Daily October 2023

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 16.10.2023
by Daily end-of-shift report 16 Oct '23

16 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-10-2023 18:00 − Montag 16-10-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ DarkGate malware spreads through compromised Skype accounts ∗∗∗ --------------------------------------------- Between July and September, DarkGate malware attacks have used compromised Skype accounts to infect targets through messages containing VBA loader script attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/darkgate-malware-spreads-thr… ∗∗∗ Scanning evasion issue in Cisco Secure Email Gateway ∗∗∗ --------------------------------------------- Cisco Secure Email Gateway provided by Cisco Systems may fail to detect specially crafted files. --------------------------------------------- https://jvn.jp/en/jp/JVN58574030/ ∗∗∗ Security review for Microsoft Edge version 118 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 118! We have reviewed the new settings in Microsoft Edge version 118 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 117 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ SpyNote: Beware of This Android Trojan that Records Audio and Phone Calls ∗∗∗ --------------------------------------------- The Android banking trojan known as SpyNote has been dissected to reveal its diverse information-gathering features.Typically spread via SMS phishing campaigns, attack chains involving the spyware trick potential victims into installing the app by clicking on the embedded link, according to F-Secure. --------------------------------------------- https://thehackernews.com/2023/10/spynote-beware-of-this-android-trojan.html ∗∗∗ Pro-Russian Hackers Exploiting Recent WinRAR Vulnerability in New Campaign ∗∗∗ --------------------------------------------- Pro-Russian hacking groups have exploited a recently disclosed security vulnerability in the WinRAR archiving utility as part of a phishing campaign designed to harvest credentials from compromised systems."The attack involves the use of malicious archive files that exploit the recently discovered vulnerability affecting the WinRAR compression software versions prior to 6.23 [..] --------------------------------------------- https://thehackernews.com/2023/10/pro-russian-hackers-exploiting-recent.html ∗∗∗ Signal says there is no evidence rumored zero-day bug is real ∗∗∗ --------------------------------------------- As this is an ongoing investigation, and the mitigation is to simply disable the Link Previews feature, users may want to turn this setting off for the time being until its fully confirmed not to be real. --------------------------------------------- https://www.bleepingcomputer.com/news/security/signal-says-there-is-no-evid… ∗∗∗ “EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts ∗∗∗ --------------------------------------------- Over the last two months, leveraging a vast array of hijacked WordPress sites, this threat actor has misled users into downloading malicious fake “browser updates”. While their initial method of hosting code on abused Cloudflare Worker hosts was taken down, they’ve quickly pivoted to take advantage of the decentralized, anonymous, and public nature of blockchain. This campaign is up and harder than ever to detect and take down. --------------------------------------------- https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-… ∗∗∗ Blocking Dedicated Attacking Hosts Is Not Enough: In-Depth Analysis of a Worldwide Linux XorDDoS Campaign ∗∗∗ --------------------------------------------- We provide a comprehensive analysis of the XorDDoS Trojans attacking behaviors. Subsequently, we unveil the intricate network infrastructure orchestrating the campaigns botnet. Lastly, we introduce the advanced signatures derived from the key attacking hotspots, including hostnames, URLs and IP addresses. These signatures effectively identified over 1,000 XorDDoS C2 traffic sessions in August 2023 alone. --------------------------------------------- https://unit42.paloaltonetworks.com/new-linux-xorddos-trojan-campaign-deliv… ∗∗∗ WS_FTP: Ransomware-Attacken auf ungepatchte Server ∗∗∗ --------------------------------------------- In WS_FTP hat Hersteller Progress kürzlich teils kritische Sicherheitslücken geschlossen. Inzwischen sieht Sophos Ransomware-Angriffe darauf. --------------------------------------------- https://www.heise.de/news/WS-FTP-Ransomware-Attacken-auf-ungepatchte-Server… ∗∗∗ Milesight Industrial Router Vulnerability Possibly Exploited in Attacks ∗∗∗ --------------------------------------------- A vulnerability affecting Milesight industrial routers, tracked as CVE-2023-4326, may have been exploited in attacks. --------------------------------------------- https://www.securityweek.com/milesight-industrial-router-vulnerability-poss… ∗∗∗ Sie verkaufen auf Willhaben? Diese Betrugsmasche sollten Sie kennen! ∗∗∗ --------------------------------------------- Auf Willhaben und anderen Verkaufsplattformen begegnen Ihnen sicherlich auch mal Betrüger:innen. Besonders vorsichtig sollten Sie sein, wenn Sie zum ersten Mal verkaufen und Sie den Ablauf eines Verkaufs noch nicht so gut kennen. Wir zeigen Ihnen eine gängige Betrugsmasche und wie Sie sich davor schützen! --------------------------------------------- https://www.watchlist-internet.at/news/sie-verkaufen-auf-willhaben-diese-be… ∗∗∗ curl-Schwachstelle durch Microsoft ungepatcht ∗∗∗ --------------------------------------------- In der Bibliothek und im Tool curl gibt es in älteren Versionen eine Schwachstelle, die vom Projekt am 11. Oktober 2023 mit der Version 8.4.0 geschlossen wurde. Microsoft liefert curl mit Windows aus, und es stellte sich die Frage, ob curl zum Patchday, 10. Oktober 2023, ebenfalls aktualisiert wurde. Mein Stand ist, dass in Windows auch nach den Oktober 2023-Updates die veraltete curl-Version enthalten ist. --------------------------------------------- https://www.borncity.com/blog/2023/10/14/curl-schwachstelle-durch-microsoft… ∗∗∗ Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability ∗∗∗ --------------------------------------------- Cisco has identified active exploitation of a previously unknown vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198) when exposed to the internet or untrusted networks. --------------------------------------------- https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-soft… ∗∗∗ Threat Actors Exploit Atlassian Confluence CVE-2023-22515 for Initial Access to Networks ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory (CSA) in response to the active exploitation of CVE-2023-22515. This recently disclosed vulnerability affects certain versions of Atlassian Confluence Data Center and Server, enabling malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administrator accounts. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a ===================== = Vulnerabilities = ===================== ∗∗∗ Exim bugs ∗∗∗ --------------------------------------------- Fixed in 4.96.2/4.97: - CVE-2023-42117: Improper Neutralization of Special Elements - CVE-2023-42119: dnsdb Out-Of-Bounds Read libspf2 Integer Underflow: - CVE-2023-42118: Mitigation: Do not use the `spf` condition in your ACL --------------------------------------------- https://exim.org/static/doc/security/CVE-2023-zdi.txt ∗∗∗ Wordpress: Übernahme durch Lücke in Royal Elementor Addons and Template ∗∗∗ --------------------------------------------- Im Wordpress-Plug-in Royal Elementor Addons and Template missbrauchen Cyberkriminelle eine kritische Lücke. Sie nutzen sie zur Übernahme von Instanzen. --------------------------------------------- https://www.heise.de/news/Wordpress-Uebernahme-durch-Luecke-in-Royal-Elemen… ∗∗∗ Samba: Neue Versionen beheben mehrere Sicherheitslücken ∗∗∗ --------------------------------------------- Durch verschiedene Programmierfehler konnten Angreifer auf geheime Informationen bis hin zum Kerberos-TGT-Passwort zugreifen. Aktualisierungen stehen bereit. --------------------------------------------- https://www.heise.de/news/Samba-Neue-Versionen-beheben-mehrere-Sicherheitsl… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (batik, poppler, and tomcat9), Fedora (chromium, composer, curl, emacs, ghostscript, libwebp, libXpm, netatalk, nghttp2, python-asgiref, python-django, and webkitgtk), Mageia (curl and libX11), Oracle (bind, busybox, firefox, and kernel), Red Hat (curl, dotnet6.0, dotnet7.0, and nginx), SUSE (chromium, cni, cni-plugins, grub2, netatalk, opensc, opera, and wireshark), and Ubuntu (iperf3). --------------------------------------------- https://lwn.net/Articles/947891/ ∗∗∗ Vulnerabilities in Video Station ∗∗∗ --------------------------------------------- Three vulnerabilities have been reported to affect Video Station: - CVE-2023-34975 and CVE-2023-34976: SQL injection vulnerabilities - CVE-2023-34977: Cross-site scripting (XSS) vulnerability If exploited, these vulnerabilities could allow authenticated users to inject malicious code via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-52 ∗∗∗ Vulnerabilities in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- Two vulnerabilities have been reported to affect several QNAP operating system versions: - CVE-2023-32970: If exploited, the null pointer dereference vulnerability could allow authenticated administrators to launch a denial-of-service (DoS) attack via a network. - CVE-2023-32973: If exploited, the buffer copy without checking size of input vulnerability could allow authenticated administrators to execute code via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-41 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- A path traversal vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to read and expose sensitive data via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-42 ∗∗∗ Vulnerability in Container Station ∗∗∗ --------------------------------------------- An OS command injection vulnerability has been reported to affect Container Station. If exploited, the vulnerability could allow authenticated administrators to execute arbitrary commands via a network. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-44 ∗∗∗ web2py vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN80476432/ ∗∗∗ cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ FortiSandbox - XSS on delete endpoint ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-311 ∗∗∗ FortiSandbox - Reflected Cross Site Scripting (XSS) on download progress endpoint ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-215 ∗∗∗ FortiSandbox - Arbitrary file delete ∗∗∗ --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-280 ∗∗∗ Red Lion Europe: Vulnerability allows access to non-critical information in mbCONNECT24 and mymbCONNECT24 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-041/ ∗∗∗ Helmholz: Vulnerability allows access to non-critical information in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-043/ ∗∗∗ 2023-10 Security Bulletin: Junos OS and Junos OS Evolved: High CPU load due to specific NETCONF command (CVE-2023-44184) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2023-10-Security-Bulletin-Junos… ∗∗∗ IBM Security Verify Access Appliance has multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009735 ∗∗∗ Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953617 ∗∗∗ Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009741 ∗∗∗ IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028513 ∗∗∗ IBM Security Verify Access product is vulnerable to Open Redirects (AAC module ) (CVE-2023-30433) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7012613 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052776 ∗∗∗ Multiple Vulnerabilities of Apache HttpClient have affected IBM Jazz Reporting Service ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052811 ∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Jazz Reporting Services. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052810 ∗∗∗ IBM Jazz Reporting Service is vulnerable to a denial of service (CVE-2023-35116) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052809 ∗∗∗ Vulnerability with snappy-java affect IBM Cloud Object Storage Systems (Oc2023v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7052829 ∗∗∗ Require strict cookies for image proxy requests ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ OAuth2 client_secret stored in plain text in the database ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h… ∗∗∗ Inviting excessive long email addresses to a calendar event makes the server unresponsive ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r… ∗∗∗ Password of talk conversations can be bruteforced ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7… ∗∗∗ Rate limiter not working reliable when Memcached is installed ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x… ∗∗∗ Security updates 1.5.5 and 1.4.15 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2023/10/16/security-updates-1.5.5-and-1.4.15 ∗∗∗ Security update 1.6.4 released ∗∗∗ --------------------------------------------- https://roundcube.net/news/2023/10/16/security-update-1.6.4-released -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.10.2023
by Daily end-of-shift report 13 Oct '23

13 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-10-2023 18:00 − Freitag 13-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Ransomware attacks now target unpatched WS_FTP servers ∗∗∗ --------------------------------------------- Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-attacks-now-targe… ∗∗∗ FBI shares AvosLocker ransomware technical details, defense tips ∗∗∗ --------------------------------------------- The U.S. government has updated the list of tools AvosLocker ransomware affiliates use in attacks to include open-source utilities along with custom PowerShell, and batch scripts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-shares-avoslocker-ransom… ∗∗∗ An analysis of an in-the-wild iOS Safari WebContent to GPU Process exploit ∗∗∗ --------------------------------------------- In April this year Google's Threat Analysis Group, in collaboration with Amnesty International, discovered an in-the-wild iPhone zero-day exploit chain being used in targeted attacks delivered via malicious link. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/10/an-analysis-of-an-in-the-wil… ∗∗∗ DarkGate Malware Spreading via Messaging Services Posing as PDF Files ∗∗∗ --------------------------------------------- A piece of malware known as DarkGate has been observed being spread via instant messaging platforms such as Skype and Microsoft Teams. In these attacks, the messaging apps are used to deliver a Visual Basic for Applications (VBA) loader script that masquerades as a PDF document, which, when opened, triggers the download and execution of an AutoIt script designed to launch the malware. --------------------------------------------- https://thehackernews.com/2023/10/darkgate-malware-spreading-via.html ∗∗∗ GNOME what Im sayin? - GNOME libcue 0-click vulnerability ∗∗∗ --------------------------------------------- Am 10. Oktober wurde CVE-2023-43641 veröffentlicht, eine 0-click out-of-bounds array access Schwachstelle in libcue. GNOME verwendet diese Library zum Parsen von cuesheets beim Indizieren von Dateien für die Suchfunktion. Wie schlimm ist es? --------------------------------------------- https://cert.at/de/blog/2023/10/gnome-what-im-sayin-gnome-libcue-0-click-vu… ∗∗∗ WordPress 6.3.2 Security Release – What You Need to Know ∗∗∗ --------------------------------------------- WordPress Core 6.3.2 was released today, on October 12, 2023. It includes a number of security fixes and additional hardening against commonly exploited vulnerabilities. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordpress-6-3-2-security-release-wha… ∗∗∗ Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malwares ∗∗∗ --------------------------------------------- Because the Lazarus threat group has been active since a long time ago, there are many attack cases and various malware strains are used in each case. In particular, there is also a wide variety of backdoors used for controlling the infected system after initial access. AhnLab Security Emergency response Center (ASEC) is continuously tracking and analyzing attacks by the Lazarus group, and in this post, we will analyze Volgmer and Scout, the two major malware strains used in their attacks. --------------------------------------------- https://asec.ahnlab.com/en/57685/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple fixes iOS Kernel zero-day vulnerability on older iPhones ∗∗∗ --------------------------------------------- Apple has published security updates for older iPhones and iPads to backport patches released one week ago, addressing two zero-day vulnerabilities exploited in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apple-fixes-ios-kernel-zero-… ∗∗∗ Caching-Proxy: 35 Schwachstellen in Squid schon mehr als 2 Jahre ungepatcht ∗∗∗ --------------------------------------------- Anfang 2021 hatte ein Sicherheitsforscher 55 Schwachstellen an das Entwicklerteam von Squid gemeldet. Ein Großteil ist noch offen. --------------------------------------------- https://www.golem.de/news/caching-proxy-35-schwachstellen-in-squid-schon-me… ∗∗∗ Schwere Sicherheitslücken in Monitoring-Software Zabbix behoben ∗∗∗ --------------------------------------------- In verschiedenen Komponenten der Monitoringsoftware Zabbix klafften kritische Sicherheitslücken, die Angreifern die Ausführung eigenen Codes ermöglichen. --------------------------------------------- https://www.heise.de/news/Schwere-Sicherheitsluecken-in-Monitoring-Software… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, tomcat9, and webkit2gtk), Fedora (cacti, cacti-spine, grafana-pcp, libcue, mbedtls, samba, and vim), Oracle (kernel, libvpx, and thunderbird), Red Hat (bind and galera, mariadb), SUSE (exiv2, go1.20, go1.21, and kernel), and Ubuntu (ffmpeg). --------------------------------------------- https://lwn.net/Articles/947710/ ∗∗∗ cURL and libcurl Vulnerability Affecting Cisco Products: October 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Nextcloud Security Advisory: Improper restriction of excessive authentication attempts on WebDAV endpoint ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2… ∗∗∗ K000137229 : BIND vulnerability CVE-2022-38178 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137229 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.10.2023
by Daily end-of-shift report 12 Oct '23

12 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-10-2023 18:00 − Donnerstag 12-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Well, this SOCKS - curl SOCKS 5 Heap Buffer Overflow (CVE-2023-38545) ∗∗∗ --------------------------------------------- Nachdem letzte Woche ein Advisory zu "der schlimmsten Schwachstelle in curl seit Langem" angekündigt wurde, konnten verängstigte, verschlafene und chronisch unterkoffeinierte Admins und Security-Spezialisten nach der gestrigen Veröffentlichung den Schaden begutachten. Die gute Nachricht: Die Apokalypse ist an uns vorüber gegangen. Die schlechte Nachricht: Mit dem CVSS(v2) Score lässt sich die Schwere einer Schwachstelle nicht immer ausreichend abbilden. --------------------------------------------- https://cert.at/de/blog/2023/10/well-this-socks-curl-socks-5-heap-buffer-ov… ∗∗∗ ToddyCat: Keep calm and check logs ∗∗∗ --------------------------------------------- In this article, we’ll describe ToddyCat new toolset, the malware used to steal and exfiltrate data, and the techniques used by this group to move laterally and conduct espionage operations. --------------------------------------------- https://securelist.com/toddycat-keep-calm-and-check-logs/110696/ ∗∗∗ Malicious NuGet Package Targeting .NET Developers with SeroXen RAT ∗∗∗ --------------------------------------------- A malicious package hosted on the NuGet package manager for the .NET Framework has been found to deliver a remote access trojan called SeroXen RAT. The package, named Pathoschild.Stardew.Mod.Build.Config and published by a user named Disti, is a typosquat of a legitimate package called Pathoschild.Stardew.ModBuildConfig, software supply chain security firm Phylum said in a report today. While the real package has received nearly 79,000 downloads to date, the malicious variant is said to have artificially inflated its download count after being published on October 6, 2023, to surpass 100,000 downloads. --------------------------------------------- https://thehackernews.com/2023/10/malicious-nuget-package-targeting-net.html ∗∗∗ New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects ∗∗∗ --------------------------------------------- In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects. --------------------------------------------- https://www.virusbulletin.com/blog/2023/10/new-paper-nexus-android-banking-… ∗∗∗ Backdoor Malware Found on WordPress Website Disguised as Legitimate Plugin ∗∗∗ --------------------------------------------- A backdoor deployed on a compromised WordPress website poses as a legitimate plugin to hide its presence. --------------------------------------------- https://www.securityweek.com/backdoor-malware-found-on-wordpress-website-di… ∗∗∗ Using Velociraptor for large-scale endpoint visibility and rapid threat hunting ∗∗∗ --------------------------------------------- In this post we give on overview of some of the capabilities of Velociraptor, and also how we have leveraged them to conduct some real-time threat hunting shedding light on how it can equip security teams to proactively safeguard digital environments. --------------------------------------------- https://www.pentestpartners.com/security-blog/using-velociraptor-for-large-… ∗∗∗ Angebliche Branchenbücher und Firmenverzeichnisse locken in teure Abo-Falle! ∗∗∗ --------------------------------------------- Aktuell werden uns zahlreiche unseriöse Branchen-, Adressen- und Firmenverzeichnisse gemeldet, die versuchen Unternehmen das Geld aus der Tasche zu ziehen. Per E-Mail, Telefon oder Fax werden Unternehmen dazu überredet, sich in ein nutzloses und oft gar nicht existierendes Branchenbuch einzutragen. Wer auf das Angebot eingeht, schließt ein überteuertes Abo ab, das nur schwer zu kündigen ist. Betroffen von dieser Abzocke sind vor allem kleine und mittlere Unternehmen. --------------------------------------------- https://www.watchlist-internet.at/news/angebliche-branchenbuecher-und-firme… ∗∗∗ XOR Known-Plaintext Attacks ∗∗∗ --------------------------------------------- In this blog post, we show in detail how a known-plaintext attack on XOR encoding works, and automate it with custom tools to decrypt and extract the configuration of a Cobalt Strike beacon. If you are not interested in the theory, just in the tools, go straight to the conclusion. --------------------------------------------- https://blog.nviso.eu/2023/10/12/xor-known-plaintext-attacks/ ===================== = Vulnerabilities = ===================== ∗∗∗ An analysis of PoS/ cashIT! cash registers ∗∗∗ --------------------------------------------- This report summarizes our findings about vulnerabilities in cashIT!, a cash register system implementing the Austrian cash registers security regulation (RKSV). Besides lack of encryption, outdated software components and low-entropy passwords, these weaknesses include a bypass of origin checks (CVE-2023-3654), unauthenticated remote database exfiltration (CVE-2023-3655), and unauthenticated remote code with administrative privileges on the cash register host machines (CVE-2023-3656). Based on our analysis result, these vulnerabilities affect over 200 cash register installations in Austrian restaurants that are accessible over the Internet. --------------------------------------------- https://epub.jku.at/obvulioa/content/titleinfo/9142358 ∗∗∗ Sicherheitsupdates: Backdoor-Lücke bedroht Netzwerkgeräte von Juniper ∗∗∗ --------------------------------------------- Schwachstellen im Netzwerkbetriebssystem Junos OS bedrohen Routing-, Switching- und Sicherheitsgeräte von Juniper. --------------------------------------------- https://www.heise.de/-9332169 ∗∗∗ 10 zero-day vulnerabilities in industrial cell router could lead to code execution, buffer overflows ∗∗∗ --------------------------------------------- Attackers could exploit these vulnerabilities in the Yifan YF325 to carry out a variety of attacks, in some cases gaining the ability to execute arbitrary shell commands on the targeted device [..] All these vulnerabilities also have a severity score of 9.8. Talos is disclosing these vulnerabilities despite no official patch from Yifan, all in adherence to Cisco’s third-party vendor vulnerability disclosure policy. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-roundup-webkit-and-yifan-r… ∗∗∗ 40 Schwachstellen in IBM-Sicherheitslösung QRadar SIEM geschlossen ∗∗∗ --------------------------------------------- Mehrere Komponenten in IBM QRadar SIEM weisen Sicherheitslücken auf und gefährden das Security-Information-and-Event-Management-System. --------------------------------------------- https://www.heise.de/-9332542 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (October 2, 2023 to October 8, 2023) ∗∗∗ --------------------------------------------- Last week, there were 92 vulnerabilities disclosed in 88 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libcue, org-mode, python3.7, and samba), Fedora (libcue, oneVPL, oneVPL-intel-gpu, and xen), Mageia (glibc), Oracle (glibc, kernel, libssh2, libvpx, nodejs, and python-reportlab), Slackware (libcaca), SUSE (gsl, ImageMagick, kernel, opensc, python-urllib3, qemu, rage-encryption, samba, and xen), and Ubuntu (curl and samba). --------------------------------------------- https://lwn.net/Articles/947570/ ∗∗∗ Weintek cMT3000 HMI Web CGI ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-12 ∗∗∗ Advantech WebAccess ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-15 ∗∗∗ Santesoft Sante FFT Imaging ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-02 ∗∗∗ Santesoft Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-285-01 ∗∗∗ Mitsubishi Electric MELSEC-F Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-13 ∗∗∗ Hikvision Access Control and Intercom Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14 ∗∗∗ PILZ : WIBU Vulnerabilities in multiple Products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-033/ ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-16 ∗∗∗ Hikvision Access Control and Intercom Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-285-14 ∗∗∗ CVE-2023-3281 Cortex XSOAR: Cleartext Exposure of Client Certificate Key in Kafka v3 Integration (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-3281 ∗∗∗ IBM Aspera Faspex has addressed an IP address restriction bypass vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7048851 ∗∗∗ Vulnerability of okio-1.13.0.jar is affecting APM WebSphere Application Server Agent, APM Tomcat Agent, APM SAP NetWeaver Java Stack Agent, APM WebLogic Agent and APM Data Collector for J2SE ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7051173 ∗∗∗ IBM App Connect Enterprise is vulnerable to a potential information disclosure ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7051204 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.10.2023
by Daily end-of-shift report 11 Oct '23

11 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-10-2023 18:00 − Mittwoch 11-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft to kill off VBScript in Windows to block malware delivery ∗∗∗ --------------------------------------------- Microsoft is planning to phase out VBScript in future Windows releases after 30 years of use, making it an on-demand feature until it is removed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-to-kill-off-vbscri… ∗∗∗ Microsoft warns of incorrect BitLocker encryption errors ∗∗∗ --------------------------------------------- Microsoft warned customers this week of incorrect BitLocker drive encryption errors being shown in some managed Windows environments. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-warns-of-incorrec… ∗∗∗ LinkedIn Smart Links attacks return to target Microsoft accounts ∗∗∗ --------------------------------------------- Hackers are once again abusing LinkedIn Smart Links in phishing attacks to bypass protection measures and evade detection in attempts to steal Microsoft account credentials. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linkedin-smart-links-attacks… ∗∗∗ Support-Ende für Windows Server 2012 R2: Warum Sie das nicht ignorieren dürfen ∗∗∗ --------------------------------------------- Ab sofort steht der Windows Server 2012 R2 komplett ohne Support dar. Doch aufgrund seiner Beliebtheit kommt er noch immer zum Einsatz – das muss sich ändern. --------------------------------------------- https://www.heise.de/news/Support-Ende-fuer-Windows-Server-2012-R2-Warum-Si… ∗∗∗ Wireshark Tutorial: Identifying Hosts and Users ∗∗∗ --------------------------------------------- When a host is infected or otherwise compromised, security professionals need to quickly review packet captures of suspicious network traffic to identify affected hosts and users. --------------------------------------------- https://unit42.paloaltonetworks.com/using-wireshark-identifying-hosts-and-u… ∗∗∗ Distribution of Magniber Ransomware Stops (Since August 25th) ∗∗∗ --------------------------------------------- Through a continuous monitoring process, AhnLab Security Emergency response Center (ASEC) is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which abuses typos in domain addresses. --------------------------------------------- https://asec.ahnlab.com/en/57592/ ∗∗∗ The Risks of Exposing DICOM Data to the Internet ∗∗∗ --------------------------------------------- DICOM has revolutionized the medical imaging industry. However, it also presents potential vulnerabilities when exposed to the open internet. --------------------------------------------- https://www.rapid7.com/blog/post/2023/10/11/the-risks-of-exposing-dicom-dat… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-38545: curl SOCKS5 oversized hostname vulnerability. How bad is it?, (Wed, Oct 11th) ∗∗∗ --------------------------------------------- Today, we got the promised fix for CVE-2023-38545. So here is a quick overview of how severe it is. --------------------------------------------- https://isc.sans.edu/diary/rss/30304 ∗∗∗ Patchday Microsoft: Attacken auf Skype for Business und WordPad ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für etwa Azure, Office und Windows veröffentlicht. --------------------------------------------- https://www.heise.de/news/Patchday-Microsoft-Attacken-auf-Skype-for-Busines… ∗∗∗ Patchday Adobe: Schadcode-Attacken auf Magento-Shops und Photoshop möglich ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben in Bridge, Commerce, Magento Open Source und Photoshop mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://www.heise.de/news/Patchday-Adobe-Schadcode-Attacken-auf-Magento-Sho… ∗∗∗ Webbrowser: Google-Chrome-Update schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Google hat das wöchentliche Chrome-Update herausgegeben. Es schließt 20 Sicherheitslücken, von denen mindestens eine als kritisch gilt. --------------------------------------------- https://www.heise.de/news/Webbrowser-Google-Chrome-Update-schliesst-kritisc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, mediawiki, tomcat10, and tomcat9), Fedora (libcaca, oneVPL, oneVPL-intel-gpu, and tracker-miners), Gentoo (curl), Mageia (cups and firefox, thunderbird), Red Hat (curl, kernel, kernel-rt, kpatch-patch, libqb, libssh2, linux-firmware, python-reportlab, tar, and the virt:rhel module), Slackware (curl, libcue, libnotify, nghttp2, and samba), SUSE (conmon, curl, glibc, kernel, php-composer2, python-reportlab, samba, and shadow), [...] --------------------------------------------- https://lwn.net/Articles/947409/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Sicherheitsupdates Fortinet: Angreifer können Passwörter im Klartext einsehen ∗∗∗ --------------------------------------------- https://www.heise.de/news/Sicherheitsupdates-Fortinet-Angreifer-koennen-Pas… ∗∗∗ K000137202 : Intel BIOS vulnerability CVE-2022-38083 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137202 ∗∗∗ Lenovo System Update Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500581-LENOVO-SYSTEM-UPDATE-VU… ∗∗∗ Lenovo View Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500580-LENOVO-VIEW-DENIAL-OF-S… ∗∗∗ Multi-vendor BIOS Security Vulnerabilities (October 2023) ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500582-MULTI-VENDOR-BIOS-SECUR… ∗∗∗ Lenovo Preload Directory Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500579-LENOVO-PRELOAD-DIRECTOR… ∗∗∗ [R1] Security Center Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-32 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.10.2023
by Daily end-of-shift report 10 Oct '23

10 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 09-10-2023 18:00 − Dienstag 10-10-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patch Now: Massive RCE Campaign Wrangles Routers Into Botnet ∗∗∗ --------------------------------------------- Thousands of devices, including D-Link and Zyxel gear, remain vulnerable to takeover despite the availability of patches for the several bugs being exploited by IZ1H9 campaign. --------------------------------------------- https://www.darkreading.com/cloud/patch-now-massive-rce-campaign-d-link-zyx… ∗∗∗ Over 17,000 WordPress sites hacked in Balada Injector attacks last month ∗∗∗ --------------------------------------------- Multiple Balada Injector campaigns have compromised and infected over 17,000 WordPress sites using known flaws in premium theme plugins. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-17-000-wordpress-sites-… ∗∗∗ The Art of Concealment: A New Magecart Campaign That’s Abusing 404 Pages ∗∗∗ --------------------------------------------- A new, sophisticated, and covert Magecart web skimming campaign has been targeting Magento and WooCommerce websites. --------------------------------------------- https://www.akamai.com/blog/security-research/magecart-new-technique-404-pa… ∗∗∗ Inzwischen vorhanden: Details zu gefixten Lücken in iOS 17 und Co. ∗∗∗ --------------------------------------------- Als iOS 17, iPadOS 17, watchOS 10 und tvOS 17 erschienen, machte Apple keine Angaben zu enthaltenen Sicherheitspatches. Mittlerweile lassen sie sich einsehen. --------------------------------------------- https://www.heise.de/-9319162 ∗∗∗ ‘HTTP/2 Rapid Reset’ Zero-Day Exploited to Launch Largest DDoS Attacks in History ∗∗∗ --------------------------------------------- Cloudflare, Google and AWS revealed on Tuesday that a new zero-day vulnerability named ‘HTTP/2 Rapid Reset’ has been exploited by malicious actors to launch the largest distributed denial-of-service (DDoS) attacks in internet history. --------------------------------------------- https://www.securityweek.com/rapid-reset-zero-day-exploited-to-launch-large… ∗∗∗ Take a note of SpyNote! ∗∗∗ --------------------------------------------- Among noteworthy spyware, one that has been in the limelight recently is SpyNote. This spyware app spreads via smishing (i.e. malicious SMS messages) by urging the victims to install the app from provided links. Naturally, the hosting and downloading happen outside of the official Play Store app, to prevent the security evaluation done by Google Play Store from thwarting the spread of this spyware. --------------------------------------------- https://blog.f-secure.com/take-a-note-of-spynote/ ∗∗∗ Android-Geräte ab Werk mit Malware infiziert ∗∗∗ --------------------------------------------- Settop-Boxen mit bestimmten Chipsätzen von Allwinner und Rockchip enthalten den Trojaner Badbox. Der zeigt unterwünschte Werbung an und verbreitet schädliche Apps. --------------------------------------------- https://www.zdnet.de/88412275/android-geraete-ab-werk-mit-malware-infiziert/ ∗∗∗ Infostealer with Abnormal Certificate Being Distributed ∗∗∗ --------------------------------------------- Recently, there has been a high distribution rate of malware using abnormal certificates. Malware often disguise themselves with normal certificates. However, in this case, the malware entered the certificate information randomly, with the Subject Name and Issuer Name fields having unusually long strings. As a result, the certificate information is not visible in Windows operating systems, and a specific tool or infrastructure is required to inspect the structure of these certificates. --------------------------------------------- https://asec.ahnlab.com/en/57553/ ∗∗∗ CISA, Government, and Industry Partners Publish Fact Sheet for Organizations Using Open Source Software ∗∗∗ --------------------------------------------- This guidance is intended to assist both senior leadership and operations personnel at OT/ICS vendors and critical infrastructure entities with better management of risk from OSS use in OT/ICS products, to include software supply chain, and increase resilience using available resources. --------------------------------------------- https://www.cisa.gov/news-events/news/cisa-government-and-industry-partners… ===================== = Vulnerabilities = ===================== ∗∗∗ Per SSID: Schwachstelle in D-Link-Repeater erlaubt Codeausführung ∗∗∗ --------------------------------------------- Beim Netzwerk-Scan des D-Link DAP-X1860 kann es zu einer unerwünschten Codeausführung kommen. Über spezielle SSIDs sind Angriffe möglich. --------------------------------------------- https://www.golem.de/news/per-ssid-schwachstelle-in-d-link-repeater-erlaubt… ∗∗∗ Siemens Security Advisories 2023-10-10 ∗∗∗ --------------------------------------------- SSA-843070: SCALANCE W1750D, SSA-829656: Xpedition Layout Browser, SSA-784849: SIMATIC CP Devices, SSA-770890: SICAM A8000 Devices, SSA-647455: RUGGEDCOM APE1808 devices, SSA-594373: SINEMA Server V14, SSA-524778: Tecnomatix Plant Simulation, SSA-386812: Simcenter Amesim before V2021.1, SSA-295483: Mendix, SSA-160243: SINEC NMS before V2.0, SSA-134651: SICAM A8000 Devices, SSA-035466: SICAM PAS/PQS --------------------------------------------- https://www.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ Backup: Acronis schließt Sicherheitslücken im Agent für Linux, Mac und Windows ∗∗∗ --------------------------------------------- Acronis hat eine Aktualisierung des Agent für Linux, Mac und Windows veröffentlicht. Sie dichtet unter anderem ein Leck mit hohem Risiko ab. --------------------------------------------- https://www.heise.de/-9329516 ∗∗∗ Sicherheitsupdates: Schadcode- und Root-Lücken bedrohen IBM-Software ∗∗∗ --------------------------------------------- IBM hat unter anderem im Datenbankmanagementsystem Db2 schwerwiegende Schwachstellen geschlossen. --------------------------------------------- https://www.heise.de/-9329404 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, firefox, and kernel), Gentoo (less and libcue), Red Hat (bind, libvpx, nodejs, and python3), Scientific Linux (firefox and thunderbird), SUSE (conmon, go1.20, go1.21, shadow, and thunderbird), and Ubuntu (libcue, ring, and ruby-kramdown). --------------------------------------------- https://lwn.net/Articles/947233/ ∗∗∗ One-Click GNOME Exploit Could Pose Serious Threat to Linux Systems ∗∗∗ --------------------------------------------- A one-click exploit targeting the Libcue component of the GNOME desktop environment could pose a serious threat to Linux systems. --------------------------------------------- https://www.securityweek.com/one-click-gnome-exploit-could-pose-serious-thr… ∗∗∗ SAP Releases 7 New Notes on October 2023 Patch Day ∗∗∗ --------------------------------------------- SAP has released seven new notes as part of its October 2023 Security Patch Day, all rated ‘medium severity’. --------------------------------------------- https://www.securityweek.com/sap-releases-7-new-notes-on-october-2023-patch… ∗∗∗ Unverschlüsselte Bluetoothverbindung bei Smartwatch Amazfit Bip U (SYSS-2023-022) ∗∗∗ --------------------------------------------- Die Smartwatch Amazfit Bip U kommuniziert unverschlüsselt mit dem verbundenen Smartphone. Alle Nachrichten können daher von Angreifenden abgehört werden. --------------------------------------------- https://www.syss.de/pentest-blog/unverschluesselte-bluetoothverbindung-bei-… ∗∗∗ Ivanti Endpoint Manager new vulnerabilities ∗∗∗ --------------------------------------------- There are two vulnerabilities we have recently discovered that impact Ivanti Endpoint Manager (EPM) versions 2022 and below. They both have CVSS scores in the ‘Moderate’ range. We are reporting them as CVE-2023-35083 and CVE-2023-35084. --------------------------------------------- https://www.ivanti.com/blog/ivanti-endpoint-manager-new-vulnerabilities ∗∗∗ F5 BIG-IP Security Advisories 2023-10-10 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/new-updated-articles#sort=%40f5_updated_publishe… ∗∗∗ Xen Security Advisories ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/ ∗∗∗ Citrix NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-4966 and CVE-2023-4967 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX579459/netscaler-adc-and-netscaler-ga… ∗∗∗ Citrix Hypervisor Multiple Security Updates ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX575089/citrix-hypervisor-multiple-sec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.10.2023
by Daily end-of-shift report 09 Oct '23

09 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-10-2023 18:00 − Montag 09-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ HelloKitty ransomware source code leaked on hacking forum ∗∗∗ --------------------------------------------- A threat actor has leaked the complete source code for the first version of the HelloKitty ransomware on a Russian-speaking hacking forum, claiming to be developing a new, more powerful encryptor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-source… ∗∗∗ High-Severity Flaws in ConnectedIOs 3G/4G Routers Raise Concerns for IoT Security ∗∗∗ --------------------------------------------- Multiple high-severity security vulnerabilities have been disclosed in ConnectedIOs ER2000 edge routers and the cloud-based management platform that could be exploited by malicious actors to execute malicious code and access sensitive data. --------------------------------------------- https://thehackernews.com/2023/10/high-severity-flaws-in-connectedios.html ∗∗∗ Turn OFF This WatchGuard Feature - GuardLapse ∗∗∗ --------------------------------------------- Picture this: a feature from a security appliance that willingly dispatches its password hashes to any device on the network. That is precisely what WatchGuards SSO does under certain circumstances. --------------------------------------------- https://projectblack.io/blog/turn-off-this-watchguard-feature-guardlapse/ ∗∗∗ Amazon Prime email scammer snatches defeat from the jaws of victory ∗∗∗ --------------------------------------------- A very convincing Amazon Prime scam landed in our mail server today and...went straight to spam. Heres why. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/10/amazon-prime ∗∗∗ Credential Harvesting Campaign Targets Unpatched NetScaler Instances ∗∗∗ --------------------------------------------- Threat actors are targeting Citrix NetScaler instances unpatched against CVE-2023-3519 to steal user credentials. --------------------------------------------- https://www.securityweek.com/credential-harvesting-campaign-targets-unpatch… ∗∗∗ The reality of Apple watch pen testing ∗∗∗ --------------------------------------------- We were approached to do an Apple Watch application test. It seems this isn’t a standard service offered by most companies (including us, although we’ve done plenty of work [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/the-reality-of-apple-watch-pe… ∗∗∗ Immer wieder Abo-Fallen bei IQ-Tests wie auf iq-fast.com/de! ∗∗∗ --------------------------------------------- Wer einen IQ-Test durchführen möchte, findet im Internet unzählige Angebote dafür. Auch iq-fast.com/de lockt mit einem entsprechenden Test auf die eigene Website. Abgesehen von der minderwertigen Qualität des dort angebotenen Tests, der lediglich aus 20 Fragen besteht, führt eine Eingabe der Kreditkartendaten nicht zum Erhalt sinnvoller Ergebnisse, sondern in eine Abo-Falle! --------------------------------------------- https://www.watchlist-internet.at/news/immer-wieder-abo-fallen-bei-iq-tests… ∗∗∗ Fake friends and followers on social media – and how to spot them ∗∗∗ --------------------------------------------- One of the biggest threats to watch out for on social media is fraud perpetrated by people who aren’t who they claim to be. Here’s how to recognize them. --------------------------------------------- https://www.welivesecurity.com/en/social-media/fake-friends-followers-socia… ∗∗∗ Android TV Boxes Infected with Backdoors, Compromising Home Networks ∗∗∗ --------------------------------------------- The Android TV box you recently purchased may be riddled with harmful backdoors. --------------------------------------------- https://www.hackread.com/android-tv-boxes-backdoors-home-networks/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freerdp2, gnome-boxes, grub2, inetutils, lemonldap-ng, prometheus-alertmanager, python-urllib3, thunderbird, and vinagre), Fedora (freeimage, fwupd, libspf2, mingw-freeimage, thunderbird, and vim), Gentoo (c-ares, dav1d, Heimdal, man-db, and Oracle VirtualBox), Oracle (bind, bind9.16, firefox, ghostscript, glibc, ImageMagick, and thunderbird), Slackware (netatalk), SUSE (ImageMagick, nghttp2, poppler, python, python-gevent, and yq), and Ubuntu (bind9 and vim). --------------------------------------------- https://lwn.net/Articles/947117/ ∗∗∗ Vulnerabilities in Music Station ∗∗∗ --------------------------------------------- Two path traversal vulnerabilities have been reported to affect Music Station. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-28 ∗∗∗ Vulnerabilities in ClamAV ∗∗∗ --------------------------------------------- Multiple vulnerabilities have been reported in ClamAV. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-26 ∗∗∗ Vulnerability in QTS, QuTS hero, and QuTScloud ∗∗∗ --------------------------------------------- A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating systems. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-37 ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- An insufficiently protected credentials vulnerability has been reported to affect QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-36 ∗∗∗ Vulnerability in QVPN Device Client for Windows ∗∗∗ --------------------------------------------- A cleartext transmission of sensitive information vulnerability has been reported to affect QVPN Device Client for Windows. --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-39 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.10.2023
by Daily end-of-shift report 06 Oct '23

06 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-10-2023 18:00 − Freitag 06-10-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Exploits released for Linux flaw giving root on major distros ∗∗∗ --------------------------------------------- Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Librarys dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploits-released-for-linux-… ∗∗∗ Jetzt patchen! Exploits für glibc-Lücke öffentlich verfügbar ∗∗∗ --------------------------------------------- Nachdem der Bug in der Linux-Bibliothek glibc am vergangenen Dienstag bekannt wurde, sind nun zuverlässig funktionierende Exploits aufgetaucht. --------------------------------------------- https://www.heise.de/-9326518 ∗∗∗ Finanzbetrug per Telefon: Ignorieren Sie Anrufer:innen, die Sie zu Investitionen überreden wollen ∗∗∗ --------------------------------------------- Finanzbetrug ist ein lukratives Geschäft. Der finanzielle Schaden für die Betroffenen ist oft enorm. Gleichzeitig ist der Finanzmarkt streng reguliert, um Betrug in diesem Bereich zu erschweren. Das ist mit ein Grund, wieso Betrüger:innen immer wieder neue Wege finden, um an ihre Opfer zu kommen. Aktuell berichten unsere Leser:innen vermehrt davon, dass sie von Kriminellen angerufen und direkt am Telefon zu Investments überredet werden. --------------------------------------------- https://www.watchlist-internet.at/news/finanzbetrug-per-telefon-ignorieren-… ∗∗∗ Leveraging a Hooking Framework to Expand Malware Detection Coverage on the Android Platform ∗∗∗ --------------------------------------------- In this article, we will discuss this issue of how malware authors use obfuscation to make analyzing their Android malware more challenging. We will review two such case studies to illustrate those obfuscation techniques in action. Finally, we’ll cover some overall techniques researchers can use to address these obstacles. --------------------------------------------- https://unit42.paloaltonetworks.com/hooking-framework-in-sandbox-to-analyze… ∗∗∗ Microsoft: Human-operated ransomware attacks tripled over past year ∗∗∗ --------------------------------------------- Human-operated ransomware attacks are up more than 200% since September 2022, according to researchers from Microsoft, who warned that it could represent a shift in the cybercrime underground. --------------------------------------------- https://therecord.media/human-operated-ransomware-attacks-report-microsoft ∗∗∗ New tool: le-hex-to-ip.py, (Thu, Oct 5th) ∗∗∗ --------------------------------------------- So, this week it is my privilege to be TA-ing for Taz Wake for the beta run of his new class FOR577: Linux Incident Response and Threat Hunting. We were looking in the linux /proc filesystem and were noticing in the /proc//net/{tcp/udp/icmp/...} that the IP addresses were listed in hex, but little-endian. I immediately remembered Didier's Handler's Diary from last week about the IPs in the event logs that were in decimal and little endian. --------------------------------------------- https://isc.sans.edu/diary/rss/30284 ∗∗∗ NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations ∗∗∗ --------------------------------------------- The National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint cybersecurity advisory (CSA) to highlight the most common cybersecurity misconfigurations in large organizations, and detail the tactics, techniques, and procedures (TTPs) actors use to exploit these misconfigurations. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-278a ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Root-Lücke bedroht Dell SmartFabric Storage Software ∗∗∗ --------------------------------------------- Dell hat mehrere gefährliche Sicherheitslücken in SmartFabric Storage Software geschlossen. --------------------------------------------- https://www.heise.de/-9326738 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (grub2, libvpx, libx11, libxpm, and qemu), Fedora (firefox, matrix-synapse, tacacs, thunderbird, and xrdp), Oracle (glibc), Red Hat (bind, bind9.16, firefox, frr, ghostscript, glibc, ImageMagick, libeconf, python3.11, python3.9, and thunderbird), Scientific Linux (ImageMagick), SUSE (kernel, libX11, and tomcat), and Ubuntu (linux-hwe-5.15, linux-oracle-5.15). --------------------------------------------- https://lwn.net/Articles/946848/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.10.2023
by Daily end-of-shift report 05 Oct '23

05 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-10-2023 18:00 − Donnerstag 05-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Curl 8.4.0 is to be released on October 11th ... ∗∗∗ --------------------------------------------- ... containing a fix for "the worst security problem found in curl in a long time". The associated CVE is expected to be published shortly after. Use the time to check where you have #curl & #libcurl in your environment. --------------------------------------------- https://twitter.com/pyotam2/status/1709305830573473987 ∗∗∗ Jetzt patchen! Confluence Data Center: Angreifer machen sich zu Admins ∗∗∗ --------------------------------------------- Atlassian hat eine kritische Sicherheitslücke in Confluence Data Center und Server geschlossen. --------------------------------------------- https://www.heise.de/-9325414 ∗∗∗ Lorenz ransomware crew bungles blackmail blueprint by leaking two years of contacts ∗∗∗ --------------------------------------------- A security researcher noticed Lorenz's dark web victim blog was leaking backend code, pulled the data from the site, and uploaded to it a public GitHub repository. The data includes names, email addresses, and the subject line entered into the ransomware group's limited online form to request information from Lorenz. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/05/lorenz_ranso… ∗∗∗ The discovery of Gatekeeper bypass CVE-2023-27943 ∗∗∗ --------------------------------------------- Looking for vulnerabilities is not my usual daily routine. I am a software developer for Endpoint Security software. I implement new features, improve existing functionality, fixing bugs. So, the discovery of this vulnerability was a surprise. And it made me scared that a macOS update broke our product. In the end, it turned out to be quite a severe vulnerability on macOS. --------------------------------------------- https://blog.f-secure.com/discovery-of-gatekeeper-bypass-cve-2023-27943/ ∗∗∗ H1 2023 – a brief overview of main incidents in industrial cybersecurity ∗∗∗ --------------------------------------------- In this overview, we discuss cybercriminal and hacktivist attacks on industrial organizations. --------------------------------------------- https://ics-cert.kaspersky.com/publications/h1-2023-a-brief-overview-of-mai… ∗∗∗ Looking at the Attack Surface of the Sony XAV-AX5500 Head Unit ∗∗∗ --------------------------------------------- In this post, we look at the attack surface of another target in a different category. The Sony XAV-AX5500 is a popular aftermarket head unit that interacts with different systems within a vehicle. It also offers attackers a potential foothold into an automobile. --------------------------------------------- https://www.thezdi.com/blog/2023/10/5/looking-at-the-attack-surface-of-the-… ∗∗∗ Exposing Infection Techniques Across Supply Chains and Codebases ∗∗∗ --------------------------------------------- This entry delves into threat actors intricate methods to implant malicious payloads within seemingly legitimate applications and codebases. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/j/infection-techniques-across-… ∗∗∗ Your printer is not your printer ! - Hacking Printers at Pwn2Own Part I ∗∗∗ --------------------------------------------- At 2021, we found Pre-auth RCE vulnerabilities(CVE-2022-24673 and CVE-2022-3942) in Canon and HP printers, and vulnerabilty(CVE-2021-44734) in Lexmark. We used these vulnerabilities to exploit Canon ImageCLASS MF644Cdw, HP Color LaserJet Pro MFP M283fdw and Lexmark MC3224i in Pwn2Own Austin 2021. Following we will describe the details of the Canon and HP vulnerabilities and exploitation. --------------------------------------------- https://devco.re/blog/2023/10/05/your-printer-is-not-your-printer-hacking-p… ∗∗∗ EvilProxy Phishing Kit Targets Microsoft Users via Indeed.com Vulnerability ∗∗∗ --------------------------------------------- Threat actors are exploiting the open redirection vulnerability on Indeed.com to launch EvilProxy phishing attacks against high-ranking executives. --------------------------------------------- https://www.hackread.com/evilproxy-phishing-kit-microsoft-indeed-vulnerabil… ∗∗∗ CISA and NSA Release New Guidance on Identity and Access Management ∗∗∗ --------------------------------------------- Today, CISA and the National Security Agency (NSA) published Identity and Access Management: Developer and Vendor Challenges, authored by the Enduring Security Framework (ESF), a CISA- and NSA-led working panel that includes a public-private cross-sector partnership. ESF aims to address risks that threaten critical infrastructure and national security systems. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/10/04/cisa-and-nsa-release-new… ∗∗∗ Notruf-Tool Cisco Emergency Responder mit statischen Zugangsdaten ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat für mehrere Produkte wichtige Sicherheitsupdates veröffentlicht. --------------------------------------------- https://www.heise.de/-9325669 ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2023-10-04 ∗∗∗ --------------------------------------------- Cisco has published 3 Security Advisories (1 Critical, 1 High, 1 Medium Severity) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ (0Day) D-Link ∗∗∗ --------------------------------------------- ZDI-23-1501 - ZDI-23-1525: Multiple Routers, DIR-X3260, DAP-2622, DAP-1325 and D-View --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Wieder Exploit-Update für iOS und iPadOS – das wohl auch Hitzeproblem fixt ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Donnerstag erneut wichtige Fixes für sein iPhone- und iPad-Betriebssystem vorgelegt. Es geht um Sicherheit und Überhitzung. --------------------------------------------- https://www.heise.de/-9325367 ∗∗∗ Malware-Schutz: Schwachstellen in Watchguard EPDR und AD360 geschlossen ∗∗∗ --------------------------------------------- In den Malware-Schutzlösungen Watchguard EPDR und AD360 klaffen teils Sicherheitslücken mit hohem Risiko. Aktualisierungen stehen bereit. --------------------------------------------- https://www.heise.de/-9326078 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 25, 2023 to October 1, 2023) ∗∗∗ --------------------------------------------- Last week, there were 90 vulnerabilities disclosed in 68 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 31 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/10/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libx11, and libxpm), Fedora (ckeditor, drupal7, glibc, golang-github-cncf-xds, golang-github-envoyproxy-control-plane, golang-github-hashicorp-msgpack, golang-github-minio-highwayhash, golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, golang-github-protobuf, golang-google-protobuf, nats-server, and pgadmin4), Red Hat (firefox and thunderbird), SUSE (chromium, exim, ghostscript, kernel, poppler, python-gevent, and python-reportlab), and Ubuntu (binutils, exim4, jqueryui, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-oracle, linux-raspi, linux-starfive, linux-kvm, linux-oem-6.1, nodejs, and python-django). --------------------------------------------- https://lwn.net/Articles/946698/ ∗∗∗ ZDI-23-1498: Ansys SpaceClaim X_B File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1498/ ∗∗∗ Open Redirect in SAP® BSP Test Application it00 (Bypass for CVE-2020-6215 Patch) ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/open-redirect-in-bsp-tes… ∗∗∗ Qognify NiceVision ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-02 ∗∗∗ Mitsubishi Electric CC-Link IE TSN Industrial Managed Switch ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-03 ∗∗∗ Hitachi Energy AFS65x, AFF66x, AFS67x, and AFR67x Series Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-278-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.10.2023
by Daily end-of-shift report 04 Oct '23

04 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 03-10-2023 18:00 − Mittwoch 04-10-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitswarnung: Schwachstellen in Qualcomm-Treibern werden aktiv ausgenutzt ∗∗∗ --------------------------------------------- Mehrere Schwachstellen in Qualcomm-Treibern gefährden Smartphones und Tablets weltweit. Patches sind vorhanden - zumindest bei den Herstellern. --------------------------------------------- https://www.golem.de/news/sicherheitswarnung-schwachstellen-in-qualcomm-tre… ∗∗∗ Looney Tunables: Schwachstelle in C-Bibliothek gefährdet Linux-Systeme ∗∗∗ --------------------------------------------- Eine Pufferüberlauf-Schwachstelle im dynamischen Lader von glibc ermöglicht es Angreifern, auf Linux-Systemen Root-Rechte zu erlangen. --------------------------------------------- https://www.golem.de/news/looney-tunables-schwachstelle-in-c-bibliothek-gef… ∗∗∗ Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement ∗∗∗ --------------------------------------------- Microsoft security researchers recently identified an attack where attackers attempted to move laterally to a cloud environment through a SQL Server instance. The attackers initially exploited a SQL injection vulnerability in an application within the target’s environment to gain access and elevated permissions to a Microsoft SQL Server instance deployed in an Azure Virtual Machine (VM). --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/10/03/defending-new-vect… ∗∗∗ Optimizing WordPress: Security Beyond Default Configurations ∗∗∗ --------------------------------------------- Default configurations in software are not always the most secure. For example, you might buy a network-attached home security camera from your friendly neighborhood electronics store. While these are handy to keep an eye on your property from the comfort of your phone, they also typically come shipped with a default username and password. And since they are connected to the web, they can be accessed from anywhere. Attackers know this, [...] --------------------------------------------- https://blog.sucuri.net/2023/10/optimizing-wordpress-security-beyond-defaul… ∗∗∗ Warning: PyTorch Models Vulnerable to Remote Code Execution via ShellTorch ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple critical security flaws in the TorchServe tool for serving and scaling PyTorch models that could be chained to achieve remote code execution on affected systems. Israel-based runtime application security company Oligo, which made the discovery, has coined the vulnerabilities ShellTorch. "These vulnerabilities [...] can lead to a full chain Remote Code Execution (RCE), leaving countless thousands of services and end-users — including some of the world's largest companies — open to unauthorized access and insertion of malicious AI models, and potentially a full server takeover," [...] --------------------------------------------- https://thehackernews.com/2023/10/warning-pytorch-models-vulnerable-to.html ∗∗∗ Patchday: Attacken auf Android 11, 12 und 13 beobachtet ∗∗∗ --------------------------------------------- Unter anderem Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Zwei Lücken haben Angreifer bereits im Visier. --------------------------------------------- https://www.heise.de/-9324125.html ∗∗∗ Linux tries to dump Windows notoriously insecure RNDIS protocol ∗∗∗ --------------------------------------------- Here we go again. Linux developers are trying, once more, to rid Linux of Microsofts Remote Network Driver Interface Specification. Heres why its complicated. --------------------------------------------- https://www.zdnet.com/home-and-office/networking/linux-tries-to-dump-window… ∗∗∗ Five Misconfigurations Threatening Your AWS Environment Today ∗∗∗ --------------------------------------------- In the ever-expanding realm of AWS, with over 200 services at your disposal, securing your cloud account configurations and mastering complex environments can feel like an overwhelming challenge. To help you prioritize and root them out, we’ve put together a guide for AWS configurations that are most commonly overlooked. Here are five of the top misconfigurations that could be lurking in your AWS environment right now. --------------------------------------------- https://blog.aquasec.com/five-misconfigurations-threatening-your-aws-enviro… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-22515 - Privilege Escalation Vulnerability in Confluence Data Center and Server ∗∗∗ --------------------------------------------- Atlassian has been made aware of an issue reported by a handful of customers where external attackers may have exploited a previously unknown vulnerability in publicly accessible Confluence Data Center and Server instances to create unauthorized Confluence administrator accounts and access Confluence instances. --------------------------------------------- https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalati… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glibc, postgresql-11, and thunderbird), Fedora (openmpi, pmix, prrte, and slurm), Gentoo (glibc and libvpx), Oracle (kernel), Red Hat (kernel), Slackware (libX11 and libXpm), SUSE (firefox, kernel, libeconf, libqb, libraw, libvpx, libX11, libXpm, mdadm, openssl-1_1, poppler, postfix, python311, rubygem-puma, runc, and vim), and Ubuntu (freerdp2, glibc, grub2-signed, grub2-unsigned, libx11, libxpm, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, linux-oracle-5.15, and mozjs102). --------------------------------------------- https://lwn.net/Articles/946496/ ∗∗∗ New Supermicro BMC Vulnerabilities Could Expose Many Servers to Remote Attacks ∗∗∗ --------------------------------------------- Supermicro has released BMC IPMI firmware updates to address multiple vulnerabilities impacting select motherboard models. --------------------------------------------- https://www.securityweek.com/new-supermicro-bmc-vulnerabilities-could-expos… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.10.2023
by Daily end-of-shift report 03 Oct '23

03 Oct '23

===================== = End-of-Day report = ===================== Timeframe: Montag 02-10-2023 18:00 − Dienstag 03-10-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ AVM: Fritzbox-Schwachstelle wohl ohne Fernzugriff ausnutzbar ∗∗∗ --------------------------------------------- Seit Anfang September verteilt AVM Sicherheitsupdates für die Fritzbox. Inzwischen gibt es weitere Informationen zur gepatchten Schwachstelle. --------------------------------------------- https://www.golem.de/news/avm-fritzbox-schwachstelle-wohl-ohne-fernzugriff-… ∗∗∗ Exclusive: Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more) ∗∗∗ --------------------------------------------- Researchers have identified the exfiltration infrastructure of a LockBit affiliate while investigating a LockBit extortion incident that occurred in Q3 2023. --------------------------------------------- https://securityaffairs.com/151862/breaking-news/exfiltration-infrastructur… ∗∗∗ BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums ∗∗∗ --------------------------------------------- Zscaler ThreatLabz researchers discovered a new malware-as-a-service (MaaS) that is called BunnyLoader, which has been advertised for sale in multiple cybercrime forums since September 4, 2023. --------------------------------------------- https://securityaffairs.com/151869/malware/bunnyloader-maas.html ∗∗∗ Security researchers believe mass exploitation attempts against WS_FTP have begun ∗∗∗ --------------------------------------------- Security researchers have spotted what they believe to be a "possible mass exploitation" of vulnerabilities in Progress Softwares WS_FTP Server. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/10/02/ws_ftp_updat… ∗∗∗ Cloudflare Protection Bypass Vulnerability on Threat Actors’ Radar ∗∗∗ --------------------------------------------- Researchers have identified two mechanisms that hinge on the assumption that traffic originating from Cloudflare towards the origin server is inherently trustworthy, while traffic from other origins should be blocked. --------------------------------------------- https://socradar.io/cloudflare-protection-bypass-vulnerability-on-threat-ac… ∗∗∗ Drei Fragen und Antworten: Der beste Schutz für das Active Directory ∗∗∗ --------------------------------------------- Bis zu 90 Prozent aller Angriffe bedienen sich Microsofts Active Directory – es ist der Hebel, um die eigene Sicherheit zu verbessern. Wir zeigen, wie das geht. --------------------------------------------- https://www.heise.de/news/Drei-Fragen-und-Antworten-Der-beste-Schutz-fuer-d… ∗∗∗ Exim-Lücke: Erste Patches laufen ein ∗∗∗ --------------------------------------------- Nach verschiedenen Kommunikationspannen hat das Exim-Team kritische Sicherheitslücken im beliebten Mailserver behoben. Debian verteilt bereits Updates. --------------------------------------------- https://www.heise.de/news/Exim-Luecke-Erste-Patches-laufen-ein-9323709.html… ∗∗∗ Angriffe auf ältere Android-Geräte: Lücke in Mali-GPU nur teilweise geschlossen ∗∗∗ --------------------------------------------- Aufgrund mehrerer Schwachstellen im Treiber der Grafikeinheit Mali sind unter anderem Smartphone-Modelle von Samsung und Xiaomi verwundbar. --------------------------------------------- https://www.heise.de/news/Angriffe-auf-aeltere-Android-Geraete-Luecke-in-Ma… ∗∗∗ Booking.com: Achtung bei „fehlgeschlagener Zahlung“ oder „Verifikation Ihrer Zahlungsinfos“ ∗∗∗ --------------------------------------------- Fälle, in denen Unterkünfte über booking.com gebucht wurden und Buchende anschließend zur Verifikation ihrer Zahlungen oder zu einer neuerlichen Zahlung aufgefordert werden, häufen sich aktuell. Vorsicht ist geboten, denn die Aufforderungen stammen von Kriminellen, die sich Zugang zu den Buchungsdaten verschaffen konnten und es nun auf das Geld der Hotelgäste abgesehen haben! --------------------------------------------- https://www.watchlist-internet.at/news/bookingcom-achtung-bei-fehlgeschlage… ∗∗∗ Fortinet Labs Uncovers Series of Malicious NPM Packages Stealing Data ∗∗∗ --------------------------------------------- FortiGuard Labs has uncovered a series of malicious packages concealed within NPM (Node Package Manager), the primary software repository for JavaScript developers. The researchers utilized a dedicated system designed to detect nefarious open-source packages across multiple ecosystems, including PyPI and NPM. --------------------------------------------- https://www.hackread.com/fortinet-labs-malicious-npm-packages-steal-data/ ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft Edge, Teams get fixes for zero-days in open-source libraries ∗∗∗ --------------------------------------------- Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-edge-teams-get-fi… ∗∗∗ Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers ∗∗∗ --------------------------------------------- Qualcomm is warning of three zero-day vulnerabilities in its GPU and Compute DSP drivers that hackers are actively exploiting in attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qualcomm-says-hackers-exploi… ∗∗∗ Jetzt patchen! Ransomware schlüpft durch kritische TeamCity-Lücke ∗∗∗ --------------------------------------------- Angreifer nutzen eine Sicherheitslücke des Software-Distributionssystems TeamCity aus, das weltweit über 30.000 Firmen wie Citibank, HP und Nike einsetzen. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Ransomware-schluepft-durch-kritisch… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exim4), Fedora (firecracker, rust-aes-gcm, rust-axum, rust-tokio-tungstenite, rust-tungstenite, and rust-warp), Gentoo (nvidia-drivers), Mageia (chromium-browser-stable, glibc, and libwebp), Red Hat (kernel), SUSE (ghostscript and python3), and Ubuntu (firefox, libtommath, libvpx, and thunderbird). --------------------------------------------- https://lwn.net/Articles/946313/ ∗∗∗ Mattermost security updates Desktop app v5.5.1 and Mobile app v2.8.1 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses the vulnerability CVE-2023-4863 of the third-party library libwebp which was affecting the Desktop app and the Mobile iOS app. We highly recommend that you apply the update. The security update is available for Mattermost dot releases Desktop app v5.5.1 and Mobile app v2.8.1. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-desktop-app-v5-5-1-… ∗∗∗ K000137090 : Node.js vulnerabilities CVE-2018-12121, CVE-2018-12122, and CVE-2018-12123 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137090?utm_source=f5support&utm_medi… ∗∗∗ K000137093 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000137093?utm_source=f5support&utm_medi… ∗∗∗ The IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit are vulnerable to a server-side request forgery due to Apache Batik (CVE-2022-44730, CVE-2022-44729) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7043490 ∗∗∗ Vulnerabilities in Node.js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7043727 ∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to Google Protocol Buffer protobuf-cpp (CVE-2022-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7045071 ∗∗∗ Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035373 ∗∗∗ Multiple vulnerabilities in OpenSSL affects IBM Rational ClearCase ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035370 ∗∗∗ Multiple vulnerabilities in the IBM Java Runtime affects IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035371 ∗∗∗ A vulnerability in libcURL affect IBM Rational ClearCase. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7035382 ∗∗∗ IBM Spectrum Symphony openssl 1.1.1 End of Life ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7045753 ∗∗∗ IBM\u00ae Db2\u00ae is vulnerable to information disclosure due to improper privilege management when certain federation features are used. (CVE-2023-29256) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010573 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily October 2023