=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 06-02-2024 18:00 − Wednesday 07-02-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Fortinet snafu: Critical FortiSIEM CVEs are duplicates, issued in error ∗∗∗
---------------------------------------------
It turns out that critical Fortinet FortiSIEM vulnerabilities tracked as CVE-2024-23108 and CVE-2024-23109 are not new and have been published this year in error.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortinet-snafu-critical-fort…
∗∗∗ Key read out: Hobbyist bypasses BitLocker protection with a Raspberry Pi Pico ∗∗∗
---------------------------------------------
He was able to do this by intercepting the communication between the TPM chip soldered onto the notebook's mainboard and the CPU. [..] Security researchers already pointed out the possibility of such attacks on systems with external TPM chips in the summer of 2021. The reason, it was said back then, is that the encryption key is transmitted unencrypted, so it can simply be intercepted at the TPM's contacts.
---------------------------------------------
https://www.golem.de/news/schluessel-ausgelesen-bastler-umgeht-bitlocker-sc…
∗∗∗ Unleashing the Power of Scapy for Network Fuzzing ∗∗∗
---------------------------------------------
Cybersecurity is a critical aspect of any network or software system, and fuzzing is arguably one of the most potent techniques used to identify such security vulnerabilities. Fuzzing involves injecting unexpected or invalid data into the system, which can trigger unforeseen behaviours, potentially leading to security breaches or crashes. Scapy is one of the many tools that can be used for fuzzing, and it stands out as a versatile and efficient option.
---------------------------------------------
https://www.darkrelay.com/post/unleashing-the-power-of-scapy-for-network-fu…
∗∗∗ Anydesk breach: French BSI counterpart suspects December as the date of intrusion ∗∗∗
---------------------------------------------
The IT security incident at Anydesk possibly dates back to December 2023, as can be inferred from the information provided by the French IT security authority.
---------------------------------------------
https://www.heise.de/news/Anydesk-Einbruch-datiert-vermutlich-auf-Dezember-…
∗∗∗ E-mail from DNS EU is fraudulent ∗∗∗
---------------------------------------------
Many website operators are currently receiving e-mails from a supposed company called DNS EU. In the e-mail, the company claims to have received a "registration request" for a domain very similar to your own domain. You are offered the chance to buy this domain for € 297.50. Ignore this e-mail; the offer is fake.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-von-dns-eu-ist-betruegerisch/
∗∗∗ Increased ransomware attacks with Lockbit 3.0 ∗∗∗
---------------------------------------------
In recent days, Austrian companies and organisations have increasingly been affected by attacks with the Lockbit 3.0 ransomware. This is ransomware-as-a-service, which enables a large number of criminals to operate independently of one another and to attack a larger number of targets. Threat actors using Lockbit 3.0 in their attacks gain access to their victims' networks primarily through the abuse of RDP connections (for example using credentials stolen elsewhere) and the exploitation of vulnerabilities in internet-facing applications. We strongly recommend reviewing your own security measures [..]
---------------------------------------------
https://cert.at/de/aktuelles/2024/2/vermehrte-ransomware-angriffe-mit-lockb…
∗∗∗ Cyber Security Glossary: The Ultimate List ∗∗∗
---------------------------------------------
If you have anything to do with cyber security, you know it employs its own unique and ever-evolving language. Jargon and acronyms are the enemies of clear writing—and are beloved by cyber security experts. So Morphisec has created a comprehensive cyber security glossary that explains commonly used cybersecurity terms, phrases, and technologies. We designed this list to demystify the terms that security professionals use when describing security tools, threats, processes, and techniques. We will periodically update it, and hope you find it useful.
---------------------------------------------
https://blog.morphisec.com/cyber-security-glossary
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical security vulnerability in JetBrains TeamCity On-Premises ∗∗∗
---------------------------------------------
The software company JetBrains has published information about a critical security vulnerability in JetBrains TeamCity On-Premises. Exploitation of the vulnerability, CVE-2024-23917, allows unauthenticated attackers with HTTP(S) access to a vulnerable TeamCity instance to bypass authentication controls and thereby take over the affected installation completely.
---------------------------------------------
https://cert.at/de/aktuelles/2024/2/kritische-sicherheitslucke-in-jetbrains…
∗∗∗ Shim: Critical vulnerability endangers Secure Boot on Linux ∗∗∗
---------------------------------------------
A critical vulnerability has been discovered in an EFI application called Shim, which is used by most common Linux distributions, allowing attackers to execute malicious code and take complete control of a target system. According to the description of CVE-2023-40547, the flaw could be exploited via a specially crafted HTTP request that leads to a controlled out-of-bounds write.
---------------------------------------------
https://www.golem.de/news/shim-kritische-schwachstelle-gefaehrdet-secure-bo…
∗∗∗ Zeroshell vulnerable to OS command injection ∗∗∗
---------------------------------------------
The Zeroshell Linux distribution contains an OS command injection vulnerability. This vulnerability was reported in August 2020. The Zeroshell project reached EOL in April 2021. Communication with the developer was established in November 2023, and this JVN publication was agreed upon.
---------------------------------------------
https://jvn.jp/en/jp/JVN44033918/
∗∗∗ Cisco: (High) ClamAV OLE2 File Format Parsing Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the OLE2 file format parser of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. CVE-2024-20290
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco: (Critical) Cisco Expressway Series Cross-Site Request Forgery Vulnerabilities ∗∗∗
---------------------------------------------
Multiple vulnerabilities in the Cisco Expressway Series could allow an unauthenticated, remote attacker to conduct cross-site request forgery (CSRF) attacks, which could allow the attacker to perform arbitrary actions on an affected device. CVE-2024-20255, CVE-2024-20254, CVE-2024-20252
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ SolarWinds Platform 2024.1 Release Notes ∗∗∗
---------------------------------------------
A SQL injection remote code execution vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited and has not been reported outside of the initial report by the researcher. 8.0 High, CVE-2023-50395, CVE-2023-35188
---------------------------------------------
https://documentation.solarwinds.com/en/success_center/orionplatform/conten…
∗∗∗ VMware Aria: Security vulnerabilities allow privilege escalation, among other things ∗∗∗
---------------------------------------------
VMware is closing a total of five security vulnerabilities in Aria Operations for Networks, formerly distributed under the name vRealize, with updated software. According to the company's developers, the severity goes up to the risk level "high". Malicious actors can use the vulnerabilities to elevate their privileges on vulnerable systems without authorisation.
---------------------------------------------
https://www.heise.de/-9621415
∗∗∗ Privilege escalation possible through vulnerabilities in Veeam Recovery Orchestrator ∗∗∗
---------------------------------------------
Veeam is patching its Recovery Orchestrator software. Security vulnerabilities in it allow malicious actors to escalate privileges.
---------------------------------------------
https://www.heise.de/-9621609
∗∗∗ Security updates: Dell closes older vulnerabilities in backup solutions such as Avamar ∗∗∗
---------------------------------------------
Vulnerabilities in third-party components endanger the security of Dell backup software. Security updates are available.
---------------------------------------------
https://www.heise.de/9621283
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Red Hat (gimp) and Ubuntu (firefox, linux-oracle, linux-oracle-5.15, and python-django).
---------------------------------------------
https://lwn.net/Articles/961173/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Google Chrome 121.0.6167.160/161 / 120.0.6099.283 with security fixes ∗∗∗
---------------------------------------------
https://www.borncity.com/blog/2024/02/07/google-chrome-121-0-6167-160-161-1…
∗∗∗ [R1] Nessus Version 10.7.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2024-01
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 05-02-2024 18:00 − Tuesday 06-02-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities ∗∗∗
---------------------------------------------
We have analyzed all critical vulnerabilities from the CISA KEV catalog starting from January 2023 through January 2024, categorized the vulnerability root causes, and attempted to analyze if the current efforts in the information security industry match with the current threat vectors being abused.
---------------------------------------------
https://www.horizon3.ai/analysis-of-2023s-known-exploited-vulnerabilities/
∗∗∗ Dubious dirndl shops threatening legal action? Ignore the messages! ∗∗∗
---------------------------------------------
Numerous affected people are currently contacting Watchlist Internet because dubious clothing and dirndl shops are trying, months after the orders, to intimidate customers and pressure them into paying. Since completely wrong products were delivered, however, there is no reason to pay and therefore no reason to worry!
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-dirndl-shops-drohen-mit-a…
∗∗∗ How are user credentials stolen and used by threat actors? ∗∗∗
---------------------------------------------
You’ve probably heard the phrase, “Attackers don’t hack anyone these days. They log on.” In this blog, we describe the various tools and techniques bad actors are using to steal credentials so they can log on with valid account details, and outline our recommendations for defense.
---------------------------------------------
https://blog.talosintelligence.com/how-are-user-credentials-stolen-and-used…
∗∗∗ Navigating the Rising Tide of CI/CD Vulnerabilities: The Jenkins and TeamCity Case Studies ∗∗∗
---------------------------------------------
In the evolving landscape of cybersecurity, a new threat has emerged, targeting the core of software development processes. Recently, an alarming incident has brought to light a significant vulnerability in Jenkins CI/CD servers. Approximately 45,000 Jenkins servers have been left exposed to remote code execution (RCE) attacks, leveraging multiple exploit public POCs. This breach is not just a standalone event but a symptom of a growing trend of attacks on Continuous Integration/Continuous Deployment (CI/CD) software supply chains.
---------------------------------------------
https://checkmarx.com/blog/navigating-the-rising-tide-of-ci-cd-vulnerabilit…
∗∗∗ Experts Detail New Flaws in Azure HDInsight Spark, Kafka, and Hadoop Services ∗∗∗
---------------------------------------------
Three new security vulnerabilities have been discovered in Azure HDInsights Apache Hadoop, Kafka, and Spark services that could be exploited to achieve privilege escalation and a regular expression denial-of-service (ReDoS) condition. [..] Following responsible disclosure, Microsoft has rolled out fixes as part of updates released on October 26, 2023.
---------------------------------------------
https://thehackernews.com/2024/02/high-severity-flaws-found-in-azure.html
∗∗∗ Exploring the (Not So) Secret Code of Black Hunt Ransomware ∗∗∗
---------------------------------------------
In this analysis we examined the BlackHunt sample shared on X (formerly Twitter). During our analysis we found notable similarities between BlackHunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware.
---------------------------------------------
https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-cod…
=====================
= Vulnerabilities =
=====================
∗∗∗ Android Patchday: Critical system-level code execution vulnerability closed ∗∗∗
---------------------------------------------
Several security vulnerabilities endanger Android devices. Updates have been released for certain smartphones and tablets.
---------------------------------------------
https://www.heise.de/-9619910
∗∗∗ Security update: Several vulnerabilities endanger the server monitoring tool Nagios XI ∗∗∗
---------------------------------------------
Under certain conditions, attackers can upload malicious code to servers running Nagios XI. A security update closes this and other vulnerabilities.
---------------------------------------------
https://www.heise.de/-9620155
∗∗∗ Critical vulnerabilities in Canon multifunction and laser printers ∗∗∗
---------------------------------------------
Canon warns of critical security vulnerabilities in some SOHO multifunction and laser printers. Countermeasures are intended to help.
---------------------------------------------
https://www.heise.de/-9620345
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, gstreamer1-plugins-bad-free, and tigervnc), Debian (ruby-sanitize), Fedora (kernel, kernel-headers, qt5-qtwebengine, and runc), Oracle (gnutls, kernel, libssh, rpm, runc, and tigervnc), Red Hat (runc), and SUSE (bouncycastle, jsch, python, and runc).
---------------------------------------------
https://lwn.net/Articles/961083/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2024-0001 ∗∗∗
---------------------------------------------
CVE identifiers: CVE-2024-23222, CVE-2024-23206, CVE-2024-23213, CVE-2023-40414, CVE-2023-42833, CVE-2014-1745
---------------------------------------------
https://webkitgtk.org/security/WSA-2024-0001.html
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
Google Chromium V8 Type Confusion Vulnerability CVE-2023-4762
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/02/06/cisa-adds-one-known-expl…
∗∗∗ MISP 2.4.184 released with performance improvements, security and bugs fixes. ∗∗∗
---------------------------------------------
A series of security fixes were done in this release; the vulnerabilities are accessible to authenticated users, especially those with specific privileges such as Org admin. We urge users to update to this version, especially if you have different organisations having access to your instances.
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.184
∗∗∗ ZDI-24-086: TP-Link Omada ER605 Access Control Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-086/
∗∗∗ ZDI-24-085: (Pwn2Own) TP-Link Omada ER605 DHCPv6 Client Options Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-085/
∗∗∗ ZDI-24-087: (Pwn2Own) Western Digital MyCloud PR4100 RESTSDK Server-Side Request Forgery Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-24-087/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Pilz: Multiple products affected by uC/HTTP vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-002/
∗∗∗ HID Global Encoders ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-01
∗∗∗ HID Global Reader Configuration Cards ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-037-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 02-02-2024 18:00 − Monday 05-02-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Newest Ivanti SSRF zero-day now under mass exploitation ∗∗∗
---------------------------------------------
An Ivanti Connect Secure and Ivanti Policy Secure server-side request forgery (SSRF) vulnerability tracked as CVE-2024-21893 is currently under mass exploitation by multiple attackers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/newest-ivanti-ssrf-zero-day-…
∗∗∗ Cyberattack: Remote maintenance software vendor Anydesk hacked ∗∗∗
---------------------------------------------
Anydesk has fallen victim to a cyberattack. The consequences are not yet clear, but potentially serious.
---------------------------------------------
https://www.golem.de/news/cyberangriff-fernwartungssoftware-anbieter-anydes…
∗∗∗ Darknet: Anydesk credentials surface on hacker forums ∗∗∗
---------------------------------------------
According to current findings, the source of the data is probably not the recent security incident at Anydesk. A password change is nevertheless recommended.
---------------------------------------------
https://www.golem.de/news/darknet-anydesk-zugangsdaten-in-hackerforen-aufge…
∗∗∗ How to hack the Airbus NAVBLUE Flysmart+ Manager ∗∗∗
---------------------------------------------
Airbus Navblue Flysmart+ Manager allowed attackers to tamper with the engine performance calculations and intercept data. Flysmart+ is a suite of apps for pilot EFBs, helping deliver efficient and safe departure and arrival of flights. Researchers from Pen Test Partners discovered a vulnerability in Navblue Flysmart+ Manager that can be exploited [...]
---------------------------------------------
https://securityaffairs.com/158661/hacking/airbus-flysmart-flaw.html
∗∗∗ Encrypted Attacks: Impact on Public Sector ∗∗∗
---------------------------------------------
Following FBI and CISA warnings to public sector defenders in November regarding increased targeting by infamous ransomware groups, the imperative to understand and defend against evolving - and increasingly covert - cyber threats has intensified. According to Zscaler ThreatLabz analysis of the 2023 threat landscape, 86% of threats hide within encrypted traffic. What does this mean for the public sector?
---------------------------------------------
https://www.zscaler.com/blogs/security-research/encrypted-attacks-impact-pu…
∗∗∗ Hacking a Smart Home Device ∗∗∗
---------------------------------------------
How I reverse engineered an ESP32-based smart home device to gain remote control access and integrate it with Home Assistant.
---------------------------------------------
https://jmswrnr.com/blog/hacking-a-smart-home-device
∗∗∗ Video conference full of AI clones: Employee sends fraudsters 24 million euros ∗∗∗
---------------------------------------------
Until now, in the "CEO fraud" scheme, employees have mostly been persuaded by a single person to hand over money. A case in Hong Kong has now reached a new level.
---------------------------------------------
https://www.heise.de/-9618064.html
∗∗∗ Hard-coded password: Heat pumps from Alpha Innotec and Novelan vulnerable ∗∗∗
---------------------------------------------
An IT researcher has found the hard-coded root password in the firmware of Alpha Innotec and Novelan heat pumps. Updates provide a remedy.
---------------------------------------------
https://www.heise.de/-9618846.html
∗∗∗ Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin ∗∗∗
---------------------------------------------
TL;DR: NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Secure Connect VPN using the following zero-day vulnerabilities reported by Volexity on 10/01/2024: [...]
---------------------------------------------
https://research.nccgroup.com/2024/02/05/ivanti-zero-day-threat-actors-obse…
∗∗∗ Warning: E-Card with 500 euro credit for pharmacy purchases is fake ∗∗∗
---------------------------------------------
An "E-Card gift card" is being advertised on Facebook. If you fill in a short survey and transfer 2 euros, you will supposedly receive 500 euros for pharmacy purchases. Beware, this is fraud. No such offer exists!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-e-card-mit-500-euro-guthaben…
∗∗∗ Security incident at AnyDesk Software GmbH ∗∗∗
---------------------------------------------
The German software manufacturer AnyDesk Software GmbH, developer of the remote maintenance software AnyDesk, announced in a press release on the evening of 02.02.2024 that its infrastructure had been successfully attacked. According to the company, an external security service provider was brought in to handle the incident immediately after its discovery, and the responsible authorities were informed. The company further states that no private keys, [...]
---------------------------------------------
https://cert.at/de/aktuelles/2024/2/sicherheitsvorfall-bei-der-anydesk-soft…
=====================
= Vulnerabilities =
=====================
∗∗∗ Docker, Kubernetes and co.: Hackers can access host systems from containers ∗∗∗
---------------------------------------------
The vulnerabilities relate to Buildkit and the CLI tool runc. One of them reaches the maximum possible severity with a CVSS score of 10.
---------------------------------------------
https://www.golem.de/news/docker-kubernetes-und-co-hacker-koennen-aus-conta…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (rear, runc, sudo, and zbar), Fedora (chromium, grub2, libebml, mingw-python-pygments, and python-aiohttp), Gentoo (FreeType, GNAT Ada Suite, Microsoft Edge, NBD Tools, OpenSSL, QtGui, SDDM, Wireshark, and Xen), Mageia (dracut, glibc, nss and firefox, openssl, packages, perl, and thunderbird), Slackware (libxml2), SUSE (java-11-openjdk, java-17-openjdk, perl, python-uamqp, slurm, and xerces-c), and Ubuntu (libssh and openssl).
---------------------------------------------
https://lwn.net/Articles/960952/
∗∗∗ 2024-02-05: Cyber Security Advisory - B&R Automation Runtime FTP uses unsecure encryption mechanisms ∗∗∗
---------------------------------------------
https://www.br-automation.com/fileadmin/SA23P004_FTP_uses_unsecure_encrypti…
∗∗∗ Canon: CPE2024-001 – Regarding vulnerabilities for Small Office Multifunction Printers and Laser Printers – 05 February 2024 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ QNAP: New firmware versions fix command injection vulnerability ∗∗∗
---------------------------------------------
https://www.heise.de/-9617332.html
∗∗∗ IT security monitoring Juniper JSA vulnerable to several attacks ∗∗∗
---------------------------------------------
https://www.heise.de/-9617677.html
∗∗∗ HCL closes security vulnerabilities in Bigfix, Devops Deploy and Launch ∗∗∗
---------------------------------------------
https://www.heise.de/-9618224.html
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 01-02-2024 18:00 − Friday 02-02-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Shutdown order: US agencies must take Ivanti devices off the network ∗∗∗
---------------------------------------------
In an emergency directive, the US cybersecurity agency orders affected bodies to act within the next few hours. Ivanti devices are to be taken offline.
---------------------------------------------
https://www.heise.de/news/Abschaltbefehl-US-Behoerden-muessen-Ivanti-Geraet…
∗∗∗ Report: How attackers broke into Cloudflare's network ∗∗∗
---------------------------------------------
After concluding its investigation of an IT security incident, CDN operator Cloudflare describes how the attack unfolded.
---------------------------------------------
https://www.heise.de/news/Bericht-Wie-Angreifer-in-das-Netzwerk-von-Cloudfl…
∗∗∗ VajraSpy: A Patchwork hodgepodge of spyware apps ∗∗∗
---------------------------------------------
ESET researchers discovered several Android apps containing VajraSpy, a RAT used by the Patchwork APT group.
---------------------------------------------
https://www.welivesecurity.com/fr/cybersecurite/vajraspy-ein-patchwork-samm…
∗∗∗ Seemingly harmless PDF viewer empties the bank accounts of unsuspecting Android users ∗∗∗
---------------------------------------------
A new wave of malware is currently circulating that has already emptied numerous bank accounts in the past. It is the banking trojan Anatsa, which is distributed via the installation of apps such as PDF Viewer or PDF Reader from the Google Play Store.
---------------------------------------------
https://www.watchlist-internet.at/news/scheinbar-harmloser-pdf-viewer-leert…
∗∗∗ Exploring the Latest Mispadu Stealer Variant ∗∗∗
---------------------------------------------
Evaluation of a new variant of Mispadu, a banking Trojan, highlights how infostealers evolve over time and can be hard to pin to past campaigns.
---------------------------------------------
https://unit42.paloaltonetworks.com/mispadu-infostealer-variant/
∗∗∗ How Memory Forensics Revealed Exploitation of Ivanti Connect Secure VPN Zero-Day Vulnerabilities ∗∗∗
---------------------------------------------
As outlined in the previous blog series, while Volexity leveraged network packet captures and disk images to reconstruct parts of the attack, it was ultimately a memory sample that allowed Volexity to confirm exploitation.
---------------------------------------------
https://www.volexity.com/blog/2024/02/01/how-memory-forensics-revealed-expl…
∗∗∗ Threat Actors Installing Linux Backdoor Accounts ∗∗∗
---------------------------------------------
Threat actors install malware by launching brute force and dictionary attacks against Linux systems that are poorly managed, such as using default settings or having a simple password.
---------------------------------------------
https://asec.ahnlab.com/en/61185/
∗∗∗ How We Were Able to Infiltrate Attacker Telegram Bots ∗∗∗
---------------------------------------------
It is not uncommon for attackers to publish malicious packages that exfiltrate victims’ data to them using Telegram bots. However, what if we could eavesdrop on what the attacker sees?
---------------------------------------------
https://checkmarx.com/blog/how-we-were-able-to-infiltrate-attacker-telegram…
∗∗∗ Jenkins Vulnerability Estimated to Affect 43% of Cloud Environments ∗∗∗
---------------------------------------------
From our scans on the Orca Cloud Security Platform, we found that 43% of organizations operate at least one unmanaged Jenkins server in their environment.
---------------------------------------------
https://orca.security/resources/blog/jenkins-arbitrary-file-read-vulnerabil…
=====================
= Vulnerabilities =
=====================
∗∗∗ CISA warning: Old iPhone vulnerability is being actively exploited ∗∗∗
---------------------------------------------
According to the US security agency, a kernel vulnerability patched by Apple is being actively exploited in attacks. For older iPhones there appears to be no patch.
---------------------------------------------
https://www.heise.de/news/CISA-Warnung-Alte-iPhone-Schwachstelle-wird-aktiv…
∗∗∗ Security update: IBM security solution QRadar SIEM vulnerable on Linux ∗∗∗
---------------------------------------------
Several components of an add-on of IBM's Security Information and Event Management system QRadar are vulnerable.
---------------------------------------------
https://www.heise.de/news/Sicherheitsupdate-IBM-Sicherheitsloesung-QRadar-S…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, man-db, and openjdk-17), Fedora (chromium, indent, jupyterlab, kernel, and python-notebook), Gentoo (glibc), Oracle (firefox, thunderbird, and tigervnc), Red Hat (rpm), SUSE (cpio, gdb, gstreamer, openconnect, slurm, slurm_18_08, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, squid, webkit2gtk3, and xerces-c), and Ubuntu (imagemagick and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/960604/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ QNAP Security Advisories ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisories/
∗∗∗ Moby and Open Container Initiative Release Critical Updates for Multiple Vulnerabilities Affecting Docker-related Components ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/02/01/moby-and-open-container-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 31-01-2024 18:00 − Thursday 01-02-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Exploit released for Android local elevation flaw impacting 7 OEMs ∗∗∗
---------------------------------------------
A proof-of-concept (PoC) exploit for a local privilege elevation flaw impacting at least seven Android original equipment manufacturers (OEMs) is now publicly available on GitHub. However, as the exploit requires local access, its release will mostly be helpful to researchers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exploit-released-for-android…
∗∗∗ Hackers push USB malware payloads via news, media hosting sites ∗∗∗
---------------------------------------------
A financially motivated threat actor using USB devices for initial infection has been found abusing legitimate online platforms, including GitHub, Vimeo, and Ars Technica, to host encoded payloads embedded in seemingly benign content.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-push-usb-malware-pay…
∗∗∗ The Fun and Dangers of Top Level Domains (TLDs), (Wed, Jan 31st) ∗∗∗
---------------------------------------------
In the beginning, life was easy. We had a very limited set of top-level domains: .com, .edu, .gov, .int, .org, .mil, .net. In addition, we had .arpa for infrastructure use and various two letter country level domains. [..] But yesterday, I noticed some news about a new interesting TLD that you may want to consider adopting: .internal.
---------------------------------------------
https://isc.sans.edu/diary/rss/30608
∗∗∗ FritzFrog Returns with Log4Shell and PwnKit, Spreading Malware Inside Your Network ∗∗∗
---------------------------------------------
The threat actor behind a peer-to-peer (P2P) botnet known as FritzFrog has made a return with a new variant that leverages the Log4Shell vulnerability to propagate internally within an already compromised network.
---------------------------------------------
https://thehackernews.com/2024/02/fritzfrog-returns-with-log4shell-and.html
∗∗∗ Stealthy Persistence & PrivEsc in Entra ID by using the Federated Auth Secondary Token-signing Cert. ∗∗∗
---------------------------------------------
Microsoft Entra ID (formerly known as Azure AD) offers a feature called federation that allows you to delegate authentication to another Identity Provider (IdP), such as AD FS with on-prem Active Directory. When users log in, they will be redirected to the external IdP for authentication, before being redirected back to Entra ID who will then verify the successful authentication on the external IdP and the user’s identity. [..] The external IdP signs the token with a private key, which has an associated public key stored in a certificate. [..] In this post, I’ll show you where this certificate can be found and how attackers can add it (given the necessary privileges) and use it to forge malicious tokens. Finally, I will provide some recommendations for defense in light of this.
---------------------------------------------
https://medium.com/tenable-techblog/stealthy-persistence-privesc-in-entra-i…
∗∗∗ OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges ∗∗∗
---------------------------------------------
Open Automation Software recently released patches for multiple vulnerabilities in their OAS Engine. Cisco Talos publicly disclosed these issues after working with Open Automation Software to ensure that patches were available for users. Now that a fix has been released with Version 19, we want to take the time to dive into a few of these vulnerabilities and show how a handful of bugs that could be viewed as low-impact could be exploited as a series to carry out various malicious actions, even going as far as gaining access to the underlying system.
---------------------------------------------
https://blog.talosintelligence.com/oas-engine-deep-dive/
=====================
= Vulnerabilities =
=====================
∗∗∗ Mastodon: theft of arbitrary identities in the federated microblogging service ∗∗∗
---------------------------------------------
Attackers can take over and impersonate any account. [..] The vulnerability has been assigned CVE-2024-23832 and scores a notable 9.4 out of 10 CVSS points. According to the Mastodon team's assessment, it is an easily remotely exploitable flaw with no preconditions whatsoever. The attacker neither needs special privileges nor has to trick a legitimate user, for instance with a forged link. The developers will not reveal further details until 15 February.
---------------------------------------------
https://www.heise.de/-9615961
∗∗∗ Security Update for Ivanti Connect Secure and Ivanti Policy Secure Gateways ∗∗∗
---------------------------------------------
Update 1 February: A patch addressing all known vulnerabilities is now available for Ivanti Connect Secure version 22.5R2.2 and Ivanti Policy Secure 22.5R1.1.
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-connect-secure-and-i…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (debian-security-support, firefox-esr, openjdk-11, and python-asyncssh), Fedora (glibc, python-templated-dictionary, thunderbird, and xorg-x11-server-Xwayland), Gentoo (Chromium, Google Chrome, Microsoft Edge and WebKitGTK+), Red Hat (firefox, gnutls, libssh, thunderbird, and tigervnc), SUSE (mbedtls, rear116, rear1172a, runc, squid, and tinyssh), and Ubuntu (glibc and runc).
---------------------------------------------
https://lwn.net/Articles/960436/
∗∗∗ Gessler GmbH WEB-MASTER ∗∗∗
---------------------------------------------
Successful exploitation of these vulnerabilities could allow a user to take control of the web management of the device. An attacker with access to the device could also extract and break the password hashes for all users stored on the device. CVSS v3 9.8
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-01
∗∗∗ Entity Delete Log - Moderately critical - Access bypass - SA-CONTRIB-2024-007 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-007
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Lexmark Security Advisories ∗∗∗
---------------------------------------------
https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisorie…
∗∗∗ Juniper: (Critical) 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in JSA Applications ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S…
∗∗∗ Juniper: (Medium) 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved in 7.5.0 UP7 IF04 ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (January 22, 2024 to January 28, 2024) ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/02/wordfence-intelligence-weekly-wordpr…
∗∗∗ AVEVA Edge products (formerly known as InduSoft Web Studio) ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-032-03
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 30-01-2024 18:00 − Wednesday 31-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Debian, Ubuntu and more: glibc vulnerability enables root access on Linux ∗∗∗
---------------------------------------------
In addition, further vulnerabilities in the GNU C library were uncovered. One of them has apparently existed for more than 30 years.
---------------------------------------------
https://www.golem.de/news/debian-ubuntu-und-mehr-glibc-schwachstelle-ermoeg…
∗∗∗ Tracking 15 Years of Qakbot Development ∗∗∗
---------------------------------------------
Qakbot (aka QBot or Pinkslipbot) is a malware trojan that has been used to operate one of the oldest and longest running cybercriminal enterprises. Qakbot has evolved from a banking trojan to a malware implant that can be used for lateral movement and the eventual deployment of ransomware. In August 2023, the Qakbot infrastructure was dismantled by law enforcement. However, just several months later in December 2023, the fifth (and latest) version of Qakbot was released, [...]
---------------------------------------------
https://www.zscaler.com/blogs/security-research/tracking-15-years-qakbot-de…
∗∗∗ Ransomware: online tool may decrypt BlackCat & Co. ∗∗∗
---------------------------------------------
If the prerequisites are met, ransomware victims can decrypt data on a website without paying a ransom.
---------------------------------------------
https://www.heise.de/-9614278.html
∗∗∗ A zero-day vulnerability (and PoC) to blind defenses relying on Windows event logs ∗∗∗
---------------------------------------------
A zero-day vulnerability that, when triggered, could crash the Windows Event Log service on all supported (and some legacy) versions of Windows could spell trouble for enterprise defenders. Discovered by a security researcher named Florian and reported to Microsoft, the vulnerability is yet to be patched. In the meantime, the researcher has gotten the go-ahead from the company to publish a PoC exploit.
---------------------------------------------
https://www.helpnetsecurity.com/2024/01/31/windows-event-log-vulnerability/
∗∗∗ Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation ∗∗∗
---------------------------------------------
Update (Jan. 31): We released a follow-up blog post containing additional details from our investigations into this threat, along with more recommendations for defenders. Note: This is a developing campaign under active analysis by Mandiant and Ivanti. We will continue to add more indicators, detections, and information to this blog post as needed.
---------------------------------------------
https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-d…
∗∗∗ CISA and FBI Release Secure by Design Alert Urging Manufacturers to Eliminate Defects in SOHO Routers ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) published guidance on Security Design Improvements for SOHO Device Manufacturers as a part of the new Secure by Design (SbD) Alert series that focuses on how manufacturers should shift the burden of security away from customers by integrating security into product design and development.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-and-fbi-release-sec…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (bind9 and glibc), Fedora (ncurses), Gentoo (containerd, libaom, and xorg-server, xwayland), Mageia (python-pillow and zlib), Oracle (grub2 and tomcat), Red Hat (avahi, c-ares, container-tools:3.0, curl, firefox, frr, kernel, kernel-rt, kpatch-patch, libfastjson, libmicrohttpd, linux-firmware, oniguruma, openssh, perl-HTTP-Tiny, python-pip, python-urllib3, python3, rpm, samba, sqlite, tcpdump, thunderbird, tigervnc, and virt:rhel and virt-devel:rhel modules), SUSE (python-Pillow, slurm, slurm_20_02, slurm_20_11, slurm_22_05, slurm_23_02, and xen), and Ubuntu (libde265, linux-nvidia, mysql-8.0, openldap, pillow, postfix, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/960248/
∗∗∗ Mattermost security updates 9.4.2 / 9.3.1 / 9.2.5 / 8.1.9 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-4-2-9-3-1-9-2-5-8…
∗∗∗ CISA ICS Advisories ∗∗∗
---------------------------------------------
- Hitron Systems Security Camera DVR
- Rockwell Automation ControlLogix and GuardLogix
- Rockwell Automation FactoryTalk Service Platform
- Rockwell Automation LP30/40/50 and BM40 Operator Interface
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories?f%5B0%5D=advisory…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2022-48618 Apple Multiple Products Improper Authentication Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/31/cisa-adds-one-known-expl…
∗∗∗ Security Advisory Report - OBSO-2401-03 ∗∗∗
---------------------------------------------
A command injection vulnerability has been identified in the MyPortal@Work application of Atos OpenScape Business which, if successfully exploited, could allow a malicious actor to execute arbitrary scripts on a client machine.
The severity is rated high.
Customers are advised to update the systems with the available fix release.
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2401-03.pdf
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Google Chrome: update closes four security vulnerabilities ∗∗∗
---------------------------------------------
https://www.heise.de/-9613823.html
∗∗∗ SVD-2024-0112: Third-Party Package Updates in Splunk Add-on Builder - January 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0112
∗∗∗ SVD-2024-0111: Sensitive Information Disclosure to Internal Log Files in Splunk Add-on Builder ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0111
∗∗∗ SVD-2024-0110: Session Token Disclosure to Internal Log Files in Splunk Add-on Builder ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0110
∗∗∗ The WordPress 6.4.3 Security Update – What You Need to Know ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-…
∗∗∗ Tor Code Audit Finds 17 Vulnerabilities ∗∗∗
---------------------------------------------
https://www.securityweek.com/tor-code-audit-finds-17-vulnerabilities/
∗∗∗ Update #5: Critical vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure - actively exploited - patches available ∗∗∗
---------------------------------------------
https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-c…
∗∗∗ List of Security Fixes and Improvements in Veeam Backup for Nutanix AHV ∗∗∗
---------------------------------------------
https://www.veeam.com/kb4236
=====================
= End-of-Day report =
=====================
Timeframe: Monday 29-01-2024 18:00 − Tuesday 30-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Ransomware attack: hackers siphon off internal data from Schneider Electric ∗∗∗
---------------------------------------------
The Cactus ransomware group is allegedly behind the attack. It has apparently exfiltrated several terabytes of data and is demanding a ransom.
---------------------------------------------
https://www.golem.de/news/ransomwareattacke-hacker-greifen-interne-daten-vo…
∗∗∗ What did I say to make you stop talking to me?, (Tue, Jan 30th) ∗∗∗
---------------------------------------------
We use Cowrie to emulate an SSH and Telnet server for our honeypots. Cowrie is great software maintained by Michel Oosterhof.
---------------------------------------------
https://isc.sans.edu/diary/rss/30604
∗∗∗ New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility ∗∗∗
---------------------------------------------
Threat hunters have identified a new campaign that delivers the ZLoader malware, resurfacing nearly two years after the botnet's infrastructure was dismantled in April 2022.
---------------------------------------------
https://thehackernews.com/2024/01/new-zloader-malware-variant-surfaces.html
∗∗∗ Is Your SAP Cloud Connector Safe? The Risk You Can’t Ignore ∗∗∗
---------------------------------------------
In this article, we will discuss security issues and provide recommendations to mitigate the risks associated with using SAP CC on the Windows platform.
---------------------------------------------
https://redrays.io/blog/sap-cloud-connector-security/
∗∗∗ Ransomware report: fewer and fewer victims pay the ransom ∗∗∗
---------------------------------------------
Security researchers highlight current trends in ransomware. Among other things, ransom amounts are shrinking.
---------------------------------------------
https://www.heise.de/news/Ransomware-Bericht-Immer-weniger-Opfer-zahlen-Loe…
∗∗∗ Better not: weight-loss pills from Keto Base ∗∗∗
---------------------------------------------
A fake online article advertises weight-loss pills from Keto Base. This "miracle cure" for rapid weight loss was supposedly presented and funded on the TV show "Höhle des Löwen". That is fake news, however. The offer is dubious and, in the worst case, harms your health.
---------------------------------------------
https://www.watchlist-internet.at/news/lieber-nicht-abnehm-pillen-von-keto-…
∗∗∗ Trigona Ransomware Threat Actor Uses Mimic Ransomware ∗∗∗
---------------------------------------------
AhnLab SEcurity intelligence Center (ASEC) has recently identified a new activity of the Trigona ransomware threat actor installing Mimic ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/61000/
∗∗∗ DarkGate malware delivered via Microsoft Teams - detection and response ∗∗∗
---------------------------------------------
While most end users are well-acquainted with the dangers of traditional phishing attacks, such as those delivered via email or other media, a large proportion are likely unaware that Microsoft Teams chats could be a phishing vector.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/darkgate-malware-de…
=====================
= Vulnerabilities =
=====================
∗∗∗ DLL proxying: Trend Micro delivers updates, other vendors vulnerable ∗∗∗
---------------------------------------------
IT researchers have found DLL-proxying vulnerabilities in antivirus programs from several vendors. Trend Micro already has updates.
---------------------------------------------
https://www.heise.de/news/DLL-Proxying-Trend-Micro-liefert-Updates-weitere-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pillow, postfix, and redis), Fedora (python-templated-dictionary and selinux-policy), Red Hat (gnutls, kpatch-patch, libssh, and tomcat), and Ubuntu (amanda, ceph, linux-azure, linux-azure-4.15, linux-kvm, and tinyxml).
---------------------------------------------
https://lwn.net/Articles/960008/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ XSA-450 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-450.html
∗∗∗ XSA-449 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-449.html
∗∗∗ Festo: Multiple products contain CoDe16 vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-063/
∗∗∗ Pilz: Vulnerability in PASvisu and PMI v8xx ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-050/
∗∗∗ Emerson Rosemount GC370XA, GC700XA, GC1500XA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-01
∗∗∗ Mitsubishi Electric FA Engineering Software Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02
∗∗∗ Mitsubishi Electric MELSEC WS Series Ethernet Interface Module ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-03
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NAS products ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 26-01-2024 18:00 − Monday 29-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Token leak: Mercedes-Benz source code was apparently freely accessible online ∗∗∗
---------------------------------------------
A Mercedes-Benz authentication token apparently sat in a public GitHub repository for several months - with far-reaching access rights.
---------------------------------------------
https://www.golem.de/news/token-leak-quellcode-von-mercedes-benz-lag-wohl-f…
∗∗∗ Exploit Flare Up Against Older Atlassian Confluence Vulnerability, (Mon, Jan 29th) ∗∗∗
---------------------------------------------
Last October, Atlassian released a patch for CVE-2023-22515 [1]. This vulnerability allowed attackers to create new admin users in Confluence. Today, I noticed a bit of a "flare up" in a specific exploit variant.
---------------------------------------------
https://isc.sans.edu/diary/rss/30600
∗∗∗ Trusted Domain, Hidden Danger: Deceptive URL Redirections in Email Phishing Attacks ∗∗∗
---------------------------------------------
In this ever-evolving landscape of cyberthreats, email has become a prime target for phishing attacks. Cybercriminals continue to adapt and employ more sophisticated methods to effectively deceive users and bypass detection measures. One of the most prevalent tactics nowadays involves exploiting legitimate platforms for redirection through deceptive links. In this blog post, we'll explore how trusted platforms are increasingly being exploited as redirectors, [...]
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trusted-dom…
∗∗∗ Albabat, Kasseika, Kuiper: New Ransomware Gangs Rise with Rust and Golang ∗∗∗
---------------------------------------------
Cybersecurity researchers have detected in the wild yet another variant of the Phobos ransomware family known as Faust. Fortinet FortiGuard Labs, which detailed the latest iteration of the ransomware, said it's being propagated by means of an infection that delivers a Microsoft Excel document (.XLAM) containing a VBA script.
---------------------------------------------
https://thehackernews.com/2024/01/albabat-kasseika-kuiper-new-ransomware.ht…
∗∗∗ Update now! Exploits for critical Jenkins vulnerability in circulation ∗∗∗
---------------------------------------------
Exploit code has surfaced for the critical Jenkins vulnerability that became known last week. High time to update!
---------------------------------------------
https://www.heise.de/-9611923.html
∗∗∗ Extortion in South Westphalia: Akira got into the municipal network with a guessed password ∗∗∗
---------------------------------------------
A forensic report now available gives the municipal IT association a middling report card. Crisis management continues.
---------------------------------------------
https://www.heise.de/-9610102.html
∗∗∗ 10 things to do to improve your online privacy ∗∗∗
---------------------------------------------
It's Data Privacy Week, so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.
---------------------------------------------
https://www.malwarebytes.com/blog/personal/2024/01/10-things-to-do-to-impro…
∗∗∗ This is how you get ripped off when looking for an apartment ∗∗∗
---------------------------------------------
Central location, freshly renovated, high-quality furniture - and comparatively cheap. Anyone looking for an apartment will sooner or later come across such a listing and be overwhelmed. Unfortunately, it is very likely a fraudulent listing. Criminals use one-of-a-kind offers to try to extract advance payments from you. We show you how not to get scammed when looking for an apartment.
---------------------------------------------
https://www.watchlist-internet.at/news/so-werden-sie-bei-der-wohnungssuche-…
∗∗∗ Akira Ransomware and exploitation of Cisco Anyconnect vulnerability CVE-2020-3259 ∗∗∗
---------------------------------------------
In several recent incident response missions, the Truesec CSIRT team made forensic observations indicating that the old vulnerability CVE-2020-3259 is likely to be actively exploited.
---------------------------------------------
https://www.truesec.com/hub/blog/akira-ransomware-and-exploitation-of-cisco…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, kernel, LibRaw, python-pillow, and xorg-x11-server), Debian (gst-plugins-bad1.0, libspreadsheet-parsexlsx-perl, mariadb-10.3, and slurm-wlm), Fedora (atril, dotnet8.0, gnutls, prometheus-podman-exporter, python-jinja2, sudo, and vips), Oracle (frr, kernel, php:8.1, python-urllib3, python3.9, rpm, sqlite, and tomcat), Slackware (pam), SUSE (cpio, rear23a, rear27a, sevctl, and xorg-x11-server), and Ubuntu (exim4 and firefox).
---------------------------------------------
https://lwn.net/Articles/959882/
∗∗∗ Vulnerabilities in WatchGuard, Panda Security Products Lead to Code Execution ∗∗∗
---------------------------------------------
Two memory safety vulnerabilities in WatchGuard and Panda Security products could lead to code execution with System privileges.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-in-watchguard-panda-security-p…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Trumpf: Multiple products contain WIBU CodeMeter vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-001/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 25-01-2024 18:00 − Friday 26-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Via push notifications: prominent iOS apps secretly harvest device data ∗∗∗
---------------------------------------------
The data collectors apparently include iOS apps of well-known online services such as TikTok, Facebook, Instagram, Threads, LinkedIn, Bing and X.
---------------------------------------------
https://www.golem.de/news/ueber-push-benachrichtigungen-prominente-ios-apps…
∗∗∗ MFA was inactive: Microsoft reveals how hackers got hold of internal emails ∗∗∗
---------------------------------------------
According to Microsoft, the attackers first infiltrated a test account with MFA disabled - using a proxy infrastructure.
---------------------------------------------
https://www.golem.de/news/mfa-war-inaktiv-microsoft-deckt-auf-wie-hacker-an…
∗∗∗ Crafted URL can become dangerous for Juniper firewalls and switches ∗∗∗
---------------------------------------------
Juniper developers have closed several security vulnerabilities in Junos OS. Not all updates are available yet, though.
---------------------------------------------
https://www.heise.de/-9609333.html
∗∗∗ Confusing: internet domain fritz.box shows NFT gallery instead of router administration ∗∗∗
---------------------------------------------
A week ago, unknown parties registered the domain "fritz.box" for themselves. Their intentions are unclear; Fritz owners should be on their guard.
---------------------------------------------
https://www.heise.de/-9610149.html
∗∗∗ Blackwood hackers hijack WPS Office update to install malware ∗∗∗
---------------------------------------------
A previously unknown advanced threat actor tracked as Blackwood is using sophisticated malware called NSPX30 in cyberespionage attacks against companies and individuals.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackwood-hackers-hijack-wps…
∗∗∗ Midnight Blizzard: Guidance for responders on nation-state attack ∗∗∗
---------------------------------------------
The Microsoft security team detected a nation-state attack on our corporate systems on January 12, 2024, and immediately activated our response process to investigate, disrupt malicious activity, mitigate the attack, and deny the threat actor further access.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-…
∗∗∗ A Batch File With Multiple Payloads, (Fri, Jan 26th) ∗∗∗
---------------------------------------------
Windows batch files (.bat) are often seen by people as very simple but they can be pretty complex or... contain interesting encoded payloads! I found one that contains multiple payloads decoded and used by a PowerShell process. The magic is behind how comments can be added to such files.
---------------------------------------------
https://isc.sans.edu/diary/rss/30592
∗∗∗ Inheritance by SMS: ignore this fraudulent message ∗∗∗
---------------------------------------------
We repeatedly warn about emails in which scammers promise big money: million-dollar winnings, a donation or an inheritance are supposed to make the recipients suddenly rich. Currently, however, criminals are relying not only on emails but also on SMS to get in touch with potential victims. After that, the scam runs as usual: with offers too good to be true, gullible victims are cheated out of their money.
---------------------------------------------
https://www.watchlist-internet.at/news/erbschaft-per-sms-ignorieren-sie-die…
∗∗∗ Assessing and mitigating supply chain cybersecurity risks ∗∗∗
---------------------------------------------
Blindly trusting your partners and suppliers on their security posture is not sustainable – it's time to take control through effective supplier risk management.
---------------------------------------------
https://www.welivesecurity.com/en/business-security/assessing-mitigating-cy…
∗∗∗ Cybersecurity for Industrial Control Systems: Best practices ∗∗∗
---------------------------------------------
Network segmentation, software patching, and continual threats monitoring are key cybersecurity best practices for Industrial Control Systems (ICS).
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/cybersecurity-for-i…
∗∗∗ Guidance: Assembling a Group of Products for SBOM ∗∗∗
---------------------------------------------
Today, CISA published Guidance on Assembling a Group of Products created by the Software Bill of Materials (SBOM) Tooling & Implementation Working Group, one of the five SBOM community-driven workstreams facilitated by CISA. CISA’s community-driven working groups publish documents and reports to advance and refine SBOM and ultimately promote adoption. Specifically, software producers often need to assemble and test products together before releasing them to customers.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/26/guidance-assembling-grou…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
Version 1.1 - Updated list of affected products and products confirmed not vulnerable.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Jenkins CLI PoC CVE-2024-23897 ∗∗∗
---------------------------------------------
Remote Code Execution: Jenkins CLI arbitrary read (CVE-2024-23897 applies to versions below 2.442 and LTS 2.426.3)
---------------------------------------------
https://github.com/gquere/pwn_jenkins/blob/master/README.md#jenkins-cli-arb…
∗∗∗ Microsoft Edge 121 supports modern codecs and plugs security holes ∗∗∗
---------------------------------------------
Microsoft has released version 121 of the Edge web browser. It plugs a critical security vulnerability and adds support for AV1 video.
---------------------------------------------
https://www.heise.de/-9609475.html
∗∗∗ This time, please patch: security update fixes critical vulnerability in GitLab ∗∗∗
---------------------------------------------
GitLab 16.x contains five vulnerabilities, one of which is rated critical. Patching is not a matter of course, as a recent investigation showed.
---------------------------------------------
https://www.heise.de/-9609319.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (chromium, dotnet8.0, firefox, freeipa, and thunderbird), Red Hat (avahi, c-ares, curl, edk2, expat, freetype, frr, git, gnutls, grub2, kernel, kernel-rt, libcap, libfastjson, libssh, libtasn1, libxml2, linux-firmware, ncurses, oniguruma, openssh, openssl, perl-HTTP-Tiny, protobuf-c, python-urllib3, python3, python3.9, rpm, samba, shadow-utils, sqlite, tcpdump, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (cpio, jasper, rear23a, thunderbird, and xorg-x11-server), and Ubuntu (jinja2, kernel, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gkeop, linux-gkeop-5.15, linux-hwe-5.15, linux-ibm, linux-ibm-5.15, linux-kvm, linux-lowlatency-hwe-5.15, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-iot, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux-xilinx-zynqmp, linux, linux-aws, linux-aws-6.2, linux-azure, linux-azure-6.2, linux-azure-fde-6.2, linux-gcp, linux-hwe-6.5, linux-laptop, linux-lowlatency, linux-lowlatency-hwe-6.5, linux-oem-6.5, linux-oracle, linux-raspi, linux-starfive, linux, linux-aws, linux-aws-hwe, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-aws, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-oem-6.1, and mariadb, mariadb-10.3, mariadb-10.6).
---------------------------------------------
https://lwn.net/Articles/959640/
∗∗∗ 2024-01 Reference Advisory: Junos OS and Junos OS Evolved: Impact of Terrapin SSH Attack (CVE-2023-48795) ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Reference-Advisory-Juno…
∗∗∗ 2024-01 Out-of-Cycle Security Bulletin: Junos OS: SRX Series and EX Series: Multiple vulnerabilities in J-Web have been addressed ∗∗∗
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Out-of-Cycle-Security-B…
∗∗∗ Security Vulnerabilities fixed in Focus for iOS 122 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-03/
∗∗∗ Open redirect in parameter might affect IBM Storage Defender Data Protect. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7106918
∗∗∗ AIX is vulnerable to a denial of service (CVE-2023-5678, CVE-2023-6129, CVE-2023-6237) and an attacker may obtain sensitive information (CVE-2023-5363) due to OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7111837
∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to multiple issues due to Eclipse Jetty. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7111880
∗∗∗ Vulnerabilities in GNU Binutils, Bootstrap, PortSmash, Node.js, and libarchive might affect IBM Storage Defender Data Protect. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7091980
∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime may affect IBM Decision Optimization for IBM Cloud Pak for Data (CVE-2023-22006, CVE-2023-22036 & CVE-2023-22049) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7112089
∗∗∗ IBM Security Directory Integrator affected by multiple vulnerabilities affecting IBM Java SDK ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7047118
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 24-01-2024 18:00 − Donnerstag 25-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ New CherryLoader Malware Mimics CherryTree to Deploy PrivEsc Exploits ∗∗∗
---------------------------------------------
A new Go-based malware loader called CherryLoader has been discovered by threat hunters in the wild to deliver additional payloads onto compromised hosts for follow-on exploitation.
---------------------------------------------
https://thehackernews.com/2024/01/new-cherryloader-malware-mimics.html
∗∗∗ SystemBC Malware's C2 Server Analysis Exposes Payload Delivery Tricks ∗∗∗
---------------------------------------------
Cybersecurity researchers have shed light on the command-and-control (C2) server of a known malware family called SystemBC.
---------------------------------------------
https://thehackernews.com/2024/01/systembc-malwares-c2-server-analysis.html
∗∗∗ Memory Scanning for the Masses ∗∗∗
---------------------------------------------
In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning.
---------------------------------------------
https://research.nccgroup.com/2024/01/25/memory-scanning-for-the-masses/
∗∗∗ ADCS Attack Paths in BloodHound — Part 1 ∗∗∗
---------------------------------------------
This blog post details the ESC1 domain escalation requirements and explains how BloodHound incorporates the relevant components.
---------------------------------------------
https://posts.specterops.io/adcs-attack-paths-in-bloodhound-part-1-799f3d3b…
∗∗∗ CERT.at/GovCERT Austria PGP Teamkey Rotation ∗∗∗
---------------------------------------------
Since these expire in one month, yesterday we generated and rolled out new PGP keys for team(a)cert.at, reports(a)cert.at, team(a)govcert.gv.at and reports(a)govcert.gv.at.
---------------------------------------------
https://cert.at/de/aktuelles/2024/1/certatgovcert-austria-pgp-teamkey-rotat…
∗∗∗ How CERT.at handles a vulnerability notification, using Ivanti Connect Secure VPN as an example (CVE-2024-21887, CVE-2023-46805) ∗∗∗
---------------------------------------------
After publication, the normal process for CERTs worldwide began, and of course for CERT.at as well ... preparing or finalising the dissemination of information about the vulnerabilities. The CERTs published and sent out their warnings. Our warning, which is updated continuously, was put online on Thursday 11.01.24 around noon, made available to subscribers via the free RSS feed and sent out.
---------------------------------------------
https://cert.at/de/blog/2024/1/ablauf-einer-schwachstellen-information-durc…
=====================
= Vulnerabilities =
=====================
∗∗∗ Configuration error: countless Kubernetes clusters are potentially attackable ∗∗∗
---------------------------------------------
Due to a false assumption, many users grant the system:authenticated group of their GKE cluster too many rights, with serious consequences.
---------------------------------------------
https://www.golem.de/news/konfigurationsfehler-unzaehlige-kubernetes-cluste…
∗∗∗ Trend Micro Apex Central: update closes security holes on the second attempt ∗∗∗
---------------------------------------------
Several security vulnerabilities in Trend Micro's Apex Central allow attackers, among other things, to inject malicious code. A first update caused problems.
---------------------------------------------
https://www.heise.de/news/Trend-Micro-Apex-Central-Update-schliesst-im-zwei…
∗∗∗ Thousands of GitLab servers still vulnerable to zero-click account takeover ∗∗∗
---------------------------------------------
IT researchers have combed the internet and found more than 5000 vulnerable GitLab servers. Attackers can easily take over accounts there.
---------------------------------------------
https://www.heise.de/news/Tausende-Gitlab-Server-noch-fuer-Zero-Click-Konto…
∗∗∗ Cisco: vulnerability allows complete takeover of Unified Communications products ∗∗∗
---------------------------------------------
Cisco warns of a critical vulnerability in Unified Communications products through which attackers can take control.
---------------------------------------------
https://www.heise.de/news/Cisco-Luecke-erlauben-komplette-Uebernahme-von-Un…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, firefox-esr, php-phpseclib, phpseclib, thunderbird, and zabbix), Fedora (dotnet7.0, firefox, fonttools, and python-jinja2), Mageia (avahi and chromium-browser-stable), Oracle (java-1.8.0-openjdk, java-11-openjdk, LibRaw, openssl, and python-pillow), Red Hat (gnutls, kpatch-patch, php:8.1, and squid:4), SUSE (apache-parent, apache-sshd, bluez, cacti, cacti-spine, erlang, firefox, java-11-openjdk, opera, python-Pillow, tomcat, tomcat10, [...]
---------------------------------------------
https://lwn.net/Articles/959455/
∗∗∗ Potential remote code execution in Jenkins - patch available ∗∗∗
---------------------------------------------
With the latest version of the CI/CD platform Jenkins, the developers have fixed nine security vulnerabilities, among them a critical one, CVE-2024-23987.
---------------------------------------------
https://cert.at/de/aktuelles/2024/1/potentielle-remote-code-execution-in-je…
∗∗∗ Swift Mailer - Moderately critical - Access bypass - SA-CONTRIB-2024-006 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-006
∗∗∗ Open Social - Moderately critical - Information Disclosure - SA-CONTRIB-2024-005 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-005
∗∗∗ Open Social - Moderately critical - Access bypass - SA-CONTRIB-2024-004 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-004
∗∗∗ Two-factor Authentication (TFA) - Moderately critical - Access bypass - SA-CONTRIB-2024-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2024-003
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Publish SBA-ADV-20200707-02: CloudLinux CageFS Insufficiently Restric… ∗∗∗
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/fd86295907334f9cd81d8c1a7f…
∗∗∗ Publish SBA-ADV-20200707-01: CloudLinux CageFS Token Disclosure ∗∗∗
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/c2db0b1da76486e2876f1c64f9…
∗∗∗ SystemK NVR 504/508/516 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-025-02
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 23-01-2024 18:00 − Mittwoch 24-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Firefox: passkey support and security fixes ∗∗∗
---------------------------------------------
Version 122 of Firefox can handle passkeys. In addition, the developers close security holes in it, as well as in Firefox ESR and Thunderbird 115.7.
---------------------------------------------
https://www.heise.de/-9606909
∗∗∗ "Mother of all Breaches": 26 billion long-known records ∗∗∗
---------------------------------------------
What its discoverers call the "mother of all breaches" turns out, according to "Have I Been Pwned" founder Troy Hunt, to be a collection of long-known data.
---------------------------------------------
https://www.heise.de/-9604882
∗∗∗ Trello API abused to link email addresses to 15 million accounts ∗∗∗
---------------------------------------------
An exposed Trello API allows linking private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/trello-api-abused-to-link-em…
∗∗∗ Cybercrime’s Silent Operator: The Unraveling of VexTrio’s Malicious Network Empire ∗∗∗
---------------------------------------------
VexTrio is a massive and complex malicious TDS (traffic direction system) organization. It has a network of more than 60 affiliates that divert traffic into VexTrio, while it also operates its own TDS network. While aspects of the operation have been discovered and analyzed by different researchers, the core network has remained largely unknown.
---------------------------------------------
https://www.securityweek.com/cybercrimes-silent-operator-the-unraveling-of-…
∗∗∗ Orca Flags Dangerous Google Kubernetes Engine Misconfiguration ∗∗∗
---------------------------------------------
A misconfiguration in Google Kubernetes Engine (GKE) could allow attackers to take over Kubernetes clusters and access sensitive information, according to a warning from cloud security startup Orca Security. The issue is related to the privileges granted to users in the system:authenticated group, which includes all users with a Google account, although it could be mistakenly believed to include only verified identities.
---------------------------------------------
https://www.securityweek.com/orca-flags-dangerous-google-kubernetes-engine-…
∗∗∗ PC and online gamers: beware of account trading on marketplaces! ∗∗∗
---------------------------------------------
We are currently receiving repeated reports of fraudulent offers in the gaming sector on marketplaces such as difmark.com or in various internet forums. Among other things, criminals offer gaming accounts and user profiles there. The problem: according to the terms of use, these may not be sold at all, and bans are possible. Even after successful purchases, traps still lurk through which players can suddenly end up empty-handed.
---------------------------------------------
https://www.watchlist-internet.at/news/pc-und-online-gamerinnen-vorsicht-be…
∗∗∗ Update #3: Critical security vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure - actively exploited ∗∗∗
---------------------------------------------
Update #3: 24 January 2024: Mandiant and Volexity report having observed exploits against these vulnerabilities as early as the beginning of December 2023. It is therefore advisable, where applicable, to extend the period of any investigations into attack attempts that have taken place to at least and including December 2023.
---------------------------------------------
https://cert.at/de/warnungen/2024/1/kritische-sicherheitslucken-in-ivanti-c…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra GoAnywhere MFT: critical vulnerability turns attackers into admins ∗∗∗
---------------------------------------------
Patch now! Exploit code for the file transfer solution Fortra GoAnywhere MFT is in circulation.
---------------------------------------------
https://www.heise.de/-9606659
∗∗∗ Code injection vulnerability in HPE OneView ∗∗∗
---------------------------------------------
Several security vulnerabilities in the IT infrastructure management software HPE OneView allow attackers, among other things, to inject malicious code. Updates are available.
---------------------------------------------
https://www.heise.de/-9607490
∗∗∗ Chrome update seals 17 security holes ∗∗∗
---------------------------------------------
Google's developers are updating the Chrome web browser and closing 17 security vulnerabilities in it. Some of them reportedly allow code injection.
---------------------------------------------
https://www.heise.de/-9606618
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (jinja2, openjdk-11, ruby-httparty, and xorg-server), Fedora (ansible-core and mingw-jasper), Gentoo (GOCR, Ruby, and sudo), Oracle (gstreamer-plugins-bad-free, java-17-openjdk, java-21-openjdk, python-cryptography, and xorg-x11-server), Red Hat (kernel, kernel-rt, kpatch-patch, LibRaw, python-pillow, and python-pip), Slackware (mozilla), SUSE (python-Pillow, rear118a, and redis7), and Ubuntu (libapache-session-ldap-perl and pycryptodome).
---------------------------------------------
https://lwn.net/Articles/959325/
∗∗∗ Cisco Unified Communications Products Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in multiple Cisco Unified Communications and Contact Center Solutions products could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. CVE-2024-20253, CVSS Score: Base 9.9
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unity Connection Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Small Business Series Switches Stacked Reload ACL Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ High Severity Arbitrary File Upload Vulnerability Patched in File Manager Pro WordPress Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2024/01/high-severity-arbitrary-file-upload-…
∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/24/cisa-adds-one-known-expl…
=====================
= End-of-Day report =
=====================
Timeframe: Montag 22-01-2024 18:00 − Dienstag 23-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ MavenGate Attack Could Let Hackers Hijack Java and Android via Abandoned Libraries ∗∗∗
---------------------------------------------
Several public and popular libraries abandoned but still used in Java and Android applications have been found susceptible to a new software supply chain attack method called MavenGate.
---------------------------------------------
https://thehackernews.com/2024/01/hackers-hijack-popular-java-and-android.h…
∗∗∗ Cactus Ransomware malware analysis ∗∗∗
---------------------------------------------
On January 20th the Cactus ransomware group attacked a number of victims across varying industries. The attacks were disclosed on their leak site with the accompanying victim data.
---------------------------------------------
https://www.shadowstackre.com/analysis/cactus
∗∗∗ Beware of Peek & Cloppenburg fake shops ∗∗∗
---------------------------------------------
Fake offers from the fashion house "Peek & Cloppenburg" are being advertised on Facebook and Instagram. The fake ads promise discounts of up to 90%. If you click on the ad, you end up in a fraudulent shop with a credible-looking web address: "peek-cloppenburgsale.shop".
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-peek-cloppenburg-fake-s…
∗∗∗ Threat Assessment: BianLian ∗∗∗
---------------------------------------------
We analyze the extremely active ransomware group BianLian. Mostly targeting healthcare, they have moved from double-extortion to extortion without encryption.
---------------------------------------------
https://unit42.paloaltonetworks.com/bianlian-ransomware-group-threat-assess…
∗∗∗ Conditional QR Code Routing Attacks ∗∗∗
---------------------------------------------
Over the summer, we saw a somewhat unexpected rise in QR-code based phishing attacks. These attacks were all fairly similar. The main goal was to induce the end-user to scan the QR Code, where they would be redirected to a credential harvesting page.
---------------------------------------------
https://blog.checkpoint.com/harmony-email/conditional-qr-code-routing-attac…
∗∗∗ Lazarus Group Uses the DLL Side-Loading Technique (2) ∗∗∗
---------------------------------------------
Through the "Lazarus Group Uses the DLL Side-Loading Technique" [1] blog post, AhnLab SEcurity intelligence Center (ASEC) has previously covered how the Lazarus group used the DLL side-loading attack technique using legitimate applications in the initial access stage to achieve the next stage of their attack process.
---------------------------------------------
https://asec.ahnlab.com/en/60792/
∗∗∗ Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver ∗∗∗
---------------------------------------------
In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/a/kasseika-ransomware-deploys-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Fortra warns of new critical GoAnywhere MFT auth bypass, patch now ∗∗∗
---------------------------------------------
Fortra is warning of a new authentication bypass vulnerability impacting GoAnywhere MFT (Managed File Transfer) versions before 7.4.1 that allows an attacker to create a new admin user.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fortra-warns-of-new-critical…
∗∗∗ Exploiting 0-click Android Bluetooth vulnerability to inject keystrokes without pairing ∗∗∗
---------------------------------------------
Recently discovered critical vulnerabilities (CVE-2023-45866, CVE-2024-21306) in Bluetooth can be exploited to inject keystrokes without user confirmation – by accepting any Bluetooth pairing request.
---------------------------------------------
https://www.mobile-hacker.com/2024/01/23/exploiting-0-click-android-bluetoo…
∗∗∗ Security fixes: Apple updates older systems and admits zero-days ∗∗∗
---------------------------------------------
Alongside macOS 14.3 and iOS 17.3, Apple has also released new versions of iOS 15 and 16, macOS 12 and 13, and Safari. There was another zero-day exploit.
---------------------------------------------
https://www.heise.de/news/Sicherheitsfixes-Apple-aktualisiert-aeltere-Syste…
∗∗∗ Configuration transfer can undo the workaround protecting Ivanti ICS ∗∗∗
---------------------------------------------
So far, admins can only protect Ivanti Connect Secure and Policy Secure against ongoing attacks via a workaround. But this does not always work.
---------------------------------------------
https://www.heise.de/news/Konfigurationsuebertragung-kann-Behelfsloesung-zu…
∗∗∗ Barracuda WAF: critical security vulnerabilities allow protection bypass ∗∗∗
---------------------------------------------
Barracuda has published a security advisory concerning the Web Application Firewall. Security vulnerabilities allow the protection to be bypassed.
---------------------------------------------
https://www.heise.de/news/Barracuda-WAF-Kritische-Sicherherheitsluecken-erm…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kodi and squid), Fedora (ansible-core, java-latest-openjdk, mingw-python-jinja2, openssh, and pgadmin4), Gentoo (Apache XML-RPC), Red Hat (gnutls and xorg-x11-server), Slackware (postfix), SUSE (bluez and openssl-3), and Ubuntu (gnutls28, libssh, and squid).
---------------------------------------------
https://lwn.net/Articles/959127/
∗∗∗ Splunk Security Advisories 2024-01-22 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ XSA-448 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-448.html
∗∗∗ Security Vulnerabilities fixed in Thunderbird 115.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-04/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 115.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-02/
∗∗∗ Security Vulnerabilities fixed in Firefox 122 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2024-01/
∗∗∗ TRUMPF: Oseon contains vulnerable version of OpenSSL 1.1.x ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-006/
∗∗∗ TRUMPF: Multiple products include a vulnerable version of Notepad++ ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-003/
∗∗∗ TRUMPF: Multiple products contain vulnerable version of 7-zip ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-005/
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2023-46838 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX587605/citrix-hypervisor-security-bul…
∗∗∗ Crestron AM-300 ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02
∗∗∗ Lantronix XPort ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-05
∗∗∗ Voltronic Power ViewPower Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-03
∗∗∗ Orthanc Osimis DICOM Web Viewer ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-023-01
∗∗∗ APsystems Energy Communication Unit (ECU-C) Power Control Software ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-01
∗∗∗ Westermo Lynx 206-F2G ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 19-01-2024 18:00 − Montag 22-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Cracked software beats gold: new macOS backdoor stealing cryptowallets ∗∗∗
---------------------------------------------
We review a new macOS backdoor that piggybacks on cracked software to replace Bitcoin and Exodus wallets with malware.
---------------------------------------------
https://securelist.com/new-macos-backdoor-crypto-stealer/111778/
∗∗∗ Apache ActiveMQ Flaw Exploited in New Godzilla Web Shell Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning of a "notable increase" in threat actor activity actively exploiting a now-patched flaw in Apache ActiveMQ to deliver the Godzilla web shell on compromised hosts.
---------------------------------------------
https://thehackernews.com/2024/01/apache-activemq-flaw-exploited-in-new.html
∗∗∗ Confluence: critical vulnerability in outdated versions is being exploited ∗∗∗
---------------------------------------------
As the Shadowserver project reports on Mastodon, attackers are currently scouring the internet for potential victims from 600 different IP addresses. A simple HTTP POST request is enough to exploit the vulnerability and take over the Confluence server. [..] The vendor already alerted its customers to the vulnerability last Tuesday, having fixed it, along with 27 others, as part of the Atlassian patch day.
---------------------------------------------
https://www.heise.de/-9605028
∗∗∗ VMware vCenter Server attacked for months via CVE-2023-3404; attacks are spreading ∗∗∗
---------------------------------------------
VMware has now also confirmed that a vCenter Server vulnerability patched in October 2023 is being actively exploited. vCenter Server is the management platform for VMware vSphere environments, supporting administrators in managing ESX and ESXi servers and virtual machines (VMs). [..] Security researchers at Mandiant have disclosed in this article that the Chinese espionage group UNC3886 had long known about this vulnerability, CVE-2023-34048, and has been actively attacking it since at least the end of 2021.
---------------------------------------------
https://www.borncity.com/blog/2024/01/22/vmware-vcenter-server-seit-monaten…
∗∗∗ NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Java-based "sophisticated" information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts. The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.
---------------------------------------------
https://thehackernews.com/2024/01/ns-stealer-uses-discord-bots-to.html
∗∗∗ Domain Escalation – Backup Operator ∗∗∗
---------------------------------------------
Backup Operators is a Windows built-in group. Users who are part of this group have permissions to perform backup and restore operations. More specifically, these users have the SeBackupPrivilege assigned, which enables them to read sensitive files from the domain controller, i.e. the Security Account Manager (SAM).
---------------------------------------------
https://pentestlab.blog/2024/01/22/domain-escalation-backup-operator/
∗∗∗ Beware of PayLife e-mails containing a QR code ∗∗∗
---------------------------------------------
A fake e-mail informs you that your myPayLife app has been blocked. Supposedly you can no longer approve orders or online payments. To lift the block, you are asked to scan a QR code. Ignore this e-mail; it is a phishing trap.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-paylife-e-mails-mit-ein…
∗∗∗ Parrot TDS: A Persistent and Evolving Malware Campaign ∗∗∗
---------------------------------------------
Traffic detection system Parrot has infected tens of thousands of websites worldwide. We outline the scripting evolution of this injection campaign and its scope.
---------------------------------------------
https://unit42.paloaltonetworks.com/parrot-tds-javascript-evolution-analysi…
∗∗∗ Is the Google search bar enough to hack Belgian companies? ∗∗∗
---------------------------------------------
In this blog post, we will go over a technique called Google Dorking and demonstrate how it can be utilized to uncover severe security vulnerabilities in web applications hosted right here in Belgium, where NVISO was founded.
---------------------------------------------
https://blog.nviso.eu/2024/01/22/is-the-google-search-bar-enough-to-hack-be…
∗∗∗ The Confusing History of F5 BIG-IP RCE Vulnerabilities ∗∗∗
---------------------------------------------
If you want to know way too much about attacks against F5 BIG-IP devices, then this is the blog for you!
---------------------------------------------
https://www.greynoise.io/blog/the-confusing-history-of-f5-big-ip-rce-vulner…
=====================
= Vulnerabilities =
=====================
∗∗∗ Gambio 4.9.2.0 - Insecure Deserialization ∗∗∗
---------------------------------------------
Gambio is software designed for running online shops. It provides various features and tools to help businesses manage their inventory, process orders, and handle customer interactions. According to their homepage, the software is used by more than 25.000 shops. Security Risk: Critical, CVE Number: Pending, Vendor Status: Not fixed
---------------------------------------------
https://herolab.usd.de/security-advisories/usd-2023-0046/
∗∗∗ Security updates: loopholes for malicious code in Lexmark printers closed ∗∗∗
---------------------------------------------
Attackers can target many Lexmark printer models to compromise the devices. So far there are reportedly no attacks.
---------------------------------------------
https://www.heise.de/-9604795
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (keystone and subunit), Fedora (dotnet6.0, golang, kernel, sos, and tigervnc), Mageia (erlang), Red Hat (openssl), SUSE (bluez, python-aiohttp, and seamonkey), and Ubuntu (postfix and xorg-server).
---------------------------------------------
https://lwn.net/Articles/959006/
∗∗∗ Critical Vulnerabilities Found in Open Source AI/ML Platforms ∗∗∗
---------------------------------------------
Security researchers flag multiple severe vulnerabilities in open source AI/ML solutions MLflow, ClearML, Hugging Face.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-found-in-ai-ml-open-s…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ WAGO: WIBU-SYSTEMS CodeMeter Runtime vulnerabilities in multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2024-007/
∗∗∗ Spring: CVE-2024-22233: Spring Framework server Web DoS Vulnerability ∗∗∗
---------------------------------------------
https://spring.io/blog/2024/01/22/cve-2024-22233-spring-framework-server-we…
∗∗∗ Roundcube: Update 1.6.6 released ∗∗∗
---------------------------------------------
https://roundcube.net/news/2024/01/20/update-1.6.6-released
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 18-01-2024 18:00 − Friday 19-01-2024 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ TeamViewer abused to breach networks in new ransomware attacks ∗∗∗
---------------------------------------------
Ransomware actors are again using TeamViewer to gain initial access to organization endpoints and attempt to deploy encryptors based on the leaked LockBit ransomware builder.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/teamviewer-abused-to-breach-…
∗∗∗ macOS Python Script Replacing Wallet Applications with Rogue Apps, (Fri, Jan 19th) ∗∗∗
---------------------------------------------
Still today, many people think that Apple and its macOS are less targeted by malware. But the landscape is changing and threats are emerging in this ecosystem too.
---------------------------------------------
https://isc.sans.edu/diary/rss/30572
∗∗∗ Experts Warn of macOS Backdoor Hidden in Pirated Versions of Popular Software ∗∗∗
---------------------------------------------
Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.
---------------------------------------------
https://thehackernews.com/2024/01/experts-warn-of-macos-backdoor-hidden.html
∗∗∗ Taking over WhatsApp accounts by reading voicemails ∗∗∗
---------------------------------------------
The investigation is centered on a vulnerability related to the Personal Identification Number (PIN) required for authenticating WhatsApp’s account backup feature. I describe how this PIN could be compromised through a voice call backup delivery method, forcing the call to go to voicemail, and spoofing the victim's phone number to read their voicemail.
---------------------------------------------
https://medium.com/@rramgattie/taking-over-whatsapp-accounts-by-reading-voi…
∗∗∗ Recovery scam: criminals pose as blockchain.com and report a supposedly dormant Bitcoin wallet ∗∗∗
---------------------------------------------
Victims of a fraudulent trading platform sometimes suffer considerable financial losses. The despair and the wish to get the money back are correspondingly great. Criminals exploit this and contact the victims again after some time.
---------------------------------------------
https://www.watchlist-internet.at/news/recovery-scam-kriminelle-geben-sich-…
∗∗∗ Virtual kidnapping: How to see through this terrifying scam ∗∗∗
---------------------------------------------
Phone fraud takes a frightening twist as fraudsters can tap into AI to cause serious emotional and financial damage to the victims.
---------------------------------------------
https://www.welivesecurity.com/en/scams/virtual-kidnapping-see-through-scam/
∗∗∗ Ivanti Connect Secure VPN Exploitation: New Observations ∗∗∗
---------------------------------------------
Volexity also recently learned of a potential issue that organizations may be facing when attempting to bring fresh Ivanti Connect Secure VPN appliances back online that leave them in a vulnerable state. These findings may partially account for why there has been an increase in compromised systems in subsequent scans.
---------------------------------------------
https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploita…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware confirms critical vCenter flaw now exploited in attacks ∗∗∗
---------------------------------------------
VMware has confirmed that a critical vCenter Server remote code execution vulnerability patched in October is now under active exploitation.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-confirms-critical-vce…
∗∗∗ Npm Trojan Bypasses UAC, Installs AnyDesk with "Oscompatible" Package ∗∗∗
---------------------------------------------
A malicious package uploaded to the npm registry has been found deploying a sophisticated remote access trojan on compromised Windows machines.
---------------------------------------------
https://thehackernews.com/2024/01/npm-trojan-bypasses-uac-installs.html
∗∗∗ Smartphones and more: ambient light sensors can spy too ∗∗∗
---------------------------------------------
Not only smartphone cameras can spy on people; ambient light sensors can as well. This is the finding of a study published in "Science".
---------------------------------------------
https://heise.de/-9601724
∗∗∗ Attackers target Ivanti EPMM and MobileIron Core ∗∗∗
---------------------------------------------
Attackers are currently exploiting a critical vulnerability in Ivanti EPMM and MobileIron Core.
---------------------------------------------
https://www.heise.de/news/Angreifer-attackieren-Ivanti-EPMM-und-MobileIron-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (ImageMagick), Debian (chromium), Fedora (golang-x-crypto, golang-x-mod, golang-x-net, golang-x-text, gtkwave, redis, and zbar), Mageia (tinyxml), Oracle (.NET 7.0, .NET 8.0, java-1.8.0-openjdk, java-11-openjdk, python3, and sqlite), Red Hat (gstreamer-plugins-bad-free, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, and java-21-openjdk), SUSE (kernel, libqt5-qtbase, libssh, pam, rear23a, and rear27a), and Ubuntu (pam and zookeeper).
---------------------------------------------
https://lwn.net/Articles/958676/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, golang-github-facebook-time, podman, and xorg-x11-server-Xwayland), Oracle (.NET 6.0, java-1.8.0-openjdk, java-11-openjdk, and python3.11-cryptography), Red Hat (java-11-openjdk, python-requests, and python-urllib3), SUSE (chromium, kernel, libcryptopp, libuev, perl-Spreadsheet-ParseExcel, suse-module-tools, and xwayland), and Ubuntu (filezilla and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958760/
∗∗∗ Important Progress OpenEdge Critical Alert for Progress Application Server in OpenEdge (PASOE) - Arbitrary File Upload Vulnerability in WEB Transport ∗∗∗
---------------------------------------------
https://community.progress.com/s/article/Important-Progress-OpenEdge-Critic…
∗∗∗ ZDI Security Advisories ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-01-2024 18:00 − Thursday 18-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Abuse possible: WhatsApp lets strangers harvest device information ∗∗∗
---------------------------------------------
Based on their phone number alone, it is possible to determine, for example, how many devices a target person uses with WhatsApp and when they switch them.
---------------------------------------------
https://www.golem.de/news/missbrauch-moeglich-whatsapp-laesst-fremde-nutzer…
∗∗∗ New Microsoft Incident Response guides help security teams analyze suspicious activity ∗∗∗
---------------------------------------------
Today Microsoft Incident Response are proud to introduce two one-page guides to help security teams investigate suspicious activity in Microsoft 365 and Microsoft Entra. These guides contain the artifacts that Microsoft Incident Response hunts for and uses daily to provide our customers with evidence of Threat Actor activity in their tenant.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2024/01/17/new-microsoft-inci…
∗∗∗ More Scans for Ivanti Connect "Secure" VPN. Exploits Public, (Thu, Jan 18th) ∗∗∗
---------------------------------------------
Exploits around the Ivanti Connect "Secure" VPN appliance, taking advantage of CVE-2023-46805, continue evolving. Late on Tuesday, more details became public, particularly the blog post by Rapid7 explaining the underlying vulnerability in depth.
---------------------------------------------
https://isc.sans.edu/diary/rss/30568
∗∗∗ PixieFail UEFI Flaws Expose Millions of Computers to RCE, DoS, and Data Theft ∗∗∗
---------------------------------------------
Multiple security vulnerabilities have been disclosed in the TCP/IP network protocol stack of an open-source reference implementation of the Unified Extensible Firmware Interface (UEFI) specification used widely in modern computers. Collectively dubbed PixieFail by Quarkslab, the nine issues reside in the TianoCore EFI Development Kit II (EDK II) and could be exploited to
---------------------------------------------
https://thehackernews.com/2024/01/pixiefail-uefi-flaws-expose-millions-of.h…
∗∗∗ MFA Spamming and Fatigue: When Security Measures Go Wrong ∗∗∗
---------------------------------------------
MFA spamming refers to the malicious act of inundating a target user's email, phone, or other registered devices with numerous MFA prompts or confirmation codes. The objective behind this tactic is to overwhelm the user with notifications, in the hopes that they will inadvertently approve an unauthorized login. To execute this attack, hackers require the target victim's account credentials (username and password) to initiate the login process and trigger the MFA notifications.
---------------------------------------------
https://thehackernews.com/2024/01/mfa-spamming-and-fatigue-when-security.ht…
∗∗∗ Russian COLDRIVER Hackers Expand Beyond Phishing with Custom Malware ∗∗∗
---------------------------------------------
[..] COLDRIVER has been observed evolving its tradecraft to go beyond credential harvesting to deliver its first-ever custom malware written in the Rust programming language. Google's Threat Analysis Group (TAG), which shared details of the latest activity, said the attack chains leverage PDFs as decoy documents to trigger the infection sequence.
---------------------------------------------
https://thehackernews.com/2024/01/russian-coldriver-hackers-expand-beyond.h…
∗∗∗ Data eavesdropped from the GPU: AI security vulnerability in Apple Silicon, AMD and Qualcomm ∗∗∗
---------------------------------------------
Security researchers have discovered a problem in the graphics cores of older iPhones and Macs, and also in AMD and Qualcomm parts. Apple is patching, but only partially.
---------------------------------------------
https://heise.de/-9600829
∗∗∗ Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers ∗∗∗
---------------------------------------------
Malicious drivers are difficult to detect and successfully leveraging one can give an attacker full access to a system.
---------------------------------------------
https://blog.talosintelligence.com/exploring-malicious-windows-drivers-part…
∗∗∗ Critical vulnerability in ManageEngine could lead to file creation, dozens of other vulnerabilities disclosed by Talos to start 2024 ∗∗∗
---------------------------------------------
Cisco Talos’ Vulnerability Research team has disclosed dozens of vulnerabilities over the past month, including more than 30 advisories in GTKWave and a critical vulnerability in ManageEngine OpManager.
Cisco ASIG also recently discovered an information disclosure vulnerability in DuoUniversalKeycloakAuthenticator [..] There are also multiple vulnerabilities in AVideo [..]
All the vulnerabilities mentioned in this blog post have been patched by their respective vendors.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-roundup-jan-17-2024/
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Denial of Service - SA-CORE-2024-001 ∗∗∗
---------------------------------------------
The Comment module allows users to reply to comments. In certain cases, an attacker could make comment reply requests that would trigger a denial of service (DOS).
Sites that do not use the Comment module are not affected.
---------------------------------------------
https://www.drupal.org/sa-core-2024-001
∗∗∗ MOVEit Transfer: updates against DoS vulnerability ∗∗∗
---------------------------------------------
Updates for MOVEit Transfer close security holes through which attackers could provoke calculation errors or bring the service down.
---------------------------------------------
https://heise.de/-9601492
∗∗∗ Trend Micro: vulnerabilities in security agents allow privilege escalation ∗∗∗
---------------------------------------------
Trend Micro warns of vulnerabilities in its security agents through which attackers can escalate their privileges. Software updates are available.
---------------------------------------------
https://heise.de/-9601595
∗∗∗ Nextcloud: flaws in apps endanger user accounts and data security ∗∗∗
---------------------------------------------
Several extensions, such as those for load balancing, OAuth login and ZIP download, have gaping holes. Updates are already available.
---------------------------------------------
https://heise.de/-9601589
∗∗∗ 2024-01 Security Bulletin: Junos OS and Junos OS Evolved: rpd process crash due to BGP flap on NSR-enabled devices (CVE-2024-21585) ∗∗∗
---------------------------------------------
An Improper Handling of Exceptional Conditions vulnerability in BGP session processing of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated network-based attacker, using specific timing outside the attacker's control, to flap BGP sessions and cause the routing protocol daemon (rpd) process to crash and restart, leading to a Denial of Service (DoS) condition. Continued BGP session flapping will create a sustained Denial of Service (DoS) condition.
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-Junos…
∗∗∗ 2024-01 Security Bulletin: JSA Series: Multiple vulnerabilities resolved ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been resolved in Juniper Secure Analytics in 7.5.0 UP7 IF04.
---------------------------------------------
https://supportportal.juniper.net/s/article/2024-01-Security-Bulletin-JSA-S…
∗∗∗ Oracle Releases Critical Patch Update Advisory for January 2024 ∗∗∗
---------------------------------------------
Oracle released its Critical Patch Update Advisory for January 2024 to address vulnerabilities in multiple products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/18/oracle-releases-critical…
∗∗∗ Multiple Dahua Technology products vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN83655695/
∗∗∗ There is a vulnerability in batik-all-1.15.jar used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-44730 and CVE-2022-44729) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107742
∗∗∗ IBM Maximo Manage is vulnerable to attack due to Eclipse Jetty ( IBM X-Force ID 261776) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107716
∗∗∗ There is a vulnerability in CSRF Token used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2023-47718) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7107740
∗∗∗ IBM Asset Data Dictionary Component uses bcprov-jdk18on-1.72.jar which is vulnerable to CVE-2023-33201 and CVE-2023-33202 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108953
∗∗∗ IBM Maximo Application Suite and IBM Maximo Application Suite - IoT Component uses Werkzeug-2.2.3-py3-none-any.whl which is vulnerable to CVE-2023-46136 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108960
∗∗∗ IBM Asset Data Dictionary Component uses netty-codec-http2-4.1.94, netty-handler-4.1.86 and netty-handler-4.1.92 which is vulnerable to CVE-2023-44487 and CVE-2023-34462 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108959
∗∗∗ IBM Storage Ceph is vulnerable to Use After Free in the RHEL UBI (CVE-2023-4813) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108974
∗∗∗ IBM Storage Ceph is vulnerable to Cross Site Scripting in Grafana (CVE-2022-39324) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/7108973
∗∗∗ AVEVA PI Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-018-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-01-2024 18:00 − Wednesday 17-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patch now! Beware of DoS attacks on Citrix NetScaler ADC and Gateway ∗∗∗
---------------------------------------------
Citrix has brought products in its NetScaler series up to date and hardened them against ongoing attacks.
---------------------------------------------
https://www.heise.de/-9599627.html
∗∗∗ Thousands of devices compromised through Ivanti vulnerabilities ∗∗∗
---------------------------------------------
The vulnerabilities in Ivanti's VPN software are under massive attack. IT researchers have found thousands of compromised systems.
---------------------------------------------
https://www.heise.de/-9599887.html
∗∗∗ LKA warns of WhatsApp scam ∗∗∗
---------------------------------------------
A new scam relies on re-contacting victims of earlier frauds. The LKA Niedersachsen (Lower Saxony state criminal police) warns about it.
---------------------------------------------
https://www.heise.de/-9600403.html
∗∗∗ Apple, AMD, Qualcomm: GPUs from several manufacturers vulnerable to data theft ∗∗∗
---------------------------------------------
An attack is reportedly easy to carry out and requires fewer than 10 lines of code. Conversations with AI chatbots, for example, can be harvested.
---------------------------------------------
https://www.golem.de/news/apple-amd-qualcomm-gpus-mehrerer-hersteller-anfae…
∗∗∗ GitHub rotates keys to mitigate impact of credential-exposing flaw ∗∗∗
---------------------------------------------
GitHub rotated keys potentially exposed by a vulnerability patched in December that could let attackers access credentials within production containers via environment variables.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/github-rotates-keys-to-mitig…
∗∗∗ PAX PoS Terminal Flaw Could Allow Attackers to Tamper with Transactions ∗∗∗
---------------------------------------------
The point-of-sale (PoS) terminals from PAX Technology are impacted by a collection of high-severity vulnerabilities that can be weaponized by threat actors to execute arbitrary code.
---------------------------------------------
https://thehackernews.com/2024/01/pax-pos-terminal-flaw-could-allow.html
∗∗∗ What's worse than paying an extortion bot that auto-pwned your database? ∗∗∗
---------------------------------------------
Paying one that lied to you and only saved the first 20 rows of each table.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2024/01/17/extortion_bo…
∗∗∗ Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin ∗∗∗
---------------------------------------------
On December 11, 2023, we added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to our Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that will be executed whenever a user accesses an injected page.
---------------------------------------------
https://www.wordfence.com/blog/2024/01/website-takeover-campaign-takes-adva…
∗∗∗ Beware of hidden costs on prosperi.academy! ∗∗∗
---------------------------------------------
Making investing accessible to everyone: that is the mission of the Prosperi Academy, which is currently advertising heavily on Facebook and Instagram. With the help of the Prosperi platform, those interested are supposed to learn the most important terms and rules of investing and discover additional sources of income. But anyone who decides to try Prosperi must expect hidden costs.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-versteckten-kosten-auf-…
∗∗∗ Threat Brief: Ivanti Vulnerabilities CVE-2023-46805 and CVE-2024-21887 ∗∗∗
---------------------------------------------
Ivanti VPNs can be exploited by CVE-2023-46805 (High severity) and CVE-2024-21887 (Critical severity), chained together to run commands without authentication.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-ivanti-cve-2023-46805-cve-…
∗∗∗ The 7 deadly cloud security sins and how SMBs can do things better ∗∗∗
---------------------------------------------
By eliminating these mistakes and blind spots, your organization can take massive strides towards optimizing its use of cloud without exposing itself to cyber-risk
---------------------------------------------
https://www.welivesecurity.com/en/business-security/7-deadly-cloud-security…
∗∗∗ Countdown for the NIS2 directive is running ∗∗∗
---------------------------------------------
Numerous companies must implement the NIS2 directive. The EU directive prescribes strict measures to ensure cybersecurity.
---------------------------------------------
https://www.zdnet.de/88413795/countdown-fuer-die-nis2-richtline-laeuft%e2%8…
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
- CVE-2023-6549 Citrix NetScaler ADC and NetScaler Gateway Buffer Overflow Vulnerability
- CVE-2023-6548 Citrix NetScaler ADC and NetScaler Gateway Code Injection Vulnerability
- CVE-2024-0519 Google Chromium V8 Out-of-Bounds Memory Access Vulnerability
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/17/cisa-adds-three-known-ex…
∗∗∗ Static Code Analysis: Why Your Company’s Reputation Depends On It ∗∗∗
---------------------------------------------
Static application security testing (SAST) solutions provide organizations with peace of mind that their applications are secure. But SAST platforms differ from each other. A SAST tool that meets developers where they are can make AppSec teams’ lives much easier and significantly enhance the organization’s ability to defend itself from code vulnerabilities in the SDLC. This comprehensive guide covers all aspects of Static Application Security Testing, on your journey to choosing a SAST tool and vendor.
---------------------------------------------
https://checkmarx.com/appsec-knowledge-hub/sast/static-code-analysis-why-yo…
=====================
= Vulnerabilities =
=====================
∗∗∗ MOVEit Transfer Service Pack (January 2024) ∗∗∗
---------------------------------------------
This article contains the details of the specific updates within the MOVEit Transfer January 2024 Service Pack. The Service Pack contains fixes for (1) newly disclosed CVE described below. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully.
---------------------------------------------
https://community.progress.com/s/article/MOVEit-Transfer-Service-Pack-Janua…
∗∗∗ MOVEit Automation Service Pack (January 2024) ∗∗∗
---------------------------------------------
As of January 17, 2024, the MOVEit Automation Service Pack is available for download from the Progress Download Center at https://community.progress.com/s/products-list using your Progress ID credentials. Progress Software highly recommends you apply this Service Pack for product updates and security improvements. For Service Pack content, please review the Service Pack Release Notes and this knowledgebase article carefully.
---------------------------------------------
https://community.progress.com/s/article/MOVEit-Automation-Service-Pack-Jan…
∗∗∗ Google Chrome: vulnerability exploited in the wild ∗∗∗
---------------------------------------------
Google has updated the Chrome web browser. The update closes high-risk vulnerabilities, one of which is already being abused.
---------------------------------------------
https://www.heise.de/-9599575.html
∗∗∗ Critical Patch Update: Oracle releases 389 security updates ∗∗∗
---------------------------------------------
In its quarterly update, Oracle has secured Banking Enterprise, MySQL and Solaris, among others, against possible attacks.
---------------------------------------------
https://www.heise.de/-9600083.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (zabbix), Gentoo (OpenJDK), Red Hat (kernel), Slackware (gnutls and xorg), SUSE (cloud-init, kernel, xorg-x11-server, and xwayland), and Ubuntu (freeimage, postgresql-10, and xorg-server, xwayland).
---------------------------------------------
https://lwn.net/Articles/958497/
∗∗∗ 2024-01-10: Cyber Security Advisory - AC500 V3 Multiple DoS vulnerabilities ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011264&Language…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000138178 : Apache Tomcat vulnerability CVE-2023-42795 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138178
∗∗∗ K000138242 : OpenSSL vulnerability CVE-2023-5678 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138242
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-01-2024 18:00 − Tuesday 16-01-2024 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ A lightweight method to detect potential iOS malware ∗∗∗
---------------------------------------------
Analyzing Shutdown.log file as a lightweight method to detect indicators of infection with sophisticated iOS malware such as Pegasus, Reign and Predator.
---------------------------------------------
https://securelist.com/shutdown-log-lightweight-ios-malware-detection-metho…
∗∗∗ DORA: One year left until full compliance with the new regulatory framework ∗∗∗
---------------------------------------------
In one year, on 17 January 2025, the EU regulation on digital operational resilience in the financial sector (DORA) will come into force.
---------------------------------------------
https://sec-consult.com/de/blog/detail/dora-noch-ein-jahr-bis-zur-vollstaen…
∗∗∗ Phemedrone infostealer bypasses Windows Defender SmartScreen filter ∗∗∗
---------------------------------------------
Trend Micro has analysed the Phemedrone infostealer. It made its way onto machines through a flaw in the Windows Defender SmartScreen filter.
---------------------------------------------
https://www.heise.de/news/Phemedrone-Infostealer-umgeht-Windows-Defender-Sm…
∗∗∗ Deepfake videos with familiar faces lure victims into investment traps ∗∗∗
---------------------------------------------
Criminals pull out all the stops when promoting fraudulent financial offers. Copied newspaper websites with fake celebrity articles are all too familiar. By now, however, sometimes very professional deepfake videos are also being used. In them, well-known celebrities, presenters or politicians explain how you can get rich quickly with a "secret" platform.
---------------------------------------------
https://www.watchlist-internet.at/news/deepfake-videos-mit-bekannten-gesich…
∗∗∗ Beware of crypto scams lying on the streets of Vienna ∗∗∗
---------------------------------------------
A strange find near Vienna's Karlskirche suggests that passers-by are currently being baited with fake paper wallets.
---------------------------------------------
https://www.derstandard.at/story/3000000203274/vorsicht-vor-kryptoscams-die…
∗∗∗ CISA and FBI Release Known IOCs Associated with Androxgh0st Malware ∗∗∗
---------------------------------------------
Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), Known Indicators of Compromise Associated with Androxgh0st Malware, to disseminate known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) associated with threat actors deploying Androxgh0st malware.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/16/cisa-and-fbi-release-kno…
∗∗∗ Ivanti Connect Secure VPN Exploitation Goes Global ∗∗∗
---------------------------------------------
Important: If your organization uses Ivanti Connect Secure VPN and you have not applied the mitigation, then please do that immediately! Organizations should immediately review the results of the built-in Integrity Check Tool for log entries indicating mismatched or new files.
---------------------------------------------
https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploita…
=====================
= Vulnerabilities =
=====================
∗∗∗ Sonicwall: Attackers can crash over 178,000 firewalls ∗∗∗
---------------------------------------------
The two vulnerabilities through which the DoS attack succeeds have actually been known for a long time. An exploit has also been available for months.
---------------------------------------------
https://www.golem.de/news/sonicwall-angreifer-koennen-ueber-178-000-firewal…
∗∗∗ Cross-site scripting in PRTG monitoring software allows session hijacking ∗∗∗
---------------------------------------------
With a crafted link, attackers can mislead PRTG users and bypass authentication. An update fixes the issue.
---------------------------------------------
https://www.heise.de/news/Cross-Site-Scripting-in-Monitoringsoftware-PRTG-e…
∗∗∗ Atlassian: Patch day updates close 28 high-risk vulnerabilities ∗∗∗
---------------------------------------------
Atlassian is holding a patch day and closing 28 security vulnerabilities rated high risk in various products.
---------------------------------------------
https://www.heise.de/news/Atlassian-Updates-zum-Patchday-schliessen-28-hoch…
∗∗∗ Critical vulnerability: VMware forgot access controls in Aria Automation ∗∗∗
---------------------------------------------
Attackers with a valid account can gain elevated privileges. VMware offers patches; cloud customers are unaffected.
---------------------------------------------
https://www.heise.de/news/Kritische-Sicherheitsluecke-VMware-vergass-Zugrif…
∗∗∗ Code injection in Juniper JunOS: Thousands of devices affected worldwide ∗∗∗
---------------------------------------------
If the web management interface is enabled on an SRX series firewall or an EX series switch, attacks are possible. Juniper has updates ready.
---------------------------------------------
https://www.heise.de/news/Codeschmuggel-in-Juniper-JunOS-Weltweit-tausende-…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Gentoo (KTextEditor, libspf2, libuv, and Nettle), Mageia (hplip), Oracle (container-tools:4.0, gnutls, idm:DL1, squid, squid34, and virt:ol, virt-devel:rhel), Red Hat (.NET 6.0, krb5, python3, rsync, and sqlite), SUSE (chromium, perl-Spreadsheet-ParseXLSX, postgresql, postgresql15, postgresql16, and rubygem-actionpack-5_1), and Ubuntu (binutils, libspf2, libssh2, mysql-5.7, w3m, webkit2gtk, and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958416/
∗∗∗ VU#132380: Vulnerabilities in EDK2 NetworkPkg IP stack implementation. ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/132380
∗∗∗ VU#302671: SMTP end-of-data uncertainty can be abused to spoof emails and bypass policies ∗∗∗
---------------------------------------------
https://kb.cert.org/vuls/id/302671
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ VMSA-2024-0001 - VMware Aria Automation (formerly vRealize Automation) update addresses a Missing Access Control vulnerability (CVE-2023-34063) ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2024-0001.html
∗∗∗ NetScaler ADC and NetScaler Gateway Security Bulletin for CVE-2023-6548 and CVE-2023-6549 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-ga…
∗∗∗ Citrix Session Recording Security Bulletin for CVE-2023-6184 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX583930/citrix-session-recording-secur…
∗∗∗ Citrix StoreFront Security Bulletin for CVE-2023-5914 ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX583759/citrix-storefront-security-bul…
∗∗∗ SFPMonitor.sys KOOB Write vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-6340
∗∗∗ SEW-EURODRIVE MOVITOOLS MotionStudio ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-01
∗∗∗ Integration Objects OPC UA Server Toolkit ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-016-02
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-01-2024 18:00 − Monday 15-01-2024 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ 2FA apparently inactive: Investigation of the attack on the SEC's X account demanded ∗∗∗
---------------------------------------------
The SEC apparently failed to enable two-factor authentication on its X account. Some US senators consider this "inexcusable".
---------------------------------------------
https://www.golem.de/news/2fa-war-wohl-inaktiv-aufarbeitung-des-angriffs-au…
∗∗∗ Opera MyFlaw Bug Could Let Hackers Run ANY File on Your Mac or Windows ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed a security flaw in the Opera web browser for Microsoft Windows and Apple macOS that could be exploited to execute any file on the underlying operating system. The remote code execution vulnerability has been codenamed MyFlaw by the Guardio Labs research team owing to the fact that it takes advantage of a feature called My Flow [...]
---------------------------------------------
https://thehackernews.com/2024/01/opera-myflaw-bug-could-let-hackers-run.ht…
∗∗∗ Cybersecurity Alert - Self-Service Password Reset ∗∗∗
---------------------------------------------
Effective controls are essential to authenticate users who access your information systems. As configured by some organizations, applications or features that allow users to reset passwords themselves, do not securely authenticate users. If your organization uses, or is considering using, these features (commonly referred to as self-service password reset or SSPR), please review the information below.
---------------------------------------------
https://www.dfs.ny.gov/industry_guidance/industry_letters/il20240112_cyber_…
∗∗∗ Nvidia updates close critical vulnerabilities in AI systems ∗∗∗
---------------------------------------------
Nvidia has released updated firmware for the DGX A100 and H100 AI systems. It seals critical security holes.
---------------------------------------------
https://www.heise.de/-9597460.html
∗∗∗ Beware of fake FinanzOnline e-mails ∗∗∗
---------------------------------------------
„Bitte überprüfen Sie Ihre Angaben zur zusätzlichen Verpflichtung“ ("Please check your details regarding the additional obligation") is the subject of a fraudulent e-mail purportedly from FinanzOnline. The mail claims that there is a document in your inbox, which you can open via a link. If you click the link, you land on a fake FinanzOnline login page.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-finanzonli…
∗∗∗ Microsoft SharePoint Server: Patch RCE vulnerability CVE-2024-21318, and old CVE-2023-29357 is under attack ∗∗∗
---------------------------------------------
Another follow-up on the January 2024 patch day for Microsoft SharePoint Server. In the patch day articles I had mentioned the SharePoint Server RCE vulnerability CVE-2024-21318. It was closed with the security updates of 9 January 2023. There is a second elevation-of-privilege vulnerability, CVE-2023-29357, already closed in June 2023, for which an exploit is known. US CISA has issued a warning because attacks on the RCE vulnerability have since been observed.
---------------------------------------------
https://www.borncity.com/blog/2024/01/13/microsoft-sharepoint-server-rce-sc…
∗∗∗ Bitdefender finds vulnerabilities in Bosch BCC100 thermostats ∗∗∗
---------------------------------------------
A small addendum from this week: security vendor Bitdefender informed me that security researchers in its labs have found vulnerabilities in Bosch BCC100 thermostats. Through these vulnerabilities, hackers can take control of such smart thermostats and gain access to smart home networks.
---------------------------------------------
https://www.borncity.com/blog/2024/01/14/bitdefender-findet-schwachstellen-…
∗∗∗ Deobfuscating Android ARM64 strings with Ghidra: Emulating, Patching, and Automating ∗∗∗
---------------------------------------------
In a recent engagement I had to deal with some custom encrypted strings inside an Android ARM64 app. I had a lot of fun reversing the app and in the process I learned a few cool new techniques which are discussed in this writeup. This is mostly a beginner guide which explains step-by-step how you [...]
---------------------------------------------
https://blog.nviso.eu/2024/01/15/deobfuscating-android-arm64-strings-with-g…
=====================
= Vulnerabilities =
=====================
∗∗∗ OpenSSL Security Advisory - Excessive time spent checking invalid RSA public keys (CVE-2023-6237) ∗∗∗
---------------------------------------------
Impact summary: Applications that use the function EVP_PKEY_public_check() to check RSA public keys may experience long delays. Where the key that is being checked has been obtained from an untrusted source this may lead to a Denial of Service.
---------------------------------------------
https://www.openssl.org/news/secadv/20240115.txt
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (bind, cups, curl, firefox, ipa, iperf3, java-1.8.0-openjdk, java-11-openjdk, kernel, libssh2, linux-firmware, open-vm-tools, openssh, postgresql, python, python3, squid, thunderbird, tigervnc, and xorg-x11-server), Fedora (chromium, python-flask-security-too, and tkimg), Gentoo (libgit2, Opera, QPDF, and zlib), Mageia (chromium-browser-stable, gnutls, openssh, packages, and vlc), Oracle (.NET 6.0, fence-agents, frr, ipa, kernel, nss, pixman, and tomcat), and SUSE (gstreamer-plugins-bad).
---------------------------------------------
https://lwn.net/Articles/958315/
∗∗∗ Mattermost security updates 9.2.4 / 9.1.5 / 8.1.8 (ESR) released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses low- to medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 9.2.4, 9.1.5, and 8.1.8 (Extended Support Release) for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-9-2-4-9-1-5-8-1-8-e…
∗∗∗ CVE-2024-0057 .NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
Revised the Security Updates table as follows: Added PowerShell 7.2, PowerShell 7.3, and PowerShell 7.4 because these versions of PowerShell 7 are affected by this vulnerability. See https://github.com/PowerShell/Announcements/issues/72 for more information. Corrected Download and Article links for .NET Framework 3.5 and 4.8.1 installed on Windows 10 version 22H2.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057
∗∗∗ ZDI-24-073: Paessler PRTG Network Monitor Cross-Site Scripting Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-073/
∗∗∗ ZDI-24-072: Synology RT6600ax Qualcomm LDB Service Improper Input Validation Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-24-072/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000138219 : libssh2 vulnerability CVE-2020-22218 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000138219
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-01-2024 18:00 − Friday 12-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security risk: How easily mobile phone users can be secretly tracked ∗∗∗
---------------------------------------------
A Dutch radio station got hold of 80 gigabytes of location data from the Berlin-based platform Datarade and was thus able to shadow military officers, among others.
---------------------------------------------
https://www.heise.de/-9596230.html
∗∗∗ Microsoft provides a fix for installing updates in the WinRE partition ∗∗∗
---------------------------------------------
On the January patch day, update installation on Windows 10 often fails with error 0x80070643. A Microsoft script is supposed to help.
---------------------------------------------
https://www.heise.de/-9595312.html
∗∗∗ Patch now! Critical vulnerability in GitLab allows account takeover ∗∗∗
---------------------------------------------
The flaw is already being actively exploited by criminals; administrators should act quickly and update or isolate their GitLab instances.
---------------------------------------------
https://www.heise.de/-9595848.html
∗∗∗ Data leak at Halara: Personal data of 941,910 customers apparently online ∗∗∗
---------------------------------------------
The data of numerous Halara customers has surfaced on a hacker forum. It is said to have leaked through a vulnerability in the website's API.
---------------------------------------------
https://www.golem.de/news/bekleidungshersteller-halara-kundendaten-in-hacke…
∗∗∗ New Balada Injector campaign infects 6,700 WordPress sites ∗∗∗
---------------------------------------------
A new Balada Injector campaign launched in mid-December has infected over 6,700 WordPress websites using a vulnerable version of the Popup Builder campaign.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-balada-injector-campaign…
∗∗∗ Over 150k WordPress sites at takeover risk via vulnerable plugin ∗∗∗
---------------------------------------------
Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-150k-wordpress-sites-at…
∗∗∗ One File, Two Payloads, (Fri, Jan 12th) ∗∗∗
---------------------------------------------
It has been a while since I discussed obfuscation techniques in malicious scripts. I found a VB script that pretends to be a PDF file. As usual, it was delivered through a phishing email with a zip archive. The filename is "rfw_po_docs_order_sheet_01_10_202400000000_pdf.vbs" (SHA256:6e6ecd38cc3c58c40daa4020b856550b1cbaf1dbc0fad517f7ca26d6e11a3d75[1])
---------------------------------------------
https://isc.sans.edu/diary/rss/30558
∗∗∗ Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have identified a new attack that exploits misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. "This attack is particularly intriguing due to the attackers' use of packers and rootkits to conceal the malware," Aqua security researchers Nitzan Yaakov and Assaf Morag said in an analysis published earlier [...]
---------------------------------------------
https://thehackernews.com/2024/01/cryptominers-targeting-misconfigured.html
∗∗∗ Nation-State Actors Weaponize Ivanti VPN Zero-Days, Deploying 5 Malware Families ∗∗∗
---------------------------------------------
As many as five different malware families were deployed by suspected nation-state actors as part of post-exploitation activities leveraging two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN appliances since early December 2023. "These families allow the threat actors to circumvent authentication and provide backdoor access to these devices," Mandiant said [...]
---------------------------------------------
https://thehackernews.com/2024/01/nation-state-actors-weaponize-ivanti.html
∗∗∗ Akira ransomware attackers are wiping NAS and tape backups ∗∗∗
---------------------------------------------
“The Akira ransomware malware, which was first detected in Finland in June 2023, has been particularly active at the end of the year,” the Finnish National Cybersecurity Center (NCSC-FI) has shared on Wednesday. NCSC-FI has received 12 reports of Akira ransomware hitting Finnish organizations in 2023, and three of the attacks happened during Christmas vacations.
---------------------------------------------
https://www.helpnetsecurity.com/2024/01/12/finland-akira-ransomware/
∗∗∗ Joomla! vulnerability is being actively exploited ∗∗∗
---------------------------------------------
A vulnerability in the popular Joomla! CMS has been added to CISA's Known Exploited Vulnerabilities catalog.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2024/01/joomla-vulnerability-is-bein…
∗∗∗ An Introduction to AWS Security ∗∗∗
---------------------------------------------
Cloud providers are becoming a core part of IT infrastructure. Amazon Web Services (AWS), the world's biggest cloud provider, is used by millions of organizations worldwide and is commonly used to run sensitive and mission-critical workloads. This makes it critical for IT and security professionals to understand the basics of AWS security and take measures to protect their data and workloads.
---------------------------------------------
https://www.tripwire.com/state-of-security/introduction-aws-security
∗∗∗ Financial Fraud APK Campaign ∗∗∗
---------------------------------------------
Drawing attention to the ways threat actors steal PII for financial fraud, this article focuses on a malicious APK campaign aimed at Chinese users.
---------------------------------------------
https://unit42.paloaltonetworks.com/malicious-apks-steal-pii-from-chinese-u…
∗∗∗ CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign ∗∗∗
---------------------------------------------
This blog delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware's payload.
---------------------------------------------
https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for…
=====================
= Vulnerabilities =
=====================
∗∗∗ Buffer overflow and other vulnerabilities in IBM Business Automation Workflow ∗∗∗
---------------------------------------------
Attackers can inject code, bring components to a halt and siphon off secret information. IBM informs customers about countermeasures.
---------------------------------------------
https://www.heise.de/-9596204.html
∗∗∗ Splunk, cacti, checkmk: Vulnerabilities in monitoring software ∗∗∗
---------------------------------------------
There are security problems in three popular monitoring products. Admins should take care of updates.
---------------------------------------------
https://www.heise.de/-9595021.html
∗∗∗ Bluetooth flaw: Apple secures keyboards with new firmware ∗∗∗
---------------------------------------------
Due to a bug, it was possible to record Bluetooth traffic. However, the attacker needed physical access to the keyboard.
---------------------------------------------
https://www.heise.de/-9595522.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, linux-5.10, php-phpseclib, php-phpseclib3, and phpseclib), Fedora (openssh and tinyxml), Gentoo (FreeRDP and Prometheus SNMP Exporter), Mageia (packages), Red Hat (openssl), SUSE (gstreamer-plugins-rs and python-django-grappelli), and Ubuntu (dotnet6, dotnet7, dotnet8, openssh, and xerces-c).
---------------------------------------------
https://lwn.net/Articles/958124/
∗∗∗ Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000296153?language=en_US
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-01-2024 18:00 − Thursday 11-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Atomic Stealer rings in the new year with updated version ∗∗∗
---------------------------------------------
Mac users should be aware of an active distribution campaign via malicious ads delivering Atomic Stealer. The latest iteration of the malware is stealthy thanks to added encryption and obfuscation of its code.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2024/01/atomic-steale…
∗∗∗ SECGlitcher (Part 1) - Reproducible Voltage Glitching on STM32 Microcontrollers ∗∗∗
---------------------------------------------
Voltage glitching is a technique used in hardware security testing to try to bypass or modify the normal operation of a device by injecting a glitch.
---------------------------------------------
https://sec-consult.com/blog/detail/secglitcher-part-1-reproducible-voltage…
∗∗∗ Beware of imitators: Dangers from fake messaging apps and app mods ∗∗∗
---------------------------------------------
Clones and mods of WhatsApp, Telegram and Signal remain a popular means of spreading malware. Don't be taken for a fool.
---------------------------------------------
https://www.welivesecurity.com/de/mobile-sicherheit/achtung-nachahmer-gefah…
∗∗∗ Beware of celebrity clones on social media: How criminals deceive loyal fans ∗∗∗
---------------------------------------------
Christina Stürmer, Hubert von Goisern or Christopher Seiler: these are just 3 of numerous Austrian celebrities who are present on Facebook and Instagram, though not with just a single profile. Criminals create fake profiles on which they pose as these stars in order to take money out of loyal fans' pockets.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-promi-klonen-auf-social…
∗∗∗ Medusa Ransomware Turning Your Files into Stone ∗∗∗
---------------------------------------------
Medusa ransomware gang has not only escalated activities but launched a leak site. We also analyze new TTPS encountered in an incident response case.
---------------------------------------------
https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-s…
=====================
= Vulnerabilities =
=====================
∗∗∗ No patch available: Ivanti Connect Secure and Policy Secure are vulnerable ∗∗∗
---------------------------------------------
Ivanti Connect Secure and Policy Secure contain actively exploited vulnerabilities. There are no patches yet, only a workaround.
---------------------------------------------
https://www.golem.de/news/kein-patch-verfuegbar-ivanti-connect-secure-und-p…
∗∗∗ Zoho ManageEngine: Code injection possible in ADSelfService Plus ∗∗∗
---------------------------------------------
Zoho ManageEngine ADSelfService Plus contains a critical vulnerability. Attackers can use it to inject malicious code.
---------------------------------------------
https://www.heise.de/news/Zoho-ManageEngine-Codeschmuggel-in-ADSelfService-…
∗∗∗ Security patch: API flaw in Cisco Unity Connection gives attackers root ∗∗∗
---------------------------------------------
Various Cisco network products are vulnerable. One flaw is rated critical.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatch-API-Fehler-in-Cisco-Unity-Connec…
∗∗∗ BIOS security updates from Dell and Lenovo ∗∗∗
---------------------------------------------
Dell provides updated BIOS versions for some devices. AMI closes several vulnerabilities, which Lenovo passes on to its users.
---------------------------------------------
https://www.heise.de/news/BIOS-Sicherheitsupdates-von-Dell-und-Lenovo-95940…
∗∗∗ Security patch: IBM Security Verify susceptible to root attacks ∗∗∗
---------------------------------------------
The developers have closed several vulnerabilities in IBM's access management solution Security Verify.
---------------------------------------------
https://www.heise.de/news/Sicherheitspatch-IBM-Security-Verify-fuer-Root-At…
∗∗∗ Juniper Networks fixes numerous vulnerabilities ∗∗∗
---------------------------------------------
Juniper Networks has published 27 security advisories. They affect Junos OS, Junos OS Evolved and various hardware.
---------------------------------------------
https://www.heise.de/news/Juniper-Networks-bessert-zahlreiche-Schwachstelle…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Fedora (chromium, python-paramiko, tigervnc, and xorg-x11-server), Oracle (ipa, libxml2, python-urllib3, python3, and squid), Red Hat (.NET 6.0, .NET 7.0, .NET 8.0, container-tools:4.0, fence-agents, frr, gnutls, idm:DL1, ipa, kernel, kernel-rt, libarchive, libxml2, nss, openssl, pixman, python-urllib3, python3, tigervnc, tomcat, and virt:rhel and virt-devel:rhel modules), SUSE (gstreamer-plugins-bad), and Ubuntu (firefox, Go, linux-aws, [...]
---------------------------------------------
https://lwn.net/Articles/958029/
∗∗∗ Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN ∗∗∗
---------------------------------------------
Volexity analyzed one of the collected memory samples and uncovered the exploit chain used by the attacker. Volexity discovered two different zero-day exploits which were being chained together to achieve unauthenticated remote code execution (RCE).
---------------------------------------------
https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-da…
∗∗∗ Cisco TelePresence Management Suite Cross-Site Scripting Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Apache ActiveMQ OpenWire Protocol Class Type Manipulation Arbitrary Code Execution Vulnerability affects Atos Unify OpenScape UC and Atos Unify Common Management Platform ∗∗∗
---------------------------------------------
https://networks.unify.com/security/advisories/OBSO-2401-02.pdf
∗∗∗ ZDI Security Advisories ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Rapid Software LLC Rapid SCADA ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-03
∗∗∗ Horner Automation Cscape ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-011-04
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-01-2024 18:00 − Wednesday 10-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Sender data decrypted: China has apparently "cracked" Apple's AirDrop protocol ∗∗∗
---------------------------------------------
Forensic experts from Beijing have allegedly succeeded in decrypting the phone numbers and e-mail addresses of AirDrop senders.
---------------------------------------------
https://www.golem.de/news/absenderdaten-entschluesselt-china-hat-wohl-apple…
∗∗∗ Jenkins Brute Force Scans, (Tue, Jan 9th) ∗∗∗
---------------------------------------------
Our honeypots saw a number of scans for "/j_acegi_security_check" the last two days. This URL has not been hit much lately, but was hit pretty hard last March. The URL is associated with Jenkins, and can be used to brute force passwords.
---------------------------------------------
https://isc.sans.edu/diary/rss/30546
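One way to turn the scan pattern above into a detection, as an added example that is not part of the ISC diary or of Jenkins itself: the script parses combined-format access-log lines, counts hits on /j_acegi_security_check per source address inside a sliding time window, and reports addresses that cross a threshold. The log lines and addresses are constructed for the example (RFC 5737 documentation ranges); the threshold and window are assumptions to be tuned per environment, and lines are expected in chronological order as in a real log file.

```python
"""Detect Jenkins login brute-forcing in web-server access logs.

Added example, not code from the ISC diary: it scans access-log lines for
requests to /j_acegi_security_check, the form-login endpoint of Jenkins, and
reports source IPs that hit it `threshold` times or more inside a sliding
time window. SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

JENKINS_LOGIN_PATH = "/j_acegi_security_check"

# Combined/common log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return ip, timestamp, method, path (query string stripped) and status,
    or None for a line that does not match the log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_hits_in_window} for IPs that hit the Jenkins login
    endpoint at least `threshold` times within any `window`-long span.
    Every request to the endpoint counts, whatever its method or status:
    scanners typically probe with GET before POSTing credentials."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["path"] != JENKINS_LOGIN_PATH:
            continue
        hits = recent[ev["ip"]]
        hits.append(ev["ts"])
        while hits and ev["ts"] - hits[0] > window:
            hits.popleft()            # drop hits that fell out of the window
        if len(hits) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(hits))
    return flagged


# Constructed sample log: one scanner probing, one host brute-forcing, normal traffic
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jan/2024:10:14:58 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Jan/2024:10:15:00 +0000] "GET /j_acegi_security_check HTTP/1.1" 405 0 "-" "python-requests/2.31"',
    '198.51.100.7 - - [09/Jan/2024:10:15:01 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2024:10:15:06 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2024:10:15:11 +0000] "POST /j_acegi_security_check?from=%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2024:10:15:16 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2024:10:15:21 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2024:10:15:26 +0000] "POST /j_acegi_security_check HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Jan/2024:10:15:30 +0000] "GET /job/build/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} hits on {JENKINS_LOGIN_PATH} within one minute")
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines; a lower threshold catches slow, distributed attempts but also flags legitimate users who mistype their password a few times.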
∗∗∗ CISA requirements: more security for the Microsoft cloud ∗∗∗
---------------------------------------------
CISA's security requirements for the Microsoft cloud are final. We show what lies behind the recommendations and where they differ from those of Microsoft and CIS.
---------------------------------------------
https://www.heise.de/-9591800.html
∗∗∗ Microsoft Patch Tuesday: Kerberos authentication on Windows vulnerable ∗∗∗
---------------------------------------------
Important security updates have been released for Azure, Office, Windows and others. Attacks may be imminent. A BitLocker patch is causing problems.
---------------------------------------------
https://www.heise.de/-9592648.html
∗∗∗ Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin ∗∗∗
---------------------------------------------
On December 14th, 2023, during our Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view [...]
---------------------------------------------
https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabi…
∗∗∗ Siemens, Schneider Electric Release First ICS Patch Tuesday Advisories of 2024 ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric publish a total of 7 new security advisories addressing 22 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/siemens-schneider-electric-release-first-ics-p…
∗∗∗ Warning: increased numbers of PayLife phishing e-mails in circulation ∗∗∗
---------------------------------------------
Protect your credit card data and beware of phishing e-mails in the name of PayLife. The criminals claim in the e-mails that, because two-factor authentication has become mandatory, you must take action and follow a link. It leads to a copy of the PayLife site that is barely recognisable as a fake. Do not enter any data there!
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vermehrt-paylife-phishing-ma…
∗∗∗ ‘Yet another Mirai-based botnet’ is spreading an illicit cryptominer ∗∗∗
---------------------------------------------
A well-designed operation is using a version of the infamous Mirai malware to secretly distribute cryptocurrency mining software, researchers said Wednesday. Calling it NoaBot, researchers at Akamai said the campaign has been active for about a year, and it has various quirks that complicate analysis of the malware and point to highly-skilled threat actors.
---------------------------------------------
https://therecord.media/mirai-based-botnet-spreading-akamai
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
CVE-2023-29357 Microsoft SharePoint Server Privilege Escalation Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/10/cisa-adds-one-known-expl…
∗∗∗ Apache Applications Targeted by Stealthy Attacker ∗∗∗
---------------------------------------------
Researchers at Aqua Nautilus have uncovered a new attack targeting Apache Hadoop and Flink applications. This attack is particularly intriguing due to the attackers' use of packers and rootkits to conceal the malware. The simplicity with which these techniques are employed presents a significant challenge to traditional security defenses.
---------------------------------------------
https://blog.aquasec.com/threat-alert-apache-applications-targeted-by-steal…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2024-01-10 ∗∗∗
---------------------------------------------
Security Impact Rating: 1x Critical, 6x Medium
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Lenovo Security Advisories 2024-01-09 ∗∗∗
---------------------------------------------
- AMI MegaRAC Vulnerabilities
- Lenovo XClarity Administrator (LXCA) Vulnerability
- Lenovo Vantage Vulnerabilities
- Lenovo Tablet Vulnerabilities
- TianoCore EDK II BIOS Vulnerabilities
---------------------------------------------
https://support.lenovo.com/at/en/product_security/home
∗∗∗ Adobe Patch Tuesday: several vulnerabilities closed in Substance 3D Stager ∗∗∗
---------------------------------------------
Adobe's application for building 3D scenes, Substance 3D Stager, is attackable. A fixed version is available for download.
---------------------------------------------
https://www.heise.de/-9592712.html
∗∗∗ Update for Google Chrome: high-risk security hole sealed ∗∗∗
---------------------------------------------
Google has updated the Chrome web browser on its regular schedule. In doing so the developers plugged a security vulnerability rated as high risk.
---------------------------------------------
https://www.heise.de/-9592658.html
∗∗∗ Update against privilege escalation in FortiOS and FortiProxy ∗∗∗
---------------------------------------------
Fortinet warns of a flaw in the privilege handling of FortiOS and FortiProxy in HA clusters. Malicious actors can escalate their privileges.
---------------------------------------------
https://www.heise.de/-9592816.html
∗∗∗ Web conferencing: Zoom vulnerabilities allow privilege escalation ∗∗∗
---------------------------------------------
Zoom is distributing updated video conferencing software. It closes a vulnerability through which attackers can escalate their privileges.
---------------------------------------------
https://www.heise.de/-9593000.html
∗∗∗ 2022-01 Security Bulletin: Junos OS Evolved: Telnet service may be enabled when it is expected to be disabled. (CVE-2022-22164) ∗∗∗
---------------------------------------------
Modification History
2022-01-12: Initial Publication
2024-01-10: updated the JSA with information on an additional PR which fixed some releases which were not completely fixed originally
---------------------------------------------
https://supportportal.juniper.net/s/article/2022-01-Security-Bulletin-Junos…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (libssh), Gentoo (FAAD2 and RedCloth), Red Hat (kpatch-patch and nss), SUSE (hawk2, LibreOffice, opera, and tar), and Ubuntu (glibc, golang-1.13, golang-1.16, linux-azure, linux-gkeop, monit, and postgresql-9.5).
---------------------------------------------
https://lwn.net/Articles/957340/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ SVD-2024-0104: Splunk User Behavior Analytics (UBA) Third-Party Package Updates ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0104
∗∗∗ SVD-2024-0103: Splunk Enterprise Security (ES) Third-Party Package Updates - January 2024 ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0103
∗∗∗ SVD-2024-0102: Denial of Service in Splunk Enterprise Security of the Investigations manager through Investigation creation ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0102
∗∗∗ SVD-2024-0101: Denial of Service of an Investigation in Splunk Enterprise Security through Investigation attachments ∗∗∗
---------------------------------------------
https://advisory.splunk.com//advisories/SVD-2024-0101
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-01-2024 18:00 − Tuesday 09-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware ∗∗∗
---------------------------------------------
A threat actor called Water Curupira has been observed actively distributing the PikaBot loader malware as part of spam campaigns in 2023.
---------------------------------------------
https://thehackernews.com/2024/01/alert-water-curupira-hackers-actively.html
∗∗∗ Scruples only a pretext? Ransomware gangs attack hospitals ∗∗∗
---------------------------------------------
The LockBit operator publicly rages at an affiliate, yet is not above extorting hospitals itself. Others even threaten patients.
---------------------------------------------
https://www.heise.de/news/Skrupel-nur-vorgeschoben-Ransomware-Banden-attack…
∗∗∗ Beware of phishing e-mails in the name of KingBill GmbH ∗∗∗
---------------------------------------------
A fake e-mail in the name of "KingBill GmbH" asks you to block your outstanding payments to KingBill. Open invoices are allegedly now being settled via a secondary bank account. You are urged to reply to the e-mail immediately. This e-mail is fraud intended to steal your money.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-phishing-mails-im-namen…
∗∗∗ Roles allowing to abuse Entra ID federation for persistence and privilege escalation ∗∗∗
---------------------------------------------
Microsoft Entra ID (formerly known as Azure AD) allows delegation of authentication to another identity provider through the legitimate federation feature. However, attackers with elevated privileges can abuse this feature, leading to persistence and privilege escalation.
---------------------------------------------
https://medium.com/tenable-techblog/roles-allowing-to-abuse-entra-id-federa…
∗∗∗ New decryptor for Babuk Tortilla ransomware variant released ∗∗∗
---------------------------------------------
Cisco Talos obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant, allowing Talos to extract and share the private decryption key used by the threat actor.
---------------------------------------------
https://blog.talosintelligence.com/decryptor-babuk-tortilla/
=====================
= Vulnerabilities =
=====================
∗∗∗ SAP Patch Day: partly critical holes in business software ∗∗∗
---------------------------------------------
SAP's January Patch Day addresses security vulnerabilities, some of them critical. Security notes are available for ten vulnerabilities in total.
---------------------------------------------
https://www.heise.de/news/SAP-Patchday-Teils-kritische-Luecken-in-Geschaeft…
∗∗∗ Synology warns of vulnerability in the DSM operating system ∗∗∗
---------------------------------------------
Synology has issued a warning about a vulnerability in the DSM operating system for NAS systems. Updates have been available for some time.
---------------------------------------------
https://www.heise.de/news/Synology-warnt-vor-Sicherheitsluecke-im-DSM-Betri…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (squid), Fedora (podman), Mageia (dropbear), SUSE (eclipse-jgit, jsch, gcc13, helm3, opusfile, qt6-base, thunderbird, and wireshark), and Ubuntu (clamav, libclamunrar, and qemu).
---------------------------------------------
https://lwn.net/Articles/957236/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ SSA-794653 V1.0: Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-794653.html
∗∗∗ SSA-786191 V1.0: Local Privilege Escalation Vulnerability in Spectrum Power 7 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-786191.html
∗∗∗ SSA-777015 V1.0: Multiple Vulnerabilities in SIMATIC CN 4100 before V2.7 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-777015.html
∗∗∗ SSA-702935 V1.0: Redfish Server Vulnerability in maxView Storage Manager ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-702935.html
∗∗∗ SSA-589891 V1.0: Multiple PAR File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-589891.html
∗∗∗ SSA-583634 V1.0: Command Injection Vulnerability in the CPCI85 Firmware of SICAM A8000 Devices ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-583634.html
∗∗∗ Open Port 8899 in BCC Thermostat Product ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-473852.html
∗∗∗ CVE-2023-48795 Impact of Terrapin SSH Attack (Severity: NONE) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-48795
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-01-2024 18:00 − Monday 08-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Post-quantum cryptography: Kyber encryption scheme has weaknesses ∗∗∗
---------------------------------------------
By measuring the computation time needed for certain division operations, secret Kyber keys can apparently be reconstructed.
---------------------------------------------
https://www.golem.de/news/post-quanten-kryptografie-verschluesselungsverfah…
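The flaw described above is a timing side channel in an integer division. As an added example, not the pq-crystals reference code: the division-based bit extraction of Kyber's message decoding (poly_tomsg) is shown next to a multiply-and-shift form with a precomputed reciprocal, together with an exhaustive equivalence check over all 3329 coefficient values and the message packing around it. The constants are derived in the block rather than copied from any patch; the function names follow the reference implementation's naming, but the code is mine.

```python
"""Constant-time replacement for the division in Kyber's message decoding.

Added example, not the pq-crystals reference code. Compilers may turn the
integer division by q in poly_tomsg into a variable-time DIV instruction, so
decoding time depends on secret coefficients. Below, the division form sits
beside a multiply-and-shift form using a precomputed reciprocal, and the two
are checked to agree on every coefficient value.
"""
KYBER_Q = 3329
KYBER_N = 256
SHIFT = 28
RECIP = (1 << SHIFT) // KYBER_Q       # 80635, slightly below 2^28 / q


def tomsg_bit_division(t):
    """round(2t/q) mod 2 via integer division, as the original reference
    code computes it; the '//' may compile to a variable-time DIV."""
    assert 0 <= t < KYBER_Q
    return (((t << 1) + KYBER_Q // 2) // KYBER_Q) & 1


def tomsg_bit_const_time(t):
    """Same bit with shifts, an add and a multiply, which take
    data-independent time on common CPUs. The rounding term is raised by
    one to offset RECIP under-approximating 1/q (checked exhaustively below)."""
    assert 0 <= t < KYBER_Q
    x = (t << 1) + (KYBER_Q + 1) // 2     # 1665
    return ((x * RECIP) >> SHIFT) & 1


def equivalence_mismatches():
    """Exhaustive check over all q coefficient values; empty list means equal."""
    return [t for t in range(KYBER_Q)
            if tomsg_bit_division(t) != tomsg_bit_const_time(t)]


def poly_tomsg(coeffs, bit=tomsg_bit_const_time):
    """Pack 256 coefficients into a 32-byte message, one bit per coefficient."""
    assert len(coeffs) == KYBER_N
    msg = bytearray(KYBER_N // 8)
    for i in range(KYBER_N // 8):
        for j in range(8):
            msg[i] |= bit(coeffs[8 * i + j]) << j
    return bytes(msg)


def poly_frommsg(msg):
    """Inverse used on the encapsulating side: bit 1 -> (q+1)//2, bit 0 -> 0."""
    assert len(msg) == KYBER_N // 8
    return [((msg[i] >> j) & 1) * ((KYBER_Q + 1) // 2)
            for i in range(KYBER_N // 8) for j in range(8)]


if __name__ == "__main__":
    print("mismatches between division and constant-time form:", equivalence_mismatches())
    m = bytes(range(32))
    print("message round trip ok:", poly_tomsg(poly_frommsg(m)) == m)
```

The exhaustive check is the important part: a reciprocal-multiply approximation is only acceptable as a drop-in if it matches the division on the whole input domain, and with q = 3329 that domain is small enough to test in full rather than argue about.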
∗∗∗ Suspicious Prometei Botnet Activity, (Sun, Jan 7th) ∗∗∗
---------------------------------------------
On 31 Dec 2023, after trying multiple username/password combinations, an actor using IP 194.30.53.68 successfully logged in to the honeypot and uploaded eight files, two of them protected with a 7zip password (updates1.7z & updates2.7z). Some of these files have been identified by VirusTotal as related to the Prometei trojan.
---------------------------------------------
https://isc.sans.edu/diary/rss/30538
∗∗∗ Bypass Cognito Account Enumeration Controls ∗∗∗
---------------------------------------------
Amazon Cognito is a popular “sign-in as a service” offering from AWS. It allows developers to push the responsibility of developing authentication, sign up, and secure credential storage to AWS so they can instead focus on building their app. [..] This bypass was originally reported via a GitHub issue in July 2020 and Cognito is still vulnerable as of early 2024.
---------------------------------------------
https://hackingthe.cloud/aws/enumeration/bypass_cognito_user_enumeration_co…
∗∗∗ Patch now! Attacks on the Apache RocketMQ messaging platform ∗∗∗
---------------------------------------------
Security researchers are currently observing attack attempts against the Apache RocketMQ messaging and streaming platform. Security updates have been available since May 2023.
---------------------------------------------
https://www.heise.de/-9590555
∗∗∗ Security updates: malicious-code and DoS attacks on QNAP NAS possible ∗∗∗
---------------------------------------------
Attackers can target QNAP network storage devices. Security patches provide a remedy.
---------------------------------------------
https://www.heise.de/-9589870
∗∗∗ The OAuth backdoor: Google plays it down ∗∗∗
---------------------------------------------
Search engine giant Google sees no security vulnerability in the interface being exploited by criminals; it works as intended, the company says.
---------------------------------------------
https://www.heise.de/-9589840
∗∗∗ NIST: No Silver Bullet Against Adversarial Machine Learning Attacks ∗∗∗
---------------------------------------------
NIST has published a report on adversarial machine learning attacks and mitigations, and cautioned that there is no silver bullet for these types of threats.
---------------------------------------------
https://www.securityweek.com/nist-no-silver-bullet-against-adversarial-mach…
∗∗∗ Advertising for lost Post packages for € 1.95 is fraud ∗∗∗
---------------------------------------------
An advertisement circulating on Facebook and in Facebook Messenger promises lost packages from the Post for € 1.95. The ad gives the impression that the offer comes from the Post itself. The packages supposedly contain high-priced electronics such as laptops, game consoles or smartwatches. It is a fraudulent advertisement that has nothing to do with the Österreichische Post!
---------------------------------------------
https://www.watchlist-internet.at/news/werbung-fuer-verlorene-pakete-der-po…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices ∗∗∗
---------------------------------------------
Pentagrid identified several vulnerabilities in Lantronix's EDS-MD product during a penetration test. The EDS-MD is an IoT gateway for medical devices and equipment. The vulnerabilities include an authenticated command injection, cross-site request forgery, missing authentication for the AES-encrypted communication, cross-site scripting vulnerabilities, outdated software components, and more.
---------------------------------------------
https://www.pentagrid.ch/en/blog/multiple-vulnerabilties-in-lantronix-eds-m…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exim4), Fedora (chromium, perl-Spreadsheet-ParseExcel, python-aiohttp, python-pysqueezebox, and tinyxml), Gentoo (Apache Batik, Eclipse Mosquitto, firefox, R, Synapse, and util-linux), Mageia (libssh2 and putty), Red Hat (squid), SUSE (libxkbcommon), and Ubuntu (gnutls28).
---------------------------------------------
https://lwn.net/Articles/957146/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Qt: Security advisory: Potential Integer Overflow in Qt's HTTP2 implementation ∗∗∗
---------------------------------------------
https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-…
∗∗∗ BOSCH-SA-711465: Multiple vulnerabilities in Nexo cordless nutrunner ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-711465.html
∗∗∗ CISA Adds Six Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2024/01/08/cisa-adds-six-known-expl…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-01-2024 18:00 − Friday 05-01-2024 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Critical malicious-code vulnerability endangers Ivanti Endpoint Manager ∗∗∗
---------------------------------------------
Under certain conditions, attackers can execute malicious code on Ivanti EPM servers.
---------------------------------------------
https://www.heise.de/-9587991.html
∗∗∗ Ransomware: one extortion is immediately followed by the next ∗∗∗
---------------------------------------------
Online criminals are becoming ever bolder and exploit victims of ransomware several times over.
---------------------------------------------
https://www.heise.de/-9588424.html
∗∗∗ Fitness app "Mad Muscles": cost trap instead of help with New Year's resolutions ∗∗∗
---------------------------------------------
The dubious provider "Mad Muscles" is currently advertising heavily on Facebook and Instagram. The message? "Building muscle isn't as hard as it sounds!" Such messages are popular around the turn of the year, since the offers are supposed to help people keep their New Year's resolutions. What the advertising omits: the operators of madmuscles.com and the associated "Mad Muscle App" are no more transparent about company information than about the total cost. On top of that, cancellations are reportedly made difficult.
---------------------------------------------
https://www.watchlist-internet.at/news/fitness-app-mad-muscles-kostenfalle-…
∗∗∗ The source code of Zeppelin Ransomware sold on a hacking forum ∗∗∗
---------------------------------------------
Researchers from cybersecurity firm KELA reported that a threat actor announced on a cybercrime forum the sale of the source code and a cracked version of the Zeppelin ransomware builder for $500.
---------------------------------------------
https://securityaffairs.com/156974/cyber-crime/zeppelin-ransomware-source-c…
∗∗∗ New Bandook RAT Variant Resurfaces, Targeting Windows Machines ∗∗∗
---------------------------------------------
A new variant of the remote access trojan called Bandook has been observed being propagated via phishing attacks with an aim to infiltrate Windows machines, underscoring the continuous evolution of the malware. Fortinet FortiGuard Labs, which identified the activity in October 2023, said the malware is distributed via a PDF file that embeds a link to a password-protected .7z archive.
---------------------------------------------
https://thehackernews.com/2024/01/new-bandook-rat-variant-resurfaces.html
∗∗∗ SpectralBlur: New macOS Backdoor Threat from North Korean Hackers ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new Apple macOS backdoor called SpectralBlur that overlaps with a known malware family that has been attributed to North Korean threat actors. “SpectralBlur is a moderately capable backdoor that can upload/download files, run a shell, update its configuration, delete files, hibernate, or sleep, based on commands issued from the [...]
---------------------------------------------
https://thehackernews.com/2024/01/spectralblur-new-macos-backdoor-threat.ht…
∗∗∗ Tackling Anti-Analysis Techniques of GuLoader and RedLine Stealer ∗∗∗
---------------------------------------------
Using extractors written in Python, we detail our system for extracting internal malware configurations from memory dumps. GuLoader and RedLine Stealer are our examples.
---------------------------------------------
https://unit42.paloaltonetworks.com/malware-configuration-extraction-techni…
=====================
= Vulnerabilities =
=====================
∗∗∗ Inductive Automation Trust Center Updates ∗∗∗
---------------------------------------------
Inductive Automation offers a special thanks to the following security researchers from Trend Micro Zero Day Initiative, Star Labs, Incite Team, and Claroty Research Team82 for their hard work in finding and responsibly disclosing security vulnerabilities described in this tech advisory. All reported issues have been resolved as of Ignition 8.1.35. Inductive Automation recommends upgrading Ignition to the current version to address known vulnerabilities.
---------------------------------------------
https://security.inductiveautomation.com/?tcuUid=fc4c4515-046d-4365-b688-69…
∗∗∗ QNAP Security Advisories ∗∗∗
---------------------------------------------
- Vulnerability in QcalAgent
- Multiple Vulnerabilities in QTS and QuTS hero
- Multiple Vulnerabilities in QuMagie
- Multiple Vulnerabilities in Video Station
- Vulnerability in Netatalk
---------------------------------------------
https://www.qnap.com/en-us/security-advisories
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk, chromium, exim4, netatalk, and tomcat9), Fedora (chromium), Gentoo (BlueZ, c-ares, CUPS filters, RDoc, and WebKitGTK+), Oracle (firefox, squid:4, thunderbird, and tigervnc), SUSE (python-aiohttp and python-paramiko), and Ubuntu (linux-intel-iotg).
---------------------------------------------
https://lwn.net/Articles/957005/
∗∗∗ Security Update for Ivanti EPM ∗∗∗
---------------------------------------------
[...] We are reporting this vulnerability as CVE-2023-39366. We have no indication that customers have been impacted by this vulnerability.
This vulnerability impacts all supported versions of the product, and the issue has been resolved in Ivanti EPM 2022 Service Update 5.
If exploited, an attacker with access to the internal network can leverage an unspecified SQL injection to execute arbitrary SQL queries and retrieve output without the need for authentication.
---------------------------------------------
https://www.ivanti.com/blog/security-update-for-ivanti-epm
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-01-2024 18:00 − Thursday 04-01-2024 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Mandiant’s account on X hacked to push cryptocurrency scam ∗∗∗
---------------------------------------------
The Twitter account of American cybersecurity firm and Google subsidiary Mandiant was hijacked earlier today to impersonate the Phantom crypto wallet and share a cryptocurrency scam.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/mandiants-account-on-x-hacke…
∗∗∗ UAC-0050 Group Using New Phishing Tactics to Distribute Remcos RAT ∗∗∗
---------------------------------------------
The threat actor known as UAC-0050 is leveraging phishing attacks to distribute Remcos RAT using new strategies to evade detection from security software. [..] "Leveraging pipes within the Windows operating system provides a covert channel for data transfer, skillfully evading detection by Endpoint Detection and Response (EDR) and antivirus systems," the researchers said.
---------------------------------------------
https://thehackernews.com/2024/01/uac-0050-group-using-new-phishing.html
∗∗∗ Three Ways To Supercharge Your Software Supply Chain Security ∗∗∗
---------------------------------------------
If you make software and ever hope to sell it to one or more federal agencies, you have to pay attention to this. Even if you never plan to sell to a government, understanding your Software Supply Chain and learning how to secure it will pay dividends in a stronger security footing and the benefits it provides.
---------------------------------------------
https://thehackernews.com/2024/01/three-ways-to-supercharge-your-software.h…
∗∗∗ Internet outages in Spain: Orange account at RIPE cracked ∗∗∗
---------------------------------------------
There were outages in the Spanish internet. The provider Orange's account at RIPE was compromised and the attackers redirected routes. [..] A weak password ("ripeadmin") and the absence of two-factor authentication made it easy for the attacker. [..] A reply from the RIPE NCC to a query about further affected or at-risk accounts, and about a possible obligation to protect RIPE accounts with mandatory two-factor authentication in future, is still outstanding. Orange Spain got off lightly; the attacker apparently only wanted to embarrass the provider.
---------------------------------------------
https://www.heise.de/-9587184
∗∗∗ Terrapin attack: millions of SSH servers vulnerable, risk nevertheless manageable ∗∗∗
---------------------------------------------
More than half of all SSH servers reachable on the internet are affected, but admins can breathe a sigh of relief: a successful attack is difficult.
---------------------------------------------
https://www.heise.de/-9587473
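For the Terrapin entries on this page (the heise article above and the Palo Alto Networks advisory for CVE-2023-48795 in the 08-01 report), an added check that is not code from either source or from the Terrapin researchers: it parses SSH_MSG_KEXINIT payloads as laid out in RFC 4253 section 7.1, replays the algorithm negotiation for a server/client pair, and reports whether the connection would use an affected mode (chacha20-poly1305@openssh.com, or a CBC cipher together with an -etm@openssh.com MAC) without both peers advertising the strict-kex countermeasure (kex-strict-s-v00@openssh.com on the server, kex-strict-c-v00@openssh.com on the client). The KEXINIT payloads are constructed for the example with hypothetical hosts; on a live system you would feed it the payloads captured from the first packets after the version exchange.

```python
"""Terrapin (CVE-2023-48795) exposure check from SSH KEXINIT messages.

Added example, not code from heise, Palo Alto Networks or the Terrapin
authors. Parses SSH_MSG_KEXINIT (RFC 4253 section 7.1), simulates algorithm
negotiation for a server/client pair and reports whether the connection would
use a Terrapin-affected mode without strict kex on both sides. All payloads
below are constructed for the example; nothing touches the network.
"""
import struct

SSH_MSG_KEXINIT = 20
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server-side strict kex marker
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # client-side strict kex marker
CHACHA = "chacha20-poly1305@openssh.com"


def build_kexinit(kex, hostkeys, ciphers, macs, compression=("none",)):
    """Serialize a KEXINIT payload; used here only to construct test input."""
    def name_list(names):
        data = ",".join(names).encode("ascii")
        return struct.pack(">I", len(data)) + data
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)   # message id + zeroed cookie
    for lst in (kex, hostkeys, ciphers, ciphers, macs, macs,
                compression, compression, (), ()):
        payload += name_list(lst)
    return payload + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload keyed by field name."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    fields = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
    off, out = 17, {}
    for name in fields:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n].decode("ascii")
        off += n
        out[name] = [x for x in raw.split(",") if x]
    return out


def negotiate(client_prefs, server_prefs):
    """RFC 4253 rule: first client-preferred algorithm the server also lists."""
    for name in client_prefs:
        if name in server_prefs:
            return name
    return None


def is_affected_mode(cipher, mac):
    """Terrapin applies to ChaCha20-Poly1305 and to CBC ciphers with an ETM MAC."""
    if cipher is None:
        return False
    if cipher == CHACHA:
        return True
    return cipher.endswith("-cbc") and mac is not None and mac.endswith("-etm@openssh.com")


def assess_terrapin(server_payload, client_payload):
    """Simulate negotiation and report exposure for both traffic directions."""
    s, c = parse_kexinit(server_payload), parse_kexinit(client_payload)
    modes = {}
    for d in ("c2s", "s2c"):
        cipher = negotiate(c["enc_" + d], s["enc_" + d])
        mac = negotiate(c["mac_" + d], s["mac_" + d])
        modes[d] = (cipher, mac, is_affected_mode(cipher, mac))
    strict = STRICT_KEX_SERVER in s["kex"] and STRICT_KEX_CLIENT in c["kex"]
    return {"modes": modes, "strict_kex": strict,
            "vulnerable": any(v for _, _, v in modes.values()) and not strict}


def offered_affected_modes(server_payload):
    """What a mass scan counts: affected modes a server merely offers."""
    s = parse_kexinit(server_payload)
    offered = []
    if CHACHA in s["enc_s2c"] or CHACHA in s["enc_c2s"]:
        offered.append(CHACHA)
    if any(m.endswith("-etm@openssh.com") for m in s["mac_s2c"] + s["mac_c2s"]):
        offered += sorted({x for x in s["enc_s2c"] + s["enc_c2s"] if x.endswith("-cbc")})
    return offered


# Constructed KEXINIT payloads for hypothetical hosts with typical algorithm sets
SERVER_UNPATCHED = build_kexinit(
    ["curve25519-sha256", "ecdh-sha2-nistp256"], ["ssh-ed25519"],
    [CHACHA, "aes256-gcm@openssh.com", "aes256-ctr", "aes256-cbc"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
SERVER_PATCHED = build_kexinit(
    ["curve25519-sha256", "ecdh-sha2-nistp256", STRICT_KEX_SERVER], ["ssh-ed25519"],
    [CHACHA, "aes256-gcm@openssh.com", "aes256-ctr"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
CLIENT_UNPATCHED = build_kexinit(
    ["curve25519-sha256"], ["ssh-ed25519"],
    [CHACHA, "aes256-ctr"], ["hmac-sha2-256-etm@openssh.com"])
CLIENT_PATCHED = build_kexinit(
    ["curve25519-sha256", STRICT_KEX_CLIENT], ["ssh-ed25519"],
    [CHACHA, "aes256-ctr"], ["hmac-sha2-256-etm@openssh.com"])
# Client configured to avoid the affected modes without a software update
CLIENT_NO_CHACHA = build_kexinit(
    ["curve25519-sha256"], ["ssh-ed25519"],
    ["aes256-gcm@openssh.com", "aes256-ctr"], ["hmac-sha2-256-etm@openssh.com"])

if __name__ == "__main__":
    for label, srv, cli in (("unpatched/unpatched", SERVER_UNPATCHED, CLIENT_UNPATCHED),
                            ("patched/patched", SERVER_PATCHED, CLIENT_PATCHED),
                            ("unpatched/no-chacha client", SERVER_UNPATCHED, CLIENT_NO_CHACHA)):
        print(label, assess_terrapin(srv, cli))
    print("server offers:", offered_affected_modes(SERVER_UNPATCHED))
```

The two views matter for triage: offered_affected_modes is what the scan figures quoted above measure, while assess_terrapin tells you whether a given client/server pair is actually exposed. Strict kex only helps when both sides advertise it, so a patched server still negotiates an affected session with an old client; removing the affected modes from the client or server configuration closes that gap without a software update.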
∗∗∗ Beyond Protocols: How Team Camaraderie Fortifies Security ∗∗∗
---------------------------------------------
The most efficient and effective teams have healthy and constructive cultures that encourage team members to go above and beyond the call of duty.
---------------------------------------------
https://www.securityweek.com/beyond-protocols-how-team-camaraderie-fortifie…
∗∗∗ "Immediate action required": mass phishing e-mails in the name of A1 in circulation ∗∗∗
---------------------------------------------
Numerous consumers are currently contacting Watchlist Internet about fake e-mails in the name of A1. The e-mail claims that "unusual connections" were detected and that "your immediate attention" is therefore required "to ensure the security of your account". At the same time it threatens to block the account. We can give the all-clear: it is fraud.
---------------------------------------------
https://www.watchlist-internet.at/news/sofortiges-handeln-erforderlich-mass…
∗∗∗ CVE-2022-1471: SnakeYAML Deserialization Deep Dive ∗∗∗
---------------------------------------------
Get an overview of SnakeYAML deserialization vulnerabilities (CVE-2022-1471) - how it works, why it works, and what it affects.
---------------------------------------------
https://www.greynoise.io/blog/cve-2022-1471-snakeyaml-deserialization-deep-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Update for Google Chrome closes six security holes ∗∗∗
---------------------------------------------
Google has released updated Chrome versions. They close six security vulnerabilities, several of them high risk.
---------------------------------------------
https://www.heise.de/-9586697
∗∗∗ Android Patch Day: attackers can obtain higher privileges ∗∗∗
---------------------------------------------
Android devices are susceptible to attacks. Google, Samsung and others are providing security updates.
---------------------------------------------
https://www.heise.de/-9586713
∗∗∗ Network analysis tool Wireshark secured against possible attacks ∗∗∗
---------------------------------------------
The Wireshark developers have closed several security vulnerabilities in the current versions.
---------------------------------------------
https://www.heise.de/-9587170
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (firefox, gstreamer1-plugins-bad-free, thunderbird, tigervnc, and xorg-x11-server), Red Hat (squid:4), SUSE (exim, libcryptopp, and proftpd), and Ubuntu (openssh and sqlite3).
---------------------------------------------
https://lwn.net/Articles/956855/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-02
∗∗∗ Rockwell Automation FactoryTalk Activation ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-24-004-01