Daily January 2022

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - 17.01.2022
by Daily end-of-shift report 17 Jan '22

17 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-01-2022 18:00 − Montag 17-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft Edge v97 ∗∗∗ --------------------------------------------- We are pleased to announce the enterprise-ready release of the security baseline for Microsoft Edge version 97! We have reviewed the settings in Microsoft Edge version 97 and updated our guidance with the addition of 1 setting. A new Microsoft Edge security baseline package was just released to the Download Center. You can download the version 97 package from the Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Log4Shell Attacks Getting "Smarter", (Mon, Jan 17th) ∗∗∗ --------------------------------------------- Ever since news of the Log4Shell vulnerability broke, we saw a stream of attacks attempting to exploit this vulnerability in log4j (CVE-2021-44228). --------------------------------------------- https://isc.sans.edu/diary/rss/28246 ∗∗∗ New Unpatched Apple Safari Browser Bug Allows Cross-Site User Tracking ∗∗∗ --------------------------------------------- A software bug introduced in Apple Safari 15s implementation of the IndexedDB API could be abused by a malicious website to track users online activity in the web browser and worse, even reveal their identity. The vulnerability, dubbed IndexedDB Leaks, was disclosed by fraud protection software company FingerprintJS, which reported the issue to the iPhone maker on November 28, 2021. --------------------------------------------- https://thehackernews.com/2022/01/new-unpatched-apple-safari-browser-bug.ht… ∗∗∗ Domain Persistence – Machine Account ∗∗∗ --------------------------------------------- Machine accounts play a role in red team operations as in a number of techniques are utilized for privilege escalation, lateral movement and domain escalation. However, there are also cases which a machine account could be used for establishing domain persistence. This involves either the addition of an arbitrary machine account to a high privilege group such as the domain admins or the modification of the “userAccountControl” attribute [...] --------------------------------------------- https://pentestlab.blog/2022/01/17/domain-persistence-machine-account/ ∗∗∗ "Smishing"-Masche: Weiter massenhaft Betrugs-SMS auf Handys ∗∗∗ --------------------------------------------- Wer eine SMS von unbekannt mit einem Link bekommt, sollte vorsichtig sein. Es könnte sich um eine Betrugs-SMS handeln. "Smishing" ist noch immer nicht vorbei. --------------------------------------------- https://heise.de/-6328158 ∗∗∗ Capturing RDP NetNTLMv2 Hashes: Attack details and a Technical How-To Guide ∗∗∗ --------------------------------------------- The GoSecure Titan Labs team saw an opportunity to further explore the topic of hash capturing (which is a must in the arsenal of any offensive team). This blog will examine RDP security modes, how they work and how to put that into action to capture NetNTLMv2 hashes via the RDP protocol using PyRDP—a library created by GoSecure. --------------------------------------------- https://www.gosecure.net/blog/2022/01/17/capturing-rdp-netntlmv2-hashes-att… ===================== = Vulnerabilities = ===================== ∗∗∗ Serious Security: Linux full-disk encryption bug fixed – patch now! ∗∗∗ --------------------------------------------- Imagine if someone who didnt have your password could sneakily modify data that was encrypted with it. --------------------------------------------- https://nakedsecurity.sophos.com/2022/01/14/serious-security-linux-full-dis… ∗∗∗ Über drei Millionen PCs in Deutschland mit unsicherem Windows-System ∗∗∗ --------------------------------------------- Vor zwei Jahren stellte Microsoft den Support für Windows 7 ein. Trotzdem schaffen es viele Anwender nicht, sich von dem unsicheren System zu trennen. --------------------------------------------- https://heise.de/-6328189 ∗∗∗ Virenschutz: Microsoft Defender erleichtert Einnisten von Schädlingen ∗∗∗ --------------------------------------------- Eine kleine Schwachstelle bei Zugriffsrechten des Microsoft Defender unter Windows 10 ermöglicht Angreifern, Malware vor Scans zu verstecken. --------------------------------------------- https://heise.de/-6329300 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, ghostscript, libreswan, prosody, sphinxsearch, thunderbird, and uriparser), Fedora (cryptsetup, flatpak, kernel, mingw-uriparser, python-celery, python-kombu, and uriparser), Mageia (htmldoc, mbedtls, openexr, perl-CPAN, systemd, thunderbird, and vim), openSUSE (chromium and prosody), Red Hat (httpd, kernel, and samba), Scientific Linux (kernel), Slackware (expat), SUSE (ghostscript), and Ubuntu (pillow). --------------------------------------------- https://lwn.net/Articles/881545/ ∗∗∗ Oracle to Release Nearly 500 New Security Patches ∗∗∗ --------------------------------------------- Oracle is preparing the release of nearly 500 new security patches with its Critical Patch Update (CPU) for January 2022. --------------------------------------------- https://www.securityweek.com/oracle-release-nearly-500-new-security-patches ∗∗∗ Microsoft Januar 2022 Patchday-Revisionen (14.1.2022) ∗∗∗ --------------------------------------------- Zum 11. Januar 2022 hat Microsoft eine Reihe Sicherheitsupdates für Windows und Office freigegeben, die Schwachstellen beseitigen sollen. Einige dieser Updates führten aber zu Problemen, so dass Funktionen in Windows gestört wurden. Am 14. Januar 2022 hat Microsoft eine Liste [...] --------------------------------------------- https://www.borncity.com/blog/2022/01/17/microsoft-januar-2022-patchday-rev… ∗∗∗ ZDI-22-081: TP-Link TL-WA1201 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-081/ ∗∗∗ ZDI-22-080: TP-Link Archer C90 DNS Response Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-080/ ∗∗∗ OpenBMCS 2.4 Secrets Disclosure ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5695.php ∗∗∗ OpenBMCS 2.4 Unauthenticated SSRF / RFI ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5694.php ∗∗∗ OpenBMCS 2.4 Create Admin / Remote Privilege Escalation ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5693.php ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Pepperl+Fuchs: Multiple DTM and VisuNet Software affected by log4net vulnerability (UPDATE A) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-041/ ∗∗∗ GNU libc: Mehrere Schwachstellen ermöglichen Codeausführung und Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0054 ∗∗∗ Stored Cross-Site Scripting Schwachstelle in Typo3 Extension "femanager" ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/stored-cross-site-scr… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.01.2022
by Daily end-of-shift report 14 Jan '22

14 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-01-2022 18:00 − Freitag 14-01-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft Defender weakness lets hackers bypass malware detection ∗∗∗ --------------------------------------------- Threat actors can take advantage of a weakness that affects Microsoft Defender antivirus on Windows to learn locations excluded from scanning and plant malware there. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-defender-weakness-… ∗∗∗ Nach Log4J: Google will zusammen mit Regierungen Open Source absichern ∗∗∗ --------------------------------------------- Seit langem sucht Google nach Wegen, Open-Source-Software besser abzusichern. Nach der Log4J-Lücke kommen nun auch Regierungen ins Spiel. --------------------------------------------- https://www.golem.de/news/nach-log4j-google-will-zusammen-mit-regierungen-o… ∗∗∗ Microsoft Yanks Buggy Windows Server Updates ∗∗∗ --------------------------------------------- Since their release on Patch Tuesday, the updates have been breaking Windows, causing spontaneous boot loops on Windows domain controller servers, breaking Hyper-V and making ReFS volume systems unavailable. --------------------------------------------- https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/ ∗∗∗ A closer look at Flubot’s DoH tunneling ∗∗∗ --------------------------------------------- [...] The following blog post will take a closer look at Flubot version 4.9, and in particular its Command and Control (C&C) communication, based on the data F-Secure gathered during that campaign. --------------------------------------------- https://blog.f-secure.com/flubot_doh_tunneling/ ∗∗∗ Verwundbare Exchange-Server der öffentlichen Verwaltung ∗∗∗ --------------------------------------------- 20 Exchange-Server in öffentlicher Hand waren für eine Sicherheitslücke anfällig. Kriminelle hätten die Kontrolle übernehmen können. --------------------------------------------- https://heise.de/-6320504 ∗∗∗ Citrix liefert Sicherheitsupdates für Workspace App und Hypervisor ∗∗∗ --------------------------------------------- Sicherheitslücken in der Citrix Workspace App for Linux und im Hypervisor ermöglichten Angreifern die Rechteausweitung oder DoS-Attacken auf den Host. --------------------------------------------- https://heise.de/-6327171 ∗∗∗ Aus für iOS 14? Verwirrung über fehlende Sicherheits-Updates ∗∗∗ --------------------------------------------- Neben iOS 15 stellte Apple erstmals Updates für die Vorjahresversion des Betriebssystems in Aussicht. Es fehlen aber wichtige Patches für iOS 14. --------------------------------------------- https://heise.de/-6327709 ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht Cisco Unified Contact Manager ∗∗∗ --------------------------------------------- Admins von Cisco-Hard- und -Software sind gefragt, ihre Systeme abzusichern. --------------------------------------------- https://heise.de/-6327050 ∗∗∗ Schadcode-Schlupflöcher in Qnap NAS geschlossen ∗∗∗ --------------------------------------------- Die Qnap-Entwickler haben ihr NAS-Betriebssystem und zwei Apps gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-6327201 ∗∗∗ Juniper Networks stopft zahlreiche Sicherheitslücken ∗∗∗ --------------------------------------------- In Geräten und Diensten von Juniper hätten Angreifer Schwachstellen etwa für DoS-Angriffe, die Ausweitung von Rechten oder Schlimmeres missbrauchen können. --------------------------------------------- https://heise.de/-6327645 ∗∗∗ Signierte Kernel‑Treiber – unbewachte Zugänge zum Windows‑Kern ∗∗∗ --------------------------------------------- ESET Forscher untersuchen Schwachstellen in signierten Windows-Treibern, die trotz Gegenmaßnahmen immer noch ein Sicherheitsproblem darstellen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/01/13/signierte-kernel-treiber-… ∗∗∗ Telefon-Betrug: Drücken Sie nicht die Taste 1! ∗∗∗ --------------------------------------------- LeserInnen der Watchlist Internet melden uns derzeit betrügerische Anrufe: Dabei werden willkürlich Personen angerufen und mit einer Bandansage darauf hingewiesen, dass es einen Haftbefehl gegen sie gäbe. Um mehr zu erfahren, solle die Taste 1 gedrückt werden. Machen Sie das auf keinen Fall! Die BetrügerInnen wollen Sie damit in eine Kostenfalle locken. --------------------------------------------- https://www.watchlist-internet.at/news/telefon-betrug-druecken-sie-nicht-di… ∗∗∗ Schwachstellen in AWS Glue und AWS Cloud Formation entdeckt ∗∗∗ --------------------------------------------- Das Orca Security Research Team hat Sicherheitslücken im Amazon Web Services AWS Glue-Service sowie zur Zero-Day-Schwachstelle BreakingFormation erkannt. Beide Unternehmen konnten binnen weniger Tagen die Fehler beheben. --------------------------------------------- https://www.zdnet.de/88398803/schwachstellen-in-aws-glue-und-aws-cloud-form… ∗∗∗ Detection Rules for Sysjoker (and How to Make Them With Osquery) ∗∗∗ --------------------------------------------- On January 11, 2022, we released a blog post on a new malware called SysJoker. SysJoker is a malware targeting Windows, macOS, and Linux. At the time of the publication, the Linux and macOS versions were not detected by any scanning engines on VirusTotal. As a consequence to this, we decided to release a followup [...] --------------------------------------------- https://www.intezer.com/blog/cloud-security/detection-rules-sysjoker-osquer… ∗∗∗ Adobe Acrobat (Reader) DC 21.011.20039, Installationsfehler und offene Bugs ∗∗∗ --------------------------------------------- Kurzer Sammelbeitrag zum Acrobat Gelump, was Adobe auf die Rechner der Nutzer kippt. Zum 11. Januar 2022 gab es ein Sicherheitsupdate für den Adobe Acrobat (Reader) DC auf die Version 21.011.20039. Weiterhin haben mich die letzten Tage einige Nutzer auf eine Latte an offenen Bugs hingewiesen, die ich hier mal einfach einstellen will. Soll ja niemand behaupten, ich ließe die "Qualitätsupdates" von Adobe zum Acrobat unerwähnt. --------------------------------------------- https://www.borncity.com/blog/2022/01/14/adobe-acrobat-reader-dc-21-011-200… ===================== = Vulnerabilities = ===================== ∗∗∗ Positive Technologies Uncovers Vulnerability in IDEMIA Biometric Identification Devices That Can Unlock Doors and Turnstiles ∗∗∗ --------------------------------------------- Positive Technologies researchers, Natalya Tlyapova, Sergey Fedonin, Vladimir Kononovich, and Vyacheslav Moskvin have discovered a critical vulnerability (VU-2021-004) in IDEMIA biometric identification devices used in the world’s largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities. By exploiting the flaw, which received a score of 9.1 on the CVSS v3 scale, attackers can unlock doors and turnsites. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/positive-technologies-uncovers-… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (cockpit, python-cvxopt, and vim), openSUSE (libmspack), Oracle (webkitgtk4), Scientific Linux (firefox and thunderbird), SUSE (kernel and libmspack), and Ubuntu (firefox and pillow). --------------------------------------------- https://lwn.net/Articles/881407/ ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Lack of Administrator Control Over Security vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-013-01 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Initialization vulnerability in the Mitsubishi Electric MELSEC-F Series FX3U-ENET Ethernet-Internet block, --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-013-07 ∗∗∗ Mitsubishi Electric MELSEC iQ-R, Q and L Series (Update B) ∗∗∗ --------------------------------------------- [...] 4.1 AFFECTED PRODUCTS [...] Begin Update B Part 1 of 1 - L 02/06/26 CPU (-P), L 26 CPU - (P) BT, serial number 23121 and earlier End Update B Part 1 of 1 --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-20-303-01 ∗∗∗ Trane Symbio (Update B) ∗∗∗ --------------------------------------------- [...] 3. RISK EVALUATION Begin Update B Part 1 of 1 Successful exploitation of this vulnerability could allow a user to execute arbitrary code on the controller. End Update B Part 1 of 1 --------------------------------------------- https://www.cisa.gov/uscert/ics/advisories/icsa-21-266-01 ∗∗∗ Ivanti Updates Log4j Advisory with Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Ivanti has updated its Log4j Advisory with security updates for multiple products to address CVE-2021-44228. An unauthenticated attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review the Ivanti security advisories pages for Avalanche; File Director; and MobileIron Core, MobileIron Sentry (Core/Cloud), and MobileIron Core Connector and apply the necessary updates and workarounds. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/01/14/ivanti-updates-lo… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ MediaWiki: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0050 ∗∗∗ ClamAV: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0052 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.01.2022
by Daily end-of-shift report 13 Jan '22

13 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-01-2022 18:00 − Donnerstag 13-01-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ 19-jähriger Hacker kann Teslas in 13 Ländern fernsteuern ∗∗∗ --------------------------------------------- Der junge IT-Sicherheitsexperte kann die Autos lokalisieren, Türen öffnen und das Entertainment-System fernsteuern. [..] In einem Twitter-Beitrag, den er am Montag veröffentlichte, erklärte er auch, dass es sich bei dem Fehler nicht um eine Schwachstelle in der Infrastruktur von Tesla handelt. Es sei der Fehler der Besitzer*innen. Weiters schreibt Colombo, dass er das Problem an das Sicherheitsteam von Tesla gemeldet hat, das die Angelegenheit untersucht. --------------------------------------------- https://futurezone.at/digital-life/19-jaehriger-hacker-25-teslas-in-13-laen… ∗∗∗ Adobe Cloud Abused to Steal Office 365, Gmail Credentials ∗∗∗ --------------------------------------------- Threat actors are creating accounts within the Adobe Cloud suite and sending images and PDFs that appear legitimate to target Office 365 and Gmail users, researchers from Avanan discovered. --------------------------------------------- https://threatpost.com/adobe-cloud-steal-office-365-gmail-credentials/17762… ∗∗∗ Decrypting Qakbot’s Encrypted Registry Keys ∗∗∗ --------------------------------------------- One new skill is to insert encrypted data into the registry. One of the requests we received from Trustwave’s DFIR and Global Threats Operations teams is for us to decrypt the registry data that Qakbot created. We duly jumped into this task, and, as it was a bit of fun, decided to blog about it. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/decrypting-… ∗∗∗ Viele Lücken im Software-System Jenkins entdeckt – und noch nicht geschlossen ∗∗∗ --------------------------------------------- Entwickler sollten ihre Jenkins-Umgebung aus Sicherheitsgründen auf den aktuellen Stand bringen. Viele Updates sind jedoch noch nicht verfügbar. --------------------------------------------- https://heise.de/-6326362 ∗∗∗ 84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability ∗∗∗ --------------------------------------------- We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of “Login/Signup Popup” was released on November 24, 2021, while patched versions of “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” were released on December 17, 2021. We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins.. --------------------------------------------- https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-th… ∗∗∗ Free Micropatches for "RemotePotato0", a "WONT FIX" Local Privilege Escalation Affecting all Windows Systems ∗∗∗ --------------------------------------------- [..] a local privilege escalation vulnerability they had found in Windows and reported to Microsoft, who decided not to fix because "Servers must defend themselves against NTLM relay attacks." As far as real world goes, many servers do not, in fact, defend themselves against NTLM relay attacks. Since the vulnerability is present on all supported Windows versions as of today (as well as all unsupported versions which we had security-adopted), we decided to fix it ourselves. --------------------------------------------- https://blog.0patch.com/2022/01/free-micropatches-for-remotepotato0.html ∗∗∗ Code-Signatur-Prozesse sichern ∗∗∗ --------------------------------------------- DevOps steht unter Druck, wie unter anderem bei der Attacke auf SolarWinds offenkundig wurde. Fünf Wege zur Absicherung von Code-Signatur-Prozessen schildert Tony Hadfield, Director Solutions Architect bei Venafi, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88398761/code-signatur-prozesse-sichern/ ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in WordPress Plugin "Quiz And Survey Master" ∗∗∗ --------------------------------------------- * Cross-site request forgery (CWE-352) - CVE-2022-0180 * Reflected cross-site scripting (CWE-79) - CVE-2022-0181 * Stored cross-site scripting (CWE-79) - CVE-2022-0182 Solution: Update the plugin --------------------------------------------- https://jvn.jp/en/jp/JVN72788165/ ∗∗∗ Juniper Security Advisories ∗∗∗ --------------------------------------------- Juniper hat 34 Security Advisories veröffentlicht. --------------------------------------------- https://kb.juniper.net/InfoCenter/index?page=content&channel=SECURITY_ADVIS… ∗∗∗ Klartextspeicherung des Kennwortes in Cisco IP Telefonen ∗∗∗ --------------------------------------------- Mehrere Cisco IP Telefone speichern das konfigurierte Verwalterkennwort als Klartext im unverschlüsselten Flash Speicher. Somit ist die Extrahierung des Kennworts bei physischem Zugriff auf ein Telefon problemlos möglich. Wird dieses Kennwort nun bei mehreren Telefonen verwendet, bekommt ein Angreifer Zugriff auf die administrativen Einstellungen aller Geräte im Netzwerk. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/klartextspeicherung-d… ∗∗∗ Apache Log4j vulnerabilities (Log4Shell) – impact on ABB products ∗∗∗ --------------------------------------------- Product / System line - Potentially affected products and versions * B&R Products - See further details in specific advisory * ABB Remote Service - ABB Remote Access Platform (RAP) --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9ADB012621&Language… ∗∗∗ iOS 15.2.1 und iPadOS 15.2.1: Wartungsupdates für iPhone und iPad ∗∗∗ --------------------------------------------- Apple hat eine Bugfix- und Sicherheitsaktualisierung für seine Handys und Tablets. Neben einigen Fehler wird auch ein Sicherheitsproblem behoben. --------------------------------------------- https://heise.de/-6325566 ∗∗∗ Sicherheitsupdate: Schadcode-Lücke bedroht Computer mit HP-UX ∗∗∗ --------------------------------------------- HPE-Entwickler haben eine kritische Schwachstelle im Unix-Betriebssystem HP-UX geschlossen. --------------------------------------------- https://heise.de/-6326104 ∗∗∗ IBM sichert sein Server- und Workstation-System AIX ab ∗∗∗ --------------------------------------------- Angreifer könnten AIX-Systeme von IBM attackieren und Schadcode ausführen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6326080 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (epiphany-browser, lxml, and roundcube), Fedora (gegl04, mingw-harfbuzz, and mod_auth_mellon), openSUSE (openexr and python39-pip), Oracle (firefox and thunderbird), Red Hat (firefox and thunderbird), SUSE (apache2, openexr, python36-pip, and python39-pip), and Ubuntu (apache-log4j1.2, ghostscript, linux, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, and systemd). --------------------------------------------- https://lwn.net/Articles/881303/ ∗∗∗ Cisco Patches Critical Vulnerability in Contact Center Products ∗∗∗ --------------------------------------------- Cisco on Wednesday announced patches for a critical vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited remotely to elevate privileges to administrator. --------------------------------------------- https://www.securityweek.com/cisco-patches-critical-vulnerability-contact-c… ∗∗∗ Citrix Hypervisor Security Update - CTX335432 ∗∗∗ --------------------------------------------- Several security issues have been identified in Citrix Hypervisor, that may each allow privileged code in a guest VM to cause the host to crash or become unresponsive. These issues have the following identifiers: CVE-2021-28704, CVE-2021-28705, CVE-2021-28714, CVE-2021-28715 All of these issues affect all currently supported versions of Citrix Hypervisor. Citrix has released hotfixes to address these issues --------------------------------------------- https://support.citrix.com/article/CTX335432 ∗∗∗ CVE-2022-0015 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: HIGH) ∗∗∗ --------------------------------------------- A local privilege escalation (PE) vulnerability exists in the Palo Alto Networks Cortex XDR agent that enables an authenticated local user to execute programs with elevated privileges. This issue impacts: * Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; * Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0015 ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Archive Enterprise Edition (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Archive Enterprise Edition (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Rational Asset Analyzer (RAA) is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-r… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable to allow a remote attacker with permission to modify the logging configuration file to execute arbitrary code on the system due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management products are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, ) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Security Bulletin: IBM Db2 Big SQL for Hortonworks Data Platform, for Cloudera Data Platform Private Cloud, and IBM Db2 Big SQL on Cloud Pak for Data are affected by critical vulnerability in Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-big-sql-for-horto… ∗∗∗ Security Bulletin: The IBM i Extended Dynamic Remote SQL server (EDRSQL) is affected by CVE-2021-39056 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-ibm-i-extended-dynami… ∗∗∗ January 12, 2022 TNS-2022-03 [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.16.0 to 5.19.1: Patch 202201.1 ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-03 ∗∗∗ CVE-2022-0014 Cortex XDR Agent: Unintended Program Execution When Using Live Terminal Session (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0014 ∗∗∗ CVE-2022-0013 Cortex XDR Agent: File Information Exposure Vulnerability When Generating Support File (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0013 ∗∗∗ CVE-2022-0012 Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.01.2022
by Daily end-of-shift report 12 Jan '22

12 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-01-2022 18:00 − Mittwoch 12-01-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ TellYouThePass ransomware returns as a cross-platform Golang threat ∗∗∗ --------------------------------------------- TellYouThePass ransomware has re-emerged as a Golang-compiled malware, making it easier to target major platforms beyond Windows, like macOS and Linux. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tellyouthepass-ransomware-re… ∗∗∗ Coming Soon: New Security Update Guide Notification System ∗∗∗ --------------------------------------------- Sharing information through the Security Update Guide is an important part of our ongoing effort to help customers manage security risks and keep systems protected. --------------------------------------------- https://msrc-blog.microsoft.com:443/2022/01/11/coming-soon-new-security-upd… ∗∗∗ SysJoker, the first (macOS) malware of 2022! ∗∗∗ --------------------------------------------- Here, we analyze the macOS versions of a cross-platform backdoor. --------------------------------------------- https://objective-see.com/blog/blog_0x6C.html ∗∗∗ A Quick CVE-2022-21907 FAQ (work in progress), (Wed, Jan 12th) ∗∗∗ --------------------------------------------- Microsoft implemented http.sys as a kernel-mode driver. In other words: Running code via http.sys can lead to a complete system compromise. --------------------------------------------- https://isc.sans.edu/diary/rss/28234 ∗∗∗ Attacking RDP from Inside: How we abused named pipes for smart-card hijacking, unauthorized file system access to client machines and more ∗∗∗ --------------------------------------------- This vulnerability enables any standard unprivileged user connected to a remote machine via remote desktop to gain file system access to the client machines of other connected users, to view and modify clipboard data of other connected users, and to impersonate the identity of other users logged on to the machine using smart cards. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/attacking-rdp-from-… ∗∗∗ Kaufen Sie keine Immobilien über term-re.com oder den-home.com! ∗∗∗ --------------------------------------------- Aktuell beobachten wir vermehrt Betrug mit angeblichen Traum-Immobilien: Kriminelle bieten dabei günstige Immobilien über bekannte Internetplattformen an. Besichtigungen sollen über ein Treuhandunternehmen abgewickelt werden. Aber Achtung: Kriminelle versuchen so an Ihre Ausweiskopie und an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-immobilien-ueber-te… ∗∗∗ Check your SPF records: Wide IP ranges undo email security and make for tasty phishes ∗∗∗ --------------------------------------------- With parts of the Australian private sector, governments at all levels, and a university falling foul of wide IP ranges in a SPF record, it might be time to check yours. --------------------------------------------- https://www.zdnet.com/article/check-your-spf-records-wide-ip-ranges-undo-em… ∗∗∗ Signed kernel drivers – Unguarded gateway to Windows’ core ∗∗∗ --------------------------------------------- ESET researchers look at malware that abuses vulnerabilities in kernel drivers and outline mitigation techniques against this type of exploitation. --------------------------------------------- https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-g… ∗∗∗ Ransomware-Angreifer leakten möglicherweise frühere Opfer ∗∗∗ --------------------------------------------- Kürzlich wurden wir damit beauftragt, einen Ransomware-Angriff zu untersuchen. Wir konnten den wahrscheinlichen Angriffsvektor rekonstruieren und die wahrscheinlich gestohlenen Daten identifizieren. Was diesen Fall besonders interessant machte, war der Mechanismus zum Exfiltrieren von Daten. --------------------------------------------- https://certitude.consulting/blog/de/ransomware-leak-de/ ∗∗∗ How to Analyze Malicious Microsoft Office Files ∗∗∗ --------------------------------------------- Most phishing attacks arrive via emails containing malicious attachments. A seemingly innocent Microsoft Word file, for example, can be the initial infection stage of a dangerous attack where a threat actor uses a document to deliver malware. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/analyze-malicious-microsoft-o… ∗∗∗ Windows Server: Januar 2022-Sicherheitsupdates verursachen Boot-Schleife ∗∗∗ --------------------------------------------- Administratoren von Windows Domain Controllern sollten mit der Installation der Sicherheitsupdates von Januar 2022 vorsichtig sein.Mir liegen inzwischen zahlreiche Berichte vor, dass die Windows Server, die als Domain Controller fungieren, anschließend nicht mehr booten. --------------------------------------------- https://www.borncity.com/blog/2022/01/12/windows-server-januar-2022-sicherh… ∗∗∗ Magniber Ransomware Being Distributed via Microsoft Edge and Google Chrome ∗∗∗ --------------------------------------------- The ASEC analysis team has been continuously monitoring Magniber, ransomware that is distributed via Internet Explorer (IE) vulnerabilities. --------------------------------------------- https://asec.ahnlab.com/en/30645/ ∗∗∗ Nanocore, Netwire and AsyncRAT spreading campaign uses public cloud infrastructure ∗∗∗ --------------------------------------------- Cisco Talos discovered a malicious campaign in October 2021 delivering variants of Nanocore, Netwire and AsyncRATs targeting users information. --------------------------------------------- http://blog.talosintelligence.com/2022/01/nanocore-netwire-and-asyncrat-spr… ===================== = Vulnerabilities = ===================== ∗∗∗ Make sure youre up-to-date with Sonicwall SMA 100 VPN box patches – security hole exploit info is now out ∗∗∗ --------------------------------------------- Nothing like topping off unauthd remote code execution with a su password of ... password. Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/01/11/sonicwall_mu… ∗∗∗ Cisco Security Advisories 2022-01-12 ∗∗∗ --------------------------------------------- 1 Critical, 8 Medium severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM published 14 Security Bulletins --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Trojaner könnte sich über kritische Windows-Lücke wurmartig verbreiten ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für Office, Windows & Co. erschienen. Der Großteil der geschlossenen Lücken ist mit dem Bedrohungsgrad "hoch" eingestuft. --------------------------------------------- https://heise.de/-6323634 ∗∗∗ Patchday Adobe: Acrobat und Reader bekommen jede Menge Sicherheitsupdates ∗∗∗ --------------------------------------------- Angreifer könnten auf Computern mit Adobe-Anwendungen Schadcode platzieren. Dagegen abgesicherte Versionen schaffen Abhilfe. --------------------------------------------- https://heise.de/-6323723 ∗∗∗ Patchday: SAP schließt in mehreren Anwendungen Lücke mit Höchstwertung ∗∗∗ --------------------------------------------- Der deutsche Software-Hersteller SAP kümmert sich unter anderem um eine kritische Lücke in seinem Portfolio. --------------------------------------------- https://heise.de/-6323843 ∗∗∗ Firefox, Thunderbird: Angreifer könnten Opfer im Vollbildmodus gefangen halten ∗∗∗ --------------------------------------------- Mozillas Mailclient und Webrowser sind Versionen erschienen, die gegen verschiedene Attacken gewappnetet sind. --------------------------------------------- https://heise.de/-6323936 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cfrpki, gdal, and lighttpd), Fedora (perl-CPAN and roundcubemail), Mageia (firefox), openSUSE (jawn, kernel, and thunderbird), Oracle (kernel, openssl, and webkitgtk4), Red Hat (cpio, idm:DL1, kernel, kernel-rt, openssl, virt:av and virt-devel:av, webkit2gtk3, and webkitgtk4), Scientific Linux (openssl and webkitgtk4), SUSE (kernel and thunderbird), and Ubuntu (apache-log4j2, ghostscript, and lxml). --------------------------------------------- https://lwn.net/Articles/881144/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 40 Vulnerabilities ∗∗∗ --------------------------------------------- The first round of security advisories released by Siemens and Schneider Electric in 2022 address a total of 40 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ Credential Disclosure in Web Interface of Crestron Device ∗∗∗ --------------------------------------------- When the administrative web interface of the Crestron HDMI switcher is accessed unauthenticated, user credentials are disclosed which are validto authenticate to the web interface. --------------------------------------------- https://www.redteam-pentesting.de/en/advisories/rt-sa-2021-009/ ∗∗∗ Released: January 2022 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released security updates for vulnerabilities found in any version of: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-january-… ∗∗∗ QNX-2022-001 Vulnerability in QNX Neutrino Kernel Impacts QNX Software Development Platform (SDP), QNX OS for Medical, and QNX OS for Safety ∗∗∗ --------------------------------------------- https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe… ∗∗∗ Apache Guacamole: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0037 ∗∗∗ Vulnerability in QTS and QuTS hero ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-57 ∗∗∗ Stack Overflow Vulnerability in QVR Elite, QVR Pro, and QVR Guard ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-59 ∗∗∗ XSS and Open Redirect Vulnerabilities in QcalAgent ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-21-60 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.01.2022
by Daily end-of-shift report 11 Jan '22

11 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 10-01-2022 18:00 − Dienstag 11-01-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ l+f: Malware-Entwickler kuscheln etwas zu eng mit ihrem Trojaner ∗∗∗ --------------------------------------------- Sicherheitsforscher bekommen unerwartet Hilfe. [...] Einem Bericht von Malwarebytes zufolge gehen alle gesammelten Informationen auf ein Missgeschick der Hintermänner der Kampagne zurück: Die Malware-Entwickler haben ihre Entwicklungsumgebung mit dem eigenen Trojaner infiziert. --------------------------------------------- https://heise.de/-6323191 ∗∗∗ macOS-Lücke: Spionieren über Teams und andere Apps ∗∗∗ --------------------------------------------- Microsoft hat Details zu einem Bug publiziert, mit dem es möglich war, den Systemschutz TCC zu umgehen, der eigentlich Mac-Nutzer vor Datenabgriff bewahrt. --------------------------------------------- https://heise.de/-6322269 ∗∗∗ Facebook-Währung „Diem“ nicht bei thediemtoken.com kaufen ∗∗∗ --------------------------------------------- Diem – eine Kryptowährung, die ursprünglich Libra hieß, wird vermutlich bald verfügbar sein. Kriminelle bieten Diem aber schon jetzt auf ihren betrügerischen Trading-Plattformen wie „thediemtoken.com“ an. Auf Facebook, Instagram und Co werden diese dann beworben, um möglichst viele AnlegerInnen in die Falle zu locken. Vorsicht: Wer dort investiert, verliert sein Geld! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-waehrung-diem-nicht-bei-the… ∗∗∗ Linux version of AvosLocker ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-avoslocker-… ∗∗∗ Night Sky ransomware uses Log4j bug to hack VMware Horizon servers ∗∗∗ --------------------------------------------- The Night Sky ransomware gang has started to exploit the critical CVE-2021-4422 vulnerability in the Log4j logging library, also known as Log4Shell, to gain access to VMware Horizon systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-ransomware-uses-lo… ∗∗∗ Millions of Routers Exposed to RCE by USB Kernel Bug ∗∗∗ --------------------------------------------- The high-severity RCE flaw is in the KCodes NetUSB kernel module, used by popular routers from Netgear, TP-Link, DLink, Western Digital, et al. --------------------------------------------- https://threatpost.com/millions-routers-exposed-bug-usb-module-kcodes-netus… ∗∗∗ Don’t Trust This Title: Abusing Terminal Emulators with ANSI Escape Characters ∗∗∗ --------------------------------------------- TL;DR This research led to: * Five high severity vulnerabilities: CVE-2021-28847, CVE-2021-28848, CVE-2021-32198, CVE-2021-33500 and CVE-2021-42095. We found a way to cause a remote DoS on the terminal client’s host. * An ANSI escape characters injection vulnerability in OpenShift and Kubernetes (CVE-2021-25743). * Three additional vulnerabilities: CVE-2021-31701, CVE-2021-37326 and CVE-2021-40147. We found a way to bypass the bracket paste mode mechanism inside the terminals. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/dont-trust-this-tit… ∗∗∗ Domain Escalation – sAMAccountName Spoofing ∗∗∗ --------------------------------------------- Microsoft has released patches in order to prevent successful exploitation. However, there are many occasions where patches are not applied on time which creates a time period which this technique could be leveraged during a red team assessment. The prerequisites of the technique are the following: * A domain controller which is missing the KB5008380 and KB5008602 security patches * A valid domain user account * The machine account quota to be above 0 --------------------------------------------- https://pentestlab.blog/2022/01/10/domain-escalation-samaccountname-spoofin… ∗∗∗ What Is FIM (File Integrity Monitoring)? ∗∗∗ --------------------------------------------- Change is prolific in organizations’ IT environments. Hardware assets change. Software programs change. Configuration states change. Some of these modifications are authorized insofar as they occur during an organization’s regular patching cycle, while others cause concern by popping up unexpectedly. Organizations commonly respond to this dynamism by investing in asset discovery and secure configuration management [...] --------------------------------------------- https://www.tripwire.com/state-of-security/security-data-protection/securit… ∗∗∗ SFile (Escal) ransomware ported for Linux attacks ∗∗∗ --------------------------------------------- The operators of the SFile ransomware, also known as Escal, have ported their malware to work and encrypt files on Linux-based operating systems. --------------------------------------------- https://therecord.media/sfile-escal-ransomware-ported-for-linux-attacks/ ∗∗∗ New SysJoker Backdoor Targets Windows, Linux, and macOS ∗∗∗ --------------------------------------------- Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, we discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical SonicWall NAC Vulnerability Stems from Apache Mods ∗∗∗ --------------------------------------------- Researchers offer more detail on the bug, which can allow attackers to completely take over targets. --------------------------------------------- https://threatpost.com/sonicwall-nac-vulnerability-apache-mods/177529/ ∗∗∗ Microsoft: macOS Powerdir Flaw Could Let Attackers Gain Access to User Data ∗∗∗ --------------------------------------------- Microsoft today disclosed a vulnerability in Apples macOS that could enable an attacker to gain unauthorized access to protected user data through bypassing the Transparency, Consent, and Control (TCC) technology in the operating system. [...] Apple addressed CVE-2021-30970, dubbed "Powerdir," in a rollout of security updates released on Dec. 13. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/microsoft-macos-powerdi… ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- Siemens hat am 2022-01-11 5 neue und 7 aktualiserte Advisories veröffentlicht. (CVSS Scores von 3.4 bis 9.9) --------------------------------------------- https://new.siemens.com/de/de/produkte/services/cert.html#SecurityVeroffent… ∗∗∗ PHOENIX CONTACT: BLUEMARK X1 / LED / CLED printers utilizing the Siemens Nucleus RTOS TCP/IP Stack ∗∗∗ --------------------------------------------- The TCP/IP stack and of the networking component (Nucleus NET) in Nucleus Real-Time Operating System (RTOS) contain several vulnerabilities. Nucleus NET is utilized by BLUEMARK X1 / LED / CLED. The abovementioned BLUEMARK printers are discontinued and only impacted by a subset of 8 of the 13 discovered vulnerabilities. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-059/ ∗∗∗ HPESBUX04206 rev.1 - HP-UX Telnetd, Remote Execution of Arbitrary Code ∗∗∗ --------------------------------------------- A potential security vulnerability has been identified with HP-UX telnetd which allows remote attackers to execute arbitrary code via short writes or urgent data. This is due to a remote buffer overflow involving the netclear and nextitem functions. --------------------------------------------- https://support.hpe.com/hpesc/public/docDisplay?elq_mid=17739&elq_cid=67018… ∗∗∗ SAP Security Patch Day - January 2022 ∗∗∗ --------------------------------------------- On 11th of January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously. Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to Apache Log4j 2 component. This security note is a living document that will be updated when a new Security Note is released. So, please refer the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes. --------------------------------------------- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035 ∗∗∗ Citrix Workspace App for Linux Security Update ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Workspace app for Linux that could result in a local user elevating their privilege level to root on the computer running Citrix Workspace app for Linux. --------------------------------------------- https://support.citrix.com/article/CTX338435 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- Update on IBM’s response: IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, vim, and wordpress), Mageia (ghostscript, osgi-core, apache-commons-compress, python-django, squashfs-tools, and suricata), openSUSE (libsndfile, net-snmp, and systemd), Oracle (httpd:2.4, kernel, and kernel-container), SUSE (libsndfile, libvirt, net-snmp, and systemd), and Ubuntu (exiv2, linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oem-5.10, linux-oracle, [...] --------------------------------------------- https://lwn.net/Articles/881005/ ∗∗∗ Synology-SA-22:01 DSM ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers, or remote authenticated users to inject arbitrary web script or HTML via a susceptible version of DiskStation Manager (DSM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_01 ∗∗∗ Johnson Controls VideoEdge ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Handling of Syntactically Invalid Structure vulnerability in the Sensormatic Electronics VideoEdge network video recorder. Sensormatic Electronics is a subsidiary of Johnson Controls. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-011-01 ∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/01/10/cisa-adds-15-know… ∗∗∗ January 10th 2022 Security Releases ∗∗∗ --------------------------------------------- Updates are now available for the v17.x, v16.x, v14.x, and v12.x Node.js release lines for the following issues. Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Atlassian Jira Software: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.01.2022
by Daily end-of-shift report 10 Jan '22

10 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-01-2022 18:00 − Montag 10-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ FBI-Warnung: FIN7-Bande verschickt USB-Sticks mit Ransomware ∗∗∗ --------------------------------------------- Die Speichermedien mit der Malware erreichen US-Firmen etwa in der Rüstungsindustrie laut dem FBI getarnt als Geschenkbox oder Covid-19-Leitlinien. --------------------------------------------- https://heise.de/-6321079 ∗∗∗ FluBot malware now targets Europe posing as Flash Player app ∗∗∗ --------------------------------------------- The widely distributed FluBot malware continues to evolve, with new campaigns distributing the malware as Flash Player and the developers adding new features. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-malware-now-targets-e… ∗∗∗ Trojanized dnSpy app drops malware cocktail on researchers, devs ∗∗∗ --------------------------------------------- Hackers targeted cybersecurity researchers and developers this week in a sophisticated malware campaign distributing a malicious version of the dnSpy .NET application to install cryptocurrency stealers, remote access trojans, and miners. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojanized-dnspy-app-drops-m… ∗∗∗ Wheres the Interpreter!? ∗∗∗ --------------------------------------------- CVE-2021-30853 was able to bypass file quarantine, gatekeeper, & notarization requirements. In this post, we show exactly why! --------------------------------------------- https://objective-see.com/blog/blog_0x6A.html ∗∗∗ TShark & jq, (Sat, Jan 8th) ∗∗∗ --------------------------------------------- TShark (Wireshark's command-line version) can output JSON data, as shown in diary entry "Quicktip: TShark's Options -e and -T". --------------------------------------------- https://isc.sans.edu/diary/rss/28194 ∗∗∗ Extracting Cobalt Strike Beacons from MSBuild Scripts, (Sun, Jan 9th) ∗∗∗ --------------------------------------------- There is also a video of this analysis. --------------------------------------------- https://isc.sans.edu/diary/rss/28200 ∗∗∗ BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks ∗∗∗ --------------------------------------------- Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science. --------------------------------------------- https://thehackernews.com/2022/01/badnews-patchwork-apt-hackers-score-own.h… ∗∗∗ Sophisticated phishing scheme spent years robbing authors of their unpublished work ∗∗∗ --------------------------------------------- The FBI says a multi-year phishing attack targeting authors and book publishers, and stole unpublished novels, manuscripts and other books. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/01/sophisticated-phishing-scheme-s… ∗∗∗ Tool Release - insject: A Linux Namespace Injector ∗∗∗ --------------------------------------------- tl;dr Grab the release binary from our repo and have fun. Also, happy new year; 2021 couldn’t end soon enough. Background A while back, I was asked by one of my coworkers on the PSC team about ways in which to make their custom credit card data scanner cloud native to assess Kubernetes clusters. --------------------------------------------- https://research.nccgroup.com/2022/01/08/tool-release-insject-a-linux-names… ∗∗∗ U.S. Government Issues Warning Over Commercial Surveillance Tools ∗∗∗ --------------------------------------------- The U.S. State Department and the National Counterintelligence and Security Center (NCSC) on Friday issued a warning over the use of commercial surveillance tools. --------------------------------------------- https://www.securityweek.com/us-government-issues-warning-over-commercial-s… ∗∗∗ Abcbot botnet is linked to Xanthe cryptojacking group ∗∗∗ --------------------------------------------- Researchers believe the focus is moving from cryptocurrency to traditional botnet attacks. --------------------------------------------- https://www.zdnet.com/article/abcbot-botnet-has-now-been-linked-to-xanthe-c… ∗∗∗ Kernel Karnage - Part 8 (Getting Around DSE) ∗∗∗ --------------------------------------------- When life gives you exploits, you turn them into Beacon Object Files. 1. Back to BOFs I never thought I would say this, but after spending so much time in kernel land, it’s almost as if developing kernel functionality is easier than writing user land applications, especially when they need to fly under the radar. --------------------------------------------- https://blog.nviso.eu/2022/01/10/kernel-karnage-part-8-getting-around-dse/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#142629: Silicon Labs Z-Wave chipsets contain multiple vulnerabilities ∗∗∗ --------------------------------------------- Various Silicon Labs Z-Wave chipsets do not support encryption, can be downgraded to not use weaker encryption, and are vulnerable to denial of service. Some of these vulnerabilities are inherent in Z-Wave protocol specifications. --------------------------------------------- https://kb.cert.org/vuls/id/142629 ∗∗∗ Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries ∗∗∗ --------------------------------------------- A study of 16 different Uniform Resource Locator (URL) parsing libraries has unearthed inconsistencies and confusions that could be exploited to bypass validations and open the door to a wide range of attack vectors. In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, [...] --------------------------------------------- https://thehackernews.com/2022/01/researchers-find-bugs-in-over-dozen.html ∗∗∗ Qnap warnt vor Ransomware-Attacken auf Netzwerkspeicher ∗∗∗ --------------------------------------------- Es gibt wichtige Tipps zur Absicherung von NAS-Geräten von Qnap und aktuelle Sicherheitsupdates. --------------------------------------------- https://heise.de/-6321485 ∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗ --------------------------------------------- IBM’s top priority remains the security of our clients and products. Product teams are releasing remediations for Log4j 2.x CVE-2021-44228 as fast as possible, moving to the latest version that’s available when they are developing a fix. Where possible, the dependency on Log4j is removed entirely. IBM is aware of additional, recently disclosed vulnerabilities in Apache Log4j, tracked under CVE-2021-45105 and CVE-2021-45046. Work continues to mitigate [...] --------------------------------------------- https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and roundcube), Fedora (gegl04, mbedtls, and mediawiki), openSUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container and libvirt), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/880807/ ∗∗∗ SonicWall Patches Y2K22 Bug in Email Security, Firewall Products ∗∗∗ --------------------------------------------- Cybersecurity firm SonicWall says it has released patches for some of its email security and firewall products to address a bug that resulted in failed junk box and message log updates. --------------------------------------------- https://www.securityweek.com/sonicwall-patches-y2k22-bug-email-security-fir… ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in AnyCubic Chitubox plugin ∗∗∗ --------------------------------------------- Cisco Talos recently discovered an exploitable heap-based buffer overflow vulnerability in the Chitubox AnyCubic plugin. Chitubox is 3-D printing software for users to download and process models and send them [...] --------------------------------------------- http://blog.talosintelligence.com/2022/01/vulnerability-spotlight-buffer-ov… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Samba: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0016 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.01.2022
by Daily end-of-shift report 07 Jan '22

07 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-01-2022 18:00 − Freitag 07-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Docs commenting feature exploited for spear-phishing ∗∗∗ --------------------------------------------- A new trend in phishing attacks emerged in December 2021, with threat actors abusing the commenting feature of Google Docs to send out emails that appear trustworthy. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-docs-commenting-featu… ∗∗∗ Night Sky is the latest ransomware targeting corporate networks ∗∗∗ --------------------------------------------- Its a new year, and with it comes a new ransomware to keep an eye on called Night Sky that targets corporate networks and steals data in double-extortion attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/night-sky-is-the-latest-rans… ∗∗∗ New Mac Malware Samples Underscore Growing Threat ∗∗∗ --------------------------------------------- A handful of malicious tools that emerged last year showed threat actors may be getting more serious about attacking Apple macOS and iOS environments. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/new-mac-malware-samples… ∗∗∗ Custom Python RAT Builder, (Fri, Jan 7th) ∗∗∗ --------------------------------------------- This week I already wrote a diary about "code reuse" in the malware landscape but attackers also have plenty of tools to generate new samples on the fly. --------------------------------------------- https://isc.sans.edu/diary/rss/28224 ∗∗∗ NIST Cybersecurity Framework: A Quick Guide for SaaS Security Compliance ∗∗∗ --------------------------------------------- When I want to know the most recently published best practices in cyber security, I visit The National Institute of Standards and Technology (NIST). From the latest password requirements (NIST 800-63) to IoT security for manufacturers (NISTIR 8259), NIST is always the starting point. --------------------------------------------- https://thehackernews.com/2022/01/nist-cybersecurity-framework-quick.html ∗∗∗ iPhone-Angriff: Hacker könnten Reboot verunmöglichen ∗∗∗ --------------------------------------------- Malware wie die iOS-Version der Spyware Pegasus gehen nach einem Neustart verloren. Dieser lässt sich allerdings unterbinden, wie eine Sicherheitsfirma zeigt. --------------------------------------------- https://heise.de/-6319430 ∗∗∗ Patchday Android: Angreifer könnten sich weitreichende Berechtigungen aneignen ∗∗∗ --------------------------------------------- Google und weitere Smartphone-Hersteller haben wichtige Sicherheitsupdates für Android 9, 10, 11 und 12 veröffentlicht. --------------------------------------------- https://heise.de/-6320248 ∗∗∗ Vermeintlicher Amazon-Kundendienst verschickt betrügerische Mails zu Kundenprämienprogramm ∗∗∗ --------------------------------------------- LeserInnen melden uns derzeit eine E-Mail, die angeblich vom Amazon-Kundendienst stammt. Tatsächlich stecken Kriminelle dahinter. --------------------------------------------- https://www.watchlist-internet.at/news/vermeintlicher-amazon-kundendienst-v… ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns of ransomware targeting Internet-exposed NAS devices ∗∗∗ --------------------------------------------- QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-of-ransomware-tar… ∗∗∗ NHS warns of hackers exploiting Log4Shell in VMware Horizon ∗∗∗ --------------------------------------------- UKs National Health Service (NHS) has published a cyber alert warning of an unknown threat group targeting VMware Horizon deployments with Log4Shell exploits. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nhs-warns-of-hackers-exploit… ∗∗∗ Log4Shell-like Critical RCE Flaw Discovered in H2 Database Console ∗∗∗ --------------------------------------------- Researchers have disclosed a security flaw affecting H2 database consoles that could result in remote code execution in a manner that echoes the Log4j "Log4Shell" vulnerability that came to light last month. --------------------------------------------- https://thehackernews.com/2022/01/log4shell-like-critical-rce-flaw.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM hat 36 Security Bulletins veröffentlicht --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten sich auf WordPress-Websites einnisten ∗∗∗ --------------------------------------------- In der aktuellen Version des Content Management System WordPress haben die Entwickler vier Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-6320363 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (log4j and quaternion), Mageia (gnome-shell and singularity), SUSE (libsndfile, libvirt, net-snmp, and python-Babel), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-azure, linux-azure-5.11, linux-gcp, linux-gcp-5.11, linux-hwe-5.11, linux-kvm, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, [...] --------------------------------------------- https://lwn.net/Articles/880564/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (sphinxsearch), Fedora (chromium and vim), Red Hat (rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), and Ubuntu (apache2 and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/880672/ ∗∗∗ January 5, 2022 TNS-2022-01 [R1] Tenable.sc 5.20.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-01 ∗∗∗ January 5, 2022 TNS-2022-02 [R1] Nessus Network Monitor 6.0.0 Fixes Multiple Third-party Vulnerabilities ∗∗∗ --------------------------------------------- http://www.tenable.com/security/tns-2022-02 ∗∗∗ VMware Tanzu Spring Framework: Schwachstelle ermöglicht Manipulation von Log-Dateien ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0006 ∗∗∗ Drupal Plugins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0014 ∗∗∗ Omron CX-One ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-01 ∗∗∗ Fernhill SCADA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-02 ∗∗∗ IDEC PLCs ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-006-03 ∗∗∗ Philips Engage Software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-006-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.01.2022
by Daily end-of-shift report 05 Jan '22

05 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-01-2022 18:00 − Mittwoch 05-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ iOS malware can fake iPhone shut downs to snoop on camera, microphone ∗∗∗ --------------------------------------------- Researchers have developed a new technique that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and receive sensitive data via a live network connection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ios-malware-can-fake-iphone-… ∗∗∗ Code Reuse In the Malware Landscape, (Wed, Jan 5th) ∗∗∗ --------------------------------------------- Code re-use is classic behavior for many developers and this looks legit: Why reinvent the wheel if you can find some pieces of code that do what you are trying to achieve? --------------------------------------------- https://isc.sans.edu/diary/rss/28216 ∗∗∗ New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification ∗∗∗ --------------------------------------------- An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsofts digital signature verification to siphon user credentials and sensitive information. --------------------------------------------- https://thehackernews.com/2022/01/new-zloader-banking-malware-campaign.html ∗∗∗ Elephant Beetle: Uncovering an organized financial-theft operation ∗∗∗ --------------------------------------------- Using an arsenal of over 80 unique tools & scripts, the group executes its attacks patiently over long periods of time, blending in with the target’s environment and going completely undetected while it quietly liberates organizations of large amounts of money. --------------------------------------------- https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operati… ∗∗∗ „Media Markt Exclusive Giveaway“ Aktion ist Fake! ∗∗∗ --------------------------------------------- Auf Facebook werden derzeit Links zu einer nachgeahmten Media Markt Seite verbreitet. Dort heißt es, dass Media Markt landesweit Filialen schließt und daher eine „Online-Aktion“ durchführt. KonsumentInnen hätten so die Chance, Produkte wie iPhones, Macbooks, Playstations und mehr günstig zu kaufen. Wer bei dieser Aktion mitmacht, verliert jedoch Geld und erhält keine der versprochenen Produkte. --------------------------------------------- https://www.watchlist-internet.at/news/media-markt-exclusive-giveaway-aktio… ∗∗∗ Malware Reverse Engineering for Beginners – Part 1: From 0x0 ∗∗∗ --------------------------------------------- Malware researchers require a diverse skill set usually gained over time through experience and self-training. Reverse engineering (RE) is an integral part of malware analysis and research but it is also one of the most advanced skills a researcher can have. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/malware-reverse-engineering-b… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-01-05 ∗∗∗ --------------------------------------------- IBM hat 26 Security Bulletins veröffentlicht. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ VMware-Sicherheitsupdates: Virtuelles CD-ROM-Laufwerk als Angreifer-Schlupfloch ∗∗∗ --------------------------------------------- VMware warnt vor einer Lücke in seinen Anwendungen für virtuelle Maschinen Cloud Foundation, ESXi, Fusion und Workstation. Einige Patches fehlen noch. --------------------------------------------- https://heise.de/-6318269 ∗∗∗ Sicherheitspatches: Angreifer könnten Datenbanken in IBM Db2 manipulieren ∗∗∗ --------------------------------------------- IBM hat Sicherheitslücken in mehreren Anwendungen wie Cloud Private, Db2 und Elastic Search geschlossen. Außerdem gibt es Neuigkeiten zu Log4j-Anfälligkeiten. --------------------------------------------- https://heise.de/-6318740 ∗∗∗ Entwickler schließen 37 Sicherheitslücken in Chrome 97 ∗∗∗ --------------------------------------------- Die Vorgängerversion von Chrome 97 enthielt mindestens eine kritische Sicherheitslücke. Angreifer hätten vermutlich eingeschleusten Code ausführen können. --------------------------------------------- https://heise.de/-6318885 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (xorg-x11-server), Debian (apache2), openSUSE (libvirt), Oracle (grafana, qemu, and xorg-x11-server), Red Hat (idm:DL1, samba, and telnet), SUSE (libvirt), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/880454/ ∗∗∗ Google Patches 48 Vulnerabilities With First Set of 2022 Android Updates ∗∗∗ --------------------------------------------- Google this week published information on the first set of 2022 security updates for Android, describing a total of 48 vulnerabilities that were addressed across Android OS, Pixel devices, and Android Automotive OS. --------------------------------------------- https://www.securityweek.com/google-patches-48-vulnerabilities-first-set-20… ∗∗∗ K10396196: Linux RPM vulnerability CVE-2021-20271 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K10396196 ∗∗∗ WAGO: Smart Script affected by Log4Shell Vulnerability ∗∗∗ --------------------------------------------- http://cert.vde.com/de/advisories/VDE-2021-060/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.01.2022
by Daily end-of-shift report 04 Jan '22

04 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Montag 03-01-2022 18:00 − Dienstag 04-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A Simple Batch File That Blocks People, (Tue, Jan 4th) ∗∗∗ --------------------------------------------- I found another script that performs malicious actions. Its a simple batch file (.bat) that is not obfuscated but it has a very low VT score (1/53). --------------------------------------------- https://isc.sans.edu/diary/rss/28212 ∗∗∗ Purple Fox rootkit now bundled with Telegram installer ∗∗∗ --------------------------------------------- The Purple Fox malware family has been found to combine its payload with trusted apps in an interesting way. --------------------------------------------- https://blog.malwarebytes.com/trojans/2022/01/purple-fox-rootkit-now-bundle… ∗∗∗ Mails zu Hacks von einer Telefonnummer? Nicht zurückrufen! ∗∗∗ --------------------------------------------- Kriminelle versenden aktuell E-Mails, bei denen als Absender eine Telefonnummer angezeigt wird. Angeblich wurden die Systeme der EmpfängerInnen gehackt und mit Viren infiziert. Deshalb müsse dringend die Nummer zurückgerufen werden. Achtung: Hier lauert eine Falle und die E-Mail kann ignoriert werden. --------------------------------------------- https://www.watchlist-internet.at/news/mails-zu-hacks-von-einer-telefonnumm… ∗∗∗ A New Web Skimmer Campaign Targets Real Estate Websites Through Attacking Cloud Video Distribution Supply Chain ∗∗∗ --------------------------------------------- A supply chain attack leveraging a cloud video platform to distribute web skimmer campaigns compromised more than 100 real estate sites. --------------------------------------------- https://unit42.paloaltonetworks.com/web-skimmer-video-distribution/ ∗∗∗ Log4j flaw attack levels remain high, Microsoft warns ∗∗∗ --------------------------------------------- Organizations mights not realize their environments are already compromised. --------------------------------------------- https://www.zdnet.com/article/log4j-flaw-attacks-are-causing-lots-of-proble… ∗∗∗ State-of-the-art EDRs are not perfect, fail to detect common attacks ∗∗∗ --------------------------------------------- A team of Greek academics has tested endpoint detection & response (EDR) software from 11 of todays top cybersecurity firms and found that many fail to detect some of the most common attack techniques used by advanced persistent threat actors, such as state-sponsored espionage groups and ransomware gangs. --------------------------------------------- https://therecord.media/state-of-the-art-edrs-are-not-perfect-fail-to-detec… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (salt and thunderbird), Red Hat (xorg-x11-server), and Scientific Linux (xorg-x11-server). --------------------------------------------- https://lwn.net/Articles/880327/ ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Copy Data Management (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Apache Log4j vulnerabilities impact IBM Sterling Connect:Direct for UNIX (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability(CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerabilities(CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-jazz-for-service-mana… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j impact IBM Spectrum Protect Plus (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ VMSA-2022-0001 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0001.html ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0002 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.01.2022
by Daily end-of-shift report 03 Jan '22

03 Jan '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-12-2021 18:00 − Montag 03-01-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Dont copy-paste commands from webpages — you can get hacked ∗∗∗ --------------------------------------------- Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal risk having their system compromised. Wizers Gabriel Friedlander demonstrates an obvious, simple yet stunning trick that'll make you think twice before copying-pasting text from web pages. --------------------------------------------- https://www.bleepingcomputer.com/news/security/dont-copy-paste-commands-fro… ∗∗∗ Do you want your Agent Tesla in the 300 MB or 8 kB package?, (Fri, Dec 31st) ∗∗∗ --------------------------------------------- Since today is the last day of 2021, I decided to take a closer look at malware that got caught by my malspam trap over the course of the year. --------------------------------------------- https://isc.sans.edu/diary/rss/28202 ∗∗∗ McAfee Phishing Campaign with a Nice Fake Scan, (Mon, Jan 3rd) ∗∗∗ --------------------------------------------- I spotted this interesting phishing campaign that (ab)uses the McAfee antivirus to make people scared. --------------------------------------------- https://isc.sans.edu/diary/rss/28208 ∗∗∗ Detecting Evasive Malware on IoT Devices Using Electromagnetic Emanations ∗∗∗ --------------------------------------------- Cybersecurity researchers have proposed a novel approach that leverages electromagnetic field emanations from the Internet of Things (IoT) devices as a side-channel to glean precise knowledge about the different kinds of malware targeting the embedded systems, even in scenarios where obfuscation techniques have been applied to hinder analysis. --------------------------------------------- https://thehackernews.com/2022/01/detecting-evasive-malware-on-iot.html ∗∗∗ Nach Ransomware-Angriff: Webseiten mehrerer Medien aus Portugal offline ∗∗∗ --------------------------------------------- Eine neue Ransomware-Gruppe hat den portugiesischen Medienkonzern Impresa angegriffen. Mehrere Medien können aktuell nur über Social Media Meldungen verbreiten. --------------------------------------------- https://heise.de/-6316020 ∗∗∗ Y2K22-Bug stoppt Exchange-Mailzustellung: Antimalware-Engine stolpert über 2022 ∗∗∗ --------------------------------------------- Zum Jahreswechsel streiken weltweit zahlreiche Exchange-Server, weil die FIP-FS-Scan-Engine sich an der Jahreszahl verhebt. Immerhin gibt es temporäre Abhilfe. --------------------------------------------- https://heise.de/-6315605 ∗∗∗ On the malicious use of large language models like GPT-3 ∗∗∗ --------------------------------------------- Or, “Can large language models generate exploits?” --------------------------------------------- https://research.nccgroup.com/2021/12/31/on-the-malicious-use-of-large-lang… ∗∗∗ Detecting anomalous Vectored Exception Handlers on Windows ∗∗∗ --------------------------------------------- We have documented a method of enumerating which processes are using Vectored Exception Handling on Windows and which if any of the handlers are anomalous. --------------------------------------------- https://research.nccgroup.com/2022/01/03/detecting-anomalous-vectored-excep… ∗∗∗ Shodan Verified Vulns 2022-01-01 ∗∗∗ --------------------------------------------- Auch dieses Monat sehen wir wieder einen deutlichen Rückgang der verwundbaren Exchange-Server. Neu hinzugekommen ist die Grafana Path Traversal Schwachstelle CVE-2021-43798, welche am 7. Dezember veröffentlicht wurde. --------------------------------------------- https://cert.at/de/aktuelles/2022/1/shodan-verified-vulns-2022-01-01 ∗∗∗ Log4j Scanners ∗∗∗ --------------------------------------------- There are 19 tools, and each has certain stipulations with it. I would suggest take a look. --------------------------------------------- https://securitythreatnews.com/2022/01/03/log4j-scanners/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple: Sicherheitslücke kann iPhones und iPads unbenutzbar machen ∗∗∗ --------------------------------------------- Über eine Sicherheitslücke in Apples Homekit lassen sich iPhones erst nach einem Reset wieder nutzen. Ein Update hat Apple verschoben. --------------------------------------------- https://www.golem.de/news/apple-sicherheitsluecke-kann-iphones-und-ipads-un… ∗∗∗ Rootkit schlüpft durch Lücke in HPEs Fernwartung iLO ∗∗∗ --------------------------------------------- Eine Iranische Security-Firma hat ein Rootkit entdeckt, das sich in Hewlett Packards Fernwartungstechnik "Integrated Lights-Out" (iLO) eingenistet hat. --------------------------------------------- https://heise.de/-6315714 ∗∗∗ Jetzt patchen: Netgear-Router Nighthawk R6700v3 könnte Passwörter leaken ∗∗∗ --------------------------------------------- Angreifer könnten Nighthawk-Router von Netgear attackieren. Es könnten noch weitere Modelle betroffen sein. Aktuelle Firmware-Versionen sollen Abhilfe schaffen. --------------------------------------------- https://heise.de/-6316037 ∗∗∗ Trend Micro Apex One und Worry-Free Business Security gefährden Windows-PCs ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für die Schutzlösungen Apex One und Worry-Free Business Security von Trend Micro erschienen. --------------------------------------------- https://heise.de/-6316263 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (agg, aria2, fort-validator, and lxml), Fedora (libgda, pgbouncer, and xorg-x11-server-Xwayland), Mageia (calibre, e2guardian, eclipse, libtpms/swtpm, nodejs, python-lxml, and toxcore), openSUSE (c-toxcore, gegl, getdata, kernel-firmware, log4j, postrsd, and privoxy), and SUSE (gegl). --------------------------------------------- https://lwn.net/Articles/880100/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (kernel, libopenmpt, and xorg-x11-server), Mageia (gegl, libgda5.0, log4j, ntfs-3g, and wireshark), openSUSE (log4j), and Red Hat (grafana). --------------------------------------------- https://lwn.net/Articles/880232/ ∗∗∗ Security Bulletin: IBM Insurance Information Warehouse is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-insurance-information… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Banking and Financial Markets Data Warehouse (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Unified Data Model for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-unified-data-model-fo… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Data Model for Energy and Utilities is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-model-for-energy… ∗∗∗ Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerability (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-apac… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i2-analyze-and-ibm-i2… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale for IBM Elastic Storage Server (CVE-2021-45105,CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Spectrum Scale (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j impact IBM Elastic Storage System (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus (CVE-2021-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily January 2022