=====================
= End-of-Day report =
=====================
Timeframe: Monday 02-01-2023 18:00 − Tuesday 03-01-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ BMW, Mercedes, Kia, Porsche: Security researchers hack numerous car manufacturers ∗∗∗
---------------------------------------------
Researchers succeeded in hacking the API endpoints of numerous car manufacturers such as BMW and Kia - everything from account takeover to vehicle takeover was possible.
---------------------------------------------
https://www.golem.de/news/bmw-mercedes-kia-porsche-sicherheitsforscher-hack…
∗∗∗ Malicious code on PyPI: Supply-chain attack on PyTorch nightly builds ∗∗∗
---------------------------------------------
Anyone who recently installed PyTorch-nightly on Linux via pip received malicious code. The PyTorch team has initiated countermeasures.
---------------------------------------------
https://heise.de/-7447195
∗∗∗ It's about time: OS Fingerprinting using NTP, (Tue, Jan 3rd) ∗∗∗
---------------------------------------------
Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and reasonably accurate in most use cases to synchronize time across the internet with millisecond accuracy [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a variant of NTP.
---------------------------------------------
https://isc.sans.edu/diary/rss/29394
∗∗∗ Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe ∗∗∗
---------------------------------------------
Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.
---------------------------------------------
https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.ht…
∗∗∗ Cloud Metadata - AWS IAM Credential Abuse ∗∗∗
---------------------------------------------
[...] In this run through we have a vulnerable AWS EC2 instance configured to use IMDSv1 (Instance Metadata Service) which we will exploit, escalate our privileges and carry out post-compromise activities. While not every AWS EC2 instance has an associated IAM role (AWS Identity and Access Management), when they do these role profiles contain credentials/keys.
---------------------------------------------
https://sneakymonkey.net/cloud-credential-abuse/
∗∗∗ SSRF vulnerabilities caused by SNI proxy misconfigurations ∗∗∗
---------------------------------------------
SNI proxies are load balancers that use the SNI extension field to select backend systems. When misconfigured, SNI proxies can be vulnerable to SSRF attacks that provide access to web application backends.
---------------------------------------------
https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sn…
∗∗∗ Exploiting GraphQL Query Depth ∗∗∗
---------------------------------------------
GraphQL was created and developed with flexibility in mind: clients should be given the power to ask for exactly what they need and nothing more. Much of this flexibility involves allowing customers to execute multiple queries in a single request, [...]
---------------------------------------------
https://checkmarx.com/blog/exploiting-graphql-query-depth/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-01-03 ∗∗∗
---------------------------------------------
IBM Business Automation Workflow, IBM InfoSphere Information Server, IBM Integrated Analytics System, IBM Process Mining, IBM Security SOAR, IBM Security Verify Governance, IBM Sterling B2B Integrator, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Rational Directory Server (Tivoli) & Rational Directory Administrator
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Trend Micro's security solution Maximum Security needs a security patch ∗∗∗
---------------------------------------------
Attackers could attack Windows PCs running Trend Micro security software. A security patch is available.
---------------------------------------------
https://heise.de/-7446553
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).
---------------------------------------------
https://lwn.net/Articles/918965/
∗∗∗ ThinkPad X13s BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500537
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 30-12-2022 18:00 − Monday 02-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ EarSpy eavesdropping attack on smartphones: Researchers manage to listen in remotely ∗∗∗
---------------------------------------------
The ear speakers built into mobile phones are becoming ever more powerful. The drawback is that the tiny vibrations they cause are more revealing.
---------------------------------------------
https://heise.de/-7444910
∗∗∗ Around 230 million Deezer records added to Have I been pwned ∗∗∗
---------------------------------------------
In a break-in at a Deezer service provider, around 230 million records were apparently copied. Have I been pwned has now added them.
---------------------------------------------
https://heise.de/-7445237
∗∗∗ Security risk Microsoft Outlook app: Transfers credentials and mails to the cloud ∗∗∗
---------------------------------------------
At the start of 2023 I am once again raising a topic that I already addressed here on the blog in 2015 and in January 2021. It concerns the Microsoft Outlook app, which is offered for Android and iOS devices and, in my opinion, widely used [...]
---------------------------------------------
https://www.borncity.com/blog/2023/01/01/sicherheitsrisiko-microsoft-outloo…
∗∗∗ Ransomware gang cloned victim’s website to leak stolen data ∗∗∗
---------------------------------------------
The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victim's site to publish stolen data on it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victi…
∗∗∗ NetworkMiner 2.8 Released, (Mon, Jan 2nd) ∗∗∗
---------------------------------------------
First of all, happy new year to all our Readers! There exist tools that have been very popular for a long time because they are regularly updated and... just do the job! NetworkMiner is one of them (the first release was in 2007). I don't use it regularly, but it has been part of my forensic toolbox for a while and has already helped me in many investigations.
---------------------------------------------
https://isc.sans.edu/diary/rss/29390
∗∗∗ WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws ∗∗∗
---------------------------------------------
WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html
∗∗∗ Python developers, uninstall this malicious package right now ∗∗∗
---------------------------------------------
If you're a Python developer and one who is accustomed to installing the latest preview builds of libraries, you might want to take immediate mitigative action. PyTorch, an open-source machine learning framework initially developed by Meta and now under the Linux Foundation, has seemingly been the target of a supply chain attack, which has potentially led to many users installing a malicious package.
---------------------------------------------
https://www.neowin.net/news/python-developers-uninstall-this-malicious-pack…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Content Collector, IBM Tivoli Monitoring
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Patch now: Netgear closes high-risk vulnerability in several routers ∗∗∗
---------------------------------------------
Netgear recommends an urgent security update for several of its router models. Models of the Nighthawk series are also affected by the vulnerability.
---------------------------------------------
https://heise.de/-7444672
∗∗∗ Synology warns of critical vulnerability in VPN Plus Server ∗∗∗
---------------------------------------------
Anyone using Synology routers as a VPN server must update the software promptly. Otherwise a critical security vulnerability allows attackers to inject code.
---------------------------------------------
https://heise.de/-7444783
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918883/
∗∗∗ Vulnerabilities in Java and IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights - CVE-2022-34165, CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852357
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 29-12-2022 18:00 − Friday 30-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Netgear warns users to patch recently fixed WiFi router bug ∗∗∗
---------------------------------------------
Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch…
∗∗∗ New Linux malware uses 30 plugin exploits to backdoor WordPress sites ∗∗∗
---------------------------------------------
A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-pl…
∗∗∗ Security Update Guide Improvement – Representing Hotpatch Updates ∗∗∗
---------------------------------------------
Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/12/29/security-update-guide-improvemen…
∗∗∗ Opening the Door for a Knock: Creating a Custom DShield Listener, (Thu, Dec 29th) ∗∗∗
---------------------------------------------
There are a variety of services listening for connections on DShield honeypots. Different systems scanning the internet can connect to these listening services due to exceptions in the firewall. Any attempted connections blocked by the firewall are logged and can be analyzed later. This can be useful to see TCP port connection attempts, but its usefulness is limited.
---------------------------------------------
https://isc.sans.edu/diary/rss/29382
∗∗∗ SPF and DMARC use on GOV domains in different ccTLDs, (Fri, Dec 30th) ∗∗∗
---------------------------------------------
Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call robust or secure. By itself, the protocol lacks any security features related to ensuring (among other factors) integrity or authenticity of transferred data or the identity of their sender, and creating a “spoofed” e-mail is therefore quite easy.
---------------------------------------------
https://isc.sans.edu/diary/rss/29384
∗∗∗ CISA Warns of Active exploitation of JasperReports Vulnerabilities ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two years-old security flaws impacting TIBCO Software's JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.
---------------------------------------------
https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html
∗∗∗ ENLBufferPwn (CVE-2022-47949) ∗∗∗
---------------------------------------------
ENLBufferPwn is a vulnerability in the common network code of several first-party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely on the victim's console by just having an online game with them (remote code execution).
---------------------------------------------
https://github.com/PabloMK7/ENLBufferPwn
∗∗∗ Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463 ∗∗∗
---------------------------------------------
Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the topic of Chrome browser exploitation on Windows in greater depth.
---------------------------------------------
https://jhalon.github.io/chrome-browser-exploitation-3/
∗∗∗ EU cybersecurity rules soon in force: Around 20,000 businesses affected ∗∗∗
---------------------------------------------
The EU has published the revised Network and Information Security Directive (NIS2) in the Official Journal. The countdown to implementation in Germany is running.
---------------------------------------------
https://heise.de/-7444366
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Automation, IBM Cloud Pak for Business Automation, IBM Cloud Application Business Insights, IBM Cloud Transformation Advisor, Tivoli Netcool/OMNIbus, Netcool/System Service Monitor
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918778/
∗∗∗ Synology-SA-22:26 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_26
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 28-12-2022 18:00 − Thursday 29-12-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Google Home speakers allowed hackers to snoop on conversations ∗∗∗
---------------------------------------------
A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed…
∗∗∗ WordPress Vulnerability & Patch Roundup December 2022 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
---------------------------------------------
https://blog.sucuri.net/2022/12/wordpress-vulnerability-patch-roundup-decem…
∗∗∗ The Worst Hacks of 2022 ∗∗∗
---------------------------------------------
The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.
---------------------------------------------
https://www.wired.com/story/worst-hacks-2022/
∗∗∗ New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection ∗∗∗
---------------------------------------------
We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses.
---------------------------------------------
https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hi…
∗∗∗ One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware. (arXiv:2212.13716v1 [cs.CR]) ∗∗∗
---------------------------------------------
Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware.
---------------------------------------------
http://arxiv.org/abs/2212.13716
∗∗∗ A survey and analysis of TLS interception mechanisms and motivations. (arXiv:2010.16388v2 [cs.CR] UPDATED) ∗∗∗
---------------------------------------------
TLS is an end-to-end protocol designed to provide confidentiality and integrity guarantees that improve end-user security and privacy. While TLS helps defend against pervasive surveillance of intercepted unencrypted traffic, it also hinders several common beneficial operations typically performed by middleboxes on the network traffic.
---------------------------------------------
http://arxiv.org/abs/2010.16388
∗∗∗ HardCIDR – Network CIDR and Range Discovery Tool ∗∗∗
---------------------------------------------
HardCIDR is a Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test.
---------------------------------------------
https://www.darknet.org.uk/2022/12/hardcidr-network-cidr-and-range-discover…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting ∗∗∗
---------------------------------------------
The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918715/
∗∗∗ Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers ∗∗∗
---------------------------------------------
Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.
---------------------------------------------
https://www.securityweek.com/several-dos-code-execution-vulnerabilities-fou…
∗∗∗ Thousands of unpatched Citrix servers attackable via critical vulnerabilities ∗∗∗
---------------------------------------------
In recent months Citrix has released security updates for critical vulnerabilities in Citrix ADC and Gateway products and published corresponding security advisories.
---------------------------------------------
https://www.borncity.com/blog/2022/12/29/ungepatchte-citrix-server-zu-tause…
∗∗∗ (Non-US) DIR-825/EE : H/W Rev. R2 & DIR-825/AC Rev. G1A:: F/W 1.0.9 :: Multiple Vulnerabilities by Trend Micro, the Zero Day Initiative (ZDI) ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ IBM Synthetic Playback Agent is vulnerable due to its use of Apache Commons Text [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852105
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 27-12-2022 18:00 − Wednesday 28-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ AI wonder ChatGPT can generate malicious emails and code ∗∗∗
---------------------------------------------
Check Point Research (CPR) warns of hackers who could use OpenAI's ChatGPT and Codex to carry out targeted cyberattacks.
https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hac…
---------------------------------------------
https://www.zdnet.de/88406214/ki-wunder-chatgpt-kann-boesartige-e-mails-und…
∗∗∗ Is an Exchange ProxyNotShell disaster looming at the turn of the year 2022/2023? ∗∗∗
---------------------------------------------
Worrying information that has just reached me. Microsoft Exchange on-premises servers that are not at the current patch level are vulnerable to attacks via the ProxyNotShell vulnerabilities. Before Christmas there was then the information that the hacker group FIN7 has for some time had an automated attack platform for [...]
---------------------------------------------
https://www.borncity.com/blog/2022/12/28/droht-eine-exchange-proxynotshell-…
∗∗∗ Why Attackers Target GitHub, and How You Can Secure It ∗∗∗
---------------------------------------------
The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.
---------------------------------------------
https://www.darkreading.com/edge-articles/why-attackers-target-github-and-h…
∗∗∗ Playing with Powershell and JSON (and Amazon and Firewalls), (Wed, Dec 28th) ∗∗∗
---------------------------------------------
In this post we'll take a look at parsing and manipulating JSON in Powershell.
---------------------------------------------
https://isc.sans.edu/diary/rss/29380
∗∗∗ CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet ∗∗∗
---------------------------------------------
Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given the situation of past Citrix vulnerabilities, RIFT started to research on how to identify the [...]
---------------------------------------------
https://blog.fox-it.com/2022/12/28/cve-2022-27510-cve-2022-27518-measuring-…
∗∗∗ EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer ∗∗∗
---------------------------------------------
As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States.
---------------------------------------------
https://www.securityweek.com/earspy-spying-phone-calls-ear-speaker-vibratio…
∗∗∗ Alias and Directive Overloading in GraphQL ∗∗∗
---------------------------------------------
Denial of Service (DoS) attacks in GraphQL APIs are nothing new. It turns out that when you let clients control what data they want to receive from the server, malicious users try to abuse this flexibility to exhaust resources.
---------------------------------------------
https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).
---------------------------------------------
https://lwn.net/Articles/918655/
∗∗∗ Microsoft Patches Azure Cross-Tenant Data Access Flaw ∗∗∗
---------------------------------------------
Microsoft has silently fixed an important-severity security flaw in its Azure Cognitive Search (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks.
---------------------------------------------
https://www.securityweek.com/microsoft-patches-azure-cross-tenant-data-acce…
∗∗∗ ABB Security Advisory: NE843 Pulsar Plus Controller ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&Lan…
∗∗∗ A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 (CVE-2022-34165). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851953
=====================
= End-of-Day report =
=====================
Timeframe: Friday 23-12-2022 18:00 − Tuesday 27-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ EarSpy attack eavesdrops on Android phones via motion sensors ∗∗∗
---------------------------------------------
A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the caller's gender and identity, and even discern private speech.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/earspy-attack-eavesdrops-on-…
∗∗∗ Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes ∗∗∗
---------------------------------------------
A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware.
---------------------------------------------
https://www.darkreading.com/cloud/container-verification-bug-malicious-imag…
∗∗∗ BlueNoroff introduces new methods bypassing MoTW ∗∗∗
---------------------------------------------
We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal.
---------------------------------------------
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
∗∗∗ DShield Sensor Setup in Azure, (Wed, Dec 21st) ∗∗∗
---------------------------------------------
In November I set up the DShield sensor in my Azure tenant using Ubuntu version 20.04. Here are the steps I followed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29370
∗∗∗ GuLoader Malware Utilizing New Techniques to Evade Security Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.
---------------------------------------------
https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html
∗∗∗ Navigating the Vast Ocean of Sandbox Evasions ∗∗∗
---------------------------------------------
After creating a bespoke sandbox environment, we discuss techniques used to target malware evasions with memory detection and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/
∗∗∗ Reminder: Basic Authentication in Exchange Online will be switched off in 2023 ∗∗∗
---------------------------------------------
Microsoft recently issued a reminder that so-called Basic Authentication in Exchange Online is being phased out and will be switched off in the coming year.
---------------------------------------------
https://www.borncity.com/blog/2022/12/27/erinnerung-basic-authentication-in…
∗∗∗ Caution! Malware Signed With Microsoft Certificate ∗∗∗
---------------------------------------------
Microsoft announced details on the distribution of malware signed with a Microsoft certificate. According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer accounts. To prevent damage, Microsoft blocked the related accounts and applied a security update (Microsoft Defender 1.377.987.0 or later).
---------------------------------------------
https://asec.ahnlab.com/en/44726/
∗∗∗ Distribution of Magniber Ransomware Stops (Since November 29th) ∗∗∗
---------------------------------------------
Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted.
---------------------------------------------
https://asec.ahnlab.com/en/43858/
∗∗∗ Inside the IcedID BackConnect Protocol ∗∗∗
---------------------------------------------
As part of our ongoing tracking of IcedID / BokBot, we wanted to share some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol.
---------------------------------------------
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
=====================
= Vulnerabilities =
=====================
∗∗∗ Ksmbd: Critical vulnerability in the SMB service of the Linux kernel ∗∗∗
---------------------------------------------
Since last year the Linux kernel has had its own SMB implementation. It contains a very dangerous vulnerability - updates are available.
---------------------------------------------
https://www.golem.de/news/ksmbd-kritische-luecke-im-smb-dienst-des-linux-ke…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).
---------------------------------------------
https://lwn.net/Articles/918607/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).
---------------------------------------------
https://lwn.net/Articles/918631/
∗∗∗ Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks ∗∗∗
---------------------------------------------
Defiant’s Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-premium-gift-cards-word…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0011 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0011.html
∗∗∗ Cross-Site Scripting in the Admin Panel of Lucee Server (SYSS-2022-051) ∗∗∗
---------------------------------------------
The admin panel of Lucee Server contains a cross-site scripting (XSS) vulnerability. Attackers can thereby execute JavaScript code in the browser.
---------------------------------------------
https://www.syss.de/pentest-blog/cross-site-scripting-im-admin-panel-von-lu…
∗∗∗ MISP 2.4.167 released with many improvements, bugs fixed and security fixes. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.167
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 22-12-2022 18:00 − Friday 23-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Vice Society ransomware gang switches to new custom encryptor ∗∗∗
---------------------------------------------
The Vice Society ransomware operation has switched to using a custom ransomware encryptor that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang…
∗∗∗ Google ad traffic leads to stealer packages based on free software, (Thu, Dec 22nd) ∗∗∗
---------------------------------------------
Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware.
---------------------------------------------
https://isc.sans.edu/diary/rss/29376
∗∗∗ Password manager: LastPass hackers have access to customers' password vaults ∗∗∗
---------------------------------------------
In an IT security incident at the provider of the LastPass password manager, attackers were after all able to access customer data, including stored passwords.
---------------------------------------------
https://heise.de/-7441929
∗∗∗ Source code of access management service Okta leaked ∗∗∗
---------------------------------------------
Unknown attackers were able to access Okta's GitHub repository and copy code. The security of the service is reportedly not compromised as a result.
---------------------------------------------
https://heise.de/-7442131
∗∗∗ IcedID Botnet Distributors Abuse Google PPC to Distribute Malware ∗∗∗
---------------------------------------------
We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Is this CVSS 10 Linux Kernel vuln going to ruin your Christmas? ∗∗∗
---------------------------------------------
Before Linux users worldwide get their panties in a panicked bunch, there appears to be more positive news: at first glance the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd, can more likely than not get back their mince pies unperturbed.
---------------------------------------------
https://thestack.technology/is-this-cvss-10-linux-kernel-vulnerability-ksmb…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).
---------------------------------------------
https://lwn.net/Articles/918486/
∗∗∗ Threat Brief: OWASSRF Vulnerability Exploitation ∗∗∗
---------------------------------------------
We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts we've observed use the same PowerShell backdoor, which we track as SilverArrow.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-owassrf/
∗∗∗ CVE-2022-42889 Text4shell Apache Commons Text RCE Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
∗∗∗ PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-prem…
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851437
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ AIX is affected by a denial of service (CVE-2022-43680) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851439
∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848295
∗∗∗ IBM Integration Designer is vulnerable to denial of service (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851449
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM WebSphere Application Server April and July 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851613
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 21-12-2022 18:00 − Thursday 22-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ FIN7 hackers create auto-attack platform to breach Exchange servers ∗∗∗
---------------------------------------------
The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-att…
∗∗∗ Ransomware and wiper signed with stolen certificates ∗∗∗
---------------------------------------------
In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.
---------------------------------------------
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates…
∗∗∗ Microsoft research uncovers new Zerobot capabilities ∗∗∗
---------------------------------------------
The Microsoft Defender for IoT research team details information on the recent distribution of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research…
∗∗∗ “Suspicious login” scammers up their game – take care at Christmas ∗∗∗
---------------------------------------------
A picture is worth 1024 words - we clicked through so you don't have to.
---------------------------------------------
https://nakedsecurity.sophos.com/2022/12/21/suspicious-login-scammers-up-th…
∗∗∗ New Android Trojan targets banking apps and crypto platforms ∗∗∗
---------------------------------------------
A new banking malware called Godfather has 16 countries in its sights, Germany among them. It records input in more than 415 banking and crypto apps.
---------------------------------------------
https://heise.de/-7441440
∗∗∗ Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata ∗∗∗
---------------------------------------------
If the site is hosted on an Amazon Web Services (AWS) server, then collecting the AWS metadata is relatively simple. This exploit only requires calling the appropriate REST API endpoint with the right payload in the ‘url’ parameter to achieve a successful exploit.
---------------------------------------------
https://www.wordfence.com/blog/2022/12/exploiting-wordpress-plugin-vulnerab…
∗∗∗ Qakbot Being Distributed via Virtual Disk Files (*.vhd) ∗∗∗
---------------------------------------------
There’s been a recent increase in the distribution of malware using disk image files.
---------------------------------------------
https://asec.ahnlab.com/en/44662/
∗∗∗ Vidar Stealer Exploiting Various Platforms ∗∗∗
---------------------------------------------
Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2.
---------------------------------------------
https://asec.ahnlab.com/en/44554/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Windows code-execution vulnerability went undetected until now ∗∗∗
---------------------------------------------
Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems.
---------------------------------------------
https://arstechnica.com/information-technology/2022/12/critical-windows-cod…
∗∗∗ Security updates: Attackers could compromise Synology routers ∗∗∗
---------------------------------------------
Current versions of Synology Router Manager close several security vulnerabilities. The vendor rates the severity as critical.
---------------------------------------------
https://heise.de/-7440888
∗∗∗ Important security updates for Avira Security, AVG Antivirus & Co. ∗∗∗
---------------------------------------------
Norton has closed several security vulnerabilities in its portfolio of antivirus software. Attackers could gain elevated user privileges.
---------------------------------------------
https://heise.de/-7441040
∗∗∗ Puckungfu: A NETGEAR WAN Command Injection ∗∗∗
---------------------------------------------
This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s WAN interface.
---------------------------------------------
https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-in…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/918379/
∗∗∗ Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service ∗∗∗
---------------------------------------------
Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-openimageio-file…
∗∗∗ Two New Security Flaws Reported in Ghost CMS Blogging Software ∗∗∗
---------------------------------------------
https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/
∗∗∗ Priva TopControl Suite ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-01
∗∗∗ Rockwell Automation Studio 5000 Logix Emulate ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-02
∗∗∗ Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-03
∗∗∗ Omron CX-Programmer ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-04
∗∗∗ IBM Content Navigator is vulnerable to missing authorization. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6844453
∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851347
∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851337
∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affect CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851351
∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851339
∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851345
∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851343
∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851349
∗∗∗ Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851341
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 20-12-2022 18:00 − Wednesday 21-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers bombard PyPi platform with information-stealing malware ∗∗∗
---------------------------------------------
The PyPi python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platfor…
∗∗∗ VirusTotal cheat sheet makes it easy to search for specific results ∗∗∗
---------------------------------------------
VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makes…
∗∗∗ FBI warns of search engine ads pushing malware, phishing ∗∗∗
---------------------------------------------
The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-a…
∗∗∗ Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT ∗∗∗
---------------------------------------------
After Microsoft announced this year that macros from the Internet will be blocked by default in Office, many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-m…
∗∗∗ Fake jQuery Domain Redirects Site Visitors to Scam Pages ∗∗∗
---------------------------------------------
A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing.
---------------------------------------------
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-…
∗∗∗ Parental control apps: Smart kids could attack parents ∗∗∗
---------------------------------------------
Security researchers have examined Android apps that let parents restrict their children's internet access. But vulnerabilities weaken the protection.
---------------------------------------------
https://heise.de/-7435146
∗∗∗ Adult popunder campaign used in mainstream ad fraud scheme ∗∗∗
---------------------------------------------
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunde…
∗∗∗ Meddler-in-the-Middle Phishing Attacks Explained ∗∗∗
---------------------------------------------
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.
---------------------------------------------
https://unit42.paloaltonetworks.com/meddler-phishing-attacks/
∗∗∗ Godfather: A banking Trojan that is impossible to refuse ∗∗∗
---------------------------------------------
Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries.
---------------------------------------------
https://blog.group-ib.com/godfather-trojan
∗∗∗ Didn’t Notice Your Rate Limiting: GraphQL Batching Attack ∗∗∗
---------------------------------------------
In this article, we will discuss how allowing multiple queries or requesting multiple object instances in a single network call can be abused leading to massive data leaks or Denial of Service (DoS).
---------------------------------------------
https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching…
∗∗∗ A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 ∗∗∗
---------------------------------------------
This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-…
∗∗∗ Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks ∗∗∗
---------------------------------------------
In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-grou…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Attacks on Exchange Server seen in the ProxyNotShell context ∗∗∗
---------------------------------------------
Security researchers warn of a new exploit that bypasses ProxyNotShell mitigations. Security updates are available, however.
---------------------------------------------
https://heise.de/-7434860
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils).
---------------------------------------------
https://lwn.net/Articles/918313/
∗∗∗ Passwordless Persistence and Privilege Escalation in Azure ∗∗∗
---------------------------------------------
Adversaries are always looking for stealthy means of maintaining long-term persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons.
---------------------------------------------
https://posts.specterops.io/passwordless-persistence-and-privilege-escalati…
∗∗∗ Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN29902403/
∗∗∗ Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking ∗∗∗
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-hikvision-wireless-brid…
∗∗∗ Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-e…
∗∗∗ Privilege escalation in Razer Synapse (SYSS-2022-047) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-202…
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the packages org.yaml:snakeyaml and jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849213
∗∗∗ GraphQL Denial of Service security vulnerability CVE-2022-37734 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828663
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849223
∗∗∗ Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849249
∗∗∗ OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6850775
=====================
= End-of-Day report =
=====================
Timeframe: Monday 19-12-2022 18:00 − Tuesday 20-12-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Linux File System Monitoring & Actions, (Tue, Dec 20th) ∗∗∗
---------------------------------------------
There can be multiple reasons to keep an eye on a critical/suspicious file or directory. For example, you could track an attacker and wait for some access to the captured credentials in a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements an FIM (File Integrity Monitoring). Upon a file change, an action can be triggered. Nice, but what if you would like a quick solution but agentless?
---------------------------------------------
https://isc.sans.edu/diary/rss/29362
∗∗∗ ChatGPT: Emerging AI Threat Landscape ∗∗∗
---------------------------------------------
ChatGPT is a prototype chatbot released by OpenAI. The chatbot is powered by AI and is gaining more traction than previous chatbots because it not only interacts in a conversational manner but can also generate code and handle many other complex questions and requests.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-eme…
∗∗∗ Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications.
---------------------------------------------
https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html
∗∗∗ Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg ∗∗∗
---------------------------------------------
We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior.
---------------------------------------------
https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter…
∗∗∗ clif - simple command-line application fuzzer ∗∗∗
---------------------------------------------
clif is a command-line application fuzzer, pretty much what wfuzz or ffuf are for the web. It was inspired by the sudo vulnerability CVE-2021-3156 and the fact that, for some reason, Google's alf-fuzz doesn't allow for unlimited argument or option specification.
---------------------------------------------
https://andy.codes/content/blog/2022-12-20-clif.html
∗∗∗ Better Make Sure Your Password Manager Is Secure ∗∗∗
---------------------------------------------
As part of a security analysis, our colleagues kuekerino, ubahnverleih and parzel examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application.
---------------------------------------------
https://www.modzero.com/modlog/archives/2022/12/19/better_make_sure_your_pa…
∗∗∗ New RisePro Infostealer Increasingly Popular Among Cybercriminals ∗∗∗
---------------------------------------------
A recently identified information stealer named ‘RisePro’ is being distributed by pay-per-install malware downloader service ‘PrivateLoader’, cyberthreat firm Flashpoint reports. Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs.
---------------------------------------------
https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-a…
∗∗∗ Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins ∗∗∗
---------------------------------------------
As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.
---------------------------------------------
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/
∗∗∗ Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities ∗∗∗
---------------------------------------------
More than two years ago, a researcher, A2nkF demonstrated the exploit chain from root privilege escalation to SIP-Bypass up to arbitrary kernel extension loading. In this blog entry, we will discuss how we discovered 3 more vulnerabilities from the old exploit chain.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/diving-into-an-old-exploit-c…
∗∗∗ Raspberry Robin Malware Targets Telecom, Governments ∗∗∗
---------------------------------------------
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning in September. The main payload itself is packed with more than 10 layers of obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targ…
∗∗∗ Web3 IPFS Only Used for Phishing - So Far ∗∗∗
---------------------------------------------
We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phis…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird).
---------------------------------------------
https://lwn.net/Articles/918268/
∗∗∗ FoxIt Patches Code Execution Flaws in PDF Tools ∗∗∗
---------------------------------------------
Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products.
---------------------------------------------
https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools
∗∗∗ [R1] Nessus Network Monitor Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-28
∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-01
∗∗∗ Rockwell Automation GuardLogix and ControlLogix controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-02
∗∗∗ ARC Informatique PcVue ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-03
∗∗∗ Rockwell Automation MicroLogix 1100 and 1400 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-04
∗∗∗ Delta 4G Router DX-3021 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-05
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.5ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849101
∗∗∗ IBM UrbanCode Build is affected by CVE-2022-42252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849111
∗∗∗ IBM UrbanCode Build is affected by CVE-2021-43980 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849109
∗∗∗ IBM UrbanCode Build is affected by CVE-2022-34305 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849107