Daily July 2022

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 15.07.2022
by Daily end-of-shift report 15 Jul '22

15 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-07-2022 18:00 − Freitag 15-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Callback-Phishing: Dringender Rückruf erbeten ∗∗∗ --------------------------------------------- Angreifer geben sich in E-Mails als Sicherheitsunternehmen aus und bitten um einen Rückruf. Doch statt einer Überprüfung wird der Rechner gehackt. --------------------------------------------- https://www.golem.de/news/callback-phishing-dringender-rueckruf-erbeten-220… ∗∗∗ Android-Malware mit 3 Millionen Installationen aus Google Play entfernt ∗∗∗ --------------------------------------------- Die Android-Malware Autolycos hat es auf insgesamt drei Millionen Installationen gebracht. Nach der Entdeckung hat Google die betroffenen Apps entfernt. --------------------------------------------- https://heise.de/-7180469 ∗∗∗ Windows Autopatch ab sofort allgemein verfügbar ∗∗∗ --------------------------------------------- Automatisch abgesicherte Updates für Windows verspricht Microsoft mit Autopatch – Administratoren steht so deutlich weniger händische Arbeit ins Haus. --------------------------------------------- https://heise.de/-7180876 ∗∗∗ Was kann ich bei Problemen mit Klarna tun? ∗∗∗ --------------------------------------------- „Das Produkt ist noch gar nicht gekommen, trotzdem will Klarna, das ich bezahle.“ „Klarna schickt trotz Rücksendung Mahnungen.“ „Ich habe Ramsch bekommen, Klarna fordert aber eine Zahlung.“ Immer wieder berichten uns Konsument:innen von Problemen mit Klarna und sind ratlos. Wir zeigen Ihnen, was Sie bei ungerechtfertigten Zahlungsaufforderungen und Mahnungen von Klarna tun können. --------------------------------------------- https://www.watchlist-internet.at/news/was-kann-ich-bei-problemen-mit-klarn… ∗∗∗ YouTuber-Cash: Vorsicht vor Abzocke ∗∗∗ --------------------------------------------- YouTube-Videos schauen und damit Geld verdienen? Angebote wie das von youtuber.ltd klingen verlockend, doch statt der Auszahlung warten Abzocke-Maschen auf Sie. Vertrauen Sie keinen Versprechen online, schnell viel Geld zu verdienen! Die Kriminellen, die hinter diesen Angeboten stecken sind lediglich auf Ihre Daten oder Ihr Geld aus. --------------------------------------------- https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/ ∗∗∗ WordPress: Schwachstelle in Kaswara Modern WPBakery Page Builder wird angegriffen ∗∗∗ --------------------------------------------- WordPress-Nutzer, die das Kaswara Modern WPBakery Page Builder im Einsatz haben, sollten zügig handeln. In älteren Fassungen ist die Schwachstelle CVE-2021-24284 enthalten, die eine Übernahme der WordPress-Installation ermöglicht. --------------------------------------------- https://www.borncity.com/blog/2022/07/15/wordpress-schwachstelle-in-kaswara… ∗∗∗ New Phishing Kit Hijacks WordPress Sites for PayPal Scam ∗∗∗ --------------------------------------------- Attackers use scam security checks to steal victims government documents, photos, banking information, and email passwords, researchers warn. --------------------------------------------- https://www.darkreading.com/attacks-breaches/new-phishing-kit-hijacks-wordp… ∗∗∗ The real reason why malware detection is hard—and underestimated ∗∗∗ --------------------------------------------- Researchers develop an AI with a 98% malware detection rate and 5% false positive rate. If you think this is a splendid technology for antivirus software, this article might change your mind. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard ∗∗∗ Month of PowerShell: Working with Log Files ∗∗∗ --------------------------------------------- In this article we look at how we can leverage PowerShells object-passing pipeline to parse and retrieve data from an IIS web server log file. --------------------------------------------- https://www.sans.org/blog/powershell-working-with-log-files ∗∗∗ Software Vendors Start Patching Retbleed CPU Vulnerabilities ∗∗∗ --------------------------------------------- Vendors have started rolling out software updates to address the recently disclosed Retbleed speculative execution attack targeting Intel and AMD processors. --------------------------------------------- https://www.securityweek.com/software-vendors-start-patching-retbleed-cpu-v… ∗∗∗ Powerful Mantis DDoS Botnet Hits 1,000 Organizations in One Month ∗∗∗ --------------------------------------------- Web protection firm Cloudflare warns that a small but powerful botnet has launched distributed denial-of-service (DDoS) attacks on roughly 1,000 organizations over the past month alone. --------------------------------------------- https://www.securityweek.com/powerful-mantis-ddos-botnet-hits-1000-organiza… ∗∗∗ Digium Phones Under Attack: Insight Into the Web Shell Implant ∗∗∗ --------------------------------------------- We witnessed more than 500,000 unique samples of malicious traffic targeting Digium Asterisk software for VoIP phone devices. --------------------------------------------- https://unit42.paloaltonetworks.com/digium-phones-web-shell/ ∗∗∗ CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Quintin Crist of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows operating system, originally discovered and reported by Yuki Chen. The bug is found in the implementation of Network File System (NFS)and is due to improper handling of NFSv4 requests. An unauthenticated attacker could exploit this bug to execute arbitrary code in the context of SYSTEM. --------------------------------------------- https://www.thezdi.com/blog/2022/7/13/cve-2022-30136-microsoft-windows-netw… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Update Available for Adobe InDesign APSB22-30 ∗∗∗ --------------------------------------------- Adobe has released a security update for Adobe InDesign. This update addresses multiple critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. --------------------------------------------- https://helpx.adobe.com/security/products/indesign/apsb22-30.html ∗∗∗ Security Update Available for Adobe InCopy APSB22-29 ∗∗∗ --------------------------------------------- Adobe has released a security update for Adobe InCopy. This update addresses multiple  critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. --------------------------------------------- https://helpx.adobe.com/security/products/incopy/apsb22-29.html ∗∗∗ ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access ∗∗∗ --------------------------------------------- ABB is aware of private reports of a vulnerability in the flow computer and remote controller product versions listed above. A flash update is available that resolves the vulnerability in the product versions listed above. Mitigation can be accomplished by proper network segmentation [...] --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&Lan… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (curl, kernel, openssl1.1, php, subversion, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (grub2), SUSE (gnutls, kernel, logrotate, oracleasm, p11-kit, and python-PyJWT), and Ubuntu (libhttp-daemon-perl and python2.7, python3.10, python3.4, python3.5, python3.6, python3.8, python3.9). --------------------------------------------- https://lwn.net/Articles/901412/ ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0696 ∗∗∗ SonicWall Hosted Email Security Capture ATP Bypass ∗∗∗ --------------------------------------------- Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0014 ∗∗∗ OpenSSL c_rehash script allows command injection CVE-2022-1292 ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2022-1292) was found in OpenSSL c_rehash script. This is due to shell metacharacters not being properly sanitized, resulting in command injection. An attacker could execute arbitrary commands with the privileges of the script. After review, it has been determined that vulnerability tracked as CVE-2022-1292 is not applicable to the SonicWall product suite. However, SonicWall has decided to update the impacted OpenSSL package to the fixed version (OpenSSL 1.1.1o) [...] --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011 ∗∗∗ SolarWinds Dameware: Schwachstelle ermöglicht Nutzerzugriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0697 ∗∗∗ Mattermost: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0695 ∗∗∗ Autodesk AutoCAD: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0694 ∗∗∗ Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-35618 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed… ∗∗∗ Security Bulletin: Vulnerability in Json-schema library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json-sch… ∗∗∗ Security Bulletin: Vulnerability in Axios affects IBM Process Mining . CVE-2022-1214 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-axios-af… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by follow-redirects vulnerabilities (CVE-2022-0155 and CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2022
by Daily end-of-shift report 14 Jul '22

14 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-07-2022 18:00 − Donnerstag 14-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Month of PowerShell - Working with the Event Log, Part 2 - Threat Hunting with Event Logs ∗∗∗ --------------------------------------------- We continue our look at working with the Windows event log using PowerShell with 10 threat hunting techniques. --------------------------------------------- https://www.sans.org/blog/working-with-event-log-part-2-threat-hunting-with… ∗∗∗ Introducing Decompiler Explorer ∗∗∗ --------------------------------------------- Today, we’re releasing a little side project a few of our developers have been working with the community on: the Decompiler Explorer! This new (free, open source) web service lets you compare the output of different decompilers on small executables. In other words: It’s basically the same thing as Matt Godbolt’s awesome Compiler Explorer, but in reverse. --------------------------------------------- https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html ∗∗∗ CVE-2022-29885 - Dont Open That Port - A Denial Of Service vulnerability on Apache Tomcat Cluster Service Listener ∗∗∗ --------------------------------------------- While performing the analysis I discovered that this was a part of a research made by 4ra1n, who reported the issue to the Apache Tomcat Security Team on 17 April 2022 and marked as CVE-2022-29885. Nonetheless, I had no luck finding a suitable PoC of the vulnerability. --------------------------------------------- https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/ ∗∗∗ Genesis - The Birth of a Windows Process (Part 1) ∗∗∗ --------------------------------------------- This is the first part of a two part series. In this post, I cover how Windows spawns a process, the various APIs and data structures involved and different types of processess available on Windows. The Windows API provides several functions for creating a process. We will go through some of the important APIs and structures Win32 offers before diving into the process creation procedure. --------------------------------------------- https://fourcore.io/blogs/how-a-windows-process-is-created-part-1 ∗∗∗ Exploiting Arbitrary Object Instantiations in PHP without Custom Classes ∗∗∗ --------------------------------------------- PHP’s Arbitrary Object Instantiation is a flaw in which an attacker can create arbitrary objects. This flaw can come in all shapes and sizes. --------------------------------------------- https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/ ∗∗∗ “RedAlert,” LILITH and 0mega leading a wave of Ransomware Campaigns ∗∗∗ --------------------------------------------- Multiple new ransomware groups have surfaced recently, highlighting the adoption of ransomware attacks by TAs for monetary gains. --------------------------------------------- https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/ ∗∗∗ Office-Nutzer im Visier: Phishing-Kampagne umgeht Multi-Faktor-Authentifizierung ∗∗∗ --------------------------------------------- Microsofts Sicherheitsforscher haben eine große Phishing-Kampagne aufgedeckt. Dabei stehlen Angreifer Session-Cookies, um MFA-Schutzmaßnahmen zu umgehen. --------------------------------------------- https://heise.de/-7179750 ∗∗∗ PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin. --------------------------------------------- https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-buil… ∗∗∗ YouTuber-Cash: Vorsicht vor Abzocke ∗∗∗ --------------------------------------------- YouTube-Videos schauen und damit Geld verdienen? Angebote wie das von youtuber.ltd klingen verlockend, doch statt der Auszahlung warten Abzocke-Maschen auf Sie. Vertrauen Sie keinen Versprechen online, schnell viel Geld zu verdienen! --------------------------------------------- https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/ ===================== = Vulnerabilities = ===================== ∗∗∗ X.org servers update closes 2 security holes, adds neat component tweaks ∗∗∗ --------------------------------------------- Arbitrary code execution flaws in the X Keyboard Extension were bad news X.org has released a bunch of updates, which includes closing two security holes and, yes, this affects Wayland users too. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/07/13/xorg_servers… ∗∗∗ Tableau Server Leaks Sensitive Information From Reflected XSS ∗∗∗ --------------------------------------------- GoSecure Titan Labs has identified a vulnerability within the Tableau Server that could allow malicious actors to extract sensitive data from the application. Tableau Server is an analytics platform owned by Salesforce used to see and understand data. --------------------------------------------- https://www.gosecure.net/blog/2022/07/13/tableau-server-leaks-sensitive-inf… ∗∗∗ IBM Security Bulletins 2022-07-13 ∗∗∗ --------------------------------------------- IBM Db2, IBM MQ Appliance, IBM i, IBM WebSphere Application Server, IBM Engineering Lifecycle Optimization, IBM Cloud Pak, IBM Netezza Platform, IBM Security Verify Information Queue, IBM Security Verify Governance. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lücke in VMware vCenter Server und Cloud Foundation zum Teil abgedichtet ∗∗∗ --------------------------------------------- In VMwares vCenter Server und der Cloud Foundation klafft eine Sicherheitslücke in der Integrated Windows Authentication. Nun gibt es ein Software-Update. --------------------------------------------- https://heise.de/-7179181 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (request-tracker4), Fedora (kernel and vim), Mageia (gerbv, gnupg2, pgadmin4, and python-coookiecutter), Slackware (xorg), SUSE (cifs-utils, gmp, gnutls, libnettle, kernel, libsolv, libzypp, zypper, logrotate, openssl-1_1, opera, squid, and virglrenderer), and Ubuntu (ca-certificates, git, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-kvm, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-aws, linux-oem-5.14, and vim). --------------------------------------------- https://lwn.net/Articles/901190/ ∗∗∗ UEFI-Firmware-Bug gefährdet über 70 Lenovo Notebooks (Juli 2022) ∗∗∗ --------------------------------------------- Hinweis für Blog-Leser und -Leserinnen, die Notebooks von Lenovo (und IBM) verwenden. Sicherheitsforscher von ESET haben gravierenden Schwachstellen in der UEFI-Firmware von Lenovo Notebooks gefunden, die eine Übernahme des Betriebssystems in der frühen Boot-Phase ermöglicht. --------------------------------------------- https://www.borncity.com/blog/2022/07/14/uefi-firmware-bug-gefhrdet-ber-70-… ∗∗∗ Internet Explorer 11: Update KB5015805 (12. Juli 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 12. Juli 2022 ein Sicherheitsupdate (KB5015805) für den Internet Explorer freigegeben. Dieses ist aber nur für ausgesuchte Windows-Versionen als kumulatives Update separat erhältlich. Hier ein Überblick über diesen Patch, der Schwachstellen im Browser schließen soll. --------------------------------------------- https://www.borncity.com/blog/2022/07/14/internet-explorer-11-update-kb5015… ∗∗∗ Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-048 ∗∗∗ K14335949: Intel processors vulnerability CVE-2022-24436 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14335949 ∗∗∗ K43357358: AMD processors vulnerability CVE-2022-23823 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43357358 ∗∗∗ Juniper JUNOS (EX, MX, PTX, QFX Series): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0684 ∗∗∗ Juniper JUNOS (Verschiedene Plattformen): Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0683 ∗∗∗ Lenovo XClarity: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0687 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2022
by Daily end-of-shift report 13 Jul '22

13 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-07-2022 18:00 − Mittwoch 13-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud ∗∗∗ --------------------------------------------- A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA). --------------------------------------------- https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec… ∗∗∗ Using Referers to Detect Phishing Attacks, (Wed, Jul 13th) ∗∗∗ --------------------------------------------- Referers are useful information for webmasters and system administrators that would like to have a better overview of the visitors browsing their websites. The referer is an HTTP header that identifies the address of the web page from which the resource has been requested. --------------------------------------------- https://isc.sans.edu/diary/rss/28836 ∗∗∗ Infected WordPress Site Reveals Malicious C&C Script ∗∗∗ --------------------------------------------- Cryptomining infections accounted for less than 4% of total detections last year. Despite the fact that CoinHive – one of the most popular JavaScript based miners – shut down its operations in 2019, we still find occasional infections on compromised environments during remote and server-side scans. --------------------------------------------- https://blog.sucuri.net/2022/07/infected-wordpress-site-reveals-malicious-c… ∗∗∗ Researchers Uncover New Attempts by Qakbot Malware to Evade Detection ∗∗∗ --------------------------------------------- The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection. --------------------------------------------- https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html ∗∗∗ Open-Source-Tool von Microsoft erstellt "Software Bill of Materials" ∗∗∗ --------------------------------------------- Das SBOM-Tool Salus listet alle Komponenten und Dependencies von Projekten auf, um potenzielle Schwachstellen in der Software Supply Chain aufzuspüren. --------------------------------------------- https://heise.de/-7177889 ∗∗∗ Vorsicht vor Fake-Shops am Energiesektor! ∗∗∗ --------------------------------------------- Zahlreichen Fake-Shops mit Brennholz, lassen Kriminelle nun Photovoltaik-Shops wie solanex.de und solarnetz.at folgen. Die aktuelle Energiekrise soll offenbar maximal ausgenützt werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-am-energiese… ∗∗∗ Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption ∗∗∗ --------------------------------------------- We show how metadata encryption and decryption contributes to making Cobalt Strike an effective emulator that is difficult to defend against. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decry… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in AMD Prozessoren ausnutzen, um beliebigen Programmcode auszuführen oder Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0665 ∗∗∗ Intel Prozessoren: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Intel Prozessoren ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0650 ∗∗∗ Microsoft Security Update Summary (12. Juli 2022) ∗∗∗ --------------------------------------------- Am 12. Juli 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen zudem 84 Schwachstellen, davon einen 0-day. --------------------------------------------- https://www.borncity.com/blog/2022/07/12/microsoft-security-update-summary-… ∗∗∗ Adobe dichtet teils kritische Lücken ab ∗∗∗ --------------------------------------------- In Adobe Acrobat und Reader, Photoshop, RoboHelp und Character Animator schließt der Hersteller Sicherheitslücken. Einige sind kritisch. --------------------------------------------- https://heise.de/-7177696 ∗∗∗ IBM Security Bulletins 2022-07-12 ∗∗∗ --------------------------------------------- IBM Answer Retrieval for Watson Discovery, IBM Event Streams, IBM QRadar Network Security, IBM Cloud, Content Manager OnDemand, IBM Rational Build Forge, IBM App Connect Enterprise, IBM Sterling Connect, Digital Certificate Manager, Enterprise Content Management System Monitor. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/901029/ ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Ruby on Rails ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0662 ∗∗∗ ZDI-22-968: BMC Track-It! HTTP Module Improper Access Control Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-968/ ∗∗∗ ZDI-22-967: BMC Track-It! GetPopupSubQueryDetails SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-967/ ∗∗∗ VMSA-2022-0020 - VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0020.html ∗∗∗ VMSA-2022-0019 - VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0019.html ∗∗∗ VMSA-2022-0018 - VMware vCenter Server updates address a server-side request forgery vulnerability ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0018.html ∗∗∗ Dahua ASI7213X-T1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-193-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2022
by Daily end-of-shift report 12 Jul '22

12 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 11-07-2022 18:00 − Dienstag 12-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IBM-Middleware: Schwachstelle in MQ kann zu Rechtausweitung führen ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in IBM MQ ermöglichen Angreifern, ihre Rechte an betroffenen Systemen auszuweiten oder diese lahmzulegen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7169603 ∗∗∗ Wurm-Infektion: Malware-Kampagne Raspberry Robin befällt Windows und Qnap-NAS ∗∗∗ --------------------------------------------- IT-Forscher von Cybereason haben einen Netzwerkwurm entdeckt, der sich auf Windows- und Qnap-Geräten verbreitet. Sie nennen die Kampagne Raspberry Robin. --------------------------------------------- https://heise.de/-7170350 ∗∗∗ Month of PowerShell: Threat Hunting with PowerShell Differential Analysis ∗∗∗ --------------------------------------------- One of the most powerful techniques for threat hunting on Windows: differential analysis. --------------------------------------------- https://www.sans.org/blog/threat-hunting-with-powershell-differential-analy… ∗∗∗ CVE-2022-29593- Authentication Bypass by Capture Replay (Dingtian-DT-R002) ∗∗∗ --------------------------------------------- This blog post describes an authentication bypass within one such device, that allows an attacker with access to the IP network the ability to capture and subsequently replay discrete device commands, which allows for the switching on and off the physical relays on the device. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-29… ∗∗∗ Exploiting Authentication in AWS IAM Authenticator for Kubernetes ∗∗∗ --------------------------------------------- During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities. --------------------------------------------- https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aw… ∗∗∗ Scanning for security.txt files ∗∗∗ --------------------------------------------- RFC 9116 was written by E. Foudil and Y. Shafranovich and left draft status in April 2022. This RFC formally defines the unofficial security.txt file that has been an unofficial standard for many years, initially created back in 2017 and documented at https://securitytxt.org/. --------------------------------------------- https://www.pentestpartners.com/security-blog/scanning-for-security-txt-fil… ∗∗∗ ChromeLoader: New Stubborn Malware Campaign ∗∗∗ --------------------------------------------- A malicious browser extension is the payload of the ChromeLoader malware family, serving as adware and an infostealer, leaking users’ search queries. --------------------------------------------- https://unit42.paloaltonetworks.com/chromeloader-malware/ ∗∗∗ Is exploiting a null pointer deref for LPE just a pipe dream? ∗∗∗ --------------------------------------------- A lot of blog posts I have read go over interesting vulnerabilities and exploits but do not typically share the process behind discovery. I want to show how sometimes just manually poking around can quickly uncover vulnerabilities you might miss with other approaches to vulnerability discovery. --------------------------------------------- https://www.thezdi.com/blog/2022/6/1/is-exploiting-a-null-pointer-deref-for… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-962: Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-962/ ∗∗∗ Siemens ProductCERT published 19 and updated 15 advisories/bulletins ∗∗∗ --------------------------------------------- Opcenter Quality, SINAMICS PERFECT HARMONY GH180 Drives, EN100 Ethernet Module, RUGGEDCOM ROS, SIMATIC WinCC, Teamcenter Visualization, JT2Go, Industrial Products, TIA Administrator, Mendix Excel Importer Module, RUGGEDCOM ROX, SIMATIC eaSie Core Package, SCALANCE X Switches, SIMATIC CP Devices, Mendix Applications, SICAM A8000 Devicesm Simcenter Femap, PROFINET Stack, PADS Standard/Plus Viewer, SIMATIC S7-1500, Mendix, SIMATIC MV500 Devices, OPC Foundation Local Discovery Server, OPC-UA, Parasolid, SICAM GridEdge. --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-07#Sec… ∗∗∗ SAP-Patchday: 20 neue Sicherheitslücken im Juli abgedichtet ∗∗∗ --------------------------------------------- Mit den Updates zum Juli-Patchday schließt SAP 20 neue Sicherheitslücken. Zudem aktualisiert der Hersteller drei ältere Security-Bulletins. --------------------------------------------- https://heise.de/-7170698 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap). --------------------------------------------- https://lwn.net/Articles/900855/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ TYPO3-EXT-SA-2022-014: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-014 ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0641 ∗∗∗ Symantec Advanced Secure Gateway: Schwachstelle ermöglicht Manipulation und Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0638 ∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-24921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to Node.js ejs module (CVE-2022-29078) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses Apache LDAP API with a known vulnerability (CVE-2018-1337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-modernization-engin… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Postgresql shipped with IBM Tivoli Netcool Impact (CVE-2022-26520, CVE-2022-21724, WS-2022-0080) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-29526) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2022
by Daily end-of-shift report 11 Jul '22

11 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-07-2022 18:00 − Montag 11-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New 0mega ransomware targets businesses in double-extortion attacks ∗∗∗ --------------------------------------------- A new ransomware operation named 0mega targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets… ∗∗∗ Hackers Exploiting Follina Bug to Deploy Rozena Backdoor ∗∗∗ --------------------------------------------- A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. --------------------------------------------- https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html ∗∗∗ Raspberry Robin Windows Worm Abuses QNAP Devices ∗∗∗ --------------------------------------------- A recently discovered Windows worm is abusing compromised QNAP network-attached storage (NAS) devices as stagers to spread to new systems, according to Cybereason. Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives. --------------------------------------------- https://www.securityweek.com/raspberry-robin-windows-worm-abuses-qnap-devic… ∗∗∗ The History and Evolution of Zero Trust ∗∗∗ --------------------------------------------- “The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning”. --------------------------------------------- https://www.securityweek.com/history-and-evolution-zero-trust ∗∗∗ WhatsApp: Kriminelle geben sich als Ihr Kind aus ∗∗∗ --------------------------------------------- „Hallo Papa. Mein Handy ist kaputt. Das ist meine neue Nummer.“ Vorsicht: Diese Nachricht könnte von Kriminellen stammen. Werden Sie um eine Überweisung gebeten, handelt es sich eindeutig um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-kriminelle-geben-sich-als-i… ∗∗∗ SELECT XMRig FROM SQLServer ∗∗∗ --------------------------------------------- Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month. --------------------------------------------- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in node.js abgedichtet ∗∗∗ --------------------------------------------- Neue Versionen der node.js-Laufzeitumgebung beheben sicherheitskritische Fehler mit hohem Risiko. Angreifer könnten Opfern dadurch Schadcode unterjubeln. --------------------------------------------- https://heise.de/-7167912 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python). --------------------------------------------- https://lwn.net/Articles/900670/ ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um einen Denial of Service Angriff durchzuführen, beliebigen Code auszuführen, Speicher zu verändern und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0630 ∗∗∗ ZDI-22-959: (0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-959/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2021-23337 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23337/ ∗∗∗ Security Bulletin: CVE-2020-28500 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-28500/ ∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203-2/ ∗∗∗ Security Bulletin: IBM Content Manager Enterprise Edition is is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-enter… ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203/ ∗∗∗ Security Bulletin: CVE-2021-23369 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23369/ ∗∗∗ Security Bulletin: CVE-2020-7774 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-7774/ ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ K40582331: Apache HTTP server vulnerability CVE-2022-28615 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K40582331 ∗∗∗ K08006936: Apache Commons Configuration vulnerability CVE-2022-33980 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08006936 ∗∗∗ K74251611: Linux kernel vulnerability CVE-2021-38166 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74251611 ∗∗∗ K36462841: Linux kernel vulnerability CVE-2018-18281 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36462841 ∗∗∗ ILIAS: Schwachstelle ermöglicht Erlangen von Benutzerrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0629 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2022
by Daily end-of-shift report 08 Jul '22

08 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-07-2022 18:00 − Freitag 08-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gesundheitseinrichtungen im Visier nordkoreanischer Cyberkrimineller ∗∗∗ --------------------------------------------- US-amerikanische Sicherheitsbehörden warnen vor der Maui-Ransomware. Mit ihr greifen nordkoreanische Cybergangs Organisationen des Gesundheitswesens an. --------------------------------------------- https://heise.de/-7166692 ∗∗∗ Free decryptor released for AstraLocker, Yashma ransomware victims ∗∗∗ --------------------------------------------- New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ SiteCheck Malware Trends Report – Q2 2022 ∗∗∗ --------------------------------------------- Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote scanners may not provide as comprehensive of a scan as server-side scanners, they allow users to instantly identify malicious code and detect security issues on their website without installing any software or applications. --------------------------------------------- https://blog.sucuri.net/2022/07/sitecheck-malware-trends-report-q2-2022.html ∗∗∗ Over 1,200 NPM Packages Found Involved in "CuteBoi" Cryptomining Campaign ∗∗∗ --------------------------------------------- Researchers have disclosed what they say could be an attempt to kick-off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts. --------------------------------------------- https://thehackernews.com/2022/07/over-1200-npm-packages-found-involved.html ∗∗∗ Koh: The Token Stealer ∗∗∗ --------------------------------------------- In this post I will introduce a toolkit called Koh that can indefinitely (..) harvest and reuse tokens for accounts that connect to a machine you have administrative rights on. I’ll go over the motivation for this approach, the technical background of why it’s possible and what changed in 2016, and briefly show what Koh can do. --------------------------------------------- https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6 ∗∗∗ New HavanaCrypt Ransomware Distributed as Fake Google Software Update ∗∗∗ --------------------------------------------- Security researchers at Trend Micro have identified a new ransomware family that is being delivered as a fake Google Software Update application. --------------------------------------------- https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-go… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-07 ∗∗∗ --------------------------------------------- IBM QRadar Network Security, IBM Engineering Lifecycle Management, IBM Rational Build Forge, IBM Tivoli Netcool/Omnibus, IBM Tivoli Network Manager, IBM Engineering Lifecycle Management, IBM CICS TX Standard, IBM CICS TX Advanced, IBM WebSphere Application Server Liberty, IBM Security Verify Information Queue, IBM Event Streams. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Root-Lücke in Dell-EMC-Software geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit Dell PowerProtect Cyber Recovery oder Cloud Mobility for Dell EMC Storage attackieren. Hiergegen gibt es jetzt ein Update. --------------------------------------------- https://heise.de/-7166118 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (direnv, golang-github-mattn-colorable, matrix-synapse, pypy3.7, pypy3.8, and pypy3.9), Oracle (squid), SUSE (curl, openssl-1_1, pcre, python-ipython, resource-agents, and rsyslog), and Ubuntu (nss, php7.2, and vim). --------------------------------------------- https://lwn.net/Articles/900443/ ∗∗∗ NetApp ActiveIQ Unified Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in NetApp ActiveIQ Unified Manager ausnutzen, um Informationen offenzulegen, Daten zu manipulieren oder zu verändern und einen Denial of Service Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0608 ∗∗∗ Red Hat FUSE: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat FUSE ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuführen, einen Denial of Service Zustand herbeizuführen, Sicherheitsmaßnahmen zu umgehen, Daten und Informationen zu manipulieren und seine Privilegien zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0607 ∗∗∗ July 7th 2022 Security Releases ∗∗∗ --------------------------------------------- Updates are now available for the v18.x, v16.x, and v14.x Node.js release [...] --------------------------------------------- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases ∗∗∗ Exploitation of Mitel MiVoice Connect SA CVE-2022-29499 ∗∗∗ --------------------------------------------- Mitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible. Appliances should not be exposed to the open internet. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-c… ∗∗∗ ZDI-22-955: Sante PACS Server SQL Injection Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-955/ ∗∗∗ K06524534: Linux kernel vulnerability CVE-2021-22555 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06524534 ∗∗∗ K49622415: Apache Tomcat vulnerability CVE-2022-25762 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49622415 ∗∗∗ 10 Vulnerabilities Found in Widely Used Robustel Industrial Routers ∗∗∗ --------------------------------------------- https://www.securityweek.com/10-vulnerabilities-found-widely-used-robustel-… ∗∗∗ Eclipse Jetty: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0614 ∗∗∗ Foxit PDF Editor: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0613 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0622 ∗∗∗ Rockwell Automation MicroLogix ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-188-01 ∗∗∗ Bently Nevada ADAPT 3701/4X Series and 60M100 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-188-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2022
by Daily end-of-shift report 07 Jul '22

07 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-07-2022 18:00 − Donnerstag 07-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ransomware, hacking groups move from Cobalt Strike to Brute Ratel ∗∗∗ --------------------------------------------- Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-mo… ∗∗∗ Online programming IDEs can be used to launch remote cyberattacks ∗∗∗ --------------------------------------------- Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/online-programming-ides-can-… ∗∗∗ Automating binary vulnerability discovery with Ghidra and Semgrep ∗∗∗ --------------------------------------------- Semgrep is a static analysis tool that works on source code, but thanks to Haruspex we can leverage its power also against closed source binaries. --------------------------------------------- https://security.humanativaspa.it/automating-binary-vulnerability-discovery… ∗∗∗ Liste betrügerischer Investitionsplattformen ∗∗∗ --------------------------------------------- Betrügerische Investitionsplattformen versprechen hohe Gewinne – risikofrei und ohne Finanzwissen. Der Handel erfolgt automatisiert oder mit persönlicher Beratung. Bereits mit kleinen Investitionen können angeblich hohe Gewinne erzielt werden. Klingt sehr verlockend, ist aber Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/liste-betruegerischer-investitionspl… ∗∗∗ AsyncRAT Being Distributed to Vulnerable MySQL Servers ∗∗∗ --------------------------------------------- The ShadowServer foundation has recently released a report showing that there are about 3.6 million MySQL servers exposed to outside. --------------------------------------------- https://asec.ahnlab.com/en/36315/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt aktualisieren! Codeschmuggel durch Lücke in OpenSSL möglich∗∗∗ --------------------------------------------- Die gravierendere Schwachstelle betrifft OpenSSL 3.0.4, das am 21. Juni veröffentlicht wurde. Darin haben die Entwickler laut eigener Beschreibung einen ernsthaften Fehler eingebaut, der die RSA-Implementierung auf Prozessoren mit Unterstützung für die AVX-512 IFMA-Befehlssatzerweiterung betrifft. Die Implementierung mit privaten Schlüsseln mit 2048-Bit ist nicht korrekt und ein Speicherfehler tritt bei der Berechnung auf. Ein Angreifer könnte als Folge davon aus dem Internet Code einschleusen und ausführen (CVE-2022-2274, noch kein CVSS-Score, Risiko "hoch"). --------------------------------------------- https://www.heise.de/news/Jetzt-aktualisieren-Codeschmuggel-durch-Luecke-in… ∗∗∗ Cisco Security Advisories 2022-07-06 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 1 High, 7 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2022-07-06 ∗∗∗ --------------------------------------------- IBM CICS TX Standard, IBM Tivoli Netcool Impact, IBM Security Verify Access Product, App Connect professional, IBM Engineering Lifecycle Management, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Security Verify Access Appliance, IBM Tivoli Application Dependency Discovery Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday Android: Systemlücke lässt Schadcode passieren ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android-Smartphones und -Tablets. Einige Lücken sind als kritisch eingestuft. --------------------------------------------- https://heise.de/-7164810 ∗∗∗ Schwachstellen in OpenVPN Access Server geschlossen ∗∗∗ --------------------------------------------- Version 2.11.0 des OpenVPN Access Server schließt einige Sicherheitslücken. Angreifer hätten die Server etwa für DDoS-Verstärkungs-Angriffe missbrauchen können. --------------------------------------------- https://heise.de/-7165442 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode), Fedora (dotnet3.1 and gnupg2), Oracle (grub2, kernel, php:7.4, php:8.0, and qemu-kvm), SUSE (389-ds, apache2, crash, curl, expat, firefox, fwupd, fwupdate, ImageMagick, ldb, samba, liblouis, librttopo, openssl, openssl-1_0_0, openssl-1_1, openssl-3, oracleasm, php7, php8, python-Twisted, python310, rsyslog, s390-tools, salt, thunderbird, and xen), and Ubuntu (linux-lts-xenial, linux-kvm and openssl). --------------------------------------------- https://lwn.net/Articles/900286/ ∗∗∗ Apache Commons: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Apache Commons ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0590 ∗∗∗ ZDI-22-949: (0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-949/ ∗∗∗ Dovecot: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0589 ∗∗∗ Nextcloud Mail: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0594 ∗∗∗ HCL BigFix: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0606 ∗∗∗ XSS-Schwachstelle in Jira-App (SYSS-2022-039) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/xss-schwachstelle-in-jira-app-syss-2022-039 ∗∗∗ QNAP: Checkmate Ransomware via SMB Services Exposed to the Internet ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-21 ∗∗∗ Microsoft Edge 103.0.1264.49 (6. Juli 2022) ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/07/07/microsoft-edge-103-0-1264-49-6-jul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2022
by Daily end-of-shift report 06 Jul '22

06 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-07-2022 18:00 − Mittwoch 06-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft quietly fixes ShadowCoerce Windows NTLM Relay bug ∗∗∗ --------------------------------------------- Microsoft has confirmed it fixed a previously disclosed ShadowCoerce vulnerability as part of the June 2022 updates that enabled attackers to target Windows servers in NTLM relay attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-sha… ∗∗∗ NPM supply-chain attack impacts hundreds of websites and apps ∗∗∗ --------------------------------------------- An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-supply-chain-attack-impa… ∗∗∗ Kryptographie: NIST gibt Post-Quanten-Algorithmen bekannt ∗∗∗ --------------------------------------------- Nach einem Wettbewerb kürt die US-Behörde Verschlüsselungs- und Signaturalgorithmen, die vor Quantencomputern sicher sein sollen. --------------------------------------------- https://www.golem.de/news/kryptographie-nist-gibt-post-quanten-algorithmen-… ∗∗∗ Top 5 Most Common WordPress Malware Infections: An Anatomy Lesson ∗∗∗ --------------------------------------------- WordPress security is serious business – and an essential consideration for anyone using the world’s most popular CMS (Content Management System). While the WordPress team quickly addresses known security issues in WordPress’ core to protect the millions of website owners who rely and depend on the software, the reality is that the same cannot be said for all plugin and theme developers. --------------------------------------------- https://blog.sucuri.net/2022/07/top-5-most-common-wordpress-malware-infecti… ∗∗∗ Fake-Shop-Alarm: Vorsicht beim Online-Kauf von Brennholz! ∗∗∗ --------------------------------------------- Die aktuelle Energiekrise lässt die Preise für Brennholz steigen. Der befürchtete Gasmangel führt dazu, dass Holz gehamstert und dementsprechend knapper wird. Eine perfekte Ausgangslage für Kriminelle: Sie nutzen die Situation aus und erstellen Fake-Shops, auf denen sie günstiges Brennholz anbieten. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online… ∗∗∗ Electric Vehicle Charging: a Survey on the Security Issues and Challenges of the Open Charge Point Protocol (OCPP) ∗∗∗ --------------------------------------------- The increased use of smart Electric Vehicles (EVs) and Plug-in ElectricVehicles (PEV) opened a new area of research and development. The number of EVcharging sites has considerably increased in residential as well as in publicareas. Within these EV charging sites, various entities need to communicate in a secure and efficient way. --------------------------------------------- http://arxiv.org/abs/2207.01950 ∗∗∗ OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow ∗∗∗ --------------------------------------------- Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat actors’ interest and we see a continued growth and innovation of malware that targets Linux, such as the recent Symbiote malware that was discovered by our research team. --------------------------------------------- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldap-account-manager), Fedora (openssl1.1, thunderbird, and yubihsm-connector), Mageia (curl, cyrus-imapd, firefox, ruby-git, ruby-rack, squid, and thunderbird), Oracle (firefox, kernel, and thunderbird), Slackware (openssl), SUSE (dpdk, haproxy, and php7), and Ubuntu (gnupg2 and openssl). --------------------------------------------- https://lwn.net/Articles/900172/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache Tomcat version used in it. (CVE-2021-42340) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to the Fabric8 Kubernetes client (CVE-2021-4178) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-32210 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM QRadar Network Packet Capture includes multiple vulnerable components. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet… ∗∗∗ K58003591: Apache HTTP server vulnerability CVE-2022-28614 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K58003591 ∗∗∗ vim: Schwachstelle ermöglicht Manipulation von Speicher ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0583 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0581 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2022
by Daily end-of-shift report 05 Jul '22

05 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 04-07-2022 18:00 − Dienstag 05-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt aktualisieren! Zero-Day-Lücke in Google Chrome geschlossen ∗∗∗ --------------------------------------------- Im Webbrowser Google Chrome hat der Hersteller mehrere Sicherheitslücken geschlossen. Angreifer missbrauchen eine davon bereits in freier Wildbahn. --------------------------------------------- https://heise.de/-7162462 ∗∗∗ Erpressungstrojaner AstraLocker ist Geschichte, Entschlüsselungstools verfügbar ∗∗∗ --------------------------------------------- Die Drahtzieher der Ransomware AstraLocker wollen die Cybercrime-Branche wechseln und veröffentlichen Tools, über die Opfer auf ihre Daten zugreifen können. --------------------------------------------- https://heise.de/-7163123 ∗∗∗ Memory Sanitizer: Neues Kernel-Werkzeug findet 300 Speicherfehler ∗∗∗ --------------------------------------------- Trotz Compilerwarnungen und -Werkzeuge gibt es weiter neue Speicherfehler im Linux-Kernel. Ein Memory Sanitizer soll das zum Teil verhindern. --------------------------------------------- https://www.golem.de/news/memory-sanitizer-neues-kernel-werkzeug-findet-300… ∗∗∗ Abo-Falle auf lebenslaufschreiben.com ∗∗∗ --------------------------------------------- Sie erstellen gerade einen Lebenslauf und suchen im Internet nach Vorlagen? Möglicherweise landen Sie bei lebenslaufschreiben.com – einem Lebenslaufgenerator. Online können alle Informationen eingetippt und ein sehr professioneller Lebenslauf gebastelt werden. Doch Vorsicht: Sie werden in eine Abo-Falle gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-auf-lebenslaufschreibencom/ ∗∗∗ EternalBlue 5 years after WannaCry and NotPetya, (Tue, Jul 5th) ∗∗∗ --------------------------------------------- We are about two months past the 5-year anniversary of WannaCry outbreak[1] and about a week past the 5-year anniversary of NotPetya outbreak[2]. Since both WannaCry and NotPetya used the EternalBlue[3] exploit in order to spread, I thought that it might be interesting to take a look at how many internet-facing systems still remain vulnerable to it. --------------------------------------------- https://isc.sans.edu/diary/rss/28816 ∗∗∗ When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors ∗∗∗ --------------------------------------------- Penetration testing and adversary emulation tool Brute Ratel C4 is effective at defeating modern detection capabilities – and malicious actors have begun to adopt it. --------------------------------------------- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate für Django Web Framework ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Django Web-Framework ermöglichte Angreifern das Einschleusen von SQL-Befehlen. Aktualisierte Software bessert die Schwachstelle aus. --------------------------------------------- https://heise.de/-7163246 ∗∗∗ IBM Security Bulletins 2022-07-04 ∗∗∗ --------------------------------------------- IBM Tivoli Network Manager, IBM App Connect Enterprise, IBM Integration Bus, IBM Engineering Test Management, IBM WebSphere Cast Iron Solution, IBM App Connect Professional, IBM Cloud Pak, IBM Tivoli Netcool, IBM Netezza, IBM Operations Analytics, App Connect professional. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Fortinet Security Advisories 2022-07-05 ∗∗∗ --------------------------------------------- On Jul 05, 2022, Fortinet has released 11 advisories for issues resolved in Fortinet products. (Severity: Low (1), Medium (6), High (4)) --------------------------------------------- https://fortiguard.fortinet.com/psirt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender and thunderbird), SUSE (ImageMagick, qemu, and sysstat), and Ubuntu (php7.0). --------------------------------------------- https://lwn.net/Articles/900064/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-22662 Versions affected: WebKitGTK and WPE WebKit before 2.36.0. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0006.html ∗∗∗ OpenSSL: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein Angreifer kann eine Schwachstelle in OpenSSL ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0561 ∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um Cross-Site Scripting- und Cross-Site Request Forgery Angriffe durchzuführen und um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0562 ∗∗∗ July 5th 2022 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, and 18.x releases lines on or shortly after Tuesday, July 5th, 2022 in order to address: Three medium severity issues. Two high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases ∗∗∗ LiteCart vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN32625020/ ∗∗∗ Xen Security Advisory CVE-2022-33743 / XSA-405 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-405.html ∗∗∗ Xen Security Advisory CVE-2022-33744 / XSA-406 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-406.html ∗∗∗ Xen Security Advisory CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742 / XSA-403 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-403.html ∗∗∗ Nextcloud: Schwachstelle ermöglicht Injektion von Kommandos ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0558 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2022
by Daily end-of-shift report 04 Jul '22

04 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-07-2022 18:00 − Montag 04-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Raspberry Robin: Microsoft warnt vor mysteriösem Wurm ∗∗∗ --------------------------------------------- Die Schadsoftware verbreitet sich über USB-Sticks. Unklar bleibt, wer die Urheber*innen sind und welches Ziel damit verfolgt wird. --------------------------------------------- https://futurezone.at/digital-life/raspberry-robin-wurm-windows-microsoft-w… ∗∗∗ Warnung vor Hackerangriffen auf Politiker ∗∗∗ --------------------------------------------- Das BSI und der Verfassungsschutz warnen vor Hackern, die durch einen einfachen Trick den Zugang zu Chats von hochrangigen Politikern erlangen könnten. --------------------------------------------- https://www.tagesschau.de/investigativ/ndr-wdr/hacker-angriffe-verfassungss… ∗∗∗ Gefälschtes ÖBB-Gewinnspiel auf WhatsApp ∗∗∗ --------------------------------------------- Viele WhatsApp-Nutzer:innen verbreiten unter ihren Kontakten unwissentlich ein Fake-ÖBB-Gewinnspiel. Die Nachricht lautet „ÖBB 100 Jahre Staatliche Verkehrsförderung! Jeder Bürger kann sich über…“. Darunter ist ein Link. Der Link führt zu einem gefälschten Gewinnspiel. Klicken Sie nicht auf den Link, Sie werden abgezockt. Ignorieren Sie die Nachricht und melden Sie sie an WhatsApp. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-oebb-gewinnspiel-auf-wh… ∗∗∗ CISA fordert US-Einrichtungen zum Patchen von CVE-2022-26925 in AD-Umgebungen auf ∗∗∗ --------------------------------------------- Zum 1. Juli 2022 hat die US Cybersecurity & Infrastructur Security Agency (CISA) erneut den Patch für die Schwachstelle CVE-2022-26925 (Active Directory) in die Liste der zu schließenden Schwachstellen aufgenommen (soll bis 22. 7. 2022 geschlossen werden). --------------------------------------------- https://www.borncity.com/blog/2022/07/04/cisa-fordert-us-einrichtungen-zum-… ∗∗∗ Cloud OSINT. Finding Interesting Resources ∗∗∗ --------------------------------------------- Locating sensitive information, personally identifiable information (PII) and questionable assets in the cloud. TL; DR I had a curiosity driven excursion into the public clouds of AWS and Azure to [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/cloud-osint-finding-interesti… ===================== = Vulnerabilities = ===================== ∗∗∗ Django fixes SQL Injection vulnerability in new releases ∗∗∗ --------------------------------------------- Django, an open source Python-based web framework has patched a high severity vulnerability in its latest releases. Tracked as CVE-2022-34265, the potential SQL Injection vulnerability impacts Djangos main branch, and versions 4.1 (currently in beta), 4.0, and 3.2, with patches and new releases issued fixing the vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-v… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnupg2 and kernel), Fedora (golang-github-apache-beam-2, golang-github-etcd-io-gofail, golang-github-intel-goresctrl, golang-github-spf13-cobra, golang-k8s-pod-security-admission, and vim), Oracle (.NET 6.0, compat-openssl10, compat-openssl11, cups, curl, expat, firefox, go-toolset:ol8, grub2,, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libarchive, libgcrypt, libinput, libxml2, pcre2, postgresql, python, rsync, rsyslog, [...] --------------------------------------------- https://lwn.net/Articles/899963/ ∗∗∗ libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0544 ∗∗∗ xpdf: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0543 ∗∗∗ HPE FlexNetwork und FlexFabric Switches: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0542 ∗∗∗ Kyocera Drucker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0551 ∗∗∗ Trend Micro Maximum Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0550 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Remote code execution vulnerability affect IBM Business Automation Workflow – CVE-2021-43138 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-remote-code-execution-vul… ∗∗∗ Security Bulletin: junrar Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-junrar-denial-of-service-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: junrar v7.4.0 and prior Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-junrar-v7-4-0-and-prior-d… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily July 2022