Daily

daily@lists.cert.at

3157 discussions

Tageszusammenfassung - 16.02.2022
by Daily end-of-shift report 16 Feb '22

16 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-02-2022 18:00 − Mittwoch 16-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Researcher fully recovers text from pixels: how to reverse redaction ∗∗∗ --------------------------------------------- A researcher has demonstrated how he was able to successfully recover text that had been redacted using the pixelation technique. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-fully-recovers-te… ∗∗∗ Trickbot Malware Targeted Customers of 60 High-Profile Companies Since 2020 ∗∗∗ --------------------------------------------- The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features. --------------------------------------------- https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.ht… ∗∗∗ 25 years on, Microsoft makes another stab at stopping macro malware ∗∗∗ --------------------------------------------- Microsoft has announced that from April 2022 it is changing the default behavior of Office applications so that they block macros in files from the internet. What’s more, it won’t give users a simple one-click way to allow the macros to run, foiling much of the social engineering tricks commonly used by cybercriminals. --------------------------------------------- https://grahamcluley.com/microsoft-stab-macro-viruses/ ∗∗∗ OpSec. Hunting wireless ∗∗∗ --------------------------------------------- Continuing my series on OSINT techniques you can use for reviewing your own corporate OpSec, one of the most common services available in a modern corporate office is of course wireless. --------------------------------------------- https://www.pentestpartners.com/security-blog/opsec-hunting-wireless/ ∗∗∗ Characterising Cybercriminals: A Review. (arXiv:2202.07419v1 [cs.CY]) ∗∗∗ --------------------------------------------- This review provides an overview of current research on the knowncharacteristics and motivations of offenders engaging in cyber-dependentcrimes. --------------------------------------------- http://arxiv.org/abs/2202.07419 ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Security Bug Reported in Apache Cassandra Database Software ∗∗∗ --------------------------------------------- Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations. --------------------------------------------- https://thehackernews.com/2022/02/high-severity-rce-security-bug-reported.h… ∗∗∗ VMware-Sicherheitsupdates: Angreifer könnten Schadcode in Host-Systeme schieben ∗∗∗ --------------------------------------------- Die VMware-Entwickler haben Sicherheitslücken in mehreren Anwendungen geschlossen. Sie stufen das Risiko als "kritisch" ein. --------------------------------------------- https://heise.de/-6478188 ∗∗∗ Atlassian Confluence und Jira für mehrere Attacken anfällig ∗∗∗ --------------------------------------------- Admins sollten ihre Confluence und Jira Server vor möglichen Angriffen absichern. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6478758 ∗∗∗ ZDI-22-368: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-368/ ∗∗∗ ZDI-22-367: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-367/ ∗∗∗ ZDI-22-366: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-366/ ∗∗∗ ZDI-22-365: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-365/ ∗∗∗ ZDI-22-364: MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-364/ ∗∗∗ ZDI-22-363: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-363/ ∗∗∗ Cisco Email Security Appliance DNS Verification Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software TCP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli… ∗∗∗ Security Bulletin: IBM Maximo Anywhere Discloses Sensitive Information in Local Storage ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-discl… ∗∗∗ Security Bulletin: App Connect Professional is affected by polkit's pkexec vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ SECURITY BULLETIN: February 2022 Security Bulletin for Trend Micro Apex One ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000290464 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2022
by Daily end-of-shift report 15 Feb '22

15 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-02-2022 18:00 − Dienstag 15-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Domain-Hijacking: Tausende NPM-Accounts könnten sich übernehmen lassen ∗∗∗ --------------------------------------------- Laut einer Untersuchung lassen sich verwaiste NPM-Pakete leicht übernehmen. Außerdem könnten einige Maintainer überarbeitet sein. [..] Das hat auch NPM-Besitzer Github erkannt und führt deshalb langsam die zwingende Nutzung einer Zweifaktorauthentifizierung ein. --------------------------------------------- https://www.golem.de/news/domain-hijacking-tausende-npm-accounts-koennten-s… ∗∗∗ Who Are Those Bots?, (Tue, Feb 15th) ∗∗∗ --------------------------------------------- Im operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on a list of email addresses that have been crawled. [..] I extracted the list of IP addresses that generated authentication failures for the last 30 days and got a list of 11K addresses. They are part of botnets used to launch these attacks. But who are those bots? What kind of host are we facing? --------------------------------------------- https://isc.sans.edu/diary/rss/28342 ∗∗∗ New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin ∗∗∗ --------------------------------------------- A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency. MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems. --------------------------------------------- https://thehackernews.com/2022/02/new-mylobot-malware-variant-sends.html ∗∗∗ Dropping Files on a Domain Controller Using CVE-2021-43893 ∗∗∗ --------------------------------------------- On December 14, 2021, during the Log4Shell chaos, Microsoft published CVE-2021-43893, a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS). The vulnerability was credited to James Forshaw of Google Project Zero, but perhaps owing to the Log4Shell atmosphere, the vulnerability gained little to no attention. --------------------------------------------- https://www.rapid7.com/blog/post/2022/02/14/dropping-files-on-a-domain-cont… ∗∗∗ macOS: Sicherheitsupdates für ältere Versionen ∗∗∗ --------------------------------------------- Big Sur und Catalina erhalten jeweils ein Patch-Paket – doch leider verrät Apple nichts zum Inhalt. --------------------------------------------- https://heise.de/-6457597 ∗∗∗ Qnap lässt Sicherheitsupdate-Support für einige NAS-Modelle aufleben ∗∗∗ --------------------------------------------- Wer einen älteren Netzwerkspeicher (NAS) von Qnap besitzt, könnte ab sofort wieder Sicherheitspatches bekommen. --------------------------------------------- https://heise.de/-6474074 ∗∗∗ Betrügerische Wohnungsinserate erkennen: So geht’s ∗∗∗ --------------------------------------------- Auf Plattformen wie immobilienscout24.at, willhaben.at oder im Facebook Marketplace werden immer wieder Fake-Inserate von Miet- und Eigentumswohnungen veröffentlicht. Fake-Inserate können aber anhand einiger Merkmale schnell entlarvt werden. Zum einen am günstigen Preis, zum anderen an der Kommunikation mit den Eigentümerinnen und Eigentümern. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-wohnungsinserate-erke… ∗∗∗ New Emotet Infection Method ∗∗∗ --------------------------------------------- As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. [..] The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload. --------------------------------------------- https://unit42.paloaltonetworks.com/new-emotet-infection-method/ ∗∗∗ Warning over mysterious hackers that have been targeting aerospace and defence industries for years ∗∗∗ --------------------------------------------- Cybersecurity researchers detail a hacking operation that has been conducting phishing campaigns and malware attacks since 2017, despite barely changing its tactics. --------------------------------------------- https://www.zdnet.com/article/these-prolific-hackers-have-been-targeting-th… ∗∗∗ Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud ∗∗∗ --------------------------------------------- Unpatched servers have been used to twist corporate email threads and conduct financial theft. --------------------------------------------- https://www.zdnet.com/article/squirrelwaffle-loader-leverages-microsoft-exc… ∗∗∗ FBI and USSS Release Advisory on BlackByte Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/15/fbi-and-usss-rele… ∗∗∗ Sicherheitswarnung von Tuxedo Computer – dringend Passwort ändern ∗∗∗ --------------------------------------------- TUXEDO Computers ist ein in Augsburg angesiedelter Anbieter von Computern. [..] Bei diesem Hersteller hat es eine Sicherheitslücke gegeben, so dass der Hersteller die Kunden auffordert, ihre Kennwörter für deren Online-Konten zu ändern. --------------------------------------------- https://www.borncity.com/blog/2022/02/15/sicherheitswarnung-von-tuxedo-comp… ∗∗∗ Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users ∗∗∗ --------------------------------------------- Multi-factor Authentication or MFA (sometimes referred as 2FA) is an excellent way to protect your Office 365 accounts from attackers trying to gain access to them. [..] In this case, we are examining MFA Fatigue by focusing on a current attack vector—Push Notification Spamming. We’ll describe what MFA fatigue is, how it is carried out and detail the steps for IT professionals to detect and mitigate it within their organizations. --------------------------------------------- https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Google announces zero-day in Chrome browser – update now! ∗∗∗ --------------------------------------------- Zero-day buses: none for a while, then three at once. Heres Google joining Apple and Adobe in "zero-day week" --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-ch… ∗∗∗ Security Bulletin: Trend Micro Antivirus for Mac Link Following Privilege Escalation Vulnerability (CVE-2022-24671) ∗∗∗ --------------------------------------------- The update resolves a vulnerability in the product that allows a local attacker to modify a file during the update process and escalate their privileges. Please note that an attacker must at least have low-level privileges on the system to attempt to exploit this vulnerability. --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-10937 ∗∗∗ Unsichere Babymonitore von Nooie: Fremde könnten Vollzugriff erlangen ∗∗∗ --------------------------------------------- Bei der Analyse von zwei Babyphones von Nooie hat Bitdefender Sicherheitslücken entdeckt, durch die Angreifer etwa den Videostream anzapfen könnten. --------------------------------------------- https://heise.de/-6475088 ∗∗∗ Multiple Critical Vulnerabilities in multiple Zyxel devices ∗∗∗ --------------------------------------------- Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration. One of the worst vulnerabilities is the unauthenticated buffer overflow in the "zhttpd" webserver, which is developed by Zyxel. By bypassing ASLR, the buffer overflow can be turned into an unauthenticated remote code execution. Besides, vulnerabilities like unauthenticated file disclosure, authenticated command injection and processing of symbolic links in the FTP daemon were found in the firmware. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ VMSA-2022-0004 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3-8.4 CVE(s): CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050 Synopsis: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0004.html ∗∗∗ Symlink Directory Traversal in Linksys WLAN-Router (SYSS-2021-046) ∗∗∗ --------------------------------------------- Linksys WLAN-Router beinhaltet eine Schwachstelle, die es Angreifern erlaubt, Zugriff auf das gesamte interne Dateisystem des Routers zu erhalten. --------------------------------------------- https://www.syss.de/pentest-blog/symlink-directory-traversal-in-linksys-wla… ∗∗∗ Unzureichender Schutz für Medieninhalte bei AVMs FRITZ!Box (SYSS-2021-050) ∗∗∗ --------------------------------------------- AVMs FRITZ!Box-Heimrouter ermöglichen es Angreifenden, in Heimnetzwerken auf Mediendaten wie z. B. Bilder oder Videos zuzugreifen. --------------------------------------------- https://www.syss.de/pentest-blog/unzureichender-schutz-fuer-medieninhalte-b… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 15 February 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ ZDI-22-349: (Pwn2Own) Western Digital My Cloud Pro Series PR4100 ConnectivityService Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-349/ ∗∗∗ ZDI-22-348: (Pwn2Own) Western Digital MyCloud PR4100 cgi_api Server-Side Request Forgery Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-348/ ∗∗∗ ZDI-22-347: (Pwn2Own) Western Digital MyCloud PR4100 nasAdmin Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-347/ ∗∗∗ ZDI-22-346: (Pwn2Own) Western Digital MyCloud PR4100 samba Configuration Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-346/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220216-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ TYPO3-EXT-SA-2022-004: File Content Injection in extension "Hardcoded text to Locallang" (mqk_locallangtools) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-004 ∗∗∗ TYPO3-EXT-SA-2022-003: Insecure direct object reference in extension "Varnishcache" (varnishcache) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-003 ∗∗∗ TYPO3-EXT-SA-2022-002: Cross-Site Scripting in extension "Bookdatabase" (extbookdatabase) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-002 ∗∗∗ TYPO3-EXT-SA-2022-001: Server-side request forgery in extension "Kitodo.Presentation" (dlf) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-001 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2022
by Daily end-of-shift report 14 Feb '22

14 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-02-2022 18:00 − Montag 14-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Project Zero: Vendors are now quicker at fixing zero-days ∗∗∗ --------------------------------------------- Googles Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-project-zero-vendors-… ∗∗∗ Microsoft is making it harder to steal Windows passwords from memory ∗∗∗ --------------------------------------------- Microsoft is enabling an Attack Surface Reduction security feature rule by default to block hackers attempts to steal Windows credentials from the LSASS process. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-is-making-it-hard… ∗∗∗ Allcome clipbanker is a newcomer in underground forums ∗∗∗ --------------------------------------------- The malware underground market might seem astoundingly professional in marketing and support. Lets take a look under the covers of one particular malware-as-a-service—the clipboard banker Allcome. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-ne… ∗∗∗ DHL Spear Phishing to Capture Username/Password, (Sun, Feb 13th) ∗∗∗ --------------------------------------------- This week I got this run-of-the-mill DHL phishing in my ISC inbox. --------------------------------------------- https://isc.sans.edu/diary/rss/28332 ∗∗∗ Reminder: Decoding TLS Client Hellos to non TLS servers, (Mon, Feb 14th) ∗∗∗ --------------------------------------------- If you still run a non-TLS web server, you may occasionally find requests like the following in your weblogs. --------------------------------------------- https://isc.sans.edu/diary/rss/28338 ∗∗∗ Vulnerabilities that aren’t. Unquoted Spaces ∗∗∗ --------------------------------------------- I’ve covered a couple of web vulnerabilities that (mostly) aren’t, and now it’s time for a Windows specific one. --------------------------------------------- https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-un… ∗∗∗ E-Mail vom Bundeskriminalamt mit Betreff „BUNDESKRIMINALAMT VORLADUNG“ ist Fake ∗∗∗ --------------------------------------------- „Hallo, wir teilen Ihnen mit, dass Sie eine Straftat begangen haben“ lautet der Text in einem E-Mail – angeblich vom Bundeskriminalamt. In einem angehängten PDF-Dokument teilen Ihnen das Bundeskriminalamt, die Polizei sowie Europol mit, dass gegen Sie ein Verfahren wegen einer sexuellen Straftat eingeleitet wurde. Achtung: Dieses E-Mail ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-bundeskriminalamt-mit-bet… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/11/cisa-adds-one-kno… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa ∗∗∗ --------------------------------------------- A collection of five security vulnerabilities with a collective CVSS score of 10 out of 10 threaten critical infrastructure environments that use Moxa MXview. --------------------------------------------- https://threatpost.com/critical-mqtt-bugs-industrial-rce-moxa/178399/ ∗∗∗ Jetzt aktualisieren! Angriffe auf Shop-Systeme Adobe Commerce und Magento ∗∗∗ --------------------------------------------- Adobe meldet Angriffe auf die Shop-Systeme Commerce und Magento. Updates stehen bereit, die die ausgenutzte kritische Sicherheitslücke schließen sollen. --------------------------------------------- https://heise.de/-6455225 ∗∗∗ ZDI-22-318: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-318/ ∗∗∗ Security Bulletin: IBM Cognos Analytics Mobile is affected by security vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-mobi… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres (Standard and Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ Security Bulletin: DS8000 Hardware Management Console is vulnerable to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to arbitrary code execution in Log4j CVE-2021-44832 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: DS8000 Hardware Management Console uses Apache Log4j which is subject to a vulnerability alert CVE-2021-44228. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.02.2022
by Daily end-of-shift report 11 Feb '22

11 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-02-2022 18:00 − Freitag 11-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft starts killing off WMIC in Windows, will thwart attacks ∗∗∗ --------------------------------------------- Microsoft is moving forward with removing the Windows Management Instrumentation Command-line (WMIC) tool, wmic.exe, starting with the latest Windows 11 preview builds in the Dev channel. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-killing-of… ∗∗∗ Zyxel Network Storage Devices Hunted By Mirai Variant, (Thu, Feb 10th) ∗∗∗ --------------------------------------------- I have been talking a lot about various network storage devices and how you never ever want to expose them to the Internet. The brands that usually come up are Synology and QNAP, which have a significant market share. But they are not alone. --------------------------------------------- https://isc.sans.edu/diary/rss/28324 ∗∗∗ CinaRAT Delivered Through HTML ID Attributes, (Fri, Feb 11th) ∗∗∗ --------------------------------------------- I found another sample that again drops a malicious ISO file but this time, it is much more obfuscated and the VT score is 0! Yes, not detected by any antivirus solution! --------------------------------------------- https://isc.sans.edu/diary/rss/28330 ∗∗∗ Use Zoom on a Mac? You might want to check your microphone settings ∗∗∗ --------------------------------------------- Big Brother Zoomer is listening to us, complain users Apple Mac users running the Zoom meetings app are reporting that its keeping their computers microphone on when they arent using it. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/02/10/zoom_mac_mic… ∗∗∗ Schwachstelle im Virenschutz Microsoft-Defender stillschweigend abgedichtet ∗∗∗ --------------------------------------------- Durch zu laxe Rechtevergabe hätten Angreifer auf die Microsoft-Defender-Ausnahmen zugreifen können. Die Lücke hat das Unternehmen ohne Ankündigung behoben. --------------------------------------------- https://heise.de/-6444399 ∗∗∗ Luftnummer: Warnung vor Geisterberührungen auf Touchscreens ∗∗∗ --------------------------------------------- Die TU Darmstadt warnt, dass gezielte Angriffe auf Touchscreens möglich seien. Praxistauglich ist der beschriebene "GhostTouch"-Angriff jedoch nicht. --------------------------------------------- https://heise.de/-6445488 ∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-know… ∗∗∗ Malicious Chrome Browser Extension Exposed: ChromeBack Leverages Silent Extension Loading ∗∗∗ --------------------------------------------- GoSecure Titan Labs received a malicious Chrome extension sample that we are calling ChromeBack from GoSecures Titan Managed Detection and Response (MDR) team. --------------------------------------------- https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft: SMB-Lücke in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Eine fast zwei Jahre alte kritische Lücke in Windows wird derzeit aktiv ausgenutzt. Exploits gibt es auch für eine sieben Jahre alte Windows-Lücke. --------------------------------------------- https://www.golem.de/news/microsoft-smb-luecke-in-windows-wird-aktiv-ausgen… ∗∗∗ Notfall-Patch für iPhones, iPads und Macs: iOS 15.3.1 und macOS 12.2.1 verfügbar ∗∗∗ --------------------------------------------- Apple schließt eine Lücke, die offenbar aktiv für Angriffe ausgenutzt wird. Außerdem beseitigt der Hersteller Bugs, darunter Bluetooth-Probleme bei Intel-Macs. --------------------------------------------- https://heise.de/-6440372 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cryptsetup), Fedora (firefox, java-1.8.0-openjdk, microcode_ctl, python-django, rlwrap, and vim), openSUSE (kernel), and SUSE (kernel and ldb, samba). --------------------------------------------- https://lwn.net/Articles/884516/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Xpat vulnerability affect IBM Cloud Object Storage Systems (Feb 2022 V1-a) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xpat-vulnerability-affect… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-24750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: EDB Postgres Advanced Server with IBM and IBM Data Management Platform for EDB Postgres (Standard or Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-edb-postgres-advanced-ser… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0178 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2022
by Daily end-of-shift report 10 Feb '22

10 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-02-2022 18:00 − Donnerstag 10-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Wave of MageCart attacks target hundreds of outdated Magento sites ∗∗∗ --------------------------------------------- Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. [...] The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wave-of-magecart-attacks-tar… ∗∗∗ FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems ∗∗∗ --------------------------------------------- Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain. The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-h… ∗∗∗ Linux Malware on the Rise ∗∗∗ --------------------------------------------- Ransomware, cryptojacking, and a cracked version of the penetration-testing tool Cobalt Strike have increasingly targeted Linux in multicloud infrastructure, report states. --------------------------------------------- https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illic… ∗∗∗ Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware ∗∗∗ --------------------------------------------- The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot. --------------------------------------------- https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/1783… ∗∗∗ SAP to Give Threat Briefing on Uber-Severe ‘ICMAD’ Bugs ∗∗∗ --------------------------------------------- SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. [..] Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download [..] --------------------------------------------- https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/ ∗∗∗ Vorsicht vor betrügerischen Fortnite-Shops! ∗∗∗ --------------------------------------------- Betrügerische Fortnite-Onlineshops, wie premiumskins.net bieten beliebte Outfits, sogenannte „Fortnite-Skins“ zum Kauf an. Doch Vorsicht – oft werden die Skins nach Bezahlung nicht geliefert! Kaufen Sie Skins nur über den offiziellen Store, innerhalb des Spiels und vertrauen Sie keinen externen Anbietern. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-fortnit… ∗∗∗ Ransomware tracker: the latest figures [February 2022] ∗∗∗ --------------------------------------------- Over the last two years, The Record and our parent company Recorded Future have updated this ransomware tracker using data collected from government agencies, news reports, hacking forums, and other sources. The trend is clear: despite bold efforts from governments around the world, ransomware isn’t going anywhere. Here are some of our most critical findings --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-290: BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-290/ ∗∗∗ WordPress-Übernahme durch kritische Lücken in PHP Everywhere ∗∗∗ --------------------------------------------- Angreifer hätten durch eine kritische Sicherheitslücke in PHP Everywhere beliebigen Code in WordPress-Instanzen ausführen können. Ein Update steht bereit. --------------------------------------------- https://heise.de/-6369318 ∗∗∗ Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin ∗∗∗ --------------------------------------------- On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query. --------------------------------------------- https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulner… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex). --------------------------------------------- https://lwn.net/Articles/884381/ ∗∗∗ Dell Computer: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Dell Computer ausnutzen, um beliebigen Programmcode auszuführen oder modifizierte BIOS-Firmware zu installieren. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0174 ∗∗∗ Drupal: Mehrere Schwachstellen [in Plugins] ∗∗∗ --------------------------------------------- Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden. Ein entfernter, anonymer oderauthentisierter Angreifer kann mehrere Schwachstellen in Drupal [Plugins] ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0173 ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30640 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j( CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-41079 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-33037 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ CVE-2022-0016 GlobalProtect App: Privilege Escalation Vulnerability When Using Connect Before Logon (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0016 ∗∗∗ CVE-2022-0017 GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0017 ∗∗∗ CVE-2022-0018 GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0018 ∗∗∗ CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0011 ∗∗∗ CVE-2022-0021 GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0021 ∗∗∗ CVE-2022-0020 Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0020 ∗∗∗ CVE-2022-0019 GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0019 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2022
by Daily end-of-shift report 09 Feb '22

09 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-02-2022 18:00 − Mittwoch 09-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kimsuki hackers use commodity RATs with custom Gold Dragon malware ∗∗∗ --------------------------------------------- South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodit… ∗∗∗ Fake Windows 11 upgrade installers infect you with RedLine malware ∗∗∗ --------------------------------------------- Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-inst… ∗∗∗ Ransomware dev releases Egregor, Maze master decryption keys ∗∗∗ --------------------------------------------- The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egre… ∗∗∗ Bios, UEFI, WLAN: Intel schließt zahlreiche Firmware-Sicherheitslücken ∗∗∗ --------------------------------------------- An einem groß angelegten Patch-Day stellt Intel Updates für Sicherheitslücken bereit. Diese lassen sich zum Ausweiten von Rechten nutzen. --------------------------------------------- https://www.golem.de/news/bios-uefi-wlan-intel-schliesst-zahlreiche-firmwar… ∗∗∗ Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th) ∗∗∗ --------------------------------------------- Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08. --------------------------------------------- https://isc.sans.edu/diary/rss/28318 ∗∗∗ SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022–22718) ∗∗∗ --------------------------------------------- In this blog post, we’ll look at a Windows Print Spooler local privilege escalation vulnerability that I found and reported in November 2021. The vulnerability got patched as part of Microsoft’s Patch Tuesday in February 2022. --------------------------------------------- https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalati… ∗∗∗ CISA and SAP warn about major vulnerability ∗∗∗ --------------------------------------------- SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products. --------------------------------------------- https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/ ∗∗∗ AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware ∗∗∗ --------------------------------------------- Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-040a ===================== = Vulnerabilities = ===================== ∗∗∗ Ausführen von Schadcode denkbar: Sicherheitsupdates für Firefox und Thunderbird ∗∗∗ --------------------------------------------- Die Mozilla-Entwickler schließen in aktualisierten Versionen von Firefox und Thunderbird viele Sicherheitslücken. Einige davon stufen sie als hohes Risiko ein. --------------------------------------------- https://heise.de/-6360477 ∗∗∗ Patchday Microsoft: Angreifer könnten eine Kernel-Lücke in Windows ausnutzen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Azure, Office, Windows & Co. Das ist selten: Keine der geschlossenen Lücken gilt als kritisch. --------------------------------------------- https://heise.de/-6360267 ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Illustrator ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben ihr Software-Portfolio gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-6360575 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (aide), Debian (connman), Fedora (perl-App-cpanminus and rust-afterburn), Mageia (glibc), Red Hat (.NET 5.0, .NET 6.0, aide, log4j, ovirt-engine, and samba), SUSE (elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh,[...] --------------------------------------------- https://lwn.net/Articles/884242/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ HPE Agentless Management registers unquoted service paths ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN12969207/ ∗∗∗ Security Advisory for Citrix Hypervisor (CVE-2022-23034, CVE-2022-23035, CVE-2021-0145) ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX337526 ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Apache Log4j affects Netcool Operation Insight (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go (CVE CVE-2021-41771 & CVE-2021-41772) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30639 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0002.html ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0158 ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0156 ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0159 ∗∗∗ QNAP: Multiple Vulnerabilities in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2022
by Daily end-of-shift report 08 Feb '22

08 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-02-2022 18:00 − Dienstag 08-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Internetsicherheit: So schützen Sie sich vor Account-Hijacking und Co. ∗∗∗ --------------------------------------------- Wir erklären Ihnen, worauf Sie achten sollten, damit Sie sicher im Internet unterwegs sind. --------------------------------------------- https://heise.de/-6355600 ∗∗∗ Microsoft Office soll VBA-Makros standardmäßig blockieren ∗∗∗ --------------------------------------------- Makros sind ein Einfallstor für Malware. VBA-Makros standardmäßig zu deaktivieren, ist längst überfällig. --------------------------------------------- https://heise.de/-6353429 ∗∗∗ Patchday: Lücken in SAP-Produkten ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Am Februar-Patchday schließt SAP mehrere kritische Sicherheitslücken, durch die Angreifer Schadcode in betroffene Systeme einschleusen hätten können. --------------------------------------------- https://heise.de/-6356776 ∗∗∗ Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages ∗∗∗ --------------------------------------------- Specifically, in this paper, we study [..] security releases over a dataset of 4,377 security advisories across seven package ecosystems (Composer, Go, Maven, npm, NuGet, pip, and RubyGems). [..] Based on our findings, we make four recommendations for the package maintainers and the ecosystem administrators, such as using private fork for security fixes and standardizing the practice for announcing security releases. --------------------------------------------- https://arxiv.org/pdf/2112.06804.pdf ∗∗∗ “We absolutely do not care about you”: Sugar ransomware targets individuals ∗∗∗ --------------------------------------------- They call it Sugar ransomware, but its not sweet in any way. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-… ∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗ --------------------------------------------- [UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. --------------------------------------------- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress IP2Location Country Blocker 2.26.7 Cross Site Scripting ∗∗∗ --------------------------------------------- An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022020031 ∗∗∗ CVE-2021-38130 Voltage SecureMail 7.3 Mail Relay Information Leakage Vuln. ∗∗∗ --------------------------------------------- An information leakage vulnerability with a CVSS of 4.1 was discovered in SecureMail Server for versions prior to 7.3.0.1. The vulnerability can be exploited to send sensitive information to an unauthorized user. A resolution of this vulnerability is available in the Voltage SecureMail version 7.3.0.1 patch release. --------------------------------------------- https://portal.microfocus.com/s/article/KM000003667?language=en_US ∗∗∗ Patchday: Kritische System-Lücke lässt Angreifer auf Android-Geräte zugreifen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android 10, 11, 12 und verschiedene Komponenten des Systems. --------------------------------------------- https://heise.de/-6355256 ∗∗∗ Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution ∗∗∗ --------------------------------------------- On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin [...] --------------------------------------------- https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-ever… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (log4j), Debian (chromium, xterm, and zabbix), Fedora (kate, lua, and podman), Oracle (aide and log4j), and SUSE (xen). --------------------------------------------- https://lwn.net/Articles/884082/ ∗∗∗ K33484369: Linux kernel vulnerability CVE-2021-20194 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33484369?utm_source=f5support&utm_mediu… ∗∗∗ K01217337: Linux kernel vulnerability CVE-2021-22543 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01217337?utm_source=f5support&utm_mediu… ∗∗∗ Mitsubishi Electric FA Engineering Software Products (Update D) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02 ∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update F) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04 ∗∗∗ SSA-914168: Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-914168.txt ∗∗∗ SSA-669737: Improper Access Control Vulnerability in SICAM TOOLBOX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-669737.txt ∗∗∗ SSA-654775: Open Redirect Vulnerability in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-654775.txt ∗∗∗ SSA-609880: File Parsing Vulnerabilities in Simcenter Femap before V2022.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-609880.txt ∗∗∗ SSA-539476: Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-539476.txt ∗∗∗ SSA-301589: Multiple File Parsing Vulnerabilities in Solid Edge, JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-301589.txt ∗∗∗ SSA-244969: OpenSSL Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-244969.txt ∗∗∗ SSA-838121: Multiple Denial of Service Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-838121.txt ∗∗∗ SSA-831168: Cross-Site Scripting Vulnerability in Spectrum Power 4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-831168.txt ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-35728) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2021-20190) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Log4Shell Vulnerability affects IBM SPSS Statistics (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2022
by Daily end-of-shift report 07 Feb '22

07 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-02-2022 18:00 − Montag 07-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Medusa malware ramps up Android SMS phishing attacks ∗∗∗ --------------------------------------------- The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-malware-ramps-up-andr… ∗∗∗ An Insidious Mac Malware Is Growing More Sophisticated ∗∗∗ --------------------------------------------- When UpdateAgent emerged in late 2020, it utilized basic infiltration techniques. Its developers have since expanded it in dangerous ways. --------------------------------------------- https://www.wired.com/story/mac-malware-growing-more-sophisticated ∗∗∗ Shadow Credentials ∗∗∗ --------------------------------------------- During Black Hat Europe 2019 Michael Grafnetter discussed several attacks towards Windows Hello for Business including a domain persistence technique which involves the modification of the msDS-KeyCredentialLink attribute of a target computer or user account. [..] The following diagram visualize the steps of the technique Shadow Credentials in practice. --------------------------------------------- https://pentestlab.blog/2022/02/07/shadow-credentials/ ∗∗∗ web3 phishing via self-customizing landing pages ∗∗∗ --------------------------------------------- You may not quite understand what "web3" is all about (I do not claim to do so), but it appears phishers may already use it. [..] the JavaScript used to implement the phishing page is interesting. Not only does it customize the login dialog with the company logo, but it also replaces the entire page with a screenshot of the domain homepage. --------------------------------------------- https://isc.sans.edu/diary/rss/28312 ∗∗∗ Sextortion: Wenn ein harmloser Flirt in Erpressung endet ∗∗∗ --------------------------------------------- Sextortion ist eine Betrugsmasche, bei der meist männliche Opfer von Online-Bekanntschaften aufgefordert werden, sexuelles Bild- und Videomaterial von sich zu versenden oder sich nackt vor der Webcam zu zeigen. Mit diesen Bildern und Videos werden die Opfer dann erpresst: Zahlen oder das Material wird im Internet veröffentlicht! --------------------------------------------- https://www.watchlist-internet.at/news/sextortion-wenn-ein-harmloser-flirt-… ∗∗∗ FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks, using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000162-MW and apply the recommend mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/07/fbi-releases-indi… ∗∗∗ Microsoft deaktiviert wegen Emotet & Co. MSIX ms-appinstaller Protokoll-Handler in Windows (Feb. 2022) ∗∗∗ --------------------------------------------- Nachdem Ransomware wie Emotet oder BazarLoader den MSIX ms-appinstaller Protokoll-Handler missbrauchten, hat Microsoft nun erneut reagiert. Der komplette MSIX ms-appinstaller Protokoll-Handler wurde vorerst in Windows – quasi als Schutz vor Emotet, BazarLoader oder ähnlicher Malware – deaktiviert. --------------------------------------------- https://www.borncity.com/blog/2022/02/05/microsoft-deaktiviert-msix-ms-appi… ∗∗∗ Vorsicht: audacity.de und keepass.de verbreiten Malware (Feb. 2022) ∗∗∗ --------------------------------------------- Kleiner Hinweis an Leute, die sich gerne Software aus dem Internet herunterladen. Es sieht so aus, als ob die Domains audacity.de und keepass.de in die Hände von Leuten gekommen sind, die damit Schindluder treiben. Statt ein Audio-Tool oder einen Passwort-Manager zu bekommen, wird über die betreffenden Seiten Malware verteilt. --------------------------------------------- https://www.borncity.com/blog/2022/02/07/vorsicht-audacity-de-und-keepass-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django). --------------------------------------------- https://lwn.net/Articles/884015/ ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0143 ∗∗∗ Multiple ESET products for macOS vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN95898697/ ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multipe vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.02.2022
by Daily end-of-shift report 04 Feb '22

04 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-02-2022 18:00 − Freitag 04-02-2022 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Schwachstelle in GitOps-Tool: Argo CD über Path Traversal angreifbar ∗∗∗ --------------------------------------------- Angriffe mit manipulierten Helm-Charts ermöglichen Zugriff auf beliebige Verzeichnisse im Repository des Continuous-Delivery-Werkzeugs für Kubernetes. --------------------------------------------- https://heise.de/-6349810 ∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗ --------------------------------------------- - Volexity discovers XSS zero-day vulnerability against Zimbra - Targeted sectors include European government and media - Successful exploitation results in theft of email data from users --------------------------------------------- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi… ∗∗∗ Cybersecurity for Industrial Control Systems: Part 1 ∗∗∗ --------------------------------------------- In this two-part series, we look into various cybersecurity threats that affected industrial control systems endpoints. We also discuss several insights and recommendations to mitigate such threats. --------------------------------------------- https://www.iiot-world.com/ics-security/cybersecurity/cybersecurity-for-ind… ∗∗∗ Vulnerabilities that aren’t. ETag headers ∗∗∗ --------------------------------------------- This time we’re looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it. --------------------------------------------- https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-et… ∗∗∗ Target open-sources its web skimmer detector ∗∗∗ --------------------------------------------- Targets cybersecurity team has open-sourced the code of Merry Maker, the companys internal application that it has used since 2018 to detect if any of its own websites have been compromised with malicious code that can steal payment card details from buyers. --------------------------------------------- https://therecord.media/target-open-sources-its-web-skimmer-detector/ ∗∗∗ An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’ ∗∗∗ --------------------------------------------- Late last year, cybersecurity researchers began to notice a ransomware strain called ALPHV that stood out for being particularly sophisticated and coded in the Rust programming language—a first for ransomware used in real-world attacks. --------------------------------------------- https://therecord.media/an-alphv-blackcat-representative-discusses-the-grou… ∗∗∗ Special Report: Die Tücken von Active Directory Certificate Services (AD CS) ∗∗∗ --------------------------------------------- Active Directory Certificate Services (ADCS) ist anfällig für Fehlkonfigurationen, mit denen eine komplette Kompromittierung des Netzes trivial möglich ist. Publiziert wurde das Problem im Sommer 2021, jetzt wird diese Methode bei APT-Angriffen benutzt. Kontrollieren Sie mit den bereitgestellten Tools ihr Setup. Stellen Sie mit den angeführten Präventiv-Maßnahmen höhere Sichtbarkeit her. Überprüfen Sie mit den vorgestellen Tools, ob eine Fehlkonfiguration bereits ausgenutzt wurde. --------------------------------------------- https://cert.at/de/spezielles/2022/2/special-report-die-tucken-von-active-d… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apng2gif, ruby2.5, ruby2.7, and strongswan), Fedora (389-ds-base, glibc, java-latest-openjdk, keylime, mingw-python-pillow, perl-Image-ExifTool, python-pillow, rust-afterburn, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-skim, rust-thread_local, rust-tokei, strongswan, vim, xen, and zola), Mageia (cryptsetup and expat), openSUSE (containerd, docker, glibc, [...] --------------------------------------------- https://lwn.net/Articles/883828/ ∗∗∗ Mattermost security updates 6.3.3, 6.2.3, 6.1.3, 5.37.8 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.3.3 (Extended Support Release), 6.2.3, 6.1.3, 5.37.8 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-3-3-6-2-3-6-1-3-5… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-kno… ∗∗∗ CSV+ vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN67396225/ ∗∗∗ K40508224: Perl vulnerability CVE-2020-10878 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K40508224 ∗∗∗ K05295469: Expat vulnerability CVE-2019-15903 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K05295469 ∗∗∗ Security Bulletin: Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix Dynamic Server in Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2… ∗∗∗ Security Bulletin: Vulnerablity in Apache Log4j may affect IBM Tivoli Monitoring installed WebSphere Application Server (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo… ∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an… ∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (October 2021) affects IBM InfoSphere Information Server (CVE-2021-35578 CVE-2021-35564) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.02.2022
by Daily end-of-shift report 03 Feb '22

03 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-02-2022 18:00 − Donnerstag 03-02-2022 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Spam-Anrufe von Wiener Nummer: “This is the police” ∗∗∗ --------------------------------------------- Bei solchen Anrufen gilt es generell, sofort aufzulegen. Ist man sich unsicher, ob der Anruf echt war (im Falle eines englischsprachigen Tonbands ist er das jedenfalls nicht), kann man eigenständig die Polizei (133) anrufen. Die Polizei warnt, dass man nie eine "Polizei"-Telefonnummern zurückrufen soll, wenn das in solchen Anrufen gefordert wird. Hat man bereits mit der Person gesprochen und Daten herausgegeben, soll man umgehend Anzeige bei der Polizei erstatten. --------------------------------------------- https://futurezone.at/digital-life/spam-anrufe-wiener-nummer-federal-police… ∗∗∗ WooCommerce Skimmer Uses Fake Fonts and Favicon to Steal CC Details ∗∗∗ --------------------------------------------- Today’s investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time right around the end of December. What first seemed to be a routine case of credit card theft turned out to be a much more interesting infection that leveraged both font, favicon and other less-commonly used files to pilfer credit card details. --------------------------------------------- https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-fav… ∗∗∗ A comprehensive guide on [NTLM] relaying anno 2022 ∗∗∗ --------------------------------------------- For years now, Internal Penetration Testing teams have been successful in obtaining a foothold or even compromising entire domains through a technique called NTLM relaying. [..] This blog post aims to be a comprehensive resource that will walk through the attack primitives that continue to work today. While most will be well known techniques, some techniques involving Active Directory Certificate Services might be lesser known. --------------------------------------------- https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/ ∗∗∗ Tattoo-Giveaways auf Instagram führen in eine Abo-Falle ∗∗∗ --------------------------------------------- Kriminelle versenden Nachrichten von Fake-Accounts und behaupten, dass Instagram-User bei einem Gewinnspiel gewonnen hätten. Doch der angebliche Gewinn führt nicht zu einem neuen Tattoo, sondern in eine gut getarnte Abo-Falle. --------------------------------------------- https://www.watchlist-internet.at/news/tattoo-giveaways-auf-instagram-fuehr… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Sante DICOM Viewer Pro ∗∗∗ --------------------------------------------- * J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability * DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability * DCM File ParsingOut-Of-Bounds Read Information Disclosure Vulnerability * DCM File Parsing Use-After-Free Information Disclosure Vulnerability * JP2 File Parsing Use-After-Free Remote Code Execution Vulnerability * JP2 File Parsing Memory Corruption Remote Code Execution Vulnerability * J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability --------------------------------------------- https://www.zerodayinitiative.com/advisories/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (librecad), Fedora (flatpak, flatpak-builder, and glibc), Mageia (chromium-browser-stable, connman, libtiff, and rust), openSUSE (lighttpd), Oracle (cryptsetup, nodejs:14, and rpm), Red Hat (varnish:6), SUSE (kernel and unbound), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-aws-5.13, linux-gcp, linux-gcp-5.11, linux-hwe-5.13, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-gke, linux-gke-5.4, mysql-5.7, mysql-8.0, python-django, samba). --------------------------------------------- https://lwn.net/Articles/883676/ ∗∗∗ Sensormatic PowerManage ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01 ∗∗∗ Airspan Networks Mimosa ∗∗∗ --------------------------------------------- This advisory contains mitigations for Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Airspan Networks Mimosa network management software. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-02 ∗∗∗ Zwei Schwachstellen in AudioCodes Session Border Controller (SYSS-2021-068/-075) ∗∗∗ --------------------------------------------- In AudioCodes Session Border Controller (SBC) kann Telefonbetrug begangen werden. Auch wurde eine Rechteeskalation in der Web Management-Konsole gefunden. --------------------------------------------- https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construct… ∗∗∗ InsydeH2O UEFI System Management Mode (SMM) Vulnerabilities ∗∗∗ --------------------------------------------- Mitigation Strategy for Customers (what you should do to protect yourself): Update system firmware to the version (or newer) indicated for your model in the Product Impact section. --------------------------------------------- http://support.lenovo.com/product_security/PS500463-INSYDEH2O-UEFI-SYSTEM-M… ∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by JWT-Go vulnerability (CVE-2020-26160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Standard is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-38960 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Enterprise is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ K67416037: Linux kernel vulnerability CVE-2021-23133 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67416037?utm_source=f5support&utm_mediu… ∗∗∗ Weidmueller: Remote I/O fieldbus couplers (IP20) affected by INFRA:HALT vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-042/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily