=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-05-2023 18:00 − Wednesday 31-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Zero-day vulnerability: Hole in Barracuda's ESG already exploited for 7 months ∗∗∗
---------------------------------------------
Last week Barracuda patched a zero-day vulnerability in its ESG appliances. Investigations show that it had already been exploited since October.
---------------------------------------------
https://heise.de/-9083222
∗∗∗ Android spyware SpinOk reaches more than 421 million installations ∗∗∗
---------------------------------------------
Doctor Web has found an Android software module with spyware functionality in apps on Google Play with more than 421 million downloads. Google has been informed.
---------------------------------------------
https://heise.de/-9069832
∗∗∗ Ransomware: A protection concept against attacks ∗∗∗
---------------------------------------------
Despite measures against cyber attacks and ransomware, many attacks succeed. The data ends up encrypted. A few points help ensure usable backups.
---------------------------------------------
https://heise.de/-9069092
∗∗∗ RomCom malware spread via Google Ads for ChatGPT, GIMP, more ∗∗∗
---------------------------------------------
A new campaign distributing the RomCom backdoor malware is impersonating the websites of well-known or fictional software, tricking users into downloading and launching malicious installers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/romcom-malware-spread-via-go…
∗∗∗ Mirai Variant Opens Tenda, Zyxel Gear to RCE, DDoS ∗∗∗
---------------------------------------------
Researchers have observed several cyberattacks leveraging a botnet called IZ1H9, which exploits vulnerabilities in exposed devices and servers running on Linux.
---------------------------------------------
https://www.darkreading.com/endpoint/mirai-variant-tenda-zyxel-rce-ddos
∗∗∗ Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor ∗∗∗
---------------------------------------------
Hidden code in hundreds of models of Gigabyte motherboards invisibly and insecurely downloads programs—a feature ripe for abuse, researchers say.
---------------------------------------------
https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/
∗∗∗ Netflix phishing messages currently particularly dangerous! ∗∗∗
---------------------------------------------
As of May 2023, Netflix has put a stop to account sharing (sharing a Netflix account with others), which has left many users without access or facing additional fees. At the same time, countless Netflix phishing emails are circulating; they have nothing to do with the new account-sharing rules, but the changes make them more likely to be taken for genuine. Caution: do not disclose any data here!
---------------------------------------------
https://www.watchlist-internet.at/news/netflix-phishing-nachrichten-aktuell…
∗∗∗ Investigating BlackSuit Ransomware’s Similarities to Royal ∗∗∗
---------------------------------------------
In this blog entry, we analyze BlackSuit ransomware and how it compares to Royal Ransomware.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/investigating-blacksuit-rans…
=====================
= Vulnerabilities =
=====================
∗∗∗ New macOS vulnerability, Migraine, could bypass System Integrity Protection ∗∗∗
---------------------------------------------
A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device. We shared these findings with Apple through Coordinated Vulnerability Disclosure (CVD) via Microsoft Security Vulnerability Research (MSVR). A fix for this vulnerability, now identified as CVE-2023-32369, was included in the security updates released by Apple on May 18, 2023.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/05/30/new-macos-vulnerab…
∗∗∗ Barracuda Email Security Gateway Appliance (ESG) Vulnerability ∗∗∗
---------------------------------------------
Barracuda Networks priorities throughout this incident have been transparency and to use this as an opportunity to strengthen our policies, practices, and technology to further protect against future attacks. Although our investigation is ongoing, the purpose of this document is to share preliminary findings, provide the known Indicators of Compromise (IOCs), and share YARA rules to aid our customers in their investigations, including with respect to their own environments.
---------------------------------------------
https://www.barracuda.com/company/legal/esg-vulnerability
∗∗∗ CVE-2023-34152: Shell Command Injection Bug Affecting ImageMagick ∗∗∗
---------------------------------------------
[...] recent findings have brought to light a trio of security vulnerabilities that could transform this useful tool into a potential weapon in the hands of malicious entities.
* CVE-2023-34151: Undefined behaviors of casting double to size_t in svg, mvg, and other coders
* CVE-2023-34152: RCE (shell command injection) vulnerability
* CVE-2023-34153: Shell command injection vulnerability
---------------------------------------------
https://securityonline.info/cve-2023-34152-shell-command-injection-bug-affe…
∗∗∗ Web browser: Google Chrome 114 closes 16 vulnerabilities and improves security ∗∗∗
---------------------------------------------
In addition to the usual closed security vulnerabilities, 16 in number, Google Chrome 114 also delivers some new or improved security features.
---------------------------------------------
https://heise.de/-9069705
∗∗∗ Forced update: WordPress websites can be manipulated via Jetpack vulnerability ∗∗∗
---------------------------------------------
The Jetpack developers have released 102 bug-fixed versions of their WordPress plug-in.
---------------------------------------------
https://heise.de/-9069974
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (connman and kamailio), Fedora (texlive-base), Mageia (cups-filters, postgresql, qtbase5, tcpreplay, tomcat, and vim), Slackware (openssl), SUSE (amazon-ssm-agent, cni, cni-plugins, compat-openssl098, installation-images, libaom, openssl, openssl-1_0_0, openssl-1_1, terraform, terraform-provider-helm, tiff, tomcat, and wireshark), and Ubuntu (batik, flask, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-oracle, linux-oracle-5.4, mozjs102, nanopb, openssl, openssl1.0, snapd, and texlive-bin).
---------------------------------------------
https://lwn.net/Articles/933360/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0004 ∗∗∗
---------------------------------------------
Date Reported: May 30, 2023
Advisory ID: WSA-2023-0004
CVE identifiers: CVE-2023-28204, CVE-2023-32373.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0004.html
∗∗∗ Possible damage of secure element in Bosch IP cameras ∗∗∗
---------------------------------------------
BOSCH-SA-435698-BT: Due to an error in the software interface to the secure element chip on the cameras, the chip can be **permanently damaged** leading to an unusable camera when enabling the Stream security option (signing of the video stream) on Bosch CPP13 and CPP14 cameras. The default setting for this option is "off".
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-435698-bt.html
∗∗∗ DataSpider Servista uses a hard-coded cryptographic key ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN38222042/
∗∗∗ [20230501] - Core - Open Redirects and XSS within the mfa selection ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/899-20230501-core-open-red…
∗∗∗ [20230502] - Core - Bruteforce prevention within the mfa screen ∗∗∗
---------------------------------------------
https://developer.joomla.org:443/security-centre/900-20230502-core-brutefor…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-05-2023 18:00 − Tuesday 30-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ QBot malware abuses Windows WordPad EXE to infect devices ∗∗∗
---------------------------------------------
The QBot malware operation has started to abuse a DLL hijacking flaw in the Windows 10 WordPad program to infect computers, using the legitimate program to evade detection by security software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/qbot-malware-abuses-windows-…
∗∗∗ Hot Pixels attack checks CPU temp, power changes to steal data ∗∗∗
---------------------------------------------
A team of researchers at Georgia Tech, the University of Michigan, and Ruhr University Bochum has developed a novel attack called "Hot Pixels," which can retrieve pixels from the content displayed in the target's browser and infer the navigation history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hot-pixels-attack-checks-cpu…
∗∗∗ Android apps with spyware installed 421 million times from Google Play ∗∗∗
---------------------------------------------
A new Android malware distributed as an advertisement SDK has been discovered in multiple apps, many previously on Google Play and collectively downloaded over 400 million times.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/android-apps-with-spyware-in…
∗∗∗ Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files, (Mon, May 29th) ∗∗∗
---------------------------------------------
I was asked how to analyze Office Documents that are embedded inside PPT files. PPT is the "standard" binary format for PowerPoint; it's an olefile. You can analyze it with oledump.py
---------------------------------------------
https://isc.sans.edu/diary/rss/29894
∗∗∗ Malspam pushes ModiLoader (DBatLoader) infection for Remcos RAT, (Tue, May 30th) ∗∗∗
---------------------------------------------
Also known as DBatLoader, ModiLoader is malware that retrieves and runs payloads like Formbook, Warzone RAT, Remcos RAT, or other types of malware. Today's diary reviews a ModiLoader infection for Remcos RAT on Monday 2023-05-29.
---------------------------------------------
https://isc.sans.edu/diary/rss/29896
∗∗∗ Beware of the new phishing technique “file archiver in the browser” that exploits zip domains ∗∗∗
---------------------------------------------
“file archiver in the browser” is a new phishing technique that can be exploited by phishers when victims visit a .ZIP domain.
---------------------------------------------
https://securityaffairs.com/146828/cyber-crime/file-archiver-in-the-browser…
∗∗∗ Severe Flaw in Google Cloud's Cloud SQL Service Exposed Confidential Data ∗∗∗
---------------------------------------------
A new security flaw has been disclosed in the Google Cloud Platform's (GCP) Cloud SQL service that could be potentially exploited to obtain access to confidential data.
---------------------------------------------
https://thehackernews.com/2023/05/severe-flaw-in-google-clouds-cloud-sql.ht…
∗∗∗ Beware of fake service phone numbers when googling! ∗∗∗
---------------------------------------------
Finding a service phone number turns out to be a complicated undertaking on some websites. That is why it is often easier to search for contact details directly via the search engine rather than on the respective company websites. But beware: criminals mix fake pages and numbers in among the genuine contact details, and use them to steal your money and data. A current example is fake numbers for the airline Ryanair!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-service-telefonnum…
=====================
= Vulnerabilities =
=====================
∗∗∗ OpenSSL 3.0 Series Release Notes [30 May 2023] ∗∗∗
---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. ([CVE-2023-2650])
* Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms ([CVE-2023-1255])
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() ([CVE-2023-0466])
* Fixed handling of invalid certificate policies in leaf certificates ([CVE-2023-0465])
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
---------------------------------------------
https://www.openssl.org/news/openssl-3.0-notes.html
∗∗∗ OpenSSL 1.1.1 Series Release Notes [30th May 2023] ∗∗∗
---------------------------------------------
* Mitigate for very slow `OBJ_obj2txt()` performance with gigantic OBJECT IDENTIFIER sub-identities. (CVE-2023-2650)
* Fixed documentation of X509_VERIFY_PARAM_add0_policy() (CVE-2023-0466)
* Fixed handling of invalid certificate policies in leaf certificates (CVE-2023-0465)
* Limited the number of nodes created in a policy tree ([CVE-2023-0464])
---------------------------------------------
https://www.openssl.org/news/openssl-1.1.1-notes.html
∗∗∗ Vulnerability in Moxa MXsecurity Series endangers critical infrastructure ∗∗∗
---------------------------------------------
A critical vulnerability in the MXsecurity network monitoring solution puts industrial plants at risk.
---------------------------------------------
https://heise.de/-9068382
∗∗∗ Attackers could crash the network analysis tool Wireshark ∗∗∗
---------------------------------------------
In the current Wireshark version, the developers have resolved several security issues.
---------------------------------------------
https://heise.de/-9069031
∗∗∗ Collaboration suite Nextcloud: Some high-risk vulnerabilities closed ∗∗∗
---------------------------------------------
The collaboration software Nextcloud has security vulnerabilities, some of them high-risk. Updated software is available.
---------------------------------------------
https://heise.de/-9068654
∗∗∗ VMSA-2023-0011 ∗∗∗
---------------------------------------------
VMware Workspace ONE Access and VMware Identity Manager contain an insecure redirect vulnerability. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 6.1.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0011.html
∗∗∗ Many Vulnerabilities Found in PrinterLogic Enterprise Software ∗∗∗
---------------------------------------------
Vulnerabilities identified in PrinterLogic’s enterprise management printer solution could expose organizations to authentication bypass, SQL injection, cross-site scripting (XSS) and other types of attacks.
---------------------------------------------
https://www.securityweek.com/many-vulnerabilities-found-in-printerlogic-ent…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (docker-registry, gpac, libraw, libreoffice, rainloop, and sysstat), Fedora (bottles, c-ares, edk2, libssh, microcode_ctl, python-vkbasalt-cli, rust-buffered-reader, rust-nettle, rust-nettle-sys, rust-rpm-sequoia, rust-sequoia-keyring-linter, rust-sequoia-octopus-librnp, rust-sequoia-openpgp, rust-sequoia-policy-config, rust-sequoia-sop, rust-sequoia-sq, rust-sequoia-sqv, rust-sequoia-wot, and xen), SUSE (opera), and Ubuntu (Jhead, linuxptp, and sudo).
---------------------------------------------
https://lwn.net/Articles/933165/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libssh and sssd), Fedora (microcode_ctl and python3.6), Gentoo (cgal, firefox firefox-bin, openimageio, squashfs-tools, thunderbird thunderbird-bin, tiff, tomcat, webkit-gtk, and xorg-server xwayland), SUSE (c-ares and go1.18-openssl), and Ubuntu (Jhead, node-hawk, node-nth-check, and perl).
---------------------------------------------
https://lwn.net/Articles/933246/
∗∗∗ Advantech WebAccess/SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-150-01
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Starlette vulnerable to directory traversal ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN95981715/
∗∗∗ Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353) ∗∗∗
---------------------------------------------
https://research.nccgroup.com/2023/05/30/technical-advisory-multiple-vulner…
∗∗∗ Memory corruption vulnerability in Mitsubishi PLC could lead to DoS, code execution ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-in-mitsubishi-plc-could-le…
∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998795
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998811
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998813
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999091
∗∗∗ A vulnerability exists in the IBM® SDK, Java™ Technology Edition affecting IBM Tivoli Network Manager (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999115
∗∗∗ Vulnerability in Spring Framework affects IBM Process Mining [CVE-2023-20860] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999119
∗∗∗ Apache Commons Text vulnerability affects Netcool Operations Insight [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999133
∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center(CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999213
∗∗∗ A security vulnerability has been identified in IBM DB2 shipped with IBM Intelligent Operations Center (CVE-2023-29257, CVE-2023-29255, CVE-2023-27555, CVE-2023-26021, CVE-2023-25930, CVE-2023-26022, CV) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999215
∗∗∗ [All] Expat - CVE-2022-43680 (Publicly disclosed vulnerability) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999237
∗∗∗ Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to HTTP request splitting attacks (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999241
∗∗∗ IBM Copy Services Manager is vulnerable to crypto attack vulnerabilities due to IBM Java 8 vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6999269
∗∗∗ IBM Db2 Mirror for i is vulnerable to attacker obtaining sensitive information due to Java string processing in IBM Toolbox for Java (CVE-2022-43928) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981113
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-05-2023 18:00 − Friday 26-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft 365 phishing attacks use encrypted RPMSG messages ∗∗∗
---------------------------------------------
Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-365-phishing-attac…
∗∗∗ Dark Frost Botnet targets the gaming sector with powerful DDoS ∗∗∗
---------------------------------------------
Researchers from Akamai discovered a new botnet called Dark Frost that was employed in distributed denial-of-service (DDoS) attacks. The botnet borrows code from several popular bot families, including Mirai, Gafgyt, and Qbot.
---------------------------------------------
https://securityaffairs.com/146683/malware/dark-frost-botnet.html
∗∗∗ New COSMICENERGY Malware Exploits ICS Protocol to Sabotage Power Grids ∗∗∗
---------------------------------------------
A new strain of malicious software that's engineered to penetrate and disrupt critical systems in industrial environments has been unearthed. Google-owned threat intelligence firm Mandiant dubbed the malware COSMICENERGY, [...]
---------------------------------------------
https://thehackernews.com/2023/05/new-cosmicenergy-malware-exploits-ics.html
∗∗∗ Security vulnerabilities in health app: Data theft would have been possible ∗∗∗
---------------------------------------------
Vulnerabilities in health apps have exposed the poor state of digitalisation in healthcare. A "secure basic infrastructure" is said to be lacking.
---------------------------------------------
https://heise.de/-9064935
∗∗∗ Cold as Ice: Unit 42 Wireshark Quiz for IcedID ∗∗∗
---------------------------------------------
IcedID is a known vector for ransomware. Analyze infection traffic from this banking trojan in our latest Wireshark tutorial.
---------------------------------------------
https://unit42.paloaltonetworks.com/wireshark-quiz-icedid/
∗∗∗ Exploiting the Sonos One Speaker Three Different Ways: A Pwn2Own Toronto Highlight ∗∗∗
---------------------------------------------
During Pwn2Own Toronto 2022, three different teams successfully exploited the Sonos One Speaker. In total, $105,000 was awarded to the three teams, with the team of Toan Pham and Tri Dang from Qrious Secure winning $60,000 since their entry was first on the schedule.
---------------------------------------------
https://www.thezdi.com/blog/2023/5/24/exploiting-the-sonos-one-speaker-thre…
∗∗∗ What is a web shell? ∗∗∗
---------------------------------------------
What are web shells? And why are attackers increasingly using them in their campaigns? We break it down in this blog.
---------------------------------------------
https://blog.talosintelligence.com/what-is-a-web-shell/
∗∗∗ New Info Stealer Bandit Stealer Targets Browsers, Wallets ∗∗∗
---------------------------------------------
This is an analysis of Bandit Stealer, a new Go-based information-stealing malware capable of evading detection as it targets multiple browsers and cryptocurrency wallets.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/new-info-stealer-bandit-stea…
=====================
= Vulnerabilities =
=====================
∗∗∗ LibreOffice vulnerabilities: Risk of code smuggling via crafted documents ∗∗∗
---------------------------------------------
New LibreOffice versions plug security vulnerabilities, some of them high-risk. Attackers could inject malicious code using manipulated spreadsheets.
---------------------------------------------
https://heise.de/-9066277
∗∗∗ Critical vulnerabilities in network management software D-Link D-View 8 closed ∗∗∗
---------------------------------------------
D-Link apparently needed almost five months to develop a security patch for D-View 8, and it is still in beta.
---------------------------------------------
https://heise.de/-9066361
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (sniproxy), Fedora (c-ares), Oracle (apr-util, curl, emacs, git, go-toolset and golang, go-toolset:ol8, gssntlmssp, libreswan, mysql:8.0, thunderbird, and webkit2gtk3), Red Hat (go-toolset-1.19 and go-toolset-1.19-golang and go-toolset:rhel8), Slackware (ntfs), SUSE (rmt-server), and Ubuntu (linux-raspi, linux-raspi-5.4 and python-django).
---------------------------------------------
https://lwn.net/Articles/933071/
∗∗∗ K000134793 : OpenJDK vulnerability CVE-2018-2952 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134793
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a heap-based buffer overflow in Perl (CVE-2020-10543) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998419
∗∗∗ IBM MQ is affected by a vulnerability in the IBM Runtime Environment, Java Technology Edition (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998353
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998677
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998685
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998673
∗∗∗ IBM Sterling Connect:Direct Browser User Interface vulnerable to multiple issues due to IBM Runtime Environment Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998679
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998675
∗∗∗ IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998681
∗∗∗ Vulnerability in IBM Java (CVE-2022-21426) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998705
∗∗∗ Vulnerability in OpenSSL (CVE-2022-4304, CVE-2022-4450, CVE-2023-0215 and CVE-2023-0286 ) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998707
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998727
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998753
∗∗∗ AIX is vulnerable to security restrictions bypass due to curl (CVE-2022-32221) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998763
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-05-2023 18:00 − Thursday 25-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers target 1.5M WordPress sites with cookie consent plugin exploit ∗∗∗
---------------------------------------------
Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-15m-wordpress…
∗∗∗ A new OAuth vulnerability that may impact hundreds of online services ∗∗∗
---------------------------------------------
This post details issues identified in Expo, a popular framework used by many online services to implement OAuth (as well as other functionality). The vulnerability in the expo-auth-session library warranted a CVE assignment – CVE-2023-28131. Expo created a hotfix within the day that automatically provided mitigation, but Expo recommends that customers update their deployment to deprecate this service to fully remove the risk (see the Expo security advisory on the topic).
---------------------------------------------
https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundre…
∗∗∗ codeexplain.vim: A nvim plugin Powered by GPT4ALL for Real-time Code Explanation and Vulnerability Detection (no internet necessary) ∗∗∗
---------------------------------------------
codeexplain.nvim is a NeoVim plugin that uses the powerful GPT4ALL language model to provide on-the-fly, line-by-line explanations and potential security vulnerabilities for selected code directly in your NeoVim editor. It's like having your personal code assistant right inside your editor without leaking your codebase to any company.
---------------------------------------------
https://github.com/mthbernardes/codeexplain.nvim
∗∗∗ Google Authenticator: Device encryption promised but not delivered ∗∗∗
---------------------------------------------
Google has given the Authenticator a backup feature, which however does not encrypt the secrets. An update is supposed to change that. But it does not.
---------------------------------------------
https://heise.de/-9065547
∗∗∗ Buhti: New Ransomware Operation Relies on Repurposed Payloads ∗∗∗
---------------------------------------------
Attackers use rebranded variants of leaked LockBit and Babuk ransomware payloads but use their own custom exfiltration tool.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/buhti-ra…
∗∗∗ Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware ∗∗∗
---------------------------------------------
Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
---------------------------------------------
https://blog.talosintelligence.com/mercenary-intellexa-predator/
∗∗∗ Abusing Web Services Using Automated CAPTCHA-Breaking Services and Residential Proxies ∗∗∗
---------------------------------------------
This blog entry features three case studies that show how malicious actors evade the antispam, antibot, and antiabuse measures of online web services via residential proxies and CAPTCHA-breaking services.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/abusing-web-services-using-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Partly critical security vulnerabilities in Mitel MiVoice Connect ∗∗∗
---------------------------------------------
Mitel's MiVoice Connect and Connect Mobility Router contain security vulnerabilities, some of them critical. Updates that close them are available.
---------------------------------------------
https://heise.de/-9064992
∗∗∗ Critical security update (24 May 2023) for all Zyxel firewall products – attacks already under way ∗∗∗
---------------------------------------------
The Taiwanese vendor Zyxel has released a very critical security update for all of its security products. The advisory lists several buffer overflow vulnerabilities (CVE-2023-33009, CVE-2023-33010).
---------------------------------------------
https://www.borncity.com/blog/2023/05/25/kritisches-sicherheitsupdate-24-ma…
∗∗∗ Critical security vulnerability with maximum severity rating threatens GitLab ∗∗∗
---------------------------------------------
There is an important security update for the version control system GitLab. Developers should act now.
---------------------------------------------
https://heise.de/-9065150
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python2.7), Fedora (maradns), Red Hat (devtoolset-12-binutils, go-toolset and golang, httpd24-httpd, jenkins and jenkins-2-plugins, rh-ruby27-ruby, and sudo), Scientific Linux (git), Slackware (texlive), SUSE (cups-filters, poppler, texlive, distribution, golang-github-vpenso-prometheus_slurm_exporter, kubernetes1.18, kubernetes1.23, openvswitch, rmt-server, and ucode-intel), and Ubuntu (ca-certificates, calamares-settings-ubuntu, Jhead, libhtml-stripscripts-perl, and postgresql-10, postgresql-12, postgresql-14, postgresql-15).
---------------------------------------------
https://lwn.net/Articles/932994/
∗∗∗ Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN90278893/
∗∗∗ D-Link D-View 8 : v2.0.1.27 and below : TrendMicro (ZDI) Reported Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ Autodesk: Multiple Vulnerabilities in PSKernel component used by specific Autodesk products ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0009
∗∗∗ Autodesk: Privilege Escalation Vulnerability in the Autodesk Installer Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0010
∗∗∗ F5: K000134768 : Linux kernel vulnerability CVE-2022-4378 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134768
∗∗∗ F5: K000134770 : Linux kernel vulnerability CVE-2022-42703 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134770
∗∗∗ Moxa MXsecurity Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-145-01
∗∗∗ Nextcloud: Blind SSRF in the Mail app on avatar endpoint ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8…
∗∗∗ Nextcloud: Contacts - PHOTO svg only sanitized if mime type is all lower case ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h…
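The Nextcloud Contacts advisory above describes a sanitizer that was only applied when the MIME type compared exactly as lower case. The following Python illustration is added here and is not Nextcloud's code; the function names, the stand-in sanitizer and the sample SVG are constructed for the example. It shows how a mixed-case label slips past the exact compare, and a normalised, content-sniffing gate that sanitises the same bytes however they are labelled.

```python
# Added illustration (not Nextcloud's code): a sanitizer gated on an exact,
# case-sensitive compare of a client-supplied MIME type, next to a gate that
# normalises the label and also looks at the content itself.
import re

SVG_MIME = "image/svg+xml"


def sanitize_svg(data: bytes) -> bytes:
    # Stand-in for a real SVG sanitizer: drops <script> elements and on*
    # event-handler attributes. Illustrative only, not a complete sanitizer.
    cleaned = re.sub(rb"<script\b.*?</script\s*>", b"", data, flags=re.I | re.S)
    cleaned = re.sub(rb"\s+on[a-z]+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", b"",
                     cleaned, flags=re.I)
    return cleaned


def store_photo_vulnerable(mime: str, data: bytes) -> bytes:
    # Weak gate: exact compare on an attacker-controlled header. Any other
    # spelling of the type ("image/SVG+XML", trailing parameters) skips it.
    if mime == SVG_MIME:
        return sanitize_svg(data)
    return data


def looks_like_svg(data: bytes) -> bool:
    # Content sniff: an SVG document has an <svg root element no matter how
    # the upload was labelled.
    head = data[:2048].lstrip()
    return re.search(rb"<svg\b", head, re.I) is not None


def store_photo_hardened(mime: str, data: bytes) -> bytes:
    # Normalise the label (strip parameters, whitespace, case) and decide on
    # the bytes as well, so a mislabelled SVG is still sanitised.
    base = mime.split(";", 1)[0].strip().lower()
    if base == SVG_MIME or looks_like_svg(data):
        return sanitize_svg(data)
    return data


# Constructed sample input: an SVG "photo" carrying a script and an onload
# handler, as an attacker would upload it.
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                 b'<script>alert(document.cookie)</script><circle r="4"/></svg>')


def demo() -> dict:
    # True means the dangerous content survived the store step.
    return {
        "vuln_mixed_case": b"<script" in store_photo_vulnerable("image/SVG+XML", MALICIOUS_SVG),
        "hard_mixed_case": b"<script" in store_photo_hardened("image/SVG+XML", MALICIOUS_SVG),
        "hard_mislabelled": b"onload" in store_photo_hardened("image/png", MALICIOUS_SVG),
    }


if __name__ == "__main__":
    for name, survived in demo().items():
        print(f"{name}: {'script survived' if survived else 'sanitised'}")
```

The general lesson is that a security decision must never hinge on the exact spelling of a value the client controls; canonicalise first, and where the cost is acceptable, decide on the content rather than the label.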
∗∗∗ Nextcloud: Error in calendar when booking an appointment reveals the full path of the website ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2…
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6987493
∗∗∗ IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998037
∗∗∗ IBM Planning Analytics Workspace has addressed a vulnerability in SnakeYaml (CVE-2022-1471) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998025
∗∗∗ Vulnerability from log4j-1.2.16.jar affect IBM Operations Analytics - Log Analysis (CVE-2023-26464) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998333
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands that run Designer flows are vulnerable to arbitrary code execution due to [CVE-2022-37614] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998341
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-2251] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998357
∗∗∗ A vulnerability in Etcd-io could affect IBM CICS TX Standard [CVE-2021-28235] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998361
∗∗∗ A vulnerability in Etcd-io could affect IBM CICS TX Advanced [CVE-2021-28235] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998367
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to arbitrary code execution due to [CVE-2023-30547] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998381
∗∗∗ Due to the use of Apache spring-web, IBM ECM Content Management Interoperability Services (CMIS) is affected by remote code execution (RCE) security vulnerability CVE-2016-1000027 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998405
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998391
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-05-2023 18:00 − Wednesday 24-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Barracuda warns of email gateways breached via zero-day flaw ∗∗∗
---------------------------------------------
Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by targeting a now-patched zero-day vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/barracuda-warns-of-email-gat…
∗∗∗ Legion Malware Upgraded to Target SSH Servers and AWS Credentials ∗∗∗
---------------------------------------------
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
---------------------------------------------
https://thehackernews.com/2023/05/legion-malware-upgraded-to-target-ssh.html
∗∗∗ Malvertising via brand impersonation is back again ∗∗∗
---------------------------------------------
In recent months, numerous incidents have shown that malvertising is on the rise again and affecting the user experience and trust in their favorite search engine. Indeed, Search Engine Results Pages (SERPs) include paid Google ads that in some cases lead to scams or malware.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-…
∗∗∗ From legitimate to malicious: the transformation of an Android app within a year ∗∗∗
---------------------------------------------
ESET researchers discover AhRat, a new Android RAT based on AhMyth that exfiltrates files and records audio.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/05/23/von-legitim-zu-bosartig-a…
∗∗∗ Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own ∗∗∗
---------------------------------------------
MikroTik patches a major security defect in its RouterOS product a full five months after it was exploited at Pwn2Own Toronto.
---------------------------------------------
https://www.securityweek.com/mikrotik-belatedly-patches-routeros-flaw-explo…
∗∗∗ Numerous World4You phishing emails in circulation! ∗∗∗
---------------------------------------------
Website operators beware: criminals are currently sending an increased number of emails in the name of the Austrian hosting provider World4You. These usually falsely claim that invoices have not been paid or that web addresses have been blocked.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-world4you-phishing-mails-…
∗∗∗ CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF) ∗∗∗
---------------------------------------------
Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-and-partners-update…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0010 ∗∗∗
---------------------------------------------
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0010.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libssh and sofia-sip), Fedora (cups-filters, dokuwiki, qt5-qtbase, and vim), Oracle (git, python-pip, and python3-setuptools), Red Hat (git, kernel, kpatch-patch, rh-git227-git, and sudo), SUSE (openvswitch, rmt-server, and texlive), and Ubuntu (binutils, cinder, cloud-init, firefox, golang-1.13, Jhead, liblouis, ncurses, node-json-schema, node-xmldom, nova, python-glance-store, python-os-brick, and runc).
---------------------------------------------
https://lwn.net/Articles/932827/
∗∗∗ Nextcloud: user_oidc app is missing bruteforce protection ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x…
∗∗∗ Nextcloud: User session not correctly destroyed on logout ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q…
∗∗∗ Nextcloud: Basic auth header on WebDAV requests is not brute-force protected ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m…
∗∗∗ Apple security updates: iTunes 12.12.9 for Windows ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT213763
∗∗∗ F5: K000134744 : Intel BIOS vulnerability CVE-2022-38087 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134744
∗∗∗ F5: K000134747 : PHP vulnerability CVE-2023-0568 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134747
∗∗∗ Bosch: Unrestricted SSH port forwarding in BVMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-025794-bt.html
∗∗∗ Bosch: Vulnerability in Wiegand card data interpretation ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-391095-bt.html
∗∗∗ Bosch: .NET Remote Code Execution Vulnerability in BVMS, BIS and AMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-110112-bt.html
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to the module xml2js (CVE-2023-0842) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997617
∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to cURL libcurl and Google protobuf-java. (CVE-2022-42915, CVE-2021-22569, CVE-2022-3509, CVE-2022-3171, CVE-2022-3510) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997631
∗∗∗ IBM InfoSphere Information Server is affected by a remote code execution vulnerability (CVE-2023-32336) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995879
∗∗∗ This Power System update is being released to address CVE-2023-30438 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6993021
∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997919
∗∗∗ Vulnerability in IBM® Runtime Environment Java™ Version 8 affects Cloud Pak System. [CVE-2023-30441] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997913
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997097
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997921
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997923
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997925
∗∗∗ Red Hat OpenShift on IBM Cloud is affected by a Kubernetes API server security vulnerability (CVE-2022-3172) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997115
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-05-2023 18:00 − Tuesday 23-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Malicious Windows kernel drivers used in BlackCat ransomware attacks ∗∗∗
---------------------------------------------
The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-windows-kernel-dri…
∗∗∗ Vulnerability in Samsung smartphones is being attacked ∗∗∗
---------------------------------------------
A vulnerability in Samsung smartphones, which the company is closing with the May updates, is being exploited by attackers. Some details are unclear.
---------------------------------------------
https://heise.de/-9062566
∗∗∗ BrutePrint: attack cracks fingerprint-sensor protection ∗∗∗
---------------------------------------------
IT security researchers have presented an attack named BrutePrint against the access protection of smartphones with fingerprint sensors.
---------------------------------------------
https://heise.de/-9062997
∗∗∗ OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel ∗∗∗
---------------------------------------------
Cedric Halbronn and Alex Plaskett presented at OffensiveCon on the 19th of May 2023 on Exploit Engineering – Attacking the Linux kernel.
---------------------------------------------
https://research.nccgroup.com/2023/05/23/offensivecon-2023-exploit-engineer…
∗∗∗ Willhaben: recognising PayLivery fraud ∗∗∗
---------------------------------------------
Fraudulent buyers fake Willhaben's PayLivery service and pretend they have already paid. They lure you to a fake payment platform where you must enter your credit card details to request the payment. You are then asked to confirm the incoming payment in your banking app. In reality you are authorising a payment and losing your money.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-betrug-mit-paylivery-erken…
∗∗∗ Android app breaking bad: From legitimate screen recording to file exfiltration within a year ∗∗∗
---------------------------------------------
ESET researchers discover AhRat – a new Android RAT based on AhMyth – that exfiltrates files and records audio
---------------------------------------------
https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitima…
∗∗∗ Hackers use Dropbox for fraudulent emails ∗∗∗
---------------------------------------------
Because of the link to Dropbox, the messages appear harmless. Security solutions may also not flag the Dropbox URLs. Users, however, risk handing their credentials to hackers.
---------------------------------------------
https://www.zdnet.de/88409355/hacker-nutzen-dropbox-fuer-betruegerische-e-m…
∗∗∗ DarkCloud Infostealer Being Distributed via Spam Emails ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the DarkCloud malware being distributed via spam email. DarkCloud is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
---------------------------------------------
https://asec.ahnlab.com/en/53128/
∗∗∗ Lazarus Group Targeting Windows IIS Web Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers.
---------------------------------------------
https://asec.ahnlab.com/en/53132/
∗∗∗ Info Stealer Abusing Codespaces Puts Discord Users at Risk ∗∗∗
---------------------------------------------
In this entry, we detail our research findings on how an info stealer is able to achieve persistence on a victim’s machine by modifying the victim’s Discord client.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/info-stealer-abusing-codespa…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress 6.2.2: bug introduced by security patch ironed out ∗∗∗
---------------------------------------------
The WordPress developers have corrected a security update. The current version is available for download now.
---------------------------------------------
https://heise.de/-9062515
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-nth-check), Mageia (mariadb and python-reportlab), Slackware (c-ares), SUSE (geoipupdate and qt6-svg), and Ubuntu (linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-bluefield, linux-gcp, linux-hwe, linux-raspi2, linux-snapdragon, and linux-gcp, linux-hwe-5.19).
---------------------------------------------
https://lwn.net/Articles/932693/
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) advisories on May 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
* ICSA-23-143-01 Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x Products
* ICSA-23-143-02 Hitachi Energy RTU500
* ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module
* ICSA-23-143-04 Horner Automation Cscape
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-releases-four-indus…
∗∗∗ This Power System update is being released to address CVE-2023-30440 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997133
∗∗∗ IBM® MobileFirst Platform is vulnerable to CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997293
∗∗∗ Vulnerabilities in Python may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997507
∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to exposing sensitive information due to flaws and configurations (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997499
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to denial of service due to [CVE-2012-0881], [CVE-2013-4002] and [CVE-2022-23437] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985605
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22476, CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997581
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22473, CVE-2021-38951) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997587
∗∗∗ Multiple Security Vulnerabilities have been fixed in IBM Security Directory Server, IBM Security Directory Suite and IBM Security Verify Directory. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997593
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-21496, CVE-2021-35550, CVE-2021-2163, CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997585
∗∗∗ A vulnerability in IBM SDK, Java Technology Edition affects IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997589
∗∗∗ CVE-2022-41723 and CVE-2022-41721 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997601
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-05-2023 18:00 − Monday 22-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Current Qakbot/Pikabot wave in Austria ∗∗∗
---------------------------------------------
Alongside other countries, Austria is currently again affected by a phishing/malspam wave driven by Qakbot/Pikabot. The current campaign runs under the name BB28 and, after a successful infection, leads to Cobalt Strike being downloaded and subsequently, in many cases, to ransomware, here frequently BlackBasta. A peculiarity of this campaign is the appearance of a potential successor to or companion of Qakbot named Pikabot.
---------------------------------------------
https://cert.at/de/aktuelles/2023/5/aktuelle-qakbotpikabot-welle-in-osterre…
∗∗∗ CISA warns of Samsung ASLR bypass flaw exploited in attacks ∗∗∗
---------------------------------------------
CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-samsung-aslr-b…
∗∗∗ Cloned CapCut websites push information stealing malware ∗∗∗
---------------------------------------------
A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloned-capcut-websites-push-…
∗∗∗ Notorious Cyber Gang FIN7 Returns Cl0p Ransomware in New Wave of Attacks ∗∗∗
---------------------------------------------
The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.
---------------------------------------------
https://thehackernews.com/2023/05/notorious-cyber-gang-fin7-returns-cl0p.ht…
∗∗∗ IcedID Macro Ends in Nokoyawa Ransomware ∗∗∗
---------------------------------------------
In this case we document an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
---------------------------------------------
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomwa…
∗∗∗ Microsoft: BEC Scammers Use Residential IPs to Evade Detection ∗∗∗
---------------------------------------------
BEC scammers use residential IP addresses in attacks to make them seem locally generated and evade detection.
---------------------------------------------
https://www.securityweek.com/microsoft-bec-scammers-use-residential-ips-to-…
∗∗∗ Webinar: How do I protect myself from love scams? ∗∗∗
---------------------------------------------
They feign great love and thereby cheat their counterparts out of large sums of money: in love scamming, fraudsters gain their victims' trust on online dating sites and in social networks in order to get at their money. Take part free of charge: Tuesday 30 May 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-lo…
∗∗∗ Free trial offer of a light therapy is only a sales pitch ∗∗∗
---------------------------------------------
To win customers, Lumina Vital promises you free sessions. Over the phone, pressure is put on you to accept a visit at your home. Even if you do not agree to a date, you receive a letter with a fixed appointment. Do not let yourself be pressured if you do not want to buy anything!
---------------------------------------------
https://www.watchlist-internet.at/news/gratis-testangebot-einer-lichttherap…
∗∗∗ Threat hunting with PowerShell – security even on a small budget ∗∗∗
---------------------------------------------
IT security should not be a question of money; that is often a pretext. MVP Tom Wechsler has given the topic some thought and shows how, even with PowerShell and a few lines of code, one can search for problems in the …
---------------------------------------------
https://www.borncity.com/blog/2023/05/22/threat-hunting-mit-powershell-sich…
∗∗∗ Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware.
---------------------------------------------
https://asec.ahnlab.com/en/52920/
∗∗∗ Cloud-Based Malware Delivery: The Evolution of GuLoader ∗∗∗
---------------------------------------------
Antivirus products are constantly evolving to become more sophisticated and better equipped to handle complex threats. As a result, malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
---------------------------------------------
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolu…
=====================
= Vulnerabilities =
=====================
∗∗∗ CUPS: vulnerability in printing system allows code execution ∗∗∗
---------------------------------------------
In the CUPS printing system, attackers on the network can abuse a vulnerability to smuggle in and execute arbitrary code.
---------------------------------------------
https://heise.de/-9061315
∗∗∗ Attackers could target development environments via Jenkins ∗∗∗
---------------------------------------------
Software developers beware: there are important security updates for several Jenkins plug-ins. Attackers could gain access to login data.
---------------------------------------------
https://heise.de/-9061545
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups-filters, imagemagick, libwebp, sqlite, and texlive-bin), Fedora (chromium and vim), Gentoo (librecad, mediawiki, modsecurity-crs, snakeyaml, and tinyproxy), Mageia (apache-mod_security, cmark, dmidecode, freetype2, glib2.0, libssh, patchelf, python-sqlparse, sniproxy, suricata, and webkit2), Oracle (apr-util and firefox), Red Hat (git), SUSE (containerd, openvswitch, python-Flask, runc, terraform-provider-aws, and terraform-provider-null), and Ubuntu (tar).
---------------------------------------------
https://lwn.net/Articles/932625/
∗∗∗ Tornado vulnerable to open redirect ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN45127776/
∗∗∗ WordPress 6.2.2 Security Release ∗∗∗
---------------------------------------------
https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
∗∗∗ F5: K000134681 : Spring Framework vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134681
∗∗∗ F5: K000134706 : Python IDNA vulnerability CVE-2022-45061 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134706
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/22/cisa-adds-three-known-ex…
∗∗∗ Vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995893
∗∗∗ Security vulnerability in IBM Java SDK affects IBM Tivoli Netcool Impact (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995895
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995887
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM Operational Decision Manager April 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997063
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.9ESR) have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997069
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Base (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997075
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997083
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997097
∗∗∗ There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997107
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are affected by a vulnerability in the IBM SDK, Java Technology Edition [CVE-2023-30441] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997131
∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities (CVE-2017-6225) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650695
∗∗∗ IBM b-type SAN Network/Storage switches are affected by a denial of service vulnerability caused by CPU consumption in the IPv6 stack (CVE-2017-6227) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650699
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-05-2023 18:00 − Friday 19-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Attacks may be imminent: critical root vulnerabilities threaten Cisco switches ∗∗∗
---------------------------------------------
Among other things, Cisco has closed several critical security vulnerabilities in various Small Business switches. However, not all models receive updates.
---------------------------------------------
https://heise.de/-9059775
∗∗∗ KeePass password manager: security researcher reads out master password ∗∗∗
---------------------------------------------
A security researcher has succeeded in reading out KeePass master passwords. Such attacks are, however, laborious.
---------------------------------------------
https://heise.de/-9059945
∗∗∗ Zero-days and more: a look at Apple's latest security patches ∗∗∗
---------------------------------------------
iOS 16.5, macOS 13.4 and the other updates also patch security bugs, as usual. Among them are bugs that are already being exploited.
---------------------------------------------
https://heise.de/-9059799
∗∗∗ Malware infected almost 10 million Android phones ∗∗∗
---------------------------------------------
Numerous smartphones were shipped with pre-installed malicious software.
---------------------------------------------
https://futurezone.at/produkte/android-schadsoftware-infiziert-10-millionen…
∗∗∗ MalasLocker ransomware targets Zimbra servers, demands charity donation ∗∗∗
---------------------------------------------
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targe…
∗∗∗ Hackers target vulnerable WordPress Elementor plugin after PoC released ∗∗∗
---------------------------------------------
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-wo…
∗∗∗ Playing for the Wrong Team: Dangerous Functionalities in Microsoft Teams Enable Phishing and Malware Delivery by Attackers ∗∗∗
---------------------------------------------
Microsoft is a major productivity partner for many organizations and enterprises. These organizations widely trust Microsoft Office’s suite of products as a reliable foundation for their daily cloud ecosystem needs. However, as Proofpoint has shown in the past, this migration to the cloud also introduces new kinds of threats.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/dangerous-functionalities…
∗∗∗ RATs found hiding in the npm attic ∗∗∗
---------------------------------------------
ReversingLabs researchers discovered two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
---------------------------------------------
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
∗∗∗ The Paillier Cryptosystem with Applications to Threshold ECDSA ∗∗∗
---------------------------------------------
You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it’s used in complex protocols, and how to implement it securely.
---------------------------------------------
https://research.nccgroup.com/2023/05/19/the-paillier-cryptosystem-with-app…
∗∗∗ All your building are belong to us ∗∗∗
---------------------------------------------
TL;DR: Building Management Systems (BMS) bring new risks to businesses that haven’t had previous experience of securing Operational Technology (OT). While there might not be direct financial gain from hacking BMS, these systems can be a soft target for attackers to pivot into your business operations. IoT offerings in this space can help manage risk within your networks, but can also provide unintended access to sensitive information.
---------------------------------------------
https://www.pentestpartners.com/security-blog/all-your-building-are-belong-…
∗∗∗ CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest, he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS to execute code on the underlying hypervisor.
---------------------------------------------
https://www.thezdi.com/blog/2023/5/17/cve-2023-2086920870-exploiting-vmware…
∗∗∗ VSCode Security: Malicious Extensions Detected - More Than 45,000 Downloads - PII Exposed, and Backdoors Enabled ∗∗∗
---------------------------------------------
Highlights: CloudGuard Spectral detected malicious extensions on the VSCode marketplace. Users installing these extensions were enabling attackers to steal PII records and to set up a remote shell to their machines. Once detected, we've alerted VSCode on these extensions. Soon after notification, they were removed by the VSCode marketplace team. VSCode (short for Visual Studio Code) is a popular and free source code editor developed by Microsoft.
---------------------------------------------
https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-…
∗∗∗ Visualizing QakBot Infrastructure ∗∗∗
---------------------------------------------
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
---------------------------------------------
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
=====================
= Vulnerabilities =
=====================
∗∗∗ File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015 ∗∗∗
---------------------------------------------
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox. This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability [...]
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-015
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
Trend Micro has released a new build for Trend Micro Apex Central that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293107?language=en_US
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex One ∗∗∗
---------------------------------------------
Trend Micro has released a new Critical Patch (CP) for Trend Micro Apex One and Trend Micro Apex One as a Service that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293108?language=en_US
∗∗∗ Cisco Security Advisories 2023-05-17 ∗∗∗
---------------------------------------------
Cisco has published 9 security advisories: (1x Critical, 8x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-138-04 Johnson Controls OpenBlue Enterprise Manager Data Collector
* ICSA-23-138-03 Hitachi Energy's MicroSCADA Pro/X SYS600 Products
* ICSA-23-138-02 Mitsubishi Electric MELSEC WS Series
* ICSA-23-138-01 Carlo Gavazzi Powersoft
* ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics (Update B)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/18/cisa-releases-five-indus…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Fedora (clevis-pin-tpm2, greetd, keyring-ima-signer, libkrun, mirrorlist-server, nispor, nmstate, qt5-qtbase, rust-afterburn, rust-below, rust-bodhi-cli, rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Oracle (apr-util, curl, emacs, firefox, kernel, libreswan, mysql, nodejs and nodejs-nodemon, openssh, thunderbird, and webkit2gtk3), Red Hat (apr-util, emacs, firefox, git, jenkins and jenkins-2-plugins, kernel, kpatch-patch, and thunderbird), Scientific Linux (apr-util, firefox, and thunderbird), Slackware (curl), SUSE (cups-filters, curl, java-1_8_0-openjdk, kernel, mysql-connector-java, and ovmf), and Ubuntu (cups-filters, git, linux-gcp-4.15, linux-oracle, linux-raspi, node-minimatch, ruby2.3, ruby2.5, ruby2.7, and runc).
---------------------------------------------
https://lwn.net/Articles/932371/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cups-filters, kitty, mingw-LibRaw, nispor, rust-ybaas, and rust-yubibomb), Mageia (kernel-linus), Red Hat (jenkins and jenkins-2-plugins), SUSE (openvswitch and ucode-intel), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-oracle-5.15, linux-ibm, linux-oracle, and linux-oem-6.0).
---------------------------------------------
https://lwn.net/Articles/932464/
∗∗∗ Path Traversal in SymBox, SymOS (SYSS-2023-014) ∗∗∗
---------------------------------------------
The web interface of SymBox, SymOS allows a path traversal, through which access to system files outside the web root can be obtained.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-symbox-symos-syss-2023-0…
∗∗∗ Spring Boot available now, fixing CVE-2023-20883 ∗∗∗
---------------------------------------------
https://spring.io/security/cve-2023-20883
∗∗∗ Mattermost security updates 7.10.1 / 7.9.4 / 7.8.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-1-7-9-4-7-8-5-…
∗∗∗ CPE2023-002 Vulnerabilities of IJ Network Tool regarding Wi-Fi connection setup – 18 May 2023 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-05-2023 18:00 − Wednesday 17-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers use Azure Serial Console for stealthy access to VMs ∗∗∗
---------------------------------------------
A financially motivated cybergang tracked by Mandiant as UNC3944 is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-con…
∗∗∗ Phishing: dispute over Google TLDs .zip and .mov ∗∗∗
---------------------------------------------
IT and security experts are arguing about the usefulness and risks of new gTLDs. The problems, however, are not new.
---------------------------------------------
https://www.golem.de/news/phishing-streit-um-google-tlds-zip-und-mov-2305-1…
∗∗∗ Minas – on the way to complexity ∗∗∗
---------------------------------------------
Kaspersky analysis of a complicated multi-stage attack dubbed Minas that features a number of detection evasion and persistence techniques and results in a cryptocurrency miner infection.
---------------------------------------------
https://securelist.com/minas-miner-on-the-way-to-complexity/109692/
∗∗∗ Wemo Won't Fix Smart Plug Vulnerability Allowing Remote Operation ∗∗∗
---------------------------------------------
IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit -- a limit enforced solely by Wemo's own apps -- with third-party tools.
---------------------------------------------
https://it.slashdot.org/story/23/05/17/141200/wemo-wont-fix-smart-plug-vuln…
∗∗∗ Respawning Malware Persists on PyPI ∗∗∗
---------------------------------------------
A bad actor on GitHub laces his repositories with malware written in Python and hosted on PyPI. Minutes after his malware is taken down from PyPI, the same malware respawns on PyPI under a slightly different name. He then immediately updates all of his repositories to point to this new package. Most of his GitHub projects are bots or some variety of a stealer.
---------------------------------------------
https://blog.phylum.io/respawning-malware-persists-on-pypi/
∗∗∗ New scam website in circulation: finanavas.com ∗∗∗
---------------------------------------------
Investment fraudsters are using a new website to try to take money out of people's pockets. They use Telegram to wrap "investors" around their finger.
---------------------------------------------
https://heise.de/-9058909
∗∗∗ Subscription trap instead of information about phone numbers on reversera.com/de ∗∗∗
---------------------------------------------
In a time of constant fraudulent calls and "cold calls", a service that provides information about phone numbers and their owners is extremely useful. Reversera.com/de of АLРНАСLІС LТD supposedly offers exactly that. In fact, in our test it presented us with a result for made-up numbers. To view it, we would have had to pay 50 cents by credit card, but the payment leads into a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-statt-informationen-zu-tel…
∗∗∗ How to encrypt your email (and why you should) ∗∗∗
---------------------------------------------
If you send emails with sensitive or private info inside, you should consider email encryption. Here's what to know.
---------------------------------------------
https://www.zdnet.com/article/how-to-encrypt-your-email-and-why-you-should/
∗∗∗ WordPress 6.2.1 released ∗∗∗
---------------------------------------------
The developers released WordPress version 6.2.1 on 16 May 2023. It is a maintenance and security update that fixes 30 bugs. Details can be found in the release notes.
---------------------------------------------
https://www.borncity.com/blog/2023/05/16/wordpress-6-2-1-freigegeben/
∗∗∗ SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack ∗∗∗
---------------------------------------------
In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant's investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote management software within client environments. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Unfortunately, cloud resources are often poorly understood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: attackers have their eyes on the cloud.
---------------------------------------------
https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial
∗∗∗ CISA and Partners Release BianLian Ransomware Cybersecurity Advisory ∗∗∗
---------------------------------------------
CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory. To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Web browser: critical security vulnerability in Google Chrome ∗∗∗
---------------------------------------------
Google has released an update for the Chrome web browser. It closes at least one critical security vulnerability. Attackers could inject malicious code.
---------------------------------------------
https://heise.de/-9057932
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (netatalk), Mageia (connman, firefox/nss/rootcerts, freeimage, golang, indent, kernel, python-django, python-pillow, and thunderbird), Red Hat (apr-util, firefox, java-1.8.0-ibm, libreswan, and thunderbird), SUSE (conmon, curl, java-11-openjdk, and libheif), and Ubuntu (libwebp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux, linux-aws, linux-aws-hwe, linux-kvm, linux, linux-aws, linux-azure, linux-azure-5.19, linux-kvm, linux-lowlatency, linux-raspi, node-eventsource, and openjdk-8, openjdk-lts, openjdk-17, openjdk-20).
---------------------------------------------
https://lwn.net/Articles/932130/
∗∗∗ Vulnerability Summary for the Week of May 8, 2023 ∗∗∗
---------------------------------------------
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb23-135
∗∗∗ Path Traversal in IP-Symcon (SYSS-2023-014) ∗∗∗
---------------------------------------------
The web interface of IP-Symcon allows a path traversal, through which access to system files outside the web root can be obtained.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-ip-symcon-syss-2023-014
∗∗∗ Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-70…
∗∗∗ Stored XSS vulnerability in the rename functionality of Wekan (open-source Kanban) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-schwachste…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-05-2023 18:00 − Tuesday 16-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ VirusTotal AI code analysis expands Windows, Linux script support ∗∗∗
---------------------------------------------
Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-ai-code-analysis-…
∗∗∗ Open-source Cobalt Strike port Geacon used in macOS attacks ∗∗∗
---------------------------------------------
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/open-source-cobalt-strike-po…
∗∗∗ Signals Defense With Faraday Bags & Flipper Zero, (Tue, May 16th) ∗∗∗
---------------------------------------------
There are situations where it is desired to block signals between devices. Common scenarios are when traveling, in a location of uncertain safety, or otherwise concerned with data privacy and geolocation. I was curious how well Faraday bags and similar products protect wireless communications.
---------------------------------------------
https://isc.sans.edu/diary/rss/29840
∗∗∗ Triple Threat: Breaking Teltonika Routers Three Ways ∗∗∗
---------------------------------------------
Comprehensive research was conducted on Teltonika Networks’ IIoT products, with a focus on industrial cellular devices widely used in various industries, specifically, the Teltonika Remote Management System, and RUT model routers.
---------------------------------------------
https://claroty.com/team82/research/triple-threat-breaking-teltonika-router…
∗∗∗ You’ve been kept in the dark (web): exposing Qilin’s RaaS program ∗∗∗
---------------------------------------------
All you need to know about Qilin ransomware and its operations targeting critical sectors.
---------------------------------------------
https://www.group-ib.com/blog/qilin-ransomware/
∗∗∗ Side-channel attack on Cortex-M: access to sensitive information ∗∗∗
---------------------------------------------
At Black Hat Asia, IT researchers presented side-channel attacks on ARM Cortex-M microprocessors. They enable access to sensitive information.
---------------------------------------------
https://heise.de/-9057108
∗∗∗ It’s always DNS, here’s why… ∗∗∗
---------------------------------------------
There’s an old adage in network and Internet support: When something breaks in any network “it was DNS”. Sadly it’s usually true.
---------------------------------------------
https://www.pentestpartners.com/security-blog/its-always-dns-heres-why/
∗∗∗ Beware of calls from "austriamegachance.com" ∗∗∗
---------------------------------------------
Your phone rings. Austria Mega Chance, a lottery tip service, is calling. You are promised high chances of winning the lottery and offered a syndicate tip service. The pushy caller coaxes your bank account details out of you. Some time later, almost 70 euros are debited from your account every month, without any written information and without you having signed a contract. We show you what you can do!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-von-austriamega…
∗∗∗ Microsoft SharePoint scans password-protected ZIP archives ∗∗∗
---------------------------------------------
It appears that Microsoft also scans ZIP archives in its cloud storage for malicious content (and possibly other content), including archives that the user has protected with a password against inspection.
---------------------------------------------
https://www.borncity.com/blog/2023/05/16/microsoft-sharepoint-scannt-passwo…
∗∗∗ The Dragon Who Sold His Camaro: Analyzing Custom Router Implant ∗∗∗
---------------------------------------------
Through our investigation, we have gained a deeper comprehension of the ways in which attackers are employing malware to target edge devices, particularly routers. Our efforts have led us to uncover several of the tactics and tools utilized by Camaro Dragon in their attacks.
---------------------------------------------
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzi…
∗∗∗ 8220 Gang Evolves With New Strategies ∗∗∗
---------------------------------------------
We observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-stra…
∗∗∗ How to Write a PoC for an Uninitialized Smart Contract Vulnerability in BadgerDAO Using Foundry ∗∗∗
---------------------------------------------
In this post, we’re going to learn how Foundry can be used to write a proof of concept (PoC) for uninitialized smart contract vulnerabilities.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/how-to-write-a-poc-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Cloud Pak for Network Automation, IBM Control Desk, IBM Maximo, IBM Edge Application Manager, IBM Cloud Automation Manager, Tivoli Monitoring, IBM Business Monitor, IBM Business Automation Workflow Enterprise Service Bus, WebSphere Application Server, Tivoli Application Dependency Discovery Manager, IBM Operations Analytics - Predictive Insights, IBM Security Verify Information Queue.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-136-02 Rockwell ArmorStart
* ICSA-23-136-03 Rockwell Automation FactoryTalk Vantagepoint
* ICSA-23-136-01 Snap One OvrC Cloud
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-releases-three-indu…
∗∗∗ JavaScript sandbox vm2: PoC shows new sandbox escape ∗∗∗
---------------------------------------------
Attackers can abuse a critical vulnerability in the JavaScript sandbox vm2 to escape from it. Updated software that closes the vulnerabilities is available.
---------------------------------------------
https://heise.de/-9056842
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (epiphany-browser, python-ipaddress, and sqlparse), Fedora (python-django3 and qemu), Red Hat (apr-util, autotrace, bind, bind9.16, container-tools:4.0, container-tools:rhel8, ctags, curl, device-mapper-multipath, dhcp, edk2, emacs, freeradius:3.0, freerdp, frr, gcc-toolset-12-binutils, git, git-lfs, go-toolset:rhel8, grafana, grafana-pcp, gssntlmssp, Image Builder, kernel, kernel-rt, libarchive, libreswan, libtar, libtiff, mingw-expat, mysql:8.0, net-snmp, pcs, php:7.4, poppler, postgresql-jdbc, python-mako, python27:2.7, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, samba, sysstat, tigervnc, unbound, virt:rhel and virt-devel:rhel, wayland, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (dmidecode, postgresql13, prometheus-sap_host_exporter, python-cryptography, rekor, and thunderbird), and Ubuntu (firefox, matrix-synapse, and mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/932033/
∗∗∗ D-Link DIR-2150 Firmware Release Notes v1.06 ∗∗∗
---------------------------------------------
https://support.dlink.com.au/Download/download.aspx?product=DIR-2150
∗∗∗ XSA-431 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-431.html
∗∗∗ Numerous vulnerabilities in Serenity and StartSharp Software ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…