Daily November 2023

daily@lists.cert.at

1 participants
21 discussions

Tageszusammenfassung - 30.11.2023
by Daily end-of-shift report 30 Nov '23

30 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-11-2023 18:00 − Donnerstag 30-11-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FjordPhantom Android malware uses virtualization to evade detection ∗∗∗ --------------------------------------------- A new Android malware named FjordPhantom has been discovered using virtualization to run malicious code in a container and evade detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fjordphantom-android-malware… ∗∗∗ TRAP; RESET; POISON; - Übernahme eines Landes nach Kaminsky Art ∗∗∗ --------------------------------------------- Ein technischer Einblick in die Manipulation der DNS-Namensauflösung eines ganzen Landes. --------------------------------------------- https://sec-consult.com/de/blog/detail/uebernahme-eines-landes-nach-kaminsk… ∗∗∗ CACTUS Ransomware Exploits Qlik Sense Vulnerabilities in Targeted Attacks ∗∗∗ --------------------------------------------- A CACTUS ransomware campaign has been observed exploiting recently disclosed security flaws in a cloud analytics and business intelligence platform called Qlik Sense to obtain a foothold into targeted environments. --------------------------------------------- https://thehackernews.com/2023/11/cactus-ransomware-exploits-qlik-sense.html ∗∗∗ Zoom Vulnerability Allowed Hackers to Take Over Meetings, Steal Data ∗∗∗ --------------------------------------------- Zoom Rooms, the cloud-based video conferencing platform by Zoom, is making headlines due to a recently discovered vulnerability. This flaw poses a significant security risk as it enables attackers to seize control of a Zoom Room’s service account, gaining unauthorized access to the victim organization’s tenant. --------------------------------------------- https://www.hackread.com/zoom-vulnerability-hackers-hijack-meetings-data/ ∗∗∗ BLUFFS: Neue Angriffe gefährden Bluetooth-Datensicherheit auf Milliarden Geräten ∗∗∗ --------------------------------------------- Durch eine Lücke im Bluetooth-Protokoll können Angreifer einfach zu knackende Schlüssel erzwingen und so vergangene wie zukünftige Datenübertragung knacken. --------------------------------------------- https://www.heise.de/-9544862 ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Xsendfile - Moderately critical - Access bypass - SA-CONTRIB-2023-053 ∗∗∗ --------------------------------------------- The Xsendfile module enables fast transfer for private files in Drupal. In order to control private file downloads, the module overrides ImageStyleDownloadController, for which a vulnerability was disclosed in SA-CORE-2023-005. The Xsendfile module was still based on an insecure version of ImageStyleDownloadController. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-053 ∗∗∗ Apache ActiveMQ: Mehrere Codeschmuggel-Lücken von Botnetbetreibern ausgenutzt ∗∗∗ --------------------------------------------- Derweil meldet das ActiveMQ-Projekt eine neue Sicherheitslücke, die ebenfalls zur Ausführung von Schadcode genutzt werden kann. Der Fehler verbirgt sich in der Deserialisierungsroutine der Jolokia-Komponente, setzt aber eine Authentisierung voraus. Während die ActiveMQ-Entwickler von einem mittleren Schweregrad ausgehen, vergeben der Warn- und Informationsdienst des BSI einen CVSS-Wert von 8.8 und stuft den Schweregrad somit als "hoch" ein. CVE ID: CVE-2022-41678 --------------------------------------------- https://www.heise.de/-9544281 ∗∗∗ MOVEit Transfer Service Pack (November 2023) ∗∗∗ --------------------------------------------- This article contains the details of the specific updates within the MOVEit Transfer November 2023 Service Pack. The Service Pack contains fixes for (2) newly disclosed CVEs described below. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. CVE IDs: CVE-2023-6217, CVE-2023-6218 --------------------------------------------- https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-Novem… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 20, 2023 to November 26, 2023) ∗∗∗ --------------------------------------------- Last week, there were 115 vulnerabilities disclosed in 87 WordPress Plugins and 1 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 39 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. --------------------------------------------- https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, gnutls, gst-devtools, gstreamer1, gstreamer1-doc, libcap, mingw-poppler, python-gstreamer1, qbittorrent, webkitgtk, and xen), Mageia (docker, kernel-linus, and python-django), Oracle (dotnet6.0, dotnet7.0, dotnet8.0, firefox, samba, squid, and thunderbird), Red Hat (firefox, postgresql:13, squid, and thunderbird), SUSE (cilium, freerdp, java-1_8_0-ibm, and java-1_8_0-openj9), and Ubuntu (ec2-hibinit-agent, freerdp2, gimp, gst-plugins-bad1.0, openjdk-17, openjdk-21, openjdk-lts, openjdk-8, pypy3, pysha3, and u-boot-nezha). --------------------------------------------- https://lwn.net/Articles/953379/ ∗∗∗ [R1] Nessus Network Monitor 6.3.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Risk Factor: Critical, CVE ID: CVE-2023-5363, CVE-2021-23369, CVE-2021-23383, CVE-2018-9206 --------------------------------------------- https://www.tenable.com/security/tns-2023-43 ∗∗∗ Zyxel security advisory for authentication bypass and command injection vulnerabilities in NAS products ∗∗∗ --------------------------------------------- Zyxel has released patches addressing an authentication bypass vulnerability and command injection vulnerabilities in NAS products. Users are advised to install them for optimal protection. CVEs: CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-37928, CVE-2023-4473, CVE-2023-4474 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/30/cisa-adds-two-known-expl… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ PTC KEPServerEx ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-03 ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-01 ∗∗∗ Mitsubishi Electric FA Engineering Software Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-04 ∗∗∗ Yokogawa STARDOM ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.11.2023
by Daily end-of-shift report 29 Nov '23

29 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-11-2023 18:00 − Mittwoch 29-11-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ GoTitan Botnet Spotted Exploiting Recent Apache ActiveMQ Vulnerability ∗∗∗ --------------------------------------------- The recently disclosed critical security flaw impacting Apache ActiveMQ is being actively exploited by threat actors to distribute a new Go-based botnet called GoTitan as well as a .NET program known as PrCtrl Rat thats capable of remotely commandeering the infected hosts. The attacks involve the exploitation of a remote code execution bug (CVE-2023-46604, CVSS score: 10.0) [...] --------------------------------------------- https://thehackernews.com/2023/11/gotitan-botnet-spotted-exploiting.html ∗∗∗ DJVU Ransomwares Latest Variant Xaro Disguised as Cracked Software ∗∗∗ --------------------------------------------- A variant of a ransomware strain known as DJVU has been observed to be distributed in the form of cracked software. "While this attack pattern is not new, incidents involving a DJVU variant that appends the .xaro extension to affected files and demanding ransom for a decryptor have been observed infecting systems alongside a host of various commodity loaders and infostealers," [...] --------------------------------------------- https://thehackernews.com/2023/11/djvu-ransomwares-latest-variant-xaro.html ∗∗∗ Okta Breach Impacted All Customer Support Users—Not 1 Percent ∗∗∗ --------------------------------------------- Okta upped its original estimate of customer support users affected by a recent breach from 1 percent to 100 percent, citing a “discrepancy.” --------------------------------------------- https://www.wired.com/story/okta-breach-disclosure-all-customer-support-use… ∗∗∗ Scans zu kritischer Sicherheitslücke in ownCloud-Plugin ∗∗∗ --------------------------------------------- Die Schwachstelle im GraphAPI-Plugin kann zur unfreiwilligen Preisgabe der Admin-Zugangsdaten führen. ownCloud-Admins sollten schnell reagieren. --------------------------------------------- https://www.heise.de/-9542895.html ∗∗∗ Sicherheitslücke: Schadcode-Attacken auf Solarwinds Platform möglich ∗∗∗ --------------------------------------------- Die Solarwinds-Entwickler haben zwei Schwachstellen in ihrer Monitoringsoftware geschlossen. --------------------------------------------- https://www.heise.de/-9543391.html ∗∗∗ New BLUFFS Bluetooth Attack Methods Can Have Large-Scale Impact: Researcher ∗∗∗ --------------------------------------------- An academic researcher demonstrates BLUFFS, six novel attacks targeting Bluetooth sessions’ forward and future secrecy. --------------------------------------------- https://www.securityweek.com/new-bluffs-bluetooth-attacks-have-large-scale-… ∗∗∗ Deepfake-Videos mit Armin Assinger führen zu Investitionsbetrug! ∗∗∗ --------------------------------------------- Aktuell kursieren auf Facebook, Instagram, TikTok und YouTube Werbevideos mit betrügerischen Inhalten. Dabei wird insbesondere das Gesicht Armin Assingers für Deepfakes eingesetzt. Armin Assinger werden mithilfe von Künstlicher Intelligenz (KI) Worte in den Mund gelegt, sodass dadurch betrügerische Investitionsplattformen beworben werden. Vorsicht: Folgen Sie diesen Links nicht, denn hier sind sämtliche Investments verloren! --------------------------------------------- https://www.watchlist-internet.at/news/deepfake-videos-mit-armin-assinger-f… ∗∗∗ Spyware Employs Various Obfuscation Techniques to Bypass Static Analysis ∗∗∗ --------------------------------------------- A look at some deceptive tactics used by malware authors in an effort to evade analysis. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/spyware-… ∗∗∗ Exploitation of Unitronics PLCs used in Water and Wastewater Systems ∗∗∗ --------------------------------------------- CISA is responding to active exploitation of Unitronics programmable logic controllers (PLCs) used in the Water and Wastewater Systems (WWS) Sector. Cyber threat actors are targeting PLCs associated with WWS facilities, including an identified Unitronics PLC, at a U.S. water facility. In response, the affected municipality’s water authority immediately took the system offline and switched to manual operations [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-… ∗∗∗ CISA Releases First Secure by Design Alert ∗∗∗ --------------------------------------------- Today, CISA published guidance on How Software Manufacturers Can Shield Web Management Interfaces From Malicious Cyber Activity as a part of a new Secure by Design (SbD) Alert series. This SbD Alert urges software manufacturers to proactively prevent the exploitation of vulnerabilities in web management interfaces by designing and developing their products using SbD principles: [...] --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/29/cisa-releases-first-secu… ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day Alert: Google Chrome Under Active Attack, Exploiting New Vulnerability ∗∗∗ --------------------------------------------- Google has rolled out security updates to fix seven security issues in its Chrome browser, including a zero-day that has come under active exploitation in the wild. Tracked as CVE-2023-6345, the high-severity vulnerability has been described as an integer overflow bug in Skia, an open source 2D graphics library. --------------------------------------------- https://thehackernews.com/2023/11/zero-day-alert-google-chrome-under.html ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-23-331-01 Delta Electronics InfraSuite Device Master * ICSA-23-331-02 Franklin Electric Fueling Systems Colibri * ICSA-23-331-03 Mitsubishi Electric GX Works2 * ICSMA-23-331-01 BD FACSChorus --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/28/cisa-releases-four-indus… ∗∗∗ SolarWinds Platform 2023.4.2 Release Notes ∗∗∗ --------------------------------------------- SolarWinds Platform 2023.4.2 is a service release providing bug and security fixes for release 2023.4. CVE-2023-40056: SQL Injection Remote Code Execution Vulnerability Severity: 8.0 (high) --------------------------------------------- https://documentation.solarwinds.com/en/success_center/orionplatform/conten… ∗∗∗ Arcserve Unified Data Protection Multiple Vulnerabilities ∗∗∗ --------------------------------------------- * CVE-2023-41998 - UDP Unauthenticated RCE * CVE-2023-41999 - UDP Management Authentication Bypass * CVE-2023-42000 - UDP Agent Unauthenticated Path Traversal File Upload Solution: Upgrade to Arcserve UDP version 9.2 or later. --------------------------------------------- https://www.tenable.com/security/research/tra-2023-37 ∗∗∗ Sicherheitslücke in Hikvision-Kameras und NVR ermöglicht unbefugten Zugriff ∗∗∗ --------------------------------------------- Verschiedene Modelle des chinesischen Herstellers gestatteten Angreifern den unbefugten Zugriff. Auch andere Marken sind betroffen, Patches stehen bereit. --------------------------------------------- https://www.heise.de/-9543336.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-bad1.0 and postgresql-multicorn), Fedora (golang-github-nats-io, golang-github-nats-io-jwt-2, golang-github-nats-io-nkeys, golang-github-nats-io-streaming-server, libcap, nats-server, openvpn, and python-geopandas), Mageia (kernel), Red Hat (c-ares, curl, fence-agents, firefox, kernel, kernel-rt, kpatch-patch, libxml2, pixman, postgresql, and tigervnc), SUSE (python-azure-storage-queue, python-Twisted, and python3-Twisted), and Ubuntu (afflib, ec2-hibinit-agent, linux-nvidia-6.2, linux-starfive-6.2, and poppler). --------------------------------------------- https://lwn.net/Articles/953226/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.11.2023
by Daily end-of-shift report 28 Nov '23

28 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-11-2023 18:00 − Dienstag 28-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Design Flaw in Google Workspace Could Let Attackers Gain Unauthorized Access ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed a "severe design flaw" in Google Workspaces domain-wide delegation (DWD) feature that could be exploited by threat actors to facilitate privilege escalation and obtain unauthorized access to Workspace APIs without super admin privileges. --------------------------------------------- https://thehackernews.com/2023/11/design-flaw-in-google-workspace-could.html ∗∗∗ LostTrust Ransomware ∗∗∗ --------------------------------------------- The LostTrust ransomware family has a fairly small victim pool and has compromised victims earlier this year. The encryptor has similar characteristcs to the MetaEncryptor ransomware family including code flow and strings which indicates that the encryptor is a variant from the original MetaEncryptor source. --------------------------------------------- https://www.shadowstackre.com/analysis/losttrust ∗∗∗ Slovenian power company hit by ransomware ∗∗∗ --------------------------------------------- Slovenian power generation company Holding Slovenske Elektrarne (HSE) has been hit by ransomware and has had some of its data encrypted. The attack HSE is a state-owned company that controls numerous hydroelectric, thermal and coal-fired power plants. The company has declined to share any details about the cyber intrusion, but has confirmed that operation of its power plants has not been affected. --------------------------------------------- https://www.helpnetsecurity.com/2023/11/28/slovenian-power-company-ransomwa… ∗∗∗ Exploitation of Critical ownCloud Vulnerability Begins ∗∗∗ --------------------------------------------- Threat actors have started exploiting a critical ownCloud vulnerability leading to sensitive information disclosure. --------------------------------------------- https://www.securityweek.com/exploitation-of-critical-owncloud-vulnerabilit… ∗∗∗ Webinar: Sicheres Online-Shopping ∗∗∗ --------------------------------------------- Darf ich Artikel immer zurücksenden und wie lange habe ich dafür Zeit? Was ist das Rücktrittsrecht und welche Zahlungsmethoden gelten als sicher? Dieses Webinar gibt rechtliche Tipps und Infos zum sicheren Online-Einkauf. Nehmen Sie kostenlos teil: Montag, 11. Dezember 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicheres-online-shopping-2/ ∗∗∗ Betrügerische Plattform für Sportwetten: xxwin.bet ∗∗∗ --------------------------------------------- xxwin.bet ist eine betrügerische Online-Plattform für Sportwetten. Die Plattform wird meist in fragwürdigen Telegram-Kanälen empfohlen. Wenn Sie dort einzahlen, verlieren Sie Ihr Geld, denn die Plattform zahlt keine Gewinne aus. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-plattform-fuer-sportw… ===================== = Vulnerabilities = ===================== ∗∗∗ Missing Certificate Validation & User Enumeration in Anveo Mobile App and Server ∗∗∗ --------------------------------------------- The Anveo Mobile App (Windows version) does not validate server certificates and therefore enables man-in-the-middle attacks. The Anveo Server is also vulnerable against user enumeration because of different error messages for existing vs. non-existing users. The vendor was unresponsive and did not reply to our communication attempts and even deleted our comment to request a contact on LinkedIn, see the timeline section further below. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/missing-certificate-vali… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cryptojs, fastdds, mediawiki, and minizip), Fedora (chromium, kubernetes, and thunderbird), Mageia (lilypond, mariadb, and packages), Red Hat (firefox, linux-firmware, and thunderbird), SUSE (compat-openssl098, gstreamer-plugins-bad, squashfs, squid, thunderbird, vim, and xerces-c), and Ubuntu (libtommath, linux-intel-iotg, linux-intel-iotg-5.15, linux-oracle, perl, and python3.8, python3.10, python3.11). --------------------------------------------- https://lwn.net/Articles/953099/ ∗∗∗ Critical Vulnerability Found in Ray AI Framework ∗∗∗ --------------------------------------------- Tracked as CVE-2023-48023, the bug exists because Ray does not properly enforce authentication on at least two of its components, namely the dashboard and client. A remote attacker can abuse this issue to submit or delete jobs without authentication. Furthermore, the attacker could retrieve sensitive information and execute arbitrary code, Bishop Fox says. --------------------------------------------- https://www.securityweek.com/critical-vulnerability-found-in-ray-ai-framewo… ∗∗∗ Zyxel security advisory for multiple vulnerabilities in firewalls and APs ∗∗∗ --------------------------------------------- CVEs: CVE-2023-35136, CVE-2023-35139, CVE-2023-37925, CVE-2023-37926, CVE-2023-4397, CVE-2023-4398, CVE-2023-5650, CVE-2023-5797, CVE-2023-5960 --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Joomla: [20231101] - Core - Exposure of environment variables ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/919-20231101-core-exposure… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ FESTO: Multiple products affected by WIBU Codemeter vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-036/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.11.2023
by Daily end-of-shift report 27 Nov '23

27 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-11-2023 18:00 − Montag 27-11-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Atomic Stealer malware strikes macOS via fake browser updates ∗∗∗ --------------------------------------------- The ClearFake fake browser update campaign has expanded to macOS, targeting Apple computers with Atomic Stealer (AMOS) malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atomic-stealer-malware-strik… ∗∗∗ EvilSlackbot: A Slack Attack Framework ∗∗∗ --------------------------------------------- To authenticate to the Slack API, each bot is assigned an api token that begins with xoxb or xoxp. More often than not, these tokens are leaked somewhere. When these tokens are exfiltrated during a Red Team exercise, it can be a pain to properly utilize them. Now EvilSlackbot is here to automate and streamline that process. You can use EvilSlackbot to send spoofed Slack messages, phishing links, files, and search for secrets leaked in slack. [..] In addition to red teaming, EvilSlackbot has also been developed with Slack phishing simulations in mind. --------------------------------------------- https://github.com/Drew-Sec/EvilSlackbot ∗∗∗ Scans for ownCloud Vulnerability (CVE-2023-49103), (Mon, Nov 27th) ∗∗∗ --------------------------------------------- Last week, ownCloud released an advisory disclosing a new vulnerability, CVE-2023-49103 [1]. The vulnerability will allow attackers to gain access to admin passwords. To exploit the vulnerability, the attacker will use the "graphapi" app to access the output of "phpinfo". If the ownCloud install runs in a container, it will allow access to admin passwords, mail server credentials, and license keys. --------------------------------------------- https://isc.sans.edu/diary/rss/30432 ∗∗∗ WordPress Vulnerability & Patch Roundup November 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/11/wordpress-vulnerability-patch-roundup-novem… ∗∗∗ Experts Uncover Passive Method to Extract Private RSA Keys from SSH Connections ∗∗∗ --------------------------------------------- A new study has demonstrated that its possible for passive network attackers to obtain private RSA host keys from a vulnerable SSH server by observing when naturally occurring computational faults that occur while the connection is being established. [..] The researchers described the method as a lattice-based key recovery fault attack, which allowed them to retrieve the private keys corresponding to 189 unique RSA public keys that were subsequently traced to devices from four manufacturers: Cisco, Hillstone Networks, Mocana, and Zyxel. --------------------------------------------- https://thehackernews.com/2023/11/experts-uncover-passive-method-to.html ∗∗∗ Eine Milliarde unsichere Webseiten … Vergessen Sie die Duschmatte nicht! ∗∗∗ --------------------------------------------- In der Werbung aufgebauschte Risiken dienen eher dem Verkauf von Sicherheitsprodukten als der Sicherheit selbst. Im Gegenteil, für diese sind sie oft schädlich. --------------------------------------------- https://www.heise.de/meinung/Eine-Milliarde-unsichere-Webseiten-Vergessen-S… ∗∗∗ BSI und weitere Cybersicherheitsbehörden veröffentlichen KI-Richtlinien ∗∗∗ --------------------------------------------- Das BSI veröffentlicht Richtlinien für sichere KI-Systeme in Zusammenarbeit mit Partnerbehörden aus Großbritannien und den USA. --------------------------------------------- https://www.heise.de/news/BSI-und-weitere-Cybersicherheitsbehoerden-veroeff… ∗∗∗ Free Micropatches For Microsoft Access Forced Authentication Through Firewall (0day) ∗∗∗ --------------------------------------------- On November 9, 2023, Check Point Research published an article about an "information disclosure" / "forced authentication" vulnerability in Microsoft Access that allows an attacker to obtain the victim's NTLM hash by having them open a Microsoft Office document (docx, rtf, accdb, etc.) with an embedded Access database. --------------------------------------------- https://blog.0patch.com/2023/11/free-micropatches-for-microsoft-access.html ∗∗∗ Vorsicht vor Fake-Shops für Skins ∗∗∗ --------------------------------------------- Beim Online-Shop fngalaxy.de finden Sie Skins und Accounts für Fortnite. „Renegade Raider“, „OG Ghoul Trooper“ oder „Black Knight“ werden dort vergünstigt angeboten. Wir raten aber von einer Bestellung ab, da Sie nur mit einem Paysafecard- oder Amazon-Code bezahlen können und Ihre Bestellung nicht erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-fuer-skins/ ∗∗∗ Warnung vor betrügerischen Mails im Namen von Finanz Online ∗∗∗ --------------------------------------------- Die täuschend echt wirkenden E-Mails verlinken auf eine gefälschte Website, auf der die Opfer wiederum ihre Bankdaten eingeben sollen --------------------------------------------- https://www.derstandard.at/story/3000000197015/warnung-betrugs-mails-finanz… ∗∗∗ LKA-Warnung vor gefälschten Temu-Benachrichtigungen ∗∗∗ --------------------------------------------- Das Landeskriminalamt Niedersachsen hat die Tage eine Warnung herausgegeben, die Kunden des chinesischen Billig-Versandhändlers Temu betrifft. Betrüger versuchen Empfänger mit der Vorspiegelung falscher Tatsachen in Form einer vorgeblichen Temu-Benachrichtigung zur Preisgabe persönlicher Informationen zu bringen. Hier ein kurzer Überblick [..] --------------------------------------------- https://www.borncity.com/blog/2023/11/26/lka-warnung-vor-geflschten-temu-be… ∗∗∗ Circumstances of the Andariel Group Exploiting an Apache ActiveMQ Vulnerability (CVE-2023-46604) ∗∗∗ --------------------------------------------- While monitoring recent attacks by the Andariel threat group, AhnLab Security Emergency response Center (ASEC) has discovered the attack case in which the group is assumed to be exploiting Apache ActiveMQ remote code execution vulnerability (CVE-2023-46604) to install malware. --------------------------------------------- https://asec.ahnlab.com/en/59318/ ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities ∗∗∗ --------------------------------------------- The Spring Framework 6.0.14 release shipped on November 16th includes a fix for CVE-2023-34053. The Spring Boot 2.7.18 release shipped on November 23th includes fixes for CVE-2023-34055. Users are encouraged to update as soon as possible. --------------------------------------------- https://spring.io/blog/2023/11/27/cve-2023-34053-cve-2023-34055-spring-fram… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freeimage, gimp, gst-plugins-bad1.0, node-json5, opensc, python-requestbuilder, reportbug, strongswan, symfony, thunderbird, and tiff), Fedora (chromium, galera, golang, kubernetes, mariadb, python-asyncssh, thunderbird, vim, and webkitgtk), Gentoo (AIDE, Apptainer, GLib, GNU Libmicrohttpd, Go, GRUB, LibreOffice, MiniDLNA, multipath-tools, Open vSwitch, phpMyAdmin, QtWebEngine, and RenderDoc), Slackware (vim), SUSE (gstreamer-plugins-bad, java-1_8_0-ibm, openvswitch, poppler, slurm, slurm_22_05, slurm_23_02, sqlite3, vim, webkit2gtk3, and xrdp), and Ubuntu (openvswitch and thunderbird). --------------------------------------------- https://lwn.net/Articles/952923/ ∗∗∗ MISP 2.4.179 released with a host of improvements a security fix and some new tooling. ∗∗∗ --------------------------------------------- MISP 2.4.179 released with a host of improvements a security fix and some new tooling.First baby steps taken towards LLM integration. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.179 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.11.2023
by Daily end-of-shift report 24 Nov '23

24 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-11-2023 18:00 − Freitag 24-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Building your first metasploit exploit ∗∗∗ --------------------------------------------- This post outlines the process I followed to transform the authenticated Remote Code Execution (RCE) vulnerability in PRTG, identified as CVE-2023-32781, into a Metasploit exploit. The focus here is on the development of the exploit itself, rather than the steps for exploiting the RCE. For specific details on the vulnerability, please refer to the corresponding post titled PRTG Remote Code Execution. --------------------------------------------- https://baldur.dk/blog/writing-metasploit-exploit.html ∗∗∗ OpenSSL 3.2 implementiert TCP-Nachfolger QUIC ∗∗∗ --------------------------------------------- Das Transportprotokoll QUIC nimmt mit OpenSSL Fahrt auf: Die Open-Source-Kryptobibliothek implementiert es in der neuen Version 3.2 – zumindest teilweise. --------------------------------------------- https://www.heise.de/-9538866.html ∗∗∗ Synology schließt Pwn2Own-Lücke in Router-Manager-Firmware ∗∗∗ --------------------------------------------- Im Betriebssystem für Synology-Router haben IT-Forscher beim Pwn2Own-Wettbewerb Sicherheitslücken aufgedeckt. Ein Update schließt sie. --------------------------------------------- https://www.heise.de/-9538922.html ∗∗∗ Telekopye: Chamber of Neanderthals’ secrets ∗∗∗ --------------------------------------------- Insight into groups operating Telekopye bots that scam people in online marketplaces --------------------------------------------- https://www.welivesecurity.com/en/eset-research/telekopye-chamber-neanderth… ∗∗∗ Atomic Stealer: Mac-Malware täuscht Nutzer mit angeblichen Browser-Updates ∗∗∗ --------------------------------------------- Die Updates bieten die Cyberkriminellen über kompromittierte Websites an. Atomic Stealer hat es unter anderem auf Passwörter in Apple iCloud Keychain abgesehen. --------------------------------------------- https://www.zdnet.de/88413104/atomic-stealer-mac-malware-taeuscht-nutzer-mi… ∗∗∗ Trend Micro Apex One Service Pack 1 Critical Patch (build 12534) ∗∗∗ --------------------------------------------- Kurzer Hinweis für Nutzer von Trend Micro Apex One für Windows. Der Hersteller hat zum Service Pack 1 den Critical Patch (build 12534) veröffentlicht (danke an den Leser für den Hinweis). Dieser Patch enthält eine Reihe von Korrekturen und Erweiterungen [...] --------------------------------------------- https://www.borncity.com/blog/2023/11/23/trend-micro-apex-one-service-pack-… ∗∗∗ Intel Arc und Iris Xe Grafiktreiber 31.0.101.4972 fixt Office-Probleme (Nov. 2023) ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag von dieser Woche, den ich mal separat herausziehe. Intel hat ein Update seiner Intel Arc und Iris Xe Grafiktreiber auf die Version 31.0.101.4972 veröffentlich. Dieses Update soll eine Reihe von Problemen (z.B bei Starfield (DX12) beheben. --------------------------------------------- https://www.borncity.com/blog/2023/11/24/intel-arc-und-iris-xe-grafiktreibe… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: TunnelCrack Vulnerabilities in VPN Clients ∗∗∗ --------------------------------------------- CVE(s): CVE-2023-36672, CVE-2023-35838, CVE-2023-36673, CVE-2023-36671 Product(s): Sophos Connect Client 2.0 Workaround: Yes --------------------------------------------- https://www.sophos.com/en-us/security-advisories/sophos-sa-20231124-tunnelc… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (November 13, 2023 to November 19, 2023) ∗∗∗ --------------------------------------------- Wordfence just launched its bug bounty program. For the first 6 months, all awarded bounties receive a 10% bonus. View the announcement to learn more now! Last week, there were 126 vulnerabilities disclosed in 102 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 37 [...] --------------------------------------------- https://www.wordfence.com/blog/2023/11/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, gnutls28, intel-microcode, and tor), Fedora (chromium, microcode_ctl, openvpn, and vim), Gentoo (LinuxCIFS utils, SQLite, and Zeppelin), Oracle (c-ares, container-tools:4.0, dotnet7.0, kernel, kernel-container, nodejs:20, open-vm-tools, squid:4, and tigervnc), Red Hat (samba and squid), Slackware (mozilla), SUSE (fdo-client, firefox, libxml2, maven, maven-resolver, sbt, xmvn, poppler, python-Pillow, squid, strongswan, and xerces-c), and Ubuntu (apache2, firefox, glusterfs, nghttp2, poppler, python2.7, python3.5, python3.6, tiff, and zfs-linux). --------------------------------------------- https://lwn.net/Articles/952602/ ∗∗∗ ActiveMQ-5.18.2 RCE-shell-reverse-Metasploit ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023110026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.11.2023
by Daily end-of-shift report 23 Nov '23

23 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-11-2023 18:00 − Donnerstag 23-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Proof of Concept Exploit Publicly Available for Critical Windows SmartScreen Flaw ∗∗∗ --------------------------------------------- Threat actors were actively exploiting CVE-2023-36025 before Microsoft patched it in November. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/proof-of-concept-exploi… ∗∗∗ Consumer cyberthreats: predictions for 2024 ∗∗∗ --------------------------------------------- Kaspersky experts review last years predictions on consumer cyberthreats and try to anticipate the trends for 2024. --------------------------------------------- https://securelist.com/kaspersky-security-bulletin-consumer-threats-2024/11… ∗∗∗ Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks ∗∗∗ --------------------------------------------- An active malware campaign is leveraging two zero-day vulnerabilities with remote code execution (RCE) functionality to rope routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet. “The payload targets routers and network video recorder (NVR) devices with default admin credentials and installs Mirai variants when successful,” Akamai said in an advisory. --------------------------------------------- https://thehackernews.com/2023/11/mirai-based-botnet-exploiting-zero-day.ht… ∗∗∗ The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks ∗∗∗ --------------------------------------------- During the last few months, we conducted a study of some of the top ransomware families (12 in total) that either directly developed ransomware for Linux systems or were developed in languages with a strong cross-platform component, such as Golang or Rust, thereby allowing them to be compiled for both Windows and Linux indiscriminately. Our main objectives were to increase our understanding of the main motivations for developing ransomware targeting Linux instead of Windows systems, which historically have been the main target until now. --------------------------------------------- https://research.checkpoint.com/2023/the-platform-matters-a-comparative-stu… ∗∗∗ Your voice is my password ∗∗∗ --------------------------------------------- AI-driven voice cloning can make things far too easy for scammers – I know because I’ve tested it so that you don’t have to learn about the risks the hard way. --------------------------------------------- https://www.welivesecurity.com/en/cybersecurity/your-voice-is-my-password/ ∗∗∗ Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker ∗∗∗ --------------------------------------------- SysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with multiple variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, SysJoker Windows variants have evolved enough to stay under the radar. --------------------------------------------- https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the… ===================== = Vulnerabilities = ===================== ∗∗∗ Uninstall Key Caching in Fortra Digital Guardian Agent Uninstaller (CVE-2023-6253) ∗∗∗ --------------------------------------------- The Digital Guardian Management Console is vulnerable to a Stored Cross-Site Scripting attack in the PDF Template functionality. The vendor replied that this is an intended feature. The Digital Guardian Agent Uninstaller File also caches the Uninstall Key which can be extracted by an attacker and be used to terminate and uninstall the agent. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/uninstall-key-caching-in… ∗∗∗ Sicherheitsschwachstellen in easySoft und easyE4 (SYSS-2023-007/-008/-009/-010) ∗∗∗ --------------------------------------------- In der Software „easySoft“ sowie dem Steuerrelais „easyE4“ der Eaton Industries GmbH wurden Schwachstellen gefunden. Diese ermöglichen sowohl das Extrahieren des Projektpassworts aus einer easySoft-Projektdatei als auch das Berechnen von Passwortkandidaten für easyE4-Programme, welche auf einer SD-Karte gespeichert sind. Darüber hinaus können auch Passwortkandidaten aus einem Netzwerkstream extrahiert werden, der z. B. während der Administration eines easyE4 aufgezeichnet wurde. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstellen-in-easysoft-und-… ∗∗∗ ownCloud Security Advisories 2023-11-21 ∗∗∗ --------------------------------------------- ownCloud released 3 security advisories: 2x critical, 1x high --------------------------------------------- https://owncloud.com/security/https://owncloud.com/security/ ∗∗∗ Atlassian rüstet Jira Data Center and Server & Co. gegen mögliche Attacken ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Softwarelösungen von Atlassian. Es kann Schadcode auf Systeme gelangen. --------------------------------------------- https://www.heise.de/-9537138 ∗∗∗ Sicherheitsupdates in Foxit PDF Reader 2023.3 und Foxit PDF Editor 2023.3 verfügbar ∗∗∗ --------------------------------------------- https://www.foxit.com/de/support/security-bulletins.html ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.11.2023
by Daily end-of-shift report 22 Nov '23

22 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-11-2023 18:00 − Mittwoch 22-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ HrServ – Previously unknown web shell used in APT attack ∗∗∗ --------------------------------------------- In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021. --------------------------------------------- https://securelist.com/hrserv-apt-web-shell/111119/ ∗∗∗ ClearFake Campaign Expands to Deliver Atomic Stealer on Macs Systems ∗∗∗ --------------------------------------------- The macOS information stealer known as Atomic is now being delivered to target via a bogus web browser update chain tracked as ClearFake."This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system," Malwarebytes Jérôme Segura said in a Tuesday analysis. --------------------------------------------- https://thehackernews.com/2023/11/clearfake-campaign-expands-to-deliver.html ∗∗∗ Lumma malware can allegedly restore expired Google auth cookies ∗∗∗ --------------------------------------------- The Lumma information-stealer malware (aka LummaC2) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. [..] This new feature allegedly introduced in recent Lumma releases is yet to be verified by security researchers or Google, so whether or not it works as advertised remains uncertain. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lumma-malware-can-allegedly-… ∗∗∗ Windows Hello Fingerprint Authentication Bypassed on Popular Laptops ∗∗∗ --------------------------------------------- Researchers have tested the fingerprint sensors used for Windows Hello on three popular laptops and managed to bypass them. --------------------------------------------- https://www.securityweek.com/windows-hello-fingerprint-authentication-bypas… ∗∗∗ „Ich möchte meine Bankdaten ändern“: Dieses Mail an die Personalabteilung könnte Betrug sein ∗∗∗ --------------------------------------------- Kriminelle geben sich als Mitarbeiter:innen Ihres Unternehmens aus und bitten um Änderung Ihrer Bankdaten für die Gehaltsüberweisung. Wird das E-Mail nicht als Fake erkannt, wird das Gehalt der jeweiligen Mitarbeiter:innen auf das Bankkonto von Kriminellen überwiesen. Wir zeigen Ihnen, woher Kriminelle die Daten kennen und wie Sie sich schützen. --------------------------------------------- https://www.watchlist-internet.at/news/ich-moechte-meine-bankdaten-aendern-… ∗∗∗ The Ticking Supply Chain Attack Bomb of Exposed Kubernetes Secrets ∗∗∗ --------------------------------------------- Exposed Kubernetes secrets pose a critical threat of supply chain attack. Aqua Nautilus researchers found that the exposed Kubernetes secrets of hundreds of organizations and open-source projects allow access to sensitive environments in the Software Development Life Cycle (SDLC) and open a severe supply chain attack threat. Among the companies were SAP’s Artifacts management system with over 95 million, two top blockchain companies, and various other fortune-500 companies. --------------------------------------------- https://blog.aquasec.com/the-ticking-supply-chain-attack-bomb-of-exposed-ku… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in m-privacy TightGate-Pro ∗∗∗ --------------------------------------------- There are several vulnerabilities in the server which enables attackers to view the VNC sessions of other users, infect the VNC session with keyloggers and start internal phishing attacks. Additionally, a TightGate-Pro administrator can push malicious PDFs to the endpoint of the user. Furthermore, the update servers which are only reachable via an SSH-tunnel are severely outdated (2003). CVEs: CVE-2023-47250, CVE-2023-47251 --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Several Critical Vulnerabilities including Privilege Escalation, Authentication Bypass, and More Patched in UserPro WordPress Plugin ∗∗∗ --------------------------------------------- On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities we discovered in Kirotech’s UserPro plugin, which is actively installed on more than 20,000 WordPress websites [..] We made an initial attempt to contact Kirotech, the vendor of UserPro, on May 1, 2023, but we did not receive a response until May 10, 2023, after many additional attempts. After providing full disclosure details, the developer released the first patch on July 27, 2023, and the final patch on October 31, 2023. --------------------------------------------- https://www.wordfence.com/blog/2023/11/several-critical-vulnerabilities-inc… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gimp), Fedora (audiofile and firefox), Mageia (postgresql), Red Hat (binutils, c-ares, fence-agents, glibc, kernel, kernel-rt, kpatch-patch, libcap, libqb, linux-firmware, ncurses, pixman, python-setuptools, samba, and tigervnc), Slackware (kernel and mozilla), SUSE (apache2-mod_jk, avahi, container-suseconnect, java-1_8_0-openjdk, libxml2, openssl-1_0_0, openssl-1_1, openvswitch, python3-setuptools, strongswan, ucode-intel, and util-linux), and Ubuntu (frr, gnutls28, hibagent, linux, linux-aws, linux-aws-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-hwe-6.2, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-oem-6.1, mosquitto, rabbitmq-server, squid, and tracker-miners). --------------------------------------------- https://lwn.net/Articles/952312/ ∗∗∗ Mozilla Releases Security Updates for Firefox and Thunderbird ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/22/mozilla-releases-securit… ∗∗∗ Fix for BIRT Report Engine that is vulnerable due to nested jtidy.jar r938 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081112 ∗∗∗ Vulnerability in Apache HTTP Server affects IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081354 ∗∗∗ IBM QRadar Wincollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7081403 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.11.2023
by Daily end-of-shift report 21 Nov '23

21 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-11-2023 18:00 − Dienstag 21-11-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kinsing Hackers Exploit Apache ActiveMQ Vulnerability to Deploy Linux Rootkits ∗∗∗ --------------------------------------------- The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits."Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the hosts resources to mine cryptocurrencies like Bitcoin, [..] --------------------------------------------- https://thehackernews.com/2023/11/kinsing-hackers-exploit-apache-activemq.h… ∗∗∗ How Multi-Stage Phishing Attacks Exploit QRs, CAPTCHAs, and Steganography ∗∗∗ --------------------------------------------- Phishing attacks are steadily becoming more sophisticated, with cybercriminals investing in new ways of deceiving victims into revealing sensitive information or installing malicious software. One of the latest trends in phishing is the use of QR codes, CAPTCHAs, and steganography. See how they are carried out and learn to detect them. --------------------------------------------- https://thehackernews.com/2023/11/how-multi-stage-phishing-attacks.html ∗∗∗ Gefälschte Zeitungsartikel bewerben betrügerische Investment-Angebote ∗∗∗ --------------------------------------------- Kriminelle fälschen Webseiten von Medien wie oe24 und ORF und füllen diese mit Fake-News. In den gefälschten Artikeln wird eine Möglichkeit beworben, wie man schnell reich wird. Angeblich geben Christoph Grissemann, Miriam Weichselbraun oder Armin Assinger Investitionstipps und erklären, dass jeder Mensch mit nur 250 Euro in wenigen Monaten eine Million machen kann. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-zeitungsartikel-bewerben… ∗∗∗ CISA, FBI, MS-ISAC, and ASD’s ACSC Release Advisory on LockBit Affiliates Exploiting Citrix Bleed ∗∗∗ --------------------------------------------- Today, the (CISA), (FBI), (MS-ISAC), and Australian (ASD’s ACSC) released a joint Cybersecurity Advisory (CSA), #StopRansomware: LockBit Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (along with an accompanying analysis report MAR-10478915-1.v1 Citrix Bleed), in response to LockBit 3.0 ransomware affiliates and multiple threat actor groups exploiting CVE-2023-4966. Labeled Citrix Bleed, the vulnerability affects Citrix’s NetScaler web application delivery control (ADC) and NetScaler Gateway appliances. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/21/cisa-fbi-ms-isac-and-asd… ===================== = Vulnerabilities = ===================== ∗∗∗ Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets ∗∗∗ --------------------------------------------- Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings. CVE Identifiers: CVE-2023-44353, CVE-2023-29300, CVE-2023-38203, CVE-2023-38204 --------------------------------------------- https://research.nccgroup.com/2023/11/21/technical-advisory-adobe-coldfusio… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (activemq, strongswan, and wordpress), Mageia (u-boot), SUSE (avahi, frr, libreoffice, nghttp2, openssl, openssl1, postgresql, postgresql15, postgresql16, python-Twisted, ucode-intel, and xen), and Ubuntu (avahi, hibagent, nodejs, strongswan, tang, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/952088/ ∗∗∗ Synology-SA-23:16 SRM (PWN2OWN 2023) ∗∗∗ --------------------------------------------- The vulnerabilities allow man-in-the-middle attackers to execute arbitrary code or access intranet resources via a susceptible version of Synology Router Manager (SRM).A vulnerability reported by PWN2OWN 2023 has been addressed. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_16 ∗∗∗ [nextcloud]: Server-Side Request Forgery (SSRF) in Mail app ∗∗∗ --------------------------------------------- An attacker can use an unprotected endpoint in the Mail app to perform a SSRF attack. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4… ∗∗∗ [nextcloud]: DNS pin middleware can be tricked into DNS rebinding allowing SSRF ∗∗∗ --------------------------------------------- The DNS pin middleware was vulnerable to DNS rebinding allowing an attacker to perform SSRF as a final result. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ [nextcloud]: user_ldap app logs user passwords in the log file on level debug ∗∗∗ --------------------------------------------- When the log level was set to debug the user_ldap app logged user passwords in plaintext into the log file. If the log file was then leaked or shared in any way the users' passwords would be leaked. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3… ∗∗∗ [nextcloud]: Can enable/disable birthday calendar for any user ∗∗∗ --------------------------------------------- An attacker could enable and disable the birthday calendar for any user on the same server. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8… ∗∗∗ [nextcloud]: Admins can change authentication details of user configured external storage ∗∗∗ --------------------------------------------- It is recommended that the Nextcloud Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11 or 23.0.11 or 24.0.6 --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2… ∗∗∗ [nextcloud]: Self XSS when pasting HTML into Text app with Ctrl+Shift+V ∗∗∗ --------------------------------------------- When a user is tricked into copy pasting HTML code without markup (Ctrl+Shift+V) the markup will actually render. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p… ∗∗∗ [nextcloud]: HTML injection in search UI when selecting a circle with HTML in the display name ∗∗∗ --------------------------------------------- An attacker could insert links into circles name that would be opened when clicking the circle name in a search filter. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w… ∗∗∗ [nextcloud]: Users can make external storage mount points inaccessible for other users ∗∗∗ --------------------------------------------- A malicious user could update any personal or global external storage, making them inaccessible for everyone else as well. --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f… ∗∗∗ Zyxel security advisory for out-of-bounds write vulnerability in SecuExtender SSL VPN Client software ∗∗∗ --------------------------------------------- The out-of-bounds write vulnerability in the Windows-based SecuExtender SSL VPN Client software could allow a local authenticated user to gain a privilege escalation by sending a crafted CREATE message. --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ WAGO: Remote Code execution vulnerability in managed Switches ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-037/ ∗∗∗ PHOENIX CONTACT: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-062/ ∗∗∗ Multiple vulnerabilities on [Bosch Rexroth] ctrlX HMI / WR21 ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-175607.html ∗∗∗ IBM Sterling B2B Integrator is affected by vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080105 ∗∗∗ IBM Sterling B2B Integrator dashboard is vulnerable to cross-site request forgery (CVE-2022-35638) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080104 ∗∗∗ IBM Sterling B2B Integrator affected by FasterXML Jackson-data vulnerabilities (CVE-2022-42003, CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080107 ∗∗∗ IBM Sterling B2B Integrator affected by XStream security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080106 ∗∗∗ IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080117 ∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080118 ∗∗∗ Multiple security vulnerabilities have been identified in DB2 JDBC driver shipped with IBM Tivoli Business Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080122 ∗∗∗ There is an Apache vulnerability in Liberty used by the IBM Maximo Manage application in the IBM Maximo Application Suite (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080157 ∗∗∗ There is a vulnerability in jetty-http-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080156 ∗∗∗ There is a vulnerability in jetty-server-9.4.48.v20220622.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080155 ∗∗∗ Multiple security vulnerabilities in Snake YAML affect IBM Sterling B2B Integrator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080177 ∗∗∗ IBM Sterling B2B Integrator affected by remote code execution due to Snake Yaml (CVE-2022-1471) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080174 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-25682) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080172 ∗∗∗ IBM Sterling B2B Integrator is affected by sensitive information exposure due to Apache James MIME4J (CVE-2022-45787) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080175 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080176 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.11.2023
by Daily end-of-shift report 20 Nov '23

20 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-11-2023 18:00 − Montag 20-11-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Exploit for CrushFTP RCE chain released, patch now ∗∗∗ --------------------------------------------- A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exploit-for-crushftp-rce-cha… ∗∗∗ Lumma Stealer malware now uses trigonometry to evade detection ∗∗∗ --------------------------------------------- The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lumma-stealer-malware-now-us… ∗∗∗ Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits ∗∗∗ --------------------------------------------- The Kinsing malware operator is actively exploiting the CVE-2023-46604 critical vulnerability in the Apache ActiveMQ open-source message broker to compromise Linux systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kinsing-malware-exploits-apa… ∗∗∗ New "Agent Tesla" Variant: Unusual "ZPAQ" Archive Format Delivers Malware ∗∗∗ --------------------------------------------- A new variant of Agent Tesla uses the uncommon compression format ZPAQ to steal information from approximately 40 web browsers and various email clients. But what exactly is this file compression format? What advantage does it provide to threat actors? And why it is assumed that the version of Agent Tesla is “new”? --------------------------------------------- https://www.gdatasoftware.com/blog/2023/11/37822-agent-tesla-zpaq ∗∗∗ DarkGate and PikaBot Malware Resurrect QakBots Tactics in New Phishing Attacks ∗∗∗ --------------------------------------------- Phishing campaigns delivering malware families such as DarkGate and PikaBot are following the same tactics previously used in attacks leveraging the now-defunct QakBot trojan. “These include hijacked email threads as the initial infection, URLs with unique patterns that limit user access, and an infection chain nearly identical to what we have seen with QakBot delivery,” Cofense said in a report [...] --------------------------------------------- https://thehackernews.com/2023/11/darkgate-and-pikabot-malware-resurrect.ht… ∗∗∗ NetSupport RAT Infections on the Rise - Targeting Government and Business Sectors ∗∗∗ --------------------------------------------- Threat actors are targeting the education, government and business services sectors with a remote access trojan called NetSupport RAT. "The delivery mechanisms for the NetSupport RAT encompass fraudulent updates, drive-by downloads, utilization of malware loaders (such as GHOSTPULSE), and various forms of phishing campaigns," VMware Carbon Black researchers said in a report [...] --------------------------------------------- https://thehackernews.com/2023/11/netsupport-rat-infections-on-rise.html ∗∗∗ Visual Studio Code Security: Markdown Vulnerabilities in Third-Party Extensions ∗∗∗ --------------------------------------------- In this blog post, we present code vulnerabilities we found in GitLens (27 million installs) and GitHub Pull Requests and Issues (15 million installs). We will first give some background on VSCode internals, then explain the vulnerable portions of the code, and finally show how these issues can be prevented. --------------------------------------------- https://www.sonarsource.com/blog/vscode-security-markdown-vulnerabilities-i… ∗∗∗ Xen Project Releases Version 4.18 with New Security, Performance, and Architecture Enhancements for AI/ML Applications ∗∗∗ --------------------------------------------- The Xen Project, an open source hypervisor hosted at the Linux Foundation, today announced the release of Xen Project Hypervisor 4.18 with architecture enhancements for High Performance Computing (HPC) and Machine Learning (ML) applications, as well as higher security and performance features. --------------------------------------------- https://xenproject.org/2023/11/20/xen-project-releases-version-4-18-with-ne… ∗∗∗ How to perform basic digital forensics on a Windows computer ∗∗∗ --------------------------------------------- Digital forensics is a critical field in the investigation of cybercrimes, data breaches, and other digital incidents. As our reliance on computers continues to grow, the need for skilled digital forensics professionals is more crucial than ever. In this guide, we will explore the basics of performing digital [...] --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/how-to-perform-basi… ===================== = Vulnerabilities = ===================== ∗∗∗ Updates für Trellix ePolicy Orchestrator schließen Sicherheitslücken ∗∗∗ --------------------------------------------- Trellix, Nachfolger von McAfee und FireEye, hat den ePolicy Orchestrator aktualisiert. Das Update schließt etwa eine hochriskant eingestufte Schwachstelle. --------------------------------------------- https://www.heise.de/-9533816.html ∗∗∗ Synology schließt kritische Firmware-Lücke in Überwachungskameras ∗∗∗ --------------------------------------------- Angreifer können eigenen Code auf Überwachungskameras von Synology ausführen. --------------------------------------------- https://www.heise.de/-9534072.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (freerdp2, lwip, netty, and wireshark), Fedora (dotnet6.0, dotnet7.0, golang, gst-devtools, gstreamer1, gstreamer1-doc, gstreamer1-plugin-libav, gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-rtsp-server, gstreamer1-vaapi, podman-tui, prometheus-podman-exporter, python-gstreamer1, syncthing, and tigervnc), Mageia (chromium-browser-stable, haproxy, and tigervnc), Oracle (curl, ghostscript, microcode_ctl, nghttp2, open-vm-tools, samba, and squid), SUSE (gcc13, postgresql14, and yt-dlp), and Ubuntu (iniparser). --------------------------------------------- https://lwn.net/Articles/951999/ ∗∗∗ Schwachstelle CVE-2023-46302 in Apache Submarine ∗∗∗ --------------------------------------------- In Apache Submarine gibt es eine kritische Remote Code Execution-Schwachstelle CVE-2023-46302. Die Schwachstelle rührt von einer Sicherheitslücke in snakeyaml (CVE-2022-1471) her und gefährdet Apache Submarine-Benutzer, da Angreifer beliebigen Code auf verwundbaren Systemen ausführen können. --------------------------------------------- https://www.borncity.com/blog/2023/11/20/schwachstelle-cve-2023-46302-in-ap… ∗∗∗ Multiple vulnerabilities in LuxCal Web Calendar ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN15005948/ ∗∗∗ WAGO: Improper privilege management in web-based management ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-015/ ∗∗∗ [R1] Security Center Version 6.2.1 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-42 ∗∗∗ CVE-2022-41713 An issue was discovered in deep-object-diff version 1.1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079403 ∗∗∗ CVE-2022-24434 An issue was discovered in the npm package dicer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079460 ∗∗∗ Vulnerability in d3-color affects IBM UrbanCode Velocity . WS-2022-0322 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079484 ∗∗∗ IBM Storage Protect for Virtual Environments is vulnerable to arbitrary code execution, sensitive information disclosure, and denial of service due to CVEs in Apache Velocity, Apache Jena, and XStream (woodstox) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7079947 ∗∗∗ QRadar Suite Software includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080058 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Go HTML injection vulnerabilitiy [CVE-2023-24539] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7080057 ∗∗∗ IBM App Connect Enterprise is vulnerable to a heap-based buffer overflow due to libcurl and cURL. (CVE-2023-38546, CVE-2023-38545) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7076344 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.11.2023
by Daily end-of-shift report 17 Nov '23

17 Nov '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-11-2023 18:00 − Freitag 17-11-2023 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ MySQL servers targeted by Ddostf DDoS-as-a-Service botnet ∗∗∗ --------------------------------------------- MySQL servers are being targeted by the Ddostf malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-dd… ∗∗∗ Beyond -n: Optimizing tcpdump performance, (Thu, Nov 16th) ∗∗∗ --------------------------------------------- If you ever had to acquire packets from a network, you probably used tcpdump. Other tools (Wireshark, dumpcap, snort...) can do the same thing, but none is as widely used as tcpdump. tcpdump is simple to use, fast, and universally available (and free!). --------------------------------------------- https://isc.sans.edu/diary/rss/30408 ∗∗∗ Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware ∗∗∗ --------------------------------------------- Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.Cybersecurity company Securonix is tracking the ongoing activity under the name SEO#LURKER. --------------------------------------------- https://thehackernews.com/2023/11/beware-malicious-google-ads-trick.html ∗∗∗ Understanding the Phobos affiliate structure and activity ∗∗∗ --------------------------------------------- Cisco Talos identified the most prolific Phobos variants, TTPs and affiliate structure, based on their activity and analysis of over 1,000 samples from VirusTotal dating back to 2019. We assess with moderate confidence Eking, Eight, Elbie, Devos and Faust are the most common variants --------------------------------------------- https://blog.talosintelligence.com/understanding-the-phobos-affiliate-struc… ∗∗∗ ALPHV (BlackCat) Ransomware Gang Uses Google Ads for Targeted Victims ∗∗∗ --------------------------------------------- Researchers noted that ALPHV/BlackCat threat actors gain initial access to their target’s IT networks through three methods. These include exploiting stolen or compromised login credentials to gain unauthorized access, exploiting vulnerabilities in remote management/monitoring tools to access IT systems, and browser-based attacks in which users are tricked into visiting malicious websites that deliver malware or malicious links in emails or social media posts. --------------------------------------------- https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/ ∗∗∗ CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector ∗∗∗ --------------------------------------------- Today, CISA released the Mitigation Guide: Healthcare and Public Health (HPH) Sector as a supplemental companion to the HPH Cyber Risk Summary, published July 19, 2023. This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/17/cisa-releases-mitigation… ===================== = Vulnerabilities = ===================== ∗∗∗ Bildbearbeitung: Angreifer können Gimp Schadcode unterjubeln ∗∗∗ --------------------------------------------- Die freie Open-Source-Bildbearbeitung Gimp ist in Version 2.10.36 erschienen. Sie schließt Sicherheitslücken, die Codeschmuggel erlauben. --------------------------------------------- https://www.heise.de/news/Bildbearbeitung-Angreifer-koennen-Gimp-Schadcode-… ∗∗∗ FortiNet flickt schwere Sicherheitslücken in FortiOS und anderen Produkten ∗∗∗ --------------------------------------------- Neben FortiOS und FortiClient sind auch FortiSIEM, FortiWLM und weitere von zum Teil kritischen Security-Fehlern betroffen. Admins sollten patchen. --------------------------------------------- https://www.heise.de/news/FortiNet-flickt-schwere-Sicherheitsluecken-in-For… ∗∗∗ Anonymisierendes Linux: Tails 5.19.1 behebt Tor-Lücke, Audit-Ergebnisse sind da ∗∗∗ --------------------------------------------- Ein offenbar aus der Ferne ausnutzbarer Bug in Tor führte zum neuerlichen Update. Die Ergebnisse der kürzlichen Sicherheitsprüfung hingegen sind positiv. --------------------------------------------- https://www.heise.de/news/Anonymisierendes-Linux-Tails-5-19-1-behebt-Tor-Lu… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk), Fedora (microcode_ctl, pack, and tigervnc), Slackware (gimp), SUSE (frr, gcc13, go1.20, go1.20-openssl, go1.21, go1.21-openssl, libnbd, libxml2, python-Pillow, python-urllib3, and xen), and Ubuntu (intel-microcode and openvpn). --------------------------------------------- https://lwn.net/Articles/951801/ ∗∗∗ Over a Dozen Exploitable Vulnerabilities Found in AI/ML Tools ∗∗∗ --------------------------------------------- Since August 2023, members of the Huntr bug bounty platform for artificial intelligence (AI) and machine learning (ML) have uncovered over a dozen vulnerabilities exposing AI/ML models to system takeover and sensitive information theft. Identified in tools with hundreds of thousands or millions of downloads per month, such as H2O-3, MLflow, and Ray, these issues potentially impact the entire AI/ML supply chain --------------------------------------------- https://www.securityweek.com/over-a-dozen-exploitable-vulnerabilities-found… ∗∗∗ [R1] Nessus Agent Version 10.4.4 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated attacker with privileges on the managing application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-41 ∗∗∗ [R1] Nessus Version 10.6.3 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-40 ∗∗∗ [R1] Nessus Version 10.5.7 Fixes One Vulnerability ∗∗∗ --------------------------------------------- An arbitrary file write vulnerability exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus Rules variables to overwrite arbitrary files on the remote host, which could lead to a denial of service condition. --------------------------------------------- https://www.tenable.com/security/tns-2023-39 ∗∗∗ Juniper Releases Security Advisory for Juniper Secure Analytics ∗∗∗ --------------------------------------------- Juniper released a security advisory to address multiple vulnerabilities affecting Juniper Secure Analytics. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.CISA encourages users and administrators to review the Juniper advisory JSA74298 and apply the necessary updates. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/11/17/juniper-releases-securit… ∗∗∗ ZDI-23-1716: Luxion KeyShot Viewer KSP File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-1716/ ∗∗∗ SVD-2023-1107: November 2023 Splunk Universal Forwarder Third-Party Updates ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1107 ∗∗∗ SVD-2023-1106: November 2023 Third-Party Package Updates in Splunk Enterprise ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1106 ∗∗∗ SVD-2023-1105: November 2023 Third Party Package updates in Splunk Enterprise ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1105 ∗∗∗ SVD-2023-1104: Remote code execution (RCE) in Splunk Enterprise through Insecure XML Parsing ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1104 ∗∗∗ SVD-2023-1103: Cross-site Scripting (XSS) on “Show Syntax Highlighted” View in Search Page ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1103 ∗∗∗ SVD-2023-1102: Third Party Package Update in Splunk Add-on for Google Cloud Platform ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1102 ∗∗∗ SVD-2023-1101: Third Party Package Update in Splunk Add-on for Amazon Web Services ∗∗∗ --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-1101 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Node.js vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077733 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Apache Ivy information disclosure vulnerabilitiy [CVE-2023-46751] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077734 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077736 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to snappy-java information disclosure vulnerabilitiy [CVE-2023-43642] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077735 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to libssh denial of service vulnerability [CVE-2023-3603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077739 ∗∗∗ IBM QRadar SIEM contains multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070736 ∗∗∗ IBM Storage Fusion may be vulnerable to Unauthorized requests (SSRF), Improper path traversal, via k8s.io\/apimachinery, k8s.io\/apiserver (CVE-2022-3172, CVE-2022-3162) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077936 ∗∗∗ InfoSphere Information Server is vulnerable due to improper access control (CVE-2023-40363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070742 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in Eclipse Jetty (CVE-2023-26049) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070740 ∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of golang.org\/x\/net, x\/crypto, and x\/text (CVE-2022-30633, CVE-2022-27664, CVE-2022-28131, CVE-2022-41721, CVE-2021-43565, CVE-2022-27191, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077942 ∗∗∗ IBM Planning Analytics is affected by vulnerabilities in IBM Java, IBM Websphere Application Server Liberty and IBM GSKit ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7070140 ∗∗∗ IBM Storage Fusion may be vulnerable to Denial of Service via use of openshift\/machine-api-operator, openshift\/machine-config-operator (CVE-2020-28851, CVE-2020-28852, CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077938 ∗∗∗ IBM Storage Fusion may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution and via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077947 ∗∗∗ Java SE issues disclosed in the Oracle October 2023 Critical Patch Update plus CVE-2023-5676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078433 ∗∗∗ IBM Security SOAR is using a component with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7063706 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to libcurl vulnerabilities (CVE-2023-38546, CVE-2023-38545) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7077530 ∗∗∗ IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957156 ∗∗∗ Watson Machine Learning Accelerator on Cloud Pak for Data is affected by multiple vulnerabilities in Grafana ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078751 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7078745 ∗∗∗ Red Lion Sixnet RTUs ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-320-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily November 2023