=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-09-2023 18:00 − Wednesday 20-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Gitlab warns of a critical security vulnerability ∗∗∗
---------------------------------------------
A critical security vulnerability threatens enterprise users of the repository service Gitlab. Customers should install the update immediately.
---------------------------------------------
https://www.heise.de/-9311249.html
∗∗∗ Atlassian plugs security holes in Bitbucket, Confluence and Jira ∗∗∗
---------------------------------------------
Atlassian warns of security vulnerabilities in Bitbucket, Confluence and Jira. Updated versions close them.
---------------------------------------------
https://www.heise.de/-9311520.html
∗∗∗ Trend Micro: update closes actively exploited critical vulnerability CVE-2023-41179 ∗∗∗
---------------------------------------------
A brief note for users and administrators of Trend Micro who run the security products Apex One and Worry-Free Business Security on Windows. The products contain a critical security vulnerability (CVE-2023-41179) that is already being exploited in the wild. The vendor, however, offers [...]
---------------------------------------------
https://www.borncity.com/blog/2023/09/20/trend-micro-notfall-update-schliet…
∗∗∗ Analyzing a Modern In-the-wild Android Exploit ∗∗∗
---------------------------------------------
In December 2022, Google’s Threat Analysis Group (TAG) discovered an in-the-wild exploit chain targeting Samsung Android devices. TAG’s blog post covers the targeting and the actor behind the campaign. This is a technical analysis of the final stage of one of the exploit chains, specifically CVE-2023-0266 (a 0-day in the ALSA compatibility layer) and CVE-2023-26083 (a 0-day in the Mali GPU driver) as well as the techniques used by the [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2023/09/analyzing-modern-in-wild-and…
∗∗∗ Fresh Wave of Malicious npm Packages Threaten Kubernetes Configs and SSH Keys ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a fresh batch of malicious packages in the npm package registry that are designed to exfiltrate Kubernetes configurations and SSH keys from compromised machines to a remote server. Sonatype said it has discovered 14 different npm packages so far: [...]
---------------------------------------------
https://thehackernews.com/2023/09/fresh-wave-of-malicious-npm-packages.html
∗∗∗ The mystery of the CVEs that are not vulnerabilities ∗∗∗
---------------------------------------------
Researchers have raised the alarm about a large set of CVEs for older bugs that never were vulnerabilities.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/09/the-mystery-of-the-cves-that…
∗∗∗ Shodan verified vulns 2023-09-01 ∗∗∗
---------------------------------------------
As of 2023-09-01, Shodan sees the following vulnerabilities in Austria: [...] This month the vulnerabilities in the lower two thirds again follow the downward trend and are approaching the zero mark or have already reached it. In the upper third, in contrast to previous months, a slight increase is recorded for FREAK (CVE-2015-0204) (+131) and Logjam (CVE-2015-4000) (+63).
---------------------------------------------
https://cert.at/de/aktuelles/2023/9/shodan-verified-vulns-2023-09-01
∗∗∗ #StopRansomware: Snatch Ransomware ∗∗∗
---------------------------------------------
This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more [...]
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
∗∗∗ Attacker Unleashes Stealthy Crypto Mining via Malicious Python Package ∗∗∗
---------------------------------------------
Recently, our team came across a Python package named “culturestreak”. A closer look reveals a darker purpose: unauthorized cryptocurrency mining. Let’s break down how “culturestreak” operates, its potential impact, and the broader implications for user security and ethical [...]
---------------------------------------------
https://checkmarx.com/blog/attacker-unleashes-stealthy-crypto-mining-via-ma…
∗∗∗ Protect CNC Machines in Networked IT/OT Environments ∗∗∗
---------------------------------------------
Networking IT/OT environments is a bit like walking a tightrope, balancing the pursuit of intelligence and efficiency against the risks of exposing OT systems to the wider world. Trend Micro recently teamed up with global machine tool company Celada to identify specific risks associated with industrial CNC machines—and how to mitigate them.
---------------------------------------------
https://www.trendmicro.com/en_us/ciso/23/i/cnc-machine-security.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Security Flaws Exposed in Nagios XI Network Monitoring Software ∗∗∗
---------------------------------------------
Multiple security flaws have been disclosed in the Nagios XI network monitoring software that could result in privilege escalation and information disclosure. The four security vulnerabilities, tracked from CVE-2023-40931 through CVE-2023-40934, impact Nagios XI versions 5.11.1 and lower. Following responsible disclosure on August 4, 2023, they have been patched as of September 11, 2023, [...]
---------------------------------------------
https://thehackernews.com/2023/09/critical-security-flaws-exposed-in.html
∗∗∗ Xen Security Advisory CVE-2023-34322 / XSA-438 ∗∗∗
---------------------------------------------
Top-level shadow reference dropped too early for 64-bit PV guests | Impact: privilege escalation, denial of service (DoS) affecting the entire host, and information leaks all cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-438.html
∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7007815
∗∗∗ IBM Security Guardium is affected by an SQL Injection vulnerability (CVE-2023-33852) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028514
∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT krb5 (CVE-2022-42898) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6981101
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-30435, CVE-2023-30436, CVE-2023-30437) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028506
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028511
∗∗∗ IBM Security Guardium is affected by an Improper Restriction of Excessive Authentication Attempts vulnerability (CVE-2022-43904) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7028509
∗∗∗ IBM Security Guardium is affected by a Hazardous Input Validation vulnerability (CVE-2022-43903) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7030110
∗∗∗ IBM Storage Protect is vulnerable to a remote attack due to Java (CVE-2023-21967) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034474
∗∗∗ IBM Storage Protect is vulnerable to deserialization issues due to Java (CVE-2022-40609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034467
∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7035336
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-28513). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7035334
∗∗∗ The IBM Engineering Lifecycle Engineering product using IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7035367
∗∗∗ A vulnerability in python-request affects IBM Robotic Process Automation for Cloud Pak and may result in an attacker obtaining sensitive information (CVE-2023-32681) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034002
∗∗∗ A vulnerability in gRPC may affect IBM Robotic Process Automation and result in an attacker obtaining sensitive information. (CVE-2023-32731) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034007
∗∗∗ A vulnerability in Apache Johnzon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-33008) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034006
∗∗∗ A vulnerability in Microsoft ASP.NET Core may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2023-35391). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034005
∗∗∗ IBM Security Guardium is affected by a Command injection in CLI vulnerability [CVE-2023-35893] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7027853
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-09-2023 18:00 − Tuesday 19-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch now! Thousands of Juniper firewalls still without security update ∗∗∗
---------------------------------------------
Thanks to a new exploit, attacks on Juniper firewalls are now even easier. Security patches are available.
---------------------------------------------
https://www.heise.de/news/Jetzt-patchen-Tausende-Juniper-Firewalls-immer-no…
∗∗∗ Bumblebee malware returns in new attacks abusing WebDAV folders ∗∗∗
---------------------------------------------
The malware loader Bumblebee has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bumblebee-malware-returns-in…
∗∗∗ Security baseline for Microsoft Edge version 117 ∗∗∗
---------------------------------------------
Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode (Added)
---------------------------------------------
https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit…
∗∗∗ Hardening file transfers: Microsoft secures the SMB protocol ∗∗∗
---------------------------------------------
With two measures, Microsoft better secures both the SMB client and the server side. We show what administrators need to pay attention to.
---------------------------------------------
https://www.heise.de/news/Haertung-des-Dateitransfers-Microsoft-sichert-das…
∗∗∗ CISA Says Owl Labs Vulnerabilities Requiring Close Physical Range Exploited in Attacks ∗∗∗
---------------------------------------------
The US cybersecurity agency CISA says four vulnerabilities found last year in Owl Labs video conferencing devices — flaws that require the attacker to be in close range of the target — have been exploited in attacks.
---------------------------------------------
https://www.securityweek.com/cisa-says-owl-labs-vulnerabilities-requiring-c…
∗∗∗ Fake-shop trends in autumn and winter ∗∗∗
---------------------------------------------
Warm jackets, ski suits and rain boots are in season again. Demand for pellets and firewood is also slowly rising again. Criminals know this too and are switching their fake shops over to autumn and winter offers. We show you which fake-shop trends are currently circulating and how to protect yourself from fraudulent offers.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-trends-im-herbst-und-winte…
∗∗∗ Fake CVE-2023-40477 Proof of Concept Leads to VenomRAT ∗∗∗
---------------------------------------------
Researchers should be aware of threat actors repurposing older proof of concept (PoC) code to quickly craft a fake PoC for a newly released vulnerability. On Aug. 17, 2023, the Zero Day Initiative publicly reported a remote code execution (RCE) vulnerability in WinRAR tracked as CVE-2023-40477. They had disclosed it to the vendor on June 8, 2023. Four days after the public reporting of CVE-2023-40477, an actor using an alias of whalersplonk committed a fake PoC script to their GitHub repository.
---------------------------------------------
https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/
=====================
= Vulnerabilities =
=====================
∗∗∗ Wind River VxWorks tarExtract directory traversal vulnerability (CVE-2023-38346) ∗∗∗
---------------------------------------------
VxWorks is a real-time operating system used in many embedded devices in high-availability environments with high safety and security requirements. This includes important industrial, medical, aerospace, networking and automotive devices. For example, NASA's Curiosity rover, currently deployed on planet Mars, is using Wind River's VxWorks operating system.
---------------------------------------------
https://www.pentagrid.ch/en/blog/wind-river-vxworks-tarextract-directory-tr…
∗∗∗ SolarWinds Platform 2023.3.1 Release Notes ∗∗∗
---------------------------------------------
SolarWinds Platform 2023.3.1 is a service release providing bug and security fixes for release 2023.3. For information about the 2023.3 release, including EOL notices and upgrade information, see SolarWinds Platform 2023.3 Release Notes.
---------------------------------------------
https://documentation.solarwinds.com/en/success_center/orionplatform/conten…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, flac, gnome-shell, libwebp, openjdk-11, and xrdp), Fedora (giflib), Oracle (kernel), Red Hat (busybox, dbus, firefox, frr, kpatch-patch, libwebp, open-vm-tools, and thunderbird), Slackware (netatalk), SUSE (flac, gcc12, kernel, libeconf, libwebp, libxml2, and thunderbird), and Ubuntu (binutils, c-ares, libraw, linux-intel-iotg, nodejs, python-django, and vsftpd).
---------------------------------------------
https://lwn.net/Articles/944848/
∗∗∗ Trend Micro Patches Exploited Zero-Day Vulnerability in Endpoint Security Products ∗∗∗
---------------------------------------------
Trend Micro on Tuesday released an advisory to warn customers that a critical vulnerability affecting Apex One and other endpoint security products has been exploited in the wild.
---------------------------------------------
https://www.securityweek.com/trend-micro-patches-exploited-zero-day-vulnera…
∗∗∗ Spring Security 5.8.7, 6.0.7, 6.1.4, 6.2.0-M1 Released, including fixes for CVE-2023-34042 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/09/18/spring-security-5-8-7-6-0-7-6-1-4-6-2-0-m…
∗∗∗ Spring for GraphQL 1.0.5, 1.1.6, 1.2.3 released ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/09/19/spring-for-graphql-1-0-5-1-1-6-1-2-3-rele…
∗∗∗ Zyxel security advisory for command injection vulnerability in EMG2926-Q10A Ethernet CPE ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ PHOENIX CONTACT: Multiple products affected by WIBU Codemeter Vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-030/
∗∗∗ Omron CJ/CS/CP Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-05
∗∗∗ Omron Engineering Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-04
∗∗∗ Omron Engineering Software Zip-Slip ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-262-03
∗∗∗ Vulnerabilities in Bash affect ProtecTIER (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690049
∗∗∗ Multiple vulnerabilities in OpenSSL affect ProtecTIER ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/691201
∗∗∗ Multiple vulnerabilities in Samba – including Badlock – affect ProtecTIER ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/691257
∗∗∗ Vulnerability in Linux Kernel affects ProtecTIER: Dirty COW vulnerability (CVE-2016-5195) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/696401
∗∗∗ Vulnerability in glibc library affects ProtecTIER(CVE-2014-5119) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/690187
∗∗∗ Vulnerability in OpenSSL affects ProtecTIER (CVE-2016-2108) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/695443
∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7000021
∗∗∗ IBM Storage Protect Operations Center is vulnerable to denial of service due to WebSphere Application Server Liberty (CVE-2023-28867) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034039
∗∗∗ IBM Storage Protect Server is vulnerable to denial of service and other attacks due to Db2 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034037
∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034198
∗∗∗ Vulnerabilities in Linux kernel and Python can affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034265
∗∗∗ IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules tough-cookie and semver (CVE-2023-26136, CVE-2022-25883). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031733
∗∗∗ A vulnerability in the Administrative command line client affects IBM Storage Protect Client, IBM Storage Protect for Virtual Environments, and IBM Storage Protect for Space Management (CVE-2023-40368) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7034288
=====================
= End-of-Day report =
=====================
Timeframe: Friday 15-09-2023 18:00 − Monday 18-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ BlackCat ransomware hits Azure Storage with Sphynx encryptor ∗∗∗
---------------------------------------------
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-hits-azu…
∗∗∗ Microsoft leaks 38TB of private data via unsecured Azure storage ∗∗∗
---------------------------------------------
The Microsoft AI research division accidentally leaked dozens of terabytes of sensitive data starting in July 2020 while contributing open-source AI learning models to a public GitHub repository.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-leaks-38tb-of-pri…
∗∗∗ Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients ∗∗∗
---------------------------------------------
Software development company Retool has disclosed that the accounts of 27 of its cloud customers were compromised following a targeted and SMS-based social engineering attack. The San Francisco-based firm blamed a Google Account cloud synchronization feature recently introduced in April 2023 for making the breach worse, calling it a "dark pattern." "The fact that Google Authenticator syncs to the cloud is a novel attack vector," Snir Kodesh, Retool's head of engineering, said. "What we had originally implemented was multi-factor authentication. But through this Google update, what was previously multi-factor-authentication had silently (to administrators) become single-factor-authentication."
---------------------------------------------
https://thehackernews.com/2023/09/retool-falls-victim-to-sms-based.html
∗∗∗ Fuzzing with multiple servers in parallel: AFL++ with Network File Systems ∗∗∗
---------------------------------------------
When fuzzing large-scale applications, using a single server (even with 4 64-core AMD Ryzen CPUs) may not be powerful enough by itself. That’s where parallelized/distributed fuzzing comes in (i.e. automatic sharing of results between fuzzing systems). In this guide, we’ll take a look at how to set up multiple servers fuzzing the same program using AFL++, linked all together with an NFS (Network File System).
---------------------------------------------
https://joshua.hu/fuzzing-multiple-servers-parallel-aflplusplus-nfs
∗∗∗ donut-decryptor ∗∗∗
---------------------------------------------
donut-decryptor checks file(s) for known signatures of the donut obfuscators loader shellcode. If located, it will parse the shellcode to locate, decrypt, and extract the DONUT_INSTANCE structure embedded in the binary, and report pertinent configuration data. If a DONUT_MODULE is present in the binary it is decrypted and dumped to disk.
---------------------------------------------
https://github.com/volexity/donut-decryptor
∗∗∗ CVE-2023-34040 Spring Kafka Deserialization Remote Code Execution ∗∗∗
---------------------------------------------
MEDIUM | AUGUST 23, 2023 | CVE-2023-34040: In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers [...] According to the description in the security bulletin, we can simply attain some critical points resulting in the vulnerability.
---------------------------------------------
https://pyn3rd.github.io/2023/09/15/CVE-2023-34040-Spring-Kafka-Deserializa…
∗∗∗ AWS’s Hidden Threat: AMBERSQUID Cloud-Native Cryptojacking Operation ∗∗∗
---------------------------------------------
The Sysdig Threat Research Team (TRT) has uncovered a novel cloud-native cryptojacking operation which they’ve named AMBERSQUID. This operation leverages AWS services not commonly used by attackers, such as AWS Amplify, AWS Fargate, and Amazon SageMaker. The uncommon nature of these services means that they are often overlooked from a security perspective, and the AMBERSQUID operation can cost victims more than $10,000/day.
---------------------------------------------
https://sysdig.com/blog/ambersquid/
∗∗∗ Fileless Remote Code Execution on Juniper Firewalls ∗∗∗
---------------------------------------------
CVE-2023-36845 is a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. Juniper scored the vulnerability as a medium severity issue. However, in this blog, we’ll show you how this vulnerability alone can achieve remote, unauthenticated code execution without even touching the disk.
---------------------------------------------
https://vulncheck.com/blog/juniper-cve-2023-36845
∗∗∗ Sherlock: spyware arrives via online advertising ∗∗∗
---------------------------------------------
The Israeli company Insanet is said to have developed spyware that is delivered via targeted advertising banners to Windows PCs and common smartphones.
---------------------------------------------
https://www.heise.de/-9308891.html
∗∗∗ CISA Releases New Identity and Access Management Guidance ∗∗∗
---------------------------------------------
CISA has released new guidance on how federal agencies can integrate identity and access management into their ICAM architecture.
---------------------------------------------
https://www.securityweek.com/cisa-releases-new-identity-and-access-manageme…
∗∗∗ Selling on Vinted: supposed buyers lure sellers to a fake payment platform ∗∗∗
---------------------------------------------
Are you selling something on Vinted? Be careful when interested buyers ask for your e-mail address. Behind this is a scam aimed at luring you to a fake Vinted payment platform. On this platform you supposedly receive the purchase amount. In reality, the criminals steal your bank or credit card details there and persuade you to authorise payments.
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-vinted-vermeintliche-k…
∗∗∗ Caution: Steam fake accounts and scam methods ∗∗∗
---------------------------------------------
A brief warning for readers who use the Steam platform. A reader made me aware of a wave of fraud that is currently running and operates with fake accounts.
---------------------------------------------
https://www.borncity.com/blog/2023/09/16/vorsicht-steam-fake-accounts-und-s…
∗∗∗ 18th September – Threat Intelligence Report ∗∗∗
---------------------------------------------
For the latest discoveries in cyber research for the week of 11th September, please download our Threat Intelligence Bulletin.
---------------------------------------------
https://research.checkpoint.com/2023/18th-september-threat-intelligence-rep…
∗∗∗ Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement ∗∗∗
---------------------------------------------
While monitoring Earth Lusca, we discovered an intriguing, encrypted file on the threat actor's server - a Linux-based malware, which appears to originate from the open-source Windows backdoor Trochilus, which we've dubbed SprySOCKS due to its swift behavior and SOCKS implementation.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/i/earth-lusca-employs-new-linu…
∗∗∗ MidgeDropper Variant Targets Work-from-Home Employees on Windows PCs ∗∗∗
---------------------------------------------
If you are working from home, you need to be on the lookout for the new and complex variant of MidgeDropper malware.
---------------------------------------------
https://www.hackread.com/midgedropper-variant-work-from-home-windows/
=====================
= Vulnerabilities =
=====================
∗∗∗ Qnap updates close high-risk vulnerability ∗∗∗
---------------------------------------------
Qnap has released updated operating systems. The new QTS, QuTS hero and QuTScloud releases close vulnerabilities, some of them high-risk.
---------------------------------------------
https://www.heise.de/-9308427.html
∗∗∗ Anonymising Linux: critical libWebP vulnerability closed in Tails 5.17.1 ∗∗∗
---------------------------------------------
The maintainers of Tails, the anonymising Linux distribution for USB sticks, have closed the already-attacked critical libWebP vulnerability in version 5.17.1.
---------------------------------------------
https://www.heise.de/-9307906.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libwebp, and thunderbird), Fedora (chromium, curl, flac, libtommath, libwebp, matrix-synapse, python-matrix-common, redis, and rust-pythonize), Gentoo (binwalk, ghostscript, python-requests, rar, samba, and wireshark), Oracle (.NET 6.0, kernel, and kernel-container), Slackware (python3), and SUSE (firefox).
---------------------------------------------
https://lwn.net/Articles/944744/
∗∗∗ Authenticated Remote Code Execution and missing authentication in Atos Unify OpenScape ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/authenticated-remote-…
∗∗∗ Vulnerabilities in Apache Struts library affect Tivoli Netcool/OMNIbus WebGUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7033228
∗∗∗ Vulnerabilities in Certifi, cryptography, python-requests and Tornado can affect IBM Storage Protect Plus Microsoft File Systems Backup and Restore [CVE-2023-37920, CVE-2023-38325, CVE-2023-32681, CVE-2023-28370] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031489
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 14-09-2023 18:00 − Friday 15-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ What is Secure Shell (SSH) & How to Use It: Security & Best Practices ∗∗∗
---------------------------------------------
In this blog post, we’re going to delve deeper into what Secure Shell (SSH) is, how it operates, and why it’s useful. We’ll cover everything from the basics of connecting with SSH to common commands and best practices for ensuring secure communications and file transfers.
---------------------------------------------
https://blog.sucuri.net/2023/09/what-is-secure-shell-ssh-how-to-use-it-secu…
∗∗∗ A detailed analysis of the Money Message Ransomware ∗∗∗
---------------------------------------------
The threat actor group, Money Message ransomware, first appeared in March 2023, demanding million-dollar ransoms from its targets. Its configuration, which contains the services and processes to stop a ransomware attack, can be found at the end of the executable. The ransomware creates a mutex and deletes the Volume Shadow Copies using vssadmin.exe.
---------------------------------------------
https://resources.securityscorecard.com/research/analysis-money-message-ran…
∗∗∗ More security for (open) source code: OpenSSF publishes guide ∗∗∗
---------------------------------------------
A guide from the Open Source Security Foundation presents tools and best practices for securing code on version control platforms.
---------------------------------------------
https://www.heise.de/-9306112.html
∗∗∗ Watch out, this LastPass email with "Important information about your account" is a phish ∗∗∗
---------------------------------------------
The consequences of last year's LastPass breach continue to be felt, with the latest insult to users coming in the form of a highly convincing phishing email.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/09/nasty-lastpass-phish
∗∗∗ Threat Group Assessment: Turla (aka Pensive Ursa) ∗∗∗
---------------------------------------------
Pensive Ursa was chosen to be the main focus for the 2023 MITRE ATT&CK evaluation. MITRE has described Turla as being “known for their targeted intrusions and innovative stealth.” The results of this evaluation, including Palo Alto Networks scoring, will be published in late September 2023.
---------------------------------------------
https://unit42.paloaltonetworks.com/turla-pensive-ursa-threat-assessment/
∗∗∗ Why Are You Texting Me? UNC3944 Leverages SMS Phishing Campaigns for SIM Swapping, Ransomware, Extortion, and Notoriety ∗∗∗
---------------------------------------------
UNC3944 is a financially motivated threat cluster that has persistently used phone-based social engineering and SMS phishing campaigns (smshing) to obtain credentials to gain and escalate access to victim organizations. At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and underground forums, which they may leverage to acquire tools, services, and/or other support to augment their operations.
---------------------------------------------
https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-r…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Fortinet security solutions as a security risk ∗∗∗
---------------------------------------------
Several Fortinet products are vulnerable. Security updates provide a remedy.
---------------------------------------------
https://www.heise.de/-9306543.html
∗∗∗ Lenovo XCC management controller: attackers can manipulate passwords ∗∗∗
---------------------------------------------
Computer manufacturer Lenovo has closed several security vulnerabilities in XClarity Controller.
---------------------------------------------
https://www.heise.de/-9304734.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (c-ares and samba), Fedora (borgbackup, firefox, and libwebp), Oracle (.NET 6.0 and kernel), Slackware (libwebp), SUSE (chromium and firefox), and Ubuntu (atftp, dbus, gawk, libssh2, libwebp, modsecurity-apache, and mutt).
---------------------------------------------
https://lwn.net/Articles/944581/
∗∗∗ QRadar Pulse application add on to IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7032220
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to HTTP header injection due to Go CVE-2023-29406 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7032249
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to bypassing security restrictions due to multiple Node.js vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7032238
∗∗∗ IBM Virtualization Engine TS7700 is susceptible to a denial of service due to use of Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031979
∗∗∗ Due to use of Golang Go, IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7032901
∗∗∗ Multiple vulnerabilities in jackson-databind affect IBM Application Performance Management products ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7032899
∗∗∗ IBM Operational Decision Manager August 2023 - Multiple CVEs addressed ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7032928
∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029387
∗∗∗ CVE-2023-24539, CVE-2023-29400, CVE-2023-29403, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404, CVE-2023-29405 related to Go affect IBM CICS TX Standard 11.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7033006
∗∗∗ CVE-2023-24540, CVE-2023-29402, CVE-2023-29404, CVE-2023-29405 related to Go affect IBM CICS TX Advanced 11.1 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7033004
∗∗∗ Vulnerabilities in Golang, openSSH and openJDK might affect IBM Spectrum Copy Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029389
∗∗∗ Vulnerabilities in snappy-java might affect IBM Spectrum Copy Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029381
∗∗∗ Vulnerabilities in cURL libcurl might affect IBM Spectrum Copy Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029380
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 13-09-2023 18:00 − Thursday 14-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows 11 ‘ThemeBleed’ RCE bug gets proof-of-concept exploit ∗∗∗
---------------------------------------------
Security researcher Gabe Kirkpatrick has made a proof-of-concept (PoC) exploit available for CVE-2023-38146, aka "ThemeBleed," which enables attackers to trigger arbitrary remote code execution if the target opens a specially crafted .theme file.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/windows-11-themebleed-rce-bu…
∗∗∗ Top 10 Facts About MOVEit Breach ∗∗∗
---------------------------------------------
This breach exposed the vulnerabilities inherent in some of the world’s most trusted platforms and highlighted the audacity and capabilities of modern cybercriminals. Furthermore, becoming the primary attack vector for the Cl0p ransomware group, it has led to many other attacks.
---------------------------------------------
https://socradar.io/top-10-facts-about-moveit-breach/
∗∗∗ Column-Level Encryption 101: What is It, implementation & Benefits ∗∗∗
---------------------------------------------
By encrypting individual columns of data, organizations can limit access to the data, reduce the potential damage of a breach and help ensure the privacy of their customers' information. In this post, we will explore the power of column-level encryption for data security. So let’s dive in.
---------------------------------------------
https://www.piiano.com/blog/column-level-encryption
∗∗∗ Uncursing the ncurses: Memory corruption vulnerabilities found in library ∗∗∗
---------------------------------------------
Microsoft has discovered a set of memory corruption vulnerabilities in a library called ncurses, which provides APIs that support text-based user interfaces (TUI). Released in 1993, the ncurses library is commonly used by various programs on Portable Operating System Interface (POSIX) operating systems, including Linux, macOS, and FreeBSD.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/09/14/uncursing-the-ncur…
∗∗∗ PSA: Ongoing Webex malvertising campaign drops BatLoader ∗∗∗
---------------------------------------------
A new malvertising campaign is targeting corporate users who are downloading the popular web conferencing software Webex. Threat actors have bought an advert that impersonates Cisco's brand and is displayed first when performing a Google search.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/09/ongoing-webex…
∗∗∗ QR code in e-mails from supposed suppliers leads to phishing page ∗∗∗
---------------------------------------------
A particularly perfidious phishing e-mail is currently circulating: companies are contacted by suppliers known to them, who deliver an offer via QR code. At least that is what the message claims. In fact, scanning the QR code leads to a phishing page. The criminals are trying to obtain the credentials for employees' Microsoft accounts.
---------------------------------------------
https://www.watchlist-internet.at/news/qr-code-in-e-mails-von-vermeintliche…
∗∗∗ Beware of phishing e-mails from "oesterreich.gv.at" & "a-trust.at" ∗∗∗
---------------------------------------------
Numerous phishing messages from supposedly trustworthy senders are currently in circulation. The messages promise alleged refunds from Oesterreich.gv.at. Do not click on the links; your data will be stolen!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-phishing-e-mails-von-oe…
=====================
= Vulnerabilities =
=====================
∗∗∗ FortiGuard PSIRT Advisories ∗∗∗
---------------------------------------------
Fortiguard Labs have released 12 Advisories for FortiADC, FortiAPs, FortiAP-U, FortiClient-EMS, FortiManager & FortiAnalyzer, FortiOS & FortiProxy, FortiPresence, FortiSIEM, FortiTester and FortiWeb. (Severity: 3x High, 8x Medium, 1x Low)
---------------------------------------------
https://fortiguard.fortinet.com/psirt?date=2023&product=FortiWeb,FortiSIEM,…
∗∗∗ Siemens has published 2 further Security Advisories as of 14.09.2023 ∗∗∗
---------------------------------------------
SSA-646240: Sensitive Information Disclosure in SIMATIC PCS neo Administration Console (5.5), SSA-357182: Local Privilege Escalation Vulnerability in Spectrum Power 7 (8.2)
---------------------------------------------
https://www.siemens.com/global/en/products/services/cert.html#SecurityPubli…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023) ∗∗∗
---------------------------------------------
Last week, there were 107 vulnerabilities disclosed in 89 WordPress Plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libwebp, ruby-loofah, and ruby-rails-html-sanitizer), Fedora (open-vm-tools and salt), Oracle (.NET 7.0, dmidecode, flac, gcc, httpd:2.4, keylime, libcap, librsvg2, and qemu-kvm), Red Hat (.NET 6.0 and .NET 7.0), Slackware (libarchive and mozilla), SUSE (chromium and kernel), and Ubuntu (curl, firefox, ghostscript, open-vm-tools, postgresql-9.5, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/944481/
∗∗∗ Drupal: Mail Login - Critical - Access bypass - SA-CONTRIB-2023-045 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-045
∗∗∗ Rockwell Automation Pavilion8 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-257-07
∗∗∗ Palo Alto: CVE-2023-3280 Cortex XDR Agent: Local Windows User Can Disable the Agent (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-3280
∗∗∗ Palo Alto: CVE-2023-38802 PAN-OS: Denial-of-Service (DoS) Vulnerability in BGP Software (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-38802
∗∗∗ PostgreSQL Vulnerability Affects IBM Connect:Direct Web Service (CVE-2023-39417) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7032120
∗∗∗ CISA Adds Three Known Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/09/13/cisa-adds-three-known-vu…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-09-2023 18:00 − Wednesday 13-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch day: attacks on Adobe Acrobat via crafted PDF files ∗∗∗
---------------------------------------------
Adobe has closed several security vulnerabilities in Acrobat and Reader, Connect and Experience Manager.
---------------------------------------------
https://heise.de/-9303487
∗∗∗ Emergency patch secures Firefox and Thunderbird against attacks ∗∗∗
---------------------------------------------
Mozilla has closed a security vulnerability in its web browsers and its mail client that attackers are already exploiting.
---------------------------------------------
https://heise.de/-9303536
∗∗∗ Microsoft Security Update Summary (12 September 2023) ∗∗∗
---------------------------------------------
On 12 September 2023, Microsoft released security updates for Windows clients and servers, for Office and for other products. The security updates fix 61 CVE vulnerabilities, two of which are 0-day vulnerabilities. Below is a compact overview of these updates [...]
---------------------------------------------
https://www.borncity.com/blog/2023/09/13/microsoft-security-update-summary-…
∗∗∗ Threat landscape for industrial automation systems. Statistics for H1 2023 ∗∗∗
---------------------------------------------
In the first half of 2023, the percentage of ICS computers on which malicious objects were blocked decreased from H2 2022 by just 0.3 pp to 34%.
---------------------------------------------
https://securelist.com/threat-landscape-for-industrial-automation-systems-s…
∗∗∗ Malware distributor Storm-0324 facilitates ransomware access ∗∗∗
---------------------------------------------
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment. Beginning in July 2023, Storm-0324 was observed distributing payloads using an open-source tool [...]
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/09/12/malware-distributo…
∗∗∗ Alert: New Kubernetes Vulnerabilities Enable Remote Attacks on Windows Endpoints ∗∗∗
---------------------------------------------
Three interrelated high-severity security flaws discovered in Kubernetes could be exploited to achieve remote code execution with elevated privileges on Windows endpoints within a cluster. The issues, tracked as CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955, carry CVSS scores of 8.8 and impact all Kubernetes environments with Windows nodes. Fixes for the vulnerabilities were released on August 23, 2023, [...]
---------------------------------------------
https://thehackernews.com/2023/09/alert-new-kubernetes-vulnerabilities.html
∗∗∗ OpenSSL 1.1.1 reaches end of life for all but the well-heeled ∗∗∗
---------------------------------------------
$50k to breathe new life into its corpse. The rest of us must move on to OpenSSL 3.0
OpenSSL 1.1.1 has reached the end of its life, making a move to a later version essential for all, bar those with extremely deep pockets.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/09/12/openssl_111_…
∗∗∗ macOS Info-Stealer Malware ‘MetaStealer’ Targeting Businesses ∗∗∗
---------------------------------------------
The MetaStealer macOS information stealer has been targeting businesses to exfiltrate keychain and other valuable information.
---------------------------------------------
https://www.securityweek.com/macos-info-stealer-malware-metastealer-targeti…
∗∗∗ How Next-Gen Threats Are Taking a Page From APTs ∗∗∗
---------------------------------------------
Cybercriminals are increasingly trying to find ways to get around security, detection, intelligence and controls as APTs start to merge with conventional cybercrime.
---------------------------------------------
https://www.securityweek.com/how-next-gen-threats-are-taking-a-page-from-ap…
∗∗∗ How Three Letters Brought Down UK Air Traffic Control ∗∗∗
---------------------------------------------
The UK bank holiday weekend at the end of August is a national holiday in which it sometimes seems the entire country ups sticks and makes for somewhere with a beach. This year though, many of them couldn’t, because the country’s NATS air traffic system went down and stranded many to grumble in the heat of a crowded terminal. At the time it was blamed on faulty flight data, but news now emerges that the data which brought down an entire country’s air traffic control may have not been faulty at all.
---------------------------------------------
https://hackaday.com/2023/09/13/how-three-letters-brought-down-uk-air-traff…
∗∗∗ 3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack ∗∗∗
---------------------------------------------
Attackers resorted to new ransomware after deployment of LockBit was blocked on targeted network.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/3am-rans…
∗∗∗ White House urging dozens of countries to publicly commit to not pay ransoms ∗∗∗
---------------------------------------------
The U.S. National Security Council (NSC) is urging the governments of all countries participating in the International Counter Ransomware Initiative (CRI) to issue a joint statement announcing they will not pay ransoms to cybercriminals, according to three sources with knowledge of the plans.
---------------------------------------------
https://therecord.media/counter-ransomware-initiative-members-ransom-paymen…
∗∗∗ September 2023 release of new Exchange Server CVEs (resolved by August 2023 Security Updates) ∗∗∗
---------------------------------------------
You may have noticed there were several new Exchange Server CVEs that were released today (a part of September 2023 ‘Patch Tuesday’). If you haven’t yet, you can go to the Security Update Guide and filter on Exchange Server under Product Family to review CVE information. The CVEs released today were actually addressed in the August 2023 Exchange Server Security Update (SU). Due to the timing of validation of those fixes and release dates, we decided to release the CVEs as a part of September 2023 ‘Patch Tuesday’ release cycle. We know that many customers are accustomed to checking for Microsoft security releases on the second Tuesday of every month, and we did not want these CVEs to go unnoticed.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/september-2023-re…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (e2guardian), Fedora (libeconf), Red Hat (dmidecode, kernel, kernel-rt, keylime, kpatch-patch, libcap, librsvg2, linux-firmware, and qemu-kvm), Slackware (mozilla), SUSE (chromium and shadow), and Ubuntu (cups, dotnet6, dotnet7, file, flac, and ruby-redcloth).
---------------------------------------------
https://lwn.net/Articles/944354/
∗∗∗ BSRT-2023-001 Vulnerabilities in Management Console and Self Service Impact AtHoc Server ∗∗∗
---------------------------------------------
https://support.blackberry.com/kb/articleDetail?language=en_US&articleNumbe…
∗∗∗ VU#347067: Multiple BGP implementations are vulnerable to improperly formatted BGP updates ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/347067
∗∗∗ PHP Shopping Cart-4.2 Multiple-SQLi ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023090037
∗∗∗ Cisco IOS XR Software Compression ACL Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Image Verification Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software iPXE Boot Signature Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Model-Driven Programmability Behavior with AAA Authorization ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Connectivity Fault Management Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Access Control List Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000136157 : sssd vulnerability CVE-2022-4254 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000136157?utm_source=f5support&utm_medi…
∗∗∗ Trumpf: Multiple Products affected by WIBU Codemeter Vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-031/
∗∗∗ Elliptic Labs Virtual Lock Sensor Vulnerability ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500576-ELLIPTIC-LABS-VIRTUAL-…
∗∗∗ Lenovo XClarity Controller (XCC) Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500578
∗∗∗ Intel Dynamic Tuning Technology Advisory ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500577-INTEL-DYNAMIC-TUNING-T…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-09-2023 18:00 − Tuesday 12-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New WiKI-Eve attack can steal numerical passwords over WiFi ∗∗∗
---------------------------------------------
A new attack dubbed WiKI-Eve can intercept the cleartext transmissions of smartphones connected to modern WiFi routers and deduce individual numeric keystrokes at an accuracy rate of up to 90%, allowing numerical passwords to be stolen.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-wiki-eve-attack-can-stea…
∗∗∗ Free Download Manager backdoored – a possible supply chain attack on Linux machines ∗∗∗
---------------------------------------------
Kaspersky researchers analyzed a Linux backdoor disguised as Free Download Manager software that remained under the radar for at least three years.
---------------------------------------------
https://securelist.com/backdoored-free-download-manager-linux-malware/11046…
∗∗∗ Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper ∗∗∗
---------------------------------------------
"A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," Fortinet FortiGuard Labs researcher Cara Lin said.
---------------------------------------------
https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html
∗∗∗ Fake Post, DHL and UPS notifications in circulation ∗∗∗
---------------------------------------------
Waiting for a parcel? Take a close look at delivery status notifications. Many fraudulent messages are currently circulating. You are informed by e-mail or SMS that customs fees or shipping costs still have to be paid. Do not click on the link. You will end up on a fraudulent page that harvests credit card data.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-post-dhl-und-ups-benachr…
∗∗∗ The European Cyber Shield ∗∗∗
---------------------------------------------
As part of the "Digital Europe Programme", the EU wants to strengthen the security of the EU with funding for the networking of SOCs and to establish the system permanently via a new "Cyber Solidarity Act". I gave a talk on this at the CSIRTs Network Meeting in June, the content of which I have now expanded into a fully written paper (in English).
---------------------------------------------
https://cert.at/de/blog/2023/9/european-cyber-shield
∗∗∗ Persistent Threat: New Exploit Puts Thousands of GitHub Repositories and Millions of Users at Risk ∗∗∗
---------------------------------------------
A new vulnerability has been discovered that could allow an attacker to exploit a race condition within GitHub's repository creation and username renaming operations. This technique could be used to perform a Repojacking attack (hijacking popular repositories to distribute malicious code).
---------------------------------------------
https://checkmarx.com/blog/persistent-threat-new-exploit-puts-thousands-of-…
∗∗∗ Deleting Your Way Into SYSTEM: Why Arbitrary File Deletion Vulnerabilities Matter ∗∗∗
---------------------------------------------
Windows arbitrary file deletion vulnerabilities should no longer be considered mere annoyances or tools for Denial-of-Service (DoS) attacks. Over the past couple of years, these vulnerabilities have matured into potent threats capable of unearthing a portal to full system compromise. This transformation is exemplified in CVE-2023-27470 (an arbitrary file deletion vulnerability in N-Able’s Take Control Agent with a CVSS Base Score of 8.8) demonstrating that what might initially seem innocuous can, in fact, expose unexpected weaknesses within your system.
---------------------------------------------
https://www.mandiant.com/resources/blog/arbitrary-file-deletion-vulnerabili…
=====================
= Vulnerabilities =
=====================
∗∗∗ NSO exploit: Apple also fixes older versions of macOS, iOS and iPadOS ∗∗∗
---------------------------------------------
Following emergency updates for current operating systems, Apple is now also releasing patches for older versions. Users should update promptly.
---------------------------------------------
https://heise.de/-9301842
∗∗∗ Patch day: SAP closes critical data leak vulnerability in BusinessObjects ∗∗∗
---------------------------------------------
Important security updates for SAP software have been released. Admins should act promptly.
---------------------------------------------
https://heise.de/-9302399
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-cookiejar and orthanc), Oracle (firefox, kernel, and kernel-container), Red Hat (flac and httpd:2.4), Slackware (vim), SUSE (python-Django, terraform-provider-aws, terraform-provider-helm, and terraform-provider-null), and Ubuntu (c-ares, curl, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-raspi, and linux-ibm, linux-ibm-5.4).
---------------------------------------------
https://lwn.net/Articles/944263/
∗∗∗ ICS Patch Tuesday: Critical CodeMeter Vulnerability Impacts Several Siemens Products ∗∗∗
---------------------------------------------
ICS Patch Tuesday: Siemens has released 7 new advisories and Schneider Electric has released 1 new advisory.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-critical-codemeter-vulnerabi…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0008 ∗∗∗
---------------------------------------------
CVE identifiers: CVE-2023-28198, CVE-2023-32370, CVE-2023-40397.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0008.html
∗∗∗ Google Chrome 116.0.5845.187/.188 fixes critical vulnerability ∗∗∗
---------------------------------------------
On 11 September 2023, Google released updates of the Google Chrome browser 116 in the Stable and Extended Channel for Mac, Linux and Windows. These are security updates that are being rolled out and are intended to fix one vulnerability (rated "critical").
---------------------------------------------
https://www.borncity.com/blog/2023/09/11/google-chrome-116-0-5845-187-188-f…
∗∗∗ Fujitsu Software Infrastructure Manager ∗∗∗
---------------------------------------------
An issue was discovered in Fujitsu Software Infrastructure Manager (ISM) before 2.8.0.061. The ismsnap component (in this specific case at /var/log/fujitsu/ServerViewSuite/ism/FirmwareManagement/FirmwareManagement.log) allows insecure collection and storage of authorization credentials in cleartext.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-255-02
∗∗∗ Security updates available in Foxit PDF Reader 2023.2 and Foxit PDF Editor 2023.2 ∗∗∗
---------------------------------------------
https://www.foxit.com/de/support/security-bulletins.html
∗∗∗ Hitachi Energy Lumada APM Edge ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-255-01
∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031625
∗∗∗ Control Access issues in PCOMM ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031707
∗∗∗ Multiple Security vulnerabilities in IBM Java in FileNet Content Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7001699
∗∗∗ A vulnerability in FasterXML Jackson Core may affect IBM Robotic Process Automation and result in an application crash (IBM X-Force ID: 256137). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031716
∗∗∗ IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable and could provide weaker than expected security. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031051
∗∗∗ Vulnerability in Open JDK affecting Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031729
∗∗∗ IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules tough-cookie and semver (CVE-2023-26136, CVE-2022-25883). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031733
∗∗∗ IBM Cloud Pak for Security includes components with multiple known vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031754
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-09-2023 18:00 − Monday 11-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Microsoft Teams phishing attack pushes DarkGate malware ∗∗∗
---------------------------------------------
A new phishing campaign is abusing Microsoft Teams messages to send malicious attachments that install the DarkGate Loader malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/microsoft-teams-phishing-att…
∗∗∗ Facebook Messenger phishing wave targets 100K business accounts per week ∗∗∗
---------------------------------------------
Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-messenger-phishing-…
∗∗∗ From Caribbean shores to your devices: analyzing Cuba ransomware ∗∗∗
---------------------------------------------
The article analyzes the malicious tactics, techniques and procedures (TTP) used by the operator of the Cuba ransomware, and details a Cuba attack incident.
---------------------------------------------
https://securelist.com/cuba-ransomware/110533/
∗∗∗ New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World ∗∗∗
---------------------------------------------
A new malware loader called HijackLoader is gaining traction among the cybercriminal community to deliver various payloads such as DanaBot, SystemBC, and RedLine Stealer.
---------------------------------------------
https://thehackernews.com/2023/09/new-hijackloader-modular-malware-loader.h…
∗∗∗ Cybercriminals Using PowerShell to Steal NTLMv2 Hashes from Compromised Windows ∗∗∗
---------------------------------------------
A new cyber attack campaign is leveraging the PowerShell script associated with a legitimate red teaming tool to plunder NTLMv2 hashes from compromised Windows systems primarily located in Australia, Poland, and Belgium. The activity has been codenamed Steal-It by Zscaler ThreatLabz.
---------------------------------------------
https://thehackernews.com/2023/09/cybercriminals-using-powershell-to.html
∗∗∗ Password manager: LastPass hackers appear to be cracking password vaults ∗∗∗
---------------------------------------------
Cybercriminals copied LastPass password vaults last year. Now they appear to be cracking them and emptying crypto wallets.
---------------------------------------------
https://heise.de/-9300583
∗∗∗ From ERMAC to Hook: Investigating the technical differences between two Android malware variants ∗∗∗
---------------------------------------------
Hook and ERMAC are Android based malware families that are both advertised by the actor named “DukeEugene”. Hook is the latest variant to be released by this actor and was first announced at the start of 2023. In this announcement, the actor claims that Hook was written from scratch [1]. In our research, we have analysed two samples of Hook and two samples of ERMAC to further examine the technical differences between these malware families.
---------------------------------------------
https://research.nccgroup.com/2023/09/11/from-ermac-to-hook-investigating-t…
∗∗∗ Numerous dubious dirndl shops in circulation ∗∗∗
---------------------------------------------
Oktoberfest season is dirndl season! Dubious shop operators know this too. To reach as many potential victims as possible, they rely on advertising via Facebook and Instagram. High-quality dirndls are promised at an unbeatably low price. Reports from buyers show, however, that consumers only receive inferior clothing.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-unserioese-dirndl-shops-i…
∗∗∗ A classification of CTI Data feeds ∗∗∗
---------------------------------------------
We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria’s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic.
---------------------------------------------
https://cert.at/en/blog/2023/9/cti-data-feeds
=====================
= Vulnerabilities =
=====================
∗∗∗ Pyramid vulnerable to directory traversal ∗∗∗
---------------------------------------------
Pyramid provided by Pylons Project contains a directory traversal vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN41113329/
∗∗∗ HPE OneView: Critical vulnerability allows authentication bypass ∗∗∗
---------------------------------------------
HPE warns of several security vulnerabilities in OneView, an infrastructure management software. Attackers could, for example, bypass the login.
---------------------------------------------
https://heise.de/-9301047
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (frr, kernel, libraw, mutt, and open-vm-tools), Fedora (cjose, pypy, vim, wireshark, and xrdp), Gentoo (apache), Mageia (chromium-browser-stable, clamav, ghostscript, librsvg, libtiff, openssl, poppler, postgresql, python-pypdf2, and unrar), Red Hat (flac), SUSE (firefox, geoipupdate, icu73_2, libssh2_org, rekor, skopeo, and webkit2gtk3), and Ubuntu (linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp-5.4, linux-gkeop, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux-gcp, linux-gcp-6.2, linux-ibm, linux-oracle, linux-starfive, linux-gcp-5.15, linux-gkeop-5.15, and opendmarc).
---------------------------------------------
https://lwn.net/Articles/944190/
∗∗∗ Security updates available in PDF-XChange Editor/Tools 10.1.0.380 ∗∗∗
---------------------------------------------
https://www.tracker-software.com/support/security-bulletins.html
∗∗∗ Mattermost security updates 8.1.2 (ESR) / 8.0.3 / 7.8.11 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-8-1-2-esr-8-0-3-7-8…
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in TensorFlow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031271
∗∗∗ Vulnerability in BIND affects IBM Integrated Analytics System (Sailfish)[CVE-2023-2828] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031294
∗∗∗ Vulnerability in OpenSSH affects IBM Integrated Analytics System (Sailfish)[CVE-2023-38408] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031293
∗∗∗ Vulnerabilities in IBM WebSphere Application Server affect IBM Application Performance Management. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031576
∗∗∗ Due to use of, IBM Application Performance Management could allow a local authenticated attacker to obtain sensitive information. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031614
∗∗∗ A vulnerability in Microsoft .NET may affect IBM Robotic Process Automation allowing an attacker to conduct spoofing attacks (CVE-2022-34716) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031620
∗∗∗ A vulnerability in Microsoft .NET Core may affect IBM Robotic Process Automation and result in a remote attacker obtaining sensitive information (CVE-2018-8292). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7029529
∗∗∗ A vulnerability in Microsoft .NET Framework may affect IBM Robotic Process Automation and result in an exposure of sensitive information (CVE-2022-41064) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031621
∗∗∗ IBM Robotic Process Automation could disclose sensitive information from access to RPA scripts, workflows and related data (CVE-2023-38718) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031619
∗∗∗ IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031624
∗∗∗ A vulnerability in Newtonsoft.Json may affect IBM Robotic Process Automation and result in a denial of service (IBM X-Force ID: 234366). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7031623
∗∗∗ IBM Cognos Command Center is affected by multiple vulnerabilities (CVE-2023-21939, CVE-2023-21967, CVE-2022-29117, XFID: 234366) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7012455
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-09-2023 18:00 − Friday 08-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Post-Quantum Cryptography ∗∗∗
---------------------------------------------
The advent of capable quantum computers has massive side effects on the security of various basic cryptographic operations. In recent years these have become essential building blocks of our IT architecture, especially in networked systems. Everything still works, but if we do not start preparing for this coming threat soon, the transition to "post-quantum cryptography" will be a painful one. [..] Next week I will be sitting on a panel at an event on this topic. And since I am preparing for it anyway, I might as well share my sources and conclusions.
---------------------------------------------
https://cert.at/de/blog/2023/9/post-quantum-cryptography
∗∗∗ CISA warns of critical Apache RocketMQ bug exploited in attacks ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added to its catalog of known exploited vulnerabilities (KEV) a critical-severity issue tracked as CVE-2023-33246 that affects Apache's RocketMQ distributed messaging and streaming platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-apach…
∗∗∗ Paranoids Vulnerability Research: Ivanti Issues Security Alert ∗∗∗
---------------------------------------------
The vulnerability allowed for remote code execution — giving a bad actor a method to distribute malicious software through a tool that sends out security updates. And, as part of the research process, we confirmed the feasibility of this by developing an end-to-end exploit that showcases how malware can be distributed to managed endpoints (demo).
---------------------------------------------
https://www.yahooinc.com/paranoids/paranoids-vulnerability-research-ivanti-…
∗∗∗ Malvertising campaign tries to foist Atomic Stealer on Mac users ∗∗∗
---------------------------------------------
IT researchers are observing a malvertising campaign whose operators want to slip the Atomic Stealer onto Mac users' systems. It steals cryptocurrencies, among other things.
---------------------------------------------
https://heise.de/-9298637
∗∗∗ Emsisoft Tells Users to Update Products, Reboot Systems Due to Certificate Mishap ∗∗∗
---------------------------------------------
The problem, the company says, affects its Extended Validation (EV) code signing certificate that was renewed on August 23 and used to sign all program files compiled after that date, including the latest software version, released on September 4.
---------------------------------------------
https://www.securityweek.com/emsisoft-tells-users-to-update-products-reboot…
∗∗∗ New Phishing Campaign Launched via Google Looker Studio ∗∗∗
---------------------------------------------
Cybersecurity firm Check Point is warning of a new type of phishing attacks that abuse Google Looker Studio to bypass protections.
---------------------------------------------
https://www.securityweek.com/new-phishing-campaign-launched-via-google-look…
∗∗∗ MAR-10454006.r5.v1 SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER Backdoors ∗∗∗
---------------------------------------------
CISA obtained five malware samples - including artifacts related to SUBMARINE, SKIPJACK, SEASPRAY, WHIRLPOOL, and SALTWATER backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG).
---------------------------------------------
https://www.cisa.gov/news-events/analysis-reports/ar23-250a-0
∗∗∗ W3LL phishing kit can bypass multi-factor authentication; thousands of Microsoft 365 accounts hijacked ∗∗∗
---------------------------------------------
The Singapore-based security vendor Group-IB recently published a security report pointing to specific activities of a group of cybercriminals called W3LL. The cybergang has developed a special phishing kit to hijack Microsoft 365 accounts and offers this service to at least 500 other cybergangs via a secret W3LL Store.
---------------------------------------------
https://www.borncity.com/blog/2023/09/08/w3ll-phishing-kit-kann-multifaktor…
∗∗∗ A Deep Dive into 70 Layers of Obfuscated Info-Stealer Malware ∗∗∗
---------------------------------------------
In the battle of hackers against defenders, we consistently find hackers trying to disguise their true intent. We have analyzed an interesting sample that was armed with multiple layers of obfuscation. These packages were quite the challenge.
---------------------------------------------
https://checkmarx.com/blog/a-deep-dive-into-70-layers-of-obfuscated-info-st…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for macOS, iOS/iPadOS close two 0-days of the NSO Group (Pegasus spyware) ∗∗∗
---------------------------------------------
On 7 September 2023 Apple once again released a batch of security updates for its operating systems macOS, iOS/iPadOS and also WatchOS. These updates close two 0-day vulnerabilities that were abused by the NSO Group's Pegasus spyware to surveil mobile devices.
---------------------------------------------
https://www.borncity.com/blog/2023/09/08/sicherheitsupdates-fr-macos-ios-ip…
∗∗∗ OpenSSL Security Advisory [8th September 2023] ∗∗∗
---------------------------------------------
POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807). Severity: Low
---------------------------------------------
https://www.openssl.org/news/secadv/20230908.txt
∗∗∗ QNAP Security Advisories 2023-09-08 ∗∗∗
---------------------------------------------
QNAP has released 4 security advisories: (1x High, 3x Medium)
---------------------------------------------
https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libssh2, memcached, and python-django), Fedora (netconsd), Oracle (firefox and thunderbird), Scientific Linux (firefox), SUSE (open-vm-tools), and Ubuntu (grub2-signed, grub2-unsigned, shim, and shim-signed, plib, and python2.7, python3.5).
---------------------------------------------
https://lwn.net/Articles/943990/
∗∗∗ Notepad++ v8.5.7 fixes vulnerabilities ∗∗∗
---------------------------------------------
In mid-August 2023 security researcher Jaroslav Lobacevski disclosed four vulnerabilities (CVE-2023-40031, CVE-2023-40036, CVE-2023-40164, CVE-2023-40166) in the Notepad++ editor for Windows. The vulnerabilities are rated medium to high. The developer, who had known about these vulnerabilities for months, has now fixed them with the update to Notepad++ v8.5.7.
---------------------------------------------
https://www.borncity.com/blog/2023/09/08/notepad-v8-5-7-fixt-schwachstellen/
∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in WP 6xxx Web panels ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-018/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-09-2023 18:00 − Thursday 07-09-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Next-Generation Context Aware Password Cracking ∗∗∗
---------------------------------------------
TLDR; Using ChatGPT, an attacker can generate a list of password guesses based on the context of the target such as a company’s description or social media accounts.
---------------------------------------------
https://medium.com/@doctoreww/next-generation-context-aware-password-cracki…
∗∗∗ Cisco warns of partly critical vulnerabilities and ships updates for several products ∗∗∗
---------------------------------------------
Several Cisco products contain security vulnerabilities that updates are meant to close. One is even rated critical.
---------------------------------------------
https://heise.de/-9297182
∗∗∗ FreeWorld ransomware attacks MSSQL—get your databases off the Internet ∗∗∗
---------------------------------------------
When we think of ransomware and brute force password guessing attacks, we normally think of RDP, but recent research from Securonix reminds us that anything secured with a password and exposed to the internet is of interest to cybercriminals.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/09/freeworld-ransomware-attacks…
∗∗∗ Ozempic, Wegovy & Co: Beware of fake shops selling "slimming products" ∗∗∗
---------------------------------------------
Diabetes medications such as Ozempic, Saxenda or Metformin have been affected by supply shortages for some time. The reason: Elon Musk, Kim Kardashian and other celebrities use these and similar drugs to lose weight, and the hype around these "weight-loss injections" was not long in coming. A trend that criminals are also exploiting: they offer the actually prescription-only medications in fake shops as slimming products.
---------------------------------------------
https://www.watchlist-internet.at/news/ozempic-wegovy-co-vorsicht-vor-fake-…
∗∗∗ A classification of CTI Data feeds ∗∗∗
---------------------------------------------
We at CERT.at process and share a wide selection of cyber threat intelligence (CTI) as part of our core mission as Austria’s hub for IT security information. Right now, we are involved in two projects that involve the purchase of commercial CTI. I encountered some varying views on what CTI is and what one should do with the indicators of compromise (IoCs) that are part of a CTI feed. This blog post describes my view on this topic.
---------------------------------------------
https://cert.at/en/blog/2023/9/cti-data-feeds
∗∗∗ Cybercriminals target graphic designers with GPU miners ∗∗∗
---------------------------------------------
Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware including PhoenixMiner and lolMiner on infected machines.
---------------------------------------------
https://blog.talosintelligence.com/cybercriminals-target-graphic-designers-…
∗∗∗ CISA Releases Update to Threat Actors Exploiting Citrix CVE-2023-3519 to Implant Webshells ∗∗∗
---------------------------------------------
This Cybersecurity Advisory has been updated with new tactics, techniques, and procedures (TTPs) as well as indicators of compromise (IOCs) received from an additional victim and trusted third parties.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/09/06/cisa-releases-update-thr…
∗∗∗ MAR-10430311-1.v1 Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 ∗∗∗
---------------------------------------------
CISA received 4 files for analysis from an incident response engagement conducted at an Aeronautical Sector organization [..] CISA has provided indicators of compromise (IOCs) and YARA rules for detection within this Malware Analysis Report (MAR).
---------------------------------------------
https://www.cisa.gov/news-events/analysis-reports/ar23-250a
=====================
= Vulnerabilities =
=====================
∗∗∗ Aruba controllers and gateways with high-risk security vulnerabilities ∗∗∗
---------------------------------------------
Updates are available for Aruba controllers and gateways of the 9000 and 9200 series that close high-risk security vulnerabilities.
---------------------------------------------
https://heise.de/-9297925
∗∗∗ Cisco Security Advisories 2023-09-06 - 2023-09-06 ∗∗∗
---------------------------------------------
Cisco has released 6 security advisories: (1x Critical, 1x High, 4x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Security updates: Unauthorized access to TP-Link routers possible ∗∗∗
---------------------------------------------
Attackers can attack various TP-Link routers and in the worst case execute their own commands on the devices.
---------------------------------------------
https://heise.de/-9297306
∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗
---------------------------------------------
Update - September 5th 2023: A new variant of the SRX upload vulnerability has been published by external researchers (CVE-2023-36851). All fixes listed under Solution below break the RCE chain
---------------------------------------------
https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-B…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 28, 2023 to September 3, 2023) ∗∗∗
---------------------------------------------
Last week, there were 64 vulnerabilities disclosed in 61 WordPress Plugins and 2 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week.
---------------------------------------------
https://www.wordfence.com/blog/2023/09/wordfence-intelligence-weekly-wordpr…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (erofs-utils, htmltest, indent, libeconf, netconsd, php-phpmailer6, tinyexr, and vim), Red Hat (firefox), and Ubuntu (linux-aws, linux-aws-5.15, linux-ibm-5.15, linux-oracle, linux-oracle-5.15, linux-azure, linux-azure-fde-5.15, linux-gke, linux-gkeop, linux-intel-iotg-5.15, linux-raspi, linux-oem-6.1, linux-raspi, linux-raspi-5.4, shiro, and sox).
---------------------------------------------
https://lwn.net/Articles/943856/
∗∗∗ CVE-2023-4528: Java Deserialization Vulnerability in JSCAPE MFT (Fixed) ∗∗∗
---------------------------------------------
CVE-2023-4528 affects all versions of JSCAPE MFT Server prior to version 2023.1.9 on all platforms (Windows, Linux, and MacOS). See the JSCAPE advisory for more information [..] CVE-2023-4528 has been addressed in JSCAPE version 2023.1.9 which is now available for customer deployment.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/09/07/cve-2023-4528-java-deserializat…
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
ICSA-23-250-01 Dover Fueling Solutions MAGLINK LX Console (CVSS v3 9.1),
ICSA-23-250-02 Phoenix Contact TC ROUTER and TC CLOUD CLIENT (CVSS v3 9.6),
ICSA-23-250-03 Socomec MOD3GP-SY-120K (CVSS v3 10.0),
ICSA-23-157-01 Delta Electronics CNCSoft-B DOPSoft (Update) (CVSS v3 7.8)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/09/07/cisa-releases-four-indus…
∗∗∗ Drupal: WebProfiler - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-044 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-044
∗∗∗ Drupal: highlight.php - Moderately critical - Cross Site Scripting - SA-CONTRIB-2023-043 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-043
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/