=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-02-2022 18:00 – Monday 14-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google Project Zero: Vendors are now quicker at fixing zero-days ∗∗∗
---------------------------------------------
Google's Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-project-zero-vendors-…
∗∗∗ Microsoft is making it harder to steal Windows passwords from memory ∗∗∗
---------------------------------------------
Microsoft is enabling an Attack Surface Reduction security feature rule by default to block hackers' attempts to steal Windows credentials from the LSASS process.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-is-making-it-hard…
∗∗∗ Allcome clipbanker is a newcomer in underground forums ∗∗∗
---------------------------------------------
The malware underground market might seem astoundingly professional in marketing and support. Let's take a look under the covers of one particular malware-as-a-service: the clipboard banker Allcome.
---------------------------------------------
https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-ne…
∗∗∗ DHL Spear Phishing to Capture Username/Password, (Sun, Feb 13th) ∗∗∗
---------------------------------------------
This week I got this run-of-the-mill DHL phishing in my ISC inbox.
---------------------------------------------
https://isc.sans.edu/diary/rss/28332
∗∗∗ Reminder: Decoding TLS Client Hellos to non TLS servers, (Mon, Feb 14th) ∗∗∗
---------------------------------------------
If you still run a non-TLS web server, you may occasionally find requests like the following in your weblogs.
---------------------------------------------
https://isc.sans.edu/diary/rss/28338
∗∗∗ Vulnerabilities that aren't. Unquoted Spaces ∗∗∗
---------------------------------------------
I've covered a couple of web vulnerabilities that (mostly) aren't, and now it's time for a Windows specific one.
---------------------------------------------
https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-un…
∗∗∗ E-mail from the Bundeskriminalamt with the subject "BUNDESKRIMINALAMT VORLADUNG" is fake ∗∗∗
---------------------------------------------
"Hello, we inform you that you have committed a criminal offence" reads the text of an e-mail, allegedly from the Bundeskriminalamt. In an attached PDF document, the Bundeskriminalamt, the police and Europol inform you that proceedings for a sexual offence have been initiated against you. Warning: this e-mail is fake.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-vom-bundeskriminalamt-mit-bet…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability listed in the table below.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/11/cisa-adds-one-kno…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa ∗∗∗
---------------------------------------------
A collection of five security vulnerabilities with a collective CVSS score of 10 out of 10 threaten critical infrastructure environments that use Moxa MXview.
---------------------------------------------
https://threatpost.com/critical-mqtt-bugs-industrial-rce-moxa/178399/
∗∗∗ Update now! Attacks on the Adobe Commerce and Magento shop systems ∗∗∗
---------------------------------------------
Adobe reports attacks on its Commerce and Magento shop systems. Updates are available that are intended to close the critical vulnerability being exploited.
---------------------------------------------
https://heise.de/-6455225
∗∗∗ ZDI-22-318: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-318/
∗∗∗ Security Bulletin: IBM Cognos Analytics Mobile is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-mobi…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres (Standard and Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf…
∗∗∗ Security Bulletin: DS8000 Hardware Management Console is vulnerable to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen…
∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to arbitrary code execution in Log4j CVE-2021-44832 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v…
∗∗∗ Security Bulletin: DS8000 Hardware Management Console uses Apache Log4j which is subject to a vulnerability alert CVE-2021-44228. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-02-2022 18:00 – Friday 11-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft starts killing off WMIC in Windows, will thwart attacks ∗∗∗
---------------------------------------------
Microsoft is moving forward with removing the Windows Management Instrumentation Command-line (WMIC) tool, wmic.exe, starting with the latest Windows 11 preview builds in the Dev channel.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-killing-of…
∗∗∗ Zyxel Network Storage Devices Hunted By Mirai Variant, (Thu, Feb 10th) ∗∗∗
---------------------------------------------
I have been talking a lot about various network storage devices and how you never ever want to expose them to the Internet. The brands that usually come up are Synology and QNAP, which have a significant market share. But they are not alone.
---------------------------------------------
https://isc.sans.edu/diary/rss/28324
∗∗∗ CinaRAT Delivered Through HTML ID Attributes, (Fri, Feb 11th) ∗∗∗
---------------------------------------------
I found another sample that again drops a malicious ISO file but this time, it is much more obfuscated and the VT score is 0! Yes, not detected by any antivirus solution!
---------------------------------------------
https://isc.sans.edu/diary/rss/28330
∗∗∗ Use Zoom on a Mac? You might want to check your microphone settings ∗∗∗
---------------------------------------------
Big Brother Zoomer is listening to us, complain users. Apple Mac users running the Zoom meetings app are reporting that it's keeping their computers' microphone on when they aren't using it.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/02/10/zoom_mac_mic…
∗∗∗ Vulnerability in the Microsoft Defender antivirus silently patched ∗∗∗
---------------------------------------------
Due to overly lax permissions, attackers could have accessed the Microsoft Defender exclusions. The company fixed the vulnerability without any announcement.
---------------------------------------------
https://heise.de/-6444399
∗∗∗ Much ado about nothing: warning about ghost touches on touchscreens ∗∗∗
---------------------------------------------
TU Darmstadt warns that targeted attacks on touchscreens are possible. However, the described "GhostTouch" attack is not practical.
---------------------------------------------
https://heise.de/-6445488
∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-know…
∗∗∗ Malicious Chrome Browser Extension Exposed: ChromeBack Leverages Silent Extension Loading ∗∗∗
---------------------------------------------
GoSecure Titan Labs received a malicious Chrome extension sample that we are calling ChromeBack from GoSecure's Titan Managed Detection and Response (MDR) team.
---------------------------------------------
https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft: SMB vulnerability in Windows is being actively exploited ∗∗∗
---------------------------------------------
An almost two-year-old critical vulnerability in Windows is currently being actively exploited. Exploits also exist for a seven-year-old Windows vulnerability.
---------------------------------------------
https://www.golem.de/news/microsoft-smb-luecke-in-windows-wird-aktiv-ausgen…
∗∗∗ Emergency patch for iPhones, iPads and Macs: iOS 15.3.1 and macOS 12.2.1 available ∗∗∗
---------------------------------------------
Apple closes a vulnerability that is apparently being actively exploited in attacks. The vendor also fixes bugs, including Bluetooth problems on Intel Macs.
---------------------------------------------
https://heise.de/-6440372
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cryptsetup), Fedora (firefox, java-1.8.0-openjdk, microcode_ctl, python-django, rlwrap, and vim), openSUSE (kernel), and SUSE (kernel and ldb, samba).
---------------------------------------------
https://lwn.net/Articles/884516/
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Xpat vulnerability affect IBM Cloud Object Storage Systems (Feb 2022 V1-a) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-xpat-vulnerability-affect…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-24750) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: EDB Postgres Advanced Server with IBM and IBM Data Management Platform for EDB Postgres (Standard or Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-edb-postgres-advanced-ser…
∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ QNAP NAS: vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0178
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-02-2022 18:00 – Thursday 10-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Wave of MageCart attacks target hundreds of outdated Magento sites ∗∗∗
---------------------------------------------
Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. [...] The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wave-of-magecart-attacks-tar…
∗∗∗ FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems ∗∗∗
---------------------------------------------
Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain. The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-h…
∗∗∗ Linux Malware on the Rise ∗∗∗
---------------------------------------------
Ransomware, cryptojacking, and a cracked version of the penetration-testing tool Cobalt Strike have increasingly targeted Linux in multicloud infrastructure, report states.
---------------------------------------------
https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illic…
∗∗∗ Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware ∗∗∗
---------------------------------------------
The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot.
---------------------------------------------
https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/1783…
∗∗∗ SAP to Give Threat Briefing on Uber-Severe 'ICMAD' Bugs ∗∗∗
---------------------------------------------
SAP's Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. [..] Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download [..]
---------------------------------------------
https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/
∗∗∗ Beware of fraudulent Fortnite shops! ∗∗∗
---------------------------------------------
Fraudulent Fortnite online shops such as premiumskins.net offer popular outfits, so-called "Fortnite skins", for sale. But beware: the skins are often not delivered after payment! Buy skins only through the official store, within the game, and do not trust any external providers.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-fortnit…
∗∗∗ Ransomware tracker: the latest figures [February 2022] ∗∗∗
---------------------------------------------
Over the last two years, The Record and our parent company Recorded Future have updated this ransomware tracker using data collected from government agencies, news reports, hacking forums, and other sources. The trend is clear: despite bold efforts from governments around the world, ransomware isn't going anywhere.
Here are some of our most critical findings
---------------------------------------------
https://therecord.media/ransomware-tracker-the-latest-figures/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-290: BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-290/
∗∗∗ WordPress takeover via critical vulnerabilities in PHP Everywhere ∗∗∗
---------------------------------------------
Through a critical vulnerability in PHP Everywhere, attackers could have executed arbitrary code on WordPress instances. An update is available.
---------------------------------------------
https://heise.de/-6369318
∗∗∗ Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin ∗∗∗
---------------------------------------------
On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query.
---------------------------------------------
https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulner…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex).
---------------------------------------------
https://lwn.net/Articles/884381/
∗∗∗ Dell Computer: multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in Dell computers to execute arbitrary code or install modified BIOS firmware.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0174
∗∗∗ Drupal: multiple vulnerabilities [in plugins] ∗∗∗
---------------------------------------------
The functionality of the core installation can be individually extended through numerous extensions.
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in Drupal [plugins] to bypass security measures and carry out a cross-site scripting attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0173
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30640 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-41079 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-33037 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ CVE-2022-0016 GlobalProtect App: Privilege Escalation Vulnerability When Using Connect Before Logon (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0016
∗∗∗ CVE-2022-0017 GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0017
∗∗∗ CVE-2022-0018 GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0018
∗∗∗ CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0011
∗∗∗ CVE-2022-0021 GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon (Severity: LOW) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0021
∗∗∗ CVE-2022-0020 Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0020
∗∗∗ CVE-2022-0019 GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0019
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-02-2022 18:00 – Wednesday 09-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Kimsuki hackers use commodity RATs with custom Gold Dragon malware ∗∗∗
---------------------------------------------
South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodit…
∗∗∗ Fake Windows 11 upgrade installers infect you with RedLine malware ∗∗∗
---------------------------------------------
Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-inst…
∗∗∗ Ransomware dev releases Egregor, Maze master decryption keys ∗∗∗
---------------------------------------------
The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egre…
∗∗∗ BIOS, UEFI, WLAN: Intel closes numerous firmware vulnerabilities ∗∗∗
---------------------------------------------
On a large-scale patch day, Intel provides updates for security vulnerabilities. These can be used to escalate privileges.
---------------------------------------------
https://www.golem.de/news/bios-uefi-wlan-intel-schliesst-zahlreiche-firmwar…
∗∗∗ Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th) ∗∗∗
---------------------------------------------
Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08.
---------------------------------------------
https://isc.sans.edu/diary/rss/28318
∗∗∗ SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-22718) ∗∗∗
---------------------------------------------
In this blog post, we'll look at a Windows Print Spooler local privilege escalation vulnerability that I found and reported in November 2021. The vulnerability got patched as part of Microsoft's Patch Tuesday in February 2022.
---------------------------------------------
https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalati…
∗∗∗ CISA and SAP warn about major vulnerability ∗∗∗
---------------------------------------------
SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products.
---------------------------------------------
https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/
∗∗∗ AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware ∗∗∗
---------------------------------------------
Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors' growing technological sophistication and an increased ransomware threat to organizations globally.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa22-040a
=====================
= Vulnerabilities =
=====================
∗∗∗ Malicious code execution conceivable: security updates for Firefox and Thunderbird ∗∗∗
---------------------------------------------
The Mozilla developers close many security vulnerabilities in updated versions of Firefox and Thunderbird. They rate some of them as high risk.
---------------------------------------------
https://heise.de/-6360477
∗∗∗ Microsoft Patch Tuesday: attackers could exploit a kernel vulnerability in Windows ∗∗∗
---------------------------------------------
There are important security updates for Azure, Office, Windows and others. This is rare: none of the closed vulnerabilities is rated critical.
---------------------------------------------
https://heise.de/-6360267
∗∗∗ Patch day: Adobe closes code execution vulnerabilities in Illustrator ∗∗∗
---------------------------------------------
Adobe's developers have secured their software portfolio against possible attacks.
---------------------------------------------
https://heise.de/-6360575
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (aide), Debian (connman), Fedora (perl-App-cpanminus and rust-afterburn), Mageia (glibc), Red Hat (.NET 5.0, .NET 6.0, aide, log4j, ovirt-engine, and samba), SUSE (elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh,[...]
---------------------------------------------
https://lwn.net/Articles/884242/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ HPE Agentless Management registers unquoted service paths ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN12969207/
∗∗∗ Security Advisory for Citrix Hypervisor (CVE-2022-23034, CVE-2022-23035, CVE-2021-0145) ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX337526
∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects Netcool Operation Insight (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera…
∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go (CVE-2021-41771 & CVE-2021-41772) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au…
∗∗∗ Security Bulletin: IBM TRIRIGA Reporting, a component of IBM TRIRIGA Application Platform, is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – October 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – July 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
โโโ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30639 โโโ
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-afโฆ
โโโ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002 โโโ
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0002.html
โโโ Zoom Video Communications Zoom Client: Mehrere Schwachstellen โโโ
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0158
โโโ QEMU: Schwachstelle ermรถglicht Ausfรผhren von beliebigem Programmcode mit Administratorrechten โโโ
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0156
โโโ Grafana: Mehrere Schwachstellen โโโ
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0159
โโโ QNAP: Multiple Vulnerabilities in Samba โโโ
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-22-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-02-2022 18:00 – Tuesday 08-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Internet security: How to protect yourself against account hijacking and the like ∗∗∗
---------------------------------------------
We explain what you should pay attention to in order to stay safe on the Internet.
---------------------------------------------
https://heise.de/-6355600
∗∗∗ Microsoft Office to block VBA macros by default ∗∗∗
---------------------------------------------
Macros are an entry point for malware. Disabling VBA macros by default is long overdue.
---------------------------------------------
https://heise.de/-6353429
∗∗∗ Patch day: Vulnerabilities in SAP products allow code injection ∗∗∗
---------------------------------------------
On its February patch day, SAP closes several critical security vulnerabilities through which attackers could have injected malicious code into affected systems.
---------------------------------------------
https://heise.de/-6356776
∗∗∗ Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages ∗∗∗
---------------------------------------------
Specifically, in this paper, we study [..] security releases over a dataset of 4,377 security advisories across seven package ecosystems (Composer, Go, Maven, npm, NuGet, pip, and RubyGems). [..] Based on our findings, we make four recommendations for the package maintainers and the ecosystem administrators, such as using a private fork for security fixes and standardizing the practice for announcing security releases.
---------------------------------------------
https://arxiv.org/pdf/2112.06804.pdf
∗∗∗ “We absolutely do not care about you”: Sugar ransomware targets individuals ∗∗∗
---------------------------------------------
They call it Sugar ransomware, but it's not sweet in any way.
---------------------------------------------
https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-…
∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗
---------------------------------------------
[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022.
---------------------------------------------
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress IP2Location Country Blocker 2.26.7 Cross Site Scripting ∗∗∗
---------------------------------------------
An authenticated user is able to inject arbitrary JavaScript or HTML code into the "Frontend Settings" interface available in the settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data, and achieve a stored cross-site scripting attack against administrators or other authenticated users. Plugin versions prior to 2.26.7 are affected by this vulnerability.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022020031
∗∗∗ CVE-2021-38130 Voltage SecureMail 7.3 Mail Relay Information Leakage Vuln. ∗∗∗
---------------------------------------------
An information leakage vulnerability with a CVSS of 4.1 was discovered in SecureMail Server for versions prior to 7.3.0.1. The vulnerability can be exploited to send sensitive information to an unauthorized user. A resolution of this vulnerability is available in the Voltage SecureMail version 7.3.0.1 patch release.
---------------------------------------------
https://portal.microfocus.com/s/article/KM000003667?language=en_US
∗∗∗ Patch day: Critical System vulnerability lets attackers access Android devices ∗∗∗
---------------------------------------------
Important security updates are available for Android 10, 11 and 12 and for various components of the system.
---------------------------------------------
https://heise.de/-6355256
∗∗∗ Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution ∗∗∗
---------------------------------------------
On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin [...]
---------------------------------------------
https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-ever…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (log4j), Debian (chromium, xterm, and zabbix), Fedora (kate, lua, and podman), Oracle (aide and log4j), and SUSE (xen).
---------------------------------------------
https://lwn.net/Articles/884082/
∗∗∗ K33484369: Linux kernel vulnerability CVE-2021-20194 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K33484369?utm_source=f5support&utm_mediu…
∗∗∗ K01217337: Linux kernel vulnerability CVE-2021-22543 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01217337?utm_source=f5support&utm_mediu…
∗∗∗ Mitsubishi Electric FA Engineering Software Products (Update D) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02
∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update F) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04
∗∗∗ SSA-914168: Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-914168.txt
∗∗∗ SSA-669737: Improper Access Control Vulnerability in SICAM TOOLBOX II ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-669737.txt
∗∗∗ SSA-654775: Open Redirect Vulnerability in SINEMA Remote Connect Server ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-654775.txt
∗∗∗ SSA-609880: File Parsing Vulnerabilities in Simcenter Femap before V2022.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-609880.txt
∗∗∗ SSA-539476: Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-539476.txt
∗∗∗ SSA-301589: Multiple File Parsing Vulnerabilities in Solid Edge, JT2Go and Teamcenter Visualization ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-301589.txt
∗∗∗ SSA-244969: OpenSSL Vulnerability in Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-244969.txt
∗∗∗ SSA-838121: Multiple Denial of Service Vulnerabilities in Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-838121.txt
∗∗∗ SSA-831168: Cross-Site Scripting Vulnerability in Spectrum Power 4 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-831168.txt
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-35728) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2021-20190) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Log4Shell Vulnerability affects IBM SPSS Statistics (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-a…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-02-2022 18:00 – Monday 07-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Medusa malware ramps up Android SMS phishing attacks ∗∗∗
---------------------------------------------
The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/medusa-malware-ramps-up-andr…
∗∗∗ An Insidious Mac Malware Is Growing More Sophisticated ∗∗∗
---------------------------------------------
When UpdateAgent emerged in late 2020, it utilized basic infiltration techniques. Its developers have since expanded it in dangerous ways.
---------------------------------------------
https://www.wired.com/story/mac-malware-growing-more-sophisticated
∗∗∗ Shadow Credentials ∗∗∗
---------------------------------------------
During Black Hat Europe 2019 Michael Grafnetter discussed several attacks against Windows Hello for Business, including a domain persistence technique which involves the modification of the msDS-KeyCredentialLink attribute of a target computer or user account. [..] The following diagram visualizes the steps of the Shadow Credentials technique in practice.
---------------------------------------------
https://pentestlab.blog/2022/02/07/shadow-credentials/
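Detection logic for the technique summarized above, added here as an example for this digest (it is not code from pentestlab.blog or from any tool the post describes). The technique leaves a concrete trace: somebody writes msDS-KeyCredentialLink on an account they should not be touching. The script below flags such writes in Windows Security events 5136 (directory object modified) and 4662 (operation on an object) and lets you exclude accounts that legitimately enroll keys. The events are constructed samples, the field names follow the two event schemas, and the attribute GUID, the OperationType resource strings and the auditing prerequisites are assumptions stated in the docstring; verify them against your own domain controllers before relying on the rule.

```python
"""Flag writes to msDS-KeyCredentialLink in Windows Security events.

Added example for this digest; not code from pentestlab.blog or from the
tools the post describes. SAMPLE_EVENTS are CONSTRUCTED samples, flattened
to one dict per event, with field names from the 5136 ("A directory service
object was modified") and 4662 ("An operation was performed on an object")
schemas. Assumptions:
  - 5136 is only produced when the object carries a "Write all properties"
    SACL and "Audit Directory Service Changes" is enabled;
  - 5136 OperationType arrives as the resource strings %%14674 (value added)
    and %%14675 (value deleted), as seen in exported XML;
  - the schema GUID of msDS-KeyCredentialLink listed in 4662 "Properties" is
    5b47d60f-6090-40b2-9f37-2a4de88f3063 (from public detection guidance;
    confirm against your own schema partition).
"""

ATTRIBUTE = "msDS-KeyCredentialLink"
ATTRIBUTE_GUID = "5b47d60f-6090-40b2-9f37-2a4de88f3063"
OP_VALUE_ADDED = "%%14674"
OP_VALUE_DELETED = "%%14675"
WRITE_PROP = 0x20  # ADS_RIGHT_DS_WRITE_PROP bit in the 4662 AccessMask

SAMPLE_EVENTS = [
    # Benign 5136: group membership change, unrelated attribute.
    {"EventID": 5136, "TimeCreated": "2022-02-07T09:12:03Z",
     "SubjectUserName": "admin01",
     "ObjectDN": "CN=Sales,OU=Groups,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "member", "OperationType": OP_VALUE_ADDED},
    # Suspicious 5136: an ordinary user adds a KeyCredential to a server object.
    {"EventID": 5136, "TimeCreated": "2022-02-07T09:14:41Z",
     "SubjectUserName": "jdoe",
     "ObjectDN": "CN=FILESRV01,OU=Servers,DC=corp,DC=example",
     "AttributeLDAPDisplayName": ATTRIBUTE, "OperationType": OP_VALUE_ADDED},
    # Expected 5136: a provisioning service account enrolling a device key.
    {"EventID": 5136, "TimeCreated": "2022-02-07T09:20:00Z",
     "SubjectUserName": "svc-aadconnect",
     "ObjectDN": "CN=LAPTOP42,OU=Workstations,DC=corp,DC=example",
     "AttributeLDAPDisplayName": ATTRIBUTE, "OperationType": OP_VALUE_ADDED},
    # Suspicious 4662: WriteProperty on the attribute GUID of a user object
    # (the first GUID is the "user" object class, the second the attribute).
    {"EventID": 4662, "TimeCreated": "2022-02-07T09:31:17Z",
     "SubjectUserName": "jdoe",
     "ObjectName": "CN=Administrator,CN=Users,DC=corp,DC=example",
     "AccessMask": "0x20",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2} "
                   "{5b47d60f-6090-40b2-9f37-2a4de88f3063}"},
    # Benign 4662: ReadProperty (0x10) only, no write bit set.
    {"EventID": 4662, "TimeCreated": "2022-02-07T09:32:00Z",
     "SubjectUserName": "backup-op",
     "ObjectName": "CN=Administrator,CN=Users,DC=corp,DC=example",
     "AccessMask": "0x10",
     "Properties": "{5b47d60f-6090-40b2-9f37-2a4de88f3063}"},
]


def _event_write(ev):
    """Return (target, operation) if ev writes msDS-KeyCredentialLink, else None."""
    eid = ev.get("EventID")
    if eid == 5136 and ev.get("AttributeLDAPDisplayName") == ATTRIBUTE:
        op = ev.get("OperationType")
        if op == OP_VALUE_ADDED:
            return ev.get("ObjectDN", ""), "added"
        if op == OP_VALUE_DELETED:
            return ev.get("ObjectDN", ""), "deleted"
        return None
    if eid == 4662:
        mask = int(str(ev.get("AccessMask", "0")), 16)
        props = str(ev.get("Properties", "")).lower()
        if mask & WRITE_PROP and ATTRIBUTE_GUID in props:
            return ev.get("ObjectName", ""), "write"
    return None


def find_shadow_credential_writes(events, expected_writers=()):
    """One finding per KeyCredential write whose subject is not an account
    expected to enroll keys (device provisioning services and the like)."""
    allow = {w.lower() for w in expected_writers}
    findings = []
    for ev in events:
        hit = _event_write(ev)
        if hit is None:
            continue
        subject = str(ev.get("SubjectUserName", ""))
        if subject.lower() in allow:
            continue
        target, operation = hit
        findings.append({"time": ev.get("TimeCreated"), "source": str(ev.get("EventID")),
                         "subject": subject, "target": target, "operation": operation})
    return findings


if __name__ == "__main__":
    for f in find_shadow_credential_writes(SAMPLE_EVENTS, {"svc-aadconnect"}):
        print(f"{f['time']} [{f['source']}] {f['subject']} -> {f['target']} ({f['operation']})")
```

The allowlist is deliberately a parameter rather than a hardcoded name: which accounts are allowed to write key credentials differs per environment, and an empty allowlist (the default) errs on the side of reporting every write. A 5136 value-deleted event is reported as well, since an attacker cleaning up after using the shadow credential is as interesting as the original write.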
∗∗∗ web3 phishing via self-customizing landing pages ∗∗∗
---------------------------------------------
You may not quite understand what "web3" is all about (I do not claim to do so), but it appears phishers may already use it. [..] the JavaScript used to implement the phishing page is interesting. Not only does it customize the login dialog with the company logo, but it also replaces the entire page with a screenshot of the domain homepage.
---------------------------------------------
https://isc.sans.edu/diary/rss/28312
∗∗∗ Sextortion: When a harmless flirt ends in blackmail ∗∗∗
---------------------------------------------
Sextortion is a scam in which mostly male victims are asked by online acquaintances to send sexual images and videos of themselves or to appear naked in front of the webcam. The victims are then blackmailed with these images and videos: pay, or the material will be published on the Internet!
---------------------------------------------
https://www.watchlist-internet.at/news/sextortion-wenn-ein-harmloser-flirt-…
∗∗∗ FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000162-MW and apply the recommended mitigations.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/07/fbi-releases-indi…
∗∗∗ Microsoft disables the MSIX ms-appinstaller protocol handler in Windows because of Emotet & Co. (Feb. 2022) ∗∗∗
---------------------------------------------
After ransomware such as Emotet or BazarLoader abused the MSIX ms-appinstaller protocol handler, Microsoft has now reacted again. The entire MSIX ms-appinstaller protocol handler has been disabled in Windows for the time being, effectively as a protection against Emotet, BazarLoader or similar malware.
---------------------------------------------
https://www.borncity.com/blog/2022/02/05/microsoft-deaktiviert-msix-ms-appi…
∗∗∗ Warning: audacity.de and keepass.de distribute malware (Feb. 2022) ∗∗∗
---------------------------------------------
A small note for people who like to download software from the Internet. It looks as if the domains audacity.de and keepass.de have fallen into the hands of people who are abusing them. Instead of an audio tool or a password manager, the pages in question distribute malware.
---------------------------------------------
https://www.borncity.com/blog/2022/02/07/vorsicht-audacity-de-und-keepass-d…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django).
---------------------------------------------
https://lwn.net/Articles/884015/
∗∗∗ OTRS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0143
∗∗∗ Multiple ESET products for macOS vulnerable to improper server certificate verification ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN95898697/
∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 03-02-2022 18:00 – Friday 04-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Vulnerability in GitOps tool: Argo CD attackable via path traversal ∗∗∗
---------------------------------------------
Attacks with manipulated Helm charts allow access to arbitrary directories in the repository of the continuous delivery tool for Kubernetes.
---------------------------------------------
https://heise.de/-6349810
∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗
---------------------------------------------
- Volexity discovers XSS zero-day vulnerability against Zimbra
- Targeted sectors include European government and media
- Successful exploitation results in theft of email data from users
---------------------------------------------
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi…
∗∗∗ Cybersecurity for Industrial Control Systems: Part 1 ∗∗∗
---------------------------------------------
In this two-part series, we look into various cybersecurity threats that affected industrial control system endpoints. We also discuss several insights and recommendations to mitigate such threats.
---------------------------------------------
https://www.iiot-world.com/ics-security/cybersecurity/cybersecurity-for-ind…
∗∗∗ Vulnerabilities that aren't: ETag headers ∗∗∗
---------------------------------------------
This time we're looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto's headers plugin back in 2008, then other scanners added it.
---------------------------------------------
https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-et…
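What a scanner's ETag "dissector" can actually recover, as an added example for this digest (it is not code from the Pen Test Partners post). It decodes the hexadecimal fields of a static-file ETag under the assumed formats Apache "inode-size-mtime" or "size-mtime" (mtime in microseconds) and nginx "mtime-size" (mtime in seconds), and reports anything else as undecodable; the ETag strings in SAMPLES are constructed, not captured from a real host. Seeing the three fields spelled out is the quickest way to judge how much an "inode disclosure" finding is worth on a given target.

```python
"""Decode what a file-based ETag actually reveals.

Added example for this digest, not code from the Pen Test Partners post.
Assumed formats (hexadecimal fields joined by "-"):
  Apache  "inode-size-mtime" (FileETag INode MTime Size) or "size-mtime"
          (FileETag MTime Size, the httpd 2.4 default); mtime is
          microseconds since the epoch.
  nginx   "mtime-size"; mtime is seconds since the epoch.
Anything else (content hashes, opaque tokens) is reported as undecodable.
The values in SAMPLES are constructed; none come from a real host.
"""
import re
from datetime import datetime, timedelta, timezone

_HEX_ETAG = re.compile(r'^(W/)?"([0-9a-fA-F]+(?:-[0-9a-fA-F]+){1,2})"$')

# Plausibility window for a file mtime: 2000-01-01 .. 2100-01-01.
_MIN_S, _MAX_S = 946_684_800, 4_102_444_800
_MIN_US, _MAX_US = _MIN_S * 1_000_000, _MAX_S * 1_000_000

SAMPLES = [
    '"2d-5d71bdfa87000"',                          # Apache, size-mtime
    'W/"8a1f3-2d-5d71bdfa87000"',                  # Apache, inode-size-mtime, weak
    '"61fbc3c0-2d"',                               # nginx, mtime-size
    '"33a64df551425fcc55e4d42a148795d9f25f89d4"',  # opaque (content hash)
]


def _utc(seconds, micros=0):
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=micros)


def decode_etag(etag):
    """Return {"server_guess", "weak", "inode", "size", "mtime"} for an
    Apache/nginx file ETag, or None when the value fits neither format."""
    m = _HEX_ETAG.match(etag.strip())
    if not m:
        return None
    weak = m.group(1) is not None
    parts = [int(p, 16) for p in m.group(2).split("-")]
    if len(parts) == 3:                            # Apache inode-size-mtime(us)
        inode, size, mtime = parts
        if not _MIN_US <= mtime <= _MAX_US:
            return None
        return {"server_guess": "apache", "weak": weak, "inode": inode,
                "size": size, "mtime": _utc(*divmod(mtime, 1_000_000))}
    a, b = parts
    if _MIN_US <= b <= _MAX_US:                    # Apache size-mtime(us)
        return {"server_guess": "apache", "weak": weak, "inode": None,
                "size": a, "mtime": _utc(*divmod(b, 1_000_000))}
    if _MIN_S <= a <= _MAX_S:                      # nginx mtime(s)-size
        return {"server_guess": "nginx", "weak": weak, "inode": None,
                "size": b, "mtime": _utc(a)}
    return None


def describe(etag):
    """One-line summary in the shape a scanner finding would show."""
    d = decode_etag(etag)
    if d is None:
        return f"{etag}: not an Apache/nginx file ETag, nothing to decode"
    inode = f", inode {d['inode']}" if d["inode"] is not None else ""
    return (f"{etag}: {d['server_guess']} static file, {d['size']} bytes, "
            f"mtime {d['mtime'].isoformat()}{inode}")


if __name__ == "__main__":
    for s in SAMPLES:
        print(describe(s))
```

The two-field case is ambiguous on its face, so the decoder disambiguates by magnitude: a microsecond timestamp from this century has 13 hex digits and a second timestamp has 8, and no realistic file size lands in either window. Values that fit neither pattern are returned as None rather than guessed at.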
∗∗∗ Target open-sources its web skimmer detector ∗∗∗
---------------------------------------------
Target's cybersecurity team has open-sourced the code of Merry Maker, the company's internal application that it has used since 2018 to detect if any of its own websites have been compromised with malicious code that can steal payment card details from buyers.
---------------------------------------------
https://therecord.media/target-open-sources-its-web-skimmer-detector/
∗∗∗ An ALPHV (BlackCat) representative discusses the group's plans for a ransomware “meta-universe” ∗∗∗
---------------------------------------------
Late last year, cybersecurity researchers began to notice a ransomware strain called ALPHV that stood out for being particularly sophisticated and coded in the Rust programming language, a first for ransomware used in real-world attacks.
---------------------------------------------
https://therecord.media/an-alphv-blackcat-representative-discusses-the-grou…
∗∗∗ Special Report: The pitfalls of Active Directory Certificate Services (AD CS) ∗∗∗
---------------------------------------------
Active Directory Certificate Services (ADCS) is prone to misconfigurations that make a complete compromise of the network trivially possible. The problem was published in summer 2021; this method is now being used in APT attacks. Check your setup with the tools provided. Establish greater visibility with the preventive measures listed. Use the tools presented to verify whether a misconfiguration has already been exploited.
---------------------------------------------
https://cert.at/de/spezielles/2022/2/special-report-die-tucken-von-active-d…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apng2gif, ruby2.5, ruby2.7, and strongswan), Fedora (389-ds-base, glibc, java-latest-openjdk, keylime, mingw-python-pillow, perl-Image-ExifTool, python-pillow, rust-afterburn, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-skim, rust-thread_local, rust-tokei, strongswan, vim, xen, and zola), Mageia (cryptsetup and expat), openSUSE (containerd, docker, glibc, [...]
---------------------------------------------
https://lwn.net/Articles/883828/
∗∗∗ Mattermost security updates 6.3.3, 6.2.3, 6.1.3, 5.37.8 released ∗∗∗
---------------------------------------------
We're informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.3.3 (Extended Support Release), 6.2.3, 6.1.3, 5.37.8 (Extended Support Release) for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-6-3-3-6-2-3-6-1-3-5…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-kno…
∗∗∗ CSV+ vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67396225/
∗∗∗ K40508224: Perl vulnerability CVE-2020-10878 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K40508224
∗∗∗ K05295469: Expat vulnerability CVE-2019-15903 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K05295469
∗∗∗ Security Bulletin: Log4j Vulnerability (CVE-2021-44228) in IBM Informix Dynamic Server in Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Tivoli Monitoring installed WebSphere Application Server (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo…
∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an…
∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (October 2021) affect IBM InfoSphere Information Server (CVE-2021-35578, CVE-2021-35564) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-02-2022 18:00 – Thursday 03-02-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spam calls from a Vienna number: “This is the police” ∗∗∗
---------------------------------------------
For calls like these, the general rule is to hang up immediately. If you are unsure whether the call was genuine (in the case of an English-language recording it certainly was not), you can call the police (133) yourself. The police warn never to call back a "police" telephone number when such calls demand it.
If you have already spoken to the person and handed over data, you should file a report with the police immediately.
---------------------------------------------
https://futurezone.at/digital-life/spam-anrufe-wiener-nummer-federal-police…
∗∗∗ WooCommerce Skimmer Uses Fake Fonts and Favicon to Steal CC Details ∗∗∗
---------------------------------------------
Today's investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time right around the end of December. What first seemed to be a routine case of credit card theft turned out to be a much more interesting infection that leveraged font, favicon and other less-commonly used files to pilfer credit card details.
---------------------------------------------
https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-fav…
∗∗∗ A comprehensive guide on [NTLM] relaying anno 2022 ∗∗∗
---------------------------------------------
For years now, Internal Penetration Testing teams have been successful in obtaining a foothold or even compromising entire domains through a technique called NTLM relaying. [..] This blog post aims to be a comprehensive resource that will walk through the attack primitives that continue to work today. While most will be well known techniques, some techniques involving Active Directory Certificate Services might be lesser known.
---------------------------------------------
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
∗∗∗ Tattoo giveaways on Instagram lead into a subscription trap ∗∗∗
---------------------------------------------
Criminals send messages from fake accounts claiming that Instagram users have won a prize draw. But the supposed prize does not lead to a new tattoo; it leads into a well-disguised subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/tattoo-giveaways-auf-instagram-fuehr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities in Sante DICOM Viewer Pro ∗∗∗
---------------------------------------------
* J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
* DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
* DCM File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
* DCM File Parsing Use-After-Free Information Disclosure Vulnerability
* JP2 File Parsing Use-After-Free Remote Code Execution Vulnerability
* JP2 File Parsing Memory Corruption Remote Code Execution Vulnerability
* J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
---------------------------------------------
https://www.zerodayinitiative.com/advisories/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (librecad), Fedora (flatpak, flatpak-builder, and glibc), Mageia (chromium-browser-stable, connman, libtiff, and rust), openSUSE (lighttpd), Oracle (cryptsetup, nodejs:14, and rpm), Red Hat (varnish:6), SUSE (kernel and unbound), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-aws-5.13, linux-gcp, linux-gcp-5.11, linux-hwe-5.13, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-gke, linux-gke-5.4, mysql-5.7, mysql-8.0, python-django, samba).
---------------------------------------------
https://lwn.net/Articles/883676/
∗∗∗ Sensormatic PowerManage ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01
∗∗∗ Airspan Networks Mimosa ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Airspan Networks Mimosa network management software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-034-02
∗∗∗ Two vulnerabilities in AudioCodes Session Border Controller (SYSS-2021-068/-075) ∗∗∗
---------------------------------------------
The AudioCodes Session Border Controller (SBC) can be abused for toll fraud. A privilege escalation in the web management console was also found.
---------------------------------------------
https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construct…
∗∗∗ InsydeH2O UEFI System Management Mode (SMM) Vulnerabilities ∗∗∗
---------------------------------------------
Mitigation Strategy for Customers (what you should do to protect yourself): Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
---------------------------------------------
http://support.lenovo.com/product_security/PS500463-INSYDEH2O-UEFI-SYSTEM-M…
∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by JWT-Go vulnerability (CVE-2020-26160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Standard is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf…
∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2021-38960 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-…
∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Enterprise is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf…
∗∗∗ K67416037: Linux kernel vulnerability CVE-2021-23133 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K67416037?utm_source=f5support&utm_mediu…
∗∗∗ Weidmueller: Remote I/O fieldbus couplers (IP20) affected by INFRA:HALT vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-042/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-02-2022 18:00 - Wednesday 02-02-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM ∗∗∗
---------------------------------------------
The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM). UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code.
---------------------------------------------
https://kb.cert.org/vuls/id/796611
∗∗∗ CISA Releases Securing Industrial Control Systems: A Unified Initiative ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. The strategy, developed in collaboration with industry and government partners, lays out CISA's plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure.
---------------------------------------------
https://us-cert.cisa.gov/ics/cisa-releases-securing-industrial-control-syst…
∗∗∗ Kasper: a tool for finding speculative-execution vulnerabilities ∗∗∗
---------------------------------------------
The Systems and Network Security Group at Vrije Universiteit Amsterdam has announced a tool called Kasper that is able to scan the kernel source and locate speculative-execution vulnerabilities: Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels).
---------------------------------------------
https://lwn.net/Articles/883448/
∗∗∗ Post e-mail „Dein Paket wartet !“ (Your parcel is waiting!) is fake! ∗∗∗
---------------------------------------------
Criminals are sending a wave of e-mails in the name of the Post with the subject „Dein Paket wartet !“ (Your parcel is waiting!). A delivery fee of 1.69 euros is supposedly outstanding. Warning: the e-mails are entirely fabricated. The criminals use spoofing to make the sender address look genuine and link to a counterfeit Post website.
---------------------------------------------
https://www.watchlist-internet.at/news/post-e-mail-dein-paket-wartet-ist-fa…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron).
---------------------------------------------
https://lwn.net/Articles/883541/
∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
Google has released Chrome versions 98.0.4758.80/81/82 for Windows and 98.0.4758.80 for Mac and Linux. These versions address vulnerabilities that an attacker could exploit to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/02/google-releases-s…
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Sealevel SeaConnect ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several vulnerabilities in Sealevel Systems Inc.'s SeaConnect internet-of-things edge device, many of which could allow an attacker to conduct a man-in-the-middle attack or execute remote code on the targeted device.
The SeaConnect 370W is a WiFi-connected edge device commonly used in industrial control system (ICS) environments that allow users to remotely monitor and control the status of real-world I/O processes. This device offers remote control via MQTT, Modbus TCP and a manufacturer-specific interface referred to as the "SeaMAX API."
---------------------------------------------
http://blog.talosintelligence.com/2022/02/vuln-spotlight-sea-level-connect.…
∗∗∗ Cisco Prime Service Catalog Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Umbrella Secure Web Gateway File Inspection Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business RV Series Routers Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ FortiAuthenticator - Improper access control in HA service ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-20-217
∗∗∗ FortiMail - reflected cross-site scripting vulnerability in FortiGuard URI protection ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-185
∗∗∗ FortiExtender - Arbitrary command execution because of missing CLI input sanitization ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-148
∗∗∗ FortiWeb - OS command injection due to unsafe input validation function ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-166
∗∗∗ FortiWeb - Stack-based buffer overflow in command line interpreter ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-132
∗∗∗ FortiWeb - OS command injection due to direct input interpolation in API controllers ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-180
∗∗∗ FortiWeb - arbitrary file/directory deletion ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-158
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to leaking sensitive information due to CVE-2021-3712 in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ K74013101: Binutils vulnerability CVE-2021-42574 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74013101?utm_source=f5support&utm_mediu…
∗∗∗ K28622040: Python vulnerability CVE-2019-9948 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28622040?utm_source=f5support&utm_mediu…
∗∗∗ Advantech ADAM-3600 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-032-02
=====================
= End-of-Day report =
=====================
Timeframe: Monday 31-01-2022 18:00 - Tuesday 01-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ BSI-Grundschutz-Kompendium 2022: New modules, leaner structure ∗∗∗
---------------------------------------------
The 2022 edition of the IT-Grundschutz-Kompendium comes with several new modules, but also with structural changes.
---------------------------------------------
https://heise.de/-6344956
∗∗∗ SMS from the „Bawag“ saying „Ihr Konto wurde gesperrt!“ (Your account has been blocked!) is fake ∗∗∗
---------------------------------------------
Caution: a fraudulent SMS, supposedly from Bawag, is currently circulating. The message informs you that your account has been blocked and asks you to click a link. Do not do so under any circumstances: the link leads to a fake BAWAG login page.
---------------------------------------------
https://www.watchlist-internet.at/news/sms-der-bawag-mit-ihr-konto-wurde-ge…
∗∗∗ Domain Escalation: Machine Accounts ∗∗∗
---------------------------------------------
The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password hash could not be cracked due to complexity or assessment time constraints. However, performing pass the hash with machine accounts instead of local administrators accounts is not very common even though it has been described in an article by Adam Chester years ago and could be used in scenarios where the host is part of an elevated group such as the domain admins.
---------------------------------------------
https://pentestlab.blog/2022/02/01/machine-accounts/
∗∗∗ Updates released for multiple vulnerabilities found in 42 Gears SureMDM products ∗∗∗
---------------------------------------------
42 Gears released an initial set of updates in November and more earlier this month.
---------------------------------------------
https://www.zdnet.com/article/multiple-vulnerabilities-found-in-42-gears-su…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-146: Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Esri ArcReader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-146/
∗∗∗ ZDI-22-148: ESET Endpoint Antivirus Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-148/
∗∗∗ Rate - Critical - Unsupported - SA-CONTRIB-2022-010 ∗∗∗
---------------------------------------------
2022-01-31: a new maintainer has stepped forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [...]
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-010
∗∗∗ WordPress plug-in Essential Addons for Elementor as a vector for malicious code ∗∗∗
---------------------------------------------
In the current version of Essential Addons for Elementor, the developers have closed a security hole.
---------------------------------------------
https://heise.de/-6344583
∗∗∗ VMSA-2022-0003 ∗∗∗
---------------------------------------------
VMware Cloud Foundation contains an information disclosure vulnerability due to the logging of plaintext credentials within some log files.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0003.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/883423/
∗∗∗ Ricon Mobile Industrial Cellular Router ∗∗∗
---------------------------------------------
This advisory contains mitigations for an OS Command Injection vulnerability in the Ricon Mobile Industrial Cellular Router mobile network router.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-032-01
∗∗∗ Advantech ADAM-3600 ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use of Hard-coded Cryptographic Key vulnerability in Advantech ADAM-3600 remote terminal units.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-032-02
∗∗∗ January 31, 2022 TNS-2022-04 [R1] Nessus 10.1.0 Fixes One Third-Party Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2022-04
∗∗∗ K59563964: Apache Log4j Remote Code Execution vulnerability CVE-2022-23302 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K59563964
∗∗∗ K97120268: Apache Log4j SQL injection vulnerability CVE-2022-23305 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K97120268
∗∗∗ K00322972: Apache Log4j Chainsaw vulnerability CVE-2022-23307 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00322972
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability (CVE-2021-4034) in Polkit affects IBM Netezza PDA OS Security ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Vulnerabilities in PostgreSQL, Node.js, and Data Tables from Spry Media may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-postgr…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerabilities in Golang Go, MinIO, and Python may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-golang…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may impact IBM Spectrum Protect Plus (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring operands and Integration Server operands that use the JDBC connector may be vulnerable to remote code execution due to CVE-2021-44228 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM Security Verify Access fixed a security vulnerability in the product. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces…
∗∗∗ Security Bulletin: IBM TRIRIGA Indoor Maps, a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to arbitrary code execution due to Apache Log4j library vulnerability (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-indoor-maps-a…
∗∗∗ Security Bulletin: Cross-site scripting and session fixation vulnerability in IBM Financial Transaction Manager for SWIFT Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-…