Daily May 2022

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 16.05.2022
by Daily end-of-shift report 16 May '22

16 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-05-2022 18:00 − Montag 16-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft warnt vor Sysrv-Botnet ∗∗∗ --------------------------------------------- Eine neue Variante des Sysrv-Botnets hat Microsoft beobachtet, die Windows- und Linux-Systeme befällt, um Kryptowährungen zu schürfen. --------------------------------------------- https://heise.de/-7095053 ∗∗∗ HTML attachments in phishing e-mails ∗∗∗ --------------------------------------------- In this article we review phishing HTML attachments, explaining common tricks the attackers use, and give statistics on HTML attachments detected by Kaspersky solutions. --------------------------------------------- https://securelist.com/html-attachments-in-phishing-e-mails/106481/ ∗∗∗ Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys ∗∗∗ --------------------------------------------- We recently observed a number of apps on Google Play designed to perform malicious activities such as stealing user credentials and other sensitive user information, including private keys. Because of the number and popularity of these apps — some of them have been installed over a hundred thousand times — we decided to shed some light on what these apps actually do by focusing on some of the more notable examples. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-faceb… ∗∗∗ SIP Digest Leak: Angriff auf SIP-Konten ∗∗∗ --------------------------------------------- Im Fachartikel "SIP Digest Leak" beschreibt IT Security Consultant Moritz Abrell einen SIP-spezifischen Angriff auf VoIP-Systeme. --------------------------------------------- https://www.syss.de/pentest-blog/sip-digest-leak-angriff-auf-sip-konten ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in Sonicwall SMA 1000 und SSL-VPN erlauben unbefugten Zugriff ∗∗∗ --------------------------------------------- Sonicwall schließt mehrere Sicherheitslücken in Firmwares von SMA-1000-Geräten und in SSL-VPN NetExtender. Angreifer könnten sich etwa Zugriff verschaffen. --------------------------------------------- https://heise.de/-7092533 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (gzip, java-1.8.0-openjdk, java-11-openjdk, and zlib), Debian (adminer, htmldoc, imagemagick, libgoogle-gson-java, lrzip, openjdk-8, openssl, and ruby-nokogiri), Fedora (ecdsautils, et, libxml2, podman, and supertux), Mageia (cairo, clamav, curl, fish, freetype2, golang-github-prometheus-client, python-django-registration, python-nbxmpp, python-waitress, and xmlrpc-c), Red Hat (pcs), SUSE (curl, kernel, pidgin, and webkit2gtk3), and Ubuntu (tiff). --------------------------------------------- https://lwn.net/Articles/895392/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Information Disclosure in IBM Spectrum Protect Operations Center Browser's History (CVE-2022-22484) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2022-22950, XFID:217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information disclosure (CVE-2020-4957) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a potential issue in jackson-databind – fasterxml-jackson (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Case Manager is vulnerable to cross-site scripting – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-case-manager-is-vulne… ∗∗∗ Security Bulletin: Vulnerabilities with OpenSSL affect IBM Cloud Object Storage Systems (May 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-open… ∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-a… ∗∗∗ Pepperl+Fuchs: RSM-EX devices - Multiple Bluetooth vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-021/ ∗∗∗ Webmin: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0609 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2022
by Daily end-of-shift report 13 May '22

13 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-05-2022 18:00 − Freitag 13-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Zyxel Firewalls als Schlupfloch in Firmen-Netzwerke ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt eine kritische Lücke in mehreren Firewall-Modellen von Zyxel. --------------------------------------------- https://heise.de/-7090269 ∗∗∗ Desktop-Firewall ZoneAlarm: Kritische Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Desktop-Firewall ZoneAlarm könnte Angreifern ermöglichen, ihre Rechte im System auszuweiten und somit die Kontrolle zu übernehmen. --------------------------------------------- https://heise.de/-7090411 ∗∗∗ Crypto-Betrug: Vorsicht vor Yuan Pay Group ∗∗∗ --------------------------------------------- Investitionsplattformen für Crypto-Währungen gibt es wie Sand am Meer. Sie locken mit dem großen Geld bei nur 250€ Investment. Der Haken: Haben Sie einmal investiert, sehen Sie ihr Geld oft nie wieder. Hier finden Sie eine Anleitung wie Sie Crypto-Scams erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/crypto-betrug-vorsicht-vor-yuan-pay-… ∗∗∗ BIOS-Updates fixen kritische Schwachstellen in HPs Business- und Consumer-Modellen sowie in Intel-CPUs (Mai 2022) ∗∗∗ --------------------------------------------- Der Hersteller Hewlett Packard (HP) hat die Tage einen Sicherheitshinweis (Security Advisory) veröffentlicht. Diese Warnung adressiert zwei Schwachstellen in der Firmware von über 200 HP-Modellen (Business- und Consumer-Varianten), die ein Überschreiben der Firmware ermöglichen. Die Schwachstellen wurden mit einem Sicherheits-Score von 8.8 eingestuft – Updates stehen zur Verfügung. Weiterhin hat Intel einen Sicherheitshinweis auf eine Schwachstelle im BIOS von Intel-Systemen hingewiesen, die ebenfalls mit dem Score von 8.2 versehen sind und eine Privilegien-Ausweitung ermöglichen. --------------------------------------------- https://www.borncity.com/blog/2022/05/13/bios-updates-fixen-kritische-schwa… ∗∗∗ Eternity malware kit offers stealer, miner, worm, ransomware tools ∗∗∗ --------------------------------------------- Threat actors have launched the Eternity Project, a new malware-as-a-service where threat actors can purchase a malware toolkit that can be customized with different modules depending on the attack being conducted. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-… ∗∗∗ Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla ∗∗∗ --------------------------------------------- We analyze a malicious compiled HTML help file delivering Agent Tesla, following the chain of attack through JavaScript and multiple stages of PowerShell. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-2022-068: Dell iDRAC9 Security Update for an Improper Authentication Vulnerability ∗∗∗ --------------------------------------------- Dell iDRAC9 versions 5.00.00.00 and later but before 5.10.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access to the VNC Console. --------------------------------------------- https://www.dell.com/support/kbdoc/en-us/000199267/dsa-2022-068-dell-idrac9… ∗∗∗ CVE-2022-1552 Autovacuum, REINDEX, and others omit "security restricted operation" sandbox ∗∗∗ --------------------------------------------- Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck made incomplete efforts to operate safely when a privileged user is maintaining another users objects. Those commands activated relevant protections too late or not at all. An attacker having permission to create non-temp objects in at least one schema could execute arbitrary SQL functions under a superuser identity. --------------------------------------------- https://www.postgresql.org/support/security/CVE-2022-1552/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, postgresql-11, postgresql-13, and waitress), Fedora (curl, java-1.8.0-openjdk-aarch32, keylime, and pcre2), Oracle (gzip and zlib), Red Hat (subversion:1.10), SUSE (clamav, documentation-suse-openstack-cloud, kibana, openstack-keystone, openstack-monasca-notification, e2fsprogs, gzip, and kernel), and Ubuntu (libvorbis and rsyslog). --------------------------------------------- https://lwn.net/Articles/895202/ ∗∗∗ Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones. --------------------------------------------- https://blog.talosintelligence.com/2022/05/blog-post-.html ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in the Delta Electronics CNCSoft software management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-01 ∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authorization, Out-of-bounds Write, NULL Pointer Dereference, Classic Buffer Overflow, HTTP Request Smuggling, and Infinite Loop vulnerabilities in Mitsubishi Electric MELSOFT iQ AppPortal products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-02 ∗∗∗ Cambium Networks cnMaestro ∗∗∗ --------------------------------------------- This advisory contains mitigations for OS Command Injection, SQL Injection, Path Traversal, and Use of Potentially Dangerous Function vulnerabilities in the Cambium Networks cnMaestro network management system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-04 ∗∗∗ SonicWall SSLVPN SMA1000 series affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- SonicWall SSLVPN SMA1000 series appliances are affected by the below listed multiple vulnerabilities, organizations running previous versions of SSLVPN SMA1000 series firmware should upgrade to new firmware release versions. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0009 ∗∗∗ ZDI-CAN-15739 Trend Micro Maximum Security Link Following Arbitrary File Deletion Vulnerability ∗∗∗ --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-11017 ∗∗∗ K67090077: Apache HTTP Server vulnerability CVE-2022-22720 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67090077 ∗∗∗ HP Computer: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0606 ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22316 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021and Jan 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2021-4160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go CVE-2021-43565 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Multiple Security vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to stack exhaustion by Go CVE-2022-24921 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to SQL Injection (CVE-2022-22413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2022-0155 & CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22325 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2022-22950, CVE-2021-22096, CVE-2022-22968, CVE-2021-22060). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2022
by Daily end-of-shift report 12 May '22

12 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-05-2022 18:00 − Donnerstag 12-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Backdoor in public repository used new form of attack to target big firms ∗∗∗ --------------------------------------------- A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad. --------------------------------------------- https://arstechnica.com/?p=1853739 ∗∗∗ "Ive Found Some Bad Domains—Now What?" ∗∗∗ --------------------------------------------- When we talk about investigating bad domains, the focus of the story is usually the starting clues, but what about after you’ve identified bad domains? This blog discusses the approaches to take once a bad domain has been identified. --------------------------------------------- https://www.domaintools.com/resources/blog/ive-found-some-bad-domains-now-w… ∗∗∗ Massive WordPress JavaScript Injection Campaign Redirects to Ads ∗∗∗ --------------------------------------------- As outlined in our latest hacked website report, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone. --------------------------------------------- https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-camp… ∗∗∗ Everything We Learned From the LAPSUS$ Attacks ∗∗∗ --------------------------------------------- There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property and threatens to leak that information unless a ransom is paid. --------------------------------------------- https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html ∗∗∗ Spoofing SaaS Vanity URLs for Social Engineering Attacks ∗∗∗ --------------------------------------------- While vanity URLs provide a custom, easy-to-remember link, Varonis Threat Labs discovered that some applications do not validate the legitimacy of the vanity URL’s subdomain (e.g., yourcompany.example.com), but instead only validate the URI (e.g., /s/1234). As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company’s sanctioned SaaS account. --------------------------------------------- https://www.varonis.com/blog/url-spoofing ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-759: Trend Micro Password Manager Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-759/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (microcode_ctl, mingw-SDL2_ttf, seamonkey, and thunderbird), Mageia (cifs-utils, gerbv, golang, libcaca, libxml2, openssl, python-pillow, python-rencode, python-twisted, python-ujson, slurm, and sqlite3), Red Hat (gzip, kernel, kpatch-patch, podman, rsync, subversion:1.10, and zlib), Scientific Linux (gzip), Slackware (curl), SUSE (clamav), and Ubuntu (curl, firefox, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-oem-5.14) --------------------------------------------- https://lwn.net/Articles/895063/ ∗∗∗ Sandbox Escape mit Root Access & Klartext-Passwörtern in zahlreichen Konica Minolta bizhub MFP Drucker Terminals ∗∗∗ --------------------------------------------- Zahlreiche Konica Minolta MFP bizhub Geräte, sowie Geräte anderer Hersteller mit derselben Firmware, sind anfällig für einen Sandbox Breakout über den internen Browser, der die Hilfe-Menüs anzeigt. Der Browser selbst ist mit root-Rechten gestartet, was einen Zugriff auf das komplette Dateisystem ermöglicht. In einer Datei des Dateisystems befand sich das Administratorpasswort für das Webinterface des Druckers im Klartext. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/sandbox-escape-with-r… ∗∗∗ CVE-2022-0024 PAN-OS: Improper Neutralization Vulnerability Leads to Unintended Program Execution During Configuration Commit (Severity: HIGH) ∗∗∗ --------------------------------------------- A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system processes and potentially execute arbitrary code with root privileges when the configuration is committed on both hardware and virtual firewalls. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0024 ∗∗∗ CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection ∗∗∗ --------------------------------------------- Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-fire… ∗∗∗ Intel: May 2022 Patchday ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/default.html ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initializ… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple issues in IBM® Runtime Environment Java™ Technology Edition, Version 8 and Version 7 (CVE-2021-35578, CVE-2021-35588, CVE-2021-41035) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple Eclipse Jetty issues ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jsoup vulnerability (CVE-2021-37714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ WebConsole and REST API are affected by CVE-2021-39031. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-webconsole-and-res… ∗∗∗ Check Point Zone Alarm: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0595 ∗∗∗ CVE-2022-0025 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0025 ∗∗∗ CVE-2022-0026 Cortex XDR Agent: Unintended Program Execution Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.05.2022
by Daily end-of-shift report 11 May '22

11 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-05-2022 18:00 − Mittwoch 11-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New IceApple exploit toolset deployed on Microsoft Exchange servers ∗∗∗ --------------------------------------------- Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-iceapple-exploit-toolset… ∗∗∗ New stealthy Nerbian RAT malware spotted in ongoing attacks ∗∗∗ --------------------------------------------- A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-nerbian-rat-mal… ∗∗∗ TA578 using thread-hijacked emails to push ISO files for Bumblebee malware, (Wed, May 11th) ∗∗∗ --------------------------------------------- Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. --------------------------------------------- https://isc.sans.edu/diary/rss/28636 ∗∗∗ Vorsicht vor aktuellen BAWAG-Phishing-Mails! ∗∗∗ --------------------------------------------- Auch aktuell kursieren unzählige Phishing-Nachrichten und landen in den E-Mail-Postfächern potenzieller Opfer. Bei neuen Betrugs-Mails im Namen der BAWAG P.S.K. haben sich die Kriminellen wieder etwas Neues einfallen lassen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-aktuellen-bawag-phishin… ∗∗∗ From Project File to Code Execution: Exploiting Vulnerabilities in XINJE PLC Program Tool ∗∗∗ --------------------------------------------- Team82 has uncovered two vulnerabilities in XINJE’s PLC Program Tool, an engineering workstation. --------------------------------------------- https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-exec… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft May 2022 Patch Tuesday fixes 3 zero-days, 75 flaws ∗∗∗ --------------------------------------------- Today is Microsofts May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tu… ∗∗∗ HP fixes bug letting attackers overwrite firmware in over 200 models ∗∗∗ --------------------------------------------- HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which might allow arbitrary code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-fixes-bug-letting-attacke… ∗∗∗ Patchday Adobe: Schadcode-Lücken bedrohen ColdFusion, InDesign & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Anwendungen von Adobe. Den Großteil der Lücken stuft der Software-Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-7081357 ∗∗∗ Patchday: SAP behebt acht neu entdeckte Sicherheitsprobleme ∗∗∗ --------------------------------------------- Zum Mai-Patchday meldet SAP acht neue Sicherheitslücken und aktualisiert Artikel zu vier Schwachstellen, die das Unternehmen bereits früher abgedichtet hat. --------------------------------------------- https://heise.de/-7081276 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mutt), Fedora (blender, freerdp, kernel, kernel-headers, kernel-tools, mingw-freetype, and vim), Oracle (kernel and kernel-container), Red Hat (aspell, bind, bluez, c-ares, cairo and pixman, cockpit, compat-exiv2-026, container-tools:3.0, container-tools:rhel8, cpio, dovecot, exiv2, fapolicyd, fetchmail, flatpak, gfbgraph, gnome-shell, go-toolset:rhel8, grafana, grub2, httpd:2.4, keepalived, kernel, kernel-rt, libpq, libreoffice, libsndfile, libssh, [...] --------------------------------------------- https://lwn.net/Articles/894802/ ∗∗∗ Intel: May 2022 Patchday ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/default.html ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS). (CVE-2021-39059) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Security Bulletin: Vulnerability in remote support authentication affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-remote-s… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (XSS) (CVE-2022-22345) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 43 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-018/ ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0567 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/11/google-releases-s… ∗∗∗ Intel Boot Guard and Intel TXT Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500488-INTEL-BOOT-GUARD-AND-IN… ∗∗∗ Intel SSD Firmware Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500487-INTEL-SSD-FIRMWARE-ADVI… ∗∗∗ Lenovo Smart Standby Driver Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500486-LENOVO-SMART-STANDBY-DR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2022
by Daily end-of-shift report 10 May '22

10 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 09-05-2022 18:00 − Dienstag 10-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Experts Detail Saintstealer and Prynt Stealer Info-Stealing Malware Families ∗∗∗ --------------------------------------------- Cybersecurity researchers have dissected the inner workings of an information-stealing malware called Saintstealer thats designed to siphon credentials and system information. --------------------------------------------- https://thehackernews.com/2022/05/experts-detail-saintstealer-and-prynt.html ∗∗∗ SEO Poisoning – A Gootloader Story ∗∗∗ --------------------------------------------- Gootloader was the name assigned to the multi-staged payload distribution by Sophos in March 2021. The threat actors utilize SEO (search engine optimization) poisoning tactics to move compromised websites hosting malware to the top of certain search requests such as “what is the difference between a grand agreement and a contract?” or “freddie mac shared driveway agreement?” --------------------------------------------- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ ∗∗∗ Hilfe, Kriminelle bestellen Produkte in meinem Namen! ∗∗∗ --------------------------------------------- Erhalten Sie Rechnungen, Mahnungen, ja vielleicht sogar Inkasso-Schreiben für Bestellungen, die Sie nie getätigt haben? Dann kann es sein, dass Verbrecher:innen Ihre Daten für Bestellbetrug missbrauchen. --------------------------------------------- https://www.watchlist-internet.at/news/hilfe-kriminelle-bestellen-produkte-… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Actively Exploit F5 BIG-IP Bug ∗∗∗ --------------------------------------------- The bug has a severe rating of 9.8, public exploits are released. --------------------------------------------- https://threatpost.com/exploit-f5-big-ip-bug/179563/ ∗∗∗ Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972) ∗∗∗ --------------------------------------------- Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole. --------------------------------------------- https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-t… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kicad and qemu), Fedora (thunderbird), Oracle (expat), Red Hat (samba), Slackware (kernel), and SUSE (firefox, ldb, and rsyslog). --------------------------------------------- https://lwn.net/Articles/894499/ ∗∗∗ GENEREX RCCMD vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60801132/ ∗∗∗ SSA-285795 V1.0: Denial of Service in OPC-UA in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-285795.txt ∗∗∗ SSA-321292 V1.0: Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-321292.txt ∗∗∗ SSA-363107 V1.0: An Improper Initialization Vulnerability Affects SIMATIC WinCC Kiosk Mode ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-363107.txt ∗∗∗ SSA-480937 V1.0: Denial of Service Vulnerability in CP 44x-1 RNA before V1.5.18 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-480937.txt ∗∗∗ SSA-553086 V1.0: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-553086.txt ∗∗∗ SSA-626968 V1.0: Multiple Webserver Vulnerabilities in Desigo PXC and DXR Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-626968.txt ∗∗∗ SSA-662649 V1.0: Denial of Service Vulnerability in Desigo DXR and PXC Controllers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-662649.txt ∗∗∗ SSA-732250 V1.0: Libcurl Vulnerabilities in Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-732250.txt ∗∗∗ SSA-736385 V1.0: Memory Corruption Vulnerability in OpenV2G ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-736385.txt ∗∗∗ SSA-789162 V1.0: Vulnerabilities in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-789162.txt ∗∗∗ SSA-165073: Multiple Vulnerabilities in the Webinterface of SICAM P850 and SICAM P855 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-165073.txt ∗∗∗ SSA-162616: File Parsing Vulnerabilities in Simcenter Femap before V2022.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-162616.txt ∗∗∗ [CA8268] Local privilege escalation vulnerabilities in installers for ESET products for Windows fixed ∗∗∗ --------------------------------------------- https://support.eset.com/en/ca8268-local-privilege-escalation-vulnerabiliti… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to string injection vulnerability due to Node.js (CVE-2021-44532, CVE-2021-44532 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: Cúram Social Program Management is vulnerable to arbitrary code execution and SQL injection issues due to Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23806 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to OS command injection (CVE-2022-22454) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39024 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Adminer in Industrial Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-01 ∗∗∗ Eaton Intelligent Power Protector ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-02 ∗∗∗ Eaton Intelligent Power Manager Infrastructure ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-03 ∗∗∗ Eaton Intelligent Power Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-04 ∗∗∗ AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-05 ∗∗∗ Mitsubishi Electric MELSOFT GT OPC UA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2022
by Daily end-of-shift report 09 May '22

09 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-05-2022 18:00 − Montag 09-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hilfestellung für die Analyse schadbringender Dokumente ∗∗∗ --------------------------------------------- Das SANS-Institut veröffentlicht einen neuen "Spickzettel", der bei der Malware-Analyse verschiedener Dokumenttypen helfen soll. --------------------------------------------- https://heise.de/-7079601 ∗∗∗ Utimaco, der Krypto-Miner und ein Disclosure-Desaster ∗∗∗ --------------------------------------------- Auch Anbieter von Hochsicherheitslösungen sind vor Securityproblemen nicht gefeit. Man sollte sich vorbereiten, bevor man davon erfährt, sagt Jürgen Schmidt. --------------------------------------------- https://heise.de/-7079962 ∗∗∗ Jetzt patchen! Attacken auf F5 BIG-IP-Systeme könnten bevorstehen ∗∗∗ --------------------------------------------- Sicherheitsforscher habe in vergleichsweise kurzer Zeit Exploit-Code entwickelt. Das könnten Angreifer auch. Admins sollten BIP-IP-Produkte aktualisieren. --------------------------------------------- https://heise.de/-7079049 ∗∗∗ Kaufen Sie keine Schuhe vom Instagram-Account „wesleyroberts375“ ∗∗∗ --------------------------------------------- Auf der Instagram-Seite „wesleyroberts375“ finden sich zahlreiche Fotos von Nike-Schuhen, meist Modelle, die sonst überall ausverkauft sind. Wer einen Schuh kaufen oder den Preis erfahren möchte, muss dem Instagram-Nutzer eine private Nachricht senden. Achtung: Hinter dem Profil von „wesleyroberts375“ steckt kein echter Online-Shop. Sie werden betrogen. Schicken Sie kein Geld oder Gutscheincodes! --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-schuhe-vom-instagra… ∗∗∗ Bedrohungen in der Cloud ∗∗∗ --------------------------------------------- Die größten Sicherheitsrisiken bei der Cloud-Nutzung und wie Hacker zu mehr Sicherheit beitragen, schildert Laurie Mercer, Security Engineer bei HackerOne, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88401108/bedrohungen-in-der-cloud/ ∗∗∗ Gehärteter Online-Banking-Browser S-Protect, ein Totalausfall ∗∗∗ --------------------------------------------- Es klingt gut, was der Deutsche Sparkassen- und Giroverband da angestoßen hat. Mit S-Protect legt man einen "gehärteten" Browser vor, der Online-Banking-Kunden vor den Risiken bei Bankgeschäften auf Windows PCs oder Macs besser schützen soll. Der Haken an der Geschichte: [...] --------------------------------------------- https://www.borncity.com/blog/2022/05/09/gehrteter-online-banking-browser-s… ∗∗∗ Caramel credit card stealing service is growing in popularity ∗∗∗ --------------------------------------------- A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing… ∗∗∗ Constrained environment breakout. .NET Assembly exfiltration via Internet Options ∗∗∗ --------------------------------------------- It’s not uncommon for developers to find that they need to help their end users. For starter, the business requirements for software can be highly convoluted and technical. Working with [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/constrained-environment-break… ∗∗∗ Beware: This cheap and homemade malware is surprisingly effective ∗∗∗ --------------------------------------------- DCRat malware targets Windows devices. And its cheap and popular, which makes it a problem. --------------------------------------------- https://www.zdnet.com/article/beware-this-cheap-and-homemade-malware-is-sur… ∗∗∗ Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound ∗∗∗ --------------------------------------------- During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, [...] --------------------------------------------- https://blog.nviso.eu/2022/05/09/introducing-pycobalthound/ ∗∗∗ Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application ∗∗∗ --------------------------------------------- The ASEC analysis team confirmed that a backdoor malware disguised as document editing software and messenger application used by many Korean users is being distributed in Korea through malicious CHM files. The team recently introduced malicious CHM files distributed in various forms twice in the ASEC blog in March. The malicious files discussed in this post execute additional malicious files via a process that is different from the previous cases. --------------------------------------------- https://asec.ahnlab.com/en/34010/ ∗∗∗ BPFDoor - an active Chinese global surveillance tool ∗∗∗ --------------------------------------------- Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to [...] --------------------------------------------- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool… ∗∗∗ [Infographic] Cloud Misconfigurations: Dont Become a Breach Statistic ∗∗∗ --------------------------------------------- Our latest infographic highlights some key commonalities uncovered in our 2022 Cloud Misconfigurations Report. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/09/infographic-cloud-misconfigurat… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: New installations fail with HTTP Error 403 from https://sus.sophosupd.com/ in Sophos Intercept X for Windows ∗∗∗ --------------------------------------------- Overview: New installation and/or device updates fail with HTTP Error 403 from https://sus.sophosupd.com/. This error is seen in C:\ProramData\Sophos\AutoUpdate\SophosUpdate.log. --------------------------------------------- https://support.sophos.com/support/s/article/KB-000043980?language=en_US ∗∗∗ Patchday: Fortinet schützt IP-Telefone vor Schadcode-Attacken ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem FortiClient, FortiFone und FortiOS. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-7079563 ∗∗∗ Freifunk: Einschleusen schädlicher Firmware durch kritische Lücke möglich ∗∗∗ --------------------------------------------- Freifunk aktualisiert seine Router-Firmware und schließt eine kritische Sicherheitslücke, durch die Angreifer eigene Firmware auf die Geräte aufspielen könnten. --------------------------------------------- https://heise.de/-7079644 ∗∗∗ Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) ∗∗∗ --------------------------------------------- Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the set of characters allowed in [...] --------------------------------------------- https://research.nccgroup.com/2022/05/06/technical-advisory-ruby-on-rails-p… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (ecdsautils and libz-mingw-w64), Fedora (cifs-utils, firefox, galera, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, mariadb, maven-shared-utils, mingw-freetype, redis, and seamonkey), Mageia (dcraw, firefox, lighttpd, rsyslog, ruby-nokogiri, and thunderbird), Scientific Linux (thunderbird), SUSE (giflib, kernel, and libwmf), and Ubuntu (dbus and rsyslog). --------------------------------------------- https://lwn.net/Articles/894353/ ∗∗∗ RubyGems Fixes Critical Gem Takeover Vulnerability ∗∗∗ --------------------------------------------- RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems. A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager. --------------------------------------------- https://www.securityweek.com/rubygems-fixes-critical-gem-takeover-vulnerabi… ∗∗∗ SonicWall SSL-VPN NetExtender Windows Client Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system. CVE: CVE-2022-22281 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0008 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ K12492858: Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12492858 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0549 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2022
by Daily end-of-shift report 06 May '22

06 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-05-2022 18:00 − Freitag 06-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Raspberry Robin worm uses Windows Installer to drop malware ∗∗∗ --------------------------------------------- Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-raspberry-robin-worm-use… ∗∗∗ Tipps zur Passwortsicherheit am World Password Day ∗∗∗ --------------------------------------------- Heute jährt sich der Welt-Passwort-Tag. Was können Sie tun, um sich online bestmöglich zu schützen? Hier finden Sie Tipps und Tricks für den sicheren Umgang mit Ihren Daten! --------------------------------------------- https://www.watchlist-internet.at/news/tipps-zur-passwortsicherheit-am-worl… ===================== = Vulnerabilities = ===================== ∗∗∗ ClamAV 0.105.0, 0.104.3, 0.103.6 released ∗∗∗ --------------------------------------------- Today, were also publishing the 0.104.3 and 0.103.6 security patch versions, including several CVE fixes. --------------------------------------------- https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html ∗∗∗ Schadcode-Attacken auf Videoüberwachungssystem und NAS von Qnap möglich ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehreren Lücken in Netzwerkprodukten von Qnap. --------------------------------------------- https://heise.de/-7077449 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, mruby, openjdk-11, and smarty3), Oracle (thunderbird), Red Hat (thunderbird), SUSE (chromium, libvirt, python-Twisted, and tar), and Ubuntu (cron and jbig2dec). --------------------------------------------- https://lwn.net/Articles/894141/ ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23772 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: TS3000 (TSSC/IMC) is vulnerable to privilege escalation vulnerability due to polkit ( CVE-2021-4034 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ts3000-tssc-imc-is-vulner… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution with IBM WebSphere Application Server (CVE-2021-23450). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2021-44716 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability (CVE-2022-22310). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect Rational Asset Analyzer (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39023 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote attack due to Go CVE-2021-44717 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to missing data encoding issue (CVE-2021-39027) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ affects Rational Asset Analyzer (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to attack under error due to Go CVE-2022-23773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-v10-is-vulner… ∗∗∗ K52379673: Linux kernel vulnerability for CVE-2021-4083 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52379673 ∗∗∗ K50899356: file vulnerability CVE-2018-10360 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50899356 ∗∗∗ poppler: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0545 ∗∗∗ Foxit Reader: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0544 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-125-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2022
by Daily end-of-shift report 05 May '22

05 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-05-2022 18:00 − Donnerstag 05-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New NetDooka malware spreads via poisoned search results ∗∗∗ --------------------------------------------- A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads… ∗∗∗ The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vatet ∗∗∗ --------------------------------------------- Cluster25 researchers, during a comparative analysis performed at the beginning of March 2022, found evidence that suggests a possible relationships between a piece of malware belonging to the Sprite Spider arsenal (or some elements that are or were part of it) and Vavet Loader. --------------------------------------------- https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malwar… ∗∗∗ The curious case of mavinject.exe ∗∗∗ --------------------------------------------- Mavinject is a LOLBIN currently employed by the infamous adversary group Lazarus successfully evades detection by various security products because the execution is masked under a legitimate process. --------------------------------------------- https://fourcore.io/blogs/mavinject-curious-process-injection ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-05-04 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 8 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Angreifer könnten die volle Kontrolle über F5 BIG-IP-Systeme erlangen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen unter anderem eine kritische Lücke in BIG-IP-Systemen. Admins sollten jetzt handeln. --------------------------------------------- https://heise.de/-7075530 ∗∗∗ Sicherheitsupdates: Cisco schließt VM-Ausbruch-Lücken mit Root-Zugriff ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat unter anderem in Enterprise NFV Infrastrucutre Software eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-7075725 ∗∗∗ Sicherheitsupdate schützt IBMs Datenbanksystem Informix Dynamic Server ∗∗∗ --------------------------------------------- Ein wichtiger Sicherheitspatch schließt eine Schwachstelle in IBMs Informix Dynamic Server. --------------------------------------------- https://heise.de/-7076231 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, recutils, suricata, and zchunk), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox), Slackware (mozilla, openssl, and seamonkey), SUSE (apache2-mod_auth_mellon, libvirt, and pgadmin4), and Ubuntu (dpdk, mysql-5.7, networkd-dispatcher, openssl, openssl1.0, sqlite3, and twisted). --------------------------------------------- https://lwn.net/Articles/894036/ ∗∗∗ 10 Jahre alte Schwachstellen in Avast und AVG gefährden Millionen Nutzer ∗∗∗ --------------------------------------------- Sicherheitsforscher von Sentinel One haben in den Sicherheitsprodukten von Avast und AVG zwei seit 10 Jahren bestehende, schwerwiegende Schwachstellen entdeckt, die Millionen von Nutzern gefährden. --------------------------------------------- https://www.borncity.com/blog/2022/05/05/10-jahre-alte-schwachstellen-in-av… ∗∗∗ Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-036 ∗∗∗ Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-035 ∗∗∗ Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-034 ∗∗∗ Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-039 ∗∗∗ Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-038 ∗∗∗ Security Bulletin: Cross-site scripting vulnerabilities in jQuery may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to an issue where an API could be used to perform a DNS lookup via a third party provider. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may allow regular users to view some admin pages. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Data Encryption has vulnerability ( CVE-2021-39020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-dat… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2022
by Daily end-of-shift report 04 May '22

04 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-05-2022 18:00 − Mittwoch 04-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti, REvil, LockBit ransomware bugs exploited to block encryption ∗∗∗ --------------------------------------------- Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the table by finding exploits in the most common ransomware and malware being distributed today. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-revil-lockbit-ransomwa… ∗∗∗ A new secret stash for “fileless” malware ∗∗∗ --------------------------------------------- We observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. --------------------------------------------- https://securelist.com/a-new-secret-stash-for-fileless-malware/106393/ ∗∗∗ Compromising Read-Only Containers with Fileless Malware ∗∗∗ --------------------------------------------- Many people see read-only filesystems as a catch-all to stop malicious activity and container drift in containerized environments. This blog will explore the mechanics and prevalence of malware fileless execution in attacking read-only containerized environments. --------------------------------------------- https://sysdig.com/blog/containers-read-only-fileless-malware/ ∗∗∗ Update on cyber activity in Eastern Europe ∗∗∗ --------------------------------------------- Google’s Threat Analysis Group (TAG) has been closely monitoring the cybersecurity activity in Eastern Europe with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. --------------------------------------------- https://blog.google/threat-analysis-group/update-on-cyber-activity-in-easte… ∗∗∗ Spyware blieb in Unternehmen bis zu 18 Monate lang unentdeckt ∗∗∗ --------------------------------------------- Die "Quietexit" genannte Backdoor blieb teilweise 18 Monate unentdeckt. Sicherheitsforscher vermuten, dass dahinter eine staatliche Gruppe steckt. --------------------------------------------- https://heise.de/-7074066 ∗∗∗ „Vorsicht, Falle!“: Wir brauchen Ihre Hilfe für ein neues Projekt! ∗∗∗ --------------------------------------------- Wir arbeiten derzeit an einem neuen Projekt: Bei „Vorsicht, Falle!“ entwickeln wir einen „Internetfallen-Generator“. Das heißt wir ahmen betrügerische Webseiten nach. Aber nicht mit dem Ziel, an Daten oder Geld zu kommen. Im Gegenteil: Allen, die in unsere Falle tappen, zeigen wir am Beispiel der Betrugsmasche, wie sie diese erkennen können. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-falle-wir-brauchen-ihre-hil… ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/04/cisa-adds-five-kn… ∗∗∗ XSS in JSON: Old-School Attacks for Modern Applications ∗∗∗ --------------------------------------------- This post highlights how cross-site scripting has adapted to today’s modern web applications, specifically the API and Javascript Object Notation (JSON). --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/04/xss-in-json-old-school-attacks-… ===================== = Vulnerabilities = ===================== ∗∗∗ Uclibc: Alte DNS-Lücke betrifft viele IoT-Geräte ∗∗∗ --------------------------------------------- Eine in Embedded-Geräten eingesetzte Bibliothek ist von Kaminskys DNS-Angriff betroffen, doch die Auswirkungen dürften sich in Grenzen halten. --------------------------------------------- https://www.golem.de/news/uclibc-alte-dns-luecke-betrifft-viele-iot-geraete… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openjdk-17), Fedora (chromium and suricata), Oracle (mariadb:10.5), SUSE (amazon-ssm-agent, containerd, docker, java-11-openjdk, libcaca, libwmf, pcp, ruby2.5, rubygem-puma, webkit2gtk3, and xen), and Ubuntu (linux-raspi). --------------------------------------------- https://lwn.net/Articles/893839/ ∗∗∗ Security Bulletin: IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to FasterXML Jackson Databind (CVE-2020-25649) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-requireme… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is affected to denial of service due to FasterXML jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Intel Processors affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilitiìy identified in IBM DB2 that is shipped as component and pattern type or pType with Cloud Pak System and Cloud Pak System Software Suite. Cloud Pak System addressed response with new DB2 pType ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilitiy-identified… ∗∗∗ K55879220: Overview of F5 vulnerabilities (May 2022) ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55879220 ∗∗∗ 2022-11 Multiple vulnerabilities in Provize Basic Frontend ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14299&mediaformat… ∗∗∗ 2022-05 Multiple vulnerabilities in Provize Basic Backend ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14298&mediaformat… ∗∗∗ 2022-01 Vulnerability in ‘axios’ HTTP client in Provize Basic ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14297&mediaformat… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2022
by Daily end-of-shift report 03 May '22

03 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 02-05-2022 18:00 − Dienstag 03-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Cyberspies use IP cameras to deploy backdoors, steal Exchange emails ∗∗∗ --------------------------------------------- A newly discovered and uncommonly stealthy Advanced Persistent Threat (APT) group is breaching corporate networks to steal Exchange (on-premise and online) emails from employees involved in corporate transactions such as mergers and acquisitions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cyberspies-use-ip-cameras-to… ∗∗∗ AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws. --------------------------------------------- https://thehackernews.com/2022/05/avoslocker-ransomware-variant-using-new.h… ∗∗∗ Zyxel firmware extraction and password analysis ∗∗∗ --------------------------------------------- In this first article of our Zyxel audit series we will cover firmware extraction and password decryption against Zyxel ZyWALL Unified Security Gateway (USG) appliances. --------------------------------------------- https://security.humanativaspa.it/zyxel-firmware-extraction-and-password-an… ∗∗∗ Trend Micros Apex One meldet Trojaner im Webbrowser Microsoft Edge ∗∗∗ --------------------------------------------- Es mehren sich Beschwerden von Nutzern in den Internetforen, dass der Virenscanner Apex One bei Ihnen einen Trojaner-Befall in Microsofts Edge-Browser meldet. --------------------------------------------- https://heise.de/-7073156 ∗∗∗ Vorsicht vor Betrug auf BlaBlaCar ∗∗∗ --------------------------------------------- BlaBlaCar, eine Plattform für Mitfahrgelegenheiten, gerät ins Visier von Kriminellen. Kriminelle erstellen bei BlaBlaCar Fake-Profile und bieten Fahrten an. Mitfahrer:innen, die diese Fahrt buchen, werden dann auf WhatsApp kontaktiert und auf eine betrügerische Zahlungsplattform gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betrug-auf-blablacar/ ∗∗∗ Attackers Target Packages in Multiple Programming Languages in Recent Software Supply Chain Attacks ∗∗∗ --------------------------------------------- Malicious packages in multiple programming languages that went undetected for years were revealed by the Checkmarx Supply Chain Security team using advanced threat hunting techniques. --------------------------------------------- https://checkmarx.com/blog/attackers-target-packages-in-multiple-programmin… ===================== = Vulnerabilities = ===================== ∗∗∗ Unpatched DNS bug affects millions of routers and IoT devices ∗∗∗ --------------------------------------------- A vulnerability in the domain name system (DNS) component of a popular C standard library that is present in a wide range of IoT products may put millions of devices at DNS poisoning attack risk. --------------------------------------------- https://www.bleepingcomputer.com/news/security/unpatched-dns-bug-affects-mi… ∗∗∗ Critical TLStorm 2.0 Bugs Affect Widely-Used Aruba and Avaya Network Switches ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed as many as five severe security flaws in the implementation of TLS protocol in several models of Aruba and Avaya network switches that could be abused to gain remote access to enterprise networks and steal valuable information. --------------------------------------------- https://thehackernews.com/2022/05/critical-tlstorm-20-bugs-affect-widely.ht… ∗∗∗ Fortinet Security Advisories (FortiClient, FortiSOAR, FortiIsolator, FortiOS, FortiProxy, PJSIP Library, FortiNAC) ∗∗∗ --------------------------------------------- * FortiClient (Windows) - Privilege escalation in FortiClient installer * FortiSOAR - Improper access control on gateway API * FortiIsolator - Unauthorized user able to regenerate CA certificate * FortiOS - Improper Inter-VDOM access control * FortiOS - Lack of certificate verification when establishing secure connections to some external end-points * FortiProxy & FortiOS - XSS vulnerability in Web Filter Block Override Form * Multiple vulnerabilities in PJSIP library * FortiNAC - SQL --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=05-2022 ∗∗∗ Patchday: Wichtige Sicherheitsupdates für Android 10, 11 und 12 erschienen ∗∗∗ --------------------------------------------- Google hat sein mobiles Betriebssystem gegen mehrere mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-7072491 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jackson-databind, kernel, openvpn, and twisted), Fedora (xz), Mageia (chromium-browser-stable and curl), Oracle (vim and xmlrpc-c), Red Hat (gzip), Slackware (libxml2), SUSE (git, python39, and subversion), and Ubuntu (libvirt and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/893681/ ∗∗∗ Tenda HG6 v3.3.0 Remote Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5706.php ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender Configuration Utility and Mobile Enterprise Gateway have vulnerability (CVE-2021-43797) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… ∗∗∗ Security Bulletin: Vulnerability in IBM JAVA JDK affects IBM Spectrum Scale (CVE-2022-21291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to Host Header Injection (CVE-2021-29854) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a denial of service in Spring Framework (CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ OpenSSL Security Advisory (CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473) ∗∗∗ --------------------------------------------- https://openssl.org/news/secadv/20220503.txt ∗∗∗ Security Vulnerabilities fixed in Firefox 100 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-16/ ∗∗∗ Yokogawa CENTUM and ProSafe-RS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-123-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily May 2022