Daily

daily@lists.cert.at

1 participants
3156 discussions

Tageszusammenfassung - 23.08.2023
by Daily end-of-shift report 23 Aug '23

23 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-08-2023 18:00 − Mittwoch 23-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schwachstellen im Web-Interface machen Aruba Orchestrator angreifbar ∗∗∗ --------------------------------------------- Angreifer können Arubas SD-WAN-Managementlösung EdgeConnect SD-WAN Orchestrator attackieren. --------------------------------------------- https://heise.de/-9282524 ∗∗∗ CISA warnt vor Angriffen auf Veeam-Backup-Sicherheitslücke ∗∗∗ --------------------------------------------- Die Cybersicherheitsbehörde CISA warnt vor aktuell laufenden Angriffen auf eine Veeam-Backup-Schwachstelle. Updates stehen bereit. --------------------------------------------- https://heise.de/-9282365 ∗∗∗ Die beliebteste WLAN-Glühbirne auf Amazon lässt Hacker in euer Netzwerk ∗∗∗ --------------------------------------------- Die TP-Link Tapo L530E hat Sicherheitslücken, mit denen sich Fremde Zugriff auf euer WLAN und damit auch auf die Geräte darin verschaffen können. --------------------------------------------- https://futurezone.at/produkte/wlan-lampe-gluehbrine-amazon-hacker-tp-link-… ∗∗∗ Vorsicht: Gefälschte Versionen von Google Bard verbreiten Malware ∗∗∗ --------------------------------------------- Achtung vor Fake-Werbung mit Google Bard: Hinter den Links befindet sich Malware. --------------------------------------------- https://futurezone.at/digital-life/google-bard-malware-faelschungen-fake-so… ∗∗∗ More Exotic Excel Files Dropping AgentTesla, (Wed, Aug 23rd) ∗∗∗ --------------------------------------------- Excel is an excellent target for attackers. The Microsoft Office suite is installed on millions of computers, and people trust these files. If we have the classic xls, xls, xlsm file extensions, Excel supports many others! Just check your local registry: [...] --------------------------------------------- https://isc.sans.edu/diary/rss/30150 ∗∗∗ Lateral movement: A conceptual overview ∗∗∗ --------------------------------------------- I think it would help a lot of those people to look at lateral movement from a conceptual point of view, instead of trying to understand all the techniques and ways in which lateral movement is achieved. [...] The goal is to hopefully enable more people to learn about how they can restructure or design their environments to be more resilient against lateral movement. --------------------------------------------- https://diablohorn.com/2023/08/22/lateral-movement-a-conceptual-overview/ ∗∗∗ Tourists Give Themselves Away by Looking Up. So Do Most Network Intruders. ∗∗∗ --------------------------------------------- In large metropolitan areas, tourists are often easy to spot because theyre far more inclined than locals to gaze upward at the surrounding skyscrapers. Security experts say this same tourist dynamic is a dead giveaway in virtually all computer intrusions that lead to devastating attacks like ransomware, and that more organizations should set simple virtual tripwires that sound the alarm when authorized users and devices are spotted exhibiting this behavior. --------------------------------------------- https://krebsonsecurity.com/2023/08/tourists-give-themselves-away-by-lookin… ∗∗∗ Hackergruppe CosmicBeetle verbreitet Ransomware in Europa ∗∗∗ --------------------------------------------- Gruppe verwendet das Toolset Spacecolon, um Ransomware unter ihren Opfern zu verbreiten und Lösegeld zu erpressen. --------------------------------------------- https://www.zdnet.de/88411341/hackergruppe-cosmicbeetle-verbreitet-ransomwa… ∗∗∗ NVMe: New Vulnerabilities Made Easy ∗∗∗ --------------------------------------------- As vulnerability researchers, our primary mission is to find as many vulnerabilities as possible with the highest severity as possible. Finding vulnerabilities is usually challenging. But could there be a way, in some cases, to reach the same results with less effort? --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/nvme-new-vulnerabil… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mediawiki and qt4-x11), Fedora (java-17-openjdk, linux-firmware, and python-yfinance), Red Hat (kernel, kpatch-patch, and subscription-manager), SUSE (evolution, janino, kernel, nodejs16, nodejs18, postgresql15, qt6-base, and ucode-intel), and Ubuntu (inetutils). --------------------------------------------- https://lwn.net/Articles/942514/ ∗∗∗ Google Chrome 116.0.5845.110/.111 Sicherheitsupdates ∗∗∗ --------------------------------------------- Google hat zum 22. August 2023 Updates des Google Chrome Browsers 116 im Stable Channel für Mac, Linux und Windows freigegeben. Es sind Sicherheitsupdates, die in den kommenden Wochen ausgerollt werden und 5 Schwachstellen (Einstufung als "hoch") beseitigen soll. --------------------------------------------- https://www.borncity.com/blog/2023/08/23/google-chrome-116-0-5845-110-111-s… ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028405 ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028403 ∗∗∗ CVE-2022-40609 may affect IBM Java shipped with IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028404 ∗∗∗ Multiple vulnerabilities may affect IBM Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028407 ∗∗∗ AIX is vulnerable to unauthorized file access and arbitrary code execution due to OpenSSH (CVE-2023-40371 and CVE-2023-38408) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028420 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2023
by Daily end-of-shift report 22 Aug '23

22 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 21-08-2023 18:00 − Dienstag 22-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Sneaky Amazon Google ad leads to Microsoft support scam ∗∗∗ --------------------------------------------- A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sneaky-amazon-google-ad-lead… ∗∗∗ Akira ransomware targets Cisco VPNs to breach organizations ∗∗∗ --------------------------------------------- Theres mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/akira-ransomware-targets-cis… ∗∗∗ Security review for Microsoft Edge version 116 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 116! We have reviewed the new settings in Microsoft Edge version 116 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 114 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ New Variant of XLoader macOS Malware Disguised as OfficeNote Productivity App ∗∗∗ --------------------------------------------- A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote.""The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. --------------------------------------------- https://thehackernews.com/2023/08/new-variant-of-xloader-macos-malware.html ∗∗∗ CISA, NSA, and NIST Publish Factsheet on Quantum Readiness ∗∗∗ --------------------------------------------- Today, [CISA, NSA, NIST] released a joint factsheet, Quantum-Readiness: Migration to Post-Quantum Cryptography (PQC), to inform organizations—especially those that support Critical Infrastructure—of the impacts of quantum capabilities, and to encourage the early planning for migration to post-quantum cryptographic standards by developing a Quantum-Readiness Roadmap. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/21/cisa-nsa-and-nist-publis… ∗∗∗ Exploitation of Openfire CVE-2023-32315 ∗∗∗ --------------------------------------------- This vulnerability has flown under the radar on the defensive side of the industry. CVE-2023-32315 has been exploited in the wild, but you won’t find it in the CISA KEV catalog. There has also been minimal discussion about indicators of compromise and very few detections (although to their credit, Ignite Realtime put out patches and a great mitigation guide back in May). --------------------------------------------- https://vulncheck.com/blog/openfire-cve-2023-32315 ∗∗∗ Kritische Sicherheitslücke in Ivanti Sentry wird bereits missbraucht ∗∗∗ --------------------------------------------- Ivanti schließt in Sentry, vormals MobileIron Sentry, eine kritische Sicherheitslücke. Sie wird bereits angegriffen. --------------------------------------------- https://heise.de/-9278280 ∗∗∗ Facebook: Vorsicht vor Fake-Gewinnspielen von Kronehit und Radio Arabella ∗∗∗ --------------------------------------------- Kriminelle erstellen auf Facebook Fake-Profile von österreichischen Radiomoderator:innen. Betroffen sind aktuell Melanie See von Radio Arabella und Christian Mederitsch von Kronehit. Auf den Fake-Profilen werden betrügerische Gewinnspiele verbreitet. „Gewinner:innen“ werden per Kommentar benachrichtigt und müssen dann einen Link aufrufen oder dem Fake-Profil eine Privatnachricht schreiben. Melden Sie das Fake-Gewinnspiel und antworten Sie nicht! --------------------------------------------- https://www.watchlist-internet.at/news/facebook-vorsicht-vor-fake-gewinnspi… ∗∗∗ This AI-generated crypto invoice scam almost got me, and Im a security pro ∗∗∗ --------------------------------------------- Even a tech pro can fall for a well-laid phishing trap. Heres what happened to me - and how you can avoid a similar fate, too. --------------------------------------------- https://www.zdnet.com/article/this-ai-generated-crypto-invoice-scam-almost-… ∗∗∗ Verbraucherzentrale warnt vor Fake-Paypal-Betrugsanrufen ∗∗∗ --------------------------------------------- Ich nehme mal die Warnung vor einer Betrugsmasche hier mit im Blog auf, vor der die Verbraucherzentrale Baden-Württemberg aktuell warnt. Betrüger versuchen wohl über Call Center Opfer in Deutschland mit Schockanrufen über den Tisch zu ziehen. --------------------------------------------- https://www.borncity.com/blog/2023/08/22/verbraucherzentrale-warnt-vor-fake… ===================== = Vulnerabilities = ===================== ∗∗∗ TP-Link smart bulbs can let hackers steal your WiFi password ∗∗∗ --------------------------------------------- Researchers from Italy and the UK have discovered four vulnerabilities in the TP-Link Tapo L530E smart bulb and TP-Links Tapo app, which could allow attackers to steal their targets WiFi password. --------------------------------------------- https://www.bleepingcomputer.com/news/security/tp-link-smart-bulbs-can-let-… ∗∗∗ McAfee Security Bulletin – McAfee Safe Connect update fixes Privilege Escalation vulnerability (CVE-2023-40352) ∗∗∗ --------------------------------------------- This Security Bulletin describes a vulnerability in a McAfee program, and provides ways to remediate (fix) the issue or mitigate (minimize) its impact. --------------------------------------------- https://www.mcafee.com/support/?articleId=TS103462&page=shell&shell=article… ∗∗∗ Hitachi Energy AFF66x ∗∗∗ --------------------------------------------- CVSS v3 9.6 Successful exploitation of these vulnerabilities could allow an attacker to compromise availability, integrity, and confidentiality of the targeted devices. CVE-2021-43523, CVE-2020-13817, CVE-2020-11868, CVE-2019-11477, CVE-2022-3204, CVE-2018-18066 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-01 ∗∗∗ Rockwell Automation ThinManager ThinServer ∗∗∗ --------------------------------------------- CVSS v3 9.8 Rockwell Automation reports this vulnerability affects the following versions of ThinManager ThinServer, a thin client and remote desktop protocol (RDP) server management software CVE-2023-2914, CVE-2023-2915, CVE-2023-2917 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-03 ∗∗∗ Trane Thermostats ∗∗∗ --------------------------------------------- CVSS v3 6.8 Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as root using a specially crafted filename. CVE-2023-4212 --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-234-02 ∗∗∗ Jetzt patchen! Angreifer schieben Schadcode durch Lücke in Adobe ColdFusion ∗∗∗ --------------------------------------------- Angreifer attackieren Adobes Middleware ColdFusion. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-9278446 ∗∗∗ K000135921 : Python urllib.parse vulnerability CVE-2023-24329 ∗∗∗ --------------------------------------------- An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. --------------------------------------------- https://my.f5.com/manage/s/article/K000135921?utm_source=f5support&utm_medi… ∗∗∗ Critical Privilege Escalation Vulnerability in Charitable WordPress Plugin Affects Over 10,000 sites ∗∗∗ --------------------------------------------- After providing full disclosure details, the developer released a patch on August 17, 2023. We would like to commend the WP Charitable Team for their prompt response and timely patch, which was released in just one day. We urge users to update their sites with the latest patched version of Charitable, which is version 1.7.0.13 at the time of this writing, as soon as possible. --------------------------------------------- https://www.wordfence.com/blog/2023/08/critical-privilege-escalation-vulner… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, lxc, and zabbix), Fedora (clamav), SUSE (python-configobj), and Ubuntu (clamav). --------------------------------------------- https://lwn.net/Articles/942405/ ∗∗∗ IBM Robotic Process Automation is vulnerable to exposure of sensitive information in application logs (CVE-2023-38732) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028221 ∗∗∗ IBM Robotic Process Automation is vulnerable to information disclosure of script content (CVE-2023-40370) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028218 ∗∗∗ Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028226 ∗∗∗ IBM Robotic Process Automation is vulnerable to sensitive information disclosure in installation logs (CVE-2023-38733) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028223 ∗∗∗ A vulnerability in urlib3 affects IBM Robotic Process Automation for Cloud Pak which may result in CRLF injection (CVE-2020-26137). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028229 ∗∗∗ Multiple security vulnerabilities in .NET may affect IBM Robotic Process Automation for Cloud Pak (CVE-2023-24936, CVE-2023-29337, CVE-2023-33128) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028228 ∗∗∗ IBM Robotic Process Automation is vulnerable to incorrect privilege assignment when importing user from an LDAP directory (CVE-2023-38734). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028227 ∗∗∗ AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027598 ∗∗∗ IBM Decision Optimization for Cloud Pak for Data is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) and arbitrary code execution due to Apache Log4j (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551376 ∗∗∗ IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551326 ∗∗∗ IBM Informix JDBC Driver Is Vulnerable to Remote Code Execution (CVE-2023-27866) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007615 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2022-21282, CVE-2022-21296, CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6565069 ∗∗∗ A Unspecified Java Vulnerability is affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6594121 ∗∗∗ Vulnerabilities in Linux kernel, libssh, and Java can affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028316 ∗∗∗ Vulnerabilities in Oracle Java and the IBM Java SDK (CVE-2023-21930, CVE-2023-21967, CVE-2023-21954, CVE-2023-21939, CVE-2023-21968 and CVE-2023-21937 ) affect Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028209 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028350 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.08.2023
by Daily end-of-shift report 21 Aug '23

21 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-08-2023 18:00 − Montag 21-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ The Week in Ransomware - August 18th 2023 - LockBit on Thin Ice ∗∗∗ --------------------------------------------- While there was quite a bit of ransomware news this week, the highlighted story was the release of Jon DiMaggios third article in the Ransomware Diaries series, with the focus of this article on the LockBit ransomware operation. --------------------------------------------- https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-augus… ∗∗∗ WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker thats engineered to conduct tech support scams.The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks [..] --------------------------------------------- https://thehackernews.com/2023/08/wooflocker-toolkit-hides-malicious.html ∗∗∗ How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes ∗∗∗ --------------------------------------------- >From a user’s perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you’re seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments. --------------------------------------------- https://thehackernews.com/2023/08/how-to-investigate-oauth-grant-for.html ∗∗∗ Journey into Windows Kernel Exploitation: The Basics ∗∗∗ --------------------------------------------- This blogpost embarks on the initial stages of kernel exploitation. The content serves as an introduction, leading to an imminent and comprehensive whitepaper centered around this subject matter. Through this, a foundation is laid for understanding how kernel drivers are developed, as well as basic understanding around key concepts that will be instrumental to comprehending the paper itself. --------------------------------------------- https://blog.neuvik.com/journey-into-windows-kernel-exploitation-the-basics… ∗∗∗ mTLS: When certificate authentication is done wrong ∗∗∗ --------------------------------------------- In this post, well deep dive into some interesting attacks on mTLS authentication. Well have a look at implementation vulnerabilities and how developers can make their mTLS systems vulnerable to user impersonation, privilege escalation, and information leakages. --------------------------------------------- https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done… ∗∗∗ ScienceLogic Dumpster Fire ∗∗∗ --------------------------------------------- In the last email correspondence with the vendor, nearly 9 months ago, the security director asserted that the vulnerabilities were addressed. However, they remained reluctant to proceed with CVE issuance. Considering the extensive duration that’s transpired, we opted to independently proceed with CVE issuance and disclosure. As a result, the vulnerabilities we identified are logged as CVE-2022-48580 through CVE-2022-48604. --------------------------------------------- https://www.securifera.com/blog/2023/08/16/sciencelogic-dumpster-fire/ ∗∗∗ Volatility Workbench: Empowering memory forensics investigations ∗∗∗ --------------------------------------------- Memory forensics plays a crucial role in digital investigations, allowing forensic analysts to extract valuable information from a computers volatile memory. Two popular tools in this field are Volatility Workbench and Volatility Framework. This article aims to compare and explore these tools, highlighting their features and differences to help investigators choose the right one for their needs. --------------------------------------------- https://cybersecurity.att.com/blogs/security-essentials/volatility-workbenc… ∗∗∗ Vorsicht vor Investment-Tipps aus Telegram-Gruppen ∗∗∗ --------------------------------------------- Zahlreiche Telegram-Gruppen wie „Didi Random“, „Glück liebt Geld“ oder „Geld-Leuchtturm“ versprechen schnellen Reichtum. In diesen Gruppen erhalten Sie angebliche Investmenttipps, Erfolgsgeschichten von Anleger:innen und Kontakte zu „Finanz-Gurus“, die Ihnen bei der Geldanlage helfen. Wenn Sie bei den empfohlenen Plattformen investieren, verlieren Sie viel Geld! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-investment-tipps-aus-te… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Plugin "Advanced Custom Fields" vulnerable to cross-site scripting (CVE-2023-40068) ∗∗∗ --------------------------------------------- Description: WordPress Plugin "Advanced Custom Fields" provided by WP Engine contains a cross-site scripting vulnerability (CWE-79). Impact: An arbitrary script may be executed on the web browser of the user who is logging in to the product with the editor or higher privilege. --------------------------------------------- https://jvn.jp/en/jp/JVN98946408/ ∗∗∗ Multiple vulnerabilities in LuxCal Web Calendar ∗∗∗ --------------------------------------------- Impact: - An arbitrary script may be executed on the web browser of the user who is using the product - CVE-2023-39543 - A remote attacker may execute arbitrary queries against the database and obtain or alter the information in it - CVE-2023-39939 --------------------------------------------- https://jvn.jp/en/jp/JVN04876736/ ∗∗∗ CD_SVA_2023_3: Wibu Systems - CodeMeter Runtime - security vulnerability addressed ∗∗∗ --------------------------------------------- A report has been received for the following security vulnerability in the zenon software platform: CVE-2023-3935 Further details regarding the vulnerability, mitigation options and product fixes that may be available, can be found in [...] --------------------------------------------- https://selfservice.copadata.com/portal/en/kb/articles/cd-sva-2023-3-wibu-s… ∗∗∗ CVE-2023-38035 - Vulnerability affecting Ivanti Sentry ∗∗∗ --------------------------------------------- A vulnerability has been discovered in Ivanti Sentry, formerly MobileIron Sentry. We have reported this as CVE-2023-38035. This vulnerability impacts all supported versions – Versions 9.18. 9.17 and 9.16. Older versions/releases are also at risk. This vulnerability does not affect other Ivanti products or solutions [..] While the issue has a high CVSS score, there is low risk of exploitation for customers who do not expose 8443 to the internet. --------------------------------------------- https://www.ivanti.com/blog/cve-2023-38035-vulnerability-affecting-ivanti-s… ∗∗∗ Update bereits ausgespielt: Kritische Lücke in WinRAR erlaubte Code-Ausführung ∗∗∗ --------------------------------------------- Das verbreitete Kompressionstool WinRAR besaß in älteren Versionen eine schwere Lücke, die beliebige Codeausführung erlaubte. Die aktuelle Version schließt sie. --------------------------------------------- https://heise.de/-9268105 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (fastdds, flask, and kernel), Fedora (chromium, dotnet6.0, dotnet7.0, gerbv, java-1.8.0-openjdk, libreswan, procps-ng, and spectre-meltdown-checker), SUSE (chromium, kernel-firmware, krb5, opensuse-welcome, and python-mitmproxy), and Ubuntu (clamav, firefox, and vim). --------------------------------------------- https://lwn.net/Articles/942311/ ∗∗∗ GraphQL Java component is vulnerable to CVE-2023-28867 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028108 ∗∗∗ Google Guava component is vulnerable to CVE-2023-2976 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028091 ∗∗∗ Mutiple Vulnerabilties Affecting IBM Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028166 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to denial of service, availability, integrity, and confidentiality impacts due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028168 ∗∗∗ IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-2454) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028185 ∗∗∗ A security vulnerability in Microsoft.NET affects IBM Robotic Process Automation and may result in a denial of service (CVE-2023-29331). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026762 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2023
by Daily end-of-shift report 18 Aug '23

18 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-08-2023 18:00 − Freitag 18-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ „Ihre Rückerstattung ist online verfügbar“: Phishing-Mail im Namen von oesterreich.gv.at ∗∗∗ --------------------------------------------- Aktuell melden uns zahlreiche Leser:innen eine betrügerische E-Mail, die im Namen von oesterreich.gv.at verschickt wird. In der E-Mail wird behauptet, dass eine Rückerstattung von 176,88 Euro aussteht. Achtung: Dahinter stecken Kriminelle! --------------------------------------------- https://www.watchlist-internet.at/news/ihre-rueckerstattung-ist-online-verf… ∗∗∗ Microsoft: BlackCats Sphynx ransomware embeds Impacket, RemCom ∗∗∗ --------------------------------------------- Microsoft has discovered a new version of the BlackCat ransomware that embeds the Impacket networking framework and the Remcom hacking tool, both enabling spreading laterally across a breached network. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-blackcats-sphynx-… ∗∗∗ From a Zalando Phishing to a RAT, (Fri, Aug 18th) ∗∗∗ --------------------------------------------- Phishing remains a lucrative threat. We get daily emails from well-known brands (like DHL, PayPal, Netflix, Microsoft, Dropbox, Apple, etc). Recently, I received a bunch of phishing emails targeting Zalando customers. Zalando is a German retailer of shoes, fashion across Europe. It was the first time that I saw them used in a phishing campaign. --------------------------------------------- https://isc.sans.edu/diary/rss/30136 ∗∗∗ Critical Security Update for Magento Open Source & Adobe Commerce ∗∗∗ --------------------------------------------- Last week on August 8th, 2023, Adobe released a critical security patch for Adobe Commerce and the Magento Open Source CMS. The patch provides fixes for three vulnerabilities which affect the popular ecommerce platforms. Successful exploitation could lead to arbitrary code execution, privilege escalation and arbitrary file system read. --------------------------------------------- https://blog.sucuri.net/2023/08/critical-security-update-for-magento-adobe-… ∗∗∗ New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools ∗∗∗ --------------------------------------------- Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the companys [...] --------------------------------------------- https://thehackernews.com/2023/08/new-blackcat-ransomware-variant-adopts.ht… ∗∗∗ Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams ∗∗∗ --------------------------------------------- [...] another 3 years have gone by and this campaign is still going as if nothing has happened. The tactics and techniques are very similar, but the infrastructure is now more robust than before to defeat potential takedown attempts. [...] This blog post summarizes our latest findings and provides indicators of compromise that may be helpful to the security community. --------------------------------------------- https://www.malwarebytes.com/blog/threat-intelligence/2023/08/wooflocker2 ∗∗∗ Recapping the top stories from Black Hat and DEF CON ∗∗∗ --------------------------------------------- If you’re in the same boat as me and couldn’t attend BlackHat or DEF CON in person, I wanted to use this space to recap what I felt were the top stories and headlines coming out of the various new research that was published, talks, interviews and more. --------------------------------------------- https://blog.talosintelligence.com/threat-source-newsletter-aug-17-2023/ ∗∗∗ NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security ∗∗∗ --------------------------------------------- A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News. "Running as "NT AUTHORITY\SYSTEM" is required. --------------------------------------------- https://thehackernews.com/2023/08/nofilter-attack-sneaky-privilege.html ∗∗∗ Kommentar zum Azure-Master-Key-Diebstahl: Microsofts Reaktion lässt tief blicken ∗∗∗ --------------------------------------------- Microsoft lässt sich einen Signing Key für Azure klauen. Bis jetzt ist die Tragweite des Angriffs unklar. Das ist unverantwortlich, kommentiert Oliver Diedrich. --------------------------------------------- https://heise.de/-9258697 ∗∗∗ Gefälschte Buchungsseite vom Hotel Regina ∗∗∗ --------------------------------------------- Planen Sie gerade einen Urlaub in Wien? Vorsicht, wenn Sie das Hotel Regina buchen wollen. Kriminelle haben eine gefälschte Buchungsseite ins Netz gestellt. Die Internetadresse der betrügerischen Buchungsseite lautet regina-hotel-vienna.h-rez.com. Wenn Sie dort buchen, stehlen Kriminelle Ihnen persönliche Daten und Kreditkartendaten. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-buchungsseite-vom-hotel-… ===================== = Vulnerabilities = ===================== ∗∗∗ 2023-08 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web can be combined to allow a preAuth Remote Code Execution ∗∗∗ --------------------------------------------- Multiple vulnerabilities in the J-Web component of Juniper Networks Junos OS on SRX Series and EX Series have been resolved through the application of specific fixes to address each vulnerability. By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices. CVE IDs: CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, CVE-2023-36847 --------------------------------------------- https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-B… ∗∗∗ K30444545 : libxslt vulnerability CVE-2019-11068 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K30444545 ∗∗∗ IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027948 ∗∗∗ IBM Match 360 is vulnerable to a denial of service due to Apache Commons FileUpload in IBM WebSphere Application Server Liberty (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027944 ∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote information transfer due to CouchDB CVE-2023-26268 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028066 ∗∗∗ Multiple vulnerabilities affect IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028074 ∗∗∗ Multiple vulnerabilities in IBM DB2 affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028087 ∗∗∗ A security vulnerability has been identified in the Apache POI, which is vulnerable to Denial of Service. (CVE-2017-5644) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/711741 ∗∗∗ AIX is affected by security restrictions bypass (CVE-2023-24329) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028095 ∗∗∗ RESTEasy component is vulnerable to CVE-2023-0482 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028099 ∗∗∗ netplex json-smart-v2 component is vulnerable to CVE-2023-1370 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7028097 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2023
by Daily end-of-shift report 17 Aug '23

17 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-08-2023 18:00 − Donnerstag 17-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Triple Extortion Ransomware and the Cybercrime Supply Chain ∗∗∗ --------------------------------------------- Ransomware attacks continue to grow both in sophistication and quantity. 2023 has already seen more ransomware attacks involving data exfiltration and extortion than all of 2022, an increasing trend we expect to continue. This article will explore the business model of ransomware groups and the complex cybercrime ecosystem that has sprung up around them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/triple-extortion-ransomware-… ∗∗∗ New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode ∗∗∗ --------------------------------------------- The method "tricks the victim into thinking their devices Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," [..] --------------------------------------------- https://thehackernews.com/2023/08/new-apple-ios-16-exploit-enables.html ∗∗∗ CISA Releases JCDC Remote Monitoring and Management (RMM) Cyber Defense Plan ∗∗∗ --------------------------------------------- This plan addresses systemic risks facing the exploitation of RMM software. Cyber threat actors can gain footholds via RMM software into managed service providers (MSPs) or manage security service providers (MSSPs) servers and, by extension, can cause cascading impacts for the small and medium-sized organizations that are MSP/MSSP customers. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-releases-jcdc-remot… ∗∗∗ Angreifer attackieren Citrix ShareFile ∗∗∗ --------------------------------------------- Die US-Behörde [CISA] hat die "kritische" Sicherheitslücke (CVE-2023-24489) in ihren Katalog bekannter ausgenutzter Sicherheitslücken eingetragen. In welchem Umfang die Attacken ablaufen, ist derzeit nicht bekannt. [..] Die Lücke ist seit Juni 2023 bekannt. Seitdem gibt es auch die gepatchte Version 5.11.24. --------------------------------------------- https://www.heise.de/news/Jetzt-patchen-Angreifer-attackieren-Citrix-ShareF… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (August 7, 2023 to August 13, 2023) ∗∗∗ --------------------------------------------- Last week, there were 86 vulnerabilities disclosed in 68 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Patch Status : - Unpatched 25 - Patched 61 --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Phishing-Kampagne zielt auf Zimbra-Nutzer ab ∗∗∗ --------------------------------------------- Die Kampagne ist seit mindestens April 2023 aktiv und dauert laut Security-Forschern von ESET an. --------------------------------------------- https://www.zdnet.de/88411237/phishing-kampagne-zielt-auf-zimbra-nutzer-ab/ ===================== = Vulnerabilities = ===================== ∗∗∗ PAN-SA-2023-0004 Informational Bulletin: Impact of TunnelCrack Vulnerabilities (CVE-2023-36671 CVE-2023-36672 CVE-2023-35838 CVE-2023-36673) ∗∗∗ --------------------------------------------- LocalNet attack is only applicable to GlobalProtect Agent configurations that allow direct access to the local network setting in the Split Tunnel tab on the firewall configuration. ServerIP attack is relevant only to PAN-OS firewall configurations with a GlobalProtect gateway enabled. You can verify whether you have a GlobalProtect portal or gateway configured by checking for entries in Network > GlobalProtect > Gateways from the web interface. --------------------------------------------- https://security.paloaltonetworks.com/PAN-SA-2023-0004 ∗∗∗ ClamAV 1.1.1, 1.0.2, 0.103.9 patch versions published ∗∗∗ --------------------------------------------- - CVE-2023-20197 Fixed a possible denial of service vulnerability in the HFS+ file parser. - CVE-2023-20212 Fixed a possible denial of service vulnerability in the AutoIt file parser. This issue affects versions 1.0.1 and 1.0.0. This issue does not affect version 1.1.0. ClamAV 0.105 and 0.104 have reached end-of-life according to the ClamAV’s End of Life (EOL) policy and will not be patched. --------------------------------------------- https://blog.clamav.net/2023/07/2023-08-16-releases.html ∗∗∗ Parsec Remote Desktop App is prone to a local elevation of privilege due to a logical flaw in its code integrity verification process ∗∗∗ --------------------------------------------- By exploiting this race condition, a local attacker could swap out the officially signed Parsec DLL with a DLL that they created, which would subsequently be executed as the SYSTEM user as described in CVE-2023-37250. The vulnerability applies to a "Per User" installation as opposed to a "Shared User". There is an update that has been made available. --------------------------------------------- https://kb.cert.org/vuls/id/287122 ∗∗∗ TYPO3-EXT-SA-2023-007: Broken Access Control in extension "hCaptcha for EXT:form" (hcaptcha) ∗∗∗ --------------------------------------------- The extension fails to check the requirement of the captcha field in submitted form data allowing a remote user to bypass the captcha check. [..] An updated version 2.1.2 is available --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-007 ∗∗∗ Varnish Enterprise/Cache: Base64 decoding vulnerability in vmod-digest ∗∗∗ --------------------------------------------- The potential outcome of the vulnerability can be both authentication bypass and information disclosure, however the exact attack surface will depend on the particular VCL configuration in use. [..] Affected software versions: - vmod-digest shipped with Varnish Enterprise 6.0 series up to and including 6.0.11r4. - vmod-digest for Varnish Cache 6.0 LTS built on upstream source code prior to 2023-08-17. - vmod-digest for Varnish Cache trunk built on upstream source code prior to 2023-08-17. --------------------------------------------- https://docs.varnish-software.com/security/VSV00012/ ∗∗∗ IP-Telefonie: Schwachstellen in der Provisionierung von Zoom und Audiocodes ∗∗∗ --------------------------------------------- Der Security-Experte Moritz Abrell von SySS hat Schwachstellen bei der IP-Telefonie mithilfe des Zoom Zero Touch Provisioning-Prozesses in Kombination mit Audiocodes 400HD Telefonen entdeckt. [..] Angreifer könnten gemäß den Darstellungen Gesprächsinhalte mithören, ein Botnetz aus infizierten Geräten bilden oder auf Basis der Kompromittierung der Endgeräte die Netzwerke attackieren, in denen diese betrieben werden. --------------------------------------------- https://www.heise.de/news/IP-Telefonie-Schwachstellen-in-der-Provisionierun… ∗∗∗ Synology-SA-23:11 Synology Camera ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of Synology Camera BC500 Firmware and Synology Camera TC500 Firmware. Solution: Upgrade to 1.0.5-0185 or above. Workaround: Setting up firewall rules to allow only trusted clients to connect can be used as a temporary mitigation. --------------------------------------------- https://www.synology.com/en-global/security/advisory/Synology_SA_23_11 ∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- - ICSA-23-229-01 ICONICS and Mitsubishi Electric Products: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401 - ICSA-23-229-03 Schnieder Electric PowerLogic ION7400 PM8000 ION9000 Power Meters: CVE-2022-46680 - ICSA-23-229-04 Walchem Intuition 9: CVE-2022-3602, CVE-2022-3786, CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0401 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/17/cisa-releases-three-indu… ∗∗∗ Privilege Escalation in IBM Spectrum Virtualize ∗∗∗ --------------------------------------------- Im Rahmen einer oberflächlichen Sicherheitsprüfung stellte Certitude zwei Schwachstellen in der Firmware der IBM Spectrum Virtualize Storage-Lösung fest. Eine der Schwachstellen erlaubt es einem Benutzer der Administrationsschnittstelle, der nur über eingeschränkte Berechtigungen verfügt, beliebigen Code auszuführen. --------------------------------------------- https://certitude.consulting/blog/de/privilege-escalation-in-ibm-spectrum-v… ∗∗∗ Atlassian Releases Security Update for Confluence Server and Data Center ∗∗∗ --------------------------------------------- Atlassian has released its security bulletin for August 2023 to address a vulnerability in Confluence Server and Data Center, CVE-2023-28709. A remote attacker can exploit this vulnerability to cause a denial-of-service condition.CISA encourages users and administrators to review Atlassian’s August 2003 Security Bulletin and apply the necessary update. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/17/atlassian-releases-secur… ∗∗∗ Cisco Integrated Management Controller Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Umbrella Virtual Appliance Undocumented Support Tunnel Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Contact Center Express Finesse Portal Web Cache Poisoning Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Intersight Private Virtual Appliance Command Injection Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Device Credential Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Intersight Virtual Appliance Unauthenticated Port Forwarding Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Duo Device Health Application for Windows Arbitrary File Write Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Manager SQL Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Communications Products Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV HFS+ File Scanning Infinite Loop Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV AutoIt Module Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Vulnerability in Apache Tomcat Server (CVE-2023-28709 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7005499 ∗∗∗ IBM Security Guardium is affected by Using Components with Known Vulnerabilities [CVE-2018-8909, CVE-2021-41100 and CVE-2021-41119] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027854 ∗∗∗ IBM Security Guardium is affected by a Command injection in CLI vulnerability [CVE-2023-35893] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027853 ∗∗∗ IBM Security Guardium is affected by several vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7007815 ∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027855 ∗∗∗ IBM Security Guardium is affected by a multiple vulnerabilities (CVE-2023-22809, CVE-2019-12490, CVE-2023-0041) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7000021 ∗∗∗ IBM Security Guardium is affected by multiple Oracle\u00ae MySQL vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981105 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability in MIT keb5 (CVE-2022-42898) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981101 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380954 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Golang (CVE-2020-24553) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380968 ∗∗∗ Security Vulnerabilities in GNU glibc affect IBM Cloud Pak for Data - GNU glibc (CVE-2020-1751) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6381220 ∗∗∗ Vulnerability in IBM JDK (CVE-2022-40609 ) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027898 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027921 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027919 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2023
by Daily end-of-shift report 16 Aug '23

16 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Montag 14-08-2023 18:00 − Mittwoch 16-08-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt 2FA aktivieren: Hackerangriffe auf Linkedin-Konten nehmen massiv zu ∗∗∗ --------------------------------------------- Cyberkriminelle haben es zuletzt vermehrt auf Linkedin-Konten abgesehen. Bei Google getätigte Suchanfragen bestätigen diesen Trend. --------------------------------------------- https://www.golem.de/news/jetzt-2fa-aktivieren-hackerangriffe-auf-linkedin-… ∗∗∗ Vielfältige Attacken auf Ivanti Enterprise Mobility Management möglich (CVE-2023-32560) ∗∗∗ --------------------------------------------- Die Forscher geben an, die Schwachstelle im April 2023 gemeldet zu haben. Die gegen die Attacke abgesicherte EMM-Version 6.4.1 ist Anfang August erschienen. Mitte August haben die Sicherheitsforscher ihren Bericht veröffentlicht. --------------------------------------------- https://www.heise.de/news/Vielfaeltige-Attacken-auf-Ivanti-Enterprise-Mobil… ∗∗∗ IT-Schutz für Kommunen: 18 Checklisten für den Schnelleinstieg ∗∗∗ --------------------------------------------- Kommunen sind zunehmend Ziele von Cyber-Angriffen. Für angemessenen Schutz mangelt es oft an Wissen und Personal. 18 WiBA-Checklisten des BSI sollen das ändern. --------------------------------------------- https://heise.de/-9246027 ∗∗∗ TR-75 - Unauthenticated remote code execution vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) - CVE-2023-3519 ∗∗∗ --------------------------------------------- Use this Checklist to identify if your infrastructure already shows indications of a successful compromise --------------------------------------------- https://www.circl.lu/pub/tr-75/ ∗∗∗ Indicators of Compromise Scanner for Citrix ADC Zero-Day (CVE-2023-3519) ∗∗∗ --------------------------------------------- Today we are releasing a tool to help organizations scan their Citrix appliances for evidence of post-exploitation activity related to CVE-2023-3519. The tool contains indicators of compromise (IOCs) collected during Mandiant investigations and sourced from our partners and the community. Head over to the Mandiant GitHub page to download the tool today to scan your appliances. --------------------------------------------- https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner ∗∗∗ l+f: Trojaner unterscheiden nicht zwischen Gut und Böse ∗∗∗ --------------------------------------------- D’oh! Sicherheitsforscher sind auf rund 120.000 mit Malware infizierte PCs gestoßen – von Cybergangstern. --------------------------------------------- https://heise.de/-9244810 ∗∗∗ Instagram-Nachricht: Gefälschte Beschwerde über Produktqualität führt zu Schadsoftware ∗∗∗ --------------------------------------------- Sie erhalten eine Nachricht auf Instagram. Darin beschwert sich eine Kundin, dass Ihre Produktqualität schlecht ist und das Produkt bereits nach 2 Tagen kaputt war. Ein Bild wird mitgeschickt. Laden Sie das Dokument mit der Endung .rar nicht herunter, es handelt sich um Schadsoftware. --------------------------------------------- https://www.watchlist-internet.at/news/instagram-nachricht-gefaelschte-besc… ∗∗∗ An Apple malware-flagging tool is “trivially” easy to bypass ∗∗∗ --------------------------------------------- Background Task Manager can potentially miss malicious software on your machine. --------------------------------------------- https://arstechnica.com/?p=1960742 ∗∗∗ Ongoing scam tricks kids playing Roblox and Fortnite ∗∗∗ --------------------------------------------- The scams are often disguised as promotions, and they can all be linked to one network. --------------------------------------------- https://arstechnica.com/?p=1961085 ∗∗∗ Raccoon Stealer malware returns with new stealthier version ∗∗∗ --------------------------------------------- The developers of Raccoon Stealer information-stealing malware have ended their 6-month hiatus from hacker forums to promote a new 2.3.0 version of the malware to cyber criminals. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raccoon-stealer-malware-retu… ∗∗∗ Massive 400,000 proxy botnet built with stealthy malware infections ∗∗∗ --------------------------------------------- A new campaign involving the delivery of proxy server apps to Windows systems has been uncovered, where users are reportedly involuntarily acting as residential exit nodes controlled by a private company. --------------------------------------------- https://www.bleepingcomputer.com/news/security/massive-400-000-proxy-botnet… ∗∗∗ QwixxRAT: New Remote Access Trojan Emerges via Telegram and Discord ∗∗∗ --------------------------------------------- A new remote access trojan (RAT) called QwixxRAT is being advertised for sale by its threat actor through Telegram and Discord platforms. "Once installed on the victims Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attackers Telegram bot, providing them with unauthorized access to the victims sensitive information," [...] --------------------------------------------- https://thehackernews.com/2023/08/qwixxrat-new-remote-access-trojan.html ∗∗∗ Cookie Crumbles: Breaking and Fixing Web Session Integrity ∗∗∗ --------------------------------------------- In this paper, we question the effectiveness of existing protections and study the real-world security implications of cookie integrity issues. In particular, we focus on network and same-site attackers, a class of attackers increasingly becoming a significant threat to Web application security. --------------------------------------------- https://www.usenix.org/system/files/usenixsecurity23-squarcina.pdf ∗∗∗ Chrome 116 Patches 26 Vulnerabilities ∗∗∗ --------------------------------------------- Google has released Chrome 116 with patches for 26 vulnerabilities and plans to ship weekly security updates for the popular web browser. --------------------------------------------- https://www.securityweek.com/chrome-116-patches-26-vulnerabilities/ ∗∗∗ Monti ransomware targets legal and gov’t entities with new Linux-based variant ∗∗∗ --------------------------------------------- The Monti hacker gang appears to have resumed its operations after a two-month break, this time claiming to target legal and government entities with a fresh Linux-based ransomware variant, according to new research. Monti was first discovered in June 2022, shortly after the infamous Conti ransomware group went out of business. --------------------------------------------- https://therecord.media/monti-ransomware-targets-govt-entities ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2023-24489 Citrix Content Collaboration ShareFile Improper Access Control Vulnerability - These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/16/cisa-adds-one-known-expl… ∗∗∗ PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks ∗∗∗ --------------------------------------------- Recent findings by Aqua Nautilus have exposed significant flaws that are still active in the PowerShell Gallerys policy regarding package names and owners. These flaws make typosquatting attacks inevitable in this registry, while also making it extremely difficult for users to identify the true owner of a package. Consequently, these flaws pave the way for potential supply chain attacks on the registrys vast user base. --------------------------------------------- https://blog.aquasec.com/powerhell-active-flaws-in-powershell-gallery-expos… ∗∗∗ Verwundbare Webserver: Status in Österreich ∗∗∗ --------------------------------------------- Nachdem wir in den letzten Wochen von Schwachstellen in Systemen von Citrix, Ivanti und Fortinet berichtet haben, wollte ich wissen, wie weit Österreich beim Patchen ist. Wir bekommen von ShadowServer täglich Reports mit den Ergebnissen ihrer Scans über das ganze Internet. Im „Vulnerable HTTP Report“ geht es unter anderem um Schwachstellen, die in Web-Applikationen gefunden wurden. Auf Hersteller bezogen kann man aus den Daten für Österreich folgende folgende Entwicklung ablesen: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/8/verwundbare-webserver-status-in-osterre… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory | NetModule Router Software Race Condition Leads to Remote Code Execution ∗∗∗ --------------------------------------------- CVSSv3.1 Score: 8.4 Affected Vendor & Products: NetModule NB1601, NB1800, NB1810, NB2800, NB2810, NB3701, NB3800, NB800, NG800 Vulnerable version: < 4.6.0.105, < 4.7.0.103 --------------------------------------------- https://pentest.blog/advisory-netmodule-router-software-race-condition-lead… ∗∗∗ Sicherheitslücken: Angreifer können Hintertüren in Datenzentren platzieren ∗∗∗ --------------------------------------------- Schwachstellen in Software von CyberPower und Dataprobe zur Energieüberwachung und -Verteilung gefährden Datenzentren. --------------------------------------------- https://heise.de/-9245788 ∗∗∗ Lücken in Kennzeichenerkennungssoftware gefährden Axis-Überwachungskamera ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in Software für Überwachungskameras von Axis gefährden Geräte. --------------------------------------------- https://heise.de/-9245978 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (samba), Red Hat (.NET 6.0, .NET 7.0, rh-dotnet60-dotnet, rust, rust-toolset-1.66-rust, and rust-toolset:rhel8), and SUSE (kernel and opensuse-welcome). --------------------------------------------- https://lwn.net/Articles/941658/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (datatables.js and openssl), Fedora (ghostscript, java-11-openjdk, java-latest-openjdk, microcode_ctl, and xen), Red Hat (redhat-ds:11), SUSE (java-1_8_0-openj9, kernel, krb5, pcre2, and perl-HTTP-Tiny), and Ubuntu (gstreamer1.0, mysql-8.0, tiff, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/941722/ ∗∗∗ Schneider Electric EcoStruxure Control Expert, Process Expert, Modicon M340, M580 and M580 CPU ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to execute unauthorized Modbus functions on the controller when hijacking an authenticated Modbus session. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-01 ∗∗∗ Rockwell Automation Armor PowerFlex ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to send an influx of network commands, causing the product to generate an influx of event log traffic at a high rate, resulting in the stop of normal operation. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-227-02 ∗∗∗ K000135852 : FasterXML jackson-databind vulnerability CVE-2022-42003 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135852 ∗∗∗ CPE2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers (Home and Office/Large Format) – 15 August 2023 ∗∗∗ --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ [R1] Sensor Proxy Version 1.0.8 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-28 ∗∗∗ Vulnerabilities in Node.js modules affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026694 ∗∗∗ Security Vulnerabilities affect IBM Cloud Pak for Data - Python (CVE-2019-20907) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6380956 ∗∗∗ Multiple Eclipse Jetty Vulnerabilities Affect IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027483 ∗∗∗ AWS SDK for Java as used by IBM QRadar SIEM is vulnerable to path traversal (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027598 ∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a denial of service (CVE-2023-38737) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7027509 ∗∗∗ IBM Cognos Analytics has addressed multiple security vulnerabilities (CVE-2022-48285, CVE-2023-35009, CVE-2023-35011) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026692 ∗∗∗ Zyxel security advisory for post-authentication command injection in NTP feature of NBG6604 home router ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Zyxel security advisory for DoS vulnerability of XGS2220, XMG1930, and XS1930 series switches ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.08.2023
by Daily end-of-shift report 14 Aug '23

14 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-08-2023 18:00 − Montag 14-08-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ MaginotDNS attacks exploit weak checks for DNS cache poisoning ∗∗∗ --------------------------------------------- A team of researchers from UC Irvine and Tsinghua University has developed a new powerful cache poisoning attack named MaginotDNS, that targets Conditional DNS (CDNS) resolvers and can compromise entire TLDs top-level domains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/maginotdns-attacks-exploit-w… ∗∗∗ Phishing with hacked sites ∗∗∗ --------------------------------------------- Scammers are hacking websites powered by WordPress and placing phishing pages inside hidden directories. We share some statistics and tips on recognizing a hacked site. --------------------------------------------- https://securelist.com/phishing-with-hacked-sites/110334/ ∗∗∗ Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in AudioCodes desk phones and Zooms Zero Touch Provisioning (ZTP) that could be potentially exploited by a malicious attacker to conduct remote attacks. "An external attacker who leverages the vulnerabilities discovered in AudioCodes Ltd.'s desk phones and Zoom's Zero Touch Provisioning feature can gain full remote control of the devices," SySS security researcher Moritz Abrell said in an analysis published Friday. --------------------------------------------- https://thehackernews.com/2023/08/zoom-ztp-audiocodes-phones-flaws.html ∗∗∗ Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability ∗∗∗ --------------------------------------------- E-commerce sites using Adobes Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. --------------------------------------------- https://thehackernews.com/2023/08/ongoing-xurum-attacks-on-e-commerce.html ∗∗∗ HAK5 BashBunny USB Gadget IoC Removal ∗∗∗ --------------------------------------------- StealthBunny is a tool designed to modify HAK5s BashBunny USB gadget kernel driver to remove possible indicators of compromise. --------------------------------------------- https://github.com/emptynebuli/StealthBunny ∗∗∗ Microsofts Cloud-Hack: Überprüfung durch US Cyber Safety Review Board ∗∗∗ --------------------------------------------- Die Cybervorfälle der letzten Monate haben die US-Sicherheitsbehörden aufgeschreckt. Nun will sich das US Cyber Safety Review Board (CSRB) den Hack der Microsoft Cloud durch die mutmaßlich chinesische Hackergruppe Storm-0558 genauer ansehen. Der Fall war im Juli 2023 bekannt geworden und hatte wegen der Umstände Wellen geschlagen. --------------------------------------------- https://www.borncity.com/blog/2023/08/12/microsofts-cloud-hack-berprfung-du… ∗∗∗ Whats New in CVSS v4 ∗∗∗ --------------------------------------------- The standard has been improved over time with the release of v1 in Feb. 2005, v2 in June 2007, and v3 in June 2015. The current version (v3.1) debuted in June 2019. Version 4 is slated for release on October 1, 2023. --------------------------------------------- https://www.rapid7.com/blog/post/2023/08/14/whats-new-in-cvss-v4/ ===================== = Vulnerabilities = ===================== ∗∗∗ VU#127587: Python Parsing Error Enabling Bypass CVE-2023-24329 ∗∗∗ --------------------------------------------- An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters. --------------------------------------------- https://kb.cert.org/vuls/id/127587 ∗∗∗ Schwachstelle in Sync 3: Infotainmentsystem von Ford ermöglicht Angriff via Wi-Fi ∗∗∗ --------------------------------------------- Das in vielen Ford-Modellen genutzte Infotainmentsystem Sync 3 hat eine Schwachstelle, durch die Angreifer böswilligen Code ausführen können. --------------------------------------------- https://www.golem.de/news/schwachstelle-in-sync-3-infotainmentsystem-von-fo… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-ugly1.0, libreoffice, linux-5.10, netatalk, poppler, and sox), Fedora (chromium, ghostscript, java-1.8.0-openjdk-portable, java-11-openjdk, java-11-openjdk-portable, java-17-openjdk-portable, java-latest-openjdk-portable, kernel, linux-firmware, mingw-python-certifi, ntpsec, and php), Oracle (.NET 6.0, .NET 7.0, 15, 18, bind, bind9.16, buildah, cjose, curl, dbus, emacs, firefox, go-toolset and golang, go-toolset:ol8, grafana, iperf3, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libcap, libeconf, libssh, libtiff, libxml2, linux-firmware, mod_auth_openidc:2.3, nodejs, nodejs:16, nodejs:18, open-vm-tools, openssh, postgresql:12, postgresql:13, python-requests, python27:2.7, python3, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, ruby:2.7, samba, sqlite, systemd, thunderbird, virt:ol and virt-devel:rhel, and webkit2gtk3), SUSE (docker, java-1_8_0-openj9, kernel, kernel-firmware, libyajl, nodejs14, openssl-1_0_0, poppler, and webkit2gtk3), and Ubuntu (golang-yaml.v2, intel-microcode, linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-iot, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux-oem-6.1, pygments, and pypdf2). --------------------------------------------- https://lwn.net/Articles/941587/ ∗∗∗ F5: K000135795 : Downfall Attacks CVE-2022-40982 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135795 ∗∗∗ F5: K000135831 : Node.js vulnerability CVE-2023-32067 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000135831 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage System (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025515 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025507 ∗∗∗ IBM Elastic Storage System is affected by a vulnerability in OpenSSL (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025510 ∗∗∗ Postgresql JDBC drivers shipped with IBM Security Verify Access have a vulnerability (CVE-2022-41946) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014261 ∗∗∗ IBM GSKit as shipped with IBM Security Verify Access has fixed a reported vulnerability (CVE-2023-32342) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014259 ∗∗∗ Security Vulnerabilities fixed in IBM Security Verify Access (CVE-2022-40303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7009741 ∗∗∗ Apache Log4j Vulnerability affects Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6529302 ∗∗∗ IBM PowerVM Novalink is vulnerable because flaw was found in IBM SDK, Java Technology Edition, which could allow a remote attacker to execute arbitrary code on the system caused by an unsafe deserialization flaw. (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026380 ∗∗∗ Kafka nodes in IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to snappy-java (CVE-2023-34453, CVE-2023-34455, CVE-2023-34454). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026403 ∗∗∗ IBM ELM affected as Java deserialization filters (JEP 290) ignored during IBM ORB deserialization (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026536 ∗∗∗ Vulnerability in IBM Java SDK affects WebSphere Service Registry and Repository (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026489 ∗∗∗ Security Vulnerabilities in JRE and Java packages affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7026553 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2023
by Daily end-of-shift report 11 Aug '23

11 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-08-2023 18:00 − Freitag 11-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gafgyt malware exploits five-years-old flaw in EoL Zyxel router ∗∗∗ --------------------------------------------- Fortinet has issued an alert warning that the Gafgyt botnet malware is actively trying to exploit a vulnerability in the end-of-life Zyxel P660HN-T1A router in thousands of daily attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gafgyt-malware-exploits-five… ∗∗∗ Nutzerdaten in Gefahr: Microsoft Onedrive als Werkzeug für Ransomware-Angriffe ∗∗∗ --------------------------------------------- Onedrive soll die Daten von Windows-Nutzern eigentlich vor Ransomware-Angriffen schützen. Effektiv ist das aber offenbar nicht immer. --------------------------------------------- https://www.golem.de/news/nutzerdaten-in-gefahr-microsoft-onedrive-als-werk… ∗∗∗ 16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks ∗∗∗ --------------------------------------------- A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. --------------------------------------------- https://thehackernews.com/2023/08/15-new-codesys-sdk-flaws-expose-ot.html ∗∗∗ When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM Zero-Day Vulnerability ∗∗∗ --------------------------------------------- While the SugarCRM CVE-2023-22952 zero-day authentication bypass and remote code execution vulnerability might seem like a typical exploit, there’s actually more for defenders to be aware of. [..] This article maps out various attacks against AWS environments following the MITRE ATT&CK Matrix framework, wrapping up with multiple prevention mechanisms an organization can put in place to protect themselves. Some of these protections include taking advantage of controls and services provided by AWS, cloud best practices, and ensuring sufficient data retention to catch the full attack. --------------------------------------------- https://unit42.paloaltonetworks.com/sugarcrm-cloud-incident-black-hat/ ∗∗∗ Lexmark Command Injection Vulnerability ZDI-CAN-19470 Pwn2Own Toronto 2022 ∗∗∗ --------------------------------------------- In December 2022, we competed at our first pwn2own. We were able to successfully exploit the Lexmark MC3224i using a command injection 0-day. This post will detail the process we used to discover, weaponize, and have some fun with this vulnerability. --------------------------------------------- https://www.horizon3.ai/lexmark-command-injection-vulnerability-zdi-can-194… ∗∗∗ Theres a good chance your VPN is vulnerable to privacy-menacing TunnelCrack attack ∗∗∗ --------------------------------------------- A couple of techniques collectively known as TunnelCrack can, in the right circumstances, be used by snoops to force victims network traffic to go outside their encrypted VPNs, it was demonstrated this week. [..] Their co-authored Usenix-accepted paper [PDF] has all the details. The researchers said they tested more than 60 VPN clients, and found that "all VPN apps" on iOS are vulnerable. Android appears to be most secure of the bunch. --------------------------------------------- https://www.theregister.com/2023/08/10/tunnelcrack_vpn/ ∗∗∗ Site Takeover via SCCM’s AdminService API ∗∗∗ --------------------------------------------- tl:dr: The SCCM AdminService API is vulnerable to NTLM relaying and can be abused for SCCM site takeover. --------------------------------------------- https://posts.specterops.io/site-takeover-via-sccms-adminservice-api-d932e2… ∗∗∗ A-Z: OPNsense - Penetration Test ∗∗∗ --------------------------------------------- We reported found vulnerabilities to OPNsense maintainers and we really want to thank them for a great response. They handled the whole process very professionally, quickly prepared effective patches for many vulnerabilities and included them in the newest release - OPNsense 23.7 “Restless Roadrunner”. Also, they provided us with reasoning behind decision to not patch some of them right now. --------------------------------------------- https://logicaltrust.net/blog/2023/08/opnsense.html ∗∗∗ Lesetipp: Wenn der Microsoft Defender zum Angreifer wird ∗∗∗ --------------------------------------------- Forscher haben spannende Details zu einer im April gefixten Lücke im Defender-Signaturupdateprozess veröffentlicht. Sie sehen Potenzial für künftige Angriffe. --------------------------------------------- https://heise.de/-9241230 ∗∗∗ Samsonite-Gewinnspiel auf Facebook führt in teure Abo-Falle! ∗∗∗ --------------------------------------------- Die betrügerische Facebook-Seite „Koffer-Paradies“ verbreitet derzeit ein Gewinnspiel, das in eine teure Abo-Falle führt. Versprochen wird ein Koffer der Marke Samsonite. Achtung! Wer mitspielt, erhält keinen Gewinn, sondern soll monatlich 70 Euro an Kriminelle bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/samsonite-gewinnspiel-auf-facebook-f… ∗∗∗ Phishing über Amazon Web Services ∗∗∗ --------------------------------------------- Sicherheitsforscher von Check Point haben vor einiger Zeit einen weiteren Dienst entdeckt, der für fortschrittliche Phishing-Kampagnen von Hackern missbraucht wird. Diesmal erfolgt der Missbrauch für Phishing-Kampagnen über die Amazon Web Services (AWS). . Das Programm wird zum Versenden von Phishing-E-Mails genutzt, um diesen einen täuschend echten Anstrich zu geben. --------------------------------------------- https://www.borncity.com/blog/2023/08/11/phishing-ber-amazon-web-services/ ===================== = Vulnerabilities = ===================== ∗∗∗ AMD and Intel CPU security bugs bring Linux patches ∗∗∗ --------------------------------------------- Its not really a Linux problem, but as is so often the case, Linux kernel developers have to clean up after AMD and Intel. It happened again with the chipmakers latest CPU vulnerabilities: AMD Inception and Intel Downfall. To fix these, Linux creator Linus Torvalds has released a new set of patches. Oddly, both are speculative side-channel attacks, which can lead to privileged data leakage to unprivileged processes. --------------------------------------------- https://www.zdnet.com/article/amd-and-intel-cpu-security-bugs-bring-linux-p… ∗∗∗ Statischer Schlüssel in Dell Compellent leakt Zugangsdaten für VMware vCenter ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle in Dells Compellent Integration Tools for VMware (CITV) können Angreifer Log-in-Daten entschlüsseln. --------------------------------------------- https://heise.de/-9241495 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode, kernel, and php-dompdf), Fedora (linux-firmware, OpenImageIO, and php), Oracle (aardvark-dns, kernel, linux-firmware, python-flask, and python-werkzeug), SUSE (container-suseconnect, go1.19, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, java-11-openjdk, kernel-firmware, kubernetes1.24, openssl-1_1, poppler, python-scipy, qatengine, ucode-intel, util-linux, and vim), and Ubuntu (dotnet6, dotnet7, php-dompdf, and velocity-tools). --------------------------------------------- https://lwn.net/Articles/941271/ ∗∗∗ IBM Operational Decision Manager July 2023 - Multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7014699 ∗∗∗ IBM InfoSphere Global Name Management Vulnerable to CVE-2023-30441 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025193 ∗∗∗ App Connect Professional is affected by Bouncy Castle vulnerability. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025330 ∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025344 ∗∗∗ Vulnerability in the Flask repo may affect affect IBM Elastic Storage System (CVE-2023-30861) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025351 ∗∗∗ Multiple vulnerabilities in the werkzeug repo affect IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025349 ∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Storage Scale packaged in IBM Elastic Storage Server (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025354 ∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025446 ∗∗∗ Multiple vulnerabilities may affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025170 ∗∗∗ IBM TXSeries for Multiplatforms Web Services is vulnerable to Slowloris attack which is a type of denial-of-service (DoS) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7025476 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024675 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2023
by Daily end-of-shift report 10 Aug '23

10 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-08-2023 18:00 − Donnerstag 10-08-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Common TTPs of attacks against industrial organizations ∗∗∗ --------------------------------------------- In 2022 we investigated a series of attacks against industrial organizations in Eastern Europe. In the campaigns, the attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems. --------------------------------------------- https://securelist.com/common-ttps-of-attacks-against-industrial-organizati… ∗∗∗ Cryptographic Flaw in Libbitcoin Explorer Cryptocurrency Wallet ∗∗∗ --------------------------------------------- Cryptographic flaws still matter. Here’s a flaw in the random-number generator used to create private keys. The seed has only 32 bits of entropy.Seems like this flaw is being exploited in the wild. --------------------------------------------- https://www.schneier.com/blog/archives/2023/08/cryptographic-flaw-in-libbit… ∗∗∗ Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives ∗∗∗ --------------------------------------------- Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies.According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations --------------------------------------------- https://thehackernews.com/2023/08/cybercriminals-increasingly-using.html ∗∗∗ New Statc Stealer Malware Emerges: Your Sensitive Data at Risk ∗∗∗ --------------------------------------------- A new information malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information."Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week. --------------------------------------------- https://thehackernews.com/2023/08/new-statc-stealer-malware-emerges-your.ht… ∗∗∗ CISA Analysis Report: MAR-10454006.r4.v2 SEASPY and WHIRLPOOL Backdoors ∗∗∗ --------------------------------------------- CISA obtained four malware samples - including SEASPY and WHIRLPOOL backdoors. The device was compromised by threat actors exploiting CVE-2023-2868, a former zero-day vulnerability affecting versions 5.1.3.001-9.2.0.006 of Barracuda Email Security Gateway (ESG). --------------------------------------------- https://www.cisa.gov/news-events/analysis-reports/ar23-221a ∗∗∗ Microsoft Azure Machine Learning Compute Instance certificate Exposure of Resource to Wrong Sphere Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to disclose sensitive information on Microsoft Azure. An attacker must first obtain the ability to execute high-privileged code on the target environment in order to exploit this vulnerability. The specific flaw exists within the handling of certificates. The issue results from the exposure of a resource to the wrong control sphere. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-1056/ ∗∗∗ Some things never change ? such as SQL Authentication ?encryption? ∗∗∗ --------------------------------------------- Fat client applications running on (usually) Windows are still extremely common in enterprises. [..] “traditional” fat client applications will most of the time connect directly to a database (again, since we’re looking at Windows environment primarily here, this will be most of the time a Microsoft SQL Server database). [..] Finally, how do we prevent this? Well, one solution is easy – do not use SQL Server authentication but instead have users use their Windows credentials --------------------------------------------- https://isc.sans.edu/diary/rss/30112 ∗∗∗ Honeypot: Forscher lockten Hacker in über 20.000 RDP-Sitzungen ∗∗∗ --------------------------------------------- Die Sicherheitsforscher planen für die kommenden Monate die Veröffentlichung einer Blog-Post-Serie, in der sie die Strategien und Tools der beobachteten Hacker näher erläutern wollen. Die Erkenntnisse sollen vor allem Strafverfolgern sowie anderen Sicherheitsexperten dienen, um effektive Abwehrstrategien gegen Cyberangriffe zu entwickeln und Ermittlungen gegen kriminelle Akteure in Zukunft schneller voranzutreiben --------------------------------------------- https://www.golem.de/news/honeypot-forscher-lockten-hacker-in-ueber-20-000-… ∗∗∗ Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization ∗∗∗ --------------------------------------------- Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. [..] This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement --------------------------------------------- https://thehackernews.com/2023/08/emerging-attacker-exploit-microsoft.html ∗∗∗ A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: WD PR4100 Edition ∗∗∗ --------------------------------------------- Team82 today shares some details about a unique attack technique that could allow an attacker to impersonate Western Digital (WD) network-attached storage (NAS) devices. [..] Western Digital has provided firmware updates for all affected devices and also released advisories (here, here, here). Connected devices have been updated automatically. Any device yet to be updated has been banned by WD from connecting to the MyCloud service until it’s running the current firmware version. --------------------------------------------- https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-conn… ∗∗∗ A Pain in the NAS: Exploiting Cloud Connectivity to PWN your NAS: Synology DS920+ Edition ∗∗∗ --------------------------------------------- Team82 has developed a unique technique that allowed us to impersonate Synology’s DS920+ network-attached storage device and force its QuickConnect cloud service to redirect users to an attacker-controlled device. Synology, a top-tier NAS vendor, has addressed the vulnerabilities we uncovered, and has updated its cloud service to protect its users. [..] We uncovered not only credential theft flaws, but also remote code execution vulnerabilities [..] --------------------------------------------- https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-conn… ∗∗∗ Smashing the state machine: the true potential of web race conditions ∗∗∗ --------------------------------------------- For too long, web race condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this paper, Ill introduce new classes of race condition that go far beyond the limit-overrun exploits youre probably already familiar with. --------------------------------------------- https://portswigger.net/research/smashing-the-state-machine? ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (July 31, 2023 to August 6, 2023) ∗∗∗ --------------------------------------------- Last week, there were 29 vulnerabilities disclosed in 24 WordPress Plugins and no WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 18 Vulnerability Researchers that contributed to WordPress Security last week. --------------------------------------------- https://www.wordfence.com/blog/2023/08/wordfence-intelligence-weekly-wordpr… ∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“, "Ihre Bawag Security App" oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-ban… ∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗ --------------------------------------------- Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde. --------------------------------------------- https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kamp… ∗∗∗ Mac systems turned into proxy exit nodes by AdLoad ∗∗∗ --------------------------------------------- AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/mac-systems-turned-into-p… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Nextcloud/Nextcloud Enterprise/Nextcloud Talk Android app ∗∗∗ --------------------------------------------- High severity: - Missing password confirmation when creating app passwords, CVSS 8.1 - Path traversal allows tricking the Talk Android app into writing files into its root directory, CVSS 7.2 - Users can delete external storage mount points, CVSS 7.7 3x Moderate Severity, 4x Low Severity --------------------------------------------- https://github.com/nextcloud/security-advisories/security ∗∗∗ Multiple Vulnerabilities in Softing edgeAggregator/Secure Integration Server/edgeConnector Siemens ∗∗∗ --------------------------------------------- CVE-2023-27335/CVSS 8.8, CVE-2023-38126/CVSS 7.2, CVE-2023-38125/CVSS 7.5, CVE-2023-39478/CSS 6.6, CVE-2023-39479/CVSS 6.6, CVE-2023-39480/CVSS 4.4, CVE-2023-39481/CVSS 6.6, CVE-2023-39482/CVSS 4.9, CVE-2023-27336/CVSS 7.5, CVE-2023-27334/CVSS 7.5, CVE-2023-29377/CVSS 6.6 --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Videomeeting-Anwendungen: Zoom rüstet Produkte gegen mögliche Attacken ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates, für unter anderem den Windows-Client von Zoom, schließen mehrere Lücken. --------------------------------------------- https://heise.de/-9240044 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (chromium, kernel, krb5, and rust), and Ubuntu (graphite-web and velocity). --------------------------------------------- https://lwn.net/Articles/941082/ ∗∗∗ Vulnerability in IBM\u00ae Java SDK affects IBM Liberty for Java for IBM Cloud due to CVE-2022-40609 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024969 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2023
by Daily end-of-shift report 09 Aug '23

09 Aug '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-08-2023 18:00 − Mittwoch 09-08-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Malicious extensions can abuse VS Code flaw to steal auth tokens ∗∗∗ --------------------------------------------- Microsofts Visual Studio Code (VS Code) code editor and development environment contains a flaw that allows malicious extensions to retrieve authentication tokens stored in Windows, Linux, and macOS credential managers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-extensions-can-abu… ∗∗∗ EvilProxy phishing campaign targets 120,000 Microsoft 365 users ∗∗∗ --------------------------------------------- EvilProxy is becoming one of the more popular phishing platforms to target MFA-protected accounts, with researchers seeing 120,000 phishing emails sent to over a hundred organizations to steal Microsoft 365 accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/evilproxy-phishing-campaign-… ∗∗∗ Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining ∗∗∗ --------------------------------------------- Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors. --------------------------------------------- https://thehackernews.com/2023/08/malicious-campaigns-exploit-weak.html ∗∗∗ Achtung, Smishing-Welle zu Online-Banking im Umlauf! ∗∗∗ --------------------------------------------- Derzeit melden uns zahlreiche Leser:innen eine SMS, die im Namen von verschiedenen Banken versendet wird. Kriminelle behaupten dabei, dass „Ihre George Registrierung“ oder „Ihre Mein-Elba Registrierung“ abläuft. Die „Legitimation“ könne man mit einem Klick auf einen Link verlängern. Wer auf den mitgeschickten Link klickt, wird aufgefordert Bankdaten und andere persönliche Daten einzugeben. Ignorieren Sie diese SMS und geben Sie keine Daten preis. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-smishing-welle-zu-online-ban… ∗∗∗ Ein Deepdive in die ESXiArgs Ransomware Kampagne ∗∗∗ --------------------------------------------- Es war ein schöner Tag dieser Freitag der 03. Februar 2023, aber wie es Freitage im Cybersicherheits-Umfeld leider so an sich haben, sollte sich das schnell ändern. Da dieser Vorfall inzwischen schon etwas weiter in der Vergangenheit liegt, ist Ruhe um ihn eingekehrt. Allerdings gibt es doch so manch interessanten Aspekt, der - zumindest mir bekannt - so noch nicht berichtet wurde. --------------------------------------------- https://cert.at/de/blog/2023/8/ein-deepdive-in-die-esxiargs-ransomware-kamp… ∗∗∗ Fantastic Rootkits: And Where To Find Them (Part 3) – ARM Edition ∗∗∗ --------------------------------------------- In this blog, we will discuss innovative rootkit techniques on a non-traditional architecture, Windows 11 on ARM64. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-… ===================== = Vulnerabilities = ===================== ∗∗∗ FortiOS - Buffer overflow in execute extender command (CVE-2023-29182) ∗∗∗ --------------------------------------------- A stack-based buffer overflow vulnerability [CWE-121] in FortiOS may allow a privileged attacker to execute arbitrary code via specially crafted CLI commands, provided the attacker were able to evade FortiOS stack protections. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-23-149 ∗∗∗ Lenovo: Multi-vendor BIOS Security Vulnerabilities (August 2023) ∗∗∗ --------------------------------------------- The following list of vulnerabilities were reported by suppliers and researchers or were found during our regular internal testing. CVE Identifier: CVE-2022-24351, CVE-2022-27879, CVE-2022-37343, CVE-2022-38083, CVE-2022-40982, CVE-2022-41804, CVE-2022-43505, CVE-2022-44611, CVE-2022-46897, CVE-2023-2004, CVE-2023-20555, CVE-2023-20569, CVE-2023-23908, CVE-2023-26090, CVE-2023-27471, CVE-2023-28468, CVE-2023-31041, CVE-2023-34419, CVE-2023-4028, CVE-2023-4029, CVE-2023-4030 --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500572-multi-vendor-bio… ∗∗∗ Lenovo: AMD Graphics OpenSSL Vulnerabilities ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-3602, CVE-2022-3786 Summary Description: AMD reported two high severity OpenSSL vulnerabilities affecting certain versions of their product. Mitigation Strategy for Customers (what you should do to protect yourself): Update AMD Graphics Driver to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500575-amd-graphics-ope… ∗∗∗ Lenovo: Intel PROSet Wireless WiFi and Killer WiFi Advisory ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-27635, CVE-2022-46329, CVE-2022-40964, CVE-2022-36351, CVE-2022-38076 Summary Description: Intel reported potential security vulnerabilities in some Intel PROSet/Wireless WiFi and Killer WiFi products that may allow escalation of privilege or denial of service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500574-intel-proset-wir… ∗∗∗ Lenovo: Intel Chipset Firmware Advisory ∗∗∗ --------------------------------------------- CVE Identifier: CVE-2022-36392, CVE-2022-38102, CVE-2022-29871 Summary Description: Intel reported potential security vulnerabilities in the Intel Converged Security Management Engine (CSME) that may allow escalation of privilege and Denial of Service. Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware or software version (or higher) as recommended in the Product Impact section below. --------------------------------------------- https://support.lenovo.com/at/en/product_security/ps500573-intel-chipset-fi… ∗∗∗ Xen XSA-432: Linux: buffer overrun in netback due to unusual packet (CVE-2023-34319) ∗∗∗ --------------------------------------------- The fix for XSA-423 added logic to Linuxes netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didnt account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area thats specially dealt with to keep all (possible) headers together. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-432.html ∗∗∗ Xen XSA-434 x86/AMD: Speculative Return Stack Overflow (CVE-2023-20569) ∗∗∗ --------------------------------------------- It is possible to poison the branch type and target predictions such that, at a point of the attackers choosing, the branch predictor predicts enough CALLs back-to-back to wrap around the entire RAS and overwrite a correct return prediction with one of the attackers choosing. This allows the attacker to control RET speculation in a victim context, and leak arbitrary data as a result. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-434.html ∗∗∗ Xen XSA-435 x86/Intel: Gather Data Sampling ∗∗∗ --------------------------------------------- A researcher has discovered Gather Data Sampling, a transient execution side-channel whereby the AVX GATHER instructions can forward the content of stale vector registers to dependent instructions. The physical register file is a structure competitively shared between sibling threads. Therefore an attacker can infer data from the sibling thread, or from a more privileged context. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-435.html ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-20569, CVE-2023-34319 and CVE-2022-40982 ∗∗∗ --------------------------------------------- - An issue has been discovered in Citrix Hypervisor 8.2 CU1 LTSR that may allow malicious, privileged code in a guest VM to cause the host to crash. (CVE-2023-34319) - In addition, Intel has disclosed a security issue affecting certain Intel CPUs [..] (CVE-2022-40982) - In addition, AMD has disclosed a security issue affecting AMD CPUs [..] (CVE-2023-20569) --------------------------------------------- https://support.citrix.com/article/CTX569353/citrix-hypervisor-security-bul… ∗∗∗ LibreSwan: CVE-2023-38710: Invalid IKEv2 REKEY proposal causes restart ∗∗∗ --------------------------------------------- When an IKEv2 Child SA REKEY packet contains an invalid IPsec protocol ID number of 0 or 1, an error notify INVALID_SPI is sent back. The notify payloads protocol ID is copied from the incoming packet, but the code that verifies outgoing packets fails an assertion that the protocol ID must be ESP (2) or AH(3) and causes the pluto daemon to crash and restart. --------------------------------------------- https://libreswan.org/security/CVE-2023-38710/CVE-2023-38710.txt ∗∗∗ LibreSwan: CVE-2023-38711: Invalid IKEv1 Quick Mode ID causes restart ∗∗∗ --------------------------------------------- When an IKEv1 Quick Mode connection configured with ID_IPV4_ADDR or ID_IPV6_ADDR, receives an IDcr payload with ID_FQDN, a null pointer dereference causes a crash and restart of the pluto daemon. --------------------------------------------- https://libreswan.org/security/CVE-2023-38711/CVE-2023-38711.txt ∗∗∗ LibreSwan: CVE-2023-38712: Invalid IKEv1 repeat IKE SA delete causes crash and restart ∗∗∗ --------------------------------------------- When an IKEv1 ISAKMP SA Informational Exchange packet contains a Delete/Notify payload followed by further Notifies that act on the ISAKMP SA, such as a duplicated Delete/Notify message, a null pointer dereference on the deleted state causes the pluto daemon to crash and restart. --------------------------------------------- https://libreswan.org/security/CVE-2023-38712/CVE-2023-38712.txt ∗∗∗ LWN: Stable kernels with security fixes ∗∗∗ --------------------------------------------- The 6.4.9, 6.1.44, 5.15.125, 5.10.189, 5.4.252, 4.19.290, and 4.14.321 stable kernel updates have all been released; they are dominated by fixes for the latest round of speculative-execution vulnerabilities. Do note the warning attached to each of these releases --------------------------------------------- https://lwn.net/Articles/940798/ ∗∗∗ Neue Sicherheitslücken in AMD- und Intel-Prozessoren entdeckt ∗∗∗ --------------------------------------------- Die Security-Konferenz Black Hat ist für AMD und Intel kein Spaß. Beide Hersteller müssen sich mit zahlreichen Sicherheitslücken befassen – BIOS-Updates kommen. --------------------------------------------- https://heise.de/-9239339 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cjose, hdf5, and orthanc), Fedora (java-17-openjdk and seamonkey), Red Hat (curl, dbus, iperf3, kernel, kpatch-patch, libcap, libxml2, nodejs:16, nodejs:18, postgresql:10, postgresql:12, postgresql:13, and python-requests), SUSE (bluez, cjose, gstreamer-plugins-bad, gstreamer-plugins-base, gstreamer-plugins-good, gstreamer-plugins-ugly, keylime, openssl-1_1, openssl-3, pipewire, poppler, qemu, rubygem-actionpack-4_2, rubygem-actionpack-5_1, rust1.71, tomcat, webkit2gtk3, and wireshark), and Ubuntu (binutils, dotnet6, dotnet7, openssh, php-dompdf, and unixodbc). --------------------------------------------- https://lwn.net/Articles/940912/ ∗∗∗ SAP Patches Critical Vulnerability in PowerDesigner Product ∗∗∗ --------------------------------------------- SAP has fixed over a dozen new vulnerabilities with its Patch Tuesday updates, including a critical flaw in its PowerDesigner product. --------------------------------------------- https://www.securityweek.com/sap-patches-critical-vulnerability-in-powerdes… ∗∗∗ Microsoft Releases August 2023 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/08/microsoft-releases-augus… ∗∗∗ Released: August 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- We are aware of Setup issues on non-English servers and have temporarily removed August SU from Windows / Microsoft update. If you are using a non-English language server, we recommend you wait with deployment of August SU until we provide more information. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address multiple vulnerabilities in Adobe software. An attacker can exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/08/08/adobe-releases-security-… ∗∗∗ Certifi component is vulnerable to CVE-2022-23491 used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023647 ∗∗∗ protobuf-java component is vulnerable to CVE-2022-3510 and CVE-2022-3509 is used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023656 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2022-40609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024675 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server shipped with IBM Business Automation Workflow containers - April 2023 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024729 ∗∗∗ Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7016660 ∗∗∗ IBM Facsimile Support for i is vulnerable to local privilege escalation (CVE-2023-38721) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023423 ∗∗∗ IBM App Connect Enterprise toolkit and IBM Integration Bus toolkit are vulnerable to a local authenticated attacker and a denial of service due to Guava and JDOM (CVE-2023-2976, CVE-2021-33813). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7024862 ∗∗∗ IBM MQ is affected by multiple Angular JS vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7023212 ∗∗∗ IBM MQ Appliance is affected by multiple AngularJS vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/7013499 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily