=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-12-2023 18:00 − Wednesday 13-12-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ FakeSG campaign, Akira ransomware and AMOS macOS stealer ∗∗∗
---------------------------------------------
In this report, we share our latest crimeware findings: FakeSG malware distribution campaign delivering NetSupport RAT, new Conti-like Akira ransomware and AMOS stealer for macOS.
---------------------------------------------
https://securelist.com/crimeware-report-fakesg-akira-amos/111483/
∗∗∗ Willhaben: Don't let yourself be lured onto WhatsApp and the like! ∗∗∗
---------------------------------------------
If you want to sell or buy goods via classified ads on willhaben, you are best protected against fraud if you follow a few simple tips. Above all, do not let yourself be directed from the willhaben chat to external channels.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-lassen-sie-sich-nicht-auf-…
∗∗∗ A pernicious potpourri of Python packages in PyPI ∗∗∗
---------------------------------------------
The past year has seen over 10,000 downloads of malicious packages hosted on the official Python package repository
---------------------------------------------
https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python…
∗∗∗ Web shell on a SonicWall SMA ∗∗∗
---------------------------------------------
Truesec Cybersecurity Incident Response Team (CSIRT) found a compromised SonicWall Secure Mobile Access (SonicWall SMA) device on which a threat actor (TA) had deployed a web shell, a hiding mechanism, and a way to ensure persistence across firmware upgrades.
---------------------------------------------
https://www.truesec.com/hub/blog/web-shell-on-a-sonicwall-sma
∗∗∗ A Day In The Life Of A GreyNoise Researcher: The Path To Understanding The Remote Code Execution Vulnerability Apache (CVE-2023-50164) in Apache Struts2 ∗∗∗
---------------------------------------------
This weakness enables attackers to remotely drop and call a web shell through a public interface.
---------------------------------------------
https://www.greynoise.io/blog/a-day-in-the-life-of-a-greynoise-researcher-t…
∗∗∗ Responding to CitrixBleed (CVE-2023-4966): Key Takeaways from Affected Companies ∗∗∗
---------------------------------------------
This critical security flaw has had a significant impact across various industries in the United States, including credit unions and healthcare services, marking it as one of the most critical vulnerabilities of 2023. Its relatively straightforward buffer overflow exploitability has raised major concerns.
---------------------------------------------
https://blog.morphisec.com/responding-to-citrixbleed
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft: OAuth apps used to automate BEC and cryptomining attacks ∗∗∗
---------------------------------------------
Microsoft warns that financially-motivated threat actors are using OAuth applications to automate BEC and phishing attacks, push spam, and deploy VMs for cryptomining.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-oauth-apps-used-to…
∗∗∗ Final Patch Tuesday of 2023 goes out with a bang ∗∗∗
---------------------------------------------
Microsoft fixed 36 flaws. Adobe addressed 212. Apple, Google, Cisco, VMware and Atlassian joined the party. It's the last Patch Tuesday of 2023, which calls for celebration – just as soon as you update Windows, Adobe, Google, Cisco, FortiGuard, SAP, VMware, Atlassian and Apple products, of course.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/12/13/december_202…
∗∗∗ Patch Tuesday Microsoft: Outlook can choke on a malicious-code e-mail ∗∗∗
---------------------------------------------
Microsoft has released important security updates for Azure, Defender and others. So far there are reportedly no attacks.
---------------------------------------------
https://www.heise.de/news/Patchday-Microsoft-Outlook-kann-sich-an-Schadcode…
∗∗∗ Patch Tuesday: Adobe closes 185 security vulnerabilities in Experience Manager ∗∗∗
---------------------------------------------
Attackers can target systems running Adobe applications. The software vendor has now closed the vulnerabilities.
---------------------------------------------
https://www.heise.de/news/Patchday-Adobe-Adobe-schliesst-185-Sicherheitslue…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (debian-security-support and xorg-server), Fedora (java-17-openjdk, libcmis, and libreoffice), Mageia (fish), Red Hat (buildah, containernetworking-plugins, curl, fence-agents, kernel, kpatch-patch, libxml2, pixman, podman, runc, skopeo, and tracker-miners), SUSE (kernel, SUSE Manager 4.3.10 Release Notes, and SUSE Manager Client Tools), and Ubuntu (gnome-control-center, linux-gcp, linux-kvm, linux-gkeop, linux-gkeop-5.15, linux-hwe-6.2, [...]
---------------------------------------------
https://lwn.net/Articles/954921/
∗∗∗ Apache Struts again: CVE-2023-50164 ∗∗∗
---------------------------------------------
In the past we have had seriously bad experiences with vulnerabilities in the Apache Struts library, for example CVE-2017-5638 or CVE-2017-9805. Complex websites/portals in particular, often run by larger companies, were frequently developed in Java and were susceptible to mass exploitation. We therefore initially classified the publication of a new vulnerability in Struts, CVE-2023-50164 with a CVSS score of 9.8, as worrying.
---------------------------------------------
https://cert.at/de/aktuelles/2023/12/mal-wieder-apache-struts-cve-2023-50164
∗∗∗ Apache Struts Vulnerability Affecting Cisco Products: December 2023 ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Atos Unify Security Advisories ∗∗∗
---------------------------------------------
https://unify.com/en/support/security-advisories
∗∗∗ Fortiguard Security Advisories ∗∗∗
---------------------------------------------
https://www.fortiguard.com/psirt
∗∗∗ Technical Advisory – Multiple Vulnerabilities in Nagios XI ∗∗∗
---------------------------------------------
https://research.nccgroup.com/2023/12/13/technical-advisory-multiple-vulner…
∗∗∗ VMSA-2023-0027 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0027.html
∗∗∗ Command injection vulnerability in Bosch IP Cameras ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-638184-bt.html
∗∗∗ Denial of Service vulnerability in Bosch BT software products ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-092656-bt.html
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-12-2023 18:00 − Tuesday 12-12-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Counter-Strike 2 HTML injection bug exposes players’ IP addresses ∗∗∗
---------------------------------------------
Valve has reportedly fixed an HTML injection flaw in CS2 that was heavily abused today to inject images into games and obtain other players' IP addresses.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/counter-strike-2-html-inject…
∗∗∗ New MrAnon Stealer Malware Targeting German Users via Booking-Themed Scam ∗∗∗
---------------------------------------------
A phishing campaign has been observed delivering an information stealer malware called MrAnon Stealer to unsuspecting victims via seemingly benign booking-themed PDF lures. "This malware is a Python-based information stealer compressed with cx-Freeze to evade detection," Fortinet FortiGuard Labs researcher Cara Lin said.
---------------------------------------------
https://thehackernews.com/2023/12/new-mranon-stealer-targeting-german-it.ht…
∗∗∗ Intercepting MFA. Phishing and Adversary in The Middle attacks ∗∗∗
---------------------------------------------
In this post I’ll show you at a high level how attackers carry out such an attack. The main focus here is to understand what artefacts we look for when investigating these types of attacks in a DFIR capacity. I’ll also cover the steps you can take to increase your security to try and stop your team falling foul of them.
---------------------------------------------
https://www.pentestpartners.com/security-blog/intercepting-mfa-phishing-and…
∗∗∗ MySQL 5.7 reached EOL. Upgrade to MySQL 8.x today ∗∗∗
---------------------------------------------
In October 2023, MySQL 5.7 reached its end of life. As such, it will no longer be supported and won’t receive security patches or bug fixes anymore.
---------------------------------------------
https://mattermost.com/blog/mysql-5-7-reached-eol-upgrade-to-mysql-8-x-toda…
∗∗∗ CISA Releases SCuBA Google Workspace Secure Configuration Baselines for Public Comment ∗∗∗
---------------------------------------------
Today, CISA released the draft Secure Cloud Business Applications (SCuBA) Google Workspace (GWS) Secure Configuration Baselines and the associated assessment tool ScubaGoggles for public comment. The draft baselines offer minimum viable security configurations for nine GWS services: Groups for Business, Google Calendar, Google Common Controls, Google Classroom, Google Meet, Gmail, Google Chat, Google Drive and Docs, and Google Sites.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/12/cisa-releases-scuba-goog…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch Tuesday: SAP addresses more than 15 vulnerabilities ∗∗∗
---------------------------------------------
On the December Patch Tuesday, SAP issued 15 new security notes. Some of them address critical vulnerabilities.
---------------------------------------------
https://www.heise.de/-9571722
∗∗∗ WordPress Elementor: Half-baked security patch endangered millions of websites ∗∗∗
---------------------------------------------
There are important security updates for the WordPress plug-ins Backup Migration and Elementor.
---------------------------------------------
https://www.heise.de/-9571957
∗∗∗ Security vulnerabilities: Apple patches also for older operating systems – except iOS 15 ∗∗∗
---------------------------------------------
Alongside iOS 17.2 and macOS 14.2, the vendor is also fixing some vulnerabilities in earlier versions. There is no update for older iPhones.
---------------------------------------------
https://www.heise.de/news/-9572049
∗∗∗ Xen Security Advisory CVE-2023-46837 / XSA-447 ∗∗∗
---------------------------------------------
A malicious guest may be able to read sensitive data from memory that previously belonged to another guest.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-447.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice and webkit2gtk), Fedora (java-1.8.0-openjdk and seamonkey), Oracle (apr, edk2, kernel, and squid:4), Red Hat (postgresql:12, tracker-miners, and webkit2gtk3), SUSE (curl, go1.20, go1.21, hplip, openvswitch, opera, squid, and xerces-c), and Ubuntu (binutils, ghostscript, libreoffice, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gke, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-nvidia, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-xilinx-zynqmp, postfixadmin, python3.11, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/954706/
∗∗∗ Beckhoff Security Advisory 2023-001: Open redirect in TwinCAT/BSD package “authelia-bhf” ∗∗∗
---------------------------------------------
https://download.beckhoff.com/download/document/product-security/Advisories…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Phoenix Contact: MULTIPROG Engineering tool and ProConOS eCLR SDK prone to CWE-732 ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-051/
∗∗∗ Phoenix Contact: ProConOS prone to Download of Code Without Integrity Check ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-054/
∗∗∗ Phoenix Contact: Automation Worx and classic line controllers prone to Incorrect Permission Assignment for Critical Resource ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-055/
∗∗∗ Phoenix Contact: PLCnext prone to Incorrect Permission Assignment for Critical Resource ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-056/
∗∗∗ Phoenix Contact: Classic line industrial controllers prone to inadequate integrity check of PLC ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-057/
∗∗∗ Phoenix Contact: PLCnext Control prone to download of code without integrity check ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-058/
∗∗∗ Schneider Electric Easy UPS Online Monitoring Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icaa-23-346-01
∗∗∗ F5: K000137871 : Linux kernel vulnerability CVE-2023-35001 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000137871
∗∗∗ SSA-999588 V1.0: Multiple Vulnerabilities in User Management Component (UMC) before V2.11.2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-999588.html
∗∗∗ SSA-892915 V1.0: Multiple Denial of Service Vulnerabilities in the Webserver of Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-892915.html
∗∗∗ SSA-887801 V1.0: Information Disclosure Vulnerability in SIMATIC STEP 7 (TIA Portal) ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-887801.html
∗∗∗ SSA-844582 V1.0: Electromagnetic Fault Injection in LOGO! V8.3 BM Devices Results in Broken LOGO! V8.3 Product CA ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-844582.html
∗∗∗ SSA-693975 V1.0: Denial-of-Service Vulnerability in the Web Server of Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-693975.html
∗∗∗ SSA-592380 V1.0: Denial of Service Vulnerability in SIMATIC S7-1500 CPUs and related products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-592380.html
∗∗∗ SSA-480095 V1.0: Vulnerabilities in the Web Interface of SICAM Q100 Devices before V2.60 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-480095.html
∗∗∗ SSA-398330 V1.0: Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-398330.html
∗∗∗ SSA-280603 V1.0: Denial of Service Vulnerability in SINUMERIK ONE and SINUMERIK MC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-280603.html
∗∗∗ SSA-180704 V1.0: Multiple Vulnerabilities in SCALANCE M-800/S615 Family before V8.0 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-180704.html
∗∗∗ SSA-118850 V1.0: Denial of Service Vulnerability in the OPC UA Implementation in SINUMERIK ONE and SINUMERIK MC ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-118850.html
∗∗∗ SSA-077170 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-077170.html
∗∗∗ SSA-068047 V1.0: Multiple Vulnerabilities in SCALANCE M-800/S615 Family before V7.2.2 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-068047.html
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-12-2023 18:00 − Monday 11-12-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ AutoSpill attack steals credentials from Android password managers ∗∗∗
---------------------------------------------
Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/autospill-attack-steals-cred…
∗∗∗ Over 30% of Log4J apps use a vulnerable version of the library ∗∗∗
---------------------------------------------
Roughly 38% of applications using the Apache Log4j library are using a version vulnerable to security issues, including Log4Shell, a critical vulnerability identified as CVE-2021-44228 that carries the maximum severity rating, despite patches being available for more than two years.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-30-percent-of-log4j-app…
∗∗∗ Security update: WordPress vulnerable under certain conditions ∗∗∗
---------------------------------------------
In the current WordPress version, the developers have closed a security vulnerability.
---------------------------------------------
https://www.heise.de/-9567923
∗∗∗ DoS vulnerabilities: Attackers can disconnect 714 smartphone models from the 5G network ∗∗∗
---------------------------------------------
Researchers have disclosed several vulnerabilities in common 5G modems. With them, attackers can deny 5G connectivity to many smartphone users.
---------------------------------------------
https://www.golem.de/news/dos-schwachstellen-angreifer-koennen-714-smartpho…
∗∗∗ 40 New Domains of Magecart Veteran ATMZOW Found in Google Tag Manager ∗∗∗
---------------------------------------------
In today’s post, we’ll take a look at some recent Google Tag Manager containers used in ecommerce malware, examine some newer forms of obfuscation techniques used in the malicious code, and track the evolution of the ATMZOW skimmer linked to widespread Magento website infections since 2015.
---------------------------------------------
https://blog.sucuri.net/2023/12/40-new-domains-of-magecart-veteran-atmzow-f…
∗∗∗ Bluetooth vulnerability allows injection of keystrokes ∗∗∗
---------------------------------------------
A security vulnerability in Bluetooth stacks allows attackers to smuggle in keystrokes, on Android, iOS, Linux and macOS.
---------------------------------------------
https://www.heise.de/-9570583
∗∗∗ Warning, fake shop: fressnapfs.shop ∗∗∗
---------------------------------------------
Criminals are running ads on Facebook and Instagram for a fraudulent Fressnapf online shop. The fake online shop looks deceptively similar to the real one. The web address "fressnapfs.shop" also seems plausible. If you order from the fake shop, you lose your money and receive no delivery!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-fake-shop-fressnapfsshop/
∗∗∗ To tap or not to tap: Are NFC payments safer? ∗∗∗
---------------------------------------------
Contactless payments are quickly becoming ubiquitous – but are they more secure than traditional payment methods?
---------------------------------------------
https://www.welivesecurity.com/en/cybersecurity/to-tap-or-not-to-tap-are-nf…
∗∗∗ Kaspersky discovers "highly complex" proxy trojan for macOS ∗∗∗
---------------------------------------------
The malware is distributed via pirated software. Variants for Android and Windows are apparently also in circulation.
---------------------------------------------
https://www.zdnet.de/88413363/kaspersky-entdeckt-hochkomplexen-proxy-trojan…
∗∗∗ Risk of Active Directory misconfigurations; Forest Druid for analysis ∗∗∗
---------------------------------------------
Misconfigurations and default settings of Active Directory can endanger the IT security of companies. Bastien Bossiroy of NVISO Labs has given this topic some thought and already published a post at the end of October 2023 on the most common Active Directory misconfigurations/default configurations that endanger companies. In addition, I recently came across a reference to "Forest Druid", a free attack-path-management tool from Semperis.
---------------------------------------------
https://www.borncity.com/blog/2023/12/09/risiko-active-directory-die-hufigs…
∗∗∗ Operation Blacksmith: Lazarus targets organizations worldwide using novel Telegram-based malware written in DLang ∗∗∗
---------------------------------------------
Operation Blacksmith involved the exploitation of CVE-2021-44228, also known as Log4Shell, and the use of a previously unknown DLang-based RAT utilizing Telegram as its C2 channel. We’re naming this malware family “NineRAT.” NineRAT was initially built around May 2022 and was first used in this campaign as early as March 2023, almost a year later, against a South American agricultural organization. We then saw NineRAT being used again around September 2023 against a European manufacturing entity.
---------------------------------------------
https://blog.talosintelligence.com/lazarus_new_rats_dlang_and_telegram/
∗∗∗ 2023 Review: Reflecting on Cybersecurity Trends ∗∗∗
---------------------------------------------
With the season of ubiquitous year-ahead predictions around the corner, Trend Micro’s Greg Young and William Malik decided to look back at 2023 and see which forecasted cybersecurity trends came to pass and which, um, didn’t.
---------------------------------------------
https://www.trendmicro.com/en_us/ciso/23/l/2023-review-reflecting-on-cybers…
∗∗∗ Analyzing AsyncRAT's Code Injection into aspnet_compiler.exe Across Multiple Incident Response Cases ∗∗∗
---------------------------------------------
This blog entry delves into MxDR's unraveling of the AsyncRAT infection chain across multiple cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/l/analyzing-asyncrat-code-inje…
=====================
= Vulnerabilities =
=====================
∗∗∗ Resolved RCE in Sophos Firewall (CVE-2022-3236) ∗∗∗
---------------------------------------------
The vulnerability was originally fixed in September 2022. In December 2023, we delivered an updated fix after identifying new exploit attempts against this same vulnerability in older, unsupported versions of the Sophos Firewall. No action is required if organizations have upgraded their firewalls to a supported firmware version after September 2022.
---------------------------------------------
https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
∗∗∗ Security vulnerabilities: Attackers can push malicious code onto Qnap NAS ∗∗∗
---------------------------------------------
Network storage devices from Qnap are vulnerable. The developers have fixed the security problems in current versions.
---------------------------------------------
https://www.heise.de/-9570375
∗∗∗ New RCE vulnerability in Apache Struts 2 fixed, upgrade ASAP (CVE-2023-50164) ∗∗∗
---------------------------------------------
The Apache Struts project has released updates for the popular open-source web application framework, with fixes for a critical vulnerability that could lead to remote code execution (CVE-2023-50164).
---------------------------------------------
https://www.helpnetsecurity.com/2023/12/08/cve-2023-50164/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium), Mageia (firefox, thunderbird, and vim), SUSE (kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container), and Ubuntu (freerdp2, glibc, and tinyxml).
---------------------------------------------
https://lwn.net/Articles/954092/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (bluez, chromium, and curl), Red Hat (apr), Slackware (libxml2), and Ubuntu (squid3 and tar).
---------------------------------------------
https://lwn.net/Articles/954449/
∗∗∗ Edge 120.0.2210.61 with security fixes and new telemetry feature ∗∗∗
---------------------------------------------
Microsoft released Edge 120.0.2210.61 in the Stable channel on 7 December 2023. This version closes three vulnerabilities (plus Chromium security holes). The new Edge also comes with new policies.
---------------------------------------------
https://www.borncity.com/blog/2023/12/08/edge-120-0-2210-61-mit-sicherheits…
∗∗∗ GarageBand 10.4.9 ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT214042
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Frauscher: FDS102 for FAdC/FAdCi remote code execution vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-049/
∗∗∗ Local Privilege Escalation via MSI installer in PDF24 Creator (geek Software GmbH) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-privilege-escal…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-12-2023 18:00 − Thursday 07-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ CISA and International Partners Release Advisory on [..] Star Blizzard ∗∗∗
---------------------------------------------
The joint CSA aims to raise awareness of the specific tactics, techniques, and delivery methods [..] Known Star Blizzard techniques include: Impersonating known contacts' email accounts, Creating fake social media profiles, Using webmail addresses from providers such as Outlook, Gmail and others, and Creating malicious domains that resemble legitimate organizations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-and-international-p…
∗∗∗ CISA, NSA, FBI and International Cybersecurity Authorities Publish Guide on The Case for Memory Safe Roadmaps ∗∗∗
---------------------------------------------
The guide strongly encourages executives of software manufacturers to prioritize using memory safe programming languages, write and publish memory safe roadmaps and implement changes to eliminate this class of vulnerability and protect their customers. Software developers and support staff should develop the roadmap, which should detail how the manufacturer will modify their software development life cycle (SDLC) to dramatically reduce and eventually eliminate memory unsafe code in their products. This guidance also provides a clear outline of elements that a memory safe roadmap should include.
---------------------------------------------
https://www.cisa.gov/news-events/news/cisa-nsa-fbi-and-international-cybers…
=====================
= Vulnerabilities =
=====================
∗∗∗ PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2 ∗∗∗
---------------------------------------------
WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site. We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present.
---------------------------------------------
https://www.wordfence.com/blog/2023/12/psa-critical-pop-chain-allowing-remo…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tzdata), Fedora (gmailctl), Oracle (kernel), Red Hat (linux-firmware, postgresql:12, postgresql:13, and squid:4), SUSE (cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, frr, libtorrent-rasterbar, qbittorrent, openssl-3, openvswitch, openvswitch3, and suse-build-key), and Ubuntu (bluez, curl, linux, linux-aws, linux-azure, linux-laptop, linux-lowlatency, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux-gcp, open-vm-tools, postgresql-12, postgresql-14, postgresql-15, and python-cryptography).
---------------------------------------------
https://lwn.net/Articles/953977/
∗∗∗ Critical security vulnerabilities in several Atlassian products - patches available ∗∗∗
---------------------------------------------
Several versions of products from the company Atlassian contain critical security vulnerabilities. Exploitation of the vulnerabilities allows attackers to completely take over vulnerable systems and to access all data stored on them. CVE number(s): CVE-2023-22522, CVE-2022-1471 CVSS Base Score: 9.0 and 9.8 respectively
---------------------------------------------
https://cert.at/de/warnungen/2023/12/kritische-sicherheitslucken-in-mehrere…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-23-341-01 Mitsubishi Electric FA Engineering Software Products,
ICSA-23-341-02 Schweitzer Engineering Laboratories SEL-411L,
ICSA-23-341-03 Johnson Controls Metasys and Facility Explorer,
ICSA-23-341-05 ControlbyWeb Relay,
ICSA-23-341-06 Sierra Wireless AirLink with ALEOS firmware
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/07/cisa-releases-five-indus…
∗∗∗ BIOS Image Parsing Function Vulnerabilities (LogoFAIL) ∗∗∗
---------------------------------------------
Vulnerabilities were reported in the image parsing libraries in AMI, Insyde and Phoenix BIOS which are used to parse personalized boot logos that are loaded from the EFI System Partition that could allow a local attacker with elevated privileges to trigger a denial of service or arbitrary code execution. [..] Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
---------------------------------------------
http://support.lenovo.com/product_security/PS500590-BIOS-IMAGE-PARSING-FUNC…
∗∗∗ Drupal: Group - Less critical - Access bypass - SA-CONTRIB-2023-054 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-054
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-12-2023 18:00 − Wednesday 06-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Deceptive security: attackers can fake iOS Lockdown Mode ∗∗∗
---------------------------------------------
iOS Lockdown Mode is meant to protect iPhone owners from cyberattacks. Researchers have shown how the feature can be faked.
---------------------------------------------
https://www.golem.de/news/truegerische-sicherheit-angreifer-koennen-lockdow…
∗∗∗ Whose packet is it anyway: a new RFC for attribution of internet probes, (Wed, Dec 6th) ∗∗∗
---------------------------------------------
So far, security analysts and administrators have had to rely mostly on WHOIS, RDAP, reverse DNS lookups and third-party data (e.g., data from ISC/DShield) in order to gain some idea of who might be behind a specific scan and whether it was malicious or not. However, authors of the aforementioned RFC came up with several ideas of how originators of “internet probes” might simplify their own identification.
---------------------------------------------
https://isc.sans.edu/diary/rss/30456
∗∗∗ Qualcomm Releases Details on Chip Vulnerabilities Exploited in Targeted Attacks ∗∗∗
---------------------------------------------
Chipmaker Qualcomm has released more information about three high-severity security flaws that it said came under "limited, targeted exploitation" back in October 2023.
---------------------------------------------
https://thehackernews.com/2023/12/qualcomm-releases-details-on-chip.html
∗∗∗ Alert: Threat Actors Can Leverage AWS STS to Infiltrate Cloud Accounts ∗∗∗
---------------------------------------------
Threat actors can take advantage of Amazon Web Services Security Token Service (AWS STS) as a way to infiltrate cloud accounts and conduct follow-on attacks. The service enables threat actors to impersonate user identities and roles in cloud environments, Red Canary researchers Thomas Gardner and Cody Betsworth said in a Tuesday analysis.
---------------------------------------------
https://thehackernews.com/2023/12/alert-threat-actors-can-leverage-aws.html
∗∗∗ Blind CSS Exfiltration: exfiltrate unknown web pages ∗∗∗
---------------------------------------------
Why would we want to do blind CSS exfiltration? Imagine you've got a blind HTML injection vulnerability but you can't get XSS because of the site's CSP, or perhaps the site has a server-side or DOM-based filter such as DOMPurify. JavaScript is off the table but they allow styles because they're just styles, right? What possible damage can you do with just CSS?
---------------------------------------------
https://portswigger.net/research/blind-css-exfiltration
∗∗∗ SLAM: New Spectre variant endangers future CPU generations ∗∗∗
---------------------------------------------
Researchers trick the memory management of upcoming CPU generations in order to read supposedly protected data from RAM.
---------------------------------------------
https://www.heise.de/-9549625
∗∗∗ Windows 10: Security updates after end of support ∗∗∗
---------------------------------------------
Anyone who wants to run Windows 10 beyond 2025 must either move to the Microsoft 365 cloud or pay for patches.
---------------------------------------------
https://www.heise.de/-9566262
∗∗∗ Beware of fraud: invoice from the "Registergericht" (register court) ∗∗∗
---------------------------------------------
A fraud campaign is apparently running again in which letters with fake invoices from an alleged "Registergericht" (register court) are sent to companies.
---------------------------------------------
https://www.borncity.com/blog/2023/12/06/achtung-betrug-rechnung-vom-regist…
∗∗∗ CVE-2023-49105, WebDAV Api Authentication Bypass in ownCloud ∗∗∗
---------------------------------------------
While the 10/10 CVE-2023-49103 got all the attention last week, organizations should not quickly overlook CVE-2023-49105! CVE-2023-49105 is an authentication bypass issue affecting ownCloud from version 10.6.0 to version 10.13.0. It allows an attacker to access, modify, or delete any file without authentication if the username is known. Even if the user has no signing key configured, ownCloud accepts pre-signed URLs, enabling the attacker to generate URLs for arbitrary file operations.
---------------------------------------------
https://www.greynoise.io/blog/cve-2023-49105-webdav-api-authentication-bypa…
=====================
= Vulnerabilities =
=====================
∗∗∗ "Sierra:21" vulnerabilities impact critical infrastructure routers ∗∗∗
---------------------------------------------
A set of 21 newly discovered vulnerabilities impact Sierra OT/IoT routers and threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks. [..] AirLink routers are highly regarded in the field of industrial and mission-critical applications due to high-performance 3G/4G/5G and WiFi and multi-network connectivity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/sierra-21-vulnerabilities-im…
∗∗∗ Code injection in Atlassian products: four critical vulnerabilities surfaced ∗∗∗
---------------------------------------------
Admins of Confluence, Jira and Bitbucket cannot escape the patching treadmill: once again Atlassian has released urgent updates for its most important products.
---------------------------------------------
https://www.heise.de/-9565780
∗∗∗ Kiosk Escape Privilege Escalation in One Identity Password Manager Secure Password Extension ∗∗∗
---------------------------------------------
The Password Manager Extension from One Identity can be used to perform two different kiosk escapes on the lock screen of a Windows client. These two escapes allow an attacker to execute commands with the highest permissions of a user with the SYSTEM role.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/kiosk-escape-privilege-e…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, clevis-pin-tpm2, firefox, keyring-ima-signer, libkrun, perl, perl-PAR-Packer, polymake, poppler, rust-bodhi-cli, rust-coreos-installer, rust-fedora-update-feedback, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sequoia-wot, rust-sevctl, rust-snphost, and rust-tealdeer), Mageia (samba), Red Hat (postgresql:12), SUSE (haproxy and kernel-firmware), and Ubuntu (haproxy, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-lowlatency, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-oem-6.1, and redis).
---------------------------------------------
https://lwn.net/Articles/953861/
∗∗∗ Command Injection via the CLI of the DrayTek Vigor167 (SYSS-2023-023) ∗∗∗
---------------------------------------------
The command-line interface (CLI) of the DrayTek Vigor167 with modem firmware 5.2.2 allows authenticated attackers to execute arbitrary code on the modem. Users with access to the web interface but without any permissions also have access to the CLI and can take over the modem through it.
---------------------------------------------
https://www.syss.de/pentest-blog/command-injection-via-cli-des-draytek-vigo…
∗∗∗ Security Advisory - Identity Bypass Vulnerability in Some Huawei Smart Screen Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-ibvishssp…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-12-2023 18:00 − Tuesday 05-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Unpatched Loytec Building Automation Flaws Disclosed 2 Years After Discovery ∗∗∗
---------------------------------------------
Industrial cybersecurity firm TXOne Networks has disclosed the details of 10 unpatched vulnerabilities discovered by its researchers in building automation products made by Austrian company Loytec more than two years ago.
---------------------------------------------
https://www.securityweek.com/unpatched-loytec-building-automation-flaws-dis…
∗∗∗ BlueNoroff: new Trojan attacking macOS users ∗∗∗
---------------------------------------------
BlueNoroff has been attacking macOS users with a new loader that delivers unknown malware to the system.
---------------------------------------------
https://securelist.com/bluenoroff-new-macos-malware/111290/
∗∗∗ Zarya Hacktivists: More than just Sharepoint, (Mon, Dec 4th) ∗∗∗
---------------------------------------------
Zarya isn't exactly the type of threat you should be afraid of, but it is sad how these groups can still be effective due to organizations exposing unpatched or badly configured systems to the internet. Most of the attacks sent by Zarya will not succeed even if they hit a vulnerable system. For some added protection, you may consider blocking some of the Aeza network's traffic after ensuring that this network hosts no critical resources you need. Aeza uses ASN 210644.
---------------------------------------------
https://isc.sans.edu/diary/rss/30450
∗∗∗ Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack ∗∗∗
---------------------------------------------
A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not, and carry out covert attacks.
---------------------------------------------
https://thehackernews.com/2023/12/warning-for-iphone-users-experts-warn.html
∗∗∗ Vulnerability in iOS 16 allegedly allows easier data extraction ∗∗∗
---------------------------------------------
In Moscow, two forensics companies are in a dispute over stolen program code. That code, however, reveals a possible new vulnerability in the iPhone operating system.
---------------------------------------------
https://www.heise.de/-9548725
∗∗∗ OSINT. What can you find from a domain or company name ∗∗∗
---------------------------------------------
To help OPSEC people I thought it might be useful to go over some of the key things that can be found using domain and company names.
---------------------------------------------
https://www.pentestpartners.com/security-blog/osint-what-can-you-find-from-…
∗∗∗ Many complaints about luckyluna.de ∗∗∗
---------------------------------------------
luckyluna.de offers hand-drawn pet portraits. You upload a photo of your pet, it is drawn, and you receive the picture either digitally or on canvas, or so the promise goes. Angry customers complain, however, that the pictures are not hand-drawn at all; instead, the "hand-made portraits" are simply produced with an image-editing program.
---------------------------------------------
https://www.watchlist-internet.at/news/viele-beschwerden-zu-luckylunade/
∗∗∗ Threat Actors Exploit Adobe ColdFusion CVE-2023-26360 for Initial Access to Government Servers ∗∗∗
---------------------------------------------
This CSA provides network defenders with tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and methods to detect and protect against similar exploitation.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-339a
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Patchday: Android 11, 12, 13 and 14 vulnerable to malicious code attacks ∗∗∗
---------------------------------------------
Attackers can target Android smartphones and tablets from various manufacturers. Security updates are available for some devices.
---------------------------------------------
https://www.heise.de/-9548839
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (roundcube), Fedora (java-latest-openjdk), Mageia (libqb), SUSE (python-Django1), and Ubuntu (request-tracker4).
---------------------------------------------
https://lwn.net/Articles/953783/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0011 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE identifiers: CVE-2023-42916, CVE-2023-42917.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0011.html
∗∗∗ Security updates for Ivanti Connect Secure and Ivanti Policy Secure ∗∗∗
---------------------------------------------
We are reporting the Ivanti Connect Secure issues as CVE-2023-39340, CVE-2023-41719 and CVE-2023-41720, and Ivanti Policy Secure issue as CVE-2023-39339. We encourage customers to download the latest releases of ICS and IPS to remediate the issues.
---------------------------------------------
https://www.ivanti.com/blog/security-updates-for-ivanti-connect-secure-and-…
∗∗∗ SonicWall SSL-VPN SMA100 Version 10.x Is Affected By Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018
∗∗∗ Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Packet Validation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Wago: Vulnerabilities in IEC61850 Server / Telecontrol ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-044/
∗∗∗ Wago: Vulnerability in Smart Designer Web-Application ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-045/
∗∗∗ CODESYS: Multiple products affected by WIBU Codemeter vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-035/
∗∗∗ CODESYS: OS Command Injection Vulnerability in multiple CODESYS Control products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-066/
∗∗∗ Pilz: WIBU Vulnerability in multiple Products (Update A) ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-033/
∗∗∗ Pilz: Electron Vulnerabilities in PASvisu and PMI v8xx ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-059/
∗∗∗ Pilz: Multiple products prone to libwebp vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-048/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-339-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 01-12-2023 18:00 − Monday 04-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ LogoFAIL: UEFI Vulnerabilities Expose Devices to Stealth Malware Attacks ∗∗∗
---------------------------------------------
The Unified Extensible Firmware Interface (UEFI) code from various independent firmware/BIOS vendors (IBVs) has been found vulnerable to potential attacks through high-impact flaws in image parsing libraries embedded into the firmware.
---------------------------------------------
https://thehackernews.com/2023/12/logofail-uefi-vulnerabilities-expose.html
∗∗∗ New P2PInfect Botnet MIPS Variant Targeting Routers and IoT Devices ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new variant of an emerging botnet called P2PInfect that's capable of targeting routers and IoT devices.
---------------------------------------------
https://thehackernews.com/2023/12/new-p2pinfect-botnet-mips-variant.html
∗∗∗ Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs ∗∗∗
---------------------------------------------
Today, CISA, the FBI, NSA, EPA, and INCD released a joint Cybersecurity Advisory (CSA), "IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors", in response to the active exploitation of Unitronics programmable logic controllers (PLCs) in multiple sectors.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/12/01/cisa-and-partners-releas…
∗∗∗ Phishing attacks: fraudsters abuse hotel booking platform booking.com ∗∗∗
---------------------------------------------
Using malware specialized in data theft, cybercriminals first attacked hotel staff and then sent fraudulent emails via Booking.
---------------------------------------------
https://www.heise.de/-9547507
∗∗∗ Update your iPhones! Apple fixes two zero-days in iOS ∗∗∗
---------------------------------------------
Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/12/update-your-iphones-apple-fi…
∗∗∗ PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE.
---------------------------------------------
https://www.wordfence.com/blog/2023/12/psa-fake-cve-2023-45124-phishing-sca…
∗∗∗ Beware of fake Microsoft security warnings ∗∗∗
---------------------------------------------
While browsing the internet, a security warning suddenly pops up: "For security reasons, the device has been blocked. Call Windows Support". In addition, a computer voice is played telling you that your credit card and Facebook data as well as personal data are being passed on to hackers. You are supposed to call a number for technical support.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschter-microsoft-…
∗∗∗ Zyxel warns of critical vulnerabilities in NAS devices ∗∗∗
---------------------------------------------
Does anyone run a Zyxel NAS in their environment? The Taiwanese manufacturer has just warned of several vulnerabilities in the firmware of these devices. Three critical vulnerabilities allow an unauthenticated attacker to execute operating system commands on vulnerable NAS (network-attached storage) devices.
---------------------------------------------
https://www.borncity.com/blog/2023/12/02/zyxel-warnt-vor-kritischen-sicherh…
=====================
= Vulnerabilities =
=====================
∗∗∗ SQUID-2023:7 Denial of Service in HTTP Message Processing ∗∗∗
---------------------------------------------
Due to a Buffer Overread bug, Squid is vulnerable to a Denial of Service attack against Squid HTTP Message processing. [..] This problem allows a remote attacker to perform a Denial of Service attack by sending easily crafted HTTP Messages.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-8w9r-p88v-mmx9
∗∗∗ SQUID-2023:8 Denial of Service in Helper Process management ∗∗∗
---------------------------------------------
Due to an Incorrect Check of Function Return Value bug, Squid is vulnerable to a Denial of Service attack against its Helper process management. [..] This problem allows a trusted client or remote server to perform a Denial of Service attack when the Squid proxy is under load.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-xggx-9329-3c27
∗∗∗ SQUID-2023:9 Denial of Service in HTTP Collapsed Forwarding ∗∗∗
---------------------------------------------
Due to a Use-After-Free bug, Squid is vulnerable to a Denial of Service attack against collapsed forwarding. [..] This problem allows a remote client to perform a Denial of Service attack on demand when Squid is configured with collapsed forwarding.
---------------------------------------------
https://github.com/squid-cache/squid/security/advisories/GHSA-rj5h-46j6-q2g5
∗∗∗ GitLab Security Release: 16.6.1, 16.5.3, 16.4.3 ∗∗∗
---------------------------------------------
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. CVE IDs: CVE-2023-6033, CVE-2023-6396, CVE-2023-3949, CVE-2023-5226, CVE-2023-5995, CVE-2023-4912, CVE-2023-4317, CVE-2023-3964, CVE-2023-4658, CVE-2023-3443
---------------------------------------------
https://about.gitlab.com/releases/2023/11/30/security-release-gitlab-16-6-1…
∗∗∗ Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call ∗∗∗
---------------------------------------------
Sonos Era 100 is a smart speaker released in 2023. A vulnerability exists in the U-Boot component of the firmware which would allow for persistent arbitrary code execution with Linux kernel privileges. This vulnerability could be exploited either by an attacker with physical access to the device, or by obtaining write access to the flash memory through a separate runtime vulnerability. [..] Sonos states that an update was released on 2023-11-15 which remediated the issue.
---------------------------------------------
https://research.nccgroup.com/2023/12/04/technical-advisory-sonos-era-100-s…
∗∗∗ Update ASAP! Critical Unauthenticated Arbitrary File Upload in MW WP Form Allows Malicious Code Execution ∗∗∗
---------------------------------------------
In this blog post, we detailed an Arbitrary File Upload vulnerability within the MW WP Form plugin affecting versions 5.0.1 and earlier. This vulnerability allows unauthenticated threat actors to upload arbitrary files, including PHP backdoors, and execute those files on the server. The vulnerability has been fully addressed in version 5.0.2 of the plugin. [..] CVE ID: CVE-2023-6316 / CVSS Score: 9.8 (Critical)
---------------------------------------------
https://www.wordfence.com/blog/2023/12/update-asap-critical-unauthenticated…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amanda, ncurses, nghttp2, opendkim, rabbitmq-server, and roundcube), Fedora (golang-github-openprinting-ipp-usb, kernel, kernel-headers, kernel-tools, and samba), Mageia (audiofile, galera, libvpx, and virtualbox), Oracle (kernel and postgresql:13), SUSE (openssl-3, optipng, and python-Pillow), and Ubuntu (firefox).
---------------------------------------------
https://lwn.net/Articles/953702/
∗∗∗ Ruckus Access Point vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN45891816/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 30-11-2023 18:00 − Friday 01-12-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ IT threat evolution Q3 2023 ∗∗∗
---------------------------------------------
Non-mobile statistics & Mobile statistics
---------------------------------------------
https://securelist.com/it-threat-evolution-q3-2023/111171/
∗∗∗ Skimming Credit Cards with WebSockets ∗∗∗
---------------------------------------------
In this post we’ll review what web sockets are, why they are beneficial to attackers to use in skimming attacks, and an analysis of several different web socket credit card skimmers that we’ve identified on compromised ecommerce websites.
---------------------------------------------
https://blog.sucuri.net/2023/11/skimming-credit-cards-with-websockets.html
∗∗∗ Cyber Resilience Act: EU agrees on rules for connected products ∗∗∗
---------------------------------------------
In the EU, vendors will in future have to provide security updates for a longer period, as a rule for five years.
---------------------------------------------
https://www.heise.de/-9545873
∗∗∗ Opening Critical Infrastructure: The Current State of Open RAN Security ∗∗∗
---------------------------------------------
The Open Radio Access Network (ORAN) architecture provides standardized interfaces and protocols to previously closed systems. However, our research on ORAN demonstrates the potential threat posed by malicious xApps that are capable of compromising the entire RAN Intelligent Controller (RIC) subsystem.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/l/the-current-state-of-open-ra…
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple security updates and Rapid Security Responses ∗∗∗
---------------------------------------------
WebKit: CVE-2023-42916, CVE-2023-42917. Updates: Safari 17.1.2; iOS 17.1.2 and iPadOS 17.1.2; macOS Sonoma 14.1.2.
---------------------------------------------
https://support.apple.com/en-us/HT201222
∗∗∗ Multiple Vulnerabilities in Autodesk Desktop Licensing Service ∗∗∗
---------------------------------------------
Autodesk Desktop Licensing Service has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities could lead to code execution due to weak permissions. Autodesk Desktop Licensing Installer, libcurl: CVE-2023-38039, CVE-2023-28321, CVE-2023-38545
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0023
∗∗∗ VMware Cloud Director 10.5 GA Workaround for CVE-2023-34060 ∗∗∗
---------------------------------------------
VMware released VMware Cloud Director 10.5.1 on November 30th 2023. This version includes a fix for the authentication bypass vulnerability documented in VMSA-2023-0026.
---------------------------------------------
https://kb.vmware.com/s/article/95534
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, gimp-dds, horizon, libde265, thunderbird, vlc, and zbar), Fedora (java-17-openjdk and xen), Mageia (optipng, roundcubemail, and xrdp), Red Hat (postgresql), Slackware (samba), SUSE (chromium, containerd, docker, runc, libqt4, opera, python-django-grappelli, sqlite3, and traceroute), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-4.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, and linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-gcp-6.2).
---------------------------------------------
https://lwn.net/Articles/953512/
∗∗∗ Mattermost security updates 9.2.3 / 9.1.4 / 9.0.5 / 8.1.7 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.3, 9.1.4, 9.0.5, and 8.1.7 (Extended Support Release), for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-2-3-9-1-4-9-0-5-8…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/