Daily July 2022

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 29.07.2022
by Daily end-of-shift report 29 Jul '22

29 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 28-07-2022 18:00 − Freitag 29-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Web-Portale: Seit sechs Jahren kostenlose Hilfe für Ransomware-Opfer ∗∗∗ --------------------------------------------- Mit etwas Glück findet man auf den Websites von ID Ransomware und No More Ransom Infos zu kostenlosen Entschlüsselungstools für einige Erpressungstrojaner. --------------------------------------------- https://heise.de/-7193953 ∗∗∗ Jetzt patchen! Attacken auf Atlassian Confluence ∗∗∗ --------------------------------------------- Nachdem ein Standard-Passwort auf Social-Media-Plattformen aufgetaucht ist, nehmen Angreifer Confluence ins Visier. Aber nicht alle Instanzen sind verwundbar. --------------------------------------------- https://heise.de/-7193458 ∗∗∗ LockBit operator abuses Windows Defender to load Cobalt Strike ∗∗∗ --------------------------------------------- Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-wind… ∗∗∗ Month of PowerShell - Renaming Groups of Files ∗∗∗ --------------------------------------------- In this article we look at how to automate a massive file-rename task using PowerShell. --------------------------------------------- https://www.sans.org/blog/renaming-groups-files?msc=rss ∗∗∗ Researchers Warns of Increase in Phishing Attacks Using Decentralized IPFS Network ∗∗∗ --------------------------------------------- The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months. --------------------------------------------- https://thehackernews.com/2022/07/researchers-warns-of-increase-in.html ∗∗∗ ENISA: Telecom Security Incidents 2021 ∗∗∗ --------------------------------------------- This report provides anonymised and aggregated information about major telecom security incidents in 2021. The 2021 annual summary contains reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries. --------------------------------------------- https://www.enisa.europa.eu/publications/telecom-security-incidents-2021 ∗∗∗ UEFI rootkits and UEFI secure boot ∗∗∗ --------------------------------------------- Kaspersky describes a UEFI-implant used to attack Windows systems. Based on it appearing to require patching of the system firmware image, they hypothesise that its propagated by manually dumping the contents of the system flash, modifying it, and then reflashing it back to the board. [..] But lets think about why this is in the firmware at all. --------------------------------------------- https://mjg59.dreamwidth.org/60654.html ∗∗∗ Microsoft has blocked hackers favourite trick. So now they are looking for a new route of attack ∗∗∗ --------------------------------------------- Microsofts default block on Office macro malware is working, which means hackers need to find a new way to carry out their attacks. --------------------------------------------- https://www.zdnet.com/article/microsoft-has-blocked-hackers-favourite-trick… ∗∗∗ Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products ∗∗∗ --------------------------------------------- Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed? --------------------------------------------- https://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1031: OPC Labs QuickOPC Connectivity Explorer Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-22-1031/ ∗∗∗ ABB Cyber Security Advisory: ABB Ability TM Operations Data Management Zenon Log Server file access control ∗∗∗ --------------------------------------------- These vulnerabilities affect the ABB Ability™ Operations Data Management Zenon. Subsequently, a successful exploit could allow attackers to log additional messages and access files from the Zenon system. While the passwords in the INI files are not stored in clear text, they can be subjected to further attacks against the hash algorithm. --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001479&Language… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0). --------------------------------------------- https://lwn.net/Articles/902913/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead to arbitrary code execution. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0007.html ∗∗∗ Synology-SA-22:10 Samba ∗∗∗ --------------------------------------------- CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraint and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synologys products are affected by CVE-2022-32745 as [...] --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_10 ∗∗∗ JetBrains IntelliJ IDEA: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in JetBrains IntelliJ IDEA ausnutzen, um beliebigen Programmcode auszuführen oder Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0860 ∗∗∗ Foxit Reader und Foxit PDF Editor: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Foxit Reader und Foxit PDF Editor ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen preiszugeben und einen Denial-of-Service-Zustand zu verursachen --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0862 ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um Sicherheitsmaßnahmen zu umgehen, einen Cross-Site-Scripting-Angriff durchzuführen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0861 ∗∗∗ Rockwell Products Impacted by Chromium Type Confusion ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-209-01 ∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-vios-could-al… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in IBM Engineering Systems Design Rhapsody (Rhapsody) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-cve-2021-442… ∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to bypass security restrictions and obtain sensitive information due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b… ∗∗∗ Security Bulletin: AIX is affected by multiple vulnerabilities in Python ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-affected-by-multip… ∗∗∗ Security Bulletin: Denial of service vulnerability in OpenSSL as shipped with IBM Security Verify Bridge Docker image (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Engineering Lifecycle Optimization – Publishing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi… ∗∗∗ Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND (CVE-2021-25220) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-cach… ∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel… ∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.07.2022
by Daily end-of-shift report 28 Jul '22

28 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 27-07-2022 18:00 − Donnerstag 28-07-2022 18:00 Handler: Stephan Richter Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ LofyLife: malicious npm packages steal Discord tokens and bank card data ∗∗∗ --------------------------------------------- This week, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign “LofyLife”. --------------------------------------------- https://securelist.com/lofylife-malicious-npm-packages/107014/ ∗∗∗ Month of PowerShell - PowerShell Remoting, Part 1 ∗∗∗ --------------------------------------------- In this article, we discuss perhaps the most immediately-valuable feature in PowerShell for Windows administrators, the ability to run PowerShell commands on remote systems. --------------------------------------------- https://www.sans.org/blog/powershell-remoting-part-1?msc=rss ∗∗∗ Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack ∗∗∗ --------------------------------------------- In this blog post, we explore another remotely reachable attack surface: ESXi’s TCP/IP stack implemented as a VMkernel module. The most interesting outcome of this analysis is that ESXi’s TCP/IP stack is based on FreeBSD 8.2 and does not include security patches for the vulnerabilities disclosed over the years since that release of FreeBSD. This result also prompted us to analyze the nature of vulnerabilities disclosed in other open-source components used by VMware, such as OpenSLP and ISC-DHCP. --------------------------------------------- https://www.zerodayinitiative.com/blog/2022/7/25/looking-at-patch-gap-vulne… ∗∗∗ Vorsicht vor Fake Last-Minute-Angeboten auf Mallorca und Ibiza! ∗∗∗ --------------------------------------------- Die Hitze schlägt zu und Kurzentschlossene suchen nach den letzten verfügbaren Ferienhäusern, um ein paar Tage am Meer zu verbringen. Doch Vorsicht: Kriminelle versuchen Sie mit attraktiven Angeboten in die Falle zu locken! Wird eine Vorauszahlung für ein Ferienhaus verlangt, brechen Sie den Kontakt ab, Ihr Geld ist sonst verloren! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-last-minute-angebo… ∗∗∗ MFA hilft gegen Ransomware ∗∗∗ --------------------------------------------- Die Multi-Faktor-Authentifizierung (MFA) funktioniert. Die europäische Polizeibehörde Europol erklärt, wie Ransomware-Banden ihre Angriffe aufgegeben haben, als sie auf die MFA-Sicherheit trafen. --------------------------------------------- https://www.zdnet.de/88402613/mfa-hilft-gegen-ransomware/ ∗∗∗ IIS-Attacken auf Exchange Server ∗∗∗ --------------------------------------------- Microsoft warnt vor heimlichen Backdoor-Angriffen auf Exchange Server mittels bösartiger IIS-Erweiterungen. --------------------------------------------- https://www.zdnet.de/88402615/iis-attacken-auf-exchange-server/ ∗∗∗ CISA Releases Log4Shell-Related MAR ∗∗∗ --------------------------------------------- >From May through June 2022, CISA responded to an organization that was compromised by an exploitation of an unpatched and unmitigated Log4Shell vulnerability in a VMware Horizon server. CISA analyzed five malware samples obtained from the organization’s network and released a Malware Analysis Report of the findings. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/07/28/cisa-releases-log… ∗∗∗ SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” ∗∗∗ --------------------------------------------- One frequently encountered—that often results in forensics investigations on compromised systems—is tracked by Volexity as SharpTongue. [..] Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe and South Korea ... --------------------------------------------- https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-st… ===================== = Vulnerabilities = ===================== ∗∗∗ "JustSystems JUST Online Update for J-License" starts a program with an unquoted file path ∗∗∗ --------------------------------------------- "JustSystems JUST Online Update for J-License" bundled with multiple JustSystems products for corporate users starts another program with an unquoted file path. --------------------------------------------- https://jvn.jp/en/jp/JVN57073973/ ∗∗∗ Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051 ∗∗∗ --------------------------------------------- Project: Tagify Security risk: Moderately critical Description: This module provides a widget to transform entity reference fields into a more user-friendly tags input component with a great performance.The module doesnt sufficiently check access for the add operation. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-051 ∗∗∗ PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050 ∗∗∗ --------------------------------------------- Project: PDF generator API Security risk: Moderately critical Description: This module enables you to generate PDF versions of content.Some installations of the module make use of the dompdf/dompdf third-party dependency.Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-050 ∗∗∗ Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049 ∗∗∗ --------------------------------------------- Project: Context Security risk: Moderately critical Description: This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks". --------------------------------------------- https://www.drupal.org/sa-contrib-2022-049 ∗∗∗ Sicherheitsupdates: Angreifer könnten Veritas NetBackup vielfältig attackieren ∗∗∗ --------------------------------------------- Die Entwickler haben in aktuellen Versionen der Backuplösung NetBackup von Veritas unter anderem kritische Lücken geschlossen. --------------------------------------------- https://heise.de/-7192562 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen). --------------------------------------------- https://lwn.net/Articles/902795/ ∗∗∗ Trend Micro Produkte: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in Trend Micro Apex One und Trend Micro Worry-Free Business Security ausnutzen, um seine Privilegien zu erhöhen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0850 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Jira Software ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0849 ∗∗∗ McAfee Agent: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle im McAfee Agent ausnutzen, um seine Privilegien zu erhöhen und beliebigen Code mit Administratorrechten auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0848 ∗∗∗ Jenkins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Jenkins ausnutzen, um einen Cross Site Scripting oder CSRF Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen oder Daten zu manipulieren --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0852 ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to arbitrary command execution (CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29526) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-golang-g… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.07.2022
by Daily end-of-shift report 27 Jul '22

27 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 26-07-2022 18:00 − Mittwoch 27-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 15 Minuten nach Bekanntwerden einer Lücke starten Scans nach verwundbaren PCs ∗∗∗ --------------------------------------------- Einem aktuellen Bericht über IT-Sicherheitsvorfälle zufolge verschärft sich das Katz-und-Maus-Spiel zwischen Admins und Cyberkriminellen. --------------------------------------------- https://heise.de/-7191301 ∗∗∗ Cyberkriminalität: Weniger Ransomware, aber wieder mehr Malware ∗∗∗ --------------------------------------------- 2022 stieg das Malware-Volumen erstmals wieder, bei gleichzeitig weniger Ransomware-Attacken - zumindest global, denn in Europa gilt der gegensätzliche Trend. --------------------------------------------- https://heise.de/-7191680 ∗∗∗ Student:innen aufgepasst: akademischeslektorat.com ist unseriös! ∗∗∗ --------------------------------------------- Wenn Sie auf der Suche nach einem Lektorat, einer Plagiatsprüfung oder Übersetzungsarbeiten für wissenschaftliche Arbeiten sind, stoßen Sie bei Ihrer Suche womöglich auf akademischeslektorat.com. Wir raten dazu, Abstand von den Angeboten zu nehmen, denn die Leistungen werden Erfahrungsberichten nach minderwertig oder gar nicht erbracht und auch frühere Mitarbeiter:innen sowie die Bewertungsseite Trustpilot warnen vor dem Angebot. --------------------------------------------- https://www.watchlist-internet.at/news/studentinnen-aufgepasst-akademisches… ∗∗∗ Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits ∗∗∗ --------------------------------------------- MSTIC and MSRC disclose technical details of a private-sector offensive actor (PSOA) tracked as KNOTWEED using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers. --------------------------------------------- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-euro… ∗∗∗ Month of PowerShell: Fileless Malware with Get-Clipboard ∗∗∗ --------------------------------------------- In this article we look at using PowerShell maliciously while evading detection. --------------------------------------------- https://www.sans.org/blog/fileless-malware-get-clipboard/ ∗∗∗ DHL Phishing Page Uses Telegram Bot for Exfiltration ∗∗∗ --------------------------------------------- One of the quickest ways for an attacker to harvest financial data, credentials, and sensitive personal information is through phishing. These social engineering attacks can typically be found masquerading as a trusted or recognizable service, intent on tricking unsuspecting users into submitting sensitive information on the attacker’s customized web page. --------------------------------------------- https://blog.sucuri.net/2022/07/dhl-phishing-page-uses-telegram-bot-for-exf… ∗∗∗ Inside Matanbuchus: A Quirky Loader ∗∗∗ --------------------------------------------- This blog post will shed light on Matanbuchus’ main stage, the second stage of the loader. From our point of view, the second stage is the more interesting component of the loader, as it involves many payload loading techniques. By dissecting the loader’s features and capabilities, we will attempt to answer whether Matanbuchus is a loader malware, as it markets itself, or if it is more like a bot service. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-… ∗∗∗ Top 10 Awesome Open-Source Adversary Simulation Tools ∗∗∗ --------------------------------------------- Cyberattack simulation, aka Threat Simulation, is an emerging IT security technology that can help discover gaps, vulnerabilities, and misconfigurations in your security infrastructure. We will take a look at the need for adversary simulation and the top ten open-source adversary simulation tools. --------------------------------------------- https://fourcore.io/blogs/top-10-open-source-adversary-emulation-tools ∗∗∗ Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack ∗∗∗ --------------------------------------------- Over the last few years, multiple VMware ESXi remote, unauthenticated code execution vulnerabilities have been publicly disclosed. Some were also found to be exploited in the wild. Since these bugs were found in ESXi’s implementation of the SLP service, VMware provided workarounds to turn off the service. VMware also disabled the service by default starting with ESX 7.0 Update 2c. In this blog post, we explore another remotely reachable attack surface: ESXi’s TCP/IP stack --------------------------------------------- https://www.thezdi.com/blog/2022/7/25/looking-at-patch-gap-vulnerabilities-… ∗∗∗ What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads ∗∗∗ --------------------------------------------- In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations’ harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization’s emails to deliver their threat. --------------------------------------------- http://blog.talosintelligence.com/2022/07/what-talos-incident-response-lear… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel and openjdk-17), Fedora (ceph, lua, and moodle), Oracle (java-1.8.0-openjdk), Red Hat (grafana), SUSE (git, kernel, libxml2, nodejs16, and squid), and Ubuntu (imagemagick, protobuf-c, and vim). --------------------------------------------- https://lwn.net/Articles/902642/ ∗∗∗ Samba: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Samba ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Informationen offenzulegen, einen Denial of Service Zustand zu verursachen oder seine Rechte zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0842 ∗∗∗ MOXA NPort 5110 ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Out-of-bounds Write vulnerability in MOXA NPort 5110, a device server. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-04 ∗∗∗ Honeywell Saia Burgess PG5 PCD ∗∗∗ --------------------------------------------- This advisory contains mitigations for Authentication Bypass and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Honeywell Saia Burgess PG5 PCD, a PLC. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-03 ∗∗∗ Honeywell Safety Manager ∗∗∗ --------------------------------------------- This advisory contains mitigations for Insufficient Verification of Data Authenticity, Missing Authentication for Critical Function, and Use of Hard-coded Credentials vulnerabilities in Honeywell Safety Manager, a safety solution of the Experion Process Knowledge System. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-02 ∗∗∗ Inductive Automation Ignition ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-207-01 ∗∗∗ CVE-2022-35629..35632 Velociraptor Multiple Vulnerabilities (FIXED) ∗∗∗ --------------------------------------------- This advisory covers a number of issues identified in Velociraptor and fixed as of Version 0.6.5-2, released July 26, 2022. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velocirapt… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest (CVE-2021-35561, CVE-2022-21299, CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to local privilege escalation (CVE-2021-39088) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-0778, CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss… ∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-applicati… ∗∗∗ Security Bulletin: Apache Commons Email as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2017-9801, CVE-2018-1294) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-email-as-u… ∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise are vulnerable to a denial of service due to jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i… ∗∗∗ Security Bulletin: IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilites affect IBM Engineering Test Management product due to XStream ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a… ∗∗∗ Security Bulletin: Apache Derby security vulnerabilities in IBM System Dashboard for Enterprise Content Manager (affected, not vulnerable) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-derby-security-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.07.2022
by Daily end-of-shift report 26 Jul '22

26 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 25-07-2022 18:00 − Dienstag 26-07-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Betrugsmasche nimmt auf Willhaben zu: Konsumentenschützer warnen ∗∗∗ --------------------------------------------- Wer im auf Handelsplattformen wie Willhaben unterwegs ist, sollte vorsichtig mit seinen persönlichen Daten umgehen. --------------------------------------------- https://futurezone.at/digital-life/phishing-willhaben-betrug-opfer-sicherhe… ∗∗∗ Sicherheit: Forscher greifen Smartphones über Ladebuchse an ∗∗∗ --------------------------------------------- Ghost Touches sind erzwungene Berührungen auf Touchscreens von Smartphones und Tablets - Forscher konnten diese über ein Ladekabel auslösen. --------------------------------------------- https://www.golem.de/news/sicherheit-forscher-greifen-smartphones-ueber-lad… ∗∗∗ How is Your macOS Security Posture?, (Tue, Jul 26th) ∗∗∗ --------------------------------------------- Many people who use Apple devices daily often have a wrong sense of security. A few years ago, Apple devices were left aside of many security issues that Windows users faced for a long time. Also, based on a BSD layer, the OS wasn' a juicy target for attackers. Today, the landscape changed: Apple devices, especially Macbooks, are used not only by "creators" (musicians, designers, ...) and geeks but by many interesting profiles like managers and security researchers. --------------------------------------------- https://isc.sans.edu/diary/rss/28882 ∗∗∗ Month of PowerShell - PowerShell Version of Keeper (Save Useful Command Lines) ∗∗∗ --------------------------------------------- In this article we build a useful PowerShell function to save useful commands for later reference: Save-Keeper! --------------------------------------------- https://www.sans.org/blog/powershell-version-keeper?msc=rss ∗∗∗ How to analyze Linux malware – A case study of Symbiote ∗∗∗ --------------------------------------------- Symbiote is a Linux threat that hooks libc and libpcap functions to hide the malicious activity. The malware hides processes and files that are used during the activity by implementing two functions called hidden_proc and hidden_file. It can also hide network connections based on a list of ports and by hijacking any injected packet filtering bytecode. The malware’s purpose is to steal credentials from the SSH and SCP processes by hooking the libc read function. --------------------------------------------- https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbio… ∗∗∗ CVE-2022-31813: Forwarding addresses is hard ∗∗∗ --------------------------------------------- A few weeks ago, version 2.4.54 of Apache HTTPD server was released. It includes a fix for CVE-2022-31813, a vulnerability we identified in mod_proxy that could affect unsuspecting applications served by an Apache reverse proxy. Lets see why it is rated as low in the software changelog and why it still matters. TL;DR: when in doubt, patch! --------------------------------------------- https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-… ∗∗∗ Brennholz, Pellets, Photovoltaik & Co: Vorsicht vor Fake-Shops ∗∗∗ --------------------------------------------- Zahlreichen Fake-Shops mit Brennholz, lassen Kriminelle nun Photovoltaik-Shops wie solanex.de und solarnetz.at folgen. Die aktuelle Energiekrise soll offenbar maximal ausgenützt werden. Wechselrichter, Solaranlagen und Stromspeicher – all jene Produkte, die am Markt momentan schwer zu erhalten sind, sind bei solanex.de und solarnetz.at nicht nur lagernd, sondern teils weit unter Marktpreis zu haben. Kaufen Sie hier nichts, denn die Vorkassezahlungen sind verloren! --------------------------------------------- https://www.watchlist-internet.at/news/brennholz-pellets-photovoltaik-co-vo… ∗∗∗ Ransomware: 1.5 million people have got their files back without paying the gangs. Heres how ∗∗∗ --------------------------------------------- No More Ransom project now offers free tools for decrypting 165 families of ransomware as the fight against extortion groups continues. --------------------------------------------- https://www.zdnet.com/article/ransomware-1-5-million-people-have-got-their-… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores ∗∗∗ --------------------------------------------- The issue in question is an SQL injection vulnerability affecting versions 1.6.0.10 or greater, and is being tracked as CVE-2022-36408. ... The PrestaShop maintainers also said they found a zero-day flaw in its service that they said has been addressed in version 1.7.8.7, although they cautioned that "we cannot be sure that it's the only way for them to perform the attack." --------------------------------------------- https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.ht… ∗∗∗ Critical FileWave MDM Flaws Open Organization-Managed Devices to Remote Hackers ∗∗∗ --------------------------------------------- FileWaves mobile device management (MDM) system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it."The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty security researcher Noam Moshe said in a Monday report. --------------------------------------------- https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html ∗∗∗ Xen XSA-408 - insufficient TLB flush for x86 PV guests in shadow mode ∗∗∗ --------------------------------------------- For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between old and new code positions. The now wrong use of the variable did lead to a wrong TLB flush condition, omitting flushes where such are necessary. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-408.html ∗∗∗ Weitere Lücken in Videokonferenz-Hardware Meeting Owl geschlossen ∗∗∗ --------------------------------------------- Owl Labs hat seine Geräte mit zusätzlichen Sicherheitsupdates gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-7189904 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (spip), Mageia (libtiff and logrotate), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (gpg2, logrotate, and phpPgAdmin), and Ubuntu (python-bottle). --------------------------------------------- https://lwn.net/Articles/902547/ ∗∗∗ LibreOffice: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder lokaler Angreifer kann mehrere Schwachstellen in LibreOffice ausnutzen, um Sicherheitsvorkehrungen zu umgehen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0821 ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509 ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website. Pre-conditions: - Appliance must be configured as a VPN (Gateway) or AAA virtual server - A victim user must use an attacker-crafted link --------------------------------------------- https://support.citrix.com/article/CTX457836/citrix-adc-and-citrix-gateway-… ∗∗∗ Security Bulletin: Vulnerability in libcURL affect IBM Rational ClearCase ( CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27782, CVE-2022-30115, CVE-2022-27774 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue web UI is vulnerable to cross-site request forgery (CVE-2022-35286) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Common Licensing is vulnerable by a remote code attack in Spring Framework and Apache Commons(CVE-2022-22970,CVE-2022-22971,CVE-2022-33980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-v… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2021-45960, CVE-2021-46143 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25315 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-network-securit… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Slowloris HTTP DOS attack (CVE-2022-35639) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2022-1292, CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to Using Components with Known Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit… ∗∗∗ Security Bulletin: Java SE as used by IBM Cloud Pak For Security is vulnerable to information disclosure and denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-java-se-as-used-by-ibm-cl… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to arbitrary code execution due to async (CVE-2021-43138) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Sterling Control Center vulnerable to arbitrary file upload and sensitive information exposure due to IBM Cognos Analytics (CVE-2021-38945, CVE-2021-29768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent… ∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f… ∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase ( CVE-2021-35578, CVE-2021-35603, CVE-2021-35550, CVE-2021-35561, CVE-2022-21299 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.07.2022
by Daily end-of-shift report 25 Jul '22

25 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 22-07-2022 18:00 − Montag 25-07-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Windows-Sicherheit: Microsoft härtet RDP, MS-Office und geschützte Prozesse ∗∗∗ --------------------------------------------- Automatische Login-Sperren, Schutz vor Makros und Passwortklau - hinter den Kulissen tut sich einiges. Mit der Kommunikation tut sich Microsoft jedoch schwer. --------------------------------------------- https://heise.de/-7189313 ∗∗∗ Vorsicht vor gefälschten Post und DHL-Mails ∗∗∗ --------------------------------------------- Kriminelle geben sich als Post oder DHL aus und versenden wahllos betrügerische E-Mails. In den E-Mails mit dem Betreff „Ihr Paket wartet auf die Zustellung“ oder „Ihr Paket ist gerade bei der örtlichen Post angekommen“ wird behauptet, dass ein Paket angekommen sei, es aber nicht zugestellt werden kann, weil noch Zoll- bzw. Lieferkosten offen seien. Sie werden aufgefordert, auf einen Link zu klicken. Ignorieren Sie derartige E-Mails. Es handelt sich um Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-post-und-d… ∗∗∗ CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit ∗∗∗ --------------------------------------------- In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor. --------------------------------------------- https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/ ∗∗∗ Month of PowerShell: Process Threat Hunting, Part 1 ∗∗∗ --------------------------------------------- PowerShell is a powerful tool for threat hunting. Here we look at PowerShell threat hunting steps by assessing processes on Windows. --------------------------------------------- https://www.sans.org/blog/process-threat-hunting-part-1/ ∗∗∗ Month of PowerShell - The Curious Case of AD User Properties ∗∗∗ --------------------------------------------- Where are all of the user properties for Active Directory users for Get-ADUSer? --------------------------------------------- https://www.sans.org/blog/curious-case-ad-user-properties/ ∗∗∗ Month of PowerShell: Process Threat Hunting, Part 2 ∗∗∗ --------------------------------------------- We continue our look at PowerShell threat hunting through process analysis, identifying Command & Control/C2 threats on a Windows system. --------------------------------------------- https://www.sans.org/blog/process-threat-hunting-part-2/ ∗∗∗ Defeating Javascript Obfuscation ∗∗∗ --------------------------------------------- To make a long story short, I’m releasing a Javascript deobfuscation tool called REstringer. To make a short story long - I want to share my incentive for creating the tool, some design decisions, and the process through which I’m adding new capabilities to it - so you can join in on the fun! --------------------------------------------- https://www.perimeterx.com/tech-blog/2022/defeating-javascript-obfuscation/ ∗∗∗ A repository of Windows persistence mechanisms ∗∗∗ --------------------------------------------- The repository tries to gather an information about Windows persistence mechanisms to make the protection/detection more efficient. Most of the information is well known for years, being actively used within various scenarios. --------------------------------------------- https://persistence-info.github.io/ ∗∗∗ IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation ∗∗∗ --------------------------------------------- We developed an open source tool, IAM-Deescalate, to help mitigate the privilege escalation risks of overly permissive identities in AWS. --------------------------------------------- https://unit42.paloaltonetworks.com/iam-deescalate/ ∗∗∗ Case closed: DIVD-2022-00009 - SolarMan backend administrator account/password ∗∗∗ --------------------------------------------- DIVD researcher Jelle Ursem found the password of the super user of the web backend for all SolarMan / Solis / Omnik / Ginlong inverters, loggers, and batteries. The password has been changed now, and the repository containing the password has been deleted. --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00009/ ∗∗∗ Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers ∗∗∗ --------------------------------------------- The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched. --------------------------------------------- https://asec.ahnlab.com/en/36820/ ===================== = Vulnerabilities = ===================== ∗∗∗ Google Chrome: Update schließt Hochrisiko-Sicherheitslöcher ∗∗∗ --------------------------------------------- Google veröffentlicht ein Update für Chrome, das elf potenzielle Sicherheitsschwachstellen schließt - fünf davon sind mit High Risk bewertet. --------------------------------------------- https://www.golem.de/news/google-chrome-update-schliesst-hochrisiko-sicherh… ∗∗∗ Angreifer könnten Scan-Engine von F-Secure und WithSecure crashen lassen ∗∗∗ --------------------------------------------- Patches schließen mehrere Lücken in Sicherheitsprodukten von WithSecure ehemals F-Secure. --------------------------------------------- https://heise.de/-7189082 ∗∗∗ Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505) ∗∗∗ --------------------------------------------- The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect to the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven vulnerabilities were discovered. --------------------------------------------- https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulner… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, djangorestframework, gsasl, and openjdk-11), Fedora (giflib, openssl, python-ujson, and xen), Mageia (virtualbox), SUSE (git, gpg2, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, mozilla-nspr, mozilla-nss, mozilla-nss, python-M2Crypto, and s390-tools), and Ubuntu (php8.1). --------------------------------------------- https://lwn.net/Articles/902400/ ∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN77850327/ ∗∗∗ Multiple vulnerabilities in untangle ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN30454777/ ∗∗∗ K08152433: Intel processors MMIO stale data vulnerability CVE-2022-21166 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08152433/ ∗∗∗ Unify OpenScape Branch: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0814 ∗∗∗ Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-failed-attempt-to-regen… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics – Log Analysis (CVE-2019-17571, CVE-2020-9488) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23307). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics – Log Analysis (CVE-2021-44832, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4… ∗∗∗ Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics – Log Analysis ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-audit-events-query-facili… ∗∗∗ Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-session-cookie-used-by-ib… ∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.07.2022
by Daily end-of-shift report 22 Jul '22

22 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-07-2022 18:00 − Freitag 22-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SATAn-Attacke: Zweckentfremdetes SATA-Kabel funkt geheime Infos ∗∗∗ --------------------------------------------- Sicherheitsforscher, die auf Attacken auf abgeschottete Air-Gap-Systeme spezialisiert sind, haben eine neue Methode vorgestellt. --------------------------------------------- https://heise.de/-7186463 ∗∗∗ Confluence Security Advisory 2022-07-20 ∗∗∗ --------------------------------------------- Confluence hat zum 20. Juli 2022 das Security Advisory 2022-07-20 veröffentlicht und heute aktualisiert. Im Sicherheitshinweis geht es um Confluence-Konten mit fest kodierten Anmeldeinformationen, die von Questions for Confluence erstellt wurden. Das betrifft die Confluence-App für Confluence Server und Confluence Data Center. --------------------------------------------- https://www.borncity.com/blog/2022/07/21/confluence-security-advisory-2022-… ∗∗∗ Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too ∗∗∗ --------------------------------------------- After laying low, exploit seller Candiru rears its ugly head once more. --------------------------------------------- https://arstechnica.com/?p=1868594 ∗∗∗ Maldoc: non-ASCII VBA Identifiers, (Thu, Jul 21st) ∗∗∗ --------------------------------------------- I found a malicious Office document with VBA code where most of the identifiers (variables, function names, ...) consist solely out of characters that are not ASCII (.e.g, these characters have values between 128 and 255). --------------------------------------------- https://isc.sans.edu/diary/rss/28866 ∗∗∗ An Analysis of a Discerning Phishing Website , (Fri, Jul 22nd) ∗∗∗ --------------------------------------------- Cybercriminals and adversaries have long used phishing websites to obtain credentials and access systems they usually would not have access to. Indeed, it could be more cost-effective than other methods, such as buying zero-day vulnerabilities and weaponizing them. I was alerted to a phishing attempt and requested further details. After doing some analysis, I observed several differences and technological improvements that the adversaries had made as compared to the usual phishing attempts. --------------------------------------------- https://isc.sans.edu/diary/rss/28870 ∗∗∗ Month of PowerShell - Recording Your Session with Start-Transcript ∗∗∗ --------------------------------------------- PowerShell allows us to create a transaction file of all commands entered and output received, perfect for pentests, incident response, and more! --------------------------------------------- https://www.sans.org/blog/recording-your-session-with-start-transcript ∗∗∗ Cryptominers & WebAssembly in Website Malware ∗∗∗ --------------------------------------------- WebAssembly (also referred to as Wasm) is a binary instruction format that runs in the browser to enable high-performance applications on web pages and can be executed much faster than traditional JavaScript. WebAssembly can be executed in a variety of environments, including servers, IoT devices, and mobile or desktop apps — but was originally designed to run on the web. --------------------------------------------- https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware… ∗∗∗ An Easier Way to Keep Old Python Code Healthy and Secure ∗∗∗ --------------------------------------------- Python has its pros and cons, but its nonetheless used extensively. For example, Python is frequently used in data crunching tasks even when there are more appropriate languages to choose from. Why? Well, Python is relatively easy to learn. Someone with a science background can pick up Python much more quickly than, say, C. However, Pythons inherent approachability also creates a couple of problems. --------------------------------------------- https://thehackernews.com/2022/07/an-easier-way-to-keep-old-python-code.html ∗∗∗ Sh*Load Exploits (Episode V: Return of the Error) ∗∗∗ --------------------------------------------- Our first post in the Firmware Developers Need To Know blog series, Episode I: The Last Error, pointed out the benefits of adopting clean error codes. And then two weeks later, TLStorm, bam. Armis’ research engineers announced the discovery of three vulnerabilities in APC devices –the key problem – ignoring error codes! Unfortunately, little attention or thought is paid to error codes within firmware code (and many critical open source projects). --------------------------------------------- https://dellfer.com/shload-exploits-episode-v-return-of-the-error/ ∗∗∗ PART 1: How I Met Your Beacon – Overview ∗∗∗ --------------------------------------------- During this research we will outline a number of effective strategies for hunting for beacons, supported by our BeaconHunter tool that we developed to execute these strategies and which we intend to open source in due course. --------------------------------------------- https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/ ∗∗∗ Cloud Threat Detection: To Agent or Not to Agent? ∗∗∗ --------------------------------------------- Should you be using agents to secure cloud applications, or not? The answer depends on what exactly youre trying to secure. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/22/cloud-threat-detection-to-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-21 ∗∗∗ --------------------------------------------- IBM Cloud App Management, IBM Cloud Pak for Multicloud Management Monitoring, IBM Rational Build Forge, IBM Rational Build Forge, IBM Cloud App Management, IBM Tivoli Netcool Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (gnupg2, oci-seccomp-bpf-hook, suricata, and vim), Oracle (java-11-openjdk), Slackware (net), and SUSE (kernel, nodejs16, rubygem-rack, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/902184/ ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren, Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0797 ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Veritas NetBackup ausnutzen, um beliebigen Programmcode auszuführen oder seine Privilegien zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0801 ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann eine Schwachstelle in Veritas NetBackup ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszulösen, seine Privilegien zu erweitern und Verzeichnisse zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0802 ∗∗∗ F-Secure Linux Security: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in F-Secure Linux Security und F-Secure Internet Gatekeeper ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0803 ∗∗∗ AutomationDirect Stride Field I/O ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-05 ∗∗∗ ICONICS Suite and Mitsubishi Electric MC Works64 Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere, Out-of-Bounds Read vulnerabilities in the SCADA products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04 ∗∗∗ Rockwell Automation ISaGRAF Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the ISaGRAF Workbench. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-03 ∗∗∗ Johnson Controls Metasys ADS, ADX, OAS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Missing Authentication for Critical Function vulnerability in the Metasys ADS, ADX, OAS. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-02 ∗∗∗ ABB Drive Composer, Automation Builder, Mint Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerabilities in the ABB products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-01 ∗∗∗ Unauthenticated SQL Injection in SonicWall GMS and Analytics ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0007 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2022
by Daily end-of-shift report 21 Jul '22

21 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-07-2022 18:00 − Donnerstag 21-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Apple Patches Everything Day, (Wed, Jul 20th) ∗∗∗ --------------------------------------------- Apple today released its usual "surprise patch day" in updating all of its operating systems. There may still be specific Safari updates, but for currently supported operating systems, the operating system upgrades should include respective Safari/WebKit fixes. --------------------------------------------- https://isc.sans.edu/diary/rss/28862 ∗∗∗ New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems ∗∗∗ --------------------------------------------- A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. --------------------------------------------- https://thehackernews.com/2022/07/new-linux-malware-framework-let.html ∗∗∗ Outlook email users alerted to suspicious activity from Microsoft-owned IP address ∗∗∗ --------------------------------------------- People turn amateur sleuths to discover that the source of all those sign-ins seems to be in Redmond Strange things are afoot in the world of Microsoft email with multiple users reporting unusual sign-in notifications for their Outlook accounts. --------------------------------------------- https://www.theregister.com/2022/07/21/outlook_sign_ins/ ∗∗∗ [CVE-2022-34918] A crack in the Linux firewall ∗∗∗ --------------------------------------------- In our previous article Yet another bug into Netfilter, I presented a vulnerability found within the netfilter subsystem of the Linux kernel. During my investigation, I found a weird comparison that does not fully protect a copy within a buffer. It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22.04. --------------------------------------------- https://www.randorisec.fr/crack-linux-firewall/ ∗∗∗ Gitlab Project Import RCE Analysis (CVE-2022-2185) ∗∗∗ --------------------------------------------- At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly in the advisory, there was a mention of a post-auth RCE bug with CVSS 9.9. The bug exists in GitLab’s Project Imports feature, which was found by @vakzz. Incidentally, when I rummaged in the author’s h1 profile. I discovered that four months ago, he also found a bug in the import project feature. --------------------------------------------- https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-202… ∗∗∗ Cybercrime: Industriesteuerungen im Visier ∗∗∗ --------------------------------------------- Ein Passwort-Cracker mit Trojaner an Bord liefert Passwörter für programmierbare Industrie-Steuersysteme frei Haus und wirft damit eine wichtige Frage auf. --------------------------------------------- https://heise.de/-7185890 ∗∗∗ Vorsicht vor Shops mit Abo-Fallen ∗∗∗ --------------------------------------------- Sie suchen nach einem Produkt online – sei es Make-Up, Sportkleidung oder Tiernahrung. Plötzlich stoßen Sie auf ein gutes Angebot und das Produkt ist sogar 60 % billiger, wenn Sie VIP-Mitglied werden. Doch im Kleingedruckten steht: Mit diesem Einkauf schließen Sie eine automatische Clubmitgliedschaft und ein teures Abo ab. Vorsicht vor diesen unseriösen Abo-Fallen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-shops-mit-abo-fallen/ ∗∗∗ Shodan Verified Vulns 2022-07-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-07-01 sieht Shodan in Österreich die folgenden Schwachstellen: Verglichen mit Juni 2022 ist durch die Bank ein leichter Abwärtstrend zu erkennen (insgesamt von 9355 auf 8987 verifizierte Schwachstellen). Spitzenreiter sind noch immer CVE-2015-0204 (SSL FREAK, 4090) und CVE-2015-4000 (Logjam, 3193). Davor schon relativ gering vertreten (35), jedoch auffällig gesunken ist die Schwachstelle CVE-2021-43798 (Grafana Path Traversal Vulnerability, -80%). Ausreißer nach oben oder Neuzugänge gibt es nicht. --------------------------------------------- https://cert.at/de/aktuelles/2022/7/shodan-verified-vulns-2022-07-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability ∗∗∗ --------------------------------------------- Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "disabledsystemuser." --------------------------------------------- https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html ∗∗∗ Schadcode-Attacken mit Root-Rechten auf Cisco Nexus Dashboard möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Hard- und Software vom Netzwerkausrüster Cisco. --------------------------------------------- https://heise.de/-7185582 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (kernel and kernel-linus), SUSE (dovecot23), and Ubuntu (freetype, libxml-security-java, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/902011/ ∗∗∗ Request Tracker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Request Tracker ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen oder Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0788 ∗∗∗ Security Bulletin: IBM Tivoli Network Manager is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-1757) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-network-manage… ∗∗∗ Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager appliance (CVE-2022-24407, CVE-2020-25709, CVE-2020-25710) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses an Oracle JDBC jar with multiple vulnerabilities (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Security Verify Information Queue connect image (CVE-2020-9493, CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Wire Schema jar with multiple vulnerabilities (CVE-2020-27853, CVE-2021-41093) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Google gRPC framework with multiple vulnerabilities (CVE-2017-7860, CVE-2017-7861, CVE-2017-9431) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-38936) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple security vulnerabilities found in open source code that is shipped with IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: OpenSSL vulnerabilities in the IBM Security Verify Information Queue web server (CVE-2021-3711, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-i… ∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ CVE-2022-0778: Sicherheitslücken mit Denial of Service-Potential in OpenSSL ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts ∗∗∗ Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-015 ∗∗∗ Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-014 ∗∗∗ Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-013 *** Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012 *** --------------------------------------------- https://www.drupal.org/sa-core-2022-012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2022
by Daily end-of-shift report 20 Jul '22

20 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-07-2022 18:00 − Mittwoch 20-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken in GPS-Tracker von MiCODUS können Menschenleben gefährden ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer unter anderem PKWs der Regierung aus der Ferne stoppen könnten. Sicherheitspatches gibt es bislang nicht. --------------------------------------------- https://heise.de/-7184324 ∗∗∗ Phishing-Mail zu „unbefugten Aktivitäten“ ignorieren! ∗∗∗ --------------------------------------------- Aktuell kursiert eine Phishing Nachricht im Namen der Raiffeisen Bank, die nach einer Authentifizierung verlangt. Angeblich wurde eine Zahlung in Höhe von 1259,00 EUR vorgenommen, die blockiert wurde. Achtung: Es handelt sich lediglich um einen erfundenen Grund, mit dem Kriminelle Sie zum Klick auf eine Phishing-Seite bewegen wollen. Löschen Sie die Nachricht einfach! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-zu-unbefugten-aktivita… ∗∗∗ Breaking down CISs new software supply chain security guidance ∗∗∗ --------------------------------------------- Securing the software supply chain continues to be one of the most discussed topics currently among IT and cybersecurity leaders. A study by In-Q-Tel researchers shows a rapid rise in software supply chain attacks starting around 2016, going from almost none in 2015 to about 1,500 in 2020. The Cloud Native Computing Foundation’s (CNCF’s) catalog of software supply chain attacks also supports a rise in this attack vector. --------------------------------------------- https://www.csoonline.com/article/3666742/breaking-down-ciss-new-software-s… ∗∗∗ Luna and Black Basta — new ransomware for Windows, Linux and ESXi ∗∗∗ --------------------------------------------- This report discusses new ransomware, that targets Windows, Linux and ESXi systems: Luna written in Rust and Black Basta. --------------------------------------------- https://securelist.com/luna-black-basta-ransomware/106950/ ∗∗∗ PrestaShop Skimmer Concealed in One Page Checkout Module ∗∗∗ --------------------------------------------- PrestaShop is a popular freemium open source e-commerce platform used by hundreds of thousands of webmasters to sell products and services to website visitors. While PrestaShop’s CMS market share is only 0.8%, it should still come as no surprise that attackers have been crafting malware to specifically target environments who use this software. --------------------------------------------- https://blog.sucuri.net/2022/07/prestashop-skimmer-concealed-in-one-page-ch… ∗∗∗ LockBit: Ransomware Puts Servers in the Crosshairs ∗∗∗ --------------------------------------------- LockBit affiliates using servers to spread ransomware throughout networks. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ∗∗∗ Analysis of a trojanized jQuery script: GootLoader unleashed ∗∗∗ --------------------------------------------- In this blog post, we will perform a deep analysis into GootLoader, malware which is known to deliver several types of payloads, such as Kronos trojan, REvil, IcedID, GootKit payloads and in this case Cobalt Strike. --------------------------------------------- https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-goo… ∗∗∗ 4 Strategies for Achieving Greater Visibility in the Cloud ∗∗∗ --------------------------------------------- Here are four ways to put visibility at the center of your cloud security approach and better understand whats going on in your environment. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/20/4-strategies-for-achieving-grea… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Oracle sichert seine Produkte mit 349 Updates ab ∗∗∗ --------------------------------------------- Wichtige Sicherheitspatches schließen unter anderem kritische Lücken in Oracle-Anwendungen. --------------------------------------------- https://heise.de/-7184179 ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht Zyxel-Firewalls ∗∗∗ --------------------------------------------- Mehrere Firewall-Modelle von Zyxel sind über Sicherheitslücken attackierbar. --------------------------------------------- https://heise.de/-7184526 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang-github-gosexy-gettext, golang-github-hub, oci-seccomp-bpf-hook, and popub), Oracle (kernel and kernel-container), SUSE (python2-numpy), and Ubuntu (check-mk and pyjwt). --------------------------------------------- https://lwn.net/Articles/901879/ ∗∗∗ Chrome 103 Update Patches High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Google this week announced a Chrome update that resolves a total of 11 vulnerabilities in the browser, including six reported by external researchers. Of these, five are use-after-free issues, including four that are considered “high severity.” --------------------------------------------- https://www.securityweek.com/chrome-103-update-patches-high-severity-vulner… ∗∗∗ HCL BigFix: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in HCL BigFix ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0733 ∗∗∗ OpenJDK: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in OpenJDK ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder Dateien zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0746 ∗∗∗ Arista EOS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Arista EOS ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0761 ∗∗∗ Red Hat OpenShift (Logging Subsystem): Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift (Logging Subsystem) ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0707 ∗∗∗ Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-co… ∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is affected by a cross-site scripting vulnerability in jQuery-UI(CVE-2021-41184) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities in JQuery affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip… ∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – CVE-2021-45105 (affecting v2.16) and CVE-2021-45046 (affecting v2.15) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vul… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities in Expact library. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Cross-site Scripting (CVE-2022-22477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to improper certificate validation (CVE-2021-29755) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to infomation disclosured due to incorrect file permissions (CVE-2022-22424) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to infomarion discosure (CVE-2021-38936) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Java SE related to the JSSE component affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2022
by Daily end-of-shift report 19 Jul '22

19 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 18-07-2022 18:00 − Dienstag 19-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Authentication Risks Discovered in Okta Platform ∗∗∗ --------------------------------------------- Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction. --------------------------------------------- https://threatpost.com/risks-okta-sso/180249/ ∗∗∗ Requests For beacon.http-get. Help Us Figure Out What They Are Looking For, (Tue, Jul 19th) ∗∗∗ --------------------------------------------- Based on our First Seen URLs page, we started seeing more requests for 'beacon.http-get' these last few days. The requests are going back a while now but have been increasing. --------------------------------------------- https://isc.sans.edu/diary/rss/28856 ∗∗∗ Sicherheit bei Mac-Office: Microsoft fordert zur Systemaktualisierung auf ∗∗∗ --------------------------------------------- Nur mit den jüngsten Versionen von Monterey und Big Sur lassen sich Angriffe über Makro-Exploits verhindern, so der Konzern. --------------------------------------------- https://heise.de/-7182296 ∗∗∗ WhatsApp-Nachricht über einen Covid-19-Zuschuss von UNICEF ist Fake ∗∗∗ --------------------------------------------- Sie haben auf WhatsApp eine Nachricht von UNICEF erhalten? Man will Ihnen einen Covid-19-Zuschuss von 50.000 Euro überweisen? Vorsicht: Dabei handelt es sich um Betrug. Kriminelle geben sich als UNICEF aus und täuschen Spenden oder Gewinne vor. In Wirklichkeit will man Ihnen Geld stehlen! Antworten Sie nicht und blockieren Sie die Nummer! --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-nachricht-ueber-einen-covid… ∗∗∗ I see what you did there: A look at the CloudMensis macOS spyware ∗∗∗ --------------------------------------------- Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs --------------------------------------------- https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-clo… ∗∗∗ Riding the InfoRail to Exploit Ivanti Avalanche ∗∗∗ --------------------------------------------- I was able to quickly identify a chain of three vulnerabilities in the Ivanti Avalanche Web Application: [...] Even though this chain is powerful, its first part heavily depends on factors that are not within the attacker’s control. We can do better, right? --------------------------------------------- https://www.thezdi.com/blog/2022/7/19/riding-the-inforail-to-exploit-ivanti… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-18 ∗∗∗ --------------------------------------------- IBM UrbanCode Build, IBM UrbanCode Release, IBM Sterling Partner Engagement Manager, IBM MQ, App Connect professional, IBM WebSphere Application Server Liberty, IBM Tivoli Netcool Configuration Manager, IBM UrbanCode Build. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Angreifer könnten Juniper-Software mit Schadcode attackieren ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Juniper hat unter anderem in Contrail Networking kritische Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7183158 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (buildah), SUSE (dovecot23 and nodejs12), and Ubuntu (harfbuzz, libhttp-daemon-perl, tiff, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/901787/ ∗∗∗ EMC Avamar: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in EMC Avamar und EMC NetWorker ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0715 ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0713 ∗∗∗ Apache CloudStack: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszulösen und Serverdaten zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0711 ∗∗∗ Redis: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Redis ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0709 ∗∗∗ jQuery: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in jQuery ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0708 ∗∗∗ CVE-2022-30526 (Fixed): Zyxel Firewall Local Privilege Escalation ∗∗∗ --------------------------------------------- Rapid7 discovered a local privilege escalation vulnerability affecting Zyxel firewalls. The vulnerability allows a low privileged user, such as `nobody`, to escalate to `root` on affected firewalls. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/19/cve-2022-30526-fixed-zyxel-fire… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2022
by Daily end-of-shift report 18 Jul '22

18 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-07-2022 18:00 − Montag 18-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cybercrime und Trickbot-Leaks: "Wir zahlen Krankengeld und 13. Monatsgehalt" ∗∗∗ --------------------------------------------- Cybercrime goes Business: Ein Bewerbungsgespräch im Cybercrime-Untergrund zeigt eindrucksvoll, wie sehr sich organisiertes Verbrechen schon "normalisiert" hat. --------------------------------------------- https://heise.de/-7182800 ∗∗∗ Fake-Shop für Pellets und Brennholz kontaktiert Kund:innen auf WhatsApp ∗∗∗ --------------------------------------------- Aktuell boomen Fake-Shops für Brennholz, Pellets, Photovoltaik-Anlagen und Öfen. Der betrügerische Shop wibois.com gibt sich besonders viel Mühe, um Ihnen Geld zu stehlen. Neben professionell gestalteten Werbeanzeigen auf Facebook und Instagram, senden die Kriminellen Ihnen Bestellbestätigung und Überweisungsaufforderung auf WhatsApp. Das stiftet Vertrauen und vermittelt das Gefühl von Erreichbarkeit. Zahlen Sie nicht und blockieren Sie die Nummer! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-fuer-pellets-und-brennholz… ∗∗∗ Mit Sality-Malware infiziertes Passwort Cracking-Tool für Industrie-Steuerungen/Leitsysteme verteilt ∗∗∗ --------------------------------------------- Cyberkriminelle bewerben in sozialen Netzwerken wohl ein Tool, mit denen Kennwörter in Industriesteuerungen (ICS, PLCs) geknackt werden können. --------------------------------------------- https://www.borncity.com/blog/2022/07/16/mit-sality-malware-infiziertes-pas… ∗∗∗ Supply Chain Attack Technique Spoofs GitHub Commit Metadata ∗∗∗ --------------------------------------------- Security researchers at Checkmarx are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories. --------------------------------------------- https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-co… ∗∗∗ Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability ∗∗∗ --------------------------------------------- Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022. --------------------------------------------- https://msrc-blog.microsoft.com/2022/07/18/mitigation-for-azure-storage-sdk… ∗∗∗ Month of PowerShell - Working with the Event Log, Part 3 - Accessing Message Elements ∗∗∗ --------------------------------------------- In part 3 of Working with the Event Log we look at using a third-party function to make accessing event log data much easier. --------------------------------------------- https://www.sans.org/blog/working-with-the-event-log-part-3-accessing-messa… ∗∗∗ Month of PowerShell - Working with the Event Log, Part 4 - Tweaking Event Log Settings ∗∗∗ --------------------------------------------- In this final part of this series on working with the event log in PowerShell, we look at tips and commands for tweaking event log settings. --------------------------------------------- https://www.sans.org/blog/working-with-the-event-log-part-4-tweaking-event-… ∗∗∗ Genesis - The Birth of a Windows Process (Part 2) ∗∗∗ --------------------------------------------- In this second and final part of the series, we will go through the exact flow CreateProcess carries out to launch a process on Windows using the APIs and Data Structure we discussed in Part 1. --------------------------------------------- https://fourcore.io/blogs/how-a-windows-process-is-created-part-2 ===================== = Vulnerabilities = ===================== ∗∗∗ New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain ∗∗∗ --------------------------------------------- Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," [...] --------------------------------------------- https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, [...] --------------------------------------------- https://lwn.net/Articles/901699/ ∗∗∗ Log4J-Schwachstelle: Mittelstand schläft, DHS sieht Problem für Jahre ∗∗∗ --------------------------------------------- Die in Java ausnutzbare Log4Shell-Schwachstelle in der Log4j-Bibliothek steckt mutmaßlich in vielen Systemen bzw. Software-Paketen. Das Problem dürfte uns noch für Jahre tangieren, schätzen Experten und im deutschen Mittelstand ist das noch nicht angekommen. Auch das Department of Homeland Security [...] --------------------------------------------- https://www.borncity.com/blog/2022/07/17/log4j-schwachstelle-mittelstand-sc… ∗∗∗ SonicWall Switch Post-Authenticated Remote Code Execution ∗∗∗ --------------------------------------------- A vulnerability in SonicWall Switch 1.1.1.0-2s and earlier allows an authenticated malicious user to perform remote code execution in the host system. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0013 ∗∗∗ Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-027/ ∗∗∗ Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-022/ ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: The CVE-2022-34305 vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-cve-2022-34305-vulner… ∗∗∗ Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities due to its use of IBM JAVA (CVE-2021-35560, CVE-2021-35578, CVE-2021-35565, CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-attacker-that-gains-se… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial server due to its use of Apache Xerces2 (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects PowerVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: The vulnerability CVE-2022-21299 in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-vulnerability-cve-202… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS (CVE-2021-22918, CVE-2021-22960, CVE-2021-22959) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op… ∗∗∗ Security Bulletin: Vulnerability in the jackson-databind component affects IBM Event Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-jack… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2022