk instances ∗∗∗ --------------------------------------------- SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). --------------------------------------------- https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-attacks-… ∗∗∗ Microsoft creates tool to scan MikroTik routers for TrickBot infections ∗∗∗ --------------------------------------------- The TrickBot trojan has just added one more trick up its sleeve, now using vulnerable IoT (internet of things) devices like modem routers as proxies for its C2 (command and control) server communication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-creates-tool-to-sc… ∗∗∗ CISA: US-Behörde warnt vor 15 aktiv ausgenutzten Sicherheitslücken ∗∗∗ --------------------------------------------- Die US-Sicherheitsbehörde CISA warnt Unternehmen und Behörden vor 15 älteren Sicherheitslücken, die aktiv für Angriffe ausgenutzt werden. --------------------------------------------- https://www.golem.de/news/cisa-us-behoerde-warnt-vor-15-aktiv-ausgenutzten-… ∗∗∗ DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly ∗∗∗ --------------------------------------------- The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. "The worming module targets older well-known vulnerabilities, e.g., EternalBlue and Hot Potato Windows privilege escalation," Avast researcher Martin Chlumecký said in a report published Wednesday. --------------------------------------------- https://thehackernews.com/2022/03/dirtymoe-botnet-gains-new-exploits-in.html ∗∗∗ LokiLocker ransomware family spotted with built-in wiper ∗∗∗ --------------------------------------------- BlackBerry says extortionists erase documents if ransom unpaid BlackBerry security researchers have identified a ransomware family targeting English-speaking victims that is capable of erasing all non-system files from infected Windows PCs. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/03/16/blackberry_l… ∗∗∗ Abusing Arbitrary File Deletes to Escalate Privilege and Other Great Tricks ∗∗∗ --------------------------------------------- What do you do when you’ve found an arbitrary file delete as NT AUTHORITY\SYSTEM? Probably just sigh and call it a DoS. Well, no more. In this article, we’ll show you some great techniques for getting much more out of your arbitrary file deletes, arbitrary folder deletes, and other seemingly low-impact filesystem-based exploit primitives. --------------------------------------------- https://www.thezdi.com/blog/2022/3/16/abusing-arbitrary-file-deletes-to-esc… ∗∗∗ From BlackMatter to BlackCat: Analyzing two attacks from one affiliate ∗∗∗ --------------------------------------------- While researching a BlackCat ransomware attack from December 2021, we observed a domain (and respective IP addresses) used to maintain persistent access to the network. This domain had also been used in a BlackMatter attack in September 2021. Further analysis revealed more commonalities, such as tools, file names and techniques that were common to both ransomware variants. --------------------------------------------- http://blog.talosintelligence.com/2022/03/from-blackmatter-to-blackcat-anal… ===================== = Vulnerabilities = ===================== ∗∗∗ New Vulnerability in CRI-O Engine Lets Attackers Escape Kubernetes Containers ∗∗∗ --------------------------------------------- A newly disclosed security vulnerability in the Kubernetes container engine CRI-O called cr8escape could be exploited by an attacker to break out of containers and obtain root access to the host. "Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data, and lateral movement across pods," [..] --------------------------------------------- https://thehackernews.com/2022/03/new-vulnerability-in-cri-o-engine-lets.ht… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flac, openssl, and openssl1.0), Fedora (nbd, pesign, and rust-regex), openSUSE (ansible, java-1_8_0-openjdk, libreoffice, and stunnel), Oracle (expat, glibc, and virt:ol and virt-devel:rhel), Red Hat (expat, redhat-ds:11.3, and virt:av and virt-devel:av), SUSE (atftp, java-1_8_0-openjdk, libreoffice, python3, and stunnel), and Ubuntu (apache2, bind9, firefox, fuse, and man-db). --------------------------------------------- https://lwn.net/Articles/888288/ ∗∗∗ Red Hat Virtualization: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Virtualization ausnutzen, um Dateien zu manipulieren. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0328 ∗∗∗ ISC Releases Security Advisories for BIND ∗∗∗ --------------------------------------------- Original release date: March 17, 2022The Internet Systems Consortium (ISC) has released security advisories that address vulnerabilities affecting multiple versions of ISC Berkeley Internet Name Domain (BIND). A remote attacker could exploit these vulnerabilities to cause a denial-of-service condition. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/17/isc-releases-secu… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js vm2 module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Netcool/OMNIbus Probe DSL Factory Framework is vulnerable to arbitrary code execution (CVE-2022-23302, CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for its use of IBM Websphere Liberty (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2021-44531) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise (CVE-2022-0235) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A security vulnerability in log4j v1.2 affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2022
by Daily end-of-shift report 16 Mar '22

16 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-03-2022 18:00 − Mittwoch 16-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Android trojan persists on the Google Play Store since January ∗∗∗ --------------------------------------------- Security researchers tracking the mobile app ecosystem have noticed a recent spike in trojan infiltration on the Google Play Store, with one of the apps having over 500,000 installs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-trojan-persists-on-t… ∗∗∗ Qakbot infection with Cobalt Strike and VNC activity, (Wed, Mar 16th) ∗∗∗ --------------------------------------------- On Monday 2022-03-14, I infected a vulnerable Windows host with Qakbot (Qbot) malware. Today's diary provides a quick review of the infection activity. --------------------------------------------- https://isc.sans.edu/diary/rss/28448 ∗∗∗ The Attack of the Chameleon Phishing Page ∗∗∗ --------------------------------------------- Recently, we encountered an interesting phishing webpage that caught our interest because it acts like a chameleon by changing and blending its color based on its environment. In addition, the site adapts its background page and logo depending on user input to trick its victims into giving away their email credentials. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-attack-… ∗∗∗ Werbe-SMS „Bewerbung erhalten“ führt zu Investment-Betrug ∗∗∗ --------------------------------------------- Aktuell versenden Kriminelle SMS, in denen von einer angeblichen Bewerbung durch die EmpfängerInnen die Rede ist. Wie die Kriminellen an Namen und Telefonnummer der Betroffenen gelangen, ist unklar. Klar hingegen ist, dass der enthaltene Link auf eine betrügerische Investment-Werbung führt. --------------------------------------------- https://www.watchlist-internet.at/news/werbe-sms-bewerbung-erhalten-fuehrt-… ∗∗∗ Gh0stCringe RAT Being Distributed to Vulnerable Database Servers ∗∗∗ --------------------------------------------- This blog will explain the RAT malware named Gh0stCringe. Gh0stCringe, also known as CirenegRAT, is one of the malware variants based on the code of Gh0st RAT. --------------------------------------------- https://asec.ahnlab.com/en/32572/ ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched RCE Bug in dompdf Project Affects HTML to PDF Converters ∗∗∗ --------------------------------------------- Researchers have disclosed an unpatched security vulnerability in "dompdf," a PHP-based HTML to PDF converter, that, if successfully exploited, could lead to remote code execution in certain configurations. --------------------------------------------- https://thehackernews.com/2022/03/unpatched-rce-bug-in-dompdf-project.html ∗∗∗ 7 RCE and DoS vulnerabilities Found in ClickHouse DBMS ∗∗∗ --------------------------------------------- The vulnerabilities require authentication, but can be triggered by any user with read permissions. This means the attacker must perform reconnaissance on the specific ClickHouse server target to obtain valid credentials. --------------------------------------------- https://jfrog.com/blog/7-rce-and-dos-vulnerabilities-found-in-clickhouse-db… ∗∗∗ Sicherheitslücke: Präparierte TLS-Zertifikate können OpenSSL-Systeme gefährden ∗∗∗ --------------------------------------------- Angreifer könnten Clients und Server mit präparierten TLS-Zertifikaten auf Basis von elliptischen Kurven lahmlegen. --------------------------------------------- https://heise.de/-6550820 ∗∗∗ Sicherheitsupdates: Angreifer könnten Schadcode durch pfSense-Firewall schieben ∗∗∗ --------------------------------------------- Mehrere Schwachstellen gefährden Systeme mit der Firewall-Distribution pfSense. --------------------------------------------- https://heise.de/-6577971 ∗∗∗ Sicherheitsupdates: Schadcode-Schlupflöcher in Dell-BIOS ∗∗∗ --------------------------------------------- Angreifer könnten Dell-Computer attackieren und im schlimmsten Fall die volle Kontrolle über Geräte erlangen. --------------------------------------------- https://heise.de/-6550647 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl and python-scrapy), openSUSE (chrony, expat, java-1_8_0-openj9, libqt5-qtbase, openssl-1_0_0, php7, and rust, rust1.58, rust1.59), Oracle (389-ds:1.4, httpd:2.4, libarchive, libxml2, and vim), Red Hat (389-ds:1.4, glibc, httpd:2.4, kpatch-patch, libarchive, libxml2, vim, and virt:rhel and virt-devel:rhel), SUSE (chrony, compat-openssl098, expat, libqt5-qtbase, openssl, openssl-1_0_0, openssl-1_1, openssl1, php7, rust, rust1.58, rust1.59, [...] --------------------------------------------- https://lwn.net/Articles/888093/ ∗∗∗ Drupal core - Moderately critical - Third-party libraries - SA-CORE-2022-005 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-005 ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js follow-redirects module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Pak for Network Automation (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform upgrade from Log4j 2.17 to 2.17.1 to protect from infinite recursion in lookup evaluation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in golang affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go vulnerability CVE-2021-33198 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: A security vulnerability in Node.js marked module affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Improper Restriction of XML External Entity Reference in BVMS ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-506619-bt.html ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/16/google-releases-s… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2022
by Daily end-of-shift report 15 Mar '22

15 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-03-2022 18:00 − Dienstag 15-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Massive phishing campaign uses 500+ domains leading to fake login pages ∗∗∗ --------------------------------------------- Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-phishing-campaign-us… ∗∗∗ Sicherheitslücke in Druckern: Über 300 Jahre alter Algorithmus knackt RSA-Keys ∗∗∗ --------------------------------------------- Drucker von Canon und Fujifilm erzeugen schwache RSA-Schlüssel, die sich mit dem Faktorisierungsalgorithmus von Fermat angreifen lassen. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-in-druckern-ueber-300-jahre-alt… ∗∗∗ New Threat: B1txor20, A Linux Backdoor Using DNS Tunnel ∗∗∗ --------------------------------------------- Since the Log4J vulnerability was exposed, we see more and more malware jumped on the wagon, Elknot, Gafgyt, Mirai are all too familiar, on February 9, 2022, 360Netlab's honeypot system captured an unknown ELF file propagating through the Log4J vulnerability. What stands out is that the network traffic generated by this sample triggered a DNS Tunnel alert in our system, We decided to take a close look, and indeed, it is a new botnet family, which we named B1txor20 based on its propagation using the file name "b1t", the XOR encryption algorithm, and the RC4 algorithm key length of 20 bytes. --------------------------------------------- https://blog.netlab.360.com/b1txor20-use-of-dns-tunneling_en/ ∗∗∗ Clean Binaries with Suspicious Behaviour, (Tue, Mar 15th) ∗∗∗ --------------------------------------------- EDR or "Endpoint Detection & Response" is a key element of many networks today. An agent is installed on all endpoints to track suspicious/malicious activity and (try to) block it. Behavioral monitoring is also a key element in modern SIEM infrastructure: To see a word.exe running is definitively not malicious, same with a Powershell script being launched. But if you monitor parent/child relations, to see a Powershell script launched from a Word process, that is suspicious! --------------------------------------------- https://isc.sans.edu/diary/rss/28444 ∗∗∗ A Simple Guide to Getting CVEs Published ∗∗∗ --------------------------------------------- This guide will, hopefully, let you skip the headaches and guesswork that we endured learning this process when you try to get a CVE published. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/a-simple-gu… ∗∗∗ Can an HTTPS Website be Hacked? ∗∗∗ --------------------------------------------- It should be no shock by now that a professional can break through anything. These days, zero-days are a dime a dozen, so it’s important to ensure your site is hardened and protected as much as possible. While an SSL certificate can certainly be an important factor, it’s only one slice of the pie. In this article, we’ll be elaborating on the myths of SSL, the kinds of hacks that still have the potential to occur, and how you can improve an HTTPS site beyond installing an SSL certificate. --------------------------------------------- https://blog.sucuri.net/2022/03/can-an-https-website-be-hacked.html ∗∗∗ Ukraine-Krieg: BSI warnt vor Kasperskys Sicherheits- und Antiviren-Software ∗∗∗ --------------------------------------------- Wer Antiviren-Software des russischen Herstellers einsetzt, sollte auf alternative Produkte ausweichen, heißt es der offizellen BSI-Warnung. --------------------------------------------- https://heise.de/-6549515 ∗∗∗ Vorsicht vor Anrufe und E-Mails von „Besser-Gefunden“ ∗∗∗ --------------------------------------------- Momentan werden Unternehmen telefonisch von „Besser-Gefunden“ kontaktiert. Die Person am Telefon erklärt Ihnen, dass Ihr Unternehmen einen Vertrag für die Schaltung von kostenpflichtigen Anzeigen im Firmenverzeichnis von „Besser-Gefunden“ abgeschlossen hat und die Gebühren bald fällig werden. Dieser Vertrag verlängert sich automatisch, wenn er nicht sofort schriftlich storniert wird. Vorsicht: Dabei handelt es sich um eine betrügerische Masche zur Kundengewinnung! Legen Sie auf und unterschreiben Sie nichts. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-anrufe-und-e-mails-von-… ∗∗∗ Updated: Kubernetes Hardening Guide ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and CISA have updated their joint Cybersecurity Technical Report (CTR): Kubernetes Hardening Guide, originally released in August 2021, based on valuable feedback and inputs from the cybersecurity community. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/15/updated-kubernete… ∗∗∗ Investigating an engineering workstation – Part 1 ∗∗∗ --------------------------------------------- In this series of blog posts we will deal with the investigation of an engineering workstation running Windows 10 with the Siemens TIA Portal Version 15.1 installed. In this first part we will cover some selected classic Windows-based evidence sources, and how they behave with regards to the execution of the TIA Portal and interaction with it. --------------------------------------------- https://blog.nviso.eu/2022/03/15/investigating-an-engineering-workstation-p… ∗∗∗ Threat Advisory: CaddyWiper ∗∗∗ --------------------------------------------- Overview Cybersecurity company ESET disclosed another Ukraine-focused wiper dubbed "CaddyWiper" on March 14. [..] Analysis: The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Our analysis didn't show any indications of persistency, self-propagation or exploitation code. Before starting any file destruction, it checks to ensure that the machine is not a domain controller. If the machine is a domain controller, it stops execution. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html ∗∗∗ OpenSSL security releases may require Node.js security releases ∗∗∗ --------------------------------------------- The Node.js project may be releasing new versions across all of its supportedrelease lines late this week to incorporate upstream patches from OpenSSL. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/mar-2022-security-releases ===================== = Vulnerabilities = ===================== ∗∗∗ Apple Updates Everything: MacOS 12.3, XCode 13.3, tvOS 15.4, watchOS 8.5, iPadOS 15.4 and more, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- Apple today released one of its massive "surprise" updates for all of its operating systems. This includes updates for Safari as well as stand-alone security updates for older operating systems like macOS Big Sur and Catalina. As so often, this also includes feature updates for the respective operating systems. --------------------------------------------- https://isc.sans.edu/diary/rss/28438 ∗∗∗ Sicherheitsupdate für IBM Spectrum Protect: Fremdzugriff auf Datenbanken möglich ∗∗∗ --------------------------------------------- Es gibt Sicherheitsupdates für IBMs Backup-Lösung Spectrum Protect. Angreifer könnten unter anderem auf eigentlich verschlüsselte Informationen zugreifen. --------------------------------------------- https://heise.de/-6548621 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (spip), Fedora (chromium), Mageia (chromium-browser-stable, kernel, kernel-linus, and ruby), openSUSE (firefox, flac, java-11-openjdk, protobuf, tomcat, and xstream), Oracle (thunderbird), Red Hat (kpatch-patch and thunderbird), Scientific Linux (thunderbird), Slackware (httpd), SUSE (firefox, flac, glib2, glibc, java-11-openjdk, libcaca, SDL2, squid, sssd, tomcat, xstream, and zsh), and Ubuntu (zsh). --------------------------------------------- https://lwn.net/Articles/887914/ ∗∗∗ Belden Security Bulletin – Industrial IT BSECV-2021-16 ∗∗∗ --------------------------------------------- CVEs: CVE-2020-24588, CVE-2020-26144, CVE-2020-26146 and CVE-2020-26147. FragAttacks 2 (fragmentation and aggregation attacks) is a collection of security vulnerabilities that affect Wi-Fi devices. An adversary that is within range of a victim's Wi-Fi network can exploit these vulnerabilities to steal user information or attack devices. Affected products: Hirschmann OpenBAT, WLC, BAT450 --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14146&mediaformat… ∗∗∗ Dirty Pipe Linux Flaw Affects a Wide Range of QNAP NAS Devices ∗∗∗ --------------------------------------------- https://thehackernews.com/2022/03/dirty-pipe-linux-flaw-affects-wide.html ∗∗∗ Security Bulletin: CVE-2021-2341 (deferred from Oracle Jul 2021 CPU for Java 7.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2341-deferred-fr… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 21.0.0.9 could allow a remote user to enumerate usernames due to a difference of responses from valid and invalid login attempts. IBM X-Force ID: ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: A Vulnerability In Apache Commons IO Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Workstations Central Administration Console (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Mobilefirst is affected by a log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-mobilefirst-is-affected-b… ∗∗∗ Security Bulletin: Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-1-2-reached-… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j affects IBM Tivoli Composite Application Manager for Application Diagnostics (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect for Virtual Environments (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ Security Bulletin: Vulnerability in IBM Dojo affects IBM Spectrum Protect Operations Center (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-dojo… ∗∗∗ ABB OPC Server for AC 800M ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-074-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2022
by Daily end-of-shift report 14 Mar '22

14 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-03-2022 18:00 − Montag 14-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Android malware Escobar steals your Google Authenticator MFA codes ∗∗∗ --------------------------------------------- The Aberebot banking trojan appears to have returned, as its author is actively promoting a new version of the tool on dark web markets and forums. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-escobar-stea… ∗∗∗ Curl on Windows, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- It's about 2 years ago that Xavier wrote a diary entry ("Keep an Eye on Command-Line Browsers") mentioning that curl was now build into Windows. [...] So with this particular malicious script, it's rather easy to detect (especially if you are in a network environment without Linux machines): search for curl UAS. If you are in a corporate environment, there's something else to know about curl on Windows. --------------------------------------------- https://isc.sans.edu/diary/rss/28436 ∗∗∗ New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access ∗∗∗ --------------------------------------------- Tracked as CVE-2022-25636 (CVSS score: 7.8), the vulnerability impacts Linux kernel versions 5.4 through 5.6.10 and is a result of a heap out-of-bounds write in the netfilter subcomponent in the kernel. [..] "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat said in an advisory published on February 22, 2022. Similar alerts have been released by Debian, Oracle Linux, SUSE, and Ubuntu. --------------------------------------------- https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html ∗∗∗ Reverse Engineering a Netgear Nday ∗∗∗ --------------------------------------------- This post will detail how I went about developing a proof of concept for a Netgear Nday vulnerability. --------------------------------------------- https://nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-net… ∗∗∗ Making Sense of the Dirty Pipe Vulnerability (CVE-2022-0847) ∗∗∗ --------------------------------------------- [..] the flaw could allow anyone with read access on a system to write arbitrary data into arbitrary files. In this blog post, we analyze the vulnerability details in-depth and demonstrate how the exploit works to successfully escalate privileges. --------------------------------------------- https://redhuntlabs.com/blog/the-dirty-pipe-vulnerability.html ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Following responsible disclosure on September 9, 2021, fixes have been released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. But Composer, Pip, and Pipenv, all three of which are affected by the untrusted search path flaw, have opted not to address the bug. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Shodan: Introducing the InternetDB API ∗∗∗ --------------------------------------------- The major differences between the InternetDB API and the main Shodan API are: - No API key required - Much higher rate limit - Weekly updates - Minimal port/ service information - Non-commercial use only --------------------------------------------- https://blog.shodan.io/introducing-the-internetdb-api/ ∗∗∗ Diskrepanz zwischen erwarteten und tatsächlichen Cyberattacken im Ukraine-Krieg ∗∗∗ --------------------------------------------- c’t: Ukrainische Behörden haben Freiwillige in aller Welt aufgerufen, sich an Cyberattacken gegen Russland zu beteiligen. Halten Sie es für sinnvoll, dabei mitzumachen? Dr. Sven Herpig: Nein. Natürlich könnten Freiwillige irgendwelche Ziele in Russland ärgern, aber das wird weit weg sein von kriegsentscheidend. Gleichzeitig ist es aus drei Gründen ziemlich gefährlich. --------------------------------------------- https://heise.de/-6540223 ∗∗∗ Gefälschte Otto-Shops werben auf Facebook ∗∗∗ --------------------------------------------- ottot.shop, otto.us.com und ghrh.shop sind betrügerische Online-Shops. Diese Shops imitieren das deutsche Handelsunternehmen „OTTO“ und bieten Produkte zu sehr günstigen Preisen an. Aber: Ware, die dort bestellt und bezahlt wird, wird nicht geliefert. Geschädigte können versuchen ihr Geld über den Käuferschutz von PayPal zurückzubekommen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-otto-shops-werben-auf-fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam Backup & Replication - CVE-2022-26500 | CVE-2022-26501 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. CVSS v3 score: 9.8 --------------------------------------------- https://www.veeam.com/kb4288 ∗∗∗ High-Severity Vulnerabilities Patched in Omron PLC Programming Software ∗∗∗ --------------------------------------------- Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron. An advisory released earlier this month by Japan’s JPCERT/CC revealed that the product is affected by five use-after-free and out-of-bounds vulnerabilities, all with a CVSS score of 7.8. --------------------------------------------- https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-pl… ∗∗∗ Riverbed spinoff Aternity ships emergency software patch ∗∗∗ --------------------------------------------- Riverbed’s performance monitoring spinoff Aternity has published seven security advisories describing now-patched vulnerabilities in its AppInternals monitoring agent software. The most serious of the bugs gave attackers remote code execution with system-level privilege. [..] Riverbed has shipped AppInternals Agent versions 11.8.8 and 12.14.0, which include patches for the bugs. --------------------------------------------- https://www.itnews.com.au/news/riverbed-spinoff-aternity-ships-emergency-so… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, haproxy, libphp-adodb, nbd, and vim), Fedora (chromium, cobbler, firefox, gnutls, linux-firmware, radare2, thunderbird, and usbguard), Mageia (gnutls), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, and kernel), SUSE (firefox, tomcat, and webkit2gtk3), and Ubuntu (libxml2 and nbd). --------------------------------------------- https://lwn.net/Articles/887807/ ∗∗∗ Dell BIOS: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, CVE-2022-24421 Ein lokaler Angreifer kann mehrere Schwachstellen in Dell BIOS und Dell Computer ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0308 ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943 Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache HTTP Server ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0306 ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus is vulnerable to PostgreSQL Man-in-the-Middle and Slowloris Denial of Service attacks (CVE-2021-23222, CVE-2022-22354) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Analytical Decision Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects SPSS Collaboration and Deployment Services (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Big SQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-li… ∗∗∗ Security Bulletin: IBM Spectrum Copy Data Management is vulnerable to Slowloris, HTTP header injection, XSS, and CSRF (CVE-2022-22354, CVE-2022-22344, CVE-2021-39055, CVE-2021-39051) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-copy-data-ma… ∗∗∗ Security Bulletin: Vulnerabilities in Celery, Golang Go, and Python affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-celery… ∗∗∗ Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-flask-an… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, PostgreSQL, OpenSSL, OpenSSH, and jQuery affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and IBM WebSphere Application Server Liberty affect IBM Operations Center and Client Management Service (CVE-2021-35578, CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, Node.js, OpenSSH, and Golang Go affect IBM Spectrum Protect Plus (CVE-2021-4034, CVE-2022-21681, CVE-2022-21680, CVE-2022-0235, CVE-2021-41617, CVE-2021-44716, CVE-2021-44717, 218243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Reverse Tabnabbing and Cross-Site Request Forgery vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-22348, CVE-2020-22346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-reverse-tabnabbing-and-cr… ∗∗∗ K63603485: Linux kernel vulnerability CVE-2022-0847 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63603485 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2022
by Daily end-of-shift report 11 Mar '22

11 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-03-2022 18:00 − Freitag 11-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Raccoon Stealer Crawls Into Telegram ∗∗∗ --------------------------------------------- The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware. --------------------------------------------- https://threatpost.com/raccoon-stealer-telegram/178881/ ∗∗∗ Keep an Eye on WebSockets, (Fri, Mar 11th) ∗∗∗ --------------------------------------------- It has been a while that I did not spot WebSockets used by malware. Yesterday I discovered an interesting piece of Powershell. Very small and almost undetected according to its Virustotal score (2/54)[1]. A quick reminder for those that don't know what a "WebSocket" is. --------------------------------------------- https://isc.sans.edu/diary/rss/28430 ∗∗∗ Bypassing MFA: A Pentest Case Study ∗∗∗ --------------------------------------------- When a company implements multifactor authentication, the organization is usually confident that it’s using the best system possible. However, not all MFA is built the same and there are times when the MFA solution being implemented is not delivering the protection required. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bypassing-m… ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines. Its, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Whats up with in-the-wild exploits? Plus, what were doing about it. ∗∗∗ --------------------------------------------- If you are a regular reader of our Chrome release blog, you may have noticed that phrases like exploit for CVE-1234-567 exists in the wild have been appearing more often recently. In this post well explore why there seems to be such an increase in exploits, and clarify some misconceptions in the process. Well then share how Chrome is continuing to make it harder for attackers to achieve their goals. --------------------------------------------- http://security.googleblog.com/2022/03/whats-up-with-in-wild-exploits-plus.… ∗∗∗ WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities ∗∗∗ --------------------------------------------- Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. --------------------------------------------- https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixe… ∗∗∗ Cobalt Strike: Memory Dumps – Part 6 ∗∗∗ --------------------------------------------- This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/ ∗∗∗ Infostealer Being Distributed via YouTube ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post. --------------------------------------------- https://asec.ahnlab.com/en/32499/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-503: MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-503/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat vulnerabilities and, firefox, and subversion). --------------------------------------------- https://lwn.net/Articles/887635/ ∗∗∗ Mattermost security updates 6.4.2, 6.3.5, 6.2.5, 5.37.9 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.4.2, 6.3.5 (Extended Support Release), 6.2.5, 5.37.9 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-4-2-6-3-5-6-2-5-5… ∗∗∗ Siemens Solid Edge, JT2Go, and Teamcenter Visualization ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization that was published February 10, 2022, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-041-07 ∗∗∗ Mehrere Schwachstellen in PONTON X/P Messenger (SYSS-2021-077/-078/-079/-080) ∗∗∗ --------------------------------------------- Der PONTON X/P Messenger der PONTON GmbH ist in den Versionen 3.8.0 und 3.10.0 unter eingeschränkten Voraussetzungen anfällig für mehrere Schwachstellen. --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-ponton-x/p-messe… ∗∗∗ CERT-EU warnt vor SMBv3-Schwachstelle CVE-2022-24508, Fix durch Windows März 2022-Updates ∗∗∗ --------------------------------------------- Mit den Sicherheitsupdates vom 8. März 2022 für Windows hat Microsoft eine Reihe Schwachstellen geschlossen. Darunter ist auch eine als wichtig eingestufte Remote Code Execution-Schwachstelle (REC) im Windows SMBv3 Client/Server. CERT-EU warnt in einer aktuellen Mitteilung vor dieser SMBv3-Schwachstelle CVE-2022-24508 [...] --------------------------------------------- https://www.borncity.com/blog/2022/03/11/cert-eu-warnt-vor-smbv3-schwachste… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 10 March 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0299 ∗∗∗ phpMyAdmin: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0304 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0302 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has a vulnerability (CVE-2021-39022), related to hazardous input. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A Python Issue Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-python-issue-affects-ib… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to an attacker obtaining sensitive information (CVE-2021-35550, CVE-2021-35603) and denial of service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Cloud Pak for Automation Workflow Process Service (CVE-2021-38893 CVE-2021-38966) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2022
by Daily end-of-shift report 10 Mar '22

10 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-03-2022 18:00 − Donnerstag 10-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Nearly 30% of critical WordPress plugin bugs dont get a patch ∗∗∗ --------------------------------------------- Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nearly-30-percent-of-critica… ∗∗∗ What Security Controls Do I Need for My Kubernetes Cluster? ∗∗∗ --------------------------------------------- This Tech Tip offers some security controls to embed in your organizations CI/CD pipeline to protect Kubernetes clusters and corporate networks. --------------------------------------------- https://www.darkreading.com/dr-tech/what-security-controls-do-i-need-for-my… ∗∗∗ Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads ∗∗∗ --------------------------------------------- The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things. --------------------------------------------- https://threatpost.com/qakbot-botnet-sprouts-fangs-injects-malware-into-ema… ∗∗∗ Credentials Leaks on VirusTotal, (Thu, Mar 10th) ∗∗∗ --------------------------------------------- A few weeks ago, researchers published some information about stolen credentials that were posted on Virustotal[1]. Im keeping an eye on VT for my customers and searching for data related to them. For example, I looking for their domain name(s) inside files posted on VT. I may confirm what researchers said, there are a lot of passwords leaks shared on VTI but yesterday, there was a peak of files uploaded on this platform. --------------------------------------------- https://isc.sans.edu/diary/rss/28426 ∗∗∗ Demystifying E-Commerce Website Security ∗∗∗ --------------------------------------------- Here we’ll be discussing the main aspects that are important to an E-Commerce website, the kinds of vulnerabilities that can impact your business, and how to take better preventative measures. --------------------------------------------- https://blog.sucuri.net/2022/03/demystifying-e-commerce-website-security.ht… ∗∗∗ Pre-announcement of 4 BIND security issues scheduled for disclosure 16 March 2022 ∗∗∗ --------------------------------------------- As part of our policy of pre-notification of upcoming security releases, we are writing to inform you that the March 2022 BIND maintenance releases that will be released on Wednesday, 16 March, will contain a patches for a security vulnerabilities affecting the BIND 9.11.x, 9.16.x and 9.18.x release branches. Further details about those vulnerabilities will be publicly disclosed at the time the releases are published. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2022-March/001211.html ∗∗∗ Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers ∗∗∗ --------------------------------------------- In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EUs digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NISD) --------------------------------------------- https://arxiv.org/abs/2203.04887 ∗∗∗ The Conti Leaks: Insight into a Ransomware Unicorn ∗∗∗ --------------------------------------------- In late February 2022, the internal chat logs of the Conti ransomware group were disclosed. This blog dissects the internal chat logs that illuminate how Conti’s organizational infrastructure is run, details key figureheads, tooling as well as bitcoin transactions. --------------------------------------------- https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/ ∗∗∗ Spectre V2 ist auch bei ARM und Intel zurück: Angriff auf Branch History Buffer ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen von Intel-Prozessoren und ARM-Kernen gegen Seitenkanalangriffe vom Typ Spectre V2 reichen nicht aus. --------------------------------------------- https://heise.de/-6545263 ∗∗∗ „Ihr ID-Betriebssystem wird gesperrt“ – Apple E-Mail ist Fake! ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail, das angeblich von Apple versendet wird, werden Sie aufgefordert Ihre Apple ID zu überprüfen. Doch Vorsicht – es handelt sich um Phishing! Hier sind Kriminelle auf Ihre Daten aus! Am besten ignorieren Sie das E-Mail. --------------------------------------------- https://www.watchlist-internet.at/news/ihr-id-betriebssystem-wird-gesperrt-… ∗∗∗ Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools ∗∗∗ --------------------------------------------- Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ [webapps] Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated) ∗∗∗ --------------------------------------------- # note : this is blind RCE so don't expect to see results on the site # this exploit is tested against Zabbix 5.0.17 only --------------------------------------------- https://www.exploit-db.com/exploits/50816 ∗∗∗ XSA-396 ∗∗∗ --------------------------------------------- CVEs: CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends --------------------------------------------- https://xenbits.xen.org/xsa/advisory-396.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat). --------------------------------------------- https://lwn.net/Articles/887484/ ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- - SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028 - Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0298 ∗∗∗ CVE-2022-0022 PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes (Severity: MEDIUM) ∗∗∗ --------------------------------------------- Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. [..] Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0022 ∗∗∗ UNIVERGE WA Series vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN72801744/ ∗∗∗ [remote] Siemens S7-1200 - Unauthenticated Start/Stop Command ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/50820 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-23450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to cross-site scripting (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM DataPower Gateway permits reflected JSON injection (CVE-2021-38910) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-per… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily