=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-01-2024 18:00 − Wednesday 31-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Debian, Ubuntu and more: glibc vulnerability allows root access on Linux ∗∗∗
---------------------------------------------
Further vulnerabilities in the GNU C library have also been uncovered. One of them has apparently existed for more than 30 years.
---------------------------------------------
https://www.golem.de/news/debian-ubuntu-und-mehr-glibc-schwachstelle-ermoeg…
∗∗∗ Tracking 15 Years of Qakbot Development ∗∗∗
---------------------------------------------
Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, [...]
---------------------------------------------
https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-de…
∗∗∗ Ransomware: online tool can decrypt BlackCat & Co. under certain conditions ∗∗∗
---------------------------------------------
If the prerequisites are met, ransomware victims can decrypt their data on a website without paying a ransom.
---------------------------------------------
https://www.heise.de/-9614278.html
∗∗∗ A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs ∗∗∗
---------------------------------------------
A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders. Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit.
---------------------------------------------
https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/
∗∗∗ Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation ∗∗∗
---------------------------------------------
Update (Jan. 31): We released a follow-up blog post containing additional details from our investigations into this threat, along with more recommendations for defenders. Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.
---------------------------------------------
https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-d…
∗∗∗ CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-sec…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/960248/
∗∗∗ Mattermost security updates 9.4.2 / 9.3.1 / 9.2.5 / 8.1.9 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-4-2-9-3-1-9-2-5-8…
∗∗∗ CISA ICS Advisories ∗∗∗
---------------------------------------------
- Hitron Systems Security Camera DVR
- Rockwell Automation ControlLogix and GuardLogix
- Rockwell Automation FactoryTalk Service Platform
- Rockwell Automation LP30/40/50 and BM40 Operator Interface
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2022-48618 Apple Multiple Products Improper Authentication Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-expl…
∗∗∗ Security Advisory Report - OBSO-2401-03 ∗∗∗
---------------------------------------------
A command injection vulnerability has been identified in the MyPortal@Work application of Atos OpenScape Business which, if successfully exploited, could allow a malicious actor to execute arbitrary scripts on a client machine.
The severity is rated high.
Customers are advised to update the systems with the available fix release.
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2401-03.pdf
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Google Chrome: update closes four security vulnerabilities ∗∗∗
---------------------------------------------
https://www.heise.de/-9613823.html
∗∗∗ SVD-2024-0112: Third-Party Package Updates in Splunk Add-on Builder - January 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0112
∗∗∗ SVD-2024-0111: Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0111
∗∗∗ SVD-2024-0110: Session Token Disclosure to Internal Log Files in Splunk Add-on Builder ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0110
∗∗∗ The WordPress 6.4.3 Security Update – What You Need to Know ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-…
∗∗∗ Tor Code Audit Finds 17 Vulnerabilities ∗∗∗
---------------------------------------------
https://www.securityweek.com/tor-code-audit-finds-17-vulnerabilities/
∗∗∗ Update #5: Critical vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure - actively exploited - patches available ∗∗∗
---------------------------------------------
https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-c…
∗∗∗ List of Security Fixes and Improvements in Veeam Backup for Nutanix AHV ∗∗∗
---------------------------------------------
https://www.veeam.com/kb4236
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-01-2024 18:00 − Tuesday 30-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ransomware attack: hackers steal internal data from Schneider Electric ∗∗∗
---------------------------------------------
The ransomware group Cactus is allegedly behind the attack. It has apparently exfiltrated several TB of data and is demanding a ransom.
---------------------------------------------
https://www.golem.de/news/ransomwareattacke-hacker-greifen-interne-daten-vo…
∗∗∗ What did I say to make you stop talking to me?, (Tue, Jan 30th) ∗∗∗
---------------------------------------------
We use Cowrie to emulate an SSH and Telnet server for our honeypots. Cowrie is great software maintained by Michel Oosterhof.
---------------------------------------------
https://isc.sans.edu/diary/rss/30604
∗∗∗ New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility ∗∗∗
---------------------------------------------
Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnet's infrastructure was dismantled in April 2022.
---------------------------------------------
https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html
∗∗∗ Is Your SAP Cloud Connector Safe? The Risk You Can’t Ignore ∗∗∗
---------------------------------------------
In this article, we will discuss security issues and provide recommendations to mitigate the risks associated with using SAP CC on the Windows platform.
---------------------------------------------
https://redrays.io/blog/sap-cloud-connector-security/
∗∗∗ Ransomware report: fewer and fewer victims pay the ransom ∗∗∗
---------------------------------------------
Security researchers highlight current trends in ransomware. Among other things, the ransom sums are shrinking.
---------------------------------------------
https://www.heise.de/news/Ransomware-Bericht-Immer-weniger-Opfer-zahlen-Loe…
∗∗∗ Better not: weight-loss pills from Keto Base ∗∗∗
---------------------------------------------
A fake online article advertises weight-loss pills from Keto Base. This "miracle cure" for fast weight loss was supposedly presented and funded on the TV show "Höhle des Löwen". This is fake news, however. The offer is dubious and, in the worst case, harms your health.
---------------------------------------------
https://www.watchlist-internet.at/news/lieber-nicht-abnehm-pillen-von-keto-…
∗∗∗ Trigona Ransomware Threat Actor Uses Mimic Ransomware ∗∗∗
---------------------------------------------
AhnLab Security intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/61000/
∗∗∗ DarkGate malware delivered via Microsoft Teams - detection and response ∗∗∗
---------------------------------------------
While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-de…
=====================
= Vulnerabilities =
=====================
∗∗∗ DLL proxying: Trend Micro ships updates, further vendors vulnerable ∗∗∗
---------------------------------------------
Security researchers have found DLL proxying vulnerabilities in antivirus programs from several vendors. Trend Micro already has updates available.
---------------------------------------------
https://www.heise.de/news/DLL-Proxying-Trend-Micro-liefert-Updates-weitere-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml).
---------------------------------------------
https://lwn.net/Articles/960008/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ XSA-450 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-450.html
∗∗∗ XSA-449 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-449.html
∗∗∗ Festo: Multiple products contain CoDe16 vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-063/
∗∗∗ Pilz: Vulnerability in PASvisu and PMI v8xx ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-050/
∗∗∗ Emerson Rosemount GC370XA, GC700XA, GC1500XA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01
∗∗∗ Mitsubishi Electric FA Engineering Software Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02
∗∗∗ Mitsubishi Electric MELSEC WS Series Ethernet Interface Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-03
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-01-2024 18:00 − Monday 29-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Token leak: Mercedes-Benz source code was apparently freely accessible online ∗∗∗
---------------------------------------------
An authentication token belonging to Mercedes-Benz apparently sat in a public GitHub repository for several months - with far-reaching access rights.
---------------------------------------------
https://www.golem.de/news/token-leak-quellcode-von-mercedes-benz-lag-wohl-f…
∗∗∗ Exploit Flare Up Against Older Atlassian Confluence Vulnerability, (Mon, Jan 29th) ∗∗∗
---------------------------------------------
Last October, Atlassian released a patch for CVE-2023-22515 [1]. This vulnerability allowed attackers to create new admin users in Confluence. Today, I noticed a bit of a "flare up" in a specific exploit variant.
---------------------------------------------
https://isc.sans.edu/diary/rss/30600
∗∗∗ Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks ∗∗∗
---------------------------------------------
In this ever-evolving landscape of cyberthreats, email has become a prime target for phishing attacks. Cybercriminals continue to adapt and employ more sophisticated methods to effectively deceive users and bypass detection measures. One of the most prevalent tactics nowadays involves exploiting legitimate platforms for redirection through deceptive links. In this blog post, we'll explore how trusted platforms are increasingly being exploited as redirectors, [...]
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trusted-dom…
∗∗∗ Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang ∗∗∗
---------------------------------------------
Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust. Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script.
---------------------------------------------
https://thehackernews.com/2024/01/albabat-kasseika-kuiper-new-ransomware.ht…
∗∗∗ Update now! Exploits for critical Jenkins vulnerability in circulation ∗∗∗
---------------------------------------------
Exploit code has surfaced for the critical Jenkins vulnerability that became known last week. High time to update!
---------------------------------------------
https://www.heise.de/-9611923.html
∗∗∗ Extortion in South Westphalia: Akira got into the municipal network with a guessed password ∗∗∗
---------------------------------------------
A forensic report now available gives the municipal IT association a mediocre grade. Crisis management is ongoing.
---------------------------------------------
https://www.heise.de/-9610102.html
∗∗∗ 10 things to do to improve your online privacy ∗∗∗
---------------------------------------------
It's Data Privacy Week, so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.
---------------------------------------------
https://www.malwarebytes.com/blog/personal/2024/01/10-things-to-do-to-impro…
∗∗∗ How you get ripped off when looking for a flat ∗∗∗
---------------------------------------------
Central location, freshly renovated, high-quality furniture - and comparatively cheap. Anyone looking for a flat will sooner or later come across such an offer and be blown away. Unfortunately, this is very likely a fraudulent listing. Criminals use one-of-a-kind offers to try to lure advance payments out of you. We show you how not to get scammed when looking for a flat.
---------------------------------------------
https://www.watchlist-internet.at/news/so-werden-sie-bei-der-wohnungssuche-…
∗∗∗ Akira Ransomware and exploitation of Cisco Anyconnect vulnerability CVE-2020-3259 ∗∗∗
---------------------------------------------
In several recent incident response missions, the Truesec CSIRT team made forensic observations indicating that the old vulnerability CVE-2020-3259 is likely to be actively exploited.
---------------------------------------------
https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, kernel, LibRaw, python-pillow, and xorg-x11-server), Debian (gst-plugins-bad1.0, libspreadsheet-parsexlsx-perl, mariadb-10.3, and slurm-wlm), Fedora (atril, dotnet8.0, gnutls, prometheus-podman-exporter, python-jinja2, sudo, and vips), Oracle (frr, kernel, php:8.1, python-urllib3, python3.9, rpm, sqlite, and tomcat), Slackware (pam), SUSE (cpio, rear23a, rear27a, sevctl, and xorg-x11-server), and Ubuntu (exim4 and firefox).
---------------------------------------------
https://lwn.net/Articles/959882/
∗∗∗ Vulnerabilities in WatchGuard, Panda Security Products Lead to Code Execution ∗∗∗
---------------------------------------------
Two memory safety vulnerabilities in WatchGuard and Panda Security products could lead to code execution with System privileges.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-in-watchguard-panda-security-p…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Trumpf: Multiple products contain WIBU CodeMeter vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-001/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-01-2024 18:00 − Friday 26-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Via push notifications: prominent iOS apps secretly harvest device data ∗∗∗
---------------------------------------------
The data collectors apparently include iOS apps from well-known online services such as TikTok, Facebook, Instagram, Threads, LinkedIn, Bing and X.
---------------------------------------------
https://www.golem.de/news/ueber-push-benachrichtigungen-prominente-ios-apps…
∗∗∗ MFA was inactive: Microsoft reveals how hackers got hold of internal emails ∗∗∗
---------------------------------------------
According to Microsoft, the attackers first infiltrated a test account with inactive MFA - using a proxy infrastructure.
---------------------------------------------
https://www.golem.de/news/mfa-war-inaktiv-microsoft-deckt-auf-wie-hacker-an…
∗∗∗ Crafted URL can be dangerous for Juniper firewalls and switches ∗∗∗
---------------------------------------------
Juniper developers have closed several security vulnerabilities in Junos OS. Not all updates are available yet, however.
---------------------------------------------
https://www.heise.de/-9609333.html
∗∗∗ Confusing: internet domain fritz.box shows NFT gallery instead of router administration ∗∗∗
---------------------------------------------
A week ago, unknown parties registered the domain "fritz.box" for themselves. Their intentions are unclear; Fritz owners should be careful.
---------------------------------------------
https://www.heise.de/-9610149.html
∗∗∗ Blackwood hackers hijack WPS Office update to install malware ∗∗∗
---------------------------------------------
A previously unknown advanced threat actor tracked as Blackwood is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackwood-hackers-hijack-wps…
∗∗∗ Midnight Blizzard: Guidance for responders on nation-state attack ∗∗∗
---------------------------------------------
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-…
∗∗∗ A Batch File With Multiple Payloads, (Fri, Jan 26th) ∗∗∗
---------------------------------------------
Windows batch files (.bat) are often seen by people as very simple but they can be pretty complex or... contain interesting encoded payloads! I found one that contains multiple payloads decoded and used by a PowerShell process. The magic is behind how comments can be added to such files.
---------------------------------------------
https://isc.sans.edu/diary/rss/30592
∗∗∗ Inheritance via SMS: ignore this fraudulent message ∗∗∗
---------------------------------------------
We repeatedly warn about emails in which fraudsters promise big money: million-euro winnings, a donation or an inheritance are supposed to suddenly make the recipients rich. Currently, however, criminals are relying not only on emails but also on SMS to get in touch with potential victims. After that, the scam proceeds as usual: with offers that are too good to be true, gullible victims are cheated out of their money.
---------------------------------------------
https://www.watchlist-internet.at/news/erbschaft-per-sms-ignorieren-sie-die…
∗∗∗ Assessing and mitigating supply chain cybersecurity risks ∗∗∗
---------------------------------------------
Blindly trusting your partners and suppliers on their security posture is not sustainable – it's time to take control through effective supplier risk management.
---------------------------------------------
https://www.welivesecurity.com/en/business-security/assessing-mitigating-cy…
∗∗∗ Cybersecurity for Industrial Control Systems: Best practices ∗∗∗
---------------------------------------------
Network segmentation, software patching, and continual threats monitoring are key cybersecurity best practices for Industrial Control Systems (ICS).
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/cybersecurity-for-i…
∗∗∗ Guidance: Assembling a Group of Products for SBOM ∗∗∗
---------------------------------------------
Today, CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. Specifically, software producers often need to assemble and test products together before releasing them to customers.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/26/guidance-assembling-grou…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Version 1.1 - Updated list of affected products and products confirmed not vulnerable.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Jenkins CLI PoC CVE-2024-23897 ∗∗∗
---------------------------------------------
Remote Code Execution: Jenkins CLI arbitrary read (CVE-2024-23897 applies to versions below 2.442 and LTS 2.426.3)
---------------------------------------------
https://github.com/gquere/pwn_jenkins/blob/master/README.md#jenkins-cli-arb…
∗∗∗ Microsoft Edge 121 supports modern codecs and plugs security holes ∗∗∗
---------------------------------------------
Microsoft has released version 121 of its Edge web browser. It plugs a critical security vulnerability and adds support for AV1 video.
---------------------------------------------
https://www.heise.de/-9609475.html
∗∗∗ This time please patch: security update fixes critical vulnerability in GitLab ∗∗∗
---------------------------------------------
GitLab 16.x contains five vulnerabilities, one of which is rated critical. Patching is not a given, as a recent study showed.
---------------------------------------------
https://www.heise.de/-9609319.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (chromium, dotnet8.0, firefox, freeipa, and thunderbird), Red Hat (avahi, c-ares, curl, edk2, expat, freetype, frr, git, gnutls, grub2, kernel, kernel-rt, libcap, libfastjson, libssh, libtasn1, libxml2, linux-firmware, ncurses, oniguruma, openssh, openssl, perl-HTTP-Tiny, protobuf-c, python-urllib3, python3, python3.9, rpm, samba, shadow-utils, sqlite, tcpdump, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (cpio, jasper, rear23a, thunderbird, and xorg-x11-server), and Ubuntu (jinja2, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.1, and mariadb, mariadb-10.3, mariadb-10.6).
---------------------------------------------
https://lwn.net/Articles/959640/
∗∗∗ 2024-01 Reference Advisory: Junos OS and Junos OS Evolved: Impact of Terrapin SSH Attack (CVE-2023-48795) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Reference-Advisory-Juno…
∗∗∗ 2024-01 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web have been addressed ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-B…
∗∗∗ Security Vulnerabilities fixed in Focus for iOS 122 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-03/
∗∗∗ Open redirect in parameter might affect IBM Storage Defender Data Protect. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7106918
∗∗∗ AIX is vulnerable to a denial of service (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7111837
∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to multiple issues due to Eclipse Jetty. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7111880
∗∗∗ Vulnerabilities in GNU Binutils, Bootstrap, PortSmash, Node.js, and libarchive might affect IBM Storage Defender Data Protect. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7091980
∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2023-22006, CVE-2023-22036 & CVE-2023-22049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7112089
∗∗∗ IBM Security Directory Integrator affected by multiple vulnerabilities affecting IBM Java SDK ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7047118
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-01-2024 18:00 − Thursday 25-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits ∗∗∗
---------------------------------------------
A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation.
---------------------------------------------
https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html
∗∗∗ SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC.
---------------------------------------------
https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
∗∗∗ Memory Scanning for the Masses ∗∗∗
---------------------------------------------
In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning.
---------------------------------------------
https://research.nccgroup.com/2024/01/25/memory-scanning-for-the-masses/
∗∗∗ ADCS Attack Paths in BloodHound — Part 1 ∗∗∗
---------------------------------------------
This blog post details the ESC1 domain escalation requirements and explains how BloodHound incorporates the relevant components.
---------------------------------------------
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b…
∗∗∗ CERT.at/GovCERT Austria PGP Teamkey Rotation ∗∗∗
---------------------------------------------
Since the current ones expire in a month, yesterday we generated and rolled out new PGP keys for team(a)cert.at, reports(a)cert.at, team(a)govcert.gv.at and reports(a)govcert.gv.at.
---------------------------------------------
https://cert.at/de/aktuelles/2024/1/certatgovcert-austria-pgp-teamkey-rotat…
∗∗∗ How a vulnerability notification by CERT.at unfolds, using Ivanti Connect Secure VPN as an example (CVE-2024-21887, CVE-2023-46805) ∗∗∗
---------------------------------------------
After publication, the normal process for CERTs worldwide began, and of course for CERT.at as well ... preparing or finalizing the dissemination of the information about the vulnerabilities. The CERTs published and sent out their warnings. Our warning, which is continuously updated, was put online on Thursday 11.01.24 around noon, made available to subscribers via the free RSS feed and sent out.
---------------------------------------------
https://cert.at/de/blog/2024/1/ablauf-einer-schwachstellen-information-durc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Configuration error: countless Kubernetes clusters are potentially attackable ∗∗∗
---------------------------------------------
Many users grant the system:authenticated group of their GKE cluster too many rights because of a false assumption - with serious consequences.
---------------------------------------------
https://www.golem.de/news/konfigurationsfehler-unzaehlige-kubernetes-cluste…
∗∗∗ Trend Micro Apex Central: update closes security holes on the second attempt ∗∗∗
---------------------------------------------
Several security vulnerabilities in Trend Micro's Apex Central allow attackers, among other things, to inject malicious code. A first update caused problems.
---------------------------------------------
https://www.heise.de/news/Trend-Micro-Apex-Central-Update-schliesst-im-zwei…
∗∗∗ Thousands of Gitlab servers still vulnerable to zero-click account takeover ∗∗∗
---------------------------------------------
IT researchers have combed the net and found more than 5000 vulnerable Gitlab servers. Attackers can easily take over accounts there.
---------------------------------------------
https://www.heise.de/news/Tausende-Gitlab-Server-noch-fuer-Zero-Click-Konto…
∗∗∗ Cisco: vulnerability allows complete takeover of Unified Communication products ∗∗∗
---------------------------------------------
Cisco warns of a critical vulnerability in Unified Communication products through which attackers can take control.
---------------------------------------------
https://www.heise.de/news/Cisco-Luecke-erlauben-komplette-Uebernahme-von-Un…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, php-phpseclib, phpseclib, thunderbird, and zabbix), Fedora (dotnet7.0, firefox, fonttools, and python-jinja2), Mageia (avahi and chromium-browser-stable), Oracle (java-1.8.0-openjdk, java-11-openjdk, LibRaw, openssl, and python-pillow), Red Hat (gnutls, kpatch-patch, php:8.1, and squid:4), SUSE (apache-parent, apache-sshd, bluez, cacti, cacti-spine, erlang, firefox, java-11-openjdk, opera, python-Pillow, tomcat, tomcat10, [...]
---------------------------------------------
https://lwn.net/Articles/959455/
∗∗∗ Potential Remote Code Execution in Jenkins - patch available ∗∗∗
---------------------------------------------
With the latest version of the CI/CD platform Jenkins, the developers have fixed nine security vulnerabilities - among them a critical vulnerability, CVE-2024-23987.
---------------------------------------------
https://cert.at/de/aktuelles/2024/1/potentielle-remote-code-execution-in-je…
∗∗∗ Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-006
∗∗∗ Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-005
∗∗∗ Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-004
∗∗∗ Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-003
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Publish SBA-ADV-20200707-02: CloudLinux CageFS Insufficiently Restric… ∗∗∗
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/fd86295907334f9cd81d8c1a7f…
∗∗∗ Publish SBA-ADV-20200707-01: CloudLinux CageFS Token Disclosure ∗∗∗
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/c2db0b1da76486e2876f1c64f9…
∗∗∗ SystemK NVR 504/508/516 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-02
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-01-2024 18:00 − Wednesday 24-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Firefox: passkey support and security fixes ∗∗∗
---------------------------------------------
Firefox version 122 can handle passkeys. The developers also close security holes in it, as well as in Firefox ESR and Thunderbird 115.7.
---------------------------------------------
https://www.heise.de/-9606909
∗∗∗ "Mother of all Breaches": 26 billion long-known records ∗∗∗
---------------------------------------------
What the discoverers call the "mother of all breaches" turns out, according to "Have I Been Pwned" founder Troy Hunt, to be a collection of long-known data.
---------------------------------------------
https://www.heise.de/-9604882
∗∗∗ Trello API abused to link email addresses to 15 million accounts ∗∗∗
---------------------------------------------
An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-em…
∗∗∗ Cybercrime’s Silent Operator: The Unraveling of VexTrio’s Malicious Network Empire ∗∗∗
---------------------------------------------
VexTrio is a massive and complex malicious TDS (traffic direction system) organization. It has a network of more than 60 affiliates that divert traffic into VexTrio, while it also operates its own TDS network. While aspects of the operation have been discovered and analyzed by different researchers, the core network has remained largely unknown.
---------------------------------------------
https://www.securityweek.com/cybercrimes-silent-operator-the-unraveling-of-…
∗∗∗ Orca Flags Dangerous Google Kubernetes Engine Misconfiguration ∗∗∗
---------------------------------------------
A misconfiguration in Google Kubernetes Engine (GKE) could allow attackers to take over Kubernetes clusters and access sensitive information, according to a warning from cloud security startup Orca Security. The issue is related to the privileges granted to users in the system:authenticated group, which includes all users with a Google account, although it could be mistakenly believed to include only verified identities.
---------------------------------------------
https://www.securityweek.com/orca-flags-dangerous-google-kubernetes-engine-…
∗∗∗ PC and online gamers: beware of account trading via marketplaces! ∗∗∗
---------------------------------------------
We are currently receiving repeated reports of fraudulent offers in the gaming sector on marketplaces such as difmark.com or in various internet forums. Criminals offer, among other things, gaming accounts and user profiles there. The problem: according to the terms of use, these are not actually allowed to be sold at all, and bans are possible. Even after successful purchases there are still traps through which players can suddenly end up empty-handed.
---------------------------------------------
https://www.watchlist-internet.at/news/pc-und-online-gamerinnen-vorsicht-be…
∗∗∗ Update #3: Critical security vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure - actively exploited ∗∗∗
---------------------------------------------
Update #3: 24 January 2024: Mandiant and Volexity report having observed exploits against these vulnerabilities as early as the beginning of December 2023. It is therefore advisable, where applicable, to extend the period of any investigations into attack attempts that have taken place at least back to and including December 2023.
---------------------------------------------
https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra GoAnywhere MFT: critical vulnerability turns attackers into admins ∗∗∗
---------------------------------------------
Patch now! Exploit code for the file transfer solution Fortra GoAnywhere MFT is in circulation.
---------------------------------------------
https://www.heise.de/-9606659
∗∗∗ Code injection vulnerability in HPE Oneview ∗∗∗
---------------------------------------------
Several security vulnerabilities in the IT infrastructure management software HPE Oneview allow attackers, among other things, to inject malicious code. Updates are available.
---------------------------------------------
https://www.heise.de/-9607490
∗∗∗ Chrome update seals 17 security holes ∗∗∗
---------------------------------------------
Google's developers update the Chrome web browser and close 17 security vulnerabilities in it. Some probably allow code injection.
---------------------------------------------
https://www.heise.de/-9606618
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jinja2, openjdk-11, ruby-httparty, and xorg-server), Fedora (ansible-core and mingw-jasper), Gentoo (GOCR, Ruby, and sudo), Oracle (gstreamer-plugins-bad-free, java-17-openjdk, java-21-openjdk, python-cryptography, and xorg-x11-server), Red Hat (kernel, kernel-rt, kpatch-patch, LibRaw, python-pillow, and python-pip), Slackware (mozilla), SUSE (python-Pillow, rear118a, and redis7), and Ubuntu (libapache-session-ldap-perl and pycryptodome).
---------------------------------------------
https://lwn.net/Articles/959325/
∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. CVE-2024-20253, CVSS Score: Base 9.9
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unity Connection Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Small Business Series Switches Stacked Reload ACL Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ High Severity Arbitrary File Upload Vulnerability Patched in File Manager Pro WordPress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/01/high-severity-arbitrary-file-upload-…
∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/24/cisa-adds-one-known-expl…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-01-2024 18:00 − Tuesday 23-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries ∗∗∗
---------------------------------------------
Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.
---------------------------------------------
https://thehackernews.com/2024/01/hackers-hijack-popular-java-and-android.h…
∗∗∗ Cactus Ransomware malware analysis ∗∗∗
---------------------------------------------
On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data.
---------------------------------------------
https://www.shadowstackre.com/analysis/cactus
∗∗∗ Beware of Peek & Cloppenburg fake shops ∗∗∗
---------------------------------------------
Fake offers from the fashion house „Peek & Cloppenburg“ are being advertised on Facebook and Instagram. The fake ads promise discounts of up to 90 %. If you click on the ad, you end up in a fraudulent shop with a plausible-looking web address: „peek-cloppenburgsale.shop“.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-peek-cloppenburg-fake-s…
∗∗∗ Threat Assessment: BianLian ∗∗∗
---------------------------------------------
We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption.
---------------------------------------------
https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assess…
∗∗∗ Conditional QR Code Routing Attacks ∗∗∗
---------------------------------------------
Over the summer, we saw a somewhat unexpected rise in QR-code based phishing attacks. These attacks were all fairly similar. The main goal was to induce the end-user to scan the QR Code, where they would be redirected to a credential harvesting page.
---------------------------------------------
https://blog.checkpoint.com/harmony-email/conditional-qr-code-routing-attac…
∗∗∗ Lazarus Group Uses the DLL Side-Loading Technique (2) ∗∗∗
---------------------------------------------
Through the “Lazarus Group Uses the DLL Side-Loading Technique” [1] blog post, AhnLab SEcurity intelligence Center (ASEC) has previously covered how the Lazarus group used the DLL side-loading attack technique with legitimate applications in the initial access stage to reach the next stage of their attack process.
---------------------------------------------
https://asec.ahnlab.com/en/60792/
∗∗∗ Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver ∗∗∗
---------------------------------------------
In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra warns of new critical GoAnywhere MFT auth bypass, patch now ∗∗∗
---------------------------------------------
Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical…
∗∗∗ Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing ∗∗∗
---------------------------------------------
Recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth can be exploited to inject keystrokes without user confirmation – by accepting any Bluetooth pairing request.
---------------------------------------------
https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetoo…
∗∗∗ Security fixes: Apple updates older systems – and admits zero-days ∗∗∗
---------------------------------------------
In addition to macOS 14.3 and iOS 17.3, Apple has also released new versions of iOS 15, 16, macOS 12 and 13 as well as Safari. There was another zero-day exploit.
---------------------------------------------
https://www.heise.de/news/Sicherheitsfixes-Apple-aktualisiert-aeltere-Syste…
∗∗∗ Configuration transfer can undo the workaround protecting Ivanti ICS ∗∗∗
---------------------------------------------
So far, admins can only protect Ivanti Connect Secure and Policy Secure against ongoing attacks via a workaround. However, it does not always work.
---------------------------------------------
https://www.heise.de/news/Konfigurationsuebertragung-kann-Behelfsloesung-zu…
∗∗∗ Barracuda WAF: critical security vulnerabilities allow the protection to be bypassed ∗∗∗
---------------------------------------------
Barracuda has published a security advisory regarding the Web Application Firewall. Security vulnerabilities allow the protection to be bypassed.
---------------------------------------------
https://www.heise.de/news/Barracuda-WAF-Kritische-Sicherherheitsluecken-erm…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid).
---------------------------------------------
https://lwn.net/Articles/959127/
∗∗∗ Splunk Security Advisories 2024-01-22 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ XSA-448 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-448.html
∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/
∗∗∗ Security Vulnerabilities fixed in Firefox 122 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/
∗∗∗ TRUMPF: Oseon contains vulnerable version of OpenSSL 1.1.x ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-006/
∗∗∗ TRUMPF: Multiple products include a vulnerable version of Notepad++ ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-003/
∗∗∗ TRUMPF: Multiple products contain vulnerable version of 7-zip ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-005/
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-46838 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX587605/citrix-hypervisor-security-bul…
∗∗∗ Crestron AM-300 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02
∗∗∗ Lantronix XPort ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05
∗∗∗ Voltronic Power ViewPower Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-03
∗∗∗ Orthanc Osimis DICOM Web Viewer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01
∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01
∗∗∗ Westermo Lynx 206-F2G ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-01-2024 18:00 − Monday 22-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Cracked software beats gold: new macOS backdoor stealing cryptowallets ∗∗∗
---------------------------------------------
We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware.
---------------------------------------------
https://securelist.com/new-macos-backdoor-crypto-stealer/111778/
∗∗∗ Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
---------------------------------------------
https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html
∗∗∗ Confluence: critical security vulnerability in outdated versions is being exploited ∗∗∗
---------------------------------------------
As the Shadowserver project reports on Mastodon, attackers are currently scouring the net from 600 different IP addresses for potential victims. A simple HTTP POST request is enough to exploit the vulnerability and take over the Confluence server. [..] The vendor already alerted its customers to the vulnerability last Tuesday, having fixed it along with 27 others as part of the Atlassian patch day.
---------------------------------------------
https://www.heise.de/-9605028
∗∗∗ VMware vCenter Server attacked for months via CVE-2023-3404; attacks are expanding ∗∗∗
---------------------------------------------
VMware has now also confirmed that a vCenter Server vulnerability patched in October 2023 is being actively exploited. vCenter Server is the management platform for VMware vSphere environments that supports administrators in managing ESX and ESXi servers and virtual machines (VMs). [..] Security researchers from Mandiant have disclosed in this post that the Chinese espionage group UNC3886 had long known about this vulnerability, CVE-2023-34048, and has been actively attacking it since at least the end of 2021.
---------------------------------------------
https://www.borncity.com/blog/2024/01/22/vmware-vcenter-server-seit-monaten…
∗∗∗ NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts. The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.
---------------------------------------------
https://thehackernews.com/2024/01/ns-stealer-uses-discord-bots-to.html
∗∗∗ Domain Escalation – Backup Operator ∗∗∗
---------------------------------------------
The Backup Operators is a Windows built-in group. Users who are part of this group have permissions to perform backup and restore operations. More specifically, these users have the SeBackupPrivilege assigned, which enables them to read sensitive files from the domain controller, e.g. the Security Account Manager (SAM).
---------------------------------------------
https://pentestlab.blog/2024/01/22/domain-escalation-backup-operator/
∗∗∗ Beware of PayLife e-mails with a QR code ∗∗∗
---------------------------------------------
A fake e-mail informs you that your myPayLife app has been blocked. Supposedly you can no longer approve orders or internet payments. To lift the block, you are told to scan a QR code. Ignore this e-mail, it is a phishing trap.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-paylife-e-mails-mit-ein…
∗∗∗ Parrot TDS: A Persistent and Evolving Malware Campaign ∗∗∗
---------------------------------------------
Traffic detection system Parrot has infected tens of thousands of websites worldwide. We outline the scripting evolution of this injection campaign and its scope.
---------------------------------------------
https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysi…
∗∗∗ Is the Google search bar enough to hack Belgian companies? ∗∗∗
---------------------------------------------
In this blog post, we will go over a technique called Google Dorking and demonstrate how it can be utilized to uncover severe security vulnerabilities in web applications hosted right here in Belgium, where NVISO was founded.
---------------------------------------------
https://blog.nviso.eu/2024/01/22/is-the-google-search-bar-enough-to-hack-be…
∗∗∗ The Confusing History of F5 BIG-IP RCE Vulnerabilities ∗∗∗
---------------------------------------------
If you want to know way too much about attacks against F5 BIG-IP devices, then this is the blog for you!
---------------------------------------------
https://www.greynoise.io/blog/the-confusing-history-of-f5-big-ip-rce-vulner…
=====================
= Vulnerabilities =
=====================
∗∗∗ Gambio 4.9.2.0 - Insecure Deserialization ∗∗∗
---------------------------------------------
Gambio is software designed for running online shops. It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions. According to their homepage, the software is used by more than 25.000 shops. Security Risk: Critical, CVE Number: Pending, Vendor Status: Not fixed
---------------------------------------------
https://herolab.usd.de/security-advisories/usd-2023-0046/
∗∗∗ Security updates: loopholes for malicious code in Lexmark printers closed ∗∗∗
---------------------------------------------
Attackers can target many Lexmark printer models to compromise devices. So far there are reportedly no attacks.
---------------------------------------------
https://www.heise.de/-9604795
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (keystone and subunit), Fedora (dotnet6.0, golang, kernel, sos, and tigervnc), Mageia (erlang), Red Hat (openssl), SUSE (bluez, python-aiohttp, and seamonkey), and Ubuntu (postfix and xorg-server).
---------------------------------------------
https://lwn.net/Articles/959006/
∗∗∗ Critical Vulnerabilities Found in Open Source AI/ML Platforms ∗∗∗
---------------------------------------------
Security researchers flag multiple severe vulnerabilities in the open source AI/ML solutions MLflow, ClearML and Hugging Face.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-found-in-ai-ml-open-s…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ WAGO: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-007/
∗∗∗ Spring: CVE-2024-22233: Spring Framework server Web DoS Vulnerability ∗∗∗
---------------------------------------------
https://spring.io/blog/2024/01/22/cve-2024-22233-spring-framework-server-we…
∗∗∗ Roundcube: Update 1.6.6 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2024/01/20/update-1.6.6-released
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-01-2024 18:00 − Friday 19-01-2024 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ TeamViewer abused to breach networks in new ransomware attacks ∗∗∗
---------------------------------------------
Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-…
∗∗∗ macOS Python Script Replacing Wallet Applications with Rogue Apps, (Fri, Jan 19th) ∗∗∗
---------------------------------------------
Still today, many people think that Apple and its macOS are less targeted by malware. But the landscape is changing and threats are emerging in this ecosystem too.
---------------------------------------------
https://isc.sans.edu/diary/rss/30572
∗∗∗ Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software ∗∗∗
---------------------------------------------
Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.
---------------------------------------------
https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html
∗∗∗ Taking over WhatsApp accounts by reading voicemails ∗∗∗
---------------------------------------------
The investigation is centered on a vulnerability related to the Personal Identification Number (PIN) required for authenticating WhatsApp’s account backup feature. I describe how this PIN could be compromised through a voice call backup delivery method, forcing the call to go to voicemail, and spoofing the victim's phone number to read their voicemail.
---------------------------------------------
https://medium.com/@rramgattie/taking-over-whatsapp-accounts-by-reading-voi…
∗∗∗ Recovery scam: criminals pose as blockchain.com and inform about a supposedly dormant Bitcoin wallet ∗∗∗
---------------------------------------------
Victims of a fraudulent trading platform sometimes suffer considerable financial losses. The despair and the desire to get the money back are correspondingly great. Criminals exploit this and contact the victims again after some time.
---------------------------------------------
https://www.watchlist-internet.at/news/recovery-scam-kriminelle-geben-sich-…
∗∗∗ Virtual kidnapping: How to see through this terrifying scam ∗∗∗
---------------------------------------------
Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims.
---------------------------------------------
https://www.welivesecurity.com/en/scams/virtual-kidnapping-see-through-scam/
∗∗∗ Ivanti Connect Secure VPN Exploitation: New Observations ∗∗∗
---------------------------------------------
Volexity also recently learned of a potential issue that organizations may be facing when attempting to bring fresh Ivanti Connect Secure VPN appliances back online, one that leaves them in a vulnerable state. These findings may partially account for why there has been an increase in compromised systems in subsequent scans.
---------------------------------------------
https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploita…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware confirms critical vCenter flaw now exploited in attacks ∗∗∗
---------------------------------------------
VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vce…
∗∗∗ Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package ∗∗∗
---------------------------------------------
A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.
---------------------------------------------
https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html
∗∗∗ Smartphones and more: ambient light sensors can spy too ∗∗∗
---------------------------------------------
Not only smartphone cameras can spy on people, but ambient light sensors as well. This emerges from a study published in "Science".
---------------------------------------------
https://heise.de/-9601724
∗∗∗ Attackers are targeting Ivanti EPMM and MobileIron Core ∗∗∗
---------------------------------------------
Attackers are currently exploiting a critical security vulnerability in Ivanti EPMM and MobileIron Core.
---------------------------------------------
https://www.heise.de/news/Angreifer-attackieren-Ivanti-EPMM-und-MobileIron-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (ImageMagick), Debian (chromium), Fedora (golang-x-crypto, golang-x-mod, golang-x-net, golang-x-text, gtkwave, redis, and zbar), Mageia (tinyxml), Oracle (.NET 7.0, .NET 8.0, java-1.8.0-openjdk, java-11-openjdk, python3, and sqlite), Red Hat (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), SUSE (kernel, libqt5-qtbase, libssh, pam, rear23a, and rear27a), and Ubuntu (pam and zookeeper).
---------------------------------------------
https://lwn.net/Articles/958676/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, golang-github-facebook-time, podman, and xorg-x11-server-Xwayland), Oracle (.NET 6.0, java-1.8.0-openjdk, java-11-openjdk, and python3.11-cryptography), Red Hat (java-11-openjdk, python-requests, and python-urllib3), SUSE (chromium, kernel, libcryptopp, libuev, perl-Spreadsheet-ParseExcel, suse-module-tools, and xwayland), and Ubuntu (filezilla and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958760/
∗∗∗ Important Progress OpenEdge Critical Alert for Progress Application Server in OpenEdge (PASOE) - Arbitrary File Upload Vulnerability in WEB Transport ∗∗∗
---------------------------------------------
https://community.progress.com/s/article/Important-Progress-OpenEdge-Critic…
∗∗∗ ZDI Security Advisories ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-01-2024 18:00 − Thursday 18-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Abuse possible: Whatsapp lets strangers harvest device information ∗∗∗
---------------------------------------------
From their phone number it is possible, for example, to determine how many devices a target person uses with Whatsapp and when they switch them.
---------------------------------------------
https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer…
∗∗∗ New Microsoft Incident Response guides help security teams analyze suspicious activity ∗∗∗
---------------------------------------------
Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-inci…
∗∗∗ More Scans for Ivanti Connect "Secure" VPN. Exploits Public, (Thu, Jan 18th) ∗∗∗
---------------------------------------------
Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth.
---------------------------------------------
https://isc.sans.edu/diary/rss/30568
∗∗∗ PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers. Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to
---------------------------------------------
https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.h…
∗∗∗ MFA Spamming and Fatigue: When Security Measures Go Wrong ∗∗∗
---------------------------------------------
MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.
---------------------------------------------
https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.ht…
∗∗∗ Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware ∗∗∗
---------------------------------------------
[..] COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language. Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence.
---------------------------------------------
https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.h…
∗∗∗ Data eavesdropped from GPU: AI security vulnerability in Apple Silicon, AMD and Qualcomm ∗∗∗
---------------------------------------------
Security researchers have discovered a problem in the graphics cores of older iPhones and Macs, and also in AMD and Qualcomm chips. Apple is patching, but only in part.
---------------------------------------------
https://heise.de/-9600829
∗∗∗ Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers ∗∗∗
---------------------------------------------
Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system.
---------------------------------------------
https://blog.talosintelligence.com/exploring-malicious-windows-drivers-part…
∗∗∗ Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 ∗∗∗
---------------------------------------------
Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager.
Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator [..] There are also multiple vulnerabilities in AVideo [..]
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-jan-17-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001 ∗∗∗
---------------------------------------------
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
---------------------------------------------
https://www.drupal.org/sa-core-2024-001
∗∗∗ MOVEit Transfer: updates against DoS vulnerability ∗∗∗
---------------------------------------------
Updates for MOVEit Transfer close security holes through which attackers can provoke calculation errors or bring the service down.
---------------------------------------------
https://heise.de/-9601492
∗∗∗ Trend Micro: vulnerabilities in security agents allow privilege escalation ∗∗∗
---------------------------------------------
Trend Micro warns of vulnerabilities in its security agents through which attackers can escalate their privileges. Software updates are available.
---------------------------------------------
https://heise.de/-9601595
∗∗∗ Nextcloud: vulnerabilities in apps endanger user accounts and data security ∗∗∗
---------------------------------------------
Several extensions, for example for load balancing, OAuth login and ZIP download, have gaping holes. Updates are already available.
---------------------------------------------
https://heise.de/-9601589
∗∗∗ 2024-01 Security Bulletin: Junos OS and Junos OS Evolved: rpd process crash due to BGP flap on NSR-enabled devices (CVE-2024-21585) ∗∗∗
---------------------------------------------
An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition.
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos…
∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF04.
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S…
∗∗∗ Oracle Releases Critical Patch Update Advisory for January 2024 ∗∗∗
---------------------------------------------
Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/18/oracle-releases-critical…
∗∗∗ Multiple Dahua Technology products vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN83655695/
∗∗∗ There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-44730 and CVE-2022-44729) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107742
∗∗∗ IBM Maximo Manage is vulnerable to attack due to Eclipse Jetty (IBM X-Force ID 261776) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107716
∗∗∗ There is a vulnerability in CSRF Token used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-47718) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107740
∗∗∗ IBM Asset Data Dictionary Component uses bcprov-jdk18on-1.72.jar which is vulnerable to CVE-2023-33201 and CVE-2023-33202 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108953
∗∗∗ IBM Maximo Application Suite and IBM Maximo Application Suite - IoT Component uses Werkzeug-2.2.3-py3-none-any.whl which is vulnerable to CVE-2023-46136 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108960
∗∗∗ IBM Asset Data Dictionary Component uses netty-codec-http2-4.1.94, netty-handler-4.1.86 and netty-handler-4.1.92 which are vulnerable to CVE-2023-44487 and CVE-2023-34462 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108959
∗∗∗ IBM Storage Ceph is vulnerable to Use After Free in the RHEL UBI (CVE-2023-4813) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108974
∗∗∗ IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108973
∗∗∗ AVEVA PI Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01