Daily November 2022

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 16.11.2022
by Daily end-of-shift report 16 Nov '22

16 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-11-2022 18:00 − Mittwoch 16-11-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Forscher erraten Passwörter via Wärmebild mit Machine Learning und KI ∗∗∗ --------------------------------------------- In einem Versuchsaufbau haben Sicherheitsforscher auf einer Tastatur eingetippte zwölfstellige Passwörter mit einer Erfolgsquote von 83 Prozent rekonstruiert. --------------------------------------------- https://heise.de/-7341957 ∗∗∗ ESET APT Activity Report T2 2022 ∗∗∗ --------------------------------------------- Ein Überblick über die Aktivitäten ausgewählter APT-Gruppen, die von ESET Research in T2 2022 untersucht und analysiert wurden. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/11/16/apt-activity-report-t2-20… ∗∗∗ Fake Black Friday Gewinnspiele auf WhatsApp und Instagram im Umlauf ∗∗∗ --------------------------------------------- Vorsicht vor betrügerischen Gewinnspielen rund um den Black Friday. Zahlreiche WhatsApp- und Instagram-Nutzer:innen erhalten aktuell betrügerische Nachrichten von Unbekannten, aber auch eigenen Kontakten, die beispielsweise Gewinnspiele im Namen Amazons bewerben. Achtung: Es handelt sich um einen Versuch, Sie in eine Abo-Falle zu locken. Folgen Sie keinen Links in solchen Nachrichten und geben Sie keine Kreditkartendaten bekannt! --------------------------------------------- https://www.watchlist-internet.at/news/fake-black-friday-gewinnspiele-auf-w… ∗∗∗ Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend ∗∗∗ --------------------------------------------- By now you have likely already heard about the in-the-wild exploitation of Exchange Server, chaining CVE-2022-41040 and CVE-2022-41082. It was originally submitted to the ZDI program by the researcher known as “DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC”. After successful validation, it was immediately submitted to Microsoft. They patched both bugs along with several other Exchange vulnerabilities in the November Patch Tuesday release. It is a beautiful chain, with an ingenious vector [...] --------------------------------------------- https://www.thezdi.com/blog/2022/11/14/control-your-types-or-get-pwned-remo… ∗∗∗ CVE-2022-41622 and CVE-2022-41800 (FIXED): F5 BIG-IP and iControl REST Vulnerabilities and Exposures ∗∗∗ --------------------------------------------- Rapid7 discovered several vulnerabilities and exposures in specific F5 BIG-IP and BIG-IQ devices in August 2022. Since then, members of our research team have worked with the vendor to discuss impact, resolution, and a coordinated response. --------------------------------------------- https://www.rapid7.com/blog/post/2022/11/16/cve-2022-41622-and-cve-2022-418… ∗∗∗ Magento stores targeted in massive surge of TrojanOrders attacks ∗∗∗ --------------------------------------------- At least seven hacking groups are behind a massive surge in TrojanOrders attacks targeting Magento 2 websites, exploiting a vulnerability that allows the threat actors to compromise vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/magento-stores-targeted-in-m… ∗∗∗ Token tactics: How to prevent, detect, and respond to cloud token theft ∗∗∗ --------------------------------------------- As organizations increase their coverage of multifactor authentication (MFA), threat actors have begun to move to more sophisticated techniques to allow them to compromise corporate resources without needing to satisfy MFA. Recently, the Microsoft Detection and Response Team (DART) has seen an increase in attackers utilizing token theft for this purpose. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2022/11/16/token-tactics-how-… ∗∗∗ Packet Tuesday: Network Traffic Analysis for the Whole Family, (Tue, Nov 15th) ∗∗∗ --------------------------------------------- A short while ago, I floated the idea of a weekly video series with short lessons about packets, protocols, and networks. Today, we are kicking of "Packet Tuesday". Packet Tuesday, as the name implies, will release a new video each Tuesday. We will discuss packets in detail. See the first two videos below. --------------------------------------------- https://isc.sans.edu/diary/rss/29252 ∗∗∗ New SocGholish Malware Variant Uses Zip Compression & Evasive Techniques ∗∗∗ --------------------------------------------- Readers of this blog should already be familiar with SocGholish: a widespread, years-long malware campaign aimed at pushing fake browser updates to unsuspecting web users. Once installed, fake browser updates infect the victim’s computer with various types of malware including remote access trojans (RATs). SocGholish malware is often the first step in severe targeted ransomware attacks against corporations and other organizations. --------------------------------------------- https://blog.sucuri.net/2022/11/new-socgholish-malware-variant-uses-zip-com… ∗∗∗ Researchers Discover Hundreds of Amazon RDS Instances Leaking Users Personal Data ∗∗∗ --------------------------------------------- "Make sure when sharing a snapshot as public that none of your private information is included in the public snapshot," Amazon cautions in its documentation. "When a snapshot is shared publicly, it gives all AWS accounts permission both to copy the snapshot and to create DB instances from it." --------------------------------------------- https://thehackernews.com/2022/11/researchers-discover-hundreds-of-amazon.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Secure Email Gateway Malware Detection Evasion ∗∗∗ --------------------------------------------- This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame. As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110021 ∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security protections, and conduct cross-site scripting attacks. For more information about these vulnerabilities, see the Details section of this advisory. Cisco plans to release software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2, nginx, and wordpress), Red Hat (389-ds-base, bind, buildah, curl, device-mapper-multipath, dnsmasq, dotnet7.0, dpdk, e2fsprogs, grafana-pcp, harfbuzz, ignition, Image Builder, kernel, keylime, libguestfs, libldb, libtiff, libvirt, logrotate, mingw-zlib, mutt, openjpeg2, podman, poppler, python-lxml, qt5, rsync, runc, samba, skopeo, toolbox, unbound, virt-v2v, wavpack, webkit2gtk3, xorg-x11-server, xorg-x11-server-Xwayland, and yajl), SUSE (389-ds, bluez, dhcp, freerdp, jackson-databind, kernel, LibVNCServer, libX11, nodejs12, nodejs16, php7, php8, python-Mako, python-Twisted, python310, sudo, systemd, and xen), and Ubuntu (mako). --------------------------------------------- https://lwn.net/Articles/915097/ ∗∗∗ RICOH Aficio SP 4210N vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN24659622/ ∗∗∗ Multiple vulnerabilities in Movable Type ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN37014768/ ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update July 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.2ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 – 2022.4.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.11.2022
by Daily end-of-shift report 15 Nov '22

15 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-11-2022 18:00 − Dienstag 15-11-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ DTrack activity targeting Europe and Latin America ∗∗∗ --------------------------------------------- DTrack is a backdoor used by the Lazarus group. Initially discovered in 2019, the backdoor remains in use three years later. It is used by the Lazarus group against a wide variety of targets. [..] So, what’s new? DTrack itself hasn’t changed much over the course of time. Nevertheless, there are some interesting modifications that we want to highlight in this blogpost. Dtrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts. --------------------------------------------- https://securelist.com/dtrack-targeting-europe-latin-america/107798/ ∗∗∗ ABI compatibility in Python: How hard could it be? ∗∗∗ --------------------------------------------- This post will cover just one tiny piece of Python packaging’s complexity: the CPython stable ABI. We’ll see what the stable ABI is, why it exists, how it’s integrated into Python packaging, and how each piece goes terribly wrong to make accidental ABI violations easy. --------------------------------------------- https://blog.trailofbits.com/2022/11/15/python-wheels-abi-abi3audit/ ∗∗∗ Checkmk: Remote Code Execution by Chaining Multiple Bugs ∗∗∗ --------------------------------------------- Within the series of articles, we take a detailed look at multiple vulnerabilities we identified in Checkmk and its NagVis integration, which can be chained together by an unauthenticated, remote attacker to fully take over the server running a vulnerable version of Checkmk. --------------------------------------------- https://blog.sonarsource.com/checkmk-rce-chain-3/ ∗∗∗ Organizations Warned of Critical Vulnerability in Backstage Developer Portal Platform ∗∗∗ --------------------------------------------- Backstage is affected by a critical vulnerability related to a security hole found earlier this year by Oxeye in the popular sandbox library VM2. The VM2 flaw, dubbed SandBreak and tracked as CVE-2022-36067, can allow a remote attacker to escape the sandbox and execute arbitrary code on the host. Backstage has been using VM2 and Oxeye researchers discovered that CVE-2022-36067 can be exploited for unauthenticated remote code execution in Backstage by abusing its software templates. --------------------------------------------- https://www.securityweek.com/organizations-warned-critical-vulnerability-ba… ∗∗∗ Kreditbetrug: Vorsicht vor darlehenexpert.com ∗∗∗ --------------------------------------------- darlehenexpert.com gibt sich als Kreditgeber aus und ermöglicht angeblich Privat- und Autokredite, Hypotheken sowie Darlehen. Interessierte füllen online ein Kreditantragsformular aus und erhalten nach kurzer Zeit eine Zusage. Doch Vorsicht: darlehenexpert.com ist betrügerisch. Sie werden aufgefordert, vorab unterschiedliche Gebühren zu überweisen. Wenn Sie überweisen, verlieren Sie Ihr Geld und erhalten keinen Kredit! --------------------------------------------- https://www.watchlist-internet.at/news/kreditbetrug-vorsicht-vor-darlehenex… ∗∗∗ Android malware: A million people downloaded these malicious apps before they were finally removed from Google Play ∗∗∗ --------------------------------------------- Cybersecurity researchers identify an aggressive adware campaign. The developer is now banned from Google Play - but if youve not uninstalled the apps, youre still infected. [..] The four apps that have been identified as malicious were from a developer called Mobile apps Group and were called 'Bluetooth Auto Connect', 'Bluetooth App Sender', 'Mobile transfer: smart switch', and 'Driver: Bluetooth, Wi-Fi, USB'. --------------------------------------------- https://www.zdnet.com/article/android-warning-these-malicious-apps-had-over… ∗∗∗ Windows Server 2012 R2: Sophos User-Authentifizierung mittels Heartbeat auf RDS-Servern abgeschaltet ∗∗∗ --------------------------------------------- Kurzer Hinweis für Administratoren, die Windows Server 2012 R2 einsetzen und sich auf die Sophos User-Authentifizierung per Sophos Security Heartbeats verlassen. Sophos hat ein Update verteilt, welches die Funktion auf Windows Server 2012 R2 stillschweigend außer Kraft setzt. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/windows-server-2012-r2-sophos-user… ∗∗∗ LKA warnt vor Betrugsmasche mit digitalen Kreditkarten (Nov. 2022) ∗∗∗ --------------------------------------------- Das LKA Niedersachsen warnt vor einer neue Betrugsmasche, die Cyber-Kriminelle erdacht haben. Mittels Phishing-E-Mails, gefälschten Webseiten und digitalen Kreditkarten versuchen sie an Zahlungsdaten der Opfer heranzukommen. Die Daten der digitalen Kreditkarte werden dann für eigene Einkäufe auf Kosten des Opfers missbraucht. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/lka-warnt-vor-betrugsmasche-mit-di… ∗∗∗ Firmware- und BIOS-Updates: AMD, Intel, Lenovo, HP (Nov. 2022) ∗∗∗ --------------------------------------------- Die Hersteller Lenovo und HP stopfen mit Firmware-Updates entdeckte Schwachstellen im BIOS (und in der Software) ihrer Systeme. Und die Prozessorhersteller AMD sowie Intel haben ebenfalls Sicherheitslücken in ihrer Firmware per Update im November 2022 geschlossen. Hier ein kompakter Überblick über diese Updates. --------------------------------------------- https://www.borncity.com/blog/2022/11/15/firmware-und-bios-updates-amd-inte… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel and webkit2gtk3), Red Hat (dhcp, dovecot, flac, freetype, fribidi, frr, gimp, grafana, guestfs-tools, httpd, kernel-rt, libtirpc, mingw-gcc, mingw-glib2, pcs, php, protobuf, python3.9, qemu-kvm, redis, speex, and swtpm), SUSE (chromium, containerized-data-importer, jhead, kubevirt stack, nodejs14, nodejs16, python-Werkzeug, and xen), and Ubuntu (golang-1.13, nginx, and vim). --------------------------------------------- https://lwn.net/Articles/914952/ ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.5 ∗∗∗ --------------------------------------------- In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts. --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-49/ ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.5 ∗∗∗ --------------------------------------------- CVE-2022-45403: Service Workers might have learned size of cross-origin media files CVE-2022-45404: Fullscreen notification bypass CVE-2022-45405: Use-after-free in InputStream implementation CVE-2022-45406: Use-after-free of a JavaScript Realm CVE-2022-45408: Fullscreen notification bypass via windowName CVE-2022-45409: Use-after-free in Garbage Collection CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-48/ ∗∗∗ Security Vulnerabilities fixed in Firefox 107 ∗∗∗ --------------------------------------------- CVE-2022-45407: Loading fonts on workers was not thread-safe CVE-2022-45403: Service Workers might have learned size of cross-origin media files CVE-2022-45404: Fullscreen notification bypass CVE-2022-45405: Use-after-free in InputStream implementation CVE-2022-45406: Use-after-free of a JavaScript Realm CVE-2022-45408: Fullscreen notification bypass via windowName CVE-2022-45409: Use-after-free in Garbage Collection CVE-2022-45421: Memory safety bugs fixed in Firefox 107 and Firefox ESR 102.5 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-47/ ∗∗∗ TERASOLUNA Global Framework and TERASOLUNA Server Framework for Java (Rich) vulnerable to ClassLoader manipulation ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN54728399/ ∗∗∗ ZDI-22-1592: Parse Server _expandResultOnKeyPath Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1592/ ∗∗∗ ZDI-22-1591: Parse Server buildUpdatedObject Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1591/ ∗∗∗ ZDI-22-1590: Parse Server transformUpdate Prototype Pollution Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1590/ ∗∗∗ ABB PCM600 Cleartext Credentials Vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001518 ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM HTTP Server is vulnerable to denial of service due to libexpat (CVE-2022-43680, CVE-2013-0340, CVE-2017-9233) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-is-vulner… ∗∗∗ Security Bulletin: Vulnerability from Apache Kafka affect IBM Operations Analytics – Log Analysis (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-from-apache… ∗∗∗ PHOENIX CONTACT: Denial-of-Service vulnerability in mGuard product family ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-051/ ∗∗∗ Mitsubishi Electric GT SoftGOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-319-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.11.2022
by Daily end-of-shift report 14 Nov '22

14 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-11-2022 18:00 − Montag 14-11-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt deinstallieren! Sicherheitslücken, aber keine Patches für VMware Hyperic ∗∗∗ --------------------------------------------- Der Support für die IT-Managementsoftware VMware Hyperic ist ausgelaufen. Admins sollten umsteigen. --------------------------------------------- https://heise.de/-7339160 ∗∗∗ Neue Betrugsmasche auf Amazon: Betrügerische Marketplace-Händler stornieren Bestellungen und empfehlen Kauf bei „Amazon-Partnershops“ ∗∗∗ --------------------------------------------- Sabine sucht auf Amazon nach einer Kaffeemaschine. Bei einem Marketplace-Händler findet sie ein günstiges Angebot. Sie bestellt und wartet nun auf die Lieferung. Kurz nach der Bestellung wird der Kauf aber vom Händler storniert. Sie bekommt ein Mail, indem sich der Händler entschuldigt und ihr einen Shop nennt, bei dem sie die Kaffeemaschine zum gleichen Preis bestellen kann. Vorsicht: Dabei handelt es sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-amazon-betrue… ∗∗∗ Extracting HTTP CONNECT Requests with Python, (Mon, Nov 14th) ∗∗∗ --------------------------------------------- Seeing abnormal Suricata alerts isnt too unusual in my home environment. In many cases it may be a TLD being resolved that at one point in time was very suspicious. With the increased legitimate adoption of some of these domains, these alerts have been less useful, although still interesting to investigate. I ran into a few of these alerts one night and when diving deeper there was an unusual amount, frequency, and source of the alerts. --------------------------------------------- https://isc.sans.edu/diary/rss/29246 ∗∗∗ Extracting Information From "logfmt" Files With CyberChef, (Sat, Nov 12th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/29244 ∗∗∗ KmsdBot: The Attack and Mine Malware ∗∗∗ --------------------------------------------- Akamai Security Research has observed a new malware that infected our honeypot, which we have dubbed KmsdBot. The botnet infects systems via an SSH connection that uses weak login credentials. --------------------------------------------- https://www.akamai.com/blog/security-research/kmdsbot-the-attack-and-mine-m… ∗∗∗ Discover 2022’s Nastiest Malware ∗∗∗ --------------------------------------------- For the past year, hackers have been following close behind businesses and families just waiting for the right time to strike. In other words, 2022 has been an eventful year in the threat landscape, with malware continuing to take center stage. The 6 Nastiest Malware of 2022 Since the mainstreaming of ransomware payloads and the [...] --------------------------------------------- https://www.webroot.com/blog/2022/10/14/discover-2022s-nastiest-malware/ ∗∗∗ Typhon Reborn With New Capabilities ∗∗∗ --------------------------------------------- Typhon Stealer, a crypto miner/stealer for hire that was discovered in August 2022, now has an updated version called Typhon Reborn. --------------------------------------------- https://unit42.paloaltonetworks.com/typhon-reborn-stealer/ ∗∗∗ BumbleBee Zeros in on Meterpreter ∗∗∗ --------------------------------------------- In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. --------------------------------------------- https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/ ∗∗∗ Stories from the SOC: Fortinet authentication bypass observed in the wild ∗∗∗ --------------------------------------------- Fortinet’s newest vulnerability, CVE-2022-40684, allowing for authentication bypass to manipulate admin SSH keys, unauthorized downloading of configuration files, and creating of super admin accounts, is put a big target on the back’s of unpatched and exposed Fortinet devices. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ HP-BIOS: Pufferüberlauf ermöglicht Rechteausweitung, Update ist verfügbar ∗∗∗ --------------------------------------------- HP warnt vor einer Sicherheitslücke im BIOS zahlreicher Notebooks und PC. Angreifer könnten dadurch ihre Rechte ausweiten oder beliebigen Code ausführen. --------------------------------------------- https://heise.de/-7339122 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dropbear, php7.4, pixman, sysstat, and xorg-server), Fedora (mingw-expat, mingw-libtasn1, and mingw-pixman), Mageia (binutils/gdb, chromium-browser-stable, exiv2, libtiff, nodejs, pcre, pixman, wayland, and webkit2), Red Hat (device-mapper-multipath and libksba), SUSE (autotrace, busybox, libmodbus, php72, python-numpy, rustup, samba, varnish, xen, and xterm), and Ubuntu (thunderbird). --------------------------------------------- https://lwn.net/Articles/914811/ ∗∗∗ Path Traversal Schwachstelle in Payara Platform ∗∗∗ --------------------------------------------- Aufgrund einer fehlerhaften Pfadüberprüfung in der Payara Software ist es möglich, die Konfigurations- oder Sourcecode-Dateien von Webanwendungen in den Verzeichnissen WEB-INF und META-INF über eine Path Traversal Schwachstelle zu lesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/path-traversal-vulner… ∗∗∗ Vielfältige Schwachstellen in BACKCLICK Professional (SYSS-2022-026 bis -037) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-p… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service after entering a specially crafted malformed SQL statement into the db2expln tool. (CVE-2022-35637) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure in some scenarios due to unauthorized access caused by improper privilege management when CREATE OR REPLACE command is used. (CVE-2022-22483) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: IBM MQ Internet Pass-Thru traces sensitive data (CVE-2022-35719) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-internet-pass-thru… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.11.2022
by Daily end-of-shift report 11 Nov '22

11 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-11-2022 18:00 − Freitag 11-11-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ US Health Dept warns of Venus ransomware targeting healthcare orgs ∗∗∗ --------------------------------------------- The U.S. Department of Health and Human Services (HHS) warned today that Venus ransomware attacks are also targeting the countrys healthcare organizations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-health-dept-warns-of-venu… ∗∗∗ Microsoft fixes Windows zero-day bug exploited to push malware ∗∗∗ --------------------------------------------- Windows has fixed a bug that prevented Mark of the Web flags from propagating to files within downloaded ISO files, dealing a massive blow to malware distributors and developers. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-windows-zer… ∗∗∗ NIS2-Richtlinie: Domaininhaber müssen künftig Adressdaten hinterlegen ∗∗∗ --------------------------------------------- Die neue EU-Richtlinie zur IT-Sicherheit (NIS2) untersagt die anonyme Registrierung von Domains. --------------------------------------------- https://www.golem.de/news/nis2-richtlinie-domaininhaber-muessen-kuenftig-ad… ∗∗∗ Sicherheitslücke: Sperrbildschirm von Pixel-Smartphones ließ sich umgehen ∗∗∗ --------------------------------------------- Einem Forscher ist es gelungen, ein Pixel-Smartphone von Google ohne PIN zu entsperren. Doch Fix und Bug Bounty ließen lange auf sich warten. --------------------------------------------- https://www.golem.de/news/sicherheitsluecke-sperrbildschirm-von-pixel-smart… ∗∗∗ Cisco dichtet Sicherheitslecks in ASA und Firepower ab ∗∗∗ --------------------------------------------- Cisco dichtet teils hochriskante Sicherheitslücken in der Software der Adaptive Security Appliance und Firepower Threat Defense. Admins sollten aktiv werden. --------------------------------------------- https://heise.de/-7336757 ∗∗∗ Digitalbarometer 2022: Weiter leichtes Spiel für Cyber-Kriminelle ∗∗∗ --------------------------------------------- BSI und Polizeiliche Kriminalprävention der Länder und des Bundes (ProPK) veröffentlichen die vierte gemeinsame Bürgerbefragung: Viele Bürgerinnen und Bürger vernachlässigen grundlegende Maßnahmen, um sich vor Angriffen im Netz zu schützen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday announced the release of a Stakeholder-Specific Vulnerability Categorization (SSVC) guide that can help organizations prioritize vulnerability patching using a decision tree model. --------------------------------------------- https://www.securityweek.com/cisa-releases-decision-tree-model-help-compani… ∗∗∗ Phishing-resistente Multifaktor Authentifizierung ∗∗∗ --------------------------------------------- Multifaktor Authentifizierung (MFA) kann durch Phishing ausgehebelt werden. Es kommt darauf an, MFA widerstandsfähiger zu machen, betont Lance Spitzner, SANS Security Awareness Director, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88404820/phishing-resistente-multifaktor-authentifizie… ∗∗∗ HackHound IRC Bot Being Distributed via Webhards ∗∗∗ --------------------------------------------- Webhards are the main platforms that the attackers targeting Korean users exploit to distribute malware. The ASEC analysis team has been monitoring malware types distributed through webhards and uploaded multiple blog posts about them in the past. --------------------------------------------- https://asec.ahnlab.com/en/41806/ ∗∗∗ CVE-2019-8561: A Hard-to-Banish PackageKit Framework Vulnerability in macOS ∗∗∗ --------------------------------------------- This blog entry details our investigation of CVE-2019-8561, a vulnerability that exists in the macOS PackageKit framework, a component used to install software installer packages (PKG files). --------------------------------------------- https://www.trendmicro.com/en_us/research/22/k/cve-2019-8561-a-hard-to-bani… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and exiv2), Fedora (curl, device-mapper-multipath, dotnet6.0, mediawiki, mingw-gcc, and php-pear-CAS), Gentoo (lesspipe), Slackware (php), SUSE (git, glibc, kernel, libarchive, python, python-rsa, python3-lxml, rpm, sudo, xen, and xwayland), and Ubuntu (wavpack). --------------------------------------------- https://lwn.net/Articles/914571/ ∗∗∗ Preisgabe von sensiblen Informationen in Zoom (SYSS-2022-048) ∗∗∗ --------------------------------------------- Bei einer Videokonferenz über Zoom werden Chatnachrichten im Installationsverzeichnis gespeichert. Ein Angreifer kann diese Nachrichten entschlüsseln. --------------------------------------------- https://www.syss.de/pentest-blog/preisgabe-von-sensiblen-informationen-in-z… ∗∗∗ Rapid7’s Impact from OpenSSL Buffer Overflow Vulnerabilities (CVE-2022-3786 & CVE-2022-3602) ∗∗∗ --------------------------------------------- CVE-2022-3786 & CVE-2022-3602 vulnerabilities affecting OpenSSL’s 3.0.x versions both rely on a maliciously crafted email address in a certificate. --------------------------------------------- https://www.rapid7.com/blog/post/2022/11/11/rapid7s-impact-from-openssl-buf… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM InfoSphere DataStage is vulnerable to a command injection vulnerability [CVE-2022-40752] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-datastage-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime used by the IBM Installation Manager and IBM Packaging Utility – CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Omron NJ/NX-series Machine Automation Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-314-07 ∗∗∗ Omron NJNX-series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-314-08 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.11.2022
by Daily end-of-shift report 10 Nov '22

10 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-11-2022 18:00 − Donnerstag 10-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New StrelaStealer malware steals your Outlook, Thunderbird accounts ∗∗∗ --------------------------------------------- A new information-stealing malware named StrelaStealer is actively stealing email account credentials from Outlook and Thunderbird, two widely used email clients. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-strelastealer-malware-st… ∗∗∗ VU#434994: Multiple race conditions due to TOCTOU flaws in various UEFI Implementations ∗∗∗ --------------------------------------------- Multiple Unified Extensible Firmware Interface (UEFI) implementations are vulnerable to code execution in System Management Mode (SMM) by an attacker who gains administrative privileges on the local machine. An attacker can corrupt the memory using Direct Memory Access (DMA) timing attacks that can lead to code execution. These threats are collectively referred to as RingHopper attacks. --------------------------------------------- https://kb.cert.org/vuls/id/434994 ∗∗∗ Windows breaks under upgraded IceXLoader malware ∗∗∗ --------------------------------------------- Were the malware of Nim! A malware loader deemed in June to be a "work in progress" is now fully functional and infecting thousands of Windows corporate and home PCs.… --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/11/10/icexloader_m… ∗∗∗ [SANS ISC] Do you collect “Observables” or “IOCs”? ∗∗∗ --------------------------------------------- Indicators of Compromise, or IOCs, are key elements in blue team activities. IOCs are mainly small pieces of technical information that have been collected during investigations, threat hunting activities or malware analysis. --------------------------------------------- https://blog.rootshell.be/2022/11/10/sans-isc-do-you-collect-observables-or… ∗∗∗ Phishing-Resistant MFA Does Not Mean Un-Phishable ∗∗∗ --------------------------------------------- Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse “phishing-resistant” with being impossible to phish or socially engineer. --------------------------------------------- https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishabl… ∗∗∗ The Case of Cloud9 Chrome Botnet ∗∗∗ --------------------------------------------- The Zimperium zLabs team recently discovered a malicious browser extension, which not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device. In this blog, we will take a deeper look into the architecture and modus operandi of this malicious browser extension, originally called Cloud9, by the malware author. --------------------------------------------- https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/ ∗∗∗ Certificates and Pwnage and Patches, Oh My! ∗∗∗ --------------------------------------------- A lot has happened since we released the “Certified Pre-Owned” blog post and whitepaper in June of last year. [...] A lot of organizations (and a lot of pentesters ;) definitely realized how pervasive misconfigurations in Active Directory Certificate Service are and how easy it is now to enumerate and abuse these issues. [...] With all of these changes, we wanted to revisit some of the offensive AD CS attacks, detail how the patch has affected some of the existing escalations, and --------------------------------------------- https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f… ∗∗∗ The November 2022 Security Update Review ∗∗∗ --------------------------------------------- Welcome to the penultimate Patch Tuesday of 2021. As expected, Adobe and Microsoft have released their latest security updates and fixes to the world. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings. --------------------------------------------- https://www.thezdi.com/blog/2022/11/8/the-november-2022-security-update-rev… ∗∗∗ How LNK Files Are Abused by Threat Actors ∗∗∗ --------------------------------------------- LNK files are based on the Shell Link Binary file format, also known as Windows shortcuts. But what seems a relatively simple ability to execute other binaries on the system can inflict great harm when abused by threat actors. --------------------------------------------- https://www.intezer.com/blog/malware-analysis/how-threat-actors-abuse-lnk-f… ∗∗∗ Penetration and Distribution Method of Gwisin Attacker ∗∗∗ --------------------------------------------- The attacker of Gwisin ransomware targets and penetrates the publicly available servers of companies. They then use the server as their foothold for distributing the ransomware into the internal infrastructure. It is known that the attacker uses various means such as SFTP, WMI, integrated management solution, and IIS web service to distribute the ransomware into the internal infrastructure. In this confirmed case, they used the IIS web service to distribute Gwisin ransomware. --------------------------------------------- https://asec.ahnlab.com/en/41565/ ===================== = Vulnerabilities = ===================== ∗∗∗ Bios: Sicherheitslücken im UEFI etlicher Lenovo-Laptops ∗∗∗ --------------------------------------------- Lenovo hat Treiber verwendet, die nur für die Produktion vorgesehen waren. Dadurch lässt sich Secure Boot aus dem Betriebssystem heraus deaktivieren. --------------------------------------------- https://www.golem.de/news/bios-sicherheitsluecken-im-uefi-etlicher-lenovo-l… ∗∗∗ Aiphone Video Multi-Tenant System Entrance Stations vulnerable to information disclosure ∗∗∗ --------------------------------------------- Video Multi-Tenant System Entrance Stations provided by AIPHONE CO., LTD. contain an information disclosure vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN75437943/ ∗∗∗ Cisco Security Advisories 2022-11-09 ∗∗∗ --------------------------------------------- Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2022-11-09 ∗∗∗ --------------------------------------------- IBM Cloud Pak for Security, IBM Master Data Management, IBM Planning Analytics, IBM Planning Analytics Workspace, IBM QRadar, IBM Tivoli Business Service Manager --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ HTML Injection in BMC Remedy ITSM-Suite ∗∗∗ --------------------------------------------- Die Anwendung BMC Remedy erlaubt es Benutzern Incidents über Email weiterzuleiten. Im Email Editor ist es möglich HTML-Code in das "To" Feld einzufügen. Danach zeigt die Anwendung an, dass der Incident an Empfänger weitergeleitet wurde. Durch Klicken auf die Anzahl der Empfänger wird der eingefügte HTML-Code geladen und ausgeführt. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/html-injection-in-bmc… ∗∗∗ CVE-2022-0031 Cortex XSOAR: Local Privilege Escalation (PE) Vulnerability in Cortex XSOAR Engine ∗∗∗ --------------------------------------------- A local privilege escalation (PE) vulnerability in the Palo Alto Networks Cortex XSOAR engine software running on a Linux operating system allows a local attacker with shell access to the engine to execute programs with elevated privileges. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0031 ∗∗∗ Bugfix-Updates: Apple stellt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 bereit ∗∗∗ --------------------------------------------- Fehlerbehebungen und gestopfte Sicherheitslücken außer der Reihe: Apple legt macOS 13.0.1, iPadOS 16.1.1 und iOS 16.1.1 für Mac, iPad und iPhone vor. --------------------------------------------- https://heise.de/-7335516 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libjettison-java and xorg-server), Slackware (sysstat and xfce4), SUSE (python3 and xen), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/914347/ ∗∗∗ Unit 42 Finds Three Vulnerabilities in OpenLiteSpeed Web Server ∗∗∗ --------------------------------------------- Unit 42 discovered three vulnerabilities in OpenLiteSpeed Web Server and LiteSpeed Web Server that could be used together for remote code execution. --------------------------------------------- https://unit42.paloaltonetworks.com/openlitespeed-vulnerabilities/ ∗∗∗ [R1] Nessus Version 8.15.7 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (expat, libxml2, zlib) were found to contain vulnerabilities, and updated versions have been made available by the providers.Out of caution and in line with good practice, Tenable has opted to upgrade these components to address the potential impact of the issues. --------------------------------------------- https://www.tenable.com/security/tns-2022-26 ∗∗∗ 2022-12 Multiple Java SE vulnerabilities in Belden/Hirschmann software products ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14996&mediaformat…" target="_blank -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.11.2022
by Daily end-of-shift report 09 Nov '22

09 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-11-2022 18:00 − Mittwoch 09-11-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Intel, AMD Address Many Vulnerabilities With Patch Tuesday Advisories ∗∗∗ --------------------------------------------- Intel and AMD have announced fixes for many vulnerabilities on this Patch Tuesday, including for flaws that have been assigned a ‘high severity’ rating. --------------------------------------------- https://www.securityweek.com/intel-amd-address-many-vulnerabilities-patch-t… ∗∗∗ Microsoft: Windows 10 21H1 reaches end of service next month ∗∗∗ --------------------------------------------- Microsoft has reminded customers today that all editions of Windows 10 21H1 (also known as the May 2021 Update) are reaching the end of service (EOS) next month. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-10-21h1-r… ∗∗∗ Lenovo fixes flaws that can be used to disable UEFI Secure Boot ∗∗∗ --------------------------------------------- Lenovo has fixed two high-severity vulnerabilities impacting various ThinkBook, IdeaPad, and Yoga laptop models that could allow an attacker to deactivate UEFI Secure Boot. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lenovo-fixes-flaws-that-can-… ∗∗∗ Phishing-Resistant MFA Does Not Mean Un-Phishable ∗∗∗ --------------------------------------------- Human societies have a bad habit of taking a specific, limited-in-scope fact and turning it into an overly broad generalization that gets incorrectly believed and perpetuated as if it were as comprehensively accurate as the original, more-limited fact it was based on. Anything can be hacked. Do not confuse “phishing-resistant” with being impossible to phish or socially engineer. --------------------------------------------- https://www.linkedin.com/pulse/phishing-resistant-mfa-does-mean-un-phishabl… ∗∗∗ SMS „Hallo Mama, mein Handy ist kaputt“ ist betrügerisch! ∗∗∗ --------------------------------------------- Eine großangelegte SMS-Betrugsmasche sorgt aktuell für Verunsicherung bei Empfänger:innen. Der Inhalt der „Hallo Mama“ oder „Hallo Papa“ SMS soll vermitteln, dass das eigene Kind eine neue Nummer hätte. Das Kind bittet deshalb um Kontaktaufnahme über WhatsApp. Wer hier antwortet, wird schon bald vom vermeintlichen Kind zu Zahlungen aufgefordert. Ignorieren Sie die Nachrichten und führen Sie auf keinen Fall Überweisungen durch. --------------------------------------------- https://www.watchlist-internet.at/news/sms-hallo-mama-mein-handy-ist-kaputt… ∗∗∗ Massive ois[.]is Black Hat Redirect Malware Campaign ∗∗∗ --------------------------------------------- Since September 2022, our research team has tracked a surge in WordPress malware redirecting website visitors to fake Q&A sites via ois[.]is. These malicious redirects appear to be designed to increase the authority of the attacker’s sites for search engines. PublicWWW results show nearly 15,000 websites have been affected by this malware so far. --------------------------------------------- https://blog.sucuri.net/2022/11/massive-ois-is-black-hat-redirect-malware-c… ∗∗∗ Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns ∗∗∗ --------------------------------------------- The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors. Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks. --------------------------------------------- https://blog.talosintelligence.com/ipfs-abuse/ ∗∗∗ Check Point CloudGuard Spectral exposes new obfuscation techniques for malicious packages on PyPI ∗∗∗ --------------------------------------------- Check Point Research (CPR) detects a new and unique malicious package on PyPI, the leading package index used by developers for the Python programming language The new malicious package was designed to hide code in images and infect through open-source projects on Github CPR responsibly disclosed this information to PyPI, who removed the packages. --------------------------------------------- https://research.checkpoint.com/2022/check-point-cloudguard-spectral-expose… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks ∗∗∗ --------------------------------------------- Microsoft has released security updates to address two high-severity Microsoft Exchange zero-day vulnerabilities collectively known as ProxyNotShell and exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-proxynotshe… ∗∗∗ Kritische Sicherheitslücken in VMware Workspace ONE - Updates verfügbar ∗∗∗ --------------------------------------------- VMware hat Updates für drei kritische Authentication Bypass Sicherheitslücken im Remote-Access-Tool VMware Workspace ONE veröffentlicht. Entfernte, anonyme Angreifer:innen können die Authentifizierung in erreichbaren VMware Workspace ONE Instanzen umgehen und Administratorrechte auf den betroffenen Systemen erlangen. --------------------------------------------- https://cert.at/de/warnungen/2022/11/kritische-sicherheitslucken-in-vmware-… ∗∗∗ Citrix Gateway und ADC: Kritische Lücke ermöglicht unbefugten Zugriff ∗∗∗ --------------------------------------------- Citrix schließt Sicherheitslücken, durch die Angreifer etwa unberechtigt auf die Gerätefunktionen zugreifen können. Administratoren sollten zügig aktualisieren. --------------------------------------------- https://heise.de/-7334851 ∗∗∗ Multiple vulnerabilities in WordPress ∗∗∗ --------------------------------------------- WordPress contains multiple vulnerabilities listed below which are to the WordPress Post by Email Feature. --------------------------------------------- https://jvn.jp/en/jp/JVN09409909/ ∗∗∗ IBM Security Bulletins 2022-11-08 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Cloud Application Business Insights, IBM Security Guardium, IBM Security Verify Access --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lenovo Product Security Advisories 2022-11-08 ∗∗∗ --------------------------------------------- AMD Graphics Driver, AMD IBPB Return Branch Predictions, Brocade EZSwitch, Elan UltraNav and MiniPort Driver, Intel AMT SDK, Intel EMA, Intel MC, Intel Chipset Firmware, Intel PROSet Wireless WiFi, Intel vPro CSME WiFi, Killer WiFi, Intel SGX SDK, Lenovo Diagnostics, Lenovo Notebook BIOS, Lenovo Vantage Component, Multi-Vendor BIOS --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Cisco Security Advisories 2022-11-09 ∗∗∗ --------------------------------------------- Cisco Adaptive Security Appliance Software, Cisco FXOS Software, Cisco FirePOWER Software for ASA FirePOWER Module, Cisco Firepower Management Center Software, Cisco Firepower Threat Defense Software, Cisco NGIPS Software, Cisco Secure Firewall 3100 Series, Multiple Cisco Products Snort SMB2 Detection Engine --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Webbrowser: Zehn Sicherheitslücken weniger in Google Chrome ∗∗∗ --------------------------------------------- In dem jetzt verfügbaren Update für den Webbrowser Chrome schließt Google 10 Sicherheitslücken. Mit manipulierten Webseiten könnten Angreifer Code ausführen. --------------------------------------------- https://heise.de/-7334255 ∗∗∗ Foxit PDF Reader: Schadcode-Attacken über präparierte PDFs möglich ∗∗∗ --------------------------------------------- Die Foxit-Entwickler haben in ihren PDF-Anwendungen unter macOS und Windows Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7334993 ∗∗∗ Patchday: SAP stopft neun zum Teil kritische Schwachstellen ∗∗∗ --------------------------------------------- Am November-Patchday dichtet SAP teils kritische Sicherheitslücken in mehreren Produkten ab. Administratoren sollten sie zügig auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-7334573 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (vim, webkit2gtk, and wpewebkit), Fedora (mingw-python3, vim, webkit2gtk3, webkitgtk, and xen), Mageia (389-ds-base, bluez, ffmpeg, libtasn1, libtiff, libxml2, and mbedtls), Red Hat (kpatch-patch and linux-firmware), SUSE (conmon, containerized data importer, exim, expat, ganglia-web, gstreamer-0_10-plugins-base, gstreamer-0_10-plugins-good, gstreamer-plugins-base, gstreamer-plugins-good, kernel, kubevirt, protobuf, sendmail, and vsftpd), and Ubuntu (libzstd, openjdk-8, openjdk-lts, openjdk-17, openjdk-19, php7.2, php7.4, php8.1, and pixman). --------------------------------------------- https://lwn.net/Articles/914221/ ∗∗∗ Zahlreiche kritische Schwachstellen in Simmeth System GmbH Lieferantenmanager ∗∗∗ --------------------------------------------- Die Software Lieferantenmanager der Simmeth System GmbH ist von mehreren kritischen Schwachstellen betroffen. Durch diese lassen sich beliebige Befehle ohne Authentifizierung auf dem SQL Server ausführen. Des Weiteren können beliebige Dateien auf dem Webserver gelesen und Nutzersessions gestohlen werden. Außerdem wurde das E-Mail Passwort der Firma Simmeth mithilfe eines unauthentifizierten Requests ausgelesen. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/multiple-critical-vul… ∗∗∗ [R1] Nessus Network Monitor Version 6.1.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus Network Monitor leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2022-25 ∗∗∗ Xen Security Advisory CVE-2022-23824 / XSA-422 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-422.html -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.11.2022
by Daily end-of-shift report 08 Nov '22

08 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-11-2022 18:00 − Dienstag 08-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ How to mimic Kerberos protocol transition using reflective RBCD ∗∗∗ --------------------------------------------- We know that a delegation is dangerous if an account allows delegating third-party user authentication to a privileged resource. In the case of constrained delegation, all it takes is to find a privileged account in one of the SPN (Service Principal Name) set in the msDS-AllowedToDelegateTo attribute of a compromised service account. --------------------------------------------- https://medium.com/tenable-techblog/how-to-mimic-kerberos-protocol-transiti… ∗∗∗ Azov-Malware zerstört Dateien in 666-Byte-Schritten ∗∗∗ --------------------------------------------- Der Windows-Schädling Azov ist ein Wiper und vernichtet Dateien unwiderruflich. Sicherheitsforscher beobachten ein erhöhtes Aufkommen. --------------------------------------------- https://heise.de/-7333231 ∗∗∗ Open Bug Bounty: Eine Million Sicherheitslücken im Web behoben ∗∗∗ --------------------------------------------- Eine offene Plattform für das Offenlegen von Sicherheitslücken im Web hat einen Meilenstein erreicht. Open Bug Bounty verzeichnet über 1,3 Mio. Entdeckungen. --------------------------------------------- https://heise.de/-7333872 ∗∗∗ Achtung Fake-Shop: marktstores.com gibt sich als Media Markt aus ∗∗∗ --------------------------------------------- Die Playstation 5 ist momentan überall ausverkauft. Vorsicht, wenn Sie im Internet dennoch einen Anbieter finden, der sie angeblich liefern kann. Dieser könnte sich als Fake-Shop herausstellen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shop-marktstorescom-gib… ∗∗∗ LockBit 3.0 Being Distributed via Amadey Bot ∗∗∗ --------------------------------------------- The ASEC analysis team has confirmed that attackers are using Amadey Bot to install LockBit. Amadey Bot, a malware that was first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. --------------------------------------------- https://asec.ahnlab.com/en/41450/ ∗∗∗ Prepare, respond & recover: Battling complex Cybersecurity threats with fundamentals ∗∗∗ --------------------------------------------- The cybersecurity industry has seen a lot of recent trends. For example, the proliferation of multifactor authentication (MFA) to fight against credential harvesting is a common thread. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/prepare-respond-rec… ∗∗∗ Cracking 2.3M Attackers-Supplied Credentials: What Can We Learn from RDP Attacks ∗∗∗ --------------------------------------------- To study credentials attacks on RDP, we operate high-interaction honeypots on the Internet. We analyzed over 2.3 million connections that supplied hashed credentials and attempted to crack them. --------------------------------------------- https://www.gosecure.net/blog/2022/11/08/cracking-2-3m-attackers-supplied-c… ∗∗∗ DeimosC2: What SOC Analysts and Incident Responders Need to Know About This C&C Framework ∗∗∗ --------------------------------------------- This report provides defenders and security operations center teams with the technical details they need to know should they encounter the DeimosC2 C&C framework. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/k/deimosc2-what-soc-analysts-a… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-07 ∗∗∗ --------------------------------------------- IBM Tivoli Monitoring, IBM App Connect Enterprise Certified Container, IBM Operations Analytics - Log Analysis --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Siemens Security Advisories 2022-11-08 ∗∗∗ --------------------------------------------- Siemens released 9 new and 8 updated Advisories. (CVSS Scores 5.3-9.9) --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-11#Sec… ∗∗∗ Patchday: Angreifer könnten Android-Geräte über Attacken lahmlegen ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für Android 10 bis 13 veröffentlicht. Einige andere Hersteller bieten ebenfalls Patches an. --------------------------------------------- https://heise.de/-7333334 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pixman and sudo), Fedora (mingw-binutils and mingw-gdb), Red Hat (bind, bind9.16, container-tools:3.0, container-tools:4.0, container-tools:rhel8, dnsmasq, dotnet7.0, dovecot, e2fsprogs, flatpak-builder, freetype, fribidi, gdisk, grafana, grafana-pcp, gstreamer1-plugins-good, httpd:2.4, kernel, kernel-rt, libldb, libreoffice, libtiff, libxml2, mingw-expat, mingw-zlib, mutt, nodejs:14, nodejs:18, openblas, openjpeg2, osbuild, pcs, php:7.4, php:8.0, [...] --------------------------------------------- https://lwn.net/Articles/914119/ ∗∗∗ ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities ∗∗∗ --------------------------------------------- Siemens and Schneider Electric have released their Patch Tuesday advisories for November 2022. Siemens has released nine new security advisories covering a total of 30 vulnerabilities, but Schneider has only published one new advisory. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-addresses-critical-v… ∗∗∗ Varnish HTTP/2 Request Forgery ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00011/ ∗∗∗ Open Source Varnish Request Smuggling ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00010/ ∗∗∗ PHOENIX CONTACT: Automationworx BCP File Parsing Vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-048/ ∗∗∗ Citrix Gateway and Citrix ADC Security Bulletin for CVE-2022-27510 CVE-2022-27513 and CVE-2022-27516 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX463706/citrix-gateway-and-citrix-adc-… ∗∗∗ McAfee Total Protection: Update fixt Schwachstelle CVE-2022-43751 ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/11/08/mcafee-total-protection-update-fix… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.11.2022
by Daily end-of-shift report 07 Nov '22

07 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-11-2022 18:00 − Montag 07-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows Malware with VHD Extension, (Sat, Nov 5th) ∗∗∗ --------------------------------------------- Windows 10 supports various virtual drives natively and can recognize and use ISO, VHD and VHDX files. The file included as an attachment with this email, when extracted appears in the email as a PDF but is is in fact a VHD file. --------------------------------------------- https://isc.sans.edu/diary/rss/29222 ∗∗∗ IPv4 Address Representations, (Sun, Nov 6th) ∗∗∗ --------------------------------------------- A reader asked for help with this maldoc. Not with the analysis itself, but how to understand where the URL is pointing to. --------------------------------------------- https://isc.sans.edu/diary/rss/29224 ∗∗∗ Experts Find URLScan Security Scanner Inadvertently Leaks Sensitive URLs and Data ∗∗∗ --------------------------------------------- Security researchers are warning of "a trove of sensitive information" leaking through urlscan.io, a website scanner for suspicious and malicious URLs. "Sensitive URLs to shared documents, password reset pages, team invites, payment invoices and more are publicly listed and searchable," Positive Security co-founder, Fabian Bräunlein, said in a report published on November 2, 2022. --------------------------------------------- https://thehackernews.com/2022/11/experts-find-urlscan-security-scanner.html ∗∗∗ AWS Organizations Defaults ∗∗∗ --------------------------------------------- [...] These things combined mean that, should an attacker compromise the management account, the default behavior of AWS Organizations provides a path to compromise every account in the organization as an administrator. For offensive security professionals, identifying paths into the management account can be an incredibly fruitful exercise, and may result in an entire organization compromise. --------------------------------------------- https://hackingthe.cloud/aws/general-knowledge/aws_organizations_defaults/ ∗∗∗ Kommentar: Angriffe lassen sich nicht vermeiden – übernehmt die Verantwortung! ∗∗∗ --------------------------------------------- Shit happens, ebenso wie Sicherheitsvorfälle. Die Frage kann also nur sein, wie damit umzugehen ist - vorher wie nachher. --------------------------------------------- https://heise.de/-7328918 ∗∗∗ Versteckte Kosten für Kündigungen auf stornierenbei.de ∗∗∗ --------------------------------------------- Wenn Sie einen Vertrag kündigen wollen und dazu über Ihre Suchmaschine recherchieren, stoßen Sie womöglich auf stornierenbei.de. Dort wird eine einfache Kündigung von Verträgen unterschiedlichster Anbieter als Dienstleistung angeboten. Achtung: Statt der Kündigung des angegebenen Vertrages, kommen versteckte Kosten auf Sie zu, die auch eingemahnt werden! Bezahlen Sie nichts. Es besteht kein gültiger Vertrag mit stornierenbei.de. --------------------------------------------- https://www.watchlist-internet.at/news/versteckte-kosten-fuer-kuendigungen-… ∗∗∗ BYODC - Bring Your Own Domain Controller ∗∗∗ --------------------------------------------- BYODC or bring your own domain controller is a post-exploitation technique and another option for performing a DCSync in a more opsec safe manner. --------------------------------------------- https://blog.zsec.uk/byodc-attack/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-04 ∗∗∗ --------------------------------------------- AIX LPARs in IBM PureData System for Operational Analytics, IBM App Connect Enterprise, IBM MQ, IBM WebSphere Application Server Liberty / CICS Transaction Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ffmpeg, libxml2, python-django, python-scciclient, and xen), Fedora (ghc-cmark-gfm, java-latest-openjdk, and vim), Mageia (expat, ntfs-3g, and wkhtmltopdf), Oracle (kernel), Slackware (sudo), and SUSE (expat, libxml2, rubygem-loofah, and xmlbeans). --------------------------------------------- https://lwn.net/Articles/914012/ ∗∗∗ Shodan Verified Vulns 2022-11-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-11-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2022/11/shodan-verified-vulns-2022-11-01 ∗∗∗ Nov 3 2022 Security Releases ∗∗∗ --------------------------------------------- (Update 04-November-2022) Security releases available Updates are now available for v14,x, v16.x, v18.x and v19.x Node.jsrelease lines for the following issues. [...] --------------------------------------------- https://nodejs.org/en/blog/vulnerability/november-2022-security-releases ∗∗∗ WebKit HTMLSelectElement Use-After-Free ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2022110007 ∗∗∗ TRUMPF: Multiple products prone to X.Org server vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-049/ ∗∗∗ Wiesemann &Theis: Multiple Vulnerabilities in the Com-Server Family ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-043/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.11.2022
by Daily end-of-shift report 04 Nov '22

04 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-11-2022 18:00 − Freitag 04-11-2022 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WLAN-Sicherheitslücke: Für Spezialdrohnen sind Wände wie Glas ∗∗∗ --------------------------------------------- Kanadische Forscher haben eine Funktion entdeckt, die es Angreifern ermöglicht, durch Wände zu sehen - trotz Passwortschutz. --------------------------------------------- https://www.golem.de/news/wlan-sicherheitsluecke-fuer-eine-spezialdrohne-si… ∗∗∗ A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain ∗∗∗ --------------------------------------------- Note: The three vulnerabilities discussed in this blog were all fixed in Samsung’s March 2021 release. They were fixed as CVE-2021-25337, CVE-2021-25369, CVE-2021-25370. To ensure your Samsung device is up-to-date under settings you can check that your device is running SMR Mar-2021 or later. As defenders, in-the-wild exploit samples give us important insight into what attackers are really doing. We get the “ground truth” data about the vulnerabilities and exploit techniques they’re using, which then informs our further research and guidance to security teams on what could have the biggest impact or return on investment. To do this, we need to know that the vulnerabilities and exploit samples were found in-the-wild. --------------------------------------------- https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-sa… ∗∗∗ What Is Cross-Origin Resource Sharing (CORS)? ∗∗∗ --------------------------------------------- Thanks to the rapid growth of JavaScript frameworks like Angular, React, and Vue, Cross-Origin Resource Sharing (CORS) has become a popular word in the developer’s vocabulary — and for good reason. It’s common practice for modern web applications to load resources from multiple domains. But accessing these website resources from different origins requires a thorough understanding of CORS. In this post, we’ll take a look at what CORS is and why proper implementation is an important component of building secure websites and applications. We’ll also examine some common examples of how to use CORS, dive into preflight requests, and discuss how to protect your website against attacks. --------------------------------------------- https://blog.sucuri.net/2022/11/what-is-cross-origin-resource-sharing-cors.… ∗∗∗ Multi-factor auth fatigue is real – and its why you may be in the headlines next ∗∗∗ --------------------------------------------- Overwhelmed by waves of push notifications, worn-down users inadvertently let the bad guys in Analysis The September cyberattack on ride-hailing service Uber began when a criminal bought the stolen credentials of a company contractor on the dark web. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/11/03/mfa_fatigue_… ∗∗∗ Inside the V1 Raccoon Stealer’s Den ∗∗∗ --------------------------------------------- Team Cymru’s S2 Research Team has blogged previously on the initial Raccoon stealer command and control methodology (Raccoon Stealer - An Insight into Victim “Gates”), which utilized “gate” IP addresses to proxy victim traffic / data to static threat actor-controlled infrastructure. Since the publication of our previous blog, the following timeline of events has occurred: [...] --------------------------------------------- https://www.team-cymru.com/post/inside-the-v1-raccoon-stealer-s-den ∗∗∗ Cisco-Sicherheitsupdates: Angreifer könnten durch Lücken in Netzwerke eindringen ∗∗∗ --------------------------------------------- Die Softwareentwickler von Cisco haben unter anderem in Identity Services Engine und Email Security Appliance Schwachstellen geschlossen. --------------------------------------------- https://heise.de/-7329978 ∗∗∗ UK-Cybersicherheitsbehörde startet landesweites Schwachstellen-Scanning ∗∗∗ --------------------------------------------- Die IT-Sicherheitsbehörde des Vereinigten Königreichs startet einen Schwachstellen-Scanner-Dienst. Der untersucht alle Systeme des Landes auf Sicherheitslücken. --------------------------------------------- https://heise.de/-7330532 ∗∗∗ Apple Rolls Out Xcode Update Patching Git Vulnerabilities ∗∗∗ --------------------------------------------- Apple this week announced a security update for the Xcode macOS development environment, to resolve three Git vulnerabilities, including one leading to arbitrary code execution. --------------------------------------------- https://www.securityweek.com/apple-rolls-out-xcode-update-patching-git-vuln… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-11-03 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise Certified Container, IBM InfoSphere Information server, IBM Operations Analytics - Log Analysis, IBM Security Verify Governance, IBM WebSphere Application Server Liberty --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday: Big-Data-Spezialist Splunk dichtet zwölf Schwachstellen ab ∗∗∗ --------------------------------------------- Der Big-Data-Experte Splunk aktualisiert die gleichnamige Software Splunk Enterprise und Cloud. Nach den Updates klaffen darin zwölf Schwachstellen weniger. --------------------------------------------- https://heise.de/-7329933 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (pypy3), Fedora (drupal7, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and php), Oracle (kernel, lua, openssl, pcs, php-pear, pki-core, python3.9, and zlib), Red Hat (kernel, kernel-rt, kpatch-patch, lua, openssl-container, pcs, php-pear, pki-core, python3.9, and zlib), Scientific Linux (kernel, pcs, and php-pear), SUSE (EternalTerminal, hsqldb, ntfs-3g_ntfsprogs, privoxy, rubygem-actionview-4_2, sqlite3, and xorg-x11-server), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/913771/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clickhouse, distro-info-data, and ntfs-3g), Fedora (firefox), Oracle (kernel), Slackware (mozilla), and SUSE (python-Flask-Security-Too). --------------------------------------------- https://lwn.net/Articles/913849/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0010 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-32888 Versions affected: WebKitGTK and WPE WebKit before 2.38.0. Credit to P1umer (@p1umer). Impact: Processing maliciously crafted web content may lead toarbitrary code execution. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0010.html ∗∗∗ CVE Report Published for Spring Tools ∗∗∗ --------------------------------------------- We have released STS 4.16.1 for Eclipse and Spring VSCode extensions 1.40.0 to address the following CVE report: - CVE-2022-31691: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode Please review the information in the CVE report and upgrade immediately. --------------------------------------------- https://spring.io/blog/2022/11/03/cve-report-published-for-spring-tools -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.11.2022
by Daily end-of-shift report 03 Nov '22

03 Nov '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-11-2022 18:00 − Donnerstag 03-11-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Emotet botnet starts blasting malware again after 5 month break ∗∗∗ --------------------------------------------- The Emotet malware operation is again spamming malicious emails after almost a five-month "vacation" that saw little activity from the notorious cybercrime operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-botnet-starts-blastin… ∗∗∗ Hundreds of U.S. news sites push malware in supply-chain attack ∗∗∗ --------------------------------------------- The compromised infrastructure of an undisclosed media company is being used by threat actors to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hundreds-of-us-news-sites-pu… ∗∗∗ Was tun, wenn ich Opfer von Cybercrime geworden bin? ∗∗∗ --------------------------------------------- Die Online-Identität kann schnell gestohlen werden, wenn jemand seine Daten auf unseriösen Websites eingibt. Dann kann es zu weiteren Konsequenzen kommen. --------------------------------------------- https://futurezone.at/digital-life/cybercrime-identitaetsdiebstahl-phishing… ∗∗∗ The OpenSSL security update story – how can you tell what needs fixing? ∗∗∗ --------------------------------------------- How to Hack! Finding OpenSSL library files and accurately identifying their version numbers... --------------------------------------------- https://nakedsecurity.sophos.com/2022/11/03/the-openssl-security-update-sto… ∗∗∗ P2P Botnets: Review - Status - Continuous Monitoring ∗∗∗ --------------------------------------------- P2P networks are more scalable and robust than traditional C/S structures, and these advantages were recognized by the botnet authors early on and used in their botnets. --------------------------------------------- https://blog.netlab.360.com/p2p-botnets-review-status-continuous-monitoring/ ∗∗∗ Breakpoints in Burp, (Wed, Nov 2nd) ∗∗∗ --------------------------------------------- No, this is not a story about the Canadian Thanksgiving long weekend, it's about web application testing. I recently had a web application to assess, and I used Burp Suite Pro as part of that project. --------------------------------------------- https://isc.sans.edu/diary/rss/29214 ∗∗∗ Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT ∗∗∗ --------------------------------------------- The operators of RomCom RAT are continuing to evolve their campaigns with rogue versions of software such as SolarWinds Network Performance Monitor, KeePass password manager, and PDF Reader Pro. --------------------------------------------- https://thehackernews.com/2022/11/hackers-using-rogue-versions-of-keepass.h… ∗∗∗ Researchers discover security loophole allowing attackers to use Wi-Fi to see through walls ∗∗∗ --------------------------------------------- The Wi-Peep exploits a loophole the researchers call polite Wi-Fi. Even if a network is password protected, smart devices will automatically respond to contact attempts from any device within range. The Wi-Peep sends several messages to a device as it flies and then measures the response time on each, enabling it to identify the devices location to within a meter. --------------------------------------------- https://techxplore.com/news/2022-11-loophole-wi-fi-walls.html ∗∗∗ Passwörter: 64 Prozent der User verwenden Kennwörter mehrmals ∗∗∗ --------------------------------------------- Eine Umfrage unter 3750 Angestellten auch aus deutschen Organisationen fördert bedenkliche Passwortnutzung zutage. Und das trotz besseren Wissens. --------------------------------------------- https://heise.de/-7328871 ∗∗∗ BSI-Lagebericht 2022: Gefährdungslage im Cyber-Raum hoch wie nie ∗∗∗ --------------------------------------------- Im Berichtszeitraum hat sich die bereits zuvor angespannte Lage weiter zugespitzt. Grund dafür sind anhaltende Aktivitäten im Bereich der Cyber-Kriminalität, Cyber-Angriffe im Kontext des russischen Angriffs auf die Ukraine und eine unzureichende Produktqualität von IT- und Software-Produkten. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ A new crop of malicious modules found on PyPI ∗∗∗ --------------------------------------------- Phylum has posted anarticle with a detailed look at a set of malicious packages discoveredby an automated system they have developed. Similar to this attacker’s previous attempts, this particular attack starts by copying existing popular libraries and simply injecting a malicious __import__ statement into an otherwise healthy codebase. --------------------------------------------- https://lwn.net/Articles/913555/ ∗∗∗ Vorsicht vor Scam-Versuchen auf Telegram ∗∗∗ --------------------------------------------- Eine Nachricht auf Telegram erreicht Sie aus heiterem Himmel: Jemand, den Sie nicht kennen bietet Ihnen eine lukrative Investment-Möglichkeit an, oder sogar eine große Summe Geld. Vorsicht, bei diesen Nachrichten handelt es sich um Betrugsversuche! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-scam-versuchen-auf-tele… ∗∗∗ Cobalt Strike Analysis and Tutorial: Identifying Beacon Team Servers in the Wild ∗∗∗ --------------------------------------------- We present new techniques that leverage active probing and network fingerprint technology to help you detect Cobalt Strike’s Team Servers. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-team-server/ ∗∗∗ ASEC Weekly Malware Statistics (October 24th, 2022 – October 30th, 2022) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from October 24th, 2022 (Monday) to October 30th (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/41139/ ===================== = Vulnerabilities = ===================== ∗∗∗ Awareness and guidance related to OpenSSL 3.0 – 3.0.6 risk (CVE-2022-3786 and CVE-2202-3602) ∗∗∗ --------------------------------------------- Microsoft is aware and actively addressing the impact associated with the recent OpenSSL vulnerabilities announced on October 25th 2022, fixed in version 3.0.7. As part of our standard processes, we are rolling out fixes for impacted services. --------------------------------------------- https://msrc-blog.microsoft.com/2022/11/02/microsoft-guidance-related-to-op… ∗∗∗ IBM Security Bulletins 2022-11-02 ∗∗∗ --------------------------------------------- Content Collector for Email in Content Search Services container, IBM Business Automation Workflow, IBM Business Process Manager (BPM), IBM InfoSphere DataStage, IBM MQ, IBM Operations Analytics - Log Analysis, IBM SPSS Modeler, IBM Security SOAR, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwachstellenscanner Nessus: Updates schließen mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- Der Netzwerk-Schwachstellenscanner Nessus behebt mit neuen Versionen mehrere Schwachstellen in Drittherstellerkomponenten. Admins sollten sie installieren. --------------------------------------------- https://heise.de/-7328440 ∗∗∗ Patchday Fortinet: FortiSIEM speichert Log-in-Daten unverschlüsselt ∗∗∗ --------------------------------------------- Es gibt wichtige Updates für Sicherheitsprodukte von Fortinet. Darunter etwa FortiADC und FortiOS. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-7328476 ∗∗∗ (Non-US) DIR-1935 : Rev. Ax : F/W v1.03b02 :: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product ∗∗∗ --------------------------------------------- https://www.securityweek.com/splunk-patches-9-high-severity-vulnerabilities… ∗∗∗ ETIC Telecom Remote Access Server (RAS) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-01 ∗∗∗ Nokia ASIK AirScale System Module ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-02 ∗∗∗ Delta Industrial Automation DIALink ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-307-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily November 2022