Daily August 2023

daily@lists.cert.at

1 participants
22 discussions

Tageszusammenfassung - 02.08.2023
by Daily end-of-shift report 02 Aug '23

02 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-08-2023 18:00 − Mittwoch 02-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Threat actors abuse Google AMP for evasive phishing attacks ∗∗∗ --------------------------------------------- Security researchers are warning of increased phishing activity that abuses Google Accelerated Mobile Pages (AMP) to bypass email security measures and get to inboxes of enterprise employees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/threat-actors-abuse-google-a… ∗∗∗ Amazons AWS SSM agent can be used as post-exploitation RAT malware ∗∗∗ --------------------------------------------- Researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows hackers to use the platforms System Manager (SSM) agent as an undetectable Remote Access Trojan (RAT). --------------------------------------------- https://www.bleepingcomputer.com/news/security/amazons-aws-ssm-agent-can-be… ∗∗∗ New NodeStealer Variant Targeting Facebook Business Accounts and Crypto Wallets ∗∗∗ --------------------------------------------- Cybersecurity researchers have unearthed a Python variant of a stealer malware NodeStealer thats equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. Palo Alto Network Unit 42 said it detected the previously undocumented strain as part of a campaign that commenced in December 2022. There is no evidence to suggest that the cyber offensive is currently active. --------------------------------------------- https://thehackernews.com/2023/08/new-nodestealer-targeting-facebook.html ∗∗∗ Nearly All Modern CPUs Leak Data to New Collide+Power Side-Channel Attack ∗∗∗ --------------------------------------------- A new side-channel attack method that can lead to data leakage works against nearly any modern CPU, but we’re unlikely to see it being used in the wild any time soon. [..] Collide+Power is a generic software-based attack that works against devices powered by Intel, AMD or Arm processors and it’s applicable to any application and any type of data. The chipmakers are publishing their own advisories for the attack and the CVE-2023-20583 has been assigned. --------------------------------------------- https://www.securityweek.com/nearly-all-modern-cpus-leak-data-to-new-collid… ∗∗∗ New hVNC macOS Malware Advertised on Hacker Forum ∗∗∗ --------------------------------------------- A new macOS-targeting hVNC malware family is being advertised on a prominent cybercrime forum. --------------------------------------------- https://www.securityweek.com/new-hvnc-macos-malware-advertised-on-hacker-fo… ∗∗∗ SSH Remains Most Targeted Service in Cado’s Cloud Threat Report ∗∗∗ --------------------------------------------- Cado Security Labs 2023 Cloud Threat Findings Report dives deep into the world of cybercrime, cyberattacks, and vulnerabilities. --------------------------------------------- https://www.hackread.com/ssh-targeted-service-cado-cloud-threat-report/ ∗∗∗ The Most Important Part of the Internet You’ve Probably Never Heard Of ∗∗∗ --------------------------------------------- Few people realize how much they depend on the Border Gateway Protocol (BGP) every day—a set of technical rules responsible for routing data efficiently. --------------------------------------------- https://www.cisa.gov/news-events/news/most-important-part-internet-youve-pr… ∗∗∗ CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint Cybersecurity Advisory (CSA), Threat Actors Exploiting Ivanti EPMM Vulnerabilities, in response to the active exploitation of CVE-2023-35078 and CVE-2023-35081 affecting Ivanti Endpoint Manager Mobile (EPMM) (formerly known as MobileIron Core). --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/01/cisa-and-international-p… ===================== = Vulnerabilities = ===================== ∗∗∗ K000135479: Overview of F5 vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- On August 2, 2023, F5 announced the following security issues. This document is intended to serve as an overview of these vulnerabilities to help determine the impact to your F5 devices. You can find the details of each issue in the associated articles. --------------------------------------------- https://my.f5.com/manage/s/article/K000135479 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (bouncycastle), Fedora (firefox), Red Hat (cjose, curl, iperf3, kernel, kernel-rt, kpatch-patch, libeconf, libxml2, mod_auth_openidc:2.3, openssh, and python-requests), SUSE (firefox, jtidy, libredwg, openssl, salt, SUSE Manager Client Tools, and SUSE Manager Salt Bundle), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/940103/ ∗∗∗ IBM TRIRIGA Application Platform discloses use of Apache Xerces (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017724 ∗∗∗ IBM TRIRIGA Application Platform suseptable to clickjacking (CBE-2017-4015) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017716 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.08.2023
by Daily end-of-shift report 01 Aug '23

01 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 31-07-2023 18:00 − Dienstag 01-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers steal Signal, WhatsApp user data with fake Android chat app ∗∗∗ --------------------------------------------- Hackers are using a fake Android app named SafeChat to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-steal-signal-whatsap… ∗∗∗ European Bank Customers Targeted in SpyNote Android Trojan Campaign ∗∗∗ --------------------------------------------- Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023."The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," [..] --------------------------------------------- https://thehackernews.com/2023/08/european-bank-customers-targeted-in.html ∗∗∗ BSI-Magazin: Neue Ausgabe erschienen ∗∗∗ --------------------------------------------- In der neuen Ausgabe seines Magazins „Mit Sicherheit“ beleuchtet das Bundesamt für Sicherheit in der Informationstechnik (BSI) aktuelle Themen der Cybersicherheit. Im Fokus steht der digitale Verbraucherschutz. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Kaufen Sie nicht in diesen betrügerischen Online-Apotheken ein! ∗∗∗ --------------------------------------------- Ob Schlaftabletten, Schmerz- oder Potzenmittel: Betrügerische Online-Apotheken setzen auf eine breite Produktpalette und bieten verschreibungspflichtige Medikamente ohne Rezept an. Aktuell stoßen wir auf zahlreiche solcher betrügerischen Versandapotheken. Die bestellten Waren werden oftmals gar nicht geliefert und wenn doch, müssen Konsument:innen mit wirkungslosen oder sogar mit gesundheitsschädigenden Fälschungen rechnen. --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-nicht-in-diesen-betrueger… ∗∗∗ Tuesday August 8th 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday August 8th 2023 in order to address: * 3 high severity issues. * 2 medium severity issues. * 2 low severity issues. --------------------------------------------- https://nodejs-9c1r4fxv8-openjs.vercel.app/en/blog/vulnerability/august-202… ===================== = Vulnerabilities = ===================== ∗∗∗ TacJS - Moderately critical - Cross site scripting - SA-CONTRIB-2023-029 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-029 ∗∗∗ Expandable Formatter - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-028 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables you to render a field in an expandable/collapsible region. The module doesn't sufficiently sanitize the field content when displaying it to an end user. This vulnerability is mitigated by the fact that an attacker must have a role capable of creating content that uses the field formatter. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-028 ∗∗∗ Libraries UI - Moderately critical - Access bypass - SA-CONTRIB-2023-027 ∗∗∗ --------------------------------------------- Security risk: Moderately critical This module enables a UI to display all libraries provided by modules and themes on the Drupal site. The module doesn't sufficiently protect the libraries reporting page. It curently is using the 'access content' permission and not a proper administrative/access permission. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-027 ∗∗∗ OpenSSL version 3.1.2 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.1.1 and OpenSSL 3.1.2 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.1-notes.html ∗∗∗ OpenSSL version 3.0.10 released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 3.0.9 and OpenSSL 3.0.10 [1 Aug 2023] - Fix excessive time spent checking DH q parameter value ([CVE-2023-3817]) - Fix DH_check() excessive time with over sized modulus ([CVE-2023-3446]) - Do not ignore empty associated data entries with AES-SIV ([CVE-2023-2975]) --------------------------------------------- https://www.openssl.org/news/openssl-3.0-notes.html ∗∗∗ OpenSSL version 1.1.1v released ∗∗∗ --------------------------------------------- Major changes between OpenSSL 1.1.1u and OpenSSL 1.1.1v [1 Aug 2023] - Fix excessive time spent checking DH q parameter value (CVE-2023-3817) - Fix DH_check() excessive time with over sized modulus (CVE-2023-3446) --------------------------------------------- https://www.openssl.org/news/openssl-1.1.1-notes.html ∗∗∗ Xen Security Advisory 436 v1 (CVE-2023-34320) - arm: Guests can trigger a deadlock on Cortex-A77 ∗∗∗ --------------------------------------------- Cortex-A77 cores (r0p0 and r1p0) are affected by erratum 1508412 where software, under certain circumstances, could deadlock a core due to the execution of either a load to device or non-cacheable memory, and either a store exclusive or register read of the Physical Address Register (PAR_EL1) in close proximity. [..] A (malicious) guest that doesnt include the workaround for erratum 1508412 could deadlock the core. This will ultimately result to a deadlock of the system. --------------------------------------------- https://lists.xenproject.org/archives/html/xen-announce/2023-08/msg00000.ht… ∗∗∗ SVD-2023-0702: Unauthenticated Log Injection In Splunk SOAR ∗∗∗ --------------------------------------------- Splunk SOAR versions 6.0.2 and earlier are indirectly affected by a potential vulnerability accessed through the user’s terminal. A third party can send Splunk SOAR a maliciously crafted web request containing special ANSI characters to cause log file poisoning. When a terminal user attempts to view the poisoned logs, this can tamper with the terminal and cause possible malicious code execution from the terminal user’s action. --------------------------------------------- https://advisory.splunk.com//advisories/SVD-2023-0702 ∗∗∗ WebToffee Addresses Authentication Bypass Vulnerability in Stripe Payment Plugin for WooCommerce WordPress Plugin ∗∗∗ --------------------------------------------- Description: Stripe Payment Plugin for WooCommerce <= 3.7.7 – Authentication Bypass Affected Plugin: Stripe Payment Plugin for WooCommerce Plugin Slug: payment-gateway-stripe-and-woocommerce-integration Affected Versions: <= 3.7.7 Fully Patched Version: 3.7.8 CVE ID: CVE-2023-3162 CVSS Score: 9.8 (Critical) --------------------------------------------- https://www.wordfence.com/blog/2023/08/webtoffee-addresses-authentication-b… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tiff), Fedora (curl), Red Hat (bind, ghostscript, iperf3, java-1.8.0-ibm, nodejs, nodejs:18, openssh, postgresql:15, and samba), Scientific Linux (iperf3), Slackware (mozilla and seamonkey), SUSE (compat-openssl098, gnuplot, guava, openssl-1_0_0, pipewire, python-requests, qemu, samba, and xmltooling), and Ubuntu (librsvg, openjdk-8, openjdk-lts, openjdk-17, openssh, rabbitmq-server, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/939917/ ∗∗∗ Security Vulnerabilities fixed in Firefox 116 ∗∗∗ --------------------------------------------- Impact high: CVE-2023-4045, CVE-2023-4046, CVE-2023-4047, CVE-2023-4048, CVE-2023-4049, CVE-2023-4050 --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-29/ ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015865 ∗∗∗ IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution due to [CVE-2023-29402] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015871 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use Google PubSub nodes are vulnerable to arbitrary code execution due to [CVE-2023-36665] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015873 ∗∗∗ IBM Robotic Process Automation for Cloud Pak is vulnerable to cross-protocol attacks due to sendmail (CVE-2021-3618) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013521 ∗∗∗ Vulnerabilities in Node.js affects IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013909 ∗∗∗ IBM Virtualization Engine TS7700 is susceptible to multiple vulnerabilities due to use of IBM SDK Java Technology Edition, Version 8 (CVE-2023-21967, CVE-2023-21939, CVE-2023-21968, CVE-2023-21937) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015879 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016688 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM PowerVM Novalink is vulnerable because RESTEasy could allow a local authenticated attacker to gain elevated privileges on the system, caused by the creation of insecure temp files in the File. (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016690 ∗∗∗ IBM PowerVM Novalink is vulnerable because An unspecified vulnerability in Oracle Java SE. (CVE-2023-21930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016696 ∗∗∗ IBM PowerVM Novalink is vulnerable because GraphQL Java is vulnerable to a denial of service, caused by a stack-based buffer overflow. (CVE-2023-28867) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016698 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2.5 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014913 ∗∗∗ Vulnerability in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014915 ∗∗∗ Multiple Vulnerabilities in Rational Change 5.3.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014917 ∗∗∗ Multiple Vulnerabilities in Rational Synergy 7.2.2 Fix Pack 05 and earlier versions. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014919 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to spoofing - CVE-2022-39161 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7010669 ∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server traditional is vulnerable to an XML External Entity (XXE) Injection vulnerability - CVE-2023-27554 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016810 ∗∗∗ CVE-2022-40609 affects IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017032 ∗∗∗ The IBM Engineering Lifecycle Engineering products using IBM Java versions 8.0.7.0 - 8.0.7.11 are vulnerable to crypto attacks. (CVE-2023-30441) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015777 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015859 ∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2023-24998 , CVE-2022-31129) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7015061 ∗∗∗ IBM Robotic Process Automation is vulnerable to unauthorized access to data due to insufficient authorization validation on some API routes (CVE-2023-23476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017490 ∗∗∗ Decision Optimization for Cloud Pak for Data is vulnerable to a server-side request forgery (CVE-2023-28155). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017586 ∗∗∗ IBM Event Streams is affected by a vulnerability in Node.js Request package (CVE-2023-28155) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017628 ∗∗∗ IBM Event Streams is affected by a vulnerability in Golang Go (CVE-2023-29406) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7017634 ∗∗∗ APSystems Altenergy Power Control ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-213-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily August 2023