Daily June 2022

daily@lists.cert.at

1 participants
20 discussions

Tageszusammenfassung - 30.06.2022
by Daily end-of-shift report 30 Jun '22

30 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-06-2022 18:00 − Donnerstag 30-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Atlassian warnt vor Sicherheitslücke in Projektverwaltung Jira ∗∗∗ --------------------------------------------- Vor einer Sicherheitslücke mit hohem Risiko in Jira warnt Hersteller Atlassian. Updates stehen bereit. Auch ein Workaround bietet das Unternehmen an. --------------------------------------------- https://heise.de/-7157892 ∗∗∗ Recovery-Scams: Kriminelle geben sich als FMA und Börsenaufsicht aus! ∗∗∗ --------------------------------------------- Sind Sie Opfer einer unseriösen Trading-Plattform geworden? Anbieter wie börsenaufsicht.net, finanzmarktaufsicht.net und payback-ltd.com versprechen Ihr verlorenes Geld zurückzuholen. Vorsicht! Es handelt sich um betrügerische Dienste, die Sie noch weiter abzocken wollen. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scams-kriminelle-geben-sich… ∗∗∗ Microsoft Exchange Server: Remote Code Execution-Schwachstelle CVE-2022-23277 trotz Patch ausnutzbar? ∗∗∗ --------------------------------------------- Sind auf dem aktuellen Patch-Stand befindliche Microsoft Exchange Server über die Remote Code Execution-Schwachstelle CVE-2022-23277 immer noch angreifbar? Mir sind gerade einige Informationsfragmente unter die Augen gekommen, die dies zumindest nahelegen, dass der betreffende Patch die Möglichkeiten zur Ausnutzung nicht [...] --------------------------------------------- https://www.borncity.com/blog/2022/06/30/microsoft-exchange-server-remote-c… ∗∗∗ CISA warns of hackers exploiting PwnKit Linux vulnerability ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ AstraLocker 2.0 infects users directly from Word attachments ∗∗∗ --------------------------------------------- A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users… ∗∗∗ XFiles info-stealing malware adds support for Follina delivery ∗∗∗ --------------------------------------------- The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xfiles-info-stealing-malware… ∗∗∗ The SessionManager IIS backdoor ∗∗∗ --------------------------------------------- In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East. --------------------------------------------- https://securelist.com/the-sessionmanager-iis-backdoor/106868/ ∗∗∗ Toll fraud malware: How an Android application can drain your wallet ∗∗∗ --------------------------------------------- Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware - and it continues to evolve. --------------------------------------------- https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-a… ∗∗∗ Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended, (Thu, Jun 30th) ∗∗∗ --------------------------------------------- How do threat actors behind a Cobalt Strike server keep it running after its domain is taken down? If the server is not hosted through the domain registrar, it merely keeps running on the same IP address. Today's diary is a case study where Cobalt Strike remained active on the same IP address at least one week after its domain was suspended. --------------------------------------------- https://isc.sans.edu/diary/rss/28804 ∗∗∗ Flubot: the evolution of a notorious Android Banking Malware ∗∗∗ --------------------------------------------- Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the [...] --------------------------------------------- https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-andr… ∗∗∗ Amazon Photos vulnerability could have given attackers access to user files and data ∗∗∗ --------------------------------------------- The retail giant patched a serious flaw in its Amazon Photos app that left user access token exposed to potential attackers. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/amazon-p… ∗∗∗ Cloudy with a Chance of Risk: Managing Risks in Cloud-Managed OT Networks ∗∗∗ --------------------------------------------- In this blog, we'll examine the potential threats and risks of OT cloud migration, offering guidance on how to manage and mitigate them effectively. --------------------------------------------- https://claroty.com/2022/06/30/blog-research-cloudy-with-a-chance-of-risk/ ∗∗∗ Reducing data exfiltration by malicious insiders ∗∗∗ --------------------------------------------- Advice and recommendations for mitigating this type of insider behaviour. --------------------------------------------- https://www.ncsc.gov.uk/guidance/reducing-data-exfiltration-by-malicious-in… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-29 ∗∗∗ --------------------------------------------- IBM Spectrum Protect, IBM Watson Discovery, IBM Sterling B2B Integrator, IBM Sterling Connect, IBM Cloud Pak, IBM Tivoli Netcool Impact, IBM Db2 --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, firejail, and ublock-origin), Fedora (chromium, firefox, thunderbird, and vim), Mageia (kernel and kernel-linus), Oracle (389-ds-base and python-virtualenv), SUSE (chromium), and Ubuntu (cloud-init). --------------------------------------------- https://lwn.net/Articles/899483/ ∗∗∗ Mitsubishi Electric FA Engineering Software (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05 ∗∗∗ CODESYS Gateway Server (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a heap-based buffer overflow vulnerability in CODESYS Gateway Server products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSA-15-258-02 ∗∗∗ Revision von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) vom 28. Juni 2022 ∗∗∗ --------------------------------------------- Microsoft hat seine Beschreibung von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) zum 28. Juni 2022 revidiert. Es wurden die Sicherheitsupdates für Windows 10 Version 21H2, Windows 11 und Windows Server 2022 hinzugefügt, da diese Windows-Versionen ebenfalls von dieser Sicherheitslücke [...] --------------------------------------------- https://www.borncity.com/blog/2022/06/29/revision-von-cve-2022-26414-window… ∗∗∗ Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-047 ∗∗∗ Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-046 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2022
by Daily end-of-shift report 29 Jun '22

29 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-06-2022 18:00 − Mittwoch 29-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MITM at the Edge: Abusing Cloudflare Workers ∗∗∗ --------------------------------------------- Cloudflare Workers provide a powerful serverless solution to run code that sits between every HTTP request and response. In this post, we’ll see how an attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data. --------------------------------------------- https://blog.christophetd.fr/abusing-cloudflare-workers/ ∗∗∗ Achtung vor Fake-Shops mit Gartenmöbeln! ∗∗∗ --------------------------------------------- Kriminelle passen ihre Fake-Shops aktuell wieder an die Sommersaison an, indem sie vermehrt Gartenmöbel, Rasenmäher oder sonstige Gartengeräte anbieten. Beispiele sind waganu.de, bbvipanswer.shop, strandkorbia.com oder zzyha.shop. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-fake-shops-mit-gartenmoe… ∗∗∗ CISA Releases Guidance on Switching to Modern Auth in Exchange Online before October 1 ∗∗∗ --------------------------------------------- CISA has released guidance on switching from Basic Authentication (“Basic Auth”) in Microsoft Exchange Online to Modern Authentication ("Modern Auth") before Microsoft begins permanently disabling Basic Auth on October 1, 2022. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/28/cisa-releases-gui… ∗∗∗ YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom” ∗∗∗ --------------------------------------------- YTStealer is a malware whose objective is to steal YouTube authentication cookies. --------------------------------------------- https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/ ∗∗∗ Decryptor für Hive Ransomware v1 bis v4 verfügbar ∗∗∗ --------------------------------------------- Opfer der Hive Ransomware können ggf. hoffen, ihre verschlüsselten Dateien wieder entschlüsseln zu können. Denn koreanischen Sicherheitsforschern ist es gelungen, einen Decryptor für die Versionen 1 bis 4 dieser Hive Ransomware zu entwickeln. --------------------------------------------- https://www.borncity.com/blog/2022/06/29/decryptor-fr-hive-ransomware-v1-bi… ∗∗∗ Did You Know Your Browser’s Autofill Credentials Could Be Stolen via Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- Cross-Site Scripting (XSS) is a well-known vulnerability that has been around for a long time and can be used to steal sessions, create fake logins and carry out actions as someone else, etc. In addition, many users are unaware of the potential dangers associated with their browser’s credential autofill feature. --------------------------------------------- https://www.gosecure.net/blog/2022/06/29/did-you-know-your-browsers-autofil… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2022-30522 – Denial of Service (DoS) Vulnerability in Apache httpd “mod_sed” filter ∗∗∗ --------------------------------------------- This past March we posted an analysis of a vulnerability in the Apache HTTP Server mod_sed filter module, CVE-2022-23943, in which a Denial of Service (DoS) can be triggered due to a miscalculation of buffers’ sizes. While analyzing this Apache httpd vulnerability and its patch, we suspected that although the fix resolved the issue, it created a new unwanted behavior. --------------------------------------------- https://jfrog.com/blog/cve-2022-30522-denial-of-service-dos-vulnerability-i… ∗∗∗ Groupware: Präparierte E-Mails könnten zur Codeausführung in Zimbra führen ∗∗∗ --------------------------------------------- Angreifer könnten in Zimbra Backdoors per E-Mail hochladen. Schuld daran ist eine Lücke im Entpacker unrar, die die Erstellung beliebiger Dateien erlaubt. --------------------------------------------- https://heise.de/-7156812 ∗∗∗ Datenverwaltung: Kritische Lücke in Dell EMC PowerScale OneFS abgedichtet ∗∗∗ --------------------------------------------- Dell EMC PowerScale OneFS zur skalierbaren Datenspeicherung und -verwaltung enthält teils kritische Sicherheitslücken. Updates sollen sie schließen. --------------------------------------------- https://heise.de/-7156674 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender, libsndfile, and maven-shared-utils), Fedora (openssl), Red Hat (389-ds-base, kernel, kernel-rt, kpatch-patch, and python-virtualenv), Scientific Linux (389-ds-base, kernel, python, and python-virtualenv), and Slackware (curl, mozilla, and openssl). --------------------------------------------- https://lwn.net/Articles/899364/ ∗∗∗ FabricScape: Escaping Service Fabric and Taking Over the Cluster ∗∗∗ --------------------------------------------- Unit 42 researchers identified FabricScape (CVE-2022-30137), a vulnerability of important severity in Microsoft’s Service Fabric – commonly used with Azure – that allows Linux containers to escalate their privileges in order to gain root privileges on the node, and then compromise all of the nodes in the cluster. The vulnerability could be exploited on containers that are configured to have runtime access, which is granted by default to every container. --------------------------------------------- https://unit42.paloaltonetworks.com/fabricscape-cve-2022-30137/ ∗∗∗ Security Bulletin: IBM Netezza as a Service is vulnerable to denial of service due to Golang net package (CVE-2021-33194, CVE-2021-44716, CVE-2021-31525) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-… ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to command injection due to a flaw in c_rehash script (CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: Zlib for IBM i is vulnerable to a denial of service attack due to memory corruption (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-zlib-for-ibm-i-is-vulnera… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/ ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 102 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-27/ ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03 ∗∗∗ Motorola Solutions MOSCAD IP and ACE IP Gateways ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-04 ∗∗∗ Motorola Solutions MDLC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-05 ∗∗∗ Motorola Solutions ACE1000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-06 ∗∗∗ Omron SYSMAC CS/CJ/CP Series and NJ/NX Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2022
by Daily end-of-shift report 28 Jun '22

28 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 27-06-2022 18:00 − Dienstag 28-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Over 900,000 Kubernetes instances found exposed online ∗∗∗ --------------------------------------------- Over 900,000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-900-000-kubernetes-inst… ∗∗∗ Raccoon Stealer is back with a new version to steal your passwords ∗∗∗ --------------------------------------------- The Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with… ∗∗∗ ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks ∗∗∗ --------------------------------------------- A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks. --------------------------------------------- https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html ∗∗∗ Microsoft: Support-Ende von Exchange 2013 naht - jetzt Migration planen ∗∗∗ --------------------------------------------- Der Exchange-Server 2013 erreicht in neun Monaten sein absolutes Support-Ende. Daran erinnert Microsofts Exchange-Team und empfiehlt die zügige Migration. --------------------------------------------- https://heise.de/-7155579 ∗∗∗ Lockbit-Ransomware-Gruppe stellt sich professioneller auf ∗∗∗ --------------------------------------------- Die Erpresserbande hinter der Ransomware Lockbit hebt den Professionalisierungsgrad auf eine neue Stufe. Sogar ein Bug-Bounty-Programm hat sie aufgelegt. --------------------------------------------- https://heise.de/-7155742 ∗∗∗ Krypto-Lovescam: Wenn Tinder-Matches Investment-Tipps geben ∗∗∗ --------------------------------------------- Betrügerische Internetbekanntschaften zielen nicht darauf ab, Sie näher kennenzulernen. Sie bauen Vertrauen auf, um Sie später auf gefälschte Investitionsplattformen zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/krypto-lovescam-wenn-tinder-matches-… ∗∗∗ Understanding the Function Call Stack ∗∗∗ --------------------------------------------- That thread was inspired by a series of tweets by inversecos who shared how malware authors will often use Native APIs instead of Win32 APIs as a mechanism to evade naive detections that assume every application will use the Win32 API function. --------------------------------------------- https://posts.specterops.io/understanding-the-function-call-stack-f08b5341e… ∗∗∗ De-anonymizing ransomware domains on the dark web ∗∗∗ --------------------------------------------- We have developed three techniques to identify ransomware operators dark websites hosted on public IP addresses, allowing us to uncover previously unknown infrastructure for the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups. --------------------------------------------- http://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains… ===================== = Vulnerabilities = ===================== ∗∗∗ Firefox 102: Mehrere Sicherheitslücken geschlossen ∗∗∗ --------------------------------------------- Mozilla hat Version 102 von Firefox veröffentlicht. Diese Major-Version des Browsers ist die neue Basis für Firefox ESR und behebt einige Sicherheitsprobleme. --------------------------------------------- https://heise.de/-7156179 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nodejs and squid), Fedora (uboot-tools), Red Hat (kernel-rt, kpatch-patch, and python), SUSE (drbd, openssl-1_0_0, oracleasm, and rubygem-rack), and Ubuntu (curl). --------------------------------------------- https://lwn.net/Articles/899239/ ∗∗∗ 2022 CWE Top 25 Most Dangerous Software Weaknesses ∗∗∗ --------------------------------------------- The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/28/2022-cwe-top-25-m… ∗∗∗ Security Advisory - Password Verification Vulnerability of Huawei Router ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220628-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Common Licensing's License Key Server (LKS) Administration And Reporting Tool (ART) and its Agent(CVE-2021-4104,CVE-2021-44832,CVE-2021-3100,CVE-2022-33915). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi… ∗∗∗ Security Bulletin: Vulnerabilities in the Java JDK affect IBM Event Streams (CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21294, CVE-2022-21293, CVE-2022-21291, CVE-2022-21248) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-ja… ∗∗∗ Security Bulletin: Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-lodash… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may be affected by multiple vulnerabilities in open source components (CVE-2019-0820, CVE-2020-15522, CVE-2021-43569) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in Apache Struts library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-31805) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability (CVE-2021-39074) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – October 2021 & January 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K01311313: Linux kernel vulnerability CVE-2021-3612 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01311313 ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2022/06/long-term-support-channel-upda… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2022
by Daily end-of-shift report 27 Jun '22

27 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-06-2022 18:00 − Montag 27-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake copyright infringement emails install LockBit ransomware ∗∗∗ --------------------------------------------- LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-copyright-infringement-… ∗∗∗ Clever phishing method bypasses MFA using Microsoft WebView2 apps ∗∗∗ --------------------------------------------- A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victims authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypas… ∗∗∗ NetSec Goggle shows search results only from cybersecurity sites ∗∗∗ --------------------------------------------- A new Brave Search Goggle modifies Brave Search results to only show reputable cybersecurity sites, making it easier to search for and find security information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netsec-goggle-shows-search-r… ∗∗∗ LockBit 3.0 introduces the first ransomware bug bounty program ∗∗∗ --------------------------------------------- The LockBit ransomware operation has released LockBit 3.0, introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-fi… ∗∗∗ Malicious Code Passed to PowerShell via the Clipboard, (Sat, Jun 25th) ∗∗∗ --------------------------------------------- Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting. --------------------------------------------- https://isc.sans.edu/diary/rss/28784 ∗∗∗ Encrypted Client Hello: Anybody Using it Yet?, (Mon, Jun 27th) ∗∗∗ --------------------------------------------- The first payload sent by a TLS client to a TLS server is a "Client Hello." It includes several parameters supported by the client, such as available cipher suites, to start negotiating a compatible set of TLS parameters with the server. --------------------------------------------- https://isc.sans.edu/diary/rss/28792 ∗∗∗ Ransomware-Gang Conti schließt Leak- und Verhandlungsplattform ∗∗∗ --------------------------------------------- Die Conti-Gruppe hinter dem gleichnamigen Erpressungstrojaner finalisiert ihren Rückzug und teilt sich weiter in kleinere Gangs auf. --------------------------------------------- https://heise.de/-7154035 ∗∗∗ Flut von Angriffen auf Paketmanager PyPI schleust Backdoor in Python-Pakete ein ∗∗∗ --------------------------------------------- Nachdem zunächst Sonatype einen Angriff auf fünf Pakete im Python-Paketmanager entdeckt hat, füllt sich die CVE-Schwachstellendatenbank mit weiteren Vorfällen. --------------------------------------------- https://heise.de/-7154405 ∗∗∗ Ransomware: Unternehmen im Gesundheitswesen zahlen am häufigsten Lösegeld ∗∗∗ --------------------------------------------- Verschlüsselungsangriffe haben vor allem in der Gesundheitsbranche in den vergangenen Monaten stark zugenommen. Die Daten sind bei Angreifern beliebt. --------------------------------------------- https://heise.de/-7154906 ∗∗∗ NIST Releases New macOS Security Guidance for Organizations ∗∗∗ --------------------------------------------- The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security. --------------------------------------------- https://www.securityweek.com/nist-releases-new-macos-security-guidance-orga… ∗∗∗ Vorsicht vor Fake-E-Mails der Wiener Polizei ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail der Polizei werden Sie beschuldigt, eine Straftat begangen zu haben. Es geht um Kinderpornografie, Pädophilie, Cyberpornografie und Exhibitionismus. Sie werden aufgefordert, per E-Mail eine Rechtfertigung zu schicken. Antworten Sie nicht und ignorieren Sie dieses Schreiben. Es ist Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-e-mails-der-wiener… ∗∗∗ CISA Adds Eight Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/27/cisa-adds-eight-k… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix dichtet Sicherheitslücken in Hypervisor ab ∗∗∗ --------------------------------------------- Der Hypervisor von Citrix enthält mehrere Schwachstellen. Angreifer könnten die Kontrolle übernehmen. Aktualisierte Pakete dichten die Lücken ab. --------------------------------------------- https://heise.de/-7154435 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl), Fedora (dotnet6.0, mediawiki, and python2.7), Mageia (389-ds-base, chromium-browser-stable, exo, and libtiff), Oracle (httpd:2.4 and microcode_ctl), SUSE (dbus-broker, drbd, kernel, liblouis, mariadb, openssl, openssl-1_1, openSUSE kernel modules, oracleasm, php7, php72, python39, salt, and wdiff), and Ubuntu (linux, linux-hwe, mozjs91, and vim). --------------------------------------------- https://lwn.net/Articles/899158/ ∗∗∗ Security Bulletin: Multiple Vulnerabilities found in Apache Tika used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within Jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is affected by a remote code execution in Spring Framework (CVE-2022-22963, CVE-2022-22965, CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-affect… ∗∗∗ Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation ∗∗∗ --------------------------------------------- https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-uni… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2022
by Daily end-of-shift report 24 Jun '22

24 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-06-2022 18:00 − Freitag 24-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 2FA: Wie sicher sind TOTP, Fido, SMS und Push-Apps? ∗∗∗ --------------------------------------------- Zwei- oder Multi-Faktor-Authentifizierung soll uns sicherer machen. Wir erklären, wie TOTP, Fido & Co. funktionieren und wovor sie schützen. --------------------------------------------- https://www.golem.de/news/2fa-wie-sicher-sind-totp-fido-sms-und-push-apps-2… ∗∗∗ Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys ∗∗∗ --------------------------------------------- Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. --------------------------------------------- https://thehackernews.com/2022/06/multiple-backdoored-python-libraries.html ∗∗∗ Black Basta Ransomware Becomes Major Threat in Two Months ∗∗∗ --------------------------------------------- Black Basta ransomware has become a major new threat in just a couple months. Evidence suggests it was still in development in February 2022, and only became operational in April 2022. --------------------------------------------- https://www.securityweek.com/black-basta-ransomware-becomes-major-threat-tw… ∗∗∗ There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families ∗∗∗ --------------------------------------------- Learn about the unique implementations of API Hammering malware samples and how to mitigate them. --------------------------------------------- https://unit42.paloaltonetworks.com/api-hammering-malware-families/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer nutzen kontinuierlich Log4Shell-Lücke in VMware Horizon aus ∗∗∗ --------------------------------------------- Die Cybersecurity & Infrastructure Security Agency warnt vor Attacken auf die Virtualisierungslösung VMware Horizon. Admins sollten zügig handeln. --------------------------------------------- https://heise.de/-7152258 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ntfs-3g and ntfs-3g-system-compression), SUSE (389-ds, chafa, containerd, mariadb, php74, python3, salt, and xen), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/898925/ ∗∗∗ Codesys Patches 11 Flaws Likely Affecting Controllers From Several ICS Vendors ∗∗∗ --------------------------------------------- Codesys this week announced patches for nearly a dozen vulnerabilities discovered in the company’s products by researchers at Chinese cybersecurity firm NSFocus. --------------------------------------------- https://www.securityweek.com/codesys-patches-11-flaws-likely-affecting-cont… ∗∗∗ ZDI-22-872: DevExpress SafeBinaryFormatter Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-872/ ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2022-22389) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics (CVE-2020-4230,CVE-2020-4135,CVE-2020-4204,CVE-2020-4200) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2019-10086, CVE-2021-41617) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities due to the consumed Expat library ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-mu… ∗∗∗ Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an information leak vulnerability within Kafka (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in zlib affects IBM Common Inventory Technology (CIT). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-zlib-a… ∗∗∗ Security Bulletin: CVE-2020-35550 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-35550-may-affect… ∗∗∗ K26314875: Apache vulnerability CVE-2022-26377 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26314875 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-upd… ∗∗∗ OFFIS DCMTK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-174-01 ∗∗∗ Yokogawa STARDOM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-01 ∗∗∗ Yokogawa CAMS for HIS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-02 ∗∗∗ Secheron SEPCOS Control and Protection Relay ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-03 ∗∗∗ Pyramid Solutions EtherNet/IP Adapter Development Kit ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-04 ∗∗∗ Elcomplus SmartICS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2022
by Daily end-of-shift report 23 Jun '22

23 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-06-2022 18:00 − Donnerstag 23-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti ransomware hacking spree breaches over 40 orgs in a month ∗∗∗ --------------------------------------------- The Conti cybercrime syndicate runs one of the most aggressive ransomware operations and has grown highly organized, to the point that affiliates were able to hack more than 40 companies in a little over a month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-hacking-spr… ∗∗∗ Malicious Windows LNK attacks made easy with new Quantum builder ∗∗∗ --------------------------------------------- Malware researchers have noticed a new tool that helps cybercriminals build malicious .LNK files to deliver payloads for the initial stages of an attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attack… ∗∗∗ The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs ∗∗∗ --------------------------------------------- We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks. --------------------------------------------- https://securelist.com/modern-ransomware-groups-ttps/106824/ ∗∗∗ Understanding the Compound File Binary Format and OLE Structures to Mess with CVE-2022-30190 ∗∗∗ --------------------------------------------- Initially, I began this research to generate weaponized RTF files delivering the CVE-2022-30190(Follina) exploit. --------------------------------------------- https://cymulate.com/blog/cve-2022-30190-2/ ∗∗∗ Miracle - One Vulnerability To Rule Them All ∗∗∗ --------------------------------------------- As mentioned in Jang blog, We (me and Jang) found a mega 0-day. After April Critical Patch, finally the vulnerability was patched properly. If you never known about this vulnerability, please patch your system ASAP! --------------------------------------------- https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3a… ∗∗∗ Vorsicht vor betrügerischen „Remote Jobs“ auf LinkedIn ∗∗∗ --------------------------------------------- “Work from Home Jobs No Experience Required” – von zuhause aus arbeiten, dabei bis zu 2.000€ pro Woche verdienen und das alles ohne Berufserfahrung? Laut der massenhaft geschaltenen Stellenanzeigen von KADANSE ist das möglich. Was nicht erwähnt wird: Für diesen scheinbar lukrativen Job müssen Sie erst Geld bezahlen, der Job existiert so nicht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-remote-… ∗∗∗ Schwachstellen in Programmierschnittstellen ∗∗∗ --------------------------------------------- Weltweit sind 4,1 bis 7,5 Prozent der Cybersecurity-Vorfälle und -schäden auf Schwachstellen in Programmierschnittstellen (Application Programming Interfaces, APIs) zurückzuführen und verursachen Kosten in Milliardenhöhe. --------------------------------------------- https://www.zdnet.de/88402008/schwachstellen-in-programmierschnittstellen/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-22 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Engineering Lifecycle Management, WebSphere Liberty, CICS Transaction Gateway, Watson Knowledge Catalog for IBM Cloud Pak for Data, IBM Robotic Process Automation, IBM Tivoli Business Service Manager, IBM MQ Internet Pass-Thru, IBM Cognos Analytics, IBM Sterling Global Mailbox. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Synology: Aktualisierte Firmware dichtet Sicherheitslecks in Routern ab ∗∗∗ --------------------------------------------- In Firmware von Synology-Geräten hat der Hersteller Sicherheitslücken gefunden. Angreifer könnten unter anderem unberechtigt auf Dateien zugreifen. --------------------------------------------- https://heise.de/-7151202 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firejail, and request-tracker4), Fedora (ghex, golang-github-emicklei-restful, and openssl1.1), Oracle (postgresql), Scientific Linux (postgresql), Slackware (openssl), SUSE (salt and tor), and Ubuntu (apache2 and squid, squid3). --------------------------------------------- https://lwn.net/Articles/898720/ ∗∗∗ Cisco Adaptive Security Device Manager and Adaptive Security Appliance Software Client-side Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ K55051330: Intel BIOS vulnerability CVE-2021-33123 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55051330 ∗∗∗ K87351324: Intel BIOS vulnerability CVE-2021-33124 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87351324 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2022
by Daily end-of-shift report 22 Jun '22

22 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-06-2022 18:00 − Mittwoch 22-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign ∗∗∗ --------------------------------------------- A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021. --------------------------------------------- https://thehackernews.com/2022/06/newly-discovered-magecart.html ∗∗∗ Du kommst hier nicht rein: Adobes PDF-Tools blockieren Antivirenschutz ∗∗∗ --------------------------------------------- Adobe Acrobat und Reader legen einen Registry-Eintrag an. Dieser hält über Chromiums libcef.dll Sicherheitsprogramm-DLLs aus den PDF-Programmen fern. --------------------------------------------- https://heise.de/-7147804 ∗∗∗ Sharehoster Mega: Sicherheitsforscher entschlüsseln eigentlich geschützte Daten ∗∗∗ --------------------------------------------- Eine problematische Kryptografie-Implementierung kann verschlüsselte Dateien für den Betreiber oder Angreifer lesbar machen. --------------------------------------------- https://heise.de/-7148227 ∗∗∗ Machen Sie mit bei unserer Studie zum Fake-Shop-Detector! ∗∗∗ --------------------------------------------- Fake-Shops stellen Konsument:innen vor große Herausforderungen: Sie werden immer zahlreicher und sind gleichzeitig schwieriger zu erkennen. Um das Einkaufen im Internet sicherer zu machen, haben wir den Fake-Shop Detector entwickelt. --------------------------------------------- https://www.watchlist-internet.at/news/machen-sie-mit-bei-unserer-studie-zu… ∗∗∗ Keeping PowerShell: Measures to Use and Embrace ∗∗∗ --------------------------------------------- Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell. The CIS provides recommendations for proper configuration and monitoring of PowerShell, as opposed to removing or disabling it entirely due to its use by malicious actors after gaining access into victim networks. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/22/keeping-powershel… ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: Google schließt 14 Sicherheitslücken in Chrome ∗∗∗ --------------------------------------------- Mit dem Sprung auf das 103er-Release dichtet Google im Webbrowser Chrome 14 Schwachstellen ab. Auch für Android und iOS steht die neue Version bereit. --------------------------------------------- https://heise.de/-7147522 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exo and ntfs-3g), Fedora (collectd, golang-github-cli-gh, grub2, qemu, and xen), Red Hat (httpd:2.4, kernel, and postgresql), SUSE (drbd, fwupdate, neomutt, and trivy), and Ubuntu (apache2, openssl, openssl1.0, and qemu). --------------------------------------------- https://lwn.net/Articles/898605/ ∗∗∗ JTEKT TOYOPUC ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-172-02 ∗∗∗ VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/142546 ∗∗∗ Security Bulletin: June 2022 :Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-june-2022-multiple-vulner… ∗∗∗ Security Bulletin: A vulnerability (CVE-2021-35550) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-cve-2021-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) OpenSSL vulnerability CVE-2021-4044 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-team-concert-rtc… ∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2022-22475, CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized sensitive information access due to IBM Java vulnerability (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Watson Explorer (CVE-2022-22971, CVE-2022-22968, CVE-2022-22970) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server January 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized data access due to IBM Java (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Watson Explorer (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface has multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2022 – Includes Oracle® January 2022 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ K53252134: Intel BIOS vulnerability CVE-2021-0155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53252134 ∗∗∗ K16162257: Intel BIOS vulnerability CVE-2021-0154 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16162257 ∗∗∗ K14454359: Intel BIOS vulnerability CVE-2021-0153 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14454359 ∗∗∗ K04303225: Intel BIOS vulnerability CVE-2021-0190 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04303225 ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247052-bt.html ∗∗∗ PHP Vulnerability ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-20 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2022
by Daily end-of-shift report 21 Jun '22

21 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 20-06-2022 18:00 − Dienstag 21-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New DFSCoerce NTLM Relay attack allows Windows domain takeover ∗∗∗ --------------------------------------------- A new Windows NTLM relay attack called DFSCoerce has been discovered that uses MS-DFSNM, Microsofts Distributed File System, to completely take over a Windows domain. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-at… ∗∗∗ APT ToddyCat ∗∗∗ --------------------------------------------- ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’. --------------------------------------------- https://securelist.com/toddycat/106799/ ∗∗∗ Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack ∗∗∗ --------------------------------------------- A reported a "potentially dangerous piece of functionality" allows an attacker to launch an attack on cloud infrastructure and ransom files stored in SharePoint and OneDrive. --------------------------------------------- https://threatpost.com/office-365-opens-ransomware-attacks-on-onedrive-shar… ∗∗∗ Bestellen Sie nicht bei funkelnmarkt.de ∗∗∗ --------------------------------------------- Der Online-Shop funkelnmarkt.de bietet Laptops, Waschmaschinen, Konsolen und Co. Die Preise sind teilweise etwas günstiger als bei anderen Shops und die Webseite wirkt professionell. Grund genug dort zu bestellen. Oder? Lieber nicht! Wenn Sie dort bestellen, erhalten Sie keine Ware und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-funkelnmarkt… ===================== = Vulnerabilities = ===================== ∗∗∗ Icefall: 56 flaws impact thousands of exposed industrial devices ∗∗∗ --------------------------------------------- A security report has been published on a set of 56 vulnerabilities that are collectively called Icefall and affect operational technology (OT) equipment used in various critical infrastructure environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thou… ∗∗∗ OpenSSL Security Advisory [21 June 2022] ∗∗∗ --------------------------------------------- When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. --------------------------------------------- https://openssl.org/news/secadv/20220621.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tzdata), Oracle (cups), and SUSE (atheme, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, node_exporter, python36, release-notes-susemanager, release-notes-susemanager-proxy, SUSE Manager 4.1.15 Release Notes, SUSE Manager Client Tools, and SUSE Manager Server 4.2). --------------------------------------------- https://lwn.net/Articles/898504/ ∗∗∗ SSA-111512: Client-side Authentication in SIMATIC WinCC OA ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-111512.txt ∗∗∗ ABB Security Advisory: ABB Relion REX640 Insufficient file access control ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001421 ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Flaw in Go may affect DataPower Operator (CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-flaw-in-go-may-affect-dat… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM DataPower Operator affected by flaw in Go (CVE-2022-23773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-af… ∗∗∗ Security Bulletin: IBM Spectrum Symphony is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-symphony-is-… ∗∗∗ Security Bulletin: IBM Spectrum Conductor is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-conductor-is… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM DataPower Operator potentially vulnerable to Denial of Service (CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-po… ∗∗∗ Security Bulletin: IBM QRadar Wincollect agent is vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-age… ∗∗∗ Security Bulletin: DataPower Operator vulnerable to a Denial of Service (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datapower-operator-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a postgresql-42.0.0.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a mongodb-driver-legacy-4.1.1.jar vulnerability (CVE-2021-20328) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ PHOENIX CONTACT: Missing Authentication in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-028/ ∗∗∗ PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-026/ ∗∗∗ PHOENIX CONTACT: Vulnerability in classic line industrial controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-025/ ∗∗∗ WEIDMUELLER: EtherNet/IP Fieldbus Coupler out-of-bounds write ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-004/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2022
by Daily end-of-shift report 20 Jun '22

20 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-06-2022 18:00 − Montag 20-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Kritische CVE-2022-20825 in Cisco Small-Business-Routern wird nicht gefixt ∗∗∗ --------------------------------------------- In den Small-Business-Routern RV110W, RV130, RV130W und RV215W gibt es eine kritische Schwachstelle CVE-2022-20825, die mit dem CVE-Wert von 9.8 bewertet wurde. Auf Grund einer fehlenden Authentifizierung ermöglicht die Schwachstelle sowohl eine Remote Command Execution als auch Denial of Service-Angriffe. --------------------------------------------- https://www.borncity.com/blog/2022/06/20/kritische-cve-2022-20825-in-cisco-… ∗∗∗ New phishing attack infects devices with Cobalt Strike ∗∗∗ --------------------------------------------- Security researchers have noticed a new malicious spam campaign that delivers the Matanbuchus malware to drop Cobalt Strike beacons on compromised machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-attack-infects-… ∗∗∗ Android-wiping BRATA malware is evolving into a persistent threat ∗∗∗ --------------------------------------------- The threat actors operating the BRATA banking trojan have evolved their tactics and incorporated new information-stealing features into their malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware… ∗∗∗ Decoding Obfuscated BASE64 Statistically ∗∗∗ --------------------------------------------- In diary entry "Houdini is Back Delivered Through a JavaScript Dropper", Xavier mentions that he had to deal with an obfuscated BASE64 string. --------------------------------------------- https://isc.sans.edu/diary/rss/28758 ∗∗∗ The Importance of White-Box Testing: A Dive into CVE-2022-21662 ∗∗∗ --------------------------------------------- When CVE-2022-21662 came out there wasn’t a much-published material regarding this vulnerability. I want to take some time to explain the importance of using a white-box approach when testing applications for vulnerabilities. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-importa… ∗∗∗ Cerber2021 Ransomware Back in Action ∗∗∗ --------------------------------------------- In December 2021, researchers identified a new version of Cerber ransomware targeting both Linux and Windows users. In this infection, Cerber2021 was delivered by targeting the vulnerabilities in the Confluence and Gitlab servers. These vulnerabilities are tracked as CVE-2021-26084 and CVE-2021-22205, respectively. --------------------------------------------- https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/ ∗∗∗ Europol-Masche: Neue Welle betrügerischer Anrufe ∗∗∗ --------------------------------------------- Die Telefonbetrugsmasche, bei der sich die Kriminellen als Ermittlungsbehörde ausgeben, ist nicht neu. Dennoch rollt aktuell wieder eine Welle solcher Anrufe. --------------------------------------------- https://heise.de/-7146013 ∗∗∗ Erpressung per E-Mail: Hacker fordert die Überweisung von Bitcoins ∗∗∗ --------------------------------------------- Sie haben ein E-Mail von einem Hacker bekommen? Er schreibt, dass er Ihren Computer gehackt hat und Sie beim Masturbieren gefilmt hat? Er droht damit das Video zu verbreiten, wenn Sie keine Bitcoins überweisen? Im E-Mail wird sogar eines Ihrer Passwörter genannt? Machen Sie sich keine Sorgen! Dieses E-Mail ist Fake. Lassen Sie sich nicht erpressen und überweisen Sie keinesfalls Bitcoins. Ändern Sie aber umgehend Ihr Passwort! --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-per-e-mail-hacker-fordert… ∗∗∗ Azure Attack Paths: Common Findings and Fixes (Part 1) ∗∗∗ --------------------------------------------- This post will walk through various services within the Azure catalogue and look at potential attack paths. --------------------------------------------- https://blog.zsec.uk/azure-fundamentals-pt1/ ===================== = Vulnerabilities = ===================== ∗∗∗ AWS: Amazon-Hotpatch für log4j-Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- In einem Skript zum Absichern vor der log4j-Lücke von Amazon findet sich eine Sicherheitslücke. Angreifer könnten ihre Rechte damit ausweiten. --------------------------------------------- https://heise.de/-7145383 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cyrus-imapd, exo, sleuthkit, slurm-wlm, vim, and vlc), Fedora (golang-github-docker-libnetwork, kernel, moby-engine, ntfs-3g-system-compression, python-cookiecutter, python2.7, python3.6, python3.7, python3.8, python3.9, rubygem-mechanize, and webkit2gtk3), Mageia (bluez, dnsmasq, exempi, halibut, and php), Oracle (.NET 6.0, .NET Core 3.1, and xz), SUSE (chafa, firejail, kernel, python-Twisted, and tensorflow2), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/898413/ ∗∗∗ Security Advisory - Input Verification Vulnerability Involving Huawei Printer Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220620-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due to Apache Log4j (CVE-2021-44228). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due To Apache Log4j (CVE-2021-4104). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: Potential module resolution error in DataPower Operator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-module-resoluti… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: StoredIQ is vulnerable to denial of service and remote code execution in Apache Log4j (CVE-2021-44228, CVE-2021-45046). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM QRadar WinCollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-is-… ∗∗∗ Security Bulletin: Potential Denial of Service in IBM DataPower Gateway (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-denial-of-servi… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to json-schema (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics for Communications Service Providers and Datasets Impacted by Log4j Vulnerabilities ( CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-analytic-accelerator-… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, Eclipse Jetty, and OpenJDK affect IBM Cloud Object Storage Systems (June 2022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: Cúram Social Program Management is affected by session timeout issues (CVE-2022-22318, CVE-2022-22317) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980) ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/06/20/spring-data-mongodb-spel-expression-injec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.06.2022
by Daily end-of-shift report 17 Jun '22

17 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-06-2022 18:00 − Freitag 17-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Security: Github informiert über Malware im Open-Source-Ökosystem ∗∗∗ --------------------------------------------- Nicht nur Sicherheitslücken machen Open-Source-Software anfällig. Auch Malware bereitet viele Probleme, die Github jetzt sammeln möchte. --------------------------------------------- https://www.golem.de/news/security-github-informiert-ueber-malware-im-open-… ∗∗∗ Zügig aktualisieren: Angreifer könnten Citrix ADM übernehmen ∗∗∗ --------------------------------------------- In Citrix Application Delivery Management-Software könnten Angreifer aus dem Netz eine Sicherheitslücke ausnutzen. Sie können damit volle Kontrolle erlangen. --------------------------------------------- https://heise.de/-7142301 ∗∗∗ NAS: Qnap warnt vor Angriffswelle mit DeadBolt-Ransomware ∗∗∗ --------------------------------------------- Der Hersteller Qnap warnt vor derzeit laufenden Angriffen auf die NAS-Systeme mit der DeadBolt-Ransomware. Administratoren sollen den Update-Stand überprüfen. --------------------------------------------- https://heise.de/-7144383 ∗∗∗ Kritische Sicherheitslücke in WordPress-Plug-in Ninja Forms behoben ∗∗∗ --------------------------------------------- WordPress-Admins, die das Plug-in Ninja Forms einsetzen, sollten unverzüglich dessen Aktualität sicherstellen. Angreifer könnten sonst eigenen Code ausführen. --------------------------------------------- https://heise.de/-7143515 ∗∗∗ Zahlreiche betrügerische Nachrichten im Namen der Post im Umlauf! ∗∗∗ --------------------------------------------- Sie warten auf ein Paket. Plötzlich werden Sie per SMS oder E-Mail benachrichtigt, dass es ein Problem mit Ihrer Lieferung gäbe. Immer wieder berichten wir von dieser Betrugsmasche, bei der Kriminelle willkürlich Nachrichten versenden und behaupten, dass ein Paket nicht geliefert werden könnte. Wer tatsächlich gerade auf ein Paket wartet, kann leicht in diese Falle tappen. Meist wollen die Kriminellen an Ihre Kreditkartendaten oder an Ihr Geld. Dieses Mal wird aber auch versucht Ihr Post-Konto zu kapern. --------------------------------------------- https://www.watchlist-internet.at/news/zahlreiche-betruegerische-nachrichte… ∗∗∗ Anatomie eines Hive Ransomware-Angriffs auf Exchange per ProxyShell ∗∗∗ --------------------------------------------- Häufig bleiben ja die Details einer Ransomware-Infektion für Außenstehende im Dunkeln. Mir ist diese Woche eine Information vom Sicherheitsdienstleister Varonis zugegangen, deren Sicherheitsteam den Ablauf eines Angriffs mit der Hive-Ransomware aufbereitet haben. --------------------------------------------- https://www.borncity.com/blog/2022/06/17/anatomie-eines-hive-ransomware-ang… ∗∗∗ Hackers exploit three-year-old Telerik flaws to deploy Cobalt Strike ∗∗∗ --------------------------------------------- The threat actor known as Blue Mockingbird has been observed by analysts targeting Telerik UI vulnerabilities to compromise servers, install Cobalt Strike beacons, and mine Monero by hijacking system resources. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-three-year-o… ∗∗∗ New MaliBot Android banking malware spreads as a crypto miner ∗∗∗ --------------------------------------------- Threat analysts have discovered a new Android malware strain named MaliBot, which poses as a cryptocurrency mining app or the Chrome web browser to target users in Italy and Spain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-malibot-android-banking-… ∗∗∗ Facebook Messenger Scam Duped Millions ∗∗∗ --------------------------------------------- One well crafted phishing message sent via Facebook Messenger ensnared 10 million Facebook users and counting. --------------------------------------------- https://threatpost.com/acebook-messenger-scam/179977/ ∗∗∗ WooCommerce Credit Card Skimmer Uses Telegram Bot to Exfiltrate Stolen Data ∗∗∗ --------------------------------------------- Our story starts like many others told on this blog: A new client came to us with reported cases of credit card theft on their eCommerce website. The website owner had received complaints from several customers who reported bogus transactions on their cards shortly after purchasing from their webstore, so the webmaster suspected that something could be amiss. --------------------------------------------- https://blog.sucuri.net/2022/06/woocommerce-credit-card-skimmer-uses-telegr… ∗∗∗ Difference Between Agent-Based and Network-Based Internal Vulnerability Scanning ∗∗∗ --------------------------------------------- For years, the two most popular methods for internal scanning: agent-based and network-based were considered to be about equal in value, each bringing its own strengths to bear. However, with remote working now the norm in most if not all workplaces, it feels a lot more like agent-based scanning is a must, while network-based scanning is an optional extra. --------------------------------------------- https://thehackernews.com/2022/06/difference-between-agent-based-and.html ∗∗∗ Details of Twice-Patched Windows RDP Vulnerability Disclosed ∗∗∗ --------------------------------------------- Researchers at identity security firm CyberArk this week shared technical information on an RDP named pipe vulnerability in Windows for which Microsoft had to release two rounds of patches. --------------------------------------------- https://www.securityweek.com/details-twice-patched-windows-rdp-vulnerabilit… ∗∗∗ DriftingCloud: Zero-Day Sophos Firewall Exploitation and an Insidious Breach ∗∗∗ --------------------------------------------- [...] This particular attack leveraged a zero-day exploit to compromise the customer's firewall. Volexity observed the attacker implement an interesting webshell backdoor, create a secondary form of persistence, and ultimately launch attacks against the customer's staff. These attacks aimed to further breach cloud-hosted web servers hosting the organization's public-facing websites. This type of attack is rare and difficult to detect. This blog post serves to share what highly targeted organizations are up against and ways to defend against attacks of this nature. --------------------------------------------- https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-fire… ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Vulnerability Reported in Popular Fastjson Library ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a recently patched high-severity security vulnerability in the popular Fastjson library that could be potentially exploited to achieve remote code execution. Tracked as CVE-2022-25845 (CVSS score: 8.1), the issue relates to a case of deserialization of untrusted data in a supported feature called "AutoType." --------------------------------------------- https://thehackernews.com/2022/06/high-severity-rce-vulnerability.html ∗∗∗ IBM Security Bulletins 2022-06-15 - 2022-06-16 ∗∗∗ --------------------------------------------- IBM Spectrum Protect Server, IBM Disconnected Log Collector, IBM Cloud Application Business Insights, IBM Tivoli Application Dependency Discovery Manager, IBM CICS TX Advanced, IBM Analytic Accelerator Framework, IBM Customer and Network Analytics, IBM QRadar SIEM, IBM QRadar Use Case Manager App, Rational Test Virtualization Server and Rational Test Workbench, IBM Robotic Process Automation, IBM Security QRadar Event and Flow Exporter App, IBM WebSphere Application Server Liberty, IBM TXSeries, IBM CICS TX Standard, IBM CICS TX Advanced, IBM Java Runtime, ISC BIND and IBM HTTP Server. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-06-15 ∗∗∗ --------------------------------------------- Cisco published 7 Security Advisories (2 Critical, 1 High, 4 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Kritische Lücke mit Höchstwertung in Smart-Home-Zentrale Anker Eufy Homebase 2 ∗∗∗ --------------------------------------------- Angreifer könnten sich über drei Sicherheitslücken in Eufy Homebase 2 Zugang zum Smart Home verschaffen. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-7143710 ∗∗∗ VMSA-2022-0017 ∗∗∗ --------------------------------------------- VMware HCX update addresses an information disclosure vulnerability (CVE-2022-22953) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0017.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (containerd, golang-github-containerd-cni, golang-github-containernetworking-cni, golang-x-sys, kernel, and qt5-qtbase), Oracle (kernel, kernel-container, microcode_ctl, subversion:1.14, and xz), Red Hat (.NET 6.0, .NET Core 3.1, cups, and xz), Scientific Linux (xz), SUSE (caddy, chromium, librecad, libredwg, varnish, and webkit2gtk3), and Ubuntu (bluez). --------------------------------------------- https://lwn.net/Articles/898121/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (kernel, liblouis, ntfs-3g, php, shim, shim-unsigned-aarch64, shim-unsigned-x64, thunderbird, and vim), Mageia (chromium-browser-stable and golang), Red Hat (grub2, mokutil, and shim and grub2, mokutil, shim, and shim-unsigned-x64), SUSE (389-ds, apache2, kernel, mariadb, openssl, openssl-1_0_0, rubygem-actionpack-5_1, rubygem-activesupport-5_1, and vim), and Ubuntu (exempi, kernel, linux, linux-aws, linux-aws-hwe, linux-aws-5.13, linux-aws-5.4, [...] --------------------------------------------- https://lwn.net/Articles/898234/ ∗∗∗ Hillrom Medical Device Management ∗∗∗ --------------------------------------------- This advisory contains mitigations for Use of Hard-coded Password, and Improper Access Control vulnerability in Welch Allyn resting electrocardiograph devices. Hillrom Medical. Welch Allyn, and ELI are registered trademarks of Baxter International, Inc., or its subsidiaries. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-167-01 ∗∗∗ AutomationDirect C-More EA9 HMI ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Search Path Element, Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect C-More EA9 human-machine interface products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-01 ∗∗∗ AutomationDirect DirectLOGIC with Serial Communication ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in DirectLOGIC programmable controllers with serial communication. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-02 ∗∗∗ AutomationDirect DirectLOGIC with Ethernet ∗∗∗ --------------------------------------------- This advisory contains mitigations for Uncontrolled Resource Consumption, and Cleartext Transmission of Sensitive Information vulnerabilities in AutomationDirect DirectLOGIC programmable logic Ethernet controllers. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-167-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily June 2022