August 2023 - Daily

Tageszusammenfassung - 31.08.2023
by Daily end-of-shift report 31 Aug '23

31 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 30-08-2023 18:00 − Donnerstag 31-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature ∗∗∗ --------------------------------------------- A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud."The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques [..] --------------------------------------------- https://thehackernews.com/2023/08/mmrat-android-trojan-executes-remote.html ∗∗∗ North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository ∗∗∗ --------------------------------------------- Three additional malicious Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors.The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. --------------------------------------------- https://thehackernews.com/2023/08/north-korean-hackers-deploy-new.html ∗∗∗ CISA and FBI Publish Joint Advisory on QakBot Infrastructure ∗∗∗ --------------------------------------------- CISA and FBI urge organizations to implement the recommendations contained within the joint CSA to reduce the likelihood of QakBot-related activity and promote identification of QakBot-facilitated ransomware and malware infections. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/30/cisa-and-fbi-publish-joi… ∗∗∗ Converting Tokens to Session Cookies for Outlook Web Application ∗∗∗ --------------------------------------------- More and more organizations are adopting cloud-based solutions and federating with various identity providers. As these deployments increase in complexity, ensuring that Conditional Access Policies (CAPs) always act as expected can become a challenge. Today, we will share a technique weve been using to gain access to Outlook Web Application (OWA) in a browser by utilizing Bearer and Refresh tokens for the outlook.office365.com or outlook.office.com endpoints. --------------------------------------------- https://labs.lares.com/owa-cap-bypass/ ∗∗∗ Contain Yourself: Staying Undetected Using the Windows Container Isolation Framework ∗∗∗ --------------------------------------------- Starting with Windows Server 2016, Microsoft released its own version of this solution, Windows Containers, which offers process and Hyper-V isolation modes. The presentation covered the basics of Windows containers, broke down its file system isolation framework, reverse-engineered its main mini-filter driver, and detailed how it can be utilized and manipulated by a bad actor to bypass EDR products in multiple domains. --------------------------------------------- https://www.deepinstinct.com/blog/contain-yourself-staying-undetected-using… ∗∗∗ NosyMonkey: API hooking and code injection made easy ∗∗∗ --------------------------------------------- As a researcher I often run into situations in which I need to make a compiled binary do things that it wouldn’t normally do or change the way it works in some way. [..] Enter, NosyMonkey: a library to inject code and place hooks that does almost everything for you. No need to write complicated ASM shellcode, or even think about allocating code, hot patching and other dirty business. --------------------------------------------- https://www.anvilsecure.com/blog/nosymonkey.html ∗∗∗ Bypassing Defender’s LSASS dump detection and PPL protection In Go ∗∗∗ --------------------------------------------- This blog reviews the technique that can be used to bypass Protected Process Light protection for any Windows process using theProcess Explorer driver and explores methods to bypass Windows Defender’s signature-based mechanisms for process dump detection. The tool introduced in this blog (PPLBlade), is written entirely in GO and can be used as a POC for the techniques overviewed below. --------------------------------------------- https://tastypepperoni.medium.com/bypassing-defenders-lsass-dump-detection-… ∗∗∗ Unpinnable Actions: How Malicious Code Can Sneak into Your GitHub Actions Workflows ∗∗∗ --------------------------------------------- In today’s post, we look at action pinning, one of the profound mitigations against supply chain attacks in the GitHub Actions ecosystem. It turns out, though, that action pinning comes with a downside — a pitfall we call "unpinnable actions" that allows attackers to execute code in GitHub Actions workflows. --------------------------------------------- https://www.paloaltonetworks.com/blog/prisma-cloud/unpinnable-actions-githu… ∗∗∗ Trojanized Signal, Telegram apps found on Google Play, Samsung Galaxy Store ∗∗∗ --------------------------------------------- ESET researchers have identified two active campaigns targeting Android users, where the threat actors behind the tools for Telegram and Signal are attributed to the China-aligned APT group GREF. Most likely active since July 2020 and since July 2022, respectively for each malicious app, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites posing as legitimate encrypted chat applications [..] --------------------------------------------- https://www.helpnetsecurity.com/2023/08/31/fake-signal-telegram-apps/ ∗∗∗ Infamous Chisel Malware Analysis Report ∗∗∗ --------------------------------------------- Infamous Chisel is a collection of components targeting Android devices.This malware is associated with Sandworm activity.It performs periodic scanning of files and network information for exfiltration.System and application configuration files are exfiltrated from an infected device. --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar23-243a ∗∗∗ A Deep Dive into Brute Ratel C4 payloads ∗∗∗ --------------------------------------------- Summary Brute Ratel C4 is a Red Team & Adversary Simulation software that can be considered an alternative to Cobalt Strike. In this blog post, we’re presenting a technical analysis of a Brute Ratel badger/agent that doesn’t implement all the recent features of the framework. --------------------------------------------- https://cybergeeks.tech/a-deep-dive-into-brute-ratel-c4-payloads/ ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress migration add-on flaw could lead to data breaches ∗∗∗ --------------------------------------------- All-in-One WP Migration, a popular data migration plugin for WordPress sites that has 5 million active installations, suffers from unauthenticated access token manipulation that could allow attackers to access sensitive site information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wordpress-migration-add-on-f… ∗∗∗ Wordpress: Cloud-Extensions für Migrationstool ermöglichen Datenklau ∗∗∗ --------------------------------------------- Die Box-, Google-Drive-, Onedrive- und Dropbox-Erweiterungen für ein weitverbreitetes Wordpress-Migrations-Plug-in sind anfällig für Datenklau. --------------------------------------------- https://www.golem.de/news/wordpress-cloud-extensions-fuer-migrationstool-er… ∗∗∗ Drupal: Unified Twig Extensions - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-041 ∗∗∗ --------------------------------------------- This module makes PatternLab's custom Twig functions available to Drupal theming. The module's included examples don't sufficiently filter data. This vulnerability is mitigated by the fact that the included examples must have been copied to a site's theme. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-041 ∗∗∗ Drupal: Obfuscate Email - Less critical - Cross Site Scripting - SA-CONTRIB-2023-042 ∗∗∗ --------------------------------------------- This module enables you to hide email addresses from bots and site scrapers by using the rot13 strategy. The module doesnt sufficiently escape the data attribute under the scenario a user has access to manipulate that value. This vulnerability is mitigated by the fact that an attacker must have a role with permissions to allow data attributes in content on a site. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-042 ∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * ICSA-23-243-01 ARDEREG Sistemas SCADA, CVE-2023-4485 * ICSA-23-243-02 GE Digital CIMPLICITY, CVE-2023-4487 * ICSA-23-243-03 PTC Kepware KepServerEX, CVE-2023-29444, CVE-2023-29445, CVE-2023-29446, CVE-2023-29447 * ICSA-23-243-04 Digi RealPort Protocol, CVE-2023-4299 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/31/cisa-releases-four-indus… ∗∗∗ Sicherheitsupdates: Schadcode-Attacken auf Aruba-Switches möglich ∗∗∗ --------------------------------------------- Verschiedene Switch-Modelle von Aruba sind verwundbar. Abgesicherte Ausgaben von ArubaOS schaffen Abhilfe. --------------------------------------------- https://heise.de/-9290375 ∗∗∗ Big Data: Splunk dichtet hochriskante Lücken ab ∗∗∗ --------------------------------------------- Die Big-Data-Experten von Splunk haben aktualisierte Software bereitgestellt, die teils hochriskante Schwachstellen in der Analysesoftware ausbessert. --------------------------------------------- https://heise.de/-9290325 ∗∗∗ VMware Tools: Schwachstelle ermöglicht Angreifern unbefugte Aktionen in Gästen ∗∗∗ --------------------------------------------- VMware warnt vor einer Sicherheitslücke in VMware Tools. Sie ermöglicht eine Man-in-the-Middle-Attacke auf Gastsysteme. --------------------------------------------- https://heise.de/-9290783 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 21, 2023 to August 27, 2023) ∗∗∗ --------------------------------------------- Last week, there were 43 vulnerabilities disclosed in 38 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 23 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, json-c, opendmarc, and otrs2), Red Hat (java-1.8.0-ibm and kpatch-patch), Scientific Linux (kernel), Slackware (mozilla), SUSE (haproxy, php7, vim, and xen), and Ubuntu (elfutils, frr, and linux-gcp, linux-starfive). --------------------------------------------- https://lwn.net/Articles/943192/ ∗∗∗ Mozilla Releases Security Updates for Firefox and Firefox ESR ∗∗∗ --------------------------------------------- Mozilla has released security updates to address vulnerabilities for Firefox 117, Firefox ESR 115.2, and Firefox ESR 102.15. A cyber threat actor can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/30/mozilla-releases-securit… ∗∗∗ Weitere Windows-Rechteausweitung über Razer Synapse (SYSS-2023-002) ∗∗∗ --------------------------------------------- In Razer Synapse kann über eine Time-of-check Time-of-use Race Condition die Überprüfung fremder Bibliotheken durch den Dienst überlistet werden. --------------------------------------------- https://www.syss.de/pentest-blog/weitere-windows-rechteausweitung-ueber-raz… ∗∗∗ Cisco Unified Communications Products Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Multiple vulnerabilities in IBM Storage Defender Data Protect ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029861 ∗∗∗ Security Vulnerability in the IBM Java Runtime Environment (JRE) affect the 3592 Enterprise Tape Controller ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/691223 ∗∗∗ Vulnerability in SSLv3 affects IBM System Storage Tape Controller 3592 Model C07 (CVE-2014-3566) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690117 ∗∗∗ IBM Java Runtime (JRE) security vulnerabilities CVE-2022-21426 in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983442 ∗∗∗ Security vulnerability in IBM Java Object Request Broker (ORB) in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027874 ∗∗∗ IBM Java Runtime (JRE) security vulnerabilities CVE-2023-21830, CVE-2023-21843 in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983440 ∗∗∗ Multiple Security vulnerabilities in IBM Java in FileNet Content Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7001699 ∗∗∗ IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029864 ∗∗∗ TADDM affected by vulnerability due to IBM Java and its runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029984 ∗∗∗ Due to use of Mozilla Firefox, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029986 ∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are used in IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7006475 ∗∗∗ A vulnerability in Microsoft ASP.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2022-29117) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029527 ∗∗∗ A vulnerability in Microsoft Azure SDK for .NET affects IBM Robotic Process Automation and could allow a remote authenticated attacker to obtain sensitive information (CVE-2022-26907). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029524 ∗∗∗ Multiple security vulnerabilities affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026754 ∗∗∗ A vulnerability in MicrosoftAspNetCore.Identity affects IBM Robotic Process Automation and may result in allowing an attacker to bypass secrity restrictions (CVE-2023-33170). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029540 ∗∗∗ Multiple security vulnerabilities in Java affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026758 ∗∗∗ IBM Security Guardium is affected by an Hazardous Input Validation vulnerability (CVE-2022-43903) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030110 ∗∗∗ IBM MQ is affected by OpenSSL vulnerability (CVE-2023-2650) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030100 ∗∗∗ IBM MQ is affected by a sensitive information disclosure vulnerability (CVE-2023-28514) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030101 ∗∗∗ IBM MQ is affected by a denial of service vulnerability (CVE-2023-28513) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030102 ∗∗∗ IBM MQ is vulnerable to a denial of service attack (CVE-2023-26285) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030103 ∗∗∗ IBM Edge Application Manager 4.5.2 addresses the security vulnerabilities listed in the CVEs below. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7030159 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2023
by Daily end-of-shift report 30 Aug '23

30 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 29-08-2023 18:00 − Mittwoch 30-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Border Gateway Protocol: Der Klebstoff des Internets hat eine Schwachstelle ∗∗∗ --------------------------------------------- Durch eine neu entdeckte Schwachstelle im Border Gateway Protocol können Angreifer potenziell Teile des Internets abschotten. --------------------------------------------- https://www.golem.de/news/border-gateway-protocol-der-klebstoff-des-interne… ∗∗∗ Kritische Sicherheitslücke in VMware Aria Operations for Networks ∗∗∗ --------------------------------------------- VMware schließt Sicherheitslücken in Aria Operations for Networks. Eine gilt als kritisch und erlaubt den Zugriff ohne Anmeldung. --------------------------------------------- https://heise.de/-9288934 ∗∗∗ Botnet: Internationale Strafverfolger deinstallieren 700.000 Qakbot-Drohnen ∗∗∗ --------------------------------------------- Zusammen mit internationalen Strafverfolgern hat das FBI das Qakbot-Botnetz vorerst außer Gefecht gesetzt. Von 700.000 Systemen entfernten sie die Malware. --------------------------------------------- https://heise.de/-9289070 ∗∗∗ Cisco warnt vor Ransomware-Angriffen auf VPNs ohne Mehrfaktorauthentifizierung ∗∗∗ --------------------------------------------- Cisco warnt vor Angriffen mit der Akira-Ransomware, die auf VPNs des Herstellers zielt. Bei nicht genutzter Mehrfaktorauthentifizierung gelingen Einbrüche. --------------------------------------------- https://heise.de/-9289242 ∗∗∗ Vorsicht vor Jobs auf zalandoovip.vip und remote-rpo-at.com! ∗∗∗ --------------------------------------------- Auf remote-rpo-at.com wird Ihnen ein lukratives Job-Angebot präsentiert. „Seien Sie Ihr Eigener Chef Und Verdienen Sie Bis zu €1260 Pro Woche!“, heißt es da auf der Startseite. Sie sollen im weiteren Verlauf auf der betrügerischen Website zalandoovip.vip für Zalando Produktbewertungen abgeben und so angeblich Verkäufe steigern. Sobald Sie Ihr verdientes Geld auszahlen lassen wollen, folgt die böse Überraschung: [...] --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-jobs-auf-zalandoovipvip… ∗∗∗ Tausende Organisationen verwundbar auf Subdomain Hijacking ∗∗∗ --------------------------------------------- Subdomain-Hijacking stellt ein besorgniserregendes Szenario dar, bei dem Angreifer die Kontrolle über Websites übernehmen, die auf Subdomains seriöser Organisationen gehostet werden. Dies ermöglicht Angreifern zum Beispiel die Verbreitung von Schadsoftware und Desinformationen oder die Durchführung Phishing-Angriffen. --------------------------------------------- https://certitude.consulting/blog/de/subdomain-hijacking-2/ ∗∗∗ Trojanized Signal and Telegram apps on Google Play delivered spyware ∗∗∗ --------------------------------------------- Trojanized Signal and Telegram apps containing the BadBazaar spyware were uploaded onto Google Play and Samsung Galaxy Store by a Chinese APT hacking group known as GREF. --------------------------------------------- https://www.bleepingcomputer.com/news/security/trojanized-signal-and-telegr… ∗∗∗ Getting into AWS cloud security research as a n00bcake ∗∗∗ --------------------------------------------- Today, AWS security research can feel impenetrable, like understanding the latest meme that’s already gone through three ironic revivals. But if I’m being honest, I might suggest AWS security research is far more accessible than the other insane research in our industry. That’s why I attempt it. I’m just too dumb to write shellcode or disassemble a binary. So don’t be scared, let’s do it together! --------------------------------------------- https://dagrz.com/writing/aws-security/getting-into-aws-security-research/ ∗∗∗ CISA Releases IOCs Associated with Malicious Barracuda Activity ∗∗∗ --------------------------------------------- CISA has released additional indicators of compromise (IOCs) associated with exploitation of CVE-2023-2868. CVE-2023-2868 is a remote command injection vulnerability affecting Barracuda Email Security Gateway (ESG) Appliance, versions 5.1.3.001-9.2.0.006. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/29/cisa-releases-iocs-assoc… ∗∗∗ Diving Deep into UNC4841 Operations Following Barracuda ESG Zero-Day Remediation (CVE-2023-2868) ∗∗∗ --------------------------------------------- On June 15, 2023, Mandiant released a blog post detailing an 8-month-long global espionage campaign conducted by a Chinese-nexus threat group tracked as UNC4841. In this follow-up blog post, we will detail additional tactics, techniques, and procedures (TTPs) employed by UNC4841 that have since been uncovered through Mandiant’s incident response engagements, as well as through collaborative efforts with Barracuda Networks and our International Government partners. Over the course of this --------------------------------------------- https://www.mandiant.com/resources/blog/unc4841-post-barracuda-zero-day-rem… ∗∗∗ Pay our ransom instead of a GDPR fine, cybercrime gang tells its targets ∗∗∗ --------------------------------------------- Researchers are tracking a new cybercrime group that uses a never-seen-before extortion tactic. The gang, which operates through a blog called Ransomed, tells victims that if they don’t pay to protect stolen files, they will face fines under data protection laws like the EU’s GDPR, according to a new report by cybersecurity firm Flashpoint. --------------------------------------------- https://therecord.media/ransomed-cybercrime-group-extortion-gdpr ===================== = Vulnerabilities = ===================== ∗∗∗ Netgear: Security Advisory for Post-authentication Command Injection on the Prosafe® Network Management System, PSV-2023-0037 ∗∗∗ --------------------------------------------- NETGEAR is aware of a post-authentication command injection security vulnerability on NMS300 and strongly recommends that you download the latest version of NMS300 as soon as possible. --------------------------------------------- https://kb.netgear.com/000065705/Security-Advisory-for-Post-authentication-… ∗∗∗ Netgear: Security Advisory for Authentication Bypass on the RBR760, PSV-2023-0052 ∗∗∗ --------------------------------------------- NETGEAR is aware of an authentication bypass security vulnerability on the RBR760. This vulnerability requires an attacker to have your WiFi password or an Ethernet connection to a device on your network to be exploited. --------------------------------------------- https://kb.netgear.com/000065734/Security-Advisory-for-Authentication-Bypas… ∗∗∗ Webbrowser: Google-Chrome-Update stopft hochriskante Sicherheitslücke ∗∗∗ --------------------------------------------- Google bessert im Webbrowser Chrome eine als hochriskant eingestufte Schwachstelle aus. --------------------------------------------- https://heise.de/-9288903 ∗∗∗ Entwickler von Notepad++ ignoriert offensichtlich Sicherheitslücken ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken gefährden den Texteditor Notepad++. Trotz Informationen zu den Lücken und möglichen Fixes steht ein Sicherheitsupdate noch aus. --------------------------------------------- https://heise.de/-9289124 ∗∗∗ VMSA-2023-0018 ∗∗∗ --------------------------------------------- Synopsis: VMware Aria Operations for Networks updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0018.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (qpdf, ring, and tryton-server), Fedora (mingw-qt5-qtbase and moby-engine), Red Hat (cups, kernel, kernel-rt, kpatch-patch, librsvg2, and virt:rhel and virt-devel:rhel), and Ubuntu (amd64-microcode, firefox, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-nvidia, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-hwe-5.4, linux-kvm, linux-oracle, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-hwe-6.2, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-6.2, linux-raspi, linux-bluefield, linux-ibm, linux-oem-6.1, and openjdk-lts, openjdk-17). --------------------------------------------- https://lwn.net/Articles/943087/ ∗∗∗ Remote Code Execution in RTS VLink Virtual Matrix ∗∗∗ --------------------------------------------- BOSCH-SA-893251-BT: A security vulnerability has been uncovered in the admin interface of the RTS VLink Virtual Matrix Software. The vulnerability will allow a Remote Code Execution (RCE) attack. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-893251-bt.html ∗∗∗ 2023-08-29 Out-of-Cycle Security Bulletin: Junos OS and Junos OS Evolved: A crafted BGP UPDATE message allows a remote attacker to de-peer (reset) BGP sessions (CVE-2023-4481) ∗∗∗ --------------------------------------------- https://supportportal.juniper.net/s/article/2023-08-29-Out-of-Cycle-Securit… ∗∗∗ [R1] Nessus Version 10.6.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-29 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2023
by Daily end-of-shift report 29 Aug '23

29 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 28-08-2023 18:00 − Dienstag 29-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Malware loader lowdown: The big 3 responsible for 80% of attacks so far this year ∗∗∗ --------------------------------------------- Three malware loaders — QBot, SocGholish, and Raspberry Robin — are responsible for 80 percent of observed attacks on computers and networks so far this year. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/08/28/top_malware_… ∗∗∗ Leaking File Contents with a Blind File Oracle in Flarum ∗∗∗ --------------------------------------------- Flarum is a free, open source PHP-based forum software used for everything from gaming hobbyist sites to cryptocurrency discussion. [..] Through our research we were able to leak the contents of arbitrary local files in Flarum through a blind oracle, and conduct blind SSRF attacks with only a basic user account. --------------------------------------------- https://blog.assetnote.io/2023/08/28/leaking-file-contents-with-a-blind-fil… ∗∗∗ Compromised OpenCart Payment Module Steals Credit Card Information ∗∗∗ --------------------------------------------- It seems that the attackers had manually modified one of the key files responsible for the processing of payment information on their OpenCart website; this is very similar to another credit card skimmer that we recently wrote about. --------------------------------------------- https://blog.sucuri.net/2023/08/opencart-payment-module-steals-credit-card-… ∗∗∗ Jetzt patchen! Exploitcode legt Attacken auf Juniper-Firewalls nahe ∗∗∗ --------------------------------------------- Sicherheitsforscher haben Schwachstellen in Juniper Firewalls und Switches dokumentiert. Das können Angreifer nun missbrauchen. --------------------------------------------- https://heise.de/-9287740 ∗∗∗ Zoho ManageEngine: Schwachstelle erlaubt Umgehen von Mehrfaktorauthentifizierung ∗∗∗ --------------------------------------------- Zahlreiche ManageEninge-Produkte von Zoho sind von Schwachstellen betroffen, die die Umgehung der Mehrfaktorauthentifizierung (MFA) ermöglichen. Während aktualisierte Softwarepakete offenbar seit Ende Juni bereitstehen, wurde erst jetzt die CVE-Meldung dazu bekannt. --------------------------------------------- https://heise.de/-9287917 ∗∗∗ MalDoc in PDF: Japanisches CERT warnt vor in PDFs versteckten Malware-Dokumenten ∗∗∗ --------------------------------------------- Cyberkriminelle finden immer neue Wege, Malware vor der Erkennung zu verstecken. Das japanische CERT hat jetzt bösartige Word-Dokumente in PDFs gefunden. --------------------------------------------- https://heise.de/-9288262 ∗∗∗ Gefälschte Beschwerdemails an Hotels führen zu Schadsoftware ∗∗∗ --------------------------------------------- Derzeit kursieren gefälschte E-Mails mit angeblichen Gästebeschwerden. Bisher sind uns zwei Versionen bekannt. In einem E-Mail beklagt sich ein vermeintlicher Gast über die Sauberkeit der Zimmer, in einer anderen Version, wirft man dem Personal vor, Wertgegenstände aus dem Zimmer gestohlen zu haben. Als Beweis finden Sie im E-Mail einen Link zu Fotos. Wir vermuten Schadsoftware, klicken Sie nicht auf den Link! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-beschwerdemails-an-hotel… ∗∗∗ Ungefixter Skype-Bug ermöglicht Angreifern die IP-Adresse der Opfer abzufragen (August 2023) ∗∗∗ --------------------------------------------- Ein Sicherheitsforscher ist auf eine Möglichkeit gestoßen, die IP-Adresse eines Skype-Benutzers zu ermitteln, ohne dass die Zielperson überhaupt auf einen Link klicken muss. --------------------------------------------- https://www.borncity.com/blog/2023/08/29/ungefixter-skype-bug-ermglicht-ang… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities found in Techview LA-5570 Wireless Gateway Home Automation Controller ∗∗∗ --------------------------------------------- The Security Team at [exploitsecurity.io] uncovered multiple vulnerabilities in the Techview LA-5570 Wireless Home Automation Controller [Firmware Version 1.0.19_T53]. These vulnerabilities can be used to to gain full control of the affected device. CVE IDs: CVE-2023-34723, CVE-2023-34724, CVE-2023-34725 --------------------------------------------- https://www.exploitsecurity.io/post/cve-2023-34723-cve-2023-34724-cve-2023-… ∗∗∗ Webbrowser: Firefox 117, ESR 115.2 und ESR 102.15 dichten Sicherheitslecks ab ∗∗∗ --------------------------------------------- Die Mozilla-Entwickler haben die Firefox-Versionen 117, ESR 115.2 und ESR 102.15 herausgegeben, die mehrere teils hochriskante Sicherheitslücken schließen. --------------------------------------------- https://heise.de/-9288483 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flask-security and opendmarc), Fedora (qemu), Oracle (rust and rust-toolset:ol8), Red Hat (cups and libxml2), Scientific Linux (cups), SUSE (ca-certificates-mozilla, chromium, clamav, freetype2, haproxy, nodejs12, procps, and vim), and Ubuntu (faad2, json-c, libqb, linux, linux-aws, linux-lts-xenial, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-gkeop-5.15, and linux-gke, linux-ibm-5.4). --------------------------------------------- https://lwn.net/Articles/943006/ ∗∗∗ Unauthenticated OS Command Injection im Patton SN200 VoIP-Gateway (SYSS-2023-019) ∗∗∗ --------------------------------------------- Durch verschiedene Schwachstellen können unangemeldete Angreifende Sytembefehle auf dem Patton SN200 VoIP-Gateway ausführen. --------------------------------------------- https://www.syss.de/pentest-blog/unauthenticated-os-command-injection-im-pa… ∗∗∗ Festo Didactic: Cross-Site-Scripting (XSS) vulnerability in LX-Appliance ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-040/ ∗∗∗ Reflected Cross-Site Scripting (XSS) Schwachstelle in Codebeamer (ALM Solution) von PTC ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/reflected-cross-site-… ∗∗∗ IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in scikit-learn ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029479 ∗∗∗ A CVE-2023-21967 vulnerability in IBM Java Runtime affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029615 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM SDK, Java Technology Edition Quarterly CPU - Apr 2023 - Includes Oracle April 2023 CPU is vulnerable to (CVE-2023-2597) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029634 ∗∗∗ IBM Event Streams is vulnerable to denial of service attacks due to snappy-java (CVE-2023-34453, CVE-2023-34455, CVE-2023-34454) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029640 ∗∗∗ IBM Event Streams is vulnerable to a denial of service attack due to Golang Go (CVE-2023-29409) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029639 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to code injection and privilege escalation due to multiple vulnerabilities in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029646 ∗∗∗ Operations Dashboard is vulnerable to remote code execution, privilege escalation, and denial of service due to multiple Go vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029648 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029656 ∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029662 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.08.2023
by Daily end-of-shift report 28 Aug '23

28 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-08-2023 18:00 − Montag 28-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Update korrigiert Verschlüsselung von Qnap-Betriebssystemen ∗∗∗ --------------------------------------------- Qnap hat aktualisierte Versionen der QTS- und QuTS hero-Betriebssysteme veröffentlicht. Sie korrigieren unter anderem zu schwache Verschlüsselung. --------------------------------------------- https://heise.de/-9286394 ∗∗∗ Stalker-Malware: Whiffy Recon schnüffelt Standort alle 60 Sekunden aus ∗∗∗ --------------------------------------------- Eine Malware namens Whiffy Recon überprüft alle 60 Sekunden den Standort des infizierten Geräts. Es bleibt unklar, wozu. --------------------------------------------- https://heise.de/-9286754 ∗∗∗ Auch Antivirensoftware: Winrar-Schwachstelle betrifft womöglich weitere Programme ∗∗∗ --------------------------------------------- Nachtrag vom 28. August 2023, 17:28 Uhr: Herr Marx wies die Redaktion im Nachhinein darauf hin, dass eine mögliche Ausnutzung von CVE-2023-40477 für die einzelnen Anwendungen individuell beurteilt werden muss. Nicht jedes Programm, das die gefährdete DLL verwendet, macht automatisch Gebrauch von dem problematischen Code. --------------------------------------------- https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betri… ∗∗∗ Duolingo: Leck mit 2,6 Millionen Nutzerdatensätze, Prüfung auf Have I been Pwned möglich ∗∗∗ --------------------------------------------- Bei der Sprachlern-App Duolingo bzw. bei deren Anbieter ermöglichten Schwachstellen Benutzerdaten abzuziehen. Jetzt hat Troy Hunt einen Datensatz mit den Informationen zu 2,6 Millionen Duolingo Nutzern in seine Plattform Have I been Pwned integriert. --------------------------------------------- https://www.borncity.com/blog/2023/08/24/duolingo-leck-mit-26-millionen-nut… ∗∗∗ Antworten von Microsoft zum Hack der Microsoft Azure-Cloud durch Storm-0588 – Teil 1 ∗∗∗ --------------------------------------------- Ich hatte nach dem Hack der Microsoft Azure Cloud-Infrastruktur durch die mutmaßlich chinesische Gruppe Storm-0588 bei Microsoft Irland konkret nachgefragt, ob persönliche Daten eines meiner Microsoft Konten betroffen seien. Und ich hatte an den Bundesdatenschutzbeauftragten (BfDI), Ulrich Kelber, [...] --------------------------------------------- https://www.borncity.com/blog/2023/08/26/antworten-von-microsoft-zum-hack-d… ∗∗∗ Antworten des Bundesdatenschutzbeauftragten, Ulrich Kelber, zum Hack der Microsoft Azure-Cloud durch Storm-0588 – Teil 2 ∗∗∗ --------------------------------------------- In Teil 1 dieser Artikelreihe hatte die die Antworten Microsofts auf meine konkreten Fragen zum Hack der Microsoft Azure Cloud-Infrastruktur durch die mutmaßlich chinesische Gruppe Storm-0588 wiedergegeben. Ich hatte aber auch einige Fragen an die Presseabteilung des Bundesdatenschutzbeauftragten (BfDI) [...] --------------------------------------------- https://www.borncity.com/blog/2023/08/26/antworten-des-bundesdatenschutzbea… ∗∗∗ PoC for no-auth RCE on Juniper firewalls released ∗∗∗ --------------------------------------------- Researchers have released additional details about the recently patched four vulnerabilities affecting Juniper Networks’ SRX firewalls and EX switches that could allow remote code execution (RCE), as well as a proof-of-concept (PoC) exploit. --------------------------------------------- https://www.helpnetsecurity.com/2023/08/28/poc-rce-juniper-firewalls/ ∗∗∗ Beware the Azure Guest User: How to Detect When a Guest User Account Is Being Exploited ∗∗∗ --------------------------------------------- In Azure environments, guest users are the go-to option when giving access to a user from a different tenant. Often, little effort is invested in keeping guest users safe. However, this could prove to be a costly mistake. It’s actually very important to monitor the third-party applications and identities that have access to your environment, [...] --------------------------------------------- https://orca.security/resources/blog/detect-guest-user-account-exploited/ ∗∗∗ Reply URL Flaw Allowed Unauthorized MS Power Platform API Access ∗∗∗ --------------------------------------------- Cybersecurity experts from Secureworks have revealed a critical vulnerability within Microsoft’s Power Platform, now known as Entra ID. The vulnerability, discovered early this year, involved an abandoned reply URL within the Azure Active Directory (AD) environment, granting unauthorized access to elevated permissions and control within an organization. --------------------------------------------- https://www.hackread.com/reply-url-flaw-ms-power-platform-api-access/ ∗∗∗ KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities ∗∗∗ --------------------------------------------- An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for Telnet scanning and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar said in an analysis published this month. --------------------------------------------- https://thehackernews.com/2023/08/kmsdbot-malware-gets-upgrade-now.html ===================== = Vulnerabilities = ===================== ∗∗∗ D-Link DAP-2622: Various Security Vulnerabilities Reported ∗∗∗ --------------------------------------------- Affected Models: DAP-2622 Hardware Revision: All A Series Hardware Revisions Region: Non-US/CA Affected FW: v1.00 & Below Fixed FW: v1.10B03R022 Beta-Hotfix --------------------------------------------- https://supportannouncement.us.dlink.com/announcement/publication.aspx?name… ∗∗∗ Busybox cpio directory traversal vulnerability (CVE-2023-39810) ∗∗∗ --------------------------------------------- When extracting cpio archives with BusyBox cpio, the cpio archiving tools may write files outside the destination directory and there is no option to prevent this. --------------------------------------------- https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerabi… ∗∗∗ Sicherheitsupdates: Drupal-Plug-ins mit Schadcode-Lücken ∗∗∗ --------------------------------------------- Wenn bestimmte Plug-ins zum Einsatz kommen, sind mit dem CMS Drupal erstellte Websites attackierbar. --------------------------------------------- https://heise.de/-9286388 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, clamav, librsvg, rar, and unrar-nonfree), Fedora (caddy, chromium, and xen), and SUSE (ca-certificates-mozilla, gawk, ghostscript, java-1_8_0-ibm, java-1_8_0-openjdk, php7, qemu, and xen). --------------------------------------------- https://lwn.net/Articles/942922/ ∗∗∗ Sicherheitsschwachstellen im tef-Händlerportal (SYSS-2023-020/-021) ∗∗∗ --------------------------------------------- Im tef-Händlerportal kann über eine Persistent Cross-Site Scripting-Schwachstelle beliebiger Code im Kontext des Benutzers ausgeführt werden. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstellen-im-tef-haendlerp… ∗∗∗ VU#757109: Groupnotes Inc. Videostream Mac client allows for privilege escalation to root account ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/757109 ∗∗∗ Vulnerabilities in IBM Java Runtime affect z/Transaction Processing Facility ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028975 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to arbitrary code execution due to an unsafe deserialization flaw (CVE-2022-40609). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029160 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from systemd, libcap, openssl-libs, libxml2, go-toolset, and prometheus-operator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029356 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029359 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-35890) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029364 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-32342] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029362 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029361 ∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - July 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7029360 ∗∗∗ GNU C library (glibc) vulnerability affects (CVE-2015-7547) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650093 ∗∗∗ ISC DHCP vulnerability affects TS4500 Tape Library (CVE-2018-5732) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650877 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2023
by Daily end-of-shift report 25 Aug '23

25 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-08-2023 18:00 − Freitag 25-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Auch Antivirensoftware: Winrar-Schwachstelle betrifft Hunderte weitere Programme ∗∗∗ --------------------------------------------- Nicht nur alte Winrar-Versionen sind für eine jüngst gepatchte Sicherheitslücke anfällig, sondern auch zahlreiche weitere Anwendungen. --------------------------------------------- https://www.golem.de/news/auch-antivirensoftware-winrar-schwachstelle-betri… ∗∗∗ FBI-Warnung: Barracuda ESG-Appliances noch immer bedroht, umgehend entfernen ∗∗∗ --------------------------------------------- Das FBI warnt vor den Barracuda-ESG-Schwachstellen, die Ende Mai bekannt wurden. Es geht davon aus, dass alle Geräte kompromittiert seien. --------------------------------------------- https://heise.de/-9284695 ∗∗∗ „Mammutjagd“ auf Online-Marktplätze ∗∗∗ --------------------------------------------- Mit dem Toolset "Telekopye" können auch technisch wenig versierte Hacker auf Online-Marktplätzen Jagd auf ahnungslose Käufer – im Gauner-Slang "Mammut" - machen. --------------------------------------------- https://www.zdnet.de/88411400/mammutjagd-auf-online-marktplaetze/ ∗∗∗ Jupiter X Core WordPress plugin could let hackers hijack sites ∗∗∗ --------------------------------------------- Two vulnerabilities affecting some version of Jupiter X Core, a premium plugin for setting up WordPress and WooCommerce websites, allow hijacking accounts and uploading files without authentication. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jupiter-x-core-wordpress-plu… ∗∗∗ Python Malware Using Postgresql for C2 Communications, (Fri, Aug 25th) ∗∗∗ --------------------------------------------- For modern malware, having access to its C2 (Command and control) is a crucial point. There are many ways to connect to a C2 server using tons of protocols, but today, HTTP remains very common because HTTP is allowed on most networks... --------------------------------------------- https://isc.sans.edu/diary/rss/30158 ∗∗∗ Playing Dominos with Moodles Security (1/2) ∗∗∗ --------------------------------------------- This is the first blog in a two-part series where we will present our findings on a Moodle security audit we conducted. We were drawn to researching the security aspect of the framework due to its popularity, with the goal of contributing to a safer internet. In this first article, we demonstrate how an unauthenticated attacker can leverage a vulnerability with a supposedly low impact to gain full control over the Moodle instance. --------------------------------------------- https://www.sonarsource.com/blog/playing-dominos-with-moodles-security-1/ ∗∗∗ A broken marriage. Abusing mixed vendor Kerberos stacks ∗∗∗ --------------------------------------------- *nix based servers and services can be joined to Active Directory networks in the same way as their Windows counterparts. This is usually facilitated through the MIT or Heimdal Kerberos stacks. Kerberos is designed as an authentication-based protocol therefore authorisation decisions are implemented independently to the Kerberos protocol itself. Due to this, different vendor stacks behave differently on how authorisation decisions are made. --------------------------------------------- https://www.pentestpartners.com/security-blog/a-broken-marriage-abusing-mix… ∗∗∗ A Beginner’s Guide to Adversary Emulation with Caldera ∗∗∗ --------------------------------------------- The target audience for this blog post is individuals who have a basic understanding of cybersecurity concepts and terminology and looking to expand their knowledge on adversary emulation. This post delves into the details of adversary emulation with the Caldera framework exploring the benefits it offers. --------------------------------------------- https://blog.nviso.eu/2023/08/25/a-beginners-guide-to-adversary-emulation-w… ∗∗∗ Analysis of MS-SQL Server Proxyjacking Cases ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered cases of proxyjacking targeting poorly managed MS-SQL servers. Publicly accessible MS-SQL servers with simple passwords are one of the main attack vectors used when targeting Windows systems. Typically, threat actors target poorly managed MS-SQL servers and attempt to gain access through brute force or dictionary attacks. If successful, they install malware on the infected system. --------------------------------------------- https://asec.ahnlab.com/en/56350/ ∗∗∗ Stories from the SOC - Unveiling the stealthy tactics of Aukill malware ∗∗∗ --------------------------------------------- On April 21st, 2023, AT&T Managed Extended Detection and Response (Managed XDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the clients print server to disable the servers installed endpoint detection and response (EDR) solution by brute-forcing an administrator account and downgrading a driver to a vulnerable version. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/stories-from-the-so… ===================== = Vulnerabilities = ===================== ∗∗∗ Maxon Cinema 4D SKP File Parsing vulnerabilities ∗∗∗ --------------------------------------------- CVSS Score: 7.8 CVE-2023-40482, CVE-2023-40483, CVE-2023-40486, CVE-2023-40485, CVE-2023-40484, CVE-2023-40488, CVE-2023-4049[0], CVE-2023-40491, CVE-2023-40487, CVE-2023-40489 Mitigation: Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application. --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ (0Day) LG Simple Editor vulnerabilities ∗∗∗ --------------------------------------------- CVSS Scores: 6.5-9.8 CVE-2023-40502, CVE-2023-40513, CVE-2023-40514, CVE-2023-40515, CVE-2023-40492, CVE-2023-40493, CVE-2023-40494, CVE-2023-40495, CVE-2023-40496, CVE-2023-40497, CVE-2023-40498, CVE-2023-40499, CVE-2023-40500, CVE-2023-40503, CVE-2023-40503, CVE-2023-40504, CVE-2023-40505, CVE-2023-40506, CVE-2023-40507, CVE-2023-40508, CVE-2023-40509, CVE-2023-40510, CVE-2023-40511, CVE-2023-40512, CVE-2023-40501, CVE-2023-40516 [...] they do not have plans to fix the [vulnerabilities] --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ (0Day) LG SuperSign Media Editor vulnerabilities ∗∗∗ --------------------------------------------- CVSS Scores: 5.3-7.5 CVE-2023-40517, CVE-2023-41181 The vendor states that they do not have plans to fix the [vulnerabilities] now or in the future. [...] Given the nature of the [vulnerabilities], the only salient mitigation strategy is to restrict interaction with the application. --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ QNap: [Vulnerabilities] in QTS and QuTS hero ∗∗∗ --------------------------------------------- CVE-2023-34971, CVE-2023-34973, CVE-2023-34972 Affected products: QTS 5.1.0, 5.0.1, 4.5.4; QuTS hero h5.1.0, h4.5.4 We have already fixed the [vulnerabilities] in the following operating system versions: * QTS 5.1.0.2444 build 20230629 and later * QTS 5.0.1.2425 build 20230609 and later * QTS 4.5.4.2467 build 20230718 and later * QuTS hero h5.1.0.2424 build 20230609 and later * QuTS hero h4.5.4.2476 build 20230728 and later --------------------------------------------- https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tryton-server), Fedora (youtube-dl), SUSE (clamav and krb5), and Ubuntu (cjose and fastdds). --------------------------------------------- https://lwn.net/Articles/942766/ ∗∗∗ ZDI-23-1224: LG LED Assistant updateFile Directory Traversal Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1224/ ∗∗∗ ZDI-23-1223: LG LED Assistant thumbnail Directory Traversal Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1223/ ∗∗∗ ZDI-23-1222: LG LED Assistant setThumbnailRc Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1222/ ∗∗∗ ZDI-23-1221: LG LED Assistant upload Directory Traversal Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1221/ ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028506 ∗∗∗ ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017974 ∗∗∗ Multiple vulnerabilities found in IBM Java which is shipped with IBM Intelligent Operations Center(CVE-2022-21541, CVE-2022-21540) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028934 ∗∗∗ IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2023-26115] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028936 ∗∗∗ IBM Spectrum Copy Data Management uses weaker than expected cryptographic algorithms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028841 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2023
by Daily end-of-shift report 24 Aug '23

24 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-08-2023 18:00 − Donnerstag 24-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New "Whiffy Recon" Malware Triangulates Infected Device Location via Wi-Fi Every Minute ∗∗∗ --------------------------------------------- The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems positions by scanning nearby Wi-Fi access points as a data point for Googles geolocation API," [...] --------------------------------------------- https://thehackernews.com/2023/08/new-whiffy-recon-malware-triangulates.html ∗∗∗ Using LLMs to reverse JavaScript variable name minification ∗∗∗ --------------------------------------------- This blog introduces a novel way to reverse minified Javascript using large language models (LLMs) like ChatGPT and llama2 while keeping the code semantically intact. The code is open source and available at Github --------------------------------------------- https://thejunkland.com/blog/using-llms-to-reverse-javascript-minification ∗∗∗ Microsoft: Windows-Update-Vorschauen schützen vor Downfall-CPU-Lücke ∗∗∗ --------------------------------------------- Microsoft hat die Vorschauen auf die Windows-Updates im September veröffentlicht. Sie bringen Gegenmaßnahmen für die Downfall-Intel-CPU-Lücke mit. --------------------------------------------- https://heise.de/-9283485 ∗∗∗ FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation says that the patches released for a recent Barracuda Email Security Gateway (ESG) vulnerability were not effective, advising organizations to “remove all ESG appliances immediately”. --------------------------------------------- https://www.securityweek.com/fbi-patches-for-recent-barracuda-esg-zero-day-… ∗∗∗ Lazarus Group exploits ManageEngine vulnerability to deploy QuiteRAT ∗∗∗ --------------------------------------------- This is the third documented campaign attributed to this actor in less than a year, with the actor reusing the same infrastructure throughout these operations. --------------------------------------------- https://blog.talosintelligence.com/lazarus-quiterat/ ∗∗∗ Tunnel Warfare: Exposing DNS Tunneling Campaigns using Generative Models – CoinLoader Case Study ∗∗∗ --------------------------------------------- In this blog post, we provide a deep dive into Check Point’s ongoing use of such a model to sweep across this haystack, and routinely thwart malicious campaigns abusing the DNS protocol to communicate with C&C servers. We focus on one such campaign, of CoinLoader, and lay out its infrastructure as well as an in-depth technical analysis of its DNS tunnelling functionality. --------------------------------------------- https://research.checkpoint.com/2023/tunnel-warfare-exposing-dns-tunneling-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: DoS-Attacken auf Firewalls und Switches von Cisco möglich ∗∗∗ --------------------------------------------- Angreifer können Geräte von Cisco via DoS-Attacken lahmlegen. Der Netzwerkausrüster hat Sicherheitspatches veröffentlicht. --------------------------------------------- https://heise.de/-9283445 ∗∗∗ Security Advisories for Drupal contributed projects ∗∗∗ --------------------------------------------- * Config Pages - Moderately critical - Information Disclosure * Shorthand - Critical - Access bypass * SafeDelete - Moderately critical - Access bypass * Data field - Moderately critical - Access bypass * ACL - Critical - Arbitrary PHP code execution * Forum Access - Critical - Arbitrary PHP code execution * Flexi Access - Critical - Arbitrary PHP code execution --------------------------------------------- https://www.drupal.org/security/contrib ∗∗∗ CVE-2023-35150: Arbitrary Code Injection in XWiki.org XWiki ∗∗∗ --------------------------------------------- [..] detail a recently patched remote code execution vulnerability in the XWiki free wiki software platform. This bug was originally discovered by Michael Hamann with public Proof-of-Concept (PoC) code provided by Manuel Leduc. Successful exploitation of this vulnerability would allow an authenticated attacker to perform an arbitrary code injection on affected systems. --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/8/22/cve-2023-35150-arbitrary-c… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (w3m), Fedora (libqb), Mageia (docker-containerd, kernel, kernel-linus, microcode, php, redis, and samba), Oracle (kernel, kernel-container, and openssh), Scientific Linux (subscription-manager), SUSE (ca-certificates-mozilla, erlang, gawk, gstreamer-plugins-base, indent, java-1_8_0-ibm, kernel, kernel-firmware, krb5, libcares2, nodejs14, nodejs16, openssl-1_1, openssl-3, poppler, postfix, redis, webkit2gtk3, and xen), and Ubuntu (php8.1). --------------------------------------------- https://lwn.net/Articles/942654/ ∗∗∗ Synology-SA-23:12 Synology SSL VPN Client ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_12 ∗∗∗ MISP 2.4.175 released with various bugs fixed, improvements and security fixes. ∗∗∗ --------------------------------------------- https://www.misp-project.org/2023/08/24/MISP.2.4.175.released.html/ ∗∗∗ OPTO 22 SNAP PAC S1 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-02 ∗∗∗ CODESYS Development System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-03 ∗∗∗ CODESYS Development System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-04 ∗∗∗ CODESYS Development System ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-05 ∗∗∗ Rockwell Automation Input/Output Modules ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-06 ∗∗∗ KNX Protocol ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-236-01 ∗∗∗ Multiple Vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028350 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028511 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028506 ∗∗∗ IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2022-43904) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028509 ∗∗∗ IBM Security Guardium is affected by an SQL Injection vulnerability (CVE-2023-33852) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028514 ∗∗∗ IBM Security Verify Access OpenID Connect Provider container has fixed multiple vulnerabilities (CVE-2022-43868, CVE-2022-43739, CVE-2022-43740) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028513 ∗∗∗ AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028095 ∗∗∗ IBM Elastic Storage System is affected by a vulnerability in OpenSSL (CVE-2022-4304) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028709 ∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028713 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality due to [CVE-2023-26268] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028728 ∗∗∗ IBM App Connect Enterprise Certified Container operands that use the Box or Snowflake connectors are vulnerable to arbitrary code execution due to [CVE-2023-37466], [CVE-2023-37903] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028727 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2023
by Daily end-of-shift report 23 Aug '23

23 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-08-2023 18:00 − Mittwoch 23-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schwachstellen im Web-Interface machen Aruba Orchestrator angreifbar ∗∗∗ --------------------------------------------- Angreifer können Arubas SD-WAN-Managementlösung EdgeConnect SD-WAN Orchestrator attackieren. --------------------------------------------- https://heise.de/-9282524 ∗∗∗ CISA warnt vor Angriffen auf Veeam-Backup-Sicherheitslücke ∗∗∗ --------------------------------------------- Die Cybersicherheitsbehörde CISA warnt vor aktuell laufenden Angriffen auf eine Veeam-Backup-Schwachstelle. Updates stehen bereit. --------------------------------------------- https://heise.de/-9282365 ∗∗∗ Die beliebteste WLAN-Glühbirne auf Amazon lässt Hacker in euer Netzwerk ∗∗∗ --------------------------------------------- Die TP-Link Tapo L530E hat Sicherheitslücken, mit denen sich Fremde Zugriff auf euer WLAN und damit auch auf die Geräte darin verschaffen können. --------------------------------------------- https://futurezone.at/produkte/wlan-lampe-gluehbrine-amazon-hacker-tp-link-… ∗∗∗ Vorsicht: Gefälschte Versionen von Google Bard verbreiten Malware ∗∗∗ --------------------------------------------- Achtung vor Fake-Werbung mit Google Bard: Hinter den Links befindet sich Malware. --------------------------------------------- https://futurezone.at/digital-life/google-bard-malware-faelschungen-fake-so… ∗∗∗ More Exotic Excel Files Dropping AgentTesla, (Wed, Aug 23rd) ∗∗∗ --------------------------------------------- Excel is an excellent target for attackers. The Microsoft Office suite is installed on millions of computers, and people trust these files. If we have the classic xls, xls, xlsm file extensions, Excel supports many others! Just check your local registry: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/30150 ∗∗∗ Lateral movement: A conceptual overview ∗∗∗ --------------------------------------------- I think it would help a lot of those people to look at lateral movement from a conceptual point of view, instead of trying to understand all the techniques and ways in which lateral movement is achieved. [...] The goal is to hopefully enable more people to learn about how they can restructure or design their environments to be more resilient against lateral movement. --------------------------------------------- https://diablohorn.com/2023/08/22/lateral-movement-a-conceptual-overview/ ∗∗∗ Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders. ∗∗∗ --------------------------------------------- In large metropolitan areas, tourists are often easy to spot because theyre far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior. --------------------------------------------- https://krebsonsecurity.com/2023/08/tourists-give-themselves-away-by-lookin… ∗∗∗ Hackergruppe CosmicBeetle verbreitet Ransomware in Europa ∗∗∗ --------------------------------------------- Gruppe verwendet das Toolset Spacecolon, um Ransomware unter ihren Opfern zu verbreiten und Lösegeld zu erpressen. --------------------------------------------- https://www.zdnet.de/88411341/hackergruppe-cosmicbeetle-verbreitet-ransomwa… ∗∗∗ NVMe: New Vulnerabilities Made Easy ∗∗∗ --------------------------------------------- As vulnerability researchers, our primary mission is to find as many vulnerabilities as possible with the highest severity as possible. Finding vulnerabilities is usually challenging. But could there be a way, in some cases, to reach the same results with less effort? --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/nvme-new-vulnerabil… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and qt4-x11), Fedora (java-17-openjdk, linux-firmware, and python-yfinance), Red Hat (kernel, kpatch-patch, and subscription-manager), SUSE (evolution, janino, kernel, nodejs16, nodejs18, postgresql15, qt6-base, and ucode-intel), and Ubuntu (inetutils). --------------------------------------------- https://lwn.net/Articles/942514/ ∗∗∗ Google Chrome 116.0.5845.110/.111 Sicherheitsupdates ∗∗∗ --------------------------------------------- Google hat zum 22. August 2023 Updates des Google Chrome Browsers 116 im Stable Channel für Mac, Linux und Windows freigegeben. Es sind Sicherheitsupdates, die in den kommenden Wochen ausgerollt werden und 5 Schwachstellen (Einstufung als "hoch") beseitigen soll. --------------------------------------------- https://www.borncity.com/blog/2023/08/23/google-chrome-116-0-5845-110-111-s… ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028405 ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028403 ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028404 ∗∗∗ Multiple vulnerabilities may affect IBM Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028407 ∗∗∗ AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH (CVE-2023-40371 and CVE-2023-38408) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028420 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2023
by Daily end-of-shift report 22 Aug '23

22 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 21-08-2023 18:00 − Dienstag 22-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sneaky Amazon Google ad leads to Microsoft support scam ∗∗∗ --------------------------------------------- A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sneaky-amazon-google-ad-lead… ∗∗∗ Akira ransomware targets Cisco VPNs to breach organizations ∗∗∗ --------------------------------------------- Theres mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cis… ∗∗∗ Security review for Microsoft Edge version 116 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 116! We have reviewed the new settings in Microsoft Edge version 116 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 114 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ New Variant of XLoader macOS Malware Disguised as OfficeNote Productivity App ∗∗∗ --------------------------------------------- A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote.""The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. --------------------------------------------- https://thehackernews.com/2023/08/new-variant-of-xloader-macos-malware.html ∗∗∗ CISA, NSA, and NIST Publish Factsheet on Quantum Readiness ∗∗∗ --------------------------------------------- Today, [CISA, NSA, NIST] released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/21/cisa-nsa-and-nist-publis… ∗∗∗ Exploitation of Openfire CVE-2023-32315 ∗∗∗ --------------------------------------------- This vulnerability has flown under the radar on the defensive side of the industry. CVE-2023-32315 has been exploited in the wild, but you won’t find it in the CISA KEV catalog. There has also been minimal discussion about indicators of compromise and very few detections (although to their credit, Ignite Realtime put out patches and a great mitigation guide back in May). --------------------------------------------- https://vulncheck.com/blog/openfire-cve-2023-32315 ∗∗∗ Kritische Sicherheitslücke in Ivanti Sentry wird bereits missbraucht ∗∗∗ --------------------------------------------- Ivanti schließt in Sentry, vormals MobileIron Sentry, eine kritische Sicherheitslücke. Sie wird bereits angegriffen. --------------------------------------------- https://heise.de/-9278280 ∗∗∗ Facebook: Vorsicht vor Fake-Gewinnspielen von Kronehit und Radio Arabella ∗∗∗ --------------------------------------------- Kriminelle erstellen auf Facebook Fake-Profile von österreichischen Radiomoderator:innen. Betroffen sind aktuell Melanie See von Radio Arabella und Christian Mederitsch von Kronehit. Auf den Fake-Profilen werden betrügerische Gewinnspiele verbreitet. „Gewinner:innen“ werden per Kommentar benachrichtigt und müssen dann einen Link aufrufen oder dem Fake-Profil eine Privatnachricht schreiben. Melden Sie das Fake-Gewinnspiel und antworten Sie nicht! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-vorsicht-vor-fake-gewinnspi… ∗∗∗ This AI-generated crypto invoice scam almost got me, and Im a security pro ∗∗∗ --------------------------------------------- Even a tech pro can fall for a well-laid phishing trap. Heres what happened to me - and how you can avoid a similar fate, too. --------------------------------------------- https://www.zdnet.com/article/this-ai-generated-crypto-invoice-scam-almost-… ∗∗∗ Verbraucherzentrale warnt vor Fake-Paypal-Betrugsanrufen ∗∗∗ --------------------------------------------- Ich nehme mal die Warnung vor einer Betrugsmasche hier mit im Blog auf, vor der die Verbraucherzentrale Baden-Württemberg aktuell warnt. Betrüger versuchen wohl über Call Center Opfer in Deutschland mit Schockanrufen über den Tisch zu ziehen. --------------------------------------------- https://www.borncity.com/blog/2023/08/22/verbraucherzentrale-warnt-vor-fake… ===================== = Vulnerabilities = ===================== ∗∗∗ TP-Link smart bulbs can let hackers steal your WiFi password ∗∗∗ --------------------------------------------- Researchers from Italy and the UK have discovered four vulnerabilities in the TP-Link Tapo L530E smart bulb and TP-Links Tapo app, which could allow attackers to steal their targets WiFi password. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tp-link-smart-bulbs-can-let-… ∗∗∗ McAfee Security Bulletin – McAfee Safe Connect update fixes Privilege Escalation vulnerability (CVE-2023-40352) ∗∗∗ --------------------------------------------- This Security Bulletin describes a vulnerability in a McAfee program, and provides ways to remediate (fix) the issue or mitigate (minimize) its impact. --------------------------------------------- https://www.mcafee.com/support/?articleId=TS103462&page=shell&shell=article… ∗∗∗ Hitachi Energy AFF66x ∗∗∗ --------------------------------------------- CVSS v3 9.6 Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices. CVE-2021-43523, CVE-2020-13817, CVE-2020-11868, CVE-2019-11477, CVE-2022-3204, CVE-2018-18066 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01 ∗∗∗ Rockwell Automation ThinManager ThinServer ∗∗∗ --------------------------------------------- CVSS v3 9.8 Rockwell Automation reports this vulnerability affects the following versions of ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-03 ∗∗∗ Trane Thermostats ∗∗∗ --------------------------------------------- CVSS v3 6.8 Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as root using a specially crafted filename. CVE-2023-4212 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-02 ∗∗∗ Jetzt patchen! Angreifer schieben Schadcode durch Lücke in Adobe ColdFusion ∗∗∗ --------------------------------------------- Angreifer attackieren Adobes Middleware ColdFusion. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-9278446 ∗∗∗ K000135921 : Python urllib.parse vulnerability CVE-2023-24329 ∗∗∗ --------------------------------------------- An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. --------------------------------------------- https://my.f5.com/manage/s/article/K000135921?utm_source=f5support&utm_medi… ∗∗∗ Critical Privilege Escalation Vulnerability in Charitable WordPress Plugin Affects Over 10,000 sites ∗∗∗ --------------------------------------------- After providing full disclosure details, the developer released a patch on August 17, 2023. We would like to commend the WP Charitable Team for their prompt response and timely patch, which was released in just one day. We urge users to update their sites with the latest patched version of Charitable, which is version 1.7.0.13 at the time of this writing, as soon as possible. --------------------------------------------- https://www.wordfence.com/blog/2023/08/critical-privilege-escalation-vulner… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, lxc, and zabbix), Fedora (clamav), SUSE (python-configobj), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/942405/ ∗∗∗ IBM Robotic Process Automation is vulnerable to exposure of sensitive information in application logs (CVE-2023-38732) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028221 ∗∗∗ IBM Robotic Process Automation is vulnerable to information disclosure of script content (CVE-2023-40370) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028218 ∗∗∗ Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028226 ∗∗∗ IBM Robotic Process Automation is vulnerable to sensitive information disclosure in installation logs (CVE-2023-38733) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028223 ∗∗∗ A vulnerability in urlib3 affects IBM Robotic Process Automation for Cloud Pak which may result in CRLF injection (CVE-2020-26137). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028229 ∗∗∗ Multiple security vulnerabilities in .NET may affect IBM Robotic Process Automation for Cloud Pak (CVE-2023-24936, CVE-2023-29337, CVE-2023-33128) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028228 ∗∗∗ IBM Robotic Process Automation is vulnerable to incorrect privilege assignment when importing user from an LDAP directory (CVE-2023-38734). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028227 ∗∗∗ AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027598 ∗∗∗ IBM Decision Optimization for Cloud Pak for Data is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551376 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551326 ∗∗∗ IBM Informix JDBC Driver Is Vulnerable to Remote Code Execution (CVE-2023-27866) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007615 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6565069 ∗∗∗ A Unspecified Java Vulnerability is affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6594121 ∗∗∗ Vulnerabilities in Linux kernel, libssh, and Java can affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028316 ∗∗∗ Vulnerabilities in Oracle Java and the IBM Java SDK (CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968 and CVE-2023-21937 ) affect Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028209 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028350 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2023
by Daily end-of-shift report 21 Aug '23

21 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-08-2023 18:00 − Montag 21-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Week in Ransomware - August 18th 2023 - LockBit on Thin Ice ∗∗∗ --------------------------------------------- While there was quite a bit of ransomware news this week, the highlighted story was the release of Jon DiMaggios third article in the Ransomware Diaries series, with the focus of this article on the LockBit ransomware operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-augus… ∗∗∗ WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker thats engineered to conduct tech support scams.The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks [..] --------------------------------------------- https://thehackernews.com/2023/08/wooflocker-toolkit-hides-malicious.html ∗∗∗ How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes ∗∗∗ --------------------------------------------- >From a user’s perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you’re seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments. --------------------------------------------- https://thehackernews.com/2023/08/how-to-investigate-oauth-grant-for.html ∗∗∗ Journey into Windows Kernel Exploitation: The Basics ∗∗∗ --------------------------------------------- This blogpost embarks on the initial stages of kernel exploitation. The content serves as an introduction, leading to an imminent and comprehensive whitepaper centered around this subject matter. Through this, a foundation is laid for understanding how kernel drivers are developed, as well as basic understanding around key concepts that will be instrumental to comprehending the paper itself. --------------------------------------------- https://blog.neuvik.com/journey-into-windows-kernel-exploitation-the-basics… ∗∗∗ mTLS: When certificate authentication is done wrong ∗∗∗ --------------------------------------------- In this post, well deep dive into some interesting attacks on mTLS authentication. Well have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation, and information leakages. --------------------------------------------- https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done… ∗∗∗ ScienceLogic Dumpster Fire ∗∗∗ --------------------------------------------- In the last email correspondence with the vendor, nearly 9 months ago, the security director asserted that the vulnerabilities were addressed. However, they remained reluctant to proceed with CVE issuance. Considering the extensive duration that’s transpired, we opted to independently proceed with CVE issuance and disclosure. As a result, the vulnerabilities we identified are logged as CVE-2022-48580 through CVE-2022-48604. --------------------------------------------- https://www.securifera.com/blog/2023/08/16/sciencelogic-dumpster-fire/ ∗∗∗ Volatility Workbench: Empowering memory forensics investigations ∗∗∗ --------------------------------------------- Memory forensics plays a crucial role in digital investigations, allowing forensic analysts to extract valuable information from a computers volatile memory. Two popular tools in this field are Volatility Workbench and Volatility Framework. This article aims to compare and explore these tools, highlighting their features and differences to help investigators choose the right one for their needs. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/volatility-workbenc… ∗∗∗ Vorsicht vor Investment-Tipps aus Telegram-Gruppen ∗∗∗ --------------------------------------------- Zahlreiche Telegram-Gruppen wie „Didi Random“, „Glück liebt Geld“ oder „Geld-Leuchtturm“ versprechen schnellen Reichtum. In diesen Gruppen erhalten Sie angebliche Investmenttipps, Erfolgsgeschichten von Anleger:innen und Kontakte zu „Finanz-Gurus“, die Ihnen bei der Geldanlage helfen. Wenn Sie bei den empfohlenen Plattformen investieren, verlieren Sie viel Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-investment-tipps-aus-te… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting (CVE-2023-40068) ∗∗∗ --------------------------------------------- Description: WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on the web browser of the user who is logging in to the product with the editor or higher privilege. --------------------------------------------- https://jvn.jp/en/jp/JVN98946408/ ∗∗∗ Multiple vulnerabilities in LuxCal Web Calendar ∗∗∗ --------------------------------------------- Impact: - An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-39543 - A remote attacker may execute arbitrary queries against the database and obtain or alter the information in it - CVE-2023-39939 --------------------------------------------- https://jvn.jp/en/jp/JVN04876736/ ∗∗∗ CD_SVA_2023_3: Wibu Systems - CodeMeter Runtime - security vulnerability addressed ∗∗∗ --------------------------------------------- A report has been received for the following security vulnerability in the zenon software platform: CVE-2023-3935 Further details regarding the vulnerability, mitigation options and product fixes that may be available, can be found in [...] --------------------------------------------- https://selfservice.copadata.com/portal/en/kb/articles/cd-sva-2023-3-wibu-s… ∗∗∗ CVE-2023-38035 - Vulnerability affecting Ivanti Sentry ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Ivanti Sentry, formerly MobileIron Sentry. We have reported this as CVE-2023-38035. This vulnerability impacts all supported versions – Versions 9.18. 9.17 and 9.16. Older versions/releases are also at risk. This vulnerability does not affect other Ivanti products or solutions [..] While the issue has a high CVSS score, there is low risk of exploitation for customers who do not expose 8443 to the internet. --------------------------------------------- https://www.ivanti.com/blog/cve-2023-38035-vulnerability-affecting-ivanti-s… ∗∗∗ Update bereits ausgespielt: Kritische Lücke in WinRAR erlaubte Code-Ausführung ∗∗∗ --------------------------------------------- Das verbreitete Kompressionstool WinRAR besaß in älteren Versionen eine schwere Lücke, die beliebige Codeausführung erlaubte. Die aktuelle Version schließt sie. --------------------------------------------- https://heise.de/-9268105 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fastdds, flask, and kernel), Fedora (chromium, dotnet6.0, dotnet7.0, gerbv, java-1.8.0-openjdk, libreswan, procps-ng, and spectre-meltdown-checker), SUSE (chromium, kernel-firmware, krb5, opensuse-welcome, and python-mitmproxy), and Ubuntu (clamav, firefox, and vim). --------------------------------------------- https://lwn.net/Articles/942311/ ∗∗∗ GraphQL Java component is vulnerable to CVE-2023-28867 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028108 ∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028091 ∗∗∗ Mutiple Vulnerabilties Affecting IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028166 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to denial of service, availability, integrity, and confidentiality impacts due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028168 ∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-2454) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028185 ∗∗∗ A security vulnerability in Microsoft.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2023-29331). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026762 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2023
by Daily end-of-shift report 18 Aug '23

18 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-08-2023 18:00 − Freitag 18-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ „Ihre Rückerstattung ist online verfügbar“: Phishing-Mail im Namen von oesterreich.gv.at ∗∗∗ --------------------------------------------- Aktuell melden uns zahlreiche Leser:innen eine betrügerische E-Mail, die im Namen von oesterreich.gv.at verschickt wird. In der E-Mail wird behauptet, dass eine Rückerstattung von 176,88 Euro aussteht. Achtung: Dahinter stecken Kriminelle! --------------------------------------------- https://www.watchlist-internet.at/news/ihre-rueckerstattung-ist-online-verf… ∗∗∗ Microsoft: BlackCats Sphynx ransomware embeds Impacket, RemCom ∗∗∗ --------------------------------------------- Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the Remcom hacking tool, both enabling spreading laterally across a breached network. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-blackcats-sphynx-… ∗∗∗ From a Zalando Phishing to a RAT, (Fri, Aug 18th) ∗∗∗ --------------------------------------------- Phishing remains a lucrative threat. We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German retailer of shoes, fashion across Europe. It was the first time that I saw them used in a phishing campaign. --------------------------------------------- https://isc.sans.edu/diary/rss/30136 ∗∗∗ Critical Security Update for Magento Open Source & Adobe Commerce ∗∗∗ --------------------------------------------- Last week on August 8th, 2023, Adobe released a critical security patch for Adobe Commerce and the Magento Open Source CMS. The patch provides fixes for three vulnerabilities which affect the popular ecommerce platforms. Successful exploitation could lead to arbitrary code execution, privilege escalation and arbitrary file system read. --------------------------------------------- https://blog.sucuri.net/2023/08/critical-security-update-for-magento-adobe-… ∗∗∗ New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools ∗∗∗ --------------------------------------------- Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the companys [...] --------------------------------------------- https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.ht… ∗∗∗ Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams ∗∗∗ --------------------------------------------- [...] another 3 years have gone by and this campaign is still going as if nothing has happened. The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts. [...] This blog post summarizes our latest findings and provides indicators of compromise that may be helpful to the security community. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2 ∗∗∗ Recapping the top stories from Black Hat and DEF CON ∗∗∗ --------------------------------------------- If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-aug-17-2023/ ∗∗∗ NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security ∗∗∗ --------------------------------------------- A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News. "Running as "NT AUTHORITY\SYSTEM" is required. --------------------------------------------- https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html ∗∗∗ Kommentar zum Azure-Master-Key-Diebstahl: Microsofts Reaktion lässt tief blicken ∗∗∗ --------------------------------------------- Microsoft lässt sich einen Signing Key für Azure klauen. Bis jetzt ist die Tragweite des Angriffs unklar. Das ist unverantwortlich, kommentiert Oliver Diedrich. --------------------------------------------- https://heise.de/-9258697 ∗∗∗ Gefälschte Buchungsseite vom Hotel Regina ∗∗∗ --------------------------------------------- Planen Sie gerade einen Urlaub in Wien? Vorsicht, wenn Sie das Hotel Regina buchen wollen. Kriminelle haben eine gefälschte Buchungsseite ins Netz gestellt. Die Internetadresse der betrügerischen Buchungsseite lautet regina-hotel-vienna.h-rez.com. Wenn Sie dort buchen, stehlen Kriminelle Ihnen persönliche Daten und Kreditkartendaten. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-buchungsseite-vom-hotel-… ===================== = Vulnerabilities = ===================== ∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability. By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices. CVE IDs: CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 --------------------------------------------- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-B… ∗∗∗ K30444545 : libxslt vulnerability CVE-2019-11068 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K30444545 ∗∗∗ IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027948 ∗∗∗ IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027944 ∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote information transfer due to CouchDB CVE-2023-26268 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028066 ∗∗∗ Multiple vulnerabilities affect IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028074 ∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028087 ∗∗∗ A security vulnerability has been identified in the Apache POI, which is vulnerable to Denial of Service. (CVE-2017-5644) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/711741 ∗∗∗ AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028095 ∗∗∗ RESTEasy component is vulnerable to CVE-2023-0482 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028099 ∗∗∗ netplex json-smart-v2 component is vulnerable to CVE-2023-1370 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028097 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2023
by Daily end-of-shift report 17 Aug '23

17 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-08-2023 18:00 − Donnerstag 17-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Triple Extortion Ransomware and the Cybercrime Supply Chain ∗∗∗ --------------------------------------------- Ransomware attacks continue to grow both in sophistication and quantity. 2023 has already seen more ransomware attacks involving data exfiltration and extortion than all of 2022, an increasing trend we expect to continue. This article will explore the business model of ransomware groups and the complex cybercrime ecosystem that has sprung up around them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/triple-extortion-ransomware-… ∗∗∗ New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode ∗∗∗ --------------------------------------------- The method "tricks the victim into thinking their devices Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," [..] --------------------------------------------- https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html ∗∗∗ CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan ∗∗∗ --------------------------------------------- This plan addresses systemic risks facing the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or manage security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-releases-jcdc-remot… ∗∗∗ Angreifer attackieren Citrix ShareFile ∗∗∗ --------------------------------------------- Die US-Behörde [CISA] hat die "kritische" Sicherheitslücke (CVE-2023-24489) in ihren Katalog bekannter ausgenutzter Sicherheitslücken eingetragen. In welchem Umfang die Attacken ablaufen, ist derzeit nicht bekannt. [..] Die Lücke ist seit Juni 2023 bekannt. Seitdem gibt es auch die gepatchte Version 5.11.24. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Citrix-ShareF… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023) ∗∗∗ --------------------------------------------- Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Patch Status : - Unpatched 25 - Patched 61 --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Phishing-Kampagne zielt auf Zimbra-Nutzer ab ∗∗∗ --------------------------------------------- Die Kampagne ist seit mindestens April 2023 aktiv und dauert laut Security-Forschern von ESET an. --------------------------------------------- https://www.zdnet.de/88411237/phishing-kampagne-zielt-auf-zimbra-nutzer-ab/ ===================== = Vulnerabilities = ===================== ∗∗∗ PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671 CVE-2023-36672 CVE-2023-35838 CVE-2023-36673) ∗∗∗ --------------------------------------------- LocalNet attack is only applicable to GlobalProtect Agent configurations that allow direct access to the local network setting in the Split Tunnel tab on the firewall configuration. ServerIP attack is relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in Network > GlobalProtect > Gateways from the web interface. --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2023-0004 ∗∗∗ ClamAV 1.1.1, 1.0.2, 0.103.9 patch versions published ∗∗∗ --------------------------------------------- - CVE-2023-20197 Fixed a possible denial of service vulnerability in the HFS+ file parser. - CVE-2023-20212 Fixed a possible denial of service vulnerability in the AutoIt file parser. This issue affects versions 1.0.1 and 1.0.0. This issue does not affect version 1.1.0. ClamAV 0.105 and 0.104 have reached end-of-life according to the ClamAV’s End of Life (EOL) policy and will not be patched. --------------------------------------------- https://blog.clamav.net/2023/07/2023-08-16-releases.html ∗∗∗ Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process ∗∗∗ --------------------------------------------- By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250. The vulnerability applies to a "Per User" installation as opposed to a "Shared User". There is an update that has been made available. --------------------------------------------- https://kb.cert.org/vuls/id/287122 ∗∗∗ TYPO3-EXT-SA-2023-007: Broken Access Control in extension "hCaptcha for EXT:form" (hcaptcha) ∗∗∗ --------------------------------------------- The extension fails to check the requirement of the captcha field in submitted form data allowing a remote user to bypass the captcha check. [..] An updated version 2.1.2 is available --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-007 ∗∗∗ Varnish Enterprise/Cache: Base64 decoding vulnerability in vmod-digest ∗∗∗ --------------------------------------------- The potential outcome of the vulnerability can be both authentication bypass and information disclosure, however the exact attack surface will depend on the particular VCL configuration in use. [..] Affected software versions: - vmod-digest shipped with Varnish Enterprise 6.0 series up to and including 6.0.11r4. - vmod-digest for Varnish Cache 6.0 LTS built on upstream source code prior to 2023-08-17. - vmod-digest for Varnish Cache trunk built on upstream source code prior to 2023-08-17. --------------------------------------------- https://docs.varnish-software.com/security/VSV00012/ ∗∗∗ IP-Telefonie: Schwachstellen in der Provisionierung von Zoom und Audiocodes ∗∗∗ --------------------------------------------- Der Security-Experte Moritz Abrell von SySS hat Schwachstellen bei der IP-Telefonie mithilfe des Zoom Zero Touch Provisioning-Prozesses in Kombination mit Audiocodes 400HD Telefonen entdeckt. [..] Angreifer könnten gemäß den Darstellungen Gesprächsinhalte mithören, ein Botnetz aus infizierten Geräten bilden oder auf Basis der Kompromittierung der Endgeräte die Netzwerke attackieren, in denen diese betrieben werden. --------------------------------------------- https://www.heise.de/news/IP-Telefonie-Schwachstellen-in-der-Provisionierun… ∗∗∗ Synology-SA-23:11 Synology Camera ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware. Solution: Upgrade to 1.0.5-0185 or above. Workaround: Setting up firewall rules to allow only trusted clients to connect can be used as a temporary mitigation. --------------------------------------------- https://www.synology.com/en-global/security/advisory/Synology_SA_23_11 ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-229-01 ICONICS and Mitsubishi Electric Products: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401 - ICSA-23-229-03 Schnieder Electric PowerLogic ION7400 PM8000 ION9000 Power Meters: CVE-2022-46680 - ICSA-23-229-04 Walchem Intuition 9: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/17/cisa-releases-three-indu… ∗∗∗ Privilege Escalation in IBM Spectrum Virtualize ∗∗∗ --------------------------------------------- Im Rahmen einer oberflächlichen Sicherheitsprüfung stellte Certitude zwei Schwachstellen in der Firmware der IBM Spectrum Virtualize Storage-Lösung fest. Eine der Schwachstellen erlaubt es einem Benutzer der Administrationsschnittstelle, der nur über eingeschränkte Berechtigungen verfügt, beliebigen Code auszuführen. --------------------------------------------- https://certitude.consulting/blog/de/privilege-escalation-in-ibm-spectrum-v… ∗∗∗ Atlassian Releases Security Update for Confluence Server and Data Center ∗∗∗ --------------------------------------------- Atlassian has released its security bulletin for August 2023 to address a vulnerability in Confluence Server and Data Center, CVE-2023-28709. A remote attacker can exploit this vulnerability to cause a denial-of-service condition.CISA encourages users and administrators to review Atlassian’s August 2003 Security Bulletin and apply the necessary update. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/17/atlassian-releases-secur… ∗∗∗ Cisco Integrated Management Controller Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Umbrella Virtual Appliance Undocumented Support Tunnel Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Intersight Private Virtual Appliance Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Device Credential Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Intersight Virtual Appliance Unauthenticated Port Forwarding Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Duo Device Health Application for Windows Arbitrary File Write Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Manager SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Products Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV AutoIt Module Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Vulnerability in Apache Tomcat Server (CVE-2023-28709 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005499 ∗∗∗ IBM Security Guardium is affected by Using Components with Known Vulnerabilities [CVE-2018-8909, CVE-2021-41100 and CVE-2021-41119] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027854 ∗∗∗ IBM Security Guardium is affected by a Command injection in CLI vulnerability [CVE-2023-35893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027853 ∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007815 ∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027855 ∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7000021 ∗∗∗ IBM Security Guardium is affected by multiple Oracle\u00ae MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981105 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT keb5 (CVE-2022-42898) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981101 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380954 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380968 ∗∗∗ Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data - GNU glibc (CVE-2020-1751) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6381220 ∗∗∗ Vulnerability in IBM JDK (CVE-2022-40609 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027898 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027921 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027919 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2023
by Daily end-of-shift report 16 Aug '23

16 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 14-08-2023 18:00 − Mittwoch 16-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt 2FA aktivieren: Hackerangriffe auf Linkedin-Konten nehmen massiv zu ∗∗∗ --------------------------------------------- Cyberkriminelle haben es zuletzt vermehrt auf Linkedin-Konten abgesehen. Bei Google getätigte Suchanfragen bestätigen diesen Trend. --------------------------------------------- https://www.golem.de/news/jetzt-2fa-aktivieren-hackerangriffe-auf-linkedin-… ∗∗∗ Vielfältige Attacken auf Ivanti Enterprise Mobility Management möglich (CVE-2023-32560) ∗∗∗ --------------------------------------------- Die Forscher geben an, die Schwachstelle im April 2023 gemeldet zu haben. Die gegen die Attacke abgesicherte EMM-Version 6.4.1 ist Anfang August erschienen. Mitte August haben die Sicherheitsforscher ihren Bericht veröffentlicht. --------------------------------------------- https://www.heise.de/news/Vielfaeltige-Attacken-auf-Ivanti-Enterprise-Mobil… ∗∗∗ IT-Schutz für Kommunen: 18 Checklisten für den Schnelleinstieg ∗∗∗ --------------------------------------------- Kommunen sind zunehmend Ziele von Cyber-Angriffen. Für angemessenen Schutz mangelt es oft an Wissen und Personal. 18 WiBA-Checklisten des BSI sollen das ändern. --------------------------------------------- https://heise.de/-9246027 ∗∗∗ TR-75 - Unauthenticated remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) - CVE-2023-3519 ∗∗∗ --------------------------------------------- Use this Checklist to identify if your infrastructure already shows indications of a successful compromise --------------------------------------------- https://www.circl.lu/pub/tr-75/ ∗∗∗ Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) ∗∗∗ --------------------------------------------- Today we are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances. --------------------------------------------- https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner ∗∗∗ l+f: Trojaner unterscheiden nicht zwischen Gut und Böse ∗∗∗ --------------------------------------------- D’oh! Sicherheitsforscher sind auf rund 120.000 mit Malware infizierte PCs gestoßen – von Cybergangstern. --------------------------------------------- https://heise.de/-9244810 ∗∗∗ Instagram-Nachricht: Gefälschte Beschwerde über Produktqualität führt zu Schadsoftware ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht auf Instagram. Darin beschwert sich eine Kundin, dass Ihre Produktqualität schlecht ist und das Produkt bereits nach 2 Tagen kaputt war. Ein Bild wird mitgeschickt. Laden Sie das Dokument mit der Endung .rar nicht herunter, es handelt sich um Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nachricht-gefaelschte-besc… ∗∗∗ An Apple malware-flagging tool is “trivially” easy to bypass ∗∗∗ --------------------------------------------- Background Task Manager can potentially miss malicious software on your machine. --------------------------------------------- https://arstechnica.com/?p=1960742 ∗∗∗ Ongoing scam tricks kids playing Roblox and Fortnite ∗∗∗ --------------------------------------------- The scams are often disguised as promotions, and they can all be linked to one network. --------------------------------------------- https://arstechnica.com/?p=1961085 ∗∗∗ Raccoon Stealer malware returns with new stealthier version ∗∗∗ --------------------------------------------- The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-retu… ∗∗∗ Massive 400,000 proxy botnet built with stealthy malware infections ∗∗∗ --------------------------------------------- A new campaign involving the delivery of proxy server apps to Windows systems has been uncovered, where users are reportedly involuntarily acting as residential exit nodes controlled by a private company. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet… ∗∗∗ QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord ∗∗∗ --------------------------------------------- A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms. "Once installed on the victims Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attackers Telegram bot, providing them with unauthorized access to the victims sensitive information," [...] --------------------------------------------- https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html ∗∗∗ Cookie Crumbles: Breaking and Fixing Web Session Integrity ∗∗∗ --------------------------------------------- In this paper, we question the effectiveness of existing protections and study the real-world security implications of cookie integrity issues. In particular, we focus on network and same-site attackers, a class of attackers increasingly becoming a significant threat to Web application security. --------------------------------------------- https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf ∗∗∗ Chrome 116 Patches 26 Vulnerabilities ∗∗∗ --------------------------------------------- Google has released Chrome 116 with patches for 26 vulnerabilities and plans to ship weekly security updates for the popular web browser. --------------------------------------------- https://www.securityweek.com/chrome-116-patches-26-vulnerabilities/ ∗∗∗ Monti ransomware targets legal and gov’t entities with new Linux-based variant ∗∗∗ --------------------------------------------- The Monti hacker gang appears to have resumed its operations after a two-month break, this time claiming to target legal and government entities with a fresh Linux-based ransomware variant, according to new research. Monti was first discovered in June 2022, shortly after the infamous Conti ransomware group went out of business. --------------------------------------------- https://therecord.media/monti-ransomware-targets-govt-entities ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-24489 Citrix Content Collaboration ShareFile Improper Access Control Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-adds-one-known-expl… ∗∗∗ PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks ∗∗∗ --------------------------------------------- Recent findings by Aqua Nautilus have exposed significant flaws that are still active in the PowerShell Gallerys policy regarding package names and owners. These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package. Consequently, these flaws pave the way for potential supply chain attacks on the registrys vast user base. --------------------------------------------- https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expos… ∗∗∗ Verwundbare Webserver: Status in Österreich ∗∗∗ --------------------------------------------- Nachdem wir in den letzten Wochen von Schwachstellen in Systemen von Citrix, Ivanti und Fortinet berichtet haben, wollte ich wissen, wie weit Österreich beim Patchen ist. Wir bekommen von ShadowServer täglich Reports mit den Ergebnissen ihrer Scans über das ganze Internet. Im „Vulnerable HTTP Report“ geht es unter anderem um Schwachstellen, die in Web-Applikationen gefunden wurden. Auf Hersteller bezogen kann man aus den Daten für Österreich folgende folgende Entwicklung ablesen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/8/verwundbare-webserver-status-in-osterre… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory | NetModule Router Software Race Condition Leads to Remote Code Execution ∗∗∗ --------------------------------------------- CVSSv3.1 Score: 8.4 Affected Vendor & Products: NetModule NB1601, NB1800, NB1810, NB2800, NB2810, NB3701, NB3800, NB800, NG800 Vulnerable version: < 4.6.0.105, < 4.7.0.103 --------------------------------------------- https://pentest.blog/advisory-netmodule-router-software-race-condition-lead… ∗∗∗ Sicherheitslücken: Angreifer können Hintertüren in Datenzentren platzieren ∗∗∗ --------------------------------------------- Schwachstellen in Software von CyberPower und Dataprobe zur Energieüberwachung und -Verteilung gefährden Datenzentren. --------------------------------------------- https://heise.de/-9245788 ∗∗∗ Lücken in Kennzeichenerkennungssoftware gefährden Axis-Überwachungskamera ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in Software für Überwachungskameras von Axis gefährden Geräte. --------------------------------------------- https://heise.de/-9245978 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (samba), Red Hat (.NET 6.0, .NET 7.0, rh-dotnet60-dotnet, rust, rust-toolset-1.66-rust, and rust-toolset:rhel8), and SUSE (kernel and opensuse-welcome). --------------------------------------------- https://lwn.net/Articles/941658/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/941722/ ∗∗∗ Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon M340, M580 and M580 CPU ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to execute unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-01 ∗∗∗ Rockwell Automation Armor PowerFlex ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to send an influx of network commands, causing the product to generate an influx of event log traffic at a high rate, resulting in the stop of normal operation. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-02 ∗∗∗ K000135852 : FasterXML jackson-databind vulnerability CVE-2022-42003 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135852 ∗∗∗ CPE2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers (Home and Office/Large Format) – 15 August 2023 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ [R1] Sensor Proxy Version 1.0.8 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-28 ∗∗∗ Vulnerabilities in Node.js modules affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026694 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380956 ∗∗∗ Multiple Eclipse Jetty Vulnerabilities Affect IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027483 ∗∗∗ AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027598 ∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027509 ∗∗∗ IBM Cognos Analytics has addressed multiple security vulnerabilities (CVE-2022-48285, CVE-2023-35009, CVE-2023-35011) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026692 ∗∗∗ Zyxel security advisory for post-authentication command injection in NTP feature of NBG6604 home router ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Zyxel security advisory for DoS vulnerability of XGS2220, XMG1930, and XS1930 series switches ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2023
by Daily end-of-shift report 14 Aug '23

14 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-08-2023 18:00 − Montag 14-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MaginotDNS attacks exploit weak checks for DNS cache poisoning ∗∗∗ --------------------------------------------- A team of researchers from UC Irvine and Tsinghua University has developed a new powerful cache poisoning attack named MaginotDNS, that targets Conditional DNS (CDNS) resolvers and can compromise entire TLDs top-level domains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/maginotdns-attacks-exploit-w… ∗∗∗ Phishing with hacked sites ∗∗∗ --------------------------------------------- Scammers are hacking websites powered by WordPress and placing phishing pages inside hidden directories. We share some statistics and tips on recognizing a hacked site. --------------------------------------------- https://securelist.com/phishing-with-hacked-sites/110334/ ∗∗∗ Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in AudioCodes desk phones and Zooms Zero Touch Provisioning (ZTP) that could be potentially exploited by a malicious attacker to conduct remote attacks. "An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.'s desk phones and Zoom's Zero Touch Provisioning feature can gain full remote control of the devices," SySS security researcher Moritz Abrell said in an analysis published Friday. --------------------------------------------- https://thehackernews.com/2023/08/zoom-ztp-audiocodes-phones-flaws.html ∗∗∗ Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability ∗∗∗ --------------------------------------------- E-commerce sites using Adobes Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. --------------------------------------------- https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html ∗∗∗ HAK5 BashBunny USB Gadget IoC Removal ∗∗∗ --------------------------------------------- StealthBunny is a tool designed to modify HAK5s BashBunny USB gadget kernel driver to remove possible indicators of compromise. --------------------------------------------- https://github.com/emptynebuli/StealthBunny ∗∗∗ Microsofts Cloud-Hack: Überprüfung durch US Cyber Safety Review Board ∗∗∗ --------------------------------------------- Die Cybervorfälle der letzten Monate haben die US-Sicherheitsbehörden aufgeschreckt. Nun will sich das US Cyber Safety Review Board (CSRB) den Hack der Microsoft Cloud durch die mutmaßlich chinesische Hackergruppe Storm-0558 genauer ansehen. Der Fall war im Juli 2023 bekannt geworden und hatte wegen der Umstände Wellen geschlagen. --------------------------------------------- https://www.borncity.com/blog/2023/08/12/microsofts-cloud-hack-berprfung-du… ∗∗∗ Whats New in CVSS v4 ∗∗∗ --------------------------------------------- The standard has been improved over time with the release of v1 in Feb. 2005, v2 in June 2007, and v3 in June 2015. The current version (v3.1) debuted in June 2019. Version 4 is slated for release on October 1, 2023. --------------------------------------------- https://www.rapid7.com/blog/post/2023/08/14/whats-new-in-cvss-v4/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#127587: Python Parsing Error Enabling Bypass CVE-2023-24329 ∗∗∗ --------------------------------------------- An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. --------------------------------------------- https://kb.cert.org/vuls/id/127587 ∗∗∗ Schwachstelle in Sync 3: Infotainmentsystem von Ford ermöglicht Angriff via Wi-Fi ∗∗∗ --------------------------------------------- Das in vielen Ford-Modellen genutzte Infotainmentsystem Sync 3 hat eine Schwachstelle, durch die Angreifer böswilligen Code ausführen können. --------------------------------------------- https://www.golem.de/news/schwachstelle-in-sync-3-infotainmentsystem-von-fo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-ugly1.0, libreoffice, linux-5.10, netatalk, poppler, and sox), Fedora (chromium, ghostscript, java-1.8.0-openjdk-portable, java-11-openjdk, java-11-openjdk-portable, java-17-openjdk-portable, java-latest-openjdk-portable, kernel, linux-firmware, mingw-python-certifi, ntpsec, and php), Oracle (.NET 6.0, .NET 7.0, 15, 18, bind, bind9.16, buildah, cjose, curl, dbus, emacs, firefox, go-toolset and golang, go-toolset:ol8, grafana, iperf3, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libcap, libeconf, libssh, libtiff, libxml2, linux-firmware, mod_auth_openidc:2.3, nodejs, nodejs:16, nodejs:18, open-vm-tools, openssh, postgresql:12, postgresql:13, python-requests, python27:2.7, python3, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, ruby:2.7, samba, sqlite, systemd, thunderbird, virt:ol and virt-devel:rhel, and webkit2gtk3), SUSE (docker, java-1_8_0-openj9, kernel, kernel-firmware, libyajl, nodejs14, openssl-1_0_0, poppler, and webkit2gtk3), and Ubuntu (golang-yaml.v2, intel-microcode, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-6.1, pygments, and pypdf2). --------------------------------------------- https://lwn.net/Articles/941587/ ∗∗∗ F5: K000135795 : Downfall Attacks CVE-2022-40982 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135795 ∗∗∗ F5: K000135831 : Node.js vulnerability CVE-2023-32067 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135831 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage System (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025515 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025507 ∗∗∗ IBM Elastic Storage System is affected by a vulnerability in OpenSSL (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025510 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009741 ∗∗∗ Apache Log4j Vulnerability affects Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6529302 ∗∗∗ IBM PowerVM Novalink is vulnerable because flaw was found in IBM SDK, Java Technology Edition, which could allow a remote attacker to execute arbitrary code on the system caused by an unsafe deserialization flaw. (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026380 ∗∗∗ Kafka nodes in IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to snappy-java (CVE-2023-34453, CVE-2023-34455, CVE-2023-34454). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026403 ∗∗∗ IBM ELM affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026536 ∗∗∗ Vulnerability in IBM Java SDK affects WebSphere Service Registry and Repository (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026489 ∗∗∗ Security Vulnerabilities in JRE and Java packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026553 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2023
by Daily end-of-shift report 11 Aug '23

11 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-08-2023 18:00 − Freitag 11-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gafgyt malware exploits five-years-old flaw in EoL Zyxel router ∗∗∗ --------------------------------------------- Fortinet has issued an alert warning that the Gafgyt botnet malware is actively trying to exploit a vulnerability in the end-of-life Zyxel P660HN-T1A router in thousands of daily attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gafgyt-malware-exploits-five… ∗∗∗ Nutzerdaten in Gefahr: Microsoft Onedrive als Werkzeug für Ransomware-Angriffe ∗∗∗ --------------------------------------------- Onedrive soll die Daten von Windows-Nutzern eigentlich vor Ransomware-Angriffen schützen. Effektiv ist das aber offenbar nicht immer. --------------------------------------------- https://www.golem.de/news/nutzerdaten-in-gefahr-microsoft-onedrive-als-werk… ∗∗∗ 16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks ∗∗∗ --------------------------------------------- A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. --------------------------------------------- https://thehackernews.com/2023/08/15-new-codesys-sdk-flaws-expose-ot.html ∗∗∗ When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability ∗∗∗ --------------------------------------------- While the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. [..] This article maps out various attacks against AWS environments following the MITRE ATT&CK Matrix framework, wrapping up with multiple prevention mechanisms an organization can put in place to protect themselves. Some of these protections include taking advantage of controls and services provided by AWS, cloud best practices, and ensuring sufficient data retention to catch the full attack. --------------------------------------------- https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/ ∗∗∗ Lexmark Command Injection Vulnerability ZDI-CAN-19470 Pwn2Own Toronto 2022 ∗∗∗ --------------------------------------------- In December 2022, we competed at our first pwn2own. We were able to successfully exploit the Lexmark MC3224i using a command injection 0-day. This post will detail the process we used to discover, weaponize, and have some fun with this vulnerability. --------------------------------------------- https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-194… ∗∗∗ Theres a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack ∗∗∗ --------------------------------------------- A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims network traffic to go outside their encrypted VPNs, it was demonstrated this week. [..] Their co-authored Usenix-accepted paper [PDF] has all the details. The researchers said they tested more than 60 VPN clients, and found that "all VPN apps" on iOS are vulnerable. Android appears to be most secure of the bunch. --------------------------------------------- https://www.theregister.com/2023/08/10/tunnelcrack_vpn/ ∗∗∗ Site Takeover via SCCM’s AdminService API ∗∗∗ --------------------------------------------- tl:dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover. --------------------------------------------- https://posts.specterops.io/site-takeover-via-sccms-adminservice-api-d932e2… ∗∗∗ A-Z: OPNsense - Penetration Test ∗∗∗ --------------------------------------------- We reported found vulnerabilities to OPNsense maintainers and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest release - OPNsense 23.7 “Restless Roadrunner”. Also, they provided us with reasoning behind decision to not patch some of them right now. --------------------------------------------- https://logicaltrust.net/blog/2023/08/opnsense.html ∗∗∗ Lesetipp: Wenn der Microsoft Defender zum Angreifer wird ∗∗∗ --------------------------------------------- Forscher haben spannende Details zu einer im April gefixten Lücke im Defender-Signaturupdateprozess veröffentlicht. Sie sehen Potenzial für künftige Angriffe. --------------------------------------------- https://heise.de/-9241230 ∗∗∗ Samsonite-Gewinnspiel auf Facebook führt in teure Abo-Falle! ∗∗∗ --------------------------------------------- Die betrügerische Facebook-Seite „Koffer-Paradies“ verbreitet derzeit ein Gewinnspiel, das in eine teure Abo-Falle führt. Versprochen wird ein Koffer der Marke Samsonite. Achtung! Wer mitspielt, erhält keinen Gewinn, sondern soll monatlich 70 Euro an Kriminelle bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/samsonite-gewinnspiel-auf-facebook-f… ∗∗∗ Phishing über Amazon Web Services ∗∗∗ --------------------------------------------- Sicherheitsforscher von Check Point haben vor einiger Zeit einen weiteren Dienst entdeckt, der für fortschrittliche Phishing-Kampagnen von Hackern missbraucht wird. Diesmal erfolgt der Missbrauch für Phishing-Kampagnen über die Amazon Web Services (AWS). . Das Programm wird zum Versenden von Phishing-E-Mails genutzt, um diesen einen täuschend echten Anstrich zu geben. --------------------------------------------- https://www.borncity.com/blog/2023/08/11/phishing-ber-amazon-web-services/ ===================== = Vulnerabilities = ===================== ∗∗∗ AMD and Intel CPU security bugs bring Linux patches ∗∗∗ --------------------------------------------- Its not really a Linux problem, but as is so often the case, Linux kernel developers have to clean up after AMD and Intel. It happened again with the chipmakers latest CPU vulnerabilities: AMD Inception and Intel Downfall. To fix these, Linux creator Linus Torvalds has released a new set of patches. Oddly, both are speculative side-channel attacks, which can lead to privileged data leakage to unprivileged processes. --------------------------------------------- https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-p… ∗∗∗ Statischer Schlüssel in Dell Compellent leakt Zugangsdaten für VMware vCenter ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle in Dells Compellent Integration Tools for VMware (CITV) können Angreifer Log-in-Daten entschlüsseln. --------------------------------------------- https://heise.de/-9241495 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, kernel, and php-dompdf), Fedora (linux-firmware, OpenImageIO, and php), Oracle (aardvark-dns, kernel, linux-firmware, python-flask, and python-werkzeug), SUSE (container-suseconnect, go1.19, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, java-11-openjdk, kernel-firmware, kubernetes1.24, openssl-1_1, poppler, python-scipy, qatengine, ucode-intel, util-linux, and vim), and Ubuntu (dotnet6, dotnet7, php-dompdf, and velocity-tools). --------------------------------------------- https://lwn.net/Articles/941271/ ∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014699 ∗∗∗ IBM InfoSphere Global Name Management Vulnerable to CVE-2023-30441 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025193 ∗∗∗ App Connect Professional is affected by Bouncy Castle vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025330 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025344 ∗∗∗ Vulnerability in the Flask repo may affect affect IBM Elastic Storage System (CVE-2023-30861) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025351 ∗∗∗ Multiple vulnerabilities in the werkzeug repo affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025349 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage Server (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025354 ∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025446 ∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025170 ∗∗∗ IBM TXSeries for Multiplatforms Web Services is vulnerable to Slowloris attack which is a type of denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025476 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024675 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2023
by Daily end-of-shift report 10 Aug '23

10 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-08-2023 18:00 − Donnerstag 10-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Common TTPs of attacks against industrial organizations ∗∗∗ --------------------------------------------- In 2022 we investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. --------------------------------------------- https://securelist.com/common-ttps-of-attacks-against-industrial-organizati… ∗∗∗ Cryptographic Flaw in Libbitcoin Explorer Cryptocurrency Wallet ∗∗∗ --------------------------------------------- Cryptographic flaws still matter. Here’s a flaw in the random-number generator used to create private keys. The seed has only 32 bits of entropy.Seems like this flaw is being exploited in the wild. --------------------------------------------- https://www.schneier.com/blog/archives/2023/08/cryptographic-flaw-in-libbit… ∗∗∗ Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives ∗∗∗ --------------------------------------------- Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies.According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations --------------------------------------------- https://thehackernews.com/2023/08/cybercriminals-increasingly-using.html ∗∗∗ New Statc Stealer Malware Emerges: Your Sensitive Data at Risk ∗∗∗ --------------------------------------------- A new information malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information."Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week. --------------------------------------------- https://thehackernews.com/2023/08/new-statc-stealer-malware-emerges-your.ht… ∗∗∗ CISA Analysis Report: MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors ∗∗∗ --------------------------------------------- CISA obtained four malware samples - including SEASPY and WHIRLPOOL backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar23-221a ∗∗∗ Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. An attacker must first obtain the ability to execute high-privileged code on the target environment in order to exploit this vulnerability. The specific flaw exists within the handling of certificates. The issue results from the exposure of a resource to the wrong control sphere. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1056/ ∗∗∗ Some things never change ? such as SQL Authentication ?encryption? ∗∗∗ --------------------------------------------- Fat client applications running on (usually) Windows are still extremely common in enterprises. [..] “traditional” fat client applications will most of the time connect directly to a database (again, since we’re looking at Windows environment primarily here, this will be most of the time a Microsoft SQL Server database). [..] Finally, how do we prevent this? Well, one solution is easy – do not use SQL Server authentication but instead have users use their Windows credentials --------------------------------------------- https://isc.sans.edu/diary/rss/30112 ∗∗∗ Honeypot: Forscher lockten Hacker in über 20.000 RDP-Sitzungen ∗∗∗ --------------------------------------------- Die Sicherheitsforscher planen für die kommenden Monate die Veröffentlichung einer Blog-Post-Serie, in der sie die Strategien und Tools der beobachteten Hacker näher erläutern wollen. Die Erkenntnisse sollen vor allem Strafverfolgern sowie anderen Sicherheitsexperten dienen, um effektive Abwehrstrategien gegen Cyberangriffe zu entwickeln und Ermittlungen gegen kriminelle Akteure in Zukunft schneller voranzutreiben --------------------------------------------- https://www.golem.de/news/honeypot-forscher-lockten-hacker-in-ueber-20-000-… ∗∗∗ Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization ∗∗∗ --------------------------------------------- Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. [..] This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement --------------------------------------------- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html ∗∗∗ A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition ∗∗∗ --------------------------------------------- Team82 today shares some details about a unique attack technique that could allow an attacker to impersonate Western Digital (WD) network-attached storage (NAS) devices. [..] Western Digital has provided firmware updates for all affected devices and also released advisories (here, here, here). Connected devices have been updated automatically. Any device yet to be updated has been banned by WD from connecting to the MyCloud service until it’s running the current firmware version. --------------------------------------------- https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-conn… ∗∗∗ A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition ∗∗∗ --------------------------------------------- Team82 has developed a unique technique that allowed us to impersonate Synology’s DS920+ network-attached storage device and force its QuickConnect cloud service to redirect users to an attacker-controlled device. Synology, a top-tier NAS vendor, has addressed the vulnerabilities we uncovered, and has updated its cloud service to protect its users. [..] We uncovered not only credential theft flaws, but also remote code execution vulnerabilities [..] --------------------------------------------- https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-conn… ∗∗∗ Smashing the state machine: the true potential of web race conditions ∗∗∗ --------------------------------------------- For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this paper, Ill introduce new classes of race condition that go far beyond the limit-overrun exploits youre probably already familiar with. --------------------------------------------- https://portswigger.net/research/smashing-the-state-machine? ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 31, 2023 to August 6, 2023) ∗∗∗ --------------------------------------------- Last week, there were 29 vulnerabilities disclosed in 24 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 18 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“, "Ihre Bawag Security App" oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-ban… ∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗ --------------------------------------------- Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde. --------------------------------------------- https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kamp… ∗∗∗ Mac systems turned into proxy exit nodes by AdLoad ∗∗∗ --------------------------------------------- AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Nextcloud/Nextcloud Enterprise/Nextcloud Talk Android app ∗∗∗ --------------------------------------------- High severity: - Missing password confirmation when creating app passwords, CVSS 8.1 - Path traversal allows tricking the Talk Android app into writing files into its root directory, CVSS 7.2 - Users can delete external storage mount points, CVSS 7.7 3x Moderate Severity, 4x Low Severity --------------------------------------------- https://github.com/nextcloud/security-advisories/security ∗∗∗ Multiple Vulnerabilities in Softing edgeAggregator/Secure Integration Server/edgeConnector Siemens ∗∗∗ --------------------------------------------- CVE-2023-27335/CVSS 8.8, CVE-2023-38126/CVSS 7.2, CVE-2023-38125/CVSS 7.5, CVE-2023-39478/CSS 6.6, CVE-2023-39479/CVSS 6.6, CVE-2023-39480/CVSS 4.4, CVE-2023-39481/CVSS 6.6, CVE-2023-39482/CVSS 4.9, CVE-2023-27336/CVSS 7.5, CVE-2023-27334/CVSS 7.5, CVE-2023-29377/CVSS 6.6 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Videomeeting-Anwendungen: Zoom rüstet Produkte gegen mögliche Attacken ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates, für unter anderem den Windows-Client von Zoom, schließen mehrere Lücken. --------------------------------------------- https://heise.de/-9240044 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (chromium, kernel, krb5, and rust), and Ubuntu (graphite-web and velocity). --------------------------------------------- https://lwn.net/Articles/941082/ ∗∗∗ Vulnerability in IBM\u00ae Java SDK affects IBM Liberty for Java for IBM Cloud due to CVE-2022-40609 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024969 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2023
by Daily end-of-shift report 09 Aug '23

09 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-08-2023 18:00 − Mittwoch 09-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious extensions can abuse VS Code flaw to steal auth tokens ∗∗∗ --------------------------------------------- Microsofts Visual Studio Code (VS Code) code editor and development environment contains a flaw that allows malicious extensions to retrieve authentication tokens stored in Windows, Linux, and macOS credential managers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-extensions-can-abu… ∗∗∗ EvilProxy phishing campaign targets 120,000 Microsoft 365 users ∗∗∗ --------------------------------------------- EvilProxy is becoming one of the more popular phishing platforms to target MFA-protected accounts, with researchers seeing 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-… ∗∗∗ Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining ∗∗∗ --------------------------------------------- Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors. --------------------------------------------- https://thehackernews.com/2023/08/malicious-campaigns-exploit-weak.html ∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“ oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-ban… ∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗ --------------------------------------------- Es war ein schöner Tag dieser Freitag der 03. Februar 2023, aber wie es Freitage im Cybersicherheits-Umfeld leider so an sich haben, sollte sich das schnell ändern. Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde. --------------------------------------------- https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kamp… ∗∗∗ Fantastic Rootkits: And Where To Find Them (Part 3) – ARM Edition ∗∗∗ --------------------------------------------- In this blog, we will discuss innovative rootkit techniques on a non-traditional architecture, Windows 11 on ARM64. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS - Buffer overflow in execute extender command (CVE-2023-29182) ∗∗∗ --------------------------------------------- A stack-based buffer overflow vulnerability [CWE-121] in FortiOS may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-149 ∗∗∗ Lenovo: Multi-vendor BIOS Security Vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- The following list of vulnerabilities were reported by suppliers and researchers or were found during our regular internal testing. CVE Identifier: CVE-2022-24351, CVE-2022-27879, CVE-2022-37343, CVE-2022-38083, CVE-2022-40982, CVE-2022-41804, CVE-2022-43505, CVE-2022-44611, CVE-2022-46897, CVE-2023-2004, CVE-2023-20555, CVE-2023-20569, CVE-2023-23908, CVE-2023-26090, CVE-2023-27471, CVE-2023-28468, CVE-2023-31041, CVE-2023-34419, CVE-2023-4028, CVE-2023-4029, CVE-2023-4030 --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500572-multi-vendor-bio… ∗∗∗ Lenovo: AMD Graphics OpenSSL Vulnerabilities ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-3602, CVE-2022-3786 Summary Description: AMD reported two high severity OpenSSL vulnerabilities affecting certain versions of their product. Mitigation Strategy for Customers (what you should do to protect yourself): Update AMD Graphics Driver to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500575-amd-graphics-ope… ∗∗∗ Lenovo: Intel PROSet Wireless WiFi and Killer WiFi Advisory ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-27635, CVE-2022-46329, CVE-2022-40964, CVE-2022-36351, CVE-2022-38076 Summary Description: Intel reported potential security vulnerabilities in some Intel PROSet/Wireless WiFi and Killer WiFi products that may allow escalation of privilege or denial of service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500574-intel-proset-wir… ∗∗∗ Lenovo: Intel Chipset Firmware Advisory ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-36392, CVE-2022-38102, CVE-2022-29871 Summary Description: Intel reported potential security vulnerabilities in the Intel Converged Security Management Engine (CSME) that may allow escalation of privilege and Denial of Service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500573-intel-chipset-fi… ∗∗∗ Xen XSA-432: Linux: buffer overrun in netback due to unusual packet (CVE-2023-34319) ∗∗∗ --------------------------------------------- The fix for XSA-423 added logic to Linuxes netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didnt account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area thats specially dealt with to keep all (possible) headers together. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-432.html ∗∗∗ Xen XSA-434 x86/AMD: Speculative Return Stack Overflow (CVE-2023-20569) ∗∗∗ --------------------------------------------- It is possible to poison the branch type and target predictions such that, at a point of the attackers choosing, the branch predictor predicts enough CALLs back-to-back to wrap around the entire RAS and overwrite a correct return prediction with one of the attackers choosing. This allows the attacker to control RET speculation in a victim context, and leak arbitrary data as a result. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-434.html ∗∗∗ Xen XSA-435 x86/Intel: Gather Data Sampling ∗∗∗ --------------------------------------------- A researcher has discovered Gather Data Sampling, a transient execution side-channel whereby the AVX GATHER instructions can forward the content of stale vector registers to dependent instructions. The physical register file is a structure competitively shared between sibling threads. Therefore an attacker can infer data from the sibling thread, or from a more privileged context. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-435.html ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-20569, CVE-2023-34319 and CVE-2022-40982 ∗∗∗ --------------------------------------------- - An issue has been discovered in Citrix Hypervisor 8.2 CU1 LTSR that may allow malicious, privileged code in a guest VM to cause the host to crash. (CVE-2023-34319) - In addition, Intel has disclosed a security issue affecting certain Intel CPUs [..] (CVE-2022-40982) - In addition, AMD has disclosed a security issue affecting AMD CPUs [..] (CVE-2023-20569) --------------------------------------------- https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bul… ∗∗∗ LibreSwan: CVE-2023-38710: Invalid IKEv2 REKEY proposal causes restart ∗∗∗ --------------------------------------------- When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payloads protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. --------------------------------------------- https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt ∗∗∗ LibreSwan: CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart ∗∗∗ --------------------------------------------- When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR, receives an IDcr payload with ID_FQDN, a null pointer dereference causes a crash and restart of the pluto daemon. --------------------------------------------- https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt ∗∗∗ LibreSwan: CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart ∗∗∗ --------------------------------------------- When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a null pointer dereference on the deleted state causes the pluto daemon to crash and restart. --------------------------------------------- https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt ∗∗∗ LWN: Stable kernels with security fixes ∗∗∗ --------------------------------------------- The 6.4.9, 6.1.44, 5.15.125, 5.10.189, 5.4.252, 4.19.290, and 4.14.321 stable kernel updates have all been released; they are dominated by fixes for the latest round of speculative-execution vulnerabilities. Do note the warning attached to each of these releases --------------------------------------------- https://lwn.net/Articles/940798/ ∗∗∗ Neue Sicherheitslücken in AMD- und Intel-Prozessoren entdeckt ∗∗∗ --------------------------------------------- Die Security-Konferenz Black Hat ist für AMD und Intel kein Spaß. Beide Hersteller müssen sich mit zahlreichen Sicherheitslücken befassen – BIOS-Updates kommen. --------------------------------------------- https://heise.de/-9239339 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cjose, hdf5, and orthanc), Fedora (java-17-openjdk and seamonkey), Red Hat (curl, dbus, iperf3, kernel, kpatch-patch, libcap, libxml2, nodejs:16, nodejs:18, postgresql:10, postgresql:12, postgresql:13, and python-requests), SUSE (bluez, cjose, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, keylime, openssl-1_1, openssl-3, pipewire, poppler, qemu, rubygem-actionpack-4_2, rubygem-actionpack-5_1, rust1.71, tomcat, webkit2gtk3, and wireshark), and Ubuntu (binutils, dotnet6, dotnet7, openssh, php-dompdf, and unixodbc). --------------------------------------------- https://lwn.net/Articles/940912/ ∗∗∗ SAP Patches Critical Vulnerability in PowerDesigner Product ∗∗∗ --------------------------------------------- SAP has fixed over a dozen new vulnerabilities with its Patch Tuesday updates, including a critical flaw in its PowerDesigner product. --------------------------------------------- https://www.securityweek.com/sap-patches-critical-vulnerability-in-powerdes… ∗∗∗ Microsoft Releases August 2023 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/08/microsoft-releases-augus… ∗∗∗ Released: August 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update. If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/08/adobe-releases-security-… ∗∗∗ Certifi component is vulnerable to CVE-2022-23491 used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023647 ∗∗∗ protobuf-java component is vulnerable to CVE-2022-3510 and CVE-2022-3509 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023656 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024675 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server shipped with IBM Business Automation Workflow containers - April 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024729 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-38721) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023423 ∗∗∗ IBM App Connect Enterprise toolkit and IBM Integration Bus toolkit are vulnerable to a local authenticated attacker and a denial of service due to Guava and JDOM (CVE-2023-2976, CVE-2021-33813). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024862 ∗∗∗ IBM MQ is affected by multiple Angular JS vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023212 ∗∗∗ IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013499 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2023
by Daily end-of-shift report 08 Aug '23

08 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 07-08-2023 18:00 − Dienstag 08-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft GitHub Dev-Containers Improper Privilege Management Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to escalate privileges on affected installations of Microsoft GitHub. Authentication is required to exploit this vulnerability. [..] The vendor states this is by-design, and they do not consider it to be a security risk. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1044/ ∗∗∗ Understanding Active Directory Attack Paths to Improve Security ∗∗∗ --------------------------------------------- Active Directory, Actively Problematic. But as central as it is, Active Directory security posture is often woefully lacking. Lets take a quick peek at how Active Directory assigns users, which will shed some light on why this tool has some shall we say, issues, associated with it. --------------------------------------------- https://thehackernews.com/2023/08/understanding-active-directory-attack.html ∗∗∗ Fake-Shop presssi.shop kopiert österreichisches Unternehmen ∗∗∗ --------------------------------------------- Der Online-Shop presssi.shop ist besonders schwer als Fake-Shop zu erkennen, da er ein echtes Unternehmen kopiert. Die Kriminellen stehlen Firmendaten und das Logo der „niceshops GmbH“, einer E-Commerce-Dienstleistung aus Österreich. Außerdem sind herkömmliche Tipps zum Erkennen von Fake-Shops in diesem Fall nicht anwendbar. Wir zeigen Ihnen, wie wir den Shop als Fake entlarvt haben. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-presssishop-kopiert-oester… ∗∗∗ Abmahnung im Namen von Dr. Matthias Losert ist betrügerisch ∗∗∗ --------------------------------------------- Kriminelle versenden im Namen vom Berliner Anwalt Dr. Matthias Losert Abmahnungen wegen einer Urheberrechtsverletzung. Sie werden beschuldigt, illegal einen Film heruntergeladen zu haben. Für diesen Verstoß fordert man von Ihnen nun 450 Euro. Ignorieren Sie dieses E-Mail und antworten Sie nicht, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/abmahnung-im-namen-von-dr-matthias-l… ===================== = Vulnerabilities = ===================== ∗∗∗ Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables Affecting Cisco AnyConnect Secure Mobility Client and Cisco Secure Client ∗∗∗ --------------------------------------------- On August 8, 2023, the paper Bypassing Tunnels: Leaking VPN Client Traffic by Abusing Routing Tables was made public. The paper discusses two attacks that can cause VPN clients to leak traffic outside the protected VPN tunnel. In both instances, an attacker can manipulate routing exceptions that are maintained by the client to redirect traffic to a device that they control without the benefit of the VPN tunnel encryption. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Siemens: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- JT Open, JT Utilities, Parasolid, Parasolid Installer, Solid Edge, JT2Go, Teamcenter Visualization, APOGEE/TALON Field Panels, Siemens Software Center, SIMATIC Products, RUGGEDCOM CROSSBOW, RUGGEDCOM ROS Devices, SICAM TOOLBOX II --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html#SecurityPubli… ∗∗∗ Multiple Vulnerabilities in Inductive Automation Ignition ∗∗∗ --------------------------------------------- * Deserialization of Untrusted Data Remote Code Execution (CVE-2023-39473, CVE-2023-39476, CVE-2023-39475) * XML External Entity Processing Information Disclosure (CVE-2023-39472) * Remote Code Execution (CVE-2023-39477) --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability (CVE-2023-38157) ∗∗∗ --------------------------------------------- CVSS:3.1 6.5 / 5.7 This vulnerability requires a user to open a Web Archive file with spoofed origin of the web content in the affected version of Microsoft Edge (Chromium-based). --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38157 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libhtmlcleaner-java and thunderbird), Red Hat (dbus, kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), SUSE (chromium, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, kernel-firmware, libqt5-qtbase, libqt5-qtsvg, librsvg, pcre2, perl-Net-Netmask, qt6-base, and thunderbird), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/940755/ ∗∗∗ Android: August-Patchday bringt Fixes für 53 Schwachstellen ∗∗∗ --------------------------------------------- Vier Lücken stuft Google als kritisch ein. Sie erlauben unter anderem das Ausführen von Schadcode ohne Interaktion mit einem Nutzer. --------------------------------------------- https://www.zdnet.de/88411017/android-august-patchday-bringt-fixes-fuer-53-… ∗∗∗ PHOENIX CONTACT: PLCnext Engineer Vulnerabilities in LibGit2Sharp/LibGit2 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-016/ ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in TC ROUTER, TC CLOUD CLIENT and CLOUD CLIENT devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-017/ ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in WP 6xxx Web panels ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-018/ ∗∗∗ Vulnerability in IBM Java SDK affects IBM WebSphere Application Server due to CVE-2022-40609 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022475 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6999317 ∗∗∗ A remote code execution vulnerability in IBM Java SDK affects IBM InfoSphere Information Server (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022836 ∗∗∗ IBM Jazz Team Server is vulnerable to server-side request forgery. (CVE-2022-43879) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023193 ∗∗∗ OpenSSL publicly disclosed vulnerabilities affect IBM MobileFirst Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023206 ∗∗∗ Multiple vulnerabilities found on thirdparty libraries used by IBM MobileFirst Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023204 ∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attack due to IBM SDK Java (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023275 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-220-01 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-220-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.08.2023
by Daily end-of-shift report 07 Aug '23

07 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-08-2023 18:00 − Montag 07-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers ∗∗∗ --------------------------------------------- Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap thats engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week. --------------------------------------------- https://thehackernews.com/2023/08/new-skidmap-redis-malware-variant.html ∗∗∗ New 'Deep Learning Attack' Deciphers Laptop Keystrokes with 95% Accuracy ∗∗∗ --------------------------------------------- A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. "When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad said in a new study published last week. --------------------------------------------- https://thehackernews.com/2023/08/new-deep-learning-attack-deciphers.html ∗∗∗ Technical Summary of Observed Citrix CVE-2023-3519 Incidents ∗∗∗ --------------------------------------------- The Shadowserver Foundation and trusted partners have observed three different malicious campaigns that have exploited CVE-2023-3519, a code injection vulnerability rated CVSS 9.8 critical in Citrix NetScaler ADC and NetScaler Gateway. [...] Please ensure you follow the detection and hunting steps provided for signs of possible compromise and webshell presence. --------------------------------------------- https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-… ∗∗∗ Security-Bausteine, Teil 5: Vier Stufen – Risiko und Security Levels ∗∗∗ --------------------------------------------- Das Einrichten des IT-Schutzes bedeutet häufig langwierige Prozesse. Abhilfe schaffen die Security Levels zum Absichern gegen potenzielle Angreiferklassen. --------------------------------------------- https://heise.de/-9220500 ∗∗∗ Vernetzte Geräte: EU gewährt Aufschub für höhere Cybersicherheit ∗∗∗ --------------------------------------------- Die EU wollte Hersteller von Smartphones, Wearables & Co. ab 2024 zu deutlich mehr IT-Sicherheit und Datenschutz verpflichten. Doch jetzt gibt es Aufschub. --------------------------------------------- https://heise.de/-9235663 ∗∗∗ Zutatenliste: BSI stellt Regeln zum Absichern der Software-Lieferkette auf ∗∗∗ --------------------------------------------- Das BSI hat eine Richtlinie für Software Bills of Materials (SBOM) herausgegeben. Solche Übersichtslisten sollen Sicherheitsdebakeln wie Log4J entgegenwirken. --------------------------------------------- https://heise.de/-9235853 ∗∗∗ Visualizing Qakbot Infrastructure Part II: Uncharted Territory ∗∗∗ --------------------------------------------- A Data-Driven Approach Based on Analysis of Network Telemetry - In this blog post, we will provide an update on our high-level analysis of... --------------------------------------------- https://www.team-cymru.com/post/visualizing-qakbot-infrastructure-part-ii-u… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische RCE-Schwachstelle CVE-2023-39143 in PaperCut vor Version 22.1.3 ∗∗∗ --------------------------------------------- Wer die Druck-Management-Lösung Papercut MF/NG im Einsatz hat, sollte das Produkt dringend patchen. Eine gerade bekannt gewordene kritische RCE-Schwachstelle CVE-2023-39143 ermöglicht die Übernahme der PaperCut-Server. Der Anbieter hat bereits einen entsprechenden Sicherheitspatch zum Beseitigen der Schwachstelle veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2023/08/05/kritische-rce-schwachstelle-cve-20… ∗∗∗ Sicherheitsupdates: Angreifer können Drucker von HP und Samsung attackieren ∗∗∗ --------------------------------------------- Einige Drucker-Modelle von HP und Samsung sind verwundbar. Sicherheitsupdates lösen das Problem. --------------------------------------------- https://heise.de/-9236703 ∗∗∗ VU#947701: Freewill Solutions IFIS new trading web application vulnerable to unauthenticated remote code execution ∗∗∗ --------------------------------------------- Freewill Solutions IFIS new trading web application version 20.01.01.04 is vulnerable to unauthenticated remote code execution. Successful exploitation of this vulnerability allows an attacker to run arbitrary shell commands on the affected host. [...] The CERT/CC is currently unaware of a practical solution to this problem. [...] We have not received a statement from the vendor. --------------------------------------------- https://kb.cert.org/vuls/id/947701 ∗∗∗ ZDI-23-1017: Extreme Networks AP410C Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Extreme Networks AP410C routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1017/ ∗∗∗ Triangle MicroWorks SCADA Data Gateway: Multiple Vulnerabilities ∗∗∗ --------------------------------------------- CVE: CVE-2023-39458, CVE-2023-39459, CVE-2023-39460, CVE-2023-39461, CVE-2023-39462, CVE-2023-39463, CVE-2023-39464, CVE-2023-39465, CVE-2023-39466, CVE-2023-39467, CVE-2023-39468, CVE-2023-39457 CVSS Scores: <= 9.8 See also https://www.zerodayinitiative.com/advisories/published/ --------------------------------------------- https://www.trianglemicroworks.com/products/scada-data-gateway/whats-new ∗∗∗ CVE-2023-35082 - Vulnerability affecting EPMM and MobileIron Core ∗∗∗ --------------------------------------------- On 2 August 2023 at 10:00 MDT, Ivanti reported CVE-2023-35082. This vulnerability, which was originally discovered in MobileIron Core had not been previously identified as a vulnerability [...] Ivanti has continued its investigation and has found additional paths to exploiting CVE-2023-35082 depending on configuration of the Ivanti Endpoint Manager Mobile (EPMM) appliance. This impacts all versions of EPMM 11.10, 11.9 and 11.8 and MobileIron Core 11.7 and below. --------------------------------------------- https://www.ivanti.com/blog/vulnerability-affecting-mobileiron-core-11-2-an… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (burp, chromium, ghostscript, openimageio, pdfcrack, python-werkzeug, thunderbird, and webkit2gtk), Fedora (amanda, libopenmpt, llhttp, samba, seamonkey, and xen), Red Hat (thunderbird), Slackware (mozilla and samba), and SUSE (perl-Net-Netmask, python-Django1, trytond, and virtualbox). --------------------------------------------- https://lwn.net/Articles/940682/ ∗∗∗ AUMA: SIMA Master Station affected by WRECK vulnerability ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-028/ ∗∗∗ AUMA: Reflected Cross-Site Scripting Vulnerability in SIMA Master Stations ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-027/ ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2023-27554) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020515 ∗∗∗ An unauthorized attacker who has obtained an IBM Watson IoT Platform security authentication token can use it to impersonate an authorized platform user (CVE-2023-38372) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020635 ∗∗∗ ISC BIND on IBM i is vulnerable to denial of service due to a memory usage flaw (CVE-2023-2828) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017974 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to FasterXML jackson-databind [CVE-2022-42003, CVE-2022-42004] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020695 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JetBrains Kotlin weak security [CVE-2022-24329] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020659 ∗∗∗ IBM OpenPages for IBM Cloud Pak for Data is Vulnerable to JCommander [X-Force ID: 221124] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020636 ∗∗∗ Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022413 ∗∗∗ Timing Oracle in RSA Decryption issue may affect GSKit shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022414 ∗∗∗ A vulnerability has been identified in the IBM Storage Scale GUI where a remote authenticated user can execute commands (CVE-2023-33201) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7022431 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.08.2023
by Daily end-of-shift report 04 Aug '23

04 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-08-2023 18:00 − Freitag 04-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ A Call to Action: Bolster UEFI Cybersecurity Now ∗∗∗ --------------------------------------------- Based on recent incident responses to UEFI malware such as BlackLotus, the cybersecurity community and UEFI developers appear to still be in learning mode. [...] Adversaries have demonstrated that they already know how to exploit UEFI components for persistence, and they will only get better with practice. CISA encourages the UEFI community to pursue all the options discussed in this blog with vigor. And the work must start today. --------------------------------------------- https://www.cisa.gov/news-events/news/call-action-bolster-uefi-cybersecurit… ∗∗∗ Fake VMware vConnector package on PyPI targets IT pros ∗∗∗ --------------------------------------------- A malicious package that mimics the VMware vSphere connector module vConnector was uploaded on the Python Package Index (PyPI) under the name VMConnect, targeting IT professionals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-vmware-vconnector-packa… ∗∗∗ Midnight Blizzard conducts targeted social engineering over Microsoft Teams ∗∗∗ --------------------------------------------- Microsoft Threat Intelligence has identified highly targeted social engineering attacks using credential theft phishing lures sent as Microsoft Teams chats by the threat actor that Microsoft tracks as Midnight Blizzard (previously tracked as NOBELIUM). --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-… ∗∗∗ From small LNK to large malicious BAT file with zero VT score, (Thu, Aug 3rd) ∗∗∗ --------------------------------------------- Last week, my spam trap caught an e-mail with LNK attachment, which turned out to be quite interesting. --------------------------------------------- https://isc.sans.edu/diary/rss/30094 ∗∗∗ Malicious npm Packages Found Exfiltrating Sensitive Data from Developers ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," [...] --------------------------------------------- https://thehackernews.com/2023/08/malicious-npm-packages-found.html ∗∗∗ Are Leaked Credentials Dumps Used by Attackers? ∗∗∗ --------------------------------------------- I’ve been watching dumps of leaked credentials for a long time. [...] But are these leaks used to try to get access to mailboxes (or other services)? [...] Conclusion: Even if the quality of these dumps is very poor, they are used a lot in the wild! This is a perfect example of why you must safely manage your credentials! --------------------------------------------- https://isc.sans.edu/diary/rss/30098 ∗∗∗ Handwerker:innen aufgepasst: Hier sollten Sie keine Werkzeuge kaufen! ∗∗∗ --------------------------------------------- Aktuell stoßen wir auf zahlreiche Fake-Shops, die Werkzeuge aller Art verkaufen. Allein in den letzten zwei Wochen haben wir mehr als 70 Online-Shops gefunden, die Werkzeuge anbieten – diese aber trotz Bezahlung nicht liefern. --------------------------------------------- https://www.watchlist-internet.at/news/handwerkerinnen-aufgepasst-hier-soll… ===================== = Vulnerabilities = ===================== ∗∗∗ VMware VMSA-2023-0017 - VMware Horizon Server updates address multiple security vulnerabilities ∗∗∗ --------------------------------------------- - Request smuggling vulnerability (CVE-2023-34037), CVSSv3 base score of 5.3 - Information disclosure vulnerability (CVE-2023-34038), CVSSv3 base score of 5.3 --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0017.html ∗∗∗ Mozilla VPN: CVE-2023-4104: Privileged vpndaemon on Linux wrongly and incompletely implements Polkit authentication ∗∗∗ --------------------------------------------- [...] it contains a privileged D-Bus service running as root and a Polkit policy. In the course of this review we noticed a broken and otherwise lacking Polkit authorization logic in the privileged `mozillavpn linuxdaemon` process. We publish this report today, because the maximum embargo period of 90 days we offer has been exceeded. Most of the issues mentioned in this report are currently not addressed by upstream, as is outlined in more detail below. --------------------------------------------- https://www.openwall.com/lists/oss-security/2023/08/03/1 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (bind and kernel), Debian (cjose, firefox-esr, ntpsec, and python-django), Fedora (chromium, firefox, librsvg2, and webkitgtk), Red Hat (firefox), Scientific Linux (firefox and openssh), SUSE (go1.20, ImageMagick, javapackages-tools, javassist, mysql-connector-java, protobuf, python-python-gflags, kernel, openssl-1_1, pipewire, python-pip, and xtrans), and Ubuntu (cargo, rust-cargo, cpio, poppler, and xmltooling). --------------------------------------------- https://lwn.net/Articles/940481/ ∗∗∗ Fujitsu Software Infrastructure Manager (ISM) stores sensitive information in cleartext ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN38847224/ ∗∗∗ Multiple security vulnerabilities affecting Watson Knowledge Catalog for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020316 ∗∗∗ Timing Oracle in RSA Decryption vulnerability might affect GSKit supplied with IBM TXSeries for Multiplatforms. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010369 ∗∗∗ IBM Db2 has multiple denial of service vulnerabilities with a specially crafted query ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010557 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to multiple Tensorflow vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7020364 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.08.2023
by Daily end-of-shift report 03 Aug '23

03 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-08-2023 18:00 − Donnerstag 03-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake FlipperZero sites promise free devices after completing offer ∗∗∗ --------------------------------------------- A site impersonating Flipper Devices promises a free Flipper Zero after completing an offer but only leads to shady browser extensions and scam sites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-flipperzero-sites-promi… ∗∗∗ Hackers can abuse Microsoft Office executables to download malware ∗∗∗ --------------------------------------------- The list of LOLBAS files - legitimate binaries and scripts present in Windows that can be abused for malicious purposes, will include the main executables for Microsofts Outlook email client and Access database management system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-can-abuse-microsoft-… ∗∗∗ "Grob fahrlässig": Sicherheitsproblem gefährdet Microsoft-Kunden seit Monaten ∗∗∗ --------------------------------------------- Eine Microsoft seit März bekannte kritische Schwachstelle in Azure AD macht weitere zahllose Organisationen noch heute anfällig für Cyberangriffe. --------------------------------------------- https://www.golem.de/news/grob-fahrlaessig-sicherheitsproblem-gefaehrdet-mi… ∗∗∗ What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot ∗∗∗ --------------------------------------------- In this report, we share our recent crimeware findings: the new DarkGate loader, new LokiBot campaign and new Emotet version delivered via OneNote. --------------------------------------------- https://securelist.com/emotet-darkgate-lokibot-crimeware-report/110286/ ∗∗∗ New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 ∗∗∗ --------------------------------------------- Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-… ∗∗∗ Exploiting a Flaw in Bitmap Handling in Windows User-Mode Printer Drivers ∗∗∗ --------------------------------------------- In this guest blog from researcher Marcin Wiązowski, he details CVE-2023-21822 – a Use-After-Free (UAF) in win32kfull that could lead to a privilege escalation. The bug was reported through the ZDI program and later patched by Microsoft. Marcin has graciously provided this detailed write-up of the vulnerability, examines how it could be exploited, and a look at the patch Microsoft released to address the bug. --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/8/1/exploiting-a-flaw-in-bitmap… ∗∗∗ Hook, Line, and Phishlet: Conquering AD FS with Evilginx ∗∗∗ --------------------------------------------- Recently, I was assigned to a red team engagement, and the client specifically requested a phishing simulation targeting their employees. The organisation utilises AD FS for federated single sign-on and has implemented Multi-Factor Authentication (MFA) as a company-wide policy. [..] Despite my efforts to find a detailed write-up on how to successfully phish a target where AD FS is being used, I couldn’t find a technical post covering this topic. So I saw this as an opportunity to learn --------------------------------------------- https://research.aurainfosec.io/pentest/hook-line-and-phishlet/ ∗∗∗ New Report: Medical Health Care Organizations Highly Vulnerable Due to Improper De-acquisition Processes ∗∗∗ --------------------------------------------- In Security Implications from Improper De-acquisition of Medical Infusion Pumps Heiland performs a physical and technical teardown of more than a dozen medical infusion pumps — devices used to deliver and control fluids directly into a patient’s body. Each of these devices was available for purchase on the secondary market and each one had issues that could compromise their previous organization’s networks. --------------------------------------------- https://www.rapid7.com/blog/post/2023/08/02/security-implications-improper-… ∗∗∗ MSMQ QueueJumper (RCE Vulnerability): An In-Depth Technical Analysis ∗∗∗ --------------------------------------------- The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. --------------------------------------------- https://securityintelligence.com/posts/msmq-queuejumper-rce-vulnerability-t… ∗∗∗ Google Project Zero - Summary: MTE As Implemented ∗∗∗ --------------------------------------------- In mid-2022, Project Zero was provided with access to pre-production hardware implementing the ARM MTE specification. This blog post series is based on that review, and includes general conclusions about the effectiveness of MTE as implemented, specifically in the context of preventing the exploitation of memory-safety vulnerabilities. Despite its limitations, MTE is still by far the most promising path forward for improving C/C++ software security in 2023. --------------------------------------------- https://googleprojectzero.blogspot.com/2023/08/summary-mte-as-implemented.h… ∗∗∗ Microsoft veröffentlicht TokenTheft-Playbook ∗∗∗ --------------------------------------------- Der Diebstahl von Tokens kann Angreifern den Zugriff auf entsprechende Dienste ermöglichen. Als Folge eines entsprechenden Vorfalls hat Microsoft daher das sogenannte TokenTheft-Playbook veröffentlicht. Es handelt sich um ein Online-Dokument mit zahlreichen Hinweisen für "Cloud-Verantwortliche", die sich um die Sicherheit und den Schutz vor dem Diebstahl von Zugangstokens kümmern müssen. --------------------------------------------- https://www.borncity.com/blog/2023/08/03/microsoft-verffentlicht-tokentheft… ∗∗∗ BSI Newsletter SICHER INFORMIERT vom 03.08.2023 ∗∗∗ --------------------------------------------- DSGVO – ein Segen für die IT-Sicherheit, Hersteller beklagen Patch-Müdigkeit, kritische Sicherheitslücke gefährdet Router & das BSI auf der Gamescom --------------------------------------------- https://www.bsi.bund.de/SharedDocs/Newsletter/DE/BuergerCERT-Newsletter/16_… ∗∗∗ How Malicious Android Apps Slip Into Disguise ∗∗∗ --------------------------------------------- Researchers say mobile malware purveyors have been abusing a bug in the Google Android platform that lets them sneak malicious code into benign mobile apps and evade security scanning tools. Google says it has updated its app malware detection mechanisms in response to the new research. --------------------------------------------- https://krebsonsecurity.com/2023/08/how-malicious-android-apps-slip-into-di… ∗∗∗ Watchlist Internet: Bestellen Sie unsere neue Broschüre „Betrug im Internet: So schützen Sie sich“ ∗∗∗ --------------------------------------------- Mit unserer neuen Broschüre „Betrug im Internet“ informieren wir Interessierte zu den Themen Einkaufen im Internet, betrügerische Nachrichten, Schadsoftware, Phishing, Vorschussbetrug und Finanzbetrug. Die kostenlose Broschüre können Sie herunterladen oder bei uns bestellen. --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-unsere-neue-broschuere… ∗∗∗ Reptile Malware Targeting Linux Systems ∗∗∗ --------------------------------------------- Reptile is an open-source kernel module rootkit that targets Linux systems and is publicly available on GitHub. Rootkits are malware that possess the capability to conceal themselves or other malware. They primarily target files, processes, and network communications for their concealment. Reptile’s concealment capabilities include not only its own kernel module but also files, directories, file contents, processes, and network traffic. --------------------------------------------- https://asec.ahnlab.com/en/55785/ ∗∗∗ 2022 Top Routinely Exploited Vulnerabilities ∗∗∗ --------------------------------------------- This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-215a ===================== = Vulnerabilities = ===================== ∗∗∗ Matomo Analytics - Less critical - Cross Site Scripting - SA-CONTRIB-2023-033 ∗∗∗ --------------------------------------------- Security risk: Less critical Description: This module enables you to add the Matomo web statistics tracking system to your website.The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website.This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer matomo" or "administer matomo tag manager" (D8+ only) to access the settings forms where this can be configured. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-033 ∗∗∗ CVE-2023-35082 – Remote Unauthenticated API Access Vulnerability in MobileIron Core 11.2 and older ∗∗∗ --------------------------------------------- A vulnerability has been discovered in MobileIron Core which affects version 11.2 and prior. [..] MobileIron Core 11.2 has been out of support since March 15, 2022. Therefore, Ivanti will not be issuing a patch or any other remediations to address this vulnerability in 11.2 or earlier versions. Upgrading to the latest version of Ivanti Endpoint Manager Mobile (EPMM) is the best way to protect your environment from threats. --------------------------------------------- https://forums.ivanti.com/s/article/CVE-2023-35082-Remote-Unauthenticated-A… ∗∗∗ CVE-2023-28130 – Command Injection in Check Point Gaia Portal ∗∗∗ --------------------------------------------- The parameter hostname in the web request /cgi-bin/hosts_dns.tcl is vulnerable for command injection. This can be exploited by any user with a valid session, as long as the user has write permissions on the DNS settings. The injected commands are executed by the user ‘Admin’. --------------------------------------------- https://pentests.nl/pentest-blog/cve-2023-28130-command-injection-in-check-… ∗∗∗ CVE-2023-31928 - XSS vulnerability in Brocade Webtools ∗∗∗ --------------------------------------------- A reflected cross-site scripting (XSS) vulnerability exists in Brocade Webtools PortSetting.html of Brocade Fabric OS version before Brocade Fabric OS v9.2.0 that could allow a remote unauthenticated attacker to execute arbitrary JavaScript code in a target user’s session with the Brocade Webtools application. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31927 - An information disclosure in the web interface of Brocade Fabric OS ∗∗∗ --------------------------------------------- An information disclosure in the web interface of Brocade Fabric OS versions before Brocade Fabric OS v9.2.0 and v9.1.1c, could allow a remote unauthenticated attacker to get technical details about the web interface. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31926 - Arbitrary File Overwrite using less command ∗∗∗ --------------------------------------------- System files could be overwritten using the less command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31432 - Privilege issues in multiple commands ∗∗∗ --------------------------------------------- Through manipulation of passwords or other variables, using commands such as portcfgupload, configupload, license, myid, a non-privileged user could obtain root privileges in Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c and v9.2.0. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31431 - A buffer overflow vulnerability in “diagstatus” command ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in “diagstatus” command in Brocade Fabric OS before Brocade Fabric v9.2.0 and v9.1.1c could allow an authenticated user to crash the Brocade Fabric OS switch leading to a denial of service. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31430 - buffer overflow vulnerability in “secpolicydelete” command ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in “secpolicydelete” command in Brocade Fabric OS before Brocade Fabric OS v9.1.1c and v9.2.0 could allow an authenticated privileged user to crash the Brocade Fabric OS switch leading to a denial of service. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ VE-2023-31425 - Privilege escalation via the fosexec command ∗∗∗ --------------------------------------------- A vulnerability in the fosexec command of Brocade Fabric OS after Brocade Fabric OS v9.1.0 and, before Brocade Fabric OS v9.1.1 could allow a local authenticated user to perform privilege escalation to root by breaking the rbash shell. Starting with Fabric OS v9.1.0, “root” account access is disabled. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31429 - Vulnerability in multiple commands ∗∗∗ --------------------------------------------- Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability when using various commands such as “chassisdistribute”, “reboot”, “rasman”, errmoduleshow, errfilterset, hassiscfgperrthreshold, supportshowcfgdisable and supportshowcfgenable commands that can cause the content of shell interpreted variables to be printed in the terminal. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31427 - Knowledge of full path name ∗∗∗ --------------------------------------------- Brocade Fabric OS versions before Brocade Fabric OS v9.1.1c, and v9.2.0 Could allow an authenticated, local user with knowledge of full path names inside Brocade Fabric OS to execute any command regardless of assigned privilege. Starting with Fabric OS v9.1.0, “root” account access is disabled. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ CVE-2023-31428 - CLI allows upload or transfer files of dangerous types ∗∗∗ --------------------------------------------- Brocade Fabric OS before Brocade Fabric OS v9.1.1c, v9.2.0 contains a vulnerability in the command line that could allow a local user to dump files under users home directory using grep. --------------------------------------------- https://support.broadcom.com/web/ecx/support-content-notification/-/externa… ∗∗∗ Sicherheitsupdates: Angreifer können Aruba-Switches kompromittieren (CVE-2023-3718) ∗∗∗ --------------------------------------------- Bestimmte Switch-Modelle von Aruba sind verwundbar. Die Entwickler haben eine Sicherheitslücke geschlossen. --------------------------------------------- https://heise.de/-9233677 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 24, 2023 to July 30, 2023) ∗∗∗ --------------------------------------------- Last week, there were 64 vulnerabilities disclosed in 66 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10), Red Hat (.NET 6.0 and iperf3), Slackware (openssl), SUSE (kernel, mariadb, poppler, and python-Django), and Ubuntu (gst-plugins-base1.0, gst-plugins-good1.0, maradns, openjdk-20, and vim). --------------------------------------------- https://lwn.net/Articles/940335/ ∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-215-01 Mitsubishi Electric GOT2000 and GOT SIMPLE - ICSA-23-215-02 Mitsubishi Electric GT and GOT Series Products - ICSA-23-215-03 TEL-STER TelWin SCADA WebInterface - ICSA-23-215-04 Sensormatic Electronics VideoEdge - ICSA-23-208-03 Mitsubishi Electric CNC Series --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-releases-five-indus… ∗∗∗ Sicherheitsschwachstelle in verschiedenen Canon Inkjet-Druckermodellen (SYSS-2023-011) ∗∗∗ --------------------------------------------- Bei dem Canon Inkjet-Drucker PIXMA TR4550 besteht eine Sicherheitsschwachstelle aufgrund eines unzureichenden Schutzes sensibler Daten. --------------------------------------------- https://www.syss.de/pentest-blog/sicherheitsschwachstelle-in-verschiedenen-… ∗∗∗ [R1] Nessus Version 10.5.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Nessus leverages third-party software to help provide underlying functionality. One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Out of caution and in line with best practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.5.4 updates OpenSSL to version 3.0.10 to address the identified vulnerabilities. --------------------------------------------- https://www.tenable.com/security/tns-2023-27 ∗∗∗ Mozilla Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Mozilla has released security updates to address vulnerabilities for Firefox 116, Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/02/mozilla-releases-securit… ∗∗∗ Cisco BroadWorks CommPilot Application Software Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Products Arbitrary File Read Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ CODESYS: Missing Brute-Force protection in CODESYS Development System ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-023/ ∗∗∗ CODESYS: Control runtime system memory and integrity check vulnerabilities (CVE-2022-4046, CVE-2023-28355)) ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-025/ ∗∗∗ CODESYS: Vulnerability in CODESYS Development System allows execution of binaries ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-021/ ∗∗∗ CODESYS: Missing integrity check in CODESYS Development System ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-022/ ∗∗∗ Shelly 4PM Pro four-channel smart switch: Authentication Bypass via an out-of-bounds read vulnerability (CVE-2023-033383) ∗∗∗ --------------------------------------------- https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-vi… ∗∗∗ CODESYS: Multiple Vulnerabilities in CmpApp CmpAppBP and CmpAppForce ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-019/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.08.2023
by Daily end-of-shift report 02 Aug '23

02 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-08-2023 18:00 − Mittwoch 02-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat actors abuse Google AMP for evasive phishing attacks ∗∗∗ --------------------------------------------- Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to inboxes of enterprise employees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a… ∗∗∗ Amazons AWS SSM agent can be used as post-exploitation RAT malware ∗∗∗ --------------------------------------------- Researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows hackers to use the platforms System Manager (SSM) agent as an undetectable Remote Access Trojan (RAT). --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be… ∗∗∗ New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer thats equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. Palo Alto Network Unit 42 said it detected the previously undocumented strain as part of a campaign that commenced in December 2022. There is no evidence to suggest that the cyber offensive is currently active. --------------------------------------------- https://thehackernews.com/2023/08/new-nodestealer-targeting-facebook.html ∗∗∗ Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack ∗∗∗ --------------------------------------------- A new side-channel attack method that can lead to data leakage works against nearly any modern CPU, but we’re unlikely to see it being used in the wild any time soon. [..] Collide+Power is a generic software-based attack that works against devices powered by Intel, AMD or Arm processors and it’s applicable to any application and any type of data. The chipmakers are publishing their own advisories for the attack and the CVE-2023-20583 has been assigned. --------------------------------------------- https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collid… ∗∗∗ New hVNC macOS Malware Advertised on Hacker Forum ∗∗∗ --------------------------------------------- A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum. --------------------------------------------- https://www.securityweek.com/new-hvnc-macos-malware-advertised-on-hacker-fo… ∗∗∗ SSH Remains Most Targeted Service in Cado’s Cloud Threat Report ∗∗∗ --------------------------------------------- Cado Security Labs 2023 Cloud Threat Findings Report dives deep into the world of cybercrime, cyberattacks, and vulnerabilities. --------------------------------------------- https://www.hackread.com/ssh-targeted-service-cado-cloud-threat-report/ ∗∗∗ The Most Important Part of the Internet You’ve Probably Never Heard Of ∗∗∗ --------------------------------------------- Few people realize how much they depend on the Border Gateway Protocol (BGP) every day—a set of technical rules responsible for routing data efficiently. --------------------------------------------- https://www.cisa.gov/news-events/news/most-important-part-internet-youve-pr… ∗∗∗ CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/01/cisa-and-international-p… ===================== = Vulnerabilities = ===================== ∗∗∗ K000135479: Overview of F5 vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- On August 2, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000135479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bouncycastle), Fedora (firefox), Red Hat (cjose, curl, iperf3, kernel, kernel-rt, kpatch-patch, libeconf, libxml2, mod_auth_openidc:2.3, openssh, and python-requests), SUSE (firefox, jtidy, libredwg, openssl, salt, SUSE Manager Client Tools, and SUSE Manager Salt Bundle), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/940103/ ∗∗∗ IBM TRIRIGA Application Platform discloses use of Apache Xerces (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017724 ∗∗∗ IBM TRIRIGA Application Platform suseptable to clickjacking (CBE-2017-4015) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017716 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2023
by Daily end-of-shift report 01 Aug '23

01 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 31-07-2023 18:00 − Dienstag 01-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers steal Signal, WhatsApp user data with fake Android chat app ∗∗∗ --------------------------------------------- Hackers are using a fake Android app named SafeChat to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-signal-whatsap… ∗∗∗ European Bank Customers Targeted in SpyNote Android Trojan Campaign ∗∗∗ --------------------------------------------- Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023."The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," [..] --------------------------------------------- https://thehackernews.com/2023/08/european-bank-customers-targeted-in.html ∗∗∗ BSI-Magazin: Neue Ausgabe erschienen ∗∗∗ --------------------------------------------- In der neuen Ausgabe seines Magazins „Mit Sicherheit“ beleuchtet das Bundesamt für Sicherheit in der Informationstechnik (BSI) aktuelle Themen der Cybersicherheit. Im Fokus steht der digitale Verbraucherschutz. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Kaufen Sie nicht in diesen betrügerischen Online-Apotheken ein! ∗∗∗ --------------------------------------------- Ob Schlaftabletten, Schmerz- oder Potzenmittel: Betrügerische Online-Apotheken setzen auf eine breite Produktpalette und bieten verschreibungspflichtige Medikamente ohne Rezept an. Aktuell stoßen wir auf zahlreiche solcher betrügerischen Versandapotheken. Die bestellten Waren werden oftmals gar nicht geliefert und wenn doch, müssen Konsument:innen mit wirkungslosen oder sogar mit gesundheitsschädigenden Fälschungen rechnen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-diesen-betrueger… ∗∗∗ Tuesday August 8th 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address: * 3 high severity issues. * 2 medium severity issues. * 2 low severity issues. --------------------------------------------- https://nodejs-9c1r4fxv8-openjs.vercel.app/en/blog/vulnerability/august-202… ===================== = Vulnerabilities = ===================== ∗∗∗ TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-029 ∗∗∗ Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables you to render a field in an expandable/collapsible region. The module doesn't sufficiently sanitize the field content when displaying it to an end user. This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-028 ∗∗∗ Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables a UI to display all libraries provided by modules and themes on the Drupal site. The module doesn't sufficiently protect the libraries reporting page. It curently is using the 'access content' permission and not a proper administrative/access permission. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-027 ∗∗∗ OpenSSL version 3.1.2 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.1-notes.html ∗∗∗ OpenSSL version 3.0.10 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.0-notes.html ∗∗∗ OpenSSL version 1.1.1v released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] - Fix excessive time spent checking DH q parameter value (CVE-2023-3817) - Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) --------------------------------------------- https://www.openssl.org/news/openssl-1.1.1-notes.html ∗∗∗ Xen Security Advisory 436 v1 (CVE-2023-34320) - arm: Guests can trigger a deadlock on Cortex-A77 ∗∗∗ --------------------------------------------- Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity. [..] A (malicious) guest that doesnt include the workaround for erratum 1508412 could deadlock the core. This will ultimately result to a deadlock of the system. --------------------------------------------- https://lists.xenproject.org/archives/html/xen-announce/2023-08/msg00000.ht… ∗∗∗ SVD-2023-0702: Unauthenticated Log Injection In Splunk SOAR ∗∗∗ --------------------------------------------- Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-0702 ∗∗∗ WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin ∗∗∗ --------------------------------------------- Description: Stripe Payment Plugin for WooCommerce <= 3.7.7 – Authentication Bypass Affected Plugin: Stripe Payment Plugin for WooCommerce Plugin Slug: payment-gateway-stripe-and-woocommerce-integration Affected Versions: <= 3.7.7 Fully Patched Version: 3.7.8 CVE ID: CVE-2023-3162 CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2023/08/webtoffee-addresses-authentication-b… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (curl), Red Hat (bind, ghostscript, iperf3, java-1.8.0-ibm, nodejs, nodejs:18, openssh, postgresql:15, and samba), Scientific Linux (iperf3), Slackware (mozilla and seamonkey), SUSE (compat-openssl098, gnuplot, guava, openssl-1_0_0, pipewire, python-requests, qemu, samba, and xmltooling), and Ubuntu (librsvg, openjdk-8, openjdk-lts, openjdk-17, openssh, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/939917/ ∗∗∗ Security Vulnerabilities fixed in Firefox 116 ∗∗∗ --------------------------------------------- Impact high: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/ ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015865 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution due to [CVE-2023-29402] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015871 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Google PubSub nodes are vulnerable to arbitrary code execution due to [CVE-2023-36665] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015873 ∗∗∗ IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-protocol attacks due to sendmail (CVE-2021-3618) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013521 ∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013909 ∗∗∗ IBM Virtualization Engine TS7700 is susceptible to multiple vulnerabilities due to use of IBM SDK Java Technology Edition, Version 8 (CVE-2023-21967, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015879 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016688 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM PowerVM Novalink is vulnerable because RESTEasy could allow a local authenticated attacker to gain elevated privileges on the system, caused by the creation of insecure temp files in the File. (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016690 ∗∗∗ IBM PowerVM Novalink is vulnerable because An unspecified vulnerability in Oracle Java SE. (CVE-2023-21930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016696 ∗∗∗ IBM PowerVM Novalink is vulnerable because GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. (CVE-2023-28867) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016698 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014913 ∗∗∗ Vulnerability in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014915 ∗∗∗ Multiple Vulnerabilities in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014917 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014919 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010669 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server traditional is vulnerable to an XML External Entity (XXE) Injection vulnerability - CVE-2023-27554 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016810 ∗∗∗ CVE-2022-40609 affects IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017032 ∗∗∗ The IBM Engineering Lifecycle Engineering products using IBM Java versions 8.0.7.0 - 8.0.7.11 are vulnerable to crypto attacks. (CVE-2023-30441) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015777 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2023-24998 , CVE-2022-31129) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015061 ∗∗∗ IBM Robotic Process Automation is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes (CVE-2023-23476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017490 ∗∗∗ Decision Optimization for Cloud Pak for Data is vulnerable to a server-side request forgery (CVE-2023-28155). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017586 ∗∗∗ IBM Event Streams is affected by a vulnerability in Node.js Request package (CVE-2023-28155) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017628 ∗∗∗ IBM Event Streams is affected by a vulnerability in Golang Go (CVE-2023-29406) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017634 ∗∗∗ APSystems Altenergy Power Control ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-213-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily August 2023