Daily October 2023

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 31.10.2023
by Daily end-of-shift report 31 Oct '23

31 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 30-10-2023 18:00 − Dienstag 31-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CVE-2023-4966 in Citrix NetScaler ADC und NetScaler Gateway wurde bereits als 0-day ausgenutzt ∗∗∗ --------------------------------------------- Uns wurde inzwischen von drei Organisationen in Österreich berichtet, dass Angreifer aufgrund der Sicherheitslücke im Citrix Server in ihren Systemen aktiv geworden sind, bevor Patches von Citrix verfügbar waren. Es wurden Befehle zur Erkundung des Systems und erste Schritte in Richtung lateral Movement beobachtet. Wir gehen inzwischen von einer weitläufigen Ausnutzung dieses 0-days aus. --------------------------------------------- https://cert.at/de/aktuelles/2023/10/cve-2023-4966-0day ∗∗∗ Exploit für Cisco IOS XE veröffentlicht, Infektionszahlen weiter hoch ∗∗∗ --------------------------------------------- Sicherheitsforscher haben den Exploit für Cisco IOS XE untersucht und seinen simplen Trick aufgedeckt. Hunderte Geräte mit Hintertür sind noch online. --------------------------------------------- https://www.heise.de/-9349296 ∗∗∗ Multiple Layers of Anti-Sandboxing Techniques, (Tue, Oct 31st) ∗∗∗ --------------------------------------------- It has been a while that I did not find an interesting malicious Python script. All the scripts that I recently spotted were always the same: a classic intostealer using Discord as C2 channel. Today I found one that contains a lot of anti-sanboxing techniques. Let's review them. For malware, it's key to detect the environment where they are executed. When detonated inside a sandbox (automatically or, manually, by an Analyst), they will be able to change their behaviour (most likely, do nothing). --------------------------------------------- https://isc.sans.edu/diary/rss/30362 ∗∗∗ Malicious NuGet Packages Caught Distributing SeroXen RAT Malware ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered a new set of malicious packages published to the NuGet package manager using a lesser-known method for malware deployment. --------------------------------------------- https://thehackernews.com/2023/10/malicious-nuget-packages-caught.html ∗∗∗ LDAP authentication in Active Directory environments ∗∗∗ --------------------------------------------- Understanding the different types of LDAP authentication methods is fundamental to apprehend subjects such as relay attacks or countermeasures. This post introduces them through the lens of Python libraries. --------------------------------------------- https://offsec.almond.consulting/ldap-authentication-in-active-directory-en… ∗∗∗ Programmiersprache: End of Life für PHP 8.0 und Neues für PHP 8.3 ∗∗∗ --------------------------------------------- Die kommende Version 8.3 der Programmiersprache PHP hält einige Neuerungen bereit, und PHP 8.0 nähert sich dem Supportende. --------------------------------------------- https://www.heise.de/-9348772 ∗∗∗ Verkaufen auf etsy: Vorsicht vor betrügerischen Anfragen ∗∗∗ --------------------------------------------- Auf allen gängigen Verkaufsplattformen tummeln sich Kriminelle. Sie nehmen vor allem neue Nutzer:innen ins Visier, die die Abläufe noch nicht kennen. Wir zeigen Ihnen, wie Sie betrügerische Anfragen erkennen und sicher verkaufen! --------------------------------------------- https://www.watchlist-internet.at/news/verkaufen-auf-etsy-vorsicht-vor-betr… ∗∗∗ Lateral Movement: Abuse the Power of DCOM Excel Application ∗∗∗ --------------------------------------------- In this post, we will talk about an interesting lateral movement technique called ActivateMicrosoftApp() method within the distributed component object model (DCOM) Excel application. This technique is built upon Matt Nelson’s initial research on “Lateral Movement using Excel.Application and DCOM”. --------------------------------------------- https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-… ∗∗∗ Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla) ∗∗∗ --------------------------------------------- While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of Kazuar. Not only is Kazuar another name for the enormous and dangerous cassowary bird, Kazuar is an advanced and stealthy .NET backdoor that Pensive Ursa usually uses as a second stage payload. --------------------------------------------- https://unit42.paloaltonetworks.com/pensive-ursa-uses-upgraded-kazuar-backd… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Sicherheitslücke in Confluence Data Center und Confluence Server ∗∗∗ --------------------------------------------- In allen Versionen von Confluence Data Center und Confluence Server existiert eine kritische Sicherheitslücke (CVE-2023-22518 CVSS: 9.1). Das Ausnutzen der Sicherheitslücke auf betroffenen Geräten ermöglicht nicht authentifizierten Angreifern den Zugriff auf interne Daten des Systems. Obwohl Atlassian bislang keine Informationen zur aktiven Ausnutzung der Lücke hat, wird das zeitnahe Einspielen der verfügbaren Patches empfohlen. --------------------------------------------- https://cert.at/de/warnungen/2023/10/confluence-cve-2023-22518 ∗∗∗ RCE exploit for Wyze Cam v3 publicly released, patch now ∗∗∗ --------------------------------------------- A security researcher has published a proof-of-concept (PoC) exploit for Wyze Cam v3 devices that opens a reverse shell and allows the takeover of vulnerable devices [...] Wyze released firmware update version 4.36.11.7071, which addresses the identified issues, on October 22, 2023, so users are recommended to apply the security update as soon as possible. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rce-exploit-for-wyze-cam-v3-… ∗∗∗ Unpatched NGINX ingress controller bugs can be abused to steal Kubernetes cluster secrets ∗∗∗ --------------------------------------------- Three unpatched high-severity bugs in the NGINX ingress controller can be abused by miscreants to steal credentials and other secrets from Kubernetes clusters. The vulnerabilities, tracked as CVE-2023-5043, CVE-2023-5044 and CVE-2022-4886, were disclosed on October 27, and are listed as currently awaiting triage. It's unclear if any of the flaws have been exploited. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/30/unpatched_ng… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9, node-browserify-sign, request-tracker4, and request-tracker5), Fedora (golang-github-altree-bigfloat, golang-github-seancfoley-bintree, golang-github-seancfoley-ipaddress, kitty, slurm, and thunderbird), Gentoo (ConnMan, libxslt, and Salt), Mageia (chromium-browser-stable), Red Hat (firefox, libguestfs-winsupport, and thunderbird), SUSE (clamav, gcc13, gstreamer-plugins-bad, icu73_2, java-17-openjdk, nodejs10, poppler, python-Werkzeug, redis, thunderbird, webkit2gtk3, xorg-x11-server, and xwayland), and Ubuntu (kernel, linux-aws, linux-azure, linux-gcp, linux-oracle, linux-raspi, linux-iot, linux-raspi, linux-raspi-5.4, and mysql-8.0). --------------------------------------------- https://lwn.net/Articles/949391/ ∗∗∗ FujiFilm printer credentials encryption issue fixed ∗∗∗ --------------------------------------------- Many multi-function printers made by FujiFilm Business Innovation Corporation (Fujifilm) which includes Apeos, ApeosPro, PrimeLink and RevoriaPress brands as well as Xerox Corporation (Xerox) which includes VersaLink, PrimeLink, and WorkCentre brands, allow administrators to store credentials on them to allow users to upload scans and other files to FTP and SMB file servers. With the default configuration of these printers, it’s possible to retrieve these credentials in an encrypted format without authenticating to the printer. A vulnerability in the encryption process of these credentials means that you can decrypt them with responses from the web interface. This has been given the ID CVE-2023-46327. --------------------------------------------- https://www.pentestpartners.com/security-blog/fujifilm-printer-credentials-… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable Security Center versions 5.23.1, 6.0.0, 6.1.0, 6.1.1, and 6.2.0: SC-202310.1 ∗∗∗ --------------------------------------------- TNS-2023-35 / Critical 9.8 / 8.8 (CVE-2023-38545), 3.7 / 3.4 (CVE-2023-38546) --------------------------------------------- https://www.tenable.com/security/tns-2023-35 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ INEA ME RTU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-02 ∗∗∗ Zavio IP Camera ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-304-03 ∗∗∗ Sonicwall: TunnelCrack Vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0015 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.10.2023
by Daily end-of-shift report 30 Oct '23

30 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-10-2023 18:00 − Montag 30-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Flying under the Radar: The Privacy Impact of multicast DNS, (Mon, Oct 30th) ∗∗∗ --------------------------------------------- The recent patch to iOS/macOS for CVE-2023-42846 made me think it is probably time to write up a reminder about the privacy impact of UPNP and multicast DNS. This is not a new issue, but it appears to have been forgotten a bit [vuln]. In particular, Apple devices are well-known for their verbose multicast DNS messages. --------------------------------------------- https://isc.sans.edu/diary/rss/30358 ∗∗∗ Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware ∗∗∗ --------------------------------------------- A new cyber attack campaign has been observed using spurious MSIX Windows app package files for popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a novel malware loader dubbed GHOSTPULSE. --------------------------------------------- https://thehackernews.com/2023/10/hackers-using-msix-app-packages-to.html ∗∗∗ Turning a boring file move into a privilege escalation on Mac ∗∗∗ --------------------------------------------- Hopefully other people find this trick useful, beyond just Parallels. You can find the code for this exploit on my GitHub [...] 2023-07-06 - fix released in version 18.3.2. --------------------------------------------- https://pwn.win/2023/10/28/file-move-privesc-mac.html ∗∗∗ citrix-logchecker - Parse citrix netscaler logs to check for signs of CVE-2023-4966 exploitation ∗∗∗ --------------------------------------------- CERT.at stellt via Github ein Skript zur Verfügung, welches genutzt werden kann, um Citrix-Logs nach potenziell übernommenen Sessions zu durchsuchen. Sollten auffällige Sessions gefunden werden, wird eine tiefergehende Analyse empfohlen. --------------------------------------------- https://github.com/certat/citrix-logchecker ∗∗∗ NATO und Behörden von kritischer Lücke in Lernplattform ILIAS betroffen ∗∗∗ --------------------------------------------- Gleich drei Sicherheitslücken in der Open-Source-Lernplattform ILIAS erlauben Codeschmuggel. Der Hersteller stellt eine aktualisierte Version bereit. --------------------------------------------- https://www.heise.de/-9344057.html ∗∗∗ Forscher: Sicherheitslücken beim Roaming bleiben auch bei 5G eine große Gefahr ∗∗∗ --------------------------------------------- Mobilfunker und Regulierer unternehmen laut einem Bericht des Citizen Lab zu wenig, um Sicherheitsschwächen der Roaming- und Abrechnungsprotokolle auszumerzen. --------------------------------------------- https://www.heise.de/-9347577.html ∗∗∗ F5 fixes critical BIG-IP vulnerability, PoC is public (CVE-2023-46747) ∗∗∗ --------------------------------------------- F5 Networks has released hotfixes for three vulnerabilities affecting its BIG-IP multi-purpose networking devices/modules, including a critical authentication bypass vulnerability (CVE-2023-46747) that could lead to unauthenticated remote code execution (RCE). About CVE-2023-46747 Discovered and reported by Thomas Hendrickson and Michael Weber of Praetorian Security, CVE-2023-46747 is a request smuggling bug in the Apache JServ Protocol (AJP) used by the vulnerable devices. [...] Praetorian has updated their blog post to include all the technical details, since Project Discovery has created a Nuclei template with the full CVE-2023-46747 attack chain. --------------------------------------------- https://www.helpnetsecurity.com/2023/10/30/cve-2023-46747/ ∗∗∗ Attackers Can Use Modified Wikipedia Pages to Mount Redirection Attacks on Slack ∗∗∗ --------------------------------------------- Researchers document the Wiki-Slack attack, a new technique that uses modified Wikipedia pages to target end users on Slack. --------------------------------------------- https://www.securityweek.com/attackers-can-use-modified-wikipedia-pages-to-… ∗∗∗ Vorsicht vor Fake-Shops mit günstigen Lebensmitteln ∗∗∗ --------------------------------------------- Mittlerweile können Sie auch Lebensmittel online bestellen. Bedenken Sie aber: Auch hier gibt es betrügerische Angebote. Kriminelle bieten stark vergünstigte Lebensmittel in Fake-Shops wie leckerwurzede.com an. Wenn Sie dort bestellen, verlieren Sie Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-mit-guenstig… ∗∗∗ CloudKeys in the Air: Tracking Malicious Operations of Exposed IAM Keys ∗∗∗ --------------------------------------------- We analyze an attack path starting with GitHub IAM exposure and leading to creation of AWS Elastic Compute instances — which TAs used to perform cryptojacking. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-operations-of-exposed-iam-key… ∗∗∗ NetSupport Intrusion Results in Domain Compromise ∗∗∗ --------------------------------------------- NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report on a NetSupport RAT intrusion, but malicious use of this tool dates back to at least 2016. During this report, we will analyze a case from January 2023 where a NetSupport RAT was utilized to infiltrate a network. The RAT was then used for persistence and command & control, resulting in a full domain compromise. --------------------------------------------- https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗ --------------------------------------------- Version 2.4: Updated summary to indicate additional fixed releases and updated fixed release table. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (distro-info, distro-info-data, gst-plugins-bad1.0, node-browserify-sign, nss, openjdk-11, and thunderbird), Fedora (chromium, curl, nghttp2, and xorg-x11-server-Xwayland), Gentoo (Dovecot, Rack, rxvt-unicode, and UnZip), Mageia (apache, bind, and vim), Red Hat (varnish:6), SUSE (nodejs12, opera, python-bugzilla, python-Django, and vorbis-tools), and Ubuntu (exim4, firefox, nodejs, and slurm-llnl, slurm-wlm). --------------------------------------------- https://lwn.net/Articles/949238/ ∗∗∗ Mattermost security updates 9.1.1 / 9.0.2 / 8.1.4 (ESR) / 7.8.13 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.1.1, 9.0.2, 8.1.4 (Extended Support Release), and 7.8.13 (Extended Support Release), for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-9-1-1-9-0-2-8-1-4-e… ∗∗∗ Inkdrop vulnerable to code injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN48057522/ ∗∗∗ 2023-10-30: Cyber Security Advisory - ABB COM600 CODESYS Vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001822&Language… ∗∗∗ Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061278 ∗∗∗ IBM i is vulnerable to a local privilege escalation due to flaws in Management Central (CVE-2023-40685, CVE-2023-40686). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7060686 ∗∗∗ Due to use of Java 8.0.7.11 version, InfoSphere Data Replication is vulnerable to crypto attacks. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061888 ∗∗∗ IBM Storage Ceph is vulnerable to a stack overflow attack in Golang (CVE-2022-24675) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7061939 ∗∗∗ Multiple vulnerabilities exist in the IBM SDK, Java Technology Edition affect IBM Tivoli Network Manager. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062331 ∗∗∗ A vulnerability exists in the IBM SDK, Java Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-22045, CVE-2023-22049). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062330 ∗∗∗ IBM Automation Decision Services October 2023 - Multiple CVEs addressed ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062348 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062415 ∗∗∗ Due to the use of OpenSSL IBM Tivoli Netcool System Service Monitors/Application Service Monitors is vulnerable to a denial of service and security bypass restrictions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7062426 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.10.2023
by Daily end-of-shift report 27 Oct '23

27 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-10-2023 18:00 − Freitag 27-10-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ StripedFly malware framework infects 1 million Windows, Linux hosts ∗∗∗ --------------------------------------------- A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. --------------------------------------------- https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework… ∗∗∗ How to catch a wild triangle ∗∗∗ --------------------------------------------- How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules. --------------------------------------------- https://securelist.com/operation-triangulation-catching-wild-triangle/11091… ∗∗∗ Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction ∗∗∗ --------------------------------------------- Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for organizations across multiple industries. Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. With their extensive range of tactics, techniques, and procedures (TTPs), the threat actor, from our perspective, is one of the most dangerous financial criminal groups. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-cross… ∗∗∗ iLeakage: Safari unzureichend vor Spectre-Seitenkanalangriff geschützt ∗∗∗ --------------------------------------------- Sicherheitsforscher sagen, dass Apples Browser nicht ausreichend vor CPU-Seitenkanalangriffen schützt. Angreifer können Daten lesen. Es gibt Schutzmaßnahmen. --------------------------------------------- https://www.heise.de/-9344659 ∗∗∗ CISA, HHS Release Cybersecurity Healthcare Toolkit ∗∗∗ --------------------------------------------- CISA and the HHS have released resources for healthcare and public health organizations to improve their security. --------------------------------------------- https://www.securityweek.com/cisa-hhs-release-cybersecurity-healthcare-tool… ∗∗∗ CVE-2023–4632: Local Privilege Escalation in Lenovo System Updater ∗∗∗ --------------------------------------------- The Lenovo System Update application is designed to allow non-administrators to check for and apply updates to their workstation. During the process of checking for updates, the privileged Lenovo Update application attempts to utilize C:\SSClientCommon\HelloLevel_9_58_00.xml, which doesn’t exist on the filesystem [...] This vulnerability has been fixed in the latest version of the Lenovo System Updater application. --------------------------------------------- https://posts.specterops.io/cve-2023-4632-local-privilege-escalation-in-len… ∗∗∗ ESET APT Activity Report Q2–Q3 2023 ∗∗∗ --------------------------------------------- An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 and Q3 2023 --------------------------------------------- https://www.welivesecurity.com/en/eset-research/eset-apt-activity-report-q2… ∗∗∗ Most common Active Directory misconfigurations and default settings that put your organization at risk ∗∗∗ --------------------------------------------- Introduction In this blog post, we will go over the most recurring (and critical) findings that we discovered when auditing the Active Directory environment of different companies, explain why these configurations can be dangerous, how they can be abused by attackers and how they can be mitigated or remediated. --------------------------------------------- https://blog.nviso.eu/2023/10/26/most-common-active-directory-misconfigurat… ∗∗∗ CVE-2023-4966 Helps Usher In A Baker’s Dozen Of Citrix Tags To Further Help Organizations Mitigate Harm ∗∗∗ --------------------------------------------- Citrixs NetScaler ADC and NetScaler Gateway have, once more, been found to have multiple vulnerabilities, tracked as CVE-2023-4966 and CVE-2023-4967 [...] As of this post’s publish time, GreyNoise has observed just under seventy IP addresses attempting to exploit this vulnerability. --------------------------------------------- https://www.greynoise.io/blog/cve-2023-4966-helps-usher-in-a-bakers-dozen-o… ∗∗∗ CISA Announces Launch of Logging Made Easy ∗∗∗ --------------------------------------------- Today, CISA announces the launch of a new version of Logging Made Easy (LME), a straightforward log management solution for Windows-based devices that can be downloaded and self-installed for free. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/27/cisa-announces-launch-lo… ∗∗∗ Rhysida Ransomware Technical Analysis ∗∗∗ --------------------------------------------- Technical analysis of Rhysida Ransomware family that emerged in the Q2 of 2023 --------------------------------------------- https://decoded.avast.io/threatresearch/rhysida-ransomware-technical-analys… ===================== = Vulnerabilities = ===================== ∗∗∗ CISA Releases Nine Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- ICSA-23-299-01 Dingtian DT-R002 ICSA-23-299-02 Centralite Pearl Thermostat ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium ICSA-23-299-04 Rockwell Automation Arena ICSA-23-299-05 Rockwell Automation FactoryTalk View Site Edition ICSA-23-299-06 Rockwell Automation FactoryTalk Services Platform ICSA-23-299-07 Sielco PolyEco FM Transmitter ICSA-23-299-08 Sielco Radio Link and Analog FM Transmitters ICSMA-23-194-01 BD Alaris System with Guardrails Suite MX (Update A) --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/26/cisa-releases-nine-indus… ∗∗∗ Cisco Update: HTTP/2 Rapid Reset Attack Affecting Cisco Products: October 2023 ∗∗∗ --------------------------------------------- Version 1.5: Updated the lists of vulnerable products and products confirmed not vulnerable. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Update: Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗ --------------------------------------------- Version 2.3: Updated summary to indicate additional fixed releases. Updated fixed release table and SMU table. Updated recommendations to add link to technical FAQ. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Juniper Update: 2023-10 Security Bulletin: Junos OS: jkdsd crash due to multiple telemetry requests (CVE-2023-44188) ∗∗∗ --------------------------------------------- 2023-10-25: Added note that SRX Series devices are not vulnerable to this issue --------------------------------------------- https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos… ∗∗∗ HPE Aruba Networking Product Security Advisory ∗∗∗ --------------------------------------------- HPE Aruba Networking has released updates to ClearPass Policy Manager that address multiple security vulnerabilities. --------------------------------------------- https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-016.txt ∗∗∗ Sicherheitsupdates: Jenkins-Plug-ins als Einfallstor für Angreifer ∗∗∗ --------------------------------------------- Jenkins kann bei der Softwareentwicklung helfen. Einige Plug-ins weisen Sicherheitslücken auf. Ein paar Updates stehen noch aus. --------------------------------------------- https://www.heise.de/-9344802 ∗∗∗ Sicherheitslücken im X.Org X-Server und Xwayland erlauben Rechteausweitung ∗∗∗ --------------------------------------------- Aktualisierte Fassung des X.Org X-Servers und von Xwayland schließen Sicherheitslücken. Die erlauben die Rechteausweitung oder einen Denial-of-Service. --------------------------------------------- https://www.heise.de/-9345096 ∗∗∗ Rechteausweitung durch Lücke in HP Print and Scan Doctor ∗∗∗ --------------------------------------------- Aktualisierte Software korrigiert einen Fehler im Support-Tool HP Print and Scan Doctor, der die Ausweitung der Rechte im System ermöglicht. --------------------------------------------- https://www.heise.de/-9345192 ∗∗∗ Konfigurationsprogramm von BIG-IP-Appliances als Sprungbrett für Angreifer ∗∗∗ --------------------------------------------- F5 hat wichtige Sicherheitsupdates für BIG-IP-Produkte veröffentlicht. Angreifer können Geräte kompromittieren. --------------------------------------------- https://www.heise.de/-9346460 ∗∗∗ Lücken in Nessus Network Monitor ermöglichen Rechteerhöhung ∗∗∗ --------------------------------------------- Eine neue Version vom Nessus Network Monitor schließt Sicherheitslücken, durch die Angreifer etwa ihre Rechte erhöhen können. --------------------------------------------- https://www.heise.de/news/-9346392 ∗∗∗ VMWare Tools: Schwachstellen erlauben Rechteausweitung ∗∗∗ --------------------------------------------- Die VMware Tools unter Linux, Windows und macOS erlauben Angreifern unter bestimmten Umständen, unbefugt Kommandos abzusetzen. Noch sind nicht alle Updates da. --------------------------------------------- https://www.heise.de/-9346863 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 16, 2023 to October 22, 2023) ∗∗∗ --------------------------------------------- Last week, there were 109 vulnerabilities disclosed in 95 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and xorg-server), Fedora (firefox, mbedtls, nodejs18, nodejs20, and xen), Gentoo (libinput, unifi, and USBView), Mageia (python-nltk), Oracle (linux-firmware), Red Hat (nginx:1.22), SUSE (chromium, firefox, java-11-openjdk, jetty-minimal, nghttp2, nodejs18, webkit2gtk3, and zlib), and Ubuntu (linux, linux-lowlatency, linux-oracle-5.15, vim, and xorg-server, xwayland). --------------------------------------------- https://lwn.net/Articles/948930/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and firefox-esr), Fedora (firefox, redis, samba, and xen), Oracle (python39:3.9, python39-devel:3.9), Slackware (mozilla and xorg), and SUSE (libnbd, open-vm-tools, python, sox, vorbis-tools, and zchunk). --------------------------------------------- https://lwn.net/Articles/949057/ ∗∗∗ Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data ∗∗∗ --------------------------------------------- Mirth Connect versions prior to 4.4.1 are vulnerable to CVE-2023-43208, a bypass for an RCE vulnerability. --------------------------------------------- https://www.securityweek.com/critical-mirth-connect-vulnerability-could-exp… ∗∗∗ Apple Releases Security Advisories for Multiple Products ∗∗∗ --------------------------------------------- Apple has released security updates to address vulnerabilities in multiple products. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/26/apple-releases-security-… ∗∗∗ Schwachstelle CVE-2023-5363 in OpenSSL ∗∗∗ --------------------------------------------- In der Software OpenSSL wurde eine Schwachstelle CVE-2023-5363 gefunden. Die Initialisierung der Verschlüsselungsschlüssellänge und des Initialisierungsvektors in OpenSLL ist fehlerhaft. Für die Linux-Distributionen Debian und Ubuntu ist ein Fix aber bereits verfügbar. --------------------------------------------- https://www.borncity.com/blog/2023/10/27/schwachstelle-cve-2023-5363-in-ope… ∗∗∗ ServiceNow fixt stillschweigend Bug aus 2015 der Datenlecks ermöglichte ∗∗∗ --------------------------------------------- Das US-Unternehmen ServiceNow Inc. bietet eine Cloud-Plattform an, in deren Software wohl seit 2015 ein Bug klaffte, über den Dritte ohne Authentifizierung Informationen abziehen konnten. Nachdem ein Sicherheitsforscher auf die Schwachstelle gestoßen ist, wurde diese stillschweigend in der Cloud-Lösung beseitigt. --------------------------------------------- https://www.borncity.com/blog/2023/10/27/servicenow-fixt-stillschweigend-bu… ∗∗∗ 9 vulnerabilities found in VPN software, including 1 critical issue that could lead to remote code execution ∗∗∗ --------------------------------------------- Attackers could exploit these vulnerabilities in the SoftEther VPN solution for individual and enterprise users to force users to drop their connections or execute arbitrary code on the targeted machine. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-oct-25-2023/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ VMSA-2023-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0024.html ∗∗∗ SonicWall SSO Agent - Directory Services Connector MSI Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0016 ∗∗∗ SonicWall NetExtender Windows Client DLL Search Order Hijacking Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0017 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.10.2023
by Daily end-of-shift report 25 Oct '23

25 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-10-2023 18:00 − Mittwoch 25-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Citrix Bleed exploit lets hackers hijack NetScaler accounts ∗∗∗ --------------------------------------------- A proof-of-concept (PoC) exploit is released for the Citrix Bleed vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/citrix-bleed-exploit-lets-ha… ∗∗∗ Phishing-Masche: Klarstellung wegen Viren-Versands gefordert ∗∗∗ --------------------------------------------- Die Verbraucherzentralen warnen vor Betrugsmails, die Empfänger zu einer Klarstellung auffordern. Es seien Beschwerden wegen Malware-Versands eingegangen. --------------------------------------------- https://www.heise.de/news/Phishing-Masche-Klarstellung-wegen-Viren-Versands… ∗∗∗ Exploitcode für Root-Lücke in VMware Aria Operations for Logs in Umlauf ∗∗∗ --------------------------------------------- In Umlauf befindlicher Exploitcode gefährdet VMwares Management-Plattform für Cloudumgebungen. Admins sollten jetzt Sicherheitsupdates installieren. --------------------------------------------- https://www.heise.de/news/Exploitcode-fuer-Root-Luecke-in-VMware-Aria-Opera… ∗∗∗ Webmailer Roundcube: Attacken auf Zero-Day-Lücke ∗∗∗ --------------------------------------------- Im Webmailer Roundcube missbrauchen Cyberkriminelle eine Sicherheitslücke, um verwundbare Einrichtungen anzugreifen. Ein Update schließt das Leck. --------------------------------------------- https://www.heise.de/news/Webmailer-Roundcube-Attacken-auf-Zero-Day-Luecke-… ∗∗∗ Teils kritische Lücken in VMware vCenter Server und Cloud Foundation geschlossen ∗∗∗ --------------------------------------------- VMware hat aktualisierte Softwarepakete veröffentlicht, die mehrere Lücken in vCenter Server und Cloud Foundation abdichten. Eine gilt als kritisch. --------------------------------------------- https://www.heise.de/news/Update-stopft-kritische-Luecke-in-VMware-vCenter-… ∗∗∗ Nusuccess: Seriöse Marketingagentur oder unseriöses Schneeballsystem? ∗∗∗ --------------------------------------------- Die Nusuccess FZCO mit Sitz in Dubai – vormals mit Sitz in Kärnten – bezeichnet sich selbst als „weltweit renommierte Werbeagentur“. Welche Leistungen diese Firma tatsächlich erbringt, bleibt aber im besten Fall vage. Erfahrungsberichte deuten darauf hin, dass sie ihren Gewinn hauptsächlich durch den Verkauf von teuren „Franchise-Paketen“ erzielt. Was genau Inhalt dieser Franchise-Pakete sein soll, bleibt unklar. --------------------------------------------- https://www.watchlist-internet.at/news/nusuccess-serioese-marketingagentur-… ∗∗∗ Social engineering: Hacking minds over bytes ∗∗∗ --------------------------------------------- In this blog, lets focus on the intersection of psychology and technology, where cybercriminals manipulate human psychology through digital means to achieve their objectives. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/social-engineering-… ∗∗∗ How to Secure the WordPress Login Page ∗∗∗ --------------------------------------------- Given that WordPress powers millions of websites worldwide, it’s no surprise that it’s a prime target for malicious activities ranging from brute force attacks and hacking attempts to unauthorized access — all of which can wreak havoc on your site’s functionality, damage reputation, or even result in lost revenue and sales. A common entry point often exploited by hackers is the WordPress login page, [...] --------------------------------------------- https://blog.sucuri.net/2023/10/how-to-secure-the-wordpress-login-page.html ∗∗∗ The Rise of S3 Ransomware: How to Identify and Combat It ∗∗∗ --------------------------------------------- In todays digital landscape, around 60% of corporate data now resides in the cloud, with Amazon S3 standing as the backbone of data storage for many major corporations. Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. It remains susceptible to ransomware attacks which are often initiated using leaked access keys that have accidentally been exposed by human error and have access to the organization's buckets. --------------------------------------------- https://thehackernews.com/2023/10/the-rise-of-s3-ransomware-how-to.html ∗∗∗ RT 5.0.5 and 4.4.7 Now Available ∗∗∗ --------------------------------------------- RT versions 5.0.5 and 4.4.7 are now available. In addition to some new features and bug fixes, these releases contain important security updates and are recommended for all RT users. --------------------------------------------- https://bestpractical.com/blog/2023/10/rt-505-and-447-now-available ===================== = Vulnerabilities = ===================== ∗∗∗ Lücke in Cisco IOS XE: Auch Rockwell-Industrieswitches betroffen ∗∗∗ --------------------------------------------- Neben Cisco-eigenen Geräten sind auch Rockwell-Switches der Stratix-Serie für den Industrieeinsatz betroffen. Eine Fehlerbehebung steht noch aus. --------------------------------------------- https://www.heise.de/news/Luecke-in-Cisco-IOS-XE-Auch-Rockwell-Industrieswi… ∗∗∗ VMSA-2023-0023 ∗∗∗ --------------------------------------------- Synopsis: VMware vCenter Server updates address out-of-bounds write and information disclosure vulnerabilities (CVE-2023-34048, CVE-2023-34056) 1. Impacted Products * VMware vCenter Server * VMware Cloud Foundation --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0023.html ∗∗∗ Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress ∗∗∗ --------------------------------------------- On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations. After making our initial contact attempt on September 28th, 2023, we received a response on September 29, 2023 and sent over our full disclosure details. --------------------------------------------- https://www.wordfence.com/blog/2023/10/several-critical-vulnerabilities-pat… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-bad1.0, openssl, roundcube, and xorg-server), Fedora (dotnet6.0, dotnet7.0, roundcubemail, and wordpress), Mageia (redis), Oracle (dnsmasq, python27:2.7, python3, tomcat, and varnish), Red Hat (python39:3.9, python39-devel:3.9), Slackware (mozilla and vim), SUSE (openssl-3, poppler, ruby2.5, and xen), and Ubuntu (.Net, linux-gcp-5.15, linux-gkeop-5.15, linux-intel-iotg-5.15, linux-starfive-6.2, mysql-5.7, ncurses, and openssl). --------------------------------------------- https://lwn.net/Articles/948814/ ∗∗∗ Movable Type vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN39139884/ ∗∗∗ TEM Opera Plus FM Family Transmitter 35.45 XSRF ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5800.php ∗∗∗ TEM Opera Plus FM Family Transmitter 35.45 Remote Code Execution ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5799.php ∗∗∗ VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) Remote Denial Of Service ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5798.php ∗∗∗ AIX is vulnerable to sensitive information exposure due to Perl (CVE-2023-31484 and CVE-2023-31486) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7047272 ∗∗∗ IBM QRadar SIEM includes components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7049133 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to weaker than expected security (CVE-2023-46158) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7058540 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to weaker than expected security (CVE-2023-46158) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7058536 ∗∗∗ A vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Business Developer. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7059262 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.10.2023
by Daily end-of-shift report 24 Oct '23

24 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 23-10-2023 18:00 − Dienstag 24-10-2023 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Log in With... Feature Allows Full Online Account Takeover for Millions ∗∗∗ --------------------------------------------- Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk for financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems. --------------------------------------------- https://www.darkreading.com/remote-workforce/oauth-log-in-full-account-take… ∗∗∗ Hostile Takeover: Malicious Ads via Facebook ∗∗∗ --------------------------------------------- Criminals hijack business accounts on Facebook and run their own advertising campaigns in someone elses name and at the expense of those affected. --------------------------------------------- https://www.gdatasoftware.com/blog/2023/10/37814-meta-hijacked-malicious-ads ∗∗∗ Stealer for PIX payment system, new Lumar stealer and Rhysida ransomware ∗∗∗ --------------------------------------------- In this report, we share our latest crimeware findings: GoPIX targeting PIX payment system; Lumar stealing files and passwords; Rhysida ransomware supporting old Windows. --------------------------------------------- https://securelist.com/crimeware-report-gopix-lumar-rhysida/110871/ ∗∗∗ Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar ∗∗∗ --------------------------------------------- The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts. --------------------------------------------- https://thehackernews.com/2023/10/quasar-rat-leverages-dll-side-loading.html ∗∗∗ Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 ∗∗∗ --------------------------------------------- We were interested in CVE-2023-4966, which was described as "sensitive information disclosure" and had a CVSS score of 9.4. The high score for an information disclosure vulnerability and the mention of "buffer-related vulnerabilities" piqued our interest. --------------------------------------------- https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-to… ∗∗∗ Best Practices for Writing Quality Vulnerability Reports ∗∗∗ --------------------------------------------- How to write great vulnerability reports? If you’re a security consultant, penetration tester or a bug bounty hunter, these tips are for you! --------------------------------------------- https://itnext.io/best-practices-for-writing-quality-vulnerability-reports-… ∗∗∗ Kriminelle verbreiten falsche Ryanair-Telefonnummern ∗∗∗ --------------------------------------------- Vorsicht, wenn Sie im Internet nach einer Telefonnummer von Ryanair suchen. Kriminelle stellen Webseiten mit falschen Nummern ins Netz. Wenn Sie bei der falschen Ryanair-Servicehotline anrufen, stehlen Kriminelle Ihnen sensible Daten und Geld. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-verbreiten-falsche-ryanai… ∗∗∗ LOLBin mit WorkFolders.exe unter Windows ∗∗∗ --------------------------------------------- Die legitime Windows-Anwendung WorkFolders.exe lässt sich verwenden, um andere .exe-Programme im Windows-Ordner System32 oder im aktuellen Ordner zu starten. Dies ermöglicht Malware sogenannte LOLBin-Angriffe, bei der legitime Betriebssystemdateien zur Ausführung von Schadprogrammen missbraucht werden. --------------------------------------------- https://www.borncity.com/blog/2023/10/24/lolbin-mit-workfolders-exe-unter-w… ∗∗∗ The Great CVSS Bake Off: Testing How CVSS v4 Performs Versus v3 ∗∗∗ --------------------------------------------- The highly anticipated Common Vulnerability Scoring System (CVSS) version 4 is planned to be released on October 31st by the Forum of Incident Response and Security Teams (FIRST). --------------------------------------------- https://orca.security/resources/blog/cvss-version-4-versus-version-3/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMware warns admins of public exploit for vRealize RCE flaw ∗∗∗ --------------------------------------------- VMware warned customers on Monday that proof-of-concept (PoC) exploit code is now available for an authentication bypass flaw in vRealize Log Insight (now known as VMware Aria Operations for Logs). --------------------------------------------- https://www.bleepingcomputer.com/news/security/vmware-warns-admins-of-publi… ∗∗∗ Viele Systeme längst kompromittiert: Cisco stellt Patches für IOS XE bereit ∗∗∗ --------------------------------------------- Durch Schwachstellen in der Betriebssoftware IOS XE sind weltweit Zehntausende von Cisco-Geräten infiltriert worden. Jetzt gibt es erste Patches. --------------------------------------------- https://www.golem.de/news/viele-systeme-laengst-kompromittiert-cisco-stellt… ∗∗∗ CVE-2023-33466 - Exploiting Healthcare Servers with Polyglot Files ∗∗∗ --------------------------------------------- Orthanc is an open source software to manage, exchange and visualize medical imaging data. In versions < 1.12.0, it is affected by an arbitrary file overwrite vulnerability (CVE-2023-33466) that might allow an authenticated attacker to obtain RCE on the system. --------------------------------------------- https://www.shielder.com/blog/2023/10/cve-2023-33466-exploiting-healthcare-… ∗∗∗ Proxy: Squid-Entwickler dichten teils kritische Lecks in Version 6.4 ab ∗∗∗ --------------------------------------------- Mit Squid 6.4 haben die Entwickler eine um vier Sicherheitslücken bereinigte Version des Proxy-Servers vorgelegt. Es klaffen jedoch weitere Lücken darin. --------------------------------------------- https://www.heise.de/news/Proxy-Squid-6-4-schliesst-teils-kritische-Sicherh… ∗∗∗ Lücke in LiteSpeed-Cache-Plug-in gefährdet 4 Millionen WordPress-Websites ∗∗∗ --------------------------------------------- Angreifer können WordPress-Websites mit Schadcode-Skripten verseuchen. Ein Sicherheitsupdate repariert das LiteSpeed-Cache-Plug-in. --------------------------------------------- https://www.heise.de/news/Luecke-in-LiteSpeed-Cache-Plug-in-gefaehrdet-4-Mi… ∗∗∗ Sicherheitsupdates: Firefox-Browser anfällig für Clickjacking-Attacken ∗∗∗ --------------------------------------------- Mozilla hat in aktuellen Versionen von Firefox und Firefox ESR mehrere Sicherheitsprobleme gelöst. --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Firefox-Browser-anfaellig-fuer… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ceph and dbus), Fedora (cachelib, fb303, fbthrift, fizz, folly, matrix-synapse, mcrouter, mvfst, nats-server, nodejs18, proxygen, wangle, watchman, and wdt), Mageia (libcue), Oracle (18, grafana, kernel, nodejs, nodejs:16, nodejs:18, php, php:8.0, and tomcat), Red Hat (python27:2.7, python3, python39:3.9, python39-devel:3.9, toolbox, varnish, and varnish:6), SUSE (fwupdate, gcc13, icu73_2, netty, netty-tcnative, and xen), and Ubuntu [...] --------------------------------------------- https://lwn.net/Articles/948688/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Vulnerability in SICK Flexi Soft Gateway ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-164691.html ∗∗∗ Rockwell Automation Stratix 5800 and Stratix 5200 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-297-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.10.2023
by Daily end-of-shift report 23 Oct '23

23 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-10-2023 18:00 − Montag 23-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sessioncookies: Hacker erbeuten Zugangscodes bei Identitätsdienst Okta ∗∗∗ --------------------------------------------- Der Identitätsdienst Okta ist ein weiteres Mal das Einfallstor für Hacker gewesen. Dieses Mal betraf es Daten des Kundensupports. --------------------------------------------- https://www.golem.de/news/sessioncookies-hacker-erbeuten-zugangscodes-bei-i… ∗∗∗ Erst nach 3 Jahren gefixt: Zeiterfassungssystem ermöglichte OAuth-Token-Diebstahl ∗∗∗ --------------------------------------------- Harvest ermöglichte es Angreifern, OAuth-Token von Nutzern zu stehlen, die die Zeiterfassungssoftware mit Outlook verbinden wollten. --------------------------------------------- https://www.golem.de/news/erst-nach-3-jahren-gefixt-zeiterfassungssystem-er… ∗∗∗ Die MOVEit-Sicherheitslücke – eine Zwischenbilanz ∗∗∗ --------------------------------------------- Selbst wer die Software nicht verwendet, kann ein Opfer sein. Schätzungen gehen bisher von rund 68 Millionen Personen aus, deren Daten abgeflossen sind. --------------------------------------------- https://www.heise.de/-9318038.html ∗∗∗ Internationalen Ermittlungsbehörden gelingt Schlag gegen Ragnar Locker ∗∗∗ --------------------------------------------- Internationalen Ermittlern ist es gelungen, die Infrastruktur der bekannten Ransomware-Gruppierung Ragnar Locker zu zerschlagen. --------------------------------------------- https://www.heise.de/-9340480.html ∗∗∗ Cisco IOS XE und die verschwundenen Hintertüren ∗∗∗ --------------------------------------------- Die Anzahl der offensichtlich kompromittierten Geräte ist auch in Deutschland schlagartig gefallen, was wohl kaum an den gerade erschienenen Patches liegt. --------------------------------------------- https://www.heise.de/-9341205.html ∗∗∗ New TetrisPhantom hackers steal data from secure USB drives on govt systems ∗∗∗ --------------------------------------------- A new sophisticated threat tracked as TetrisPhantom has been using compromised secure USB drives to target government systems in the Asia-Pacific region. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tetrisphantom-hackers-st… ∗∗∗ The outstanding stealth of Operation Triangulation ∗∗∗ --------------------------------------------- In this report Kaspersky shares insights into the validation components used in Operation Triangulation, TriangleDB implant post-compromise activity, as well as details of some additional modules. --------------------------------------------- https://securelist.com/triangulation-validators-modules/110847/ ∗∗∗ base64dump.py Handles More Encodings Than Just BASE64, (Sun, Oct 22nd) ∗∗∗ --------------------------------------------- My tool base64dump.py takes any input and searches for encoded data. By default, it searches for base64 encoding, but I implemented several encodings (like vaious hexadecimal formats) --------------------------------------------- https://isc.sans.edu/diary/rss/30332 ∗∗∗ How an AppleTV may take down your (#IPv6) network, (Mon, Oct 23rd) ∗∗∗ --------------------------------------------- I recently ran into an odd issue with IPv6 connectivity in my home network. During a lengthy outage, I decided to redo some of my network configurations. As part of this change, I also reorganized my IPv6 setup, relying more on DHCPv6 and less on router advertisements to configure IPv6 addresses. Overall, this worked well. My Macs had no issues connecting to IPv6. However, the Linux host I use to alert me of network connectivity issues could not "ping" the test host via IPv6. --------------------------------------------- https://isc.sans.edu/diary/rss/30336 ∗∗∗ Tampered OpenCart Authentication Aids Credit Card Skimming Attack ∗∗∗ --------------------------------------------- Using out of date software is the leading cause of website compromise, so keeping your environment patched and up to date is one of the most important responsibilities of a website administrator. It’s not uncommon to employ the use of custom code on websites, and spend small fortunes on software developers to tailor their website just the way they want it. However, the usage of customised code can sometimes inadvertently lock a website administrator into using an out of date CMS installation long after its expiry date, particularly if they no longer have access to their old developer (or sufficient funds to hire a new one). --------------------------------------------- https://blog.sucuri.net/2023/10/tampered-opencart-authentication-aids-credi… ∗∗∗ Abusing gdb Features for Data Ingress & Egress ∗∗∗ --------------------------------------------- As of November 2019, elfutils supports debuginfod, a client/server protocol that enables debuggers (gdb) to fetch debugging symbols via HTTP/HTTPs from a user-specified remote server. This blog post will demonstrate how this feature of gdb can be abused to create data communication paths for data exfiltration and tool ingress. --------------------------------------------- https://www.archcloudlabs.com/projects/debuginfod/ ∗∗∗ Vorsicht vor Jobangeboten auf WhatsApp oder Telegram ∗∗∗ --------------------------------------------- Sie suchen gerade einen Job? Praktisch, wenn Sie gar nicht suchen müssen und Sie direkt auf WhatsApp oder Telegram einen Job angeboten bekommen. Dahinter stecken aber Kriminelle, die Ihnen z. B. einen „Datenoptimierungsjob mit möglichen Provisionen“ anbieten. Auf Plattformen wie privko.live oder depopnr.com verlieren Sie dann Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobangeboten-auf-whatsa… ∗∗∗ Important security update ∗∗∗ --------------------------------------------- Autodesk recently determined that an unauthorized third-party obtained access to portions of internal systems. Our findings show that sensitive data about our customers and their projects or products have not been compromised. We immediately took steps to contain the incident. Forensic analysis conducted by an independent, third party indicates that no customer operations or Autodesk products were disrupted due to this incident. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0020 ∗∗∗ Kritische Sicherheitslücke in Cisco IOS XE - aktiv ausgenützt ∗∗∗ --------------------------------------------- Update: 23. Oktober 2023 Cisco hat für einige der von der Schwachstelle betroffenen Geräte Aktualisierungen veröffentlicht, und weitere Updates angekündigt. Das Unternehmen aktualisiert die Liste an verfügbaren Patches auf einer dedizierten Seite laufend. Wenn das Management-WebInterface eines Cisco XE Gerätes vor dem Einspielen des Updates offen im Netz erreichbar war, ist davon auszugehen, dass ein Angreifer dies ausgenutzt hat und zumindest neue Admin-Accounts angelegt hat. Damit ist die Installation von weiteren Hintertüren möglich, die - aus heutiger Sicht - nur mit einem Factory Reset / Neuinstallation von IOS XE umfassend entfernt werden können --------------------------------------------- https://cert.at/de/warnungen/2023/10/kritische-sicherheitslucke-in-cisco-io… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Cisco IOS XE Software Web UI Feature ∗∗∗ --------------------------------------------- Version 1.4: Updated the summary to indicate the first fixes are available. Added specific fixed release information. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (krb5, redis, roundcube, ruby-rack, ruby-rmagick, zabbix, and zookeeper), Fedora (ansible-core, chromium, libvpx, mingw-xerces-c, python-asgiref, python-django, and vim), Mageia (cadence, kernel, kernel-linus, libxml2, nodejs, and shadow-utils), Oracle (nghttp2), Slackware (LibRaw), and SUSE (chromium, java-11-openjdk, nodejs18, python-Django, python-urllib3, and suse-module-tools). --------------------------------------------- https://lwn.net/Articles/948522/ ∗∗∗ Vulnerability in QUSBCam2 ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect QUSBCam2. If exploited, the vulnerability could allow users to execute arbitrary commands via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-43 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.10.2023
by Daily end-of-shift report 20 Oct '23

20 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-10-2023 18:00 − Freitag 20-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Malvertising: Angreifer nutzen Punycode für gefälschte Webseiten ∗∗∗ --------------------------------------------- Cyberkriminelle werben über Google Ads etwa mit gefälschten KeePass-URLs mit Punycode-Zeichen. Die beworbene Seite liefert Malware aus. --------------------------------------------- https://www.heise.de/-9339448.html ∗∗∗ SolarWinds behebt Codeschmuggel in Access Rights Manager ∗∗∗ --------------------------------------------- Die Software zur Verwaltung von Zugriffsberechtigungen hat unter anderem Fehler, die eine Rechteausweitung ermöglichten. Admins sollten zügig handeln. --------------------------------------------- https://www.heise.de/-9339437.html ∗∗∗ VMware dichtet hochriskante Lecks in Aria, Fusion und Workstation ab ∗∗∗ --------------------------------------------- VMware hat Updates für VMNware Aria Operations for Logs, VMware Fusion sowie VMware Workstation veröffentlicht. Sie schließen teils hochriskante Lücken. --------------------------------------------- https://www.heise.de/-9339932.html ∗∗∗ IT-Sicherheitsbehörden geben Tipps für sichere Software und Phishing-Prävention ∗∗∗ --------------------------------------------- Die US-Sicherheitsbehörde CISA veröffentlicht mit internationalen Partnern je eine Handreichung zu sicherem Software-Entwurf und zur Phishing-Prävention. --------------------------------------------- https://www.heise.de/-9339899.html ∗∗∗ Cybersicherheit ermöglichen – BSI veröffentlicht Checklisten für Kommunen ∗∗∗ --------------------------------------------- Das BSI bietet Kommunen nun einen unkomplizierten und ressourcenschonenden Einstieg in den etablierten IT-Grundschutz des BSI. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Fake Corsair job offers on LinkedIn push DarkGate malware ∗∗∗ --------------------------------------------- A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-corsair-job-offers-on-l… ∗∗∗ ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges ∗∗∗ --------------------------------------------- A new information stealer named ExelaStealer has become the latest entrant to an already crowded landscape filled with various off-the-shelf malware designed to capture sensitive data from compromised Windows systems. "ExelaStealer is a largely open-source infostealer with paid customizations available from the threat actor," Fortinet FortiGuard Labs researcher James Slaughter said [...] --------------------------------------------- https://thehackernews.com/2023/10/exelastealer-new-low-cost-cybercrime.html ∗∗∗ Ghost In The Wire, Sonic In The Wall - Adventures With SonicWall ∗∗∗ --------------------------------------------- Here at watchTowr, we just love attacking high-privilege devices [...]. A good example of these is the device class of ‘next generation’ firewalls, which usually include VPN termination functionality (meaning they’re Internet-accessible by network design). These devices patrol the border between the untrusted Internet and an organisation’s softer internal network, and so are a great place for attackers to elevate their status from ‘outsiders’ to ‘trusted users’. --------------------------------------------- https://labs.watchtowr.com/ghost-in-the-wire-sonic-in-the-wall/ ∗∗∗ VMware Aria Operations for Logs CVE-2023-34051 Technical Deep Dive and IOCs ∗∗∗ --------------------------------------------- Earlier this year we reported the technical details for VMSA-2023-0001 affecting VMware Aria Operations for Logs (formerly VMware vRealize Log Insight). [...] During the course of that investigation, we noticed the fix provided by VMware was not sufficient to stop a motivated attacker. We reported this new issue to VMware and it was fixed in VMSA-2023-0021. This post will discuss the technical details of CVE-2023-34051, an authentication bypass that allows remote code execution as root. --------------------------------------------- https://www.horizon3.ai/vmware-aria-operations-for-logs-cve-2023-34051-tech… ∗∗∗ Concerns grow as LockBit knockoffs increasingly target popular vulnerabilities ∗∗∗ --------------------------------------------- Hackers are using a leaked toolkit used to create do-it-yourself versions of the popular LockBit ransomware, making it easy for even amateur cybercriminals to target common vulnerabilities. The LockBit ransomware gang, which has attacked thousands of organizations across the world, had the toolkit leaked in September 2022 by a disgruntled affiliate. --------------------------------------------- https://therecord.media/lockbit-knockoffs-proliferate-leaked-toolkit ∗∗∗ Attacks on 5G Infrastructure From User Devices: ASN.1 Vulnerabilities in 5G Cores ∗∗∗ --------------------------------------------- In the second part of this series, we will examine how attackers can trigger vulnerabilities by sending control messages masquerading as user traffic to cross over from user plane to control plane. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/j/asn1-vulnerabilities-in-5g-c… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XE Software Web UI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- Version 1.2: Added access list mitigation. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Command Injection Vulnerability ∗∗∗ --------------------------------------------- Version 1.1: Added information about active exploitation attempts. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ RT 5.0.5 Release Notes ∗∗∗ --------------------------------------------- RT 5.0.5 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details. --------------------------------------------- https://docs.bestpractical.com/release-notes/rt/5.0.5 ∗∗∗ RT 4.4.7 Release Notes ∗∗∗ --------------------------------------------- RT 4.4.7 is now available for general use. The list of changes included with this release is below. In addition to a batch of updates, new features, and fixes, there are several important security updates provided in this release. See below for details. --------------------------------------------- https://docs.bestpractical.com/release-notes/rt/4.4.7 ∗∗∗ VMSA-2023-0022 ∗∗∗ --------------------------------------------- VMware Fusion and Workstation updates address privilege escalation and information disclosure vulnerabilities (CVE-2023-34044, CVE-2023-34045, CVE-2023-34046) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0022.html ∗∗∗ VMSA-2023-0021 ∗∗∗ --------------------------------------------- VMware Aria Operations for Logs updates address multiple vulnerabilities. (CVE-2023-34051, CVE-2023-34052) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0021.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10 and webkit2gtk), Fedora (matrix-synapse and trafficserver), Mageia (chromium-browser-stable, ghostscript, libxpm, and ruby-RedCloth), Oracle (.NET 7.0, curl, dotnet7.0, galera, mariadb, go-toolset, golang, java-1.8.0-openjdk, and python-reportlab), Red Hat (php, php:8.0, tomcat, and varnish), Slackware (httpd), SUSE (bluetuith, grub2, kernel, rxvt-unicode, and suse-module-tools), and Ubuntu (dotnet6, dotnet7, dotnet8, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15,linux-nvidia, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-intel-iotg, linux-oem-6.1, linux-raspi, and mutt). --------------------------------------------- https://lwn.net/Articles/948368/ ∗∗∗ Kritische Sicherheitslücke in Citrix NetScaler ADC und NetScaler Gateway - aktiv ausgenutzt - Updates verfügbar ∗∗∗ --------------------------------------------- Eine kritische Schwachstelle in Citrix/Netscaler ADC und Citrix Gateway erlaubt es unauthentifizierten Angreifer:innen, bestehende, authentifizierte Sessions zu übernehmen. Diese Schwachstelle wird zumindest seit Ende August 2023 bei Angriffen gegen Ziele in verschiedenen Sektoren aktiv ausgenutzt. --------------------------------------------- https://cert.at/de/warnungen/2023/10/kritische-sicherheitslucke-in-citrix-n… ∗∗∗ Multiple vulnerabilities in ctrlX WR21 HMI ∗∗∗ --------------------------------------------- BOSCH-SA-175607: The operating system of the ctrlX WR21 HMI has several vulnerabilities when the Kiosk mode is used in conjunction with Google Chrome. In worst case, an attacker with physical access to the device might gain full root access without prior authentication by combining the exploitation of those vulnerabilities. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-175607.html ∗∗∗ CVE-2023-38041 New client side release to address a privilege escalation on Windows user machines ∗∗∗ --------------------------------------------- A vulnerability exists on all versions of the Ivanti Secure Access Client Below 22.6R1 that would allow an unprivileged local user to gain unauthorized elevated privileges on the affected system. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-38041-New-client-side-release-… ∗∗∗ Decision Optimization in IBM Cloud Pak for Data is affected by a vulnerability in Node.js semver package (CVE-2022-25883) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056400 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect IBM ILOG CPLEX Optimization Studio (CVE-2023-21968, CVE-2023-21937, CVE-2023-21938) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056397 ∗∗∗ Improper input validation may lead to a Denial of Service attack in web services with IBM CICS TX Standard and IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056433 ∗∗∗ IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to electron ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056425 ∗∗∗ Improper input validation may lead to a Denial of Service attack in web services with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056429 ∗∗∗ IBM Integration Bus is vulnerable to a denial of service due to Eclipse Mosquitto ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056456 ∗∗∗ IBM App Connect Enterprise Toolkit and IBM Integration Bus Toolkit are vulnerable to a denial of service due to Okio GzipSource (CVE-2023-3635). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7056518 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.10.2023
by Daily end-of-shift report 19 Oct '23

19 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-10-2023 18:00 − Donnerstag 19-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Money-making scripts attack organizations ∗∗∗ --------------------------------------------- Cybercriminals attack government, law enforcement, non-profit organizations, agricultural and commercial companies by slipping a cryptominer, keylogger, and backdoor into their systems. --------------------------------------------- https://securelist.com/miner-keylogger-backdoor-attack-b2b/110761/ ∗∗∗ HasMySecretLeaked findet auf GitHub veröffentlichte Secrets ∗∗∗ --------------------------------------------- Wer prüfen möchte, ob seine Secrets auf GitHub geleakt sind, kann das kostenfreie Toolset von GitGuardian nutzen. Es soll dabei private Daten schützen. --------------------------------------------- https://www.heise.de/news/Security-Toolset-HasMySecretLeaked-sucht-auf-GitH… ∗∗∗ Public Report – Caliptra Security Assessment ∗∗∗ --------------------------------------------- During August and September of 2023, Microsoft engaged NCC Group to conduct a security assessment of Caliptra v0.9. Caliptra is an open-source silicon IP block for datacenter-focused server-class ASICs. --------------------------------------------- https://research.nccgroup.com/2023/10/18/public-report-caliptra-security-as… ∗∗∗ Number of Cisco Devices Hacked via Unpatched Vulnerability Increases to 40,000 ∗∗∗ --------------------------------------------- The number of Cisco devices hacked via the CVE-2023-20198 zero-day has reached 40,000, including many in the US. --------------------------------------------- https://www.securityweek.com/number-of-cisco-devices-hacked-via-unpatched-v… ∗∗∗ Ein PayPal-Tonband ruft an? Drücken Sie nicht die 1! ∗∗∗ --------------------------------------------- Eine unbekannte Nummer erscheint am Smartphone-Bildschirm. Sie heben ab und eine Roboterstimme meldet sich im Namen PayPals. Angeblich soll Geld von Ihrem PayPal-Konto behoben werden. Um das zu verhindern, sollen Sie die Taste „1“ drücken. Tun Sie dies nicht – Kriminelle versuchen, Ihnen dadurch Geld und Daten zu stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/ein-paypal-tonband-ruft-an-druecken-… ∗∗∗ Es cyberwart wieder. Oder so. ∗∗∗ --------------------------------------------- Wie schon zu Beginn des Krieges in der Ukraine vor inzwischen eineinhalb Jahren kam es auch kurz nach den Ereignissen, die am 07.10.2023 Israel erschüttert haben, relativ schnell zu Berichten über die mögliche Rolle von Cyberangriffen in diesem Konflikt. --------------------------------------------- https://cert.at/de/blog/2023/10/es-cyberwart-wieder-oder-so ∗∗∗ Hackers Exploit QR Codes with QRLJacking for Malware Distribution ∗∗∗ --------------------------------------------- Researchers report a surge in QR code-related cyberattacks exploiting phishing and malware distribution, especially QRLJacking and Quishing attacks. --------------------------------------------- https://www.hackread.com/hackers-exploit-qr-codes-qrljacking-malware/ ∗∗∗ CISA, NSA, FBI, MS-ISAC Publish Guide on Preventing Phishing Intrusions ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) today published “Phishing Guidance, Stopping the Attack Cycle at Phase One” to help organizations reduce likelihood and impact of successful phishing attacks. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-nsa-fbi-ms-isac-publish-guide-pr… ∗∗∗ Exploited SSH Servers Offered in the Dark web as Proxy Pools ∗∗∗ --------------------------------------------- Aqua Nautilus researchers have shed brighter light on a long-standing threat to SSH in the context of the cloud. More specifically, the threat actor harnessed our SSH server to be a slave proxy and pass traffic through it. --------------------------------------------- https://blog.aquasec.com/threat-alert-exploited-ssh-servers-offered-in-the-… ===================== = Vulnerabilities = ===================== ∗∗∗ Casio discloses data breach impacting customers in 149 countries ∗∗∗ --------------------------------------------- Japanese electronics manufacturer Casio disclosed a data breach impacting customers from 149 countries after hackers gained to the servers of its ClassPad education platform. --------------------------------------------- https://www.bleepingcomputer.com/news/security/casio-discloses-data-breach-… ∗∗∗ Sophos Firewall: PDF-Passwortschutz der SPX-Funktion umgehbar ∗∗∗ --------------------------------------------- Sophos verteilt aktualisierte Firmware für die Firewalls. Im Secure PDF eXchange können Angreifer den Schutz umgehen und unbefugt PDF-Dateien entschlüsseln. --------------------------------------------- https://www.heise.de/news/Sophos-Firewall-PDF-Passwortschutz-der-SPX-Funkti… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-babel), Fedora (moodle), Gentoo (mailutils), Oracle (go-toolset:ol8 and java-11-openjdk), Red Hat (ghostscript, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, nghttp2, nodejs:16, nodejs:18, and rhc-worker-script), SUSE (cni, cni-plugins, container-suseconnect, containerd, cups, exim, grub2, helm, libeconf, nodejs18, python3, runc, slurm, supportutils, and tomcat), and Ubuntu (glib2.0, openssl, and vips). --------------------------------------------- https://lwn.net/Articles/948246/ ∗∗∗ ZDI-23-1568: NI Measurement & Automation Explorer Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1568/ ∗∗∗ ZDI-23-1567: SolarWinds Access Rights Manager OpenClientUpdateFile Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1567/ ∗∗∗ ZDI-23-1566: SolarWinds Access Rights Manager GetParameterFormTemplateWithSelectionState Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1566/ ∗∗∗ ZDI-23-1565: SolarWinds Access Rights Manager OpenFile Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1565/ ∗∗∗ ZDI-23-1564: SolarWinds Access Rights Manager createGlobalServerChannelInternal Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1564/ ∗∗∗ ZDI-23-1563: SolarWinds Access Rights Manager ExecuteAction Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1563/ ∗∗∗ ZDI-23-1562: SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1562/ ∗∗∗ ZDI-23-1561: SolarWinds Access Rights Manager Incorrect Default Permissions Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1561/ ∗∗∗ ZDI-23-1560: SolarWinds Access Rights Manager IFormTemplate Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1560/ ∗∗∗ Cisco Catalyst SD-WAN Manager Local File Inclusion Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052) ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2023/10/19/technical-advisory-multiple-vulner… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.10.2023
by Daily end-of-shift report 18 Oct '23

18 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-10-2023 18:00 − Mittwoch 18-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious Notepad++ Google ads evade detection for months ∗∗∗ --------------------------------------------- A new Google Search malvertizing campaign targets users looking to download the popular Notepad++ text editor, employing advanced techniques to evade detection and analysis. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-notepad-plus-plus-… ∗∗∗ Over 40,000 admin portal accounts use admin as a password ∗∗∗ --------------------------------------------- Security researchers found that IT administrators are using tens of thousands of weak passwords to protect access to portals, leaving the door open to cyberattacks on enterprise networks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-40-000-admin-portal-acc… ∗∗∗ Recently patched Citrix NetScaler bug exploited as zero-day since August ∗∗∗ --------------------------------------------- A critical vulnerability tracked as CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices has been actively exploited as a zero-day since late August, security researchers announced. --------------------------------------------- https://www.bleepingcomputer.com/news/security/recently-patched-citrix-nets… ∗∗∗ Hiding in Hex, (Wed, Oct 18th) ∗∗∗ --------------------------------------------- There are a variety of attacks seen from DShield honeypots [1]. Most of the time these commands are human readable. but every now and again they are obfuscated using base64 or hex encoding. A quick look for commands containing the "/x" delimiter give a lot of results encoded in hexadecimal. --------------------------------------------- https://isc.sans.edu/diary/rss/30322 ∗∗∗ Qubitstrike Targets Jupyter Notebooks with Crypto Mining and Rootkit Campaign ∗∗∗ --------------------------------------------- Dubbed Qubitstrike by Cado, the intrusion set utilizes Telegram API to exfiltrate cloud service provider credentials following a successful compromise. "The payloads for the Qubitstrike campaign are all hosted on codeberg.org – an alternative Git hosting platform, providing much of the same functionality as GitHub," security researchers Matt Muir and Nate Bill said in a Wednesday write-up. --------------------------------------------- https://thehackernews.com/2023/10/qubitstrike-targets-jupyter-notebooks.html ∗∗∗ BlackCat Climbs the Summit With a New Tactic ∗∗∗ --------------------------------------------- BlackCat ransomware gang has released a utility called Munchkin, allowing attackers to propagate their payload to remote machines. We analyze this new tool. --------------------------------------------- https://unit42.paloaltonetworks.com/blackcat-ransomware-releases-new-utilit… ∗∗∗ Updated MATA attacks industrial companies in Eastern Europe ∗∗∗ --------------------------------------------- Kaspersky experts discovered several detections of malware from the MATA cluster, previously attributed to the Lazarus group, compromising defense contractor companies in Eastern Europe. --------------------------------------------- https://ics-cert.kaspersky.com/publications/updated-mata-attacks-industrial… ∗∗∗ Where Has the MS Office Document Malware Gone? ∗∗∗ --------------------------------------------- Infostealers, which steal user account credentials saved in web browsers or email clients, constitute the majority of attacks targeting general or corporate users. Related information was shared through the ASEC Blog in December of last year. [1] While the distribution method for the named malware differs slightly depending on their main features, Infostealer-type malware typically uses malicious sites disguised as pages for downloading legitimate programs as their distribution route. --------------------------------------------- https://asec.ahnlab.com/en/57883/ ∗∗∗ CISA Updates Toolkit to Promote Public Safety Communications and Cyber Resiliency ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) collaborates with public safety, national security, and emergency preparedness communities to enhance seamless and secure communications to keep America safe, secure, and resilient. Any interruption in communications can have a cascading effect, impacting a public safety agency’s ability to deliver critical lifesaving services to the community. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-updates-toolkit-promote-public-s… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Oracle veröffentlicht 387 Sicherheits-Patches ∗∗∗ --------------------------------------------- Der vierteljährliche Patchday von Oracle hat stattgefunden. Er bringt im Oktober 387 Updates für mehr als 120 Produkte. --------------------------------------------- https://www.heise.de/-9337238 ∗∗∗ AMD-Grafiktreiber: Codeschmuggel durch Sicherheitslücke möglich ∗∗∗ --------------------------------------------- AMD warnt vor einer Sicherheitslücke in den eigenen Grafiktreibern. Angreifer könnten Code einschleusen und mit erhöhten Rechten ausführen. --------------------------------------------- https://www.heise.de/-9337480 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (slurm-wlm), Fedora (icecat and python-configobj), Oracle (dotnet6.0, kernel-container, nginx, nginx:1.20, nginx:1.22, and python3.9), Red Hat (bind9.16, curl, dotnet6.0, kernel-rt, kpatch-patch, nghttp2, nodejs, python-reportlab, and virt:rhel), Slackware (util), SUSE (buildah, conmon, erlang, glibc, kernel, nghttp2, opensc, python-urllib3, samba, slurm, and suse-module-tools), and Ubuntu (frr, linux-azure, and pmix). --------------------------------------------- https://lwn.net/Articles/948097/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.10.2023
by Daily end-of-shift report 17 Oct '23

17 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 16-10-2023 18:00 − Dienstag 17-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Discord still a hotbed of malware activity — Now APTs join the fun ∗∗∗ --------------------------------------------- Discord continues to be a breeding ground for malicious activity by hackers and now APT groups, with it commonly used to distribute malware, exfiltrate data, and targeted by threat actors to steal authentication tokens. --------------------------------------------- https://www.bleepingcomputer.com/news/security/discord-still-a-hotbed-of-ma… ∗∗∗ A hack in hand is worth two in the bush ∗∗∗ --------------------------------------------- We analyzed the data published by Cyber Av3ngers and found it to be sourced from older leaks by another hacktivist group called Moses Staff. --------------------------------------------- https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/ ∗∗∗ Android Mobile Root Detection – Snake Oil or Silver Bullet? ∗∗∗ --------------------------------------------- Android is one of the most widely used mobile operating systems in the world. However, with its widespread use, it is also susceptible to security threats. --------------------------------------------- https://sec-consult.com/blog/detail/android-mobile-root-detection-snake-oil… ∗∗∗ NSA Publishes ICS/OT Intrusion Detection Signatures and Analytics ∗∗∗ --------------------------------------------- NSA has released Elitewolf, a repository of intrusion detection signatures and analytics for OT environments. --------------------------------------------- https://www.securityweek.com/nsa-publishes-ics-ot-intrusion-detection-signa… ∗∗∗ Betrügerische Spendenorganisationen sammeln Geld für Israel ∗∗∗ --------------------------------------------- Kriminelle wissen, dass die Spendenbereitschaft in Krisensituationen besonders hoch ist. Nur wenige Tage nach dem Anschlag in Israel tauchen im Netz betrügerische Spenden-Websiten für Israel auf. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-spendenorganisationen… ∗∗∗ Snapshot fuzzing direct composition with WTF ∗∗∗ --------------------------------------------- Although there is public research on Direct Composition, only a few discuss fuzzing this feature, and none, to our knowledge, that covers snapshot fuzzing. --------------------------------------------- https://blog.talosintelligence.com/snapshot-fuzzing-direct-composition-with… ∗∗∗ Principles for ransomware-resistant cloud backups ∗∗∗ --------------------------------------------- Helping to make cloud backups resistant to the effects of destructive ransomware. --------------------------------------------- https://www.ncsc.gov.uk/guidance/principles-for-ransomware-resistant-cloud-… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Vulnerabilities Uncovered in Open Source CasaOS Cloud Software ∗∗∗ --------------------------------------------- Two critical security flaws discovered in the open-source CasaOS personal cloud software could be successfully exploited by attackers to achieve arbitrary code execution and take over susceptible systems. --------------------------------------------- https://thehackernews.com/2023/10/critical-vulnerabilities-uncovered-in.html ∗∗∗ Cisco: Schwere Sicherheitslücke in IOS XE ermöglicht Netzwerk-Übernahme ∗∗∗ --------------------------------------------- Geräte mit IOS XE und Web-UI können von Angreifern ohne Weiteres aus der Ferne übernommen werden. Cisco hat keine Patches, aber Empfehlungen für Betroffene. --------------------------------------------- https://www.heise.de/news/Cisco-Schwere-Sicherheitsluecke-in-IOS-XE-erlaubt… ∗∗∗ SonicOS: Angreifer können Sonicwalls abstürzen lassen ∗∗∗ --------------------------------------------- Sonicwall hat Updates für SonicOS veröffentlicht, die Sicherheitslücken schließen. Die Lecks erlauben Angreifern, verwundbare Geräte lahmzulegen. --------------------------------------------- https://www.heise.de/news/SonicOS-Angreifer-koennen-Sonicwalls-abstuerzen-l… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (axis, nghttp2, node-babel7, and tomcat9), Fedora (curl and ghostscript), Oracle (bind, kernel-container, mariadb:10.5, and python3.11), Red Hat (.NET 7.0, go-toolset, golang, and go-toolset:rhel8), SUSE (kernel, libcue, libxml2, python-Django, and python-gevent), and Ubuntu (curl, ghostscript, iperf3, libcue, python2.7, quagga, and samba). --------------------------------------------- https://lwn.net/Articles/948010/ ∗∗∗ K000137211 : cURL vulnerabilities CVE-2023-38546 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137211 ∗∗∗ Festo: Vulnerable Siemens TIA-Portal in multiple Festo Didactic products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-047/ ∗∗∗ WAGO: Multiple products vulnerable to local file inclusion ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-046/ ∗∗∗ Schneider Electric EcoStruxure Power Monitoring Expert and Power Operation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-290-01 ∗∗∗ Rockwell Automation FactoryTalk Linx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-290-02 ∗∗∗ Vulnerability CVE-2023-35116 affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052938 ∗∗∗ IBM Personal Communications could allow a remote user to obtain sensitive information including user passwords, allowing unauthorized access. (CVE-2016-0321) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/276845 ∗∗∗ IBM Db2 is vulnerable to denial of service via a specially crafted query on certain databases. (CVE-2023-30987) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7047560 ∗∗∗ Vulnerability in pycrypto-2.6.1.tar.gz affects IBM Integrated Analytics System [CVE-2013-7459, CVE-2018-6594] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053417 ∗∗∗ Multiple vulnerabilities in OpenSSL affect IBM Observability with Instana (Agent container image) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053623 ∗∗∗ Remote code execution/denial of service attack is possible in IBM Observability with Instana (Self-hosted on Docker) due to use of Apache Kafka ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053643 ∗∗∗ Due to use of Apache Commons FileUpload and Tomcat, IBM UrbanCode Release is vulnerable to a denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7053627 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily October 2023