=====================
= End-of-Day report =
=====================
Timeframe: Monday 27-03-2023 18:00 - Tuesday 28-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ New MacStealer macOS malware steals passwords from iCloud Keychain ∗∗∗
---------------------------------------------
A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware…
∗∗∗ Exchange Online to block emails from vulnerable on-prem servers ∗∗∗
---------------------------------------------
Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/exchange-online-to-block-ema…
∗∗∗ Cybersecurity Challenges of Power Transformers ∗∗∗
---------------------------------------------
To the best of our knowledge, there is no study in the literature that systematically investigates the cybersecurity challenges against the newly emerged smart transformers. This paper addresses this shortcoming by exploring the vulnerabilities and the attack vectors of power transformers within electricity networks, the possible attack scenarios and the risks associated with these attacks.
---------------------------------------------
https://arxiv.org/abs/2302.13161
∗∗∗ OpenSSL 1.1.1 End of Life ∗∗∗
---------------------------------------------
We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take. [..] OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date.
---------------------------------------------
https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/
∗∗∗ The curl quirk that exposed Burp Suite & Google Chrome ∗∗∗
---------------------------------------------
Although this feature took us (and Chrome) by surprise, it is fully documented so we don't consider it to be a vulnerability in curl itself. It reminds me of server-side template injection, where a sandbox escape can be as easy as reading a manual page everyone else overlooked.
---------------------------------------------
https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp…
∗∗∗ Subscription trap on produkttester-werden.org ∗∗∗
---------------------------------------------
Produkttester-werden.org advertises the opportunity to test products regularly and free of charge and to receive up to 25 euros in expense compensation for doing so. However, already at initial registration personal data including the IBAN is requested, a direct debit authorisation is demanded, and a paid subscription is concluded via a hidden cost notice. We advise staying away!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-auf-produkttester-werdenor…
∗∗∗ Emotet Being Distributed via OneNote ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered Emotet being distributed via OneNote. A spear-phishing email, as shown below, with a OneNote file attached prompts the reader to open the attachment, which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document.
---------------------------------------------
https://asec.ahnlab.com/en/50564/
=====================
= Vulnerabilities =
=====================
∗∗∗ Apple patches everything, including a zero-day fix for iOS 15 users ∗∗∗
---------------------------------------------
Got an older iPhone that can't run iOS 16? You've got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too.
---------------------------------------------
https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-includ…
∗∗∗ FortiOS / FortiProxy - Unauthenticated access to static files containing logging information (CVE-2022-41329) ∗∗∗
---------------------------------------------
An exposure of sensitive information to an unauthorized actor vulnerability in the FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP or HTTPS GET requests.
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-22-364
∗∗∗ OpenSSL Security Advisory: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) ∗∗∗
---------------------------------------------
Severity: Low
Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. [..] Policy processing is disabled by default.
---------------------------------------------
https://www.openssl.org/news/secadv/20230328.txt
∗∗∗ [webapps] Moodle LMS 4.0 - Cross-Site Scripting (XSS) ∗∗∗
---------------------------------------------
A Cross-Site Scripting (XSS) vulnerability exists in Moodle, which is a free and open-source Learning Management System (LMS) written in PHP [..]
---------------------------------------------
https://www.exploit-db.com/exploits/51115
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (dino-im and runc), Fedora (qemu), Red Hat (firefox), SUSE (chromium, containerd, docker, kernel, and systemd), and Ubuntu (graphicsmagick, linux-azure, linux-gcp, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and node-url-parse).
---------------------------------------------
https://lwn.net/Articles/927548/
∗∗∗ Cisco SD-WAN vManage Software Cluster Mode Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966410
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966400
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2022-31129, CVE-2022-24785 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966418
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-21252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966412
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966416
∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2022-24999 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966420
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964836
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-3509, CVE-2022-3171) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966436
∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966428
∗∗∗ Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966084
∗∗∗ Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966434
∗∗∗ IBM Tivoli Netcool Impact is vulnerable to remote code execution from Apache Commons Net (CVE-2021-37533) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966438
∗∗∗ IBM Tivoli Netcool Impact is vulnerable to denial of service attack due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966440
∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31160) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966442
∗∗∗ IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966588
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-26281] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966600
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966602
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966604
∗∗∗ IBM App Connect Enterprise Certified Container images may be vulnerable to denial of service due to libarchive [CVE-2017-14166] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966610
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service due to [X-Force 247595] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966612
∗∗∗ IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966636
∗∗∗ There is a security vulnerability in snakeYAML used by IBM Maximo Data Loader (CVE-2022-41854) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966646
∗∗∗ There is a security vulnerability in TinyMCE used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-23494) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966644
∗∗∗ Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-2047] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6966652
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 24-03-2023 18:00 - Monday 27-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Guidance for investigating attacks using CVE-2023-23397 ∗∗∗
---------------------------------------------
This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-inves…
∗∗∗ WooCommerce Credit Card Skimmer Reveals Tampered Plugin ∗∗∗
---------------------------------------------
Disclaimer: The malware infection described in this article does not affect the software plugin as a whole and does not indicate any vulnerabilities or security flaws within WooCommerce or any associated WooCommerce plugin extensions. Overall they are both robust and secure payment platforms that are perfectly safe to use. Instead, this article highlights the importance of maintaining good security posture and keeping environments locked down to prevent tampering from threat actors.
---------------------------------------------
https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-plugin…
∗∗∗ Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues Affecting Multiple Cisco Products ∗∗∗
---------------------------------------------
On March 27, 2023, the research paper Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues was made public. This paper discusses vulnerabilities in the 802.11 standard that could allow an attacker to spoof a targeted wireless client and redirect frames that are present in the transmit queues in an access point to an attacker-controlled device. This attack is seen as an opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Visual Signature Spoofing in PDFs ∗∗∗
---------------------------------------------
Visual Signature Spoofing was partially successful in forging signed documents. Due to the limited support of JavaScript in the other PDF applications, it was only possible to create visual signature spoofs for Adobe Acrobat Reader DC. Other PDF applications may also become vulnerable in the future if they add support for the necessary JavaScript functions.
---------------------------------------------
https://sec-consult.com/blog/detail/visual-signature-spoofing-in-pdfs/
∗∗∗ Using an Undocumented Amplify API to Leak AWS Account IDs ∗∗∗
---------------------------------------------
In a previous blog post I mentioned that I was getting back into AWS vulnerability research in my free time. I’ve been taking a closer look at undocumented AWS APIs, trying to find hidden functionality that may be useful for an attacker or cross tenant boundaries. [...] I reported this API to AWS who responded that it did not “represent a security issue”, however, 3 days later, the API was disabled.
---------------------------------------------
https://frichetten.com/blog/undocumented-amplify-api-leak-account-id/
∗∗∗ Microsoft distributes security update for Windows Snipping Tool ∗∗∗
---------------------------------------------
Microsoft has released an out-of-band security update. It is intended to fix a vulnerability in the Windows Snipping Tool, the screenshot app integrated into Windows 10 and Windows 11. Similar to what was recently seen on Android, the tool does not completely remove "deleted" areas of cropped screenshots, so they can be recovered afterwards.
---------------------------------------------
https://www.zdnet.de/88408044/microsoft-verteilt-sicherheitsupdate-fuer-win…
∗∗∗ Deprecation of Remote PowerShell in Exchange Online – Re-enabling or Extending RPS support ∗∗∗
---------------------------------------------
PowerShell (PS) cmdlets in Exchange Online use Remote PowerShell (RPS) for client to server communication. Unfortunately, RPS is legacy technology that is outdated and can pose security risks. As such, we recommend all customers move to the new more secure REST-based v3 PowerShell module, which will help us improve security – together.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-re…
∗∗∗ OneNote Embedded URL Abuse ∗∗∗
---------------------------------------------
Whilst Microsoft is fixing the embedded files feature in OneNote I decided to abuse a whole other feature. Embedded URLs. Turns out this is something they may also have to fix.
---------------------------------------------
https://blog.nviso.eu/2023/03/27/onenote-embedded-url-abuse/
∗∗∗ Rhadamanthys: The “Everything Bagel” Infostealer ∗∗∗
---------------------------------------------
Key Takeaways:
* Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals.
* A maximalist approach to features: functionality is added for its own sake, never mind the effort required or expected payoff.
* Campaigns by default target countries indiscriminately, excluding the Commonwealth of Independent States. This is typical of this kind of malware.
* Multiple-stage loader/shellcode execution has been researched in prior publications and has made it difficult to reach a proper interactive disassembly workflow with the actual information-stealing logic.
---------------------------------------------
https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-info…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Cloud Management for Catalyst migration feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root-level privileges on an affected device. This vulnerability is due to insufficient memory protection in the Cisco IOS XE Meraki migration feature of an affected device. An attacker could exploit this vulnerability by modifying the Meraki registration parameters. A successful exploit could allow the attacker to elevate privileges to root.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ ABB RCCMD – Use of default password (CVE-2022-4126) ∗∗∗
---------------------------------------------
A software update is available that resolves a privately reported vulnerability [...] An attacker who successfully exploited this vulnerability could take control of the computer the software runs on and possibly insert and run arbitrary code.
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=2CMT0…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libreoffice and xen), Fedora (chromium, curl, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), Slackware (tar), SUSE (apache2, ceph, curl, dpdk, helm, libgit2, and php7), and Ubuntu (firefox and thunderbird).
---------------------------------------------
https://lwn.net/Articles/927451/
∗∗∗ baserCMS vulnerable to arbitrary file uploads ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN61105618/
∗∗∗ IBM Security Bulletins 2023-03-25 - 2023-03-27 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 23-03-2023 18:00 - Friday 24-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites ∗∗∗
---------------------------------------------
Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1.
---------------------------------------------
https://thehackernews.com/2023/03/critical-woocommerce-payments-plugin.html
∗∗∗ GitHub publishes RSA SSH host keys by mistake, issues update ∗∗∗
---------------------------------------------
Getting connection failures? Don't panic. Get new keys. GitHub has updated its SSH keys after accidentally publishing the private part to the world. Whoops.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2023/03/24/github_chang…
∗∗∗ ChinaZ DDoS Bot Malware Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the ChinaZ DDoS Bot malware being installed on inadequately managed Linux SSH servers. [..] The threat group most likely scanned port 22, the area where SSH services operate, before finding an active SSH service and performing a dictionary attack using commonly used SSH account credentials.
---------------------------------------------
https://asec.ahnlab.com/en/50316/
∗∗∗ Hacking AI: System and Cloud Takeover via MLflow Exploit ∗∗∗
---------------------------------------------
Protect AI tested the security of MLflow and found a combined Local File Inclusion/Remote File Inclusion vulnerability which can lead to a complete system or cloud provider takeover. Organizations running an MLflow server are urged to update to the latest release immediately.
---------------------------------------------
https://protectai.com/blog/hacking-ai-system-takeover-exploit-in-mlflow
∗∗∗ JavaScript runtime: Deno 1.32 closes critical security vulnerability ∗∗∗
---------------------------------------------
The JS runtime Deno 1.32 delivers further improvements to compatibility with Node.js and new features for the deno compile command.
---------------------------------------------
https://heise.de/-7971810
∗∗∗ CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections ∗∗∗
---------------------------------------------
The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.
---------------------------------------------
https://www.securityweek.com/cisa-ships-untitled-goose-tool-to-hunt-for-mic…
∗∗∗ APT attacks on industrial organizations in H2 2022 ∗∗∗
---------------------------------------------
This summary provides an overview of APT attacks on industrial enterprises and activity of groups that have been observed attacking industrial organizations and critical infrastructure facilities.
---------------------------------------------
https://ics-cert.kaspersky.com/publications/apt-attacks-on-industrial-organ…
∗∗∗ Outlook vulnerability CVE-2023-23397 not fully patched – hardening required ∗∗∗
---------------------------------------------
A short addendum to the March 2023 Patchday. On 14 March 2023 Microsoft did provide a security update for the critical RCE vulnerability CVE-2023-23397 in Outlook. But the patch is incomplete; the attack can still be triggered with slightly modified e-mails. And by now a proof of concept is public that demonstrates how the vulnerability is exploited.
---------------------------------------------
https://www.borncity.com/blog/2023/03/24/outlook-schwachstelle-cve-2023-233…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the implementation of the Cisco Network Plug-and-Play (PnP) agent of Cisco DNA Center could allow an authenticated, remote attacker to view sensitive information in clear text. The attacker must have valid low-privileged user credentials. This vulnerability is due to improper role-based access control (RBAC) with the integration of PnP. An attacker could exploit this vulnerability by authenticating to the device and sending a query to an internal API.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, libdatetime-timezone-perl, and tzdata), Fedora (flatpak and gmailctl), Mageia (firefox, flatpak, golang, gssntlmssp, libmicrohttpd, libtiff, python-flask-security, python-owslib, ruby-rack, thunderbird, unarj, and vim), Red Hat (firefox, kpatch-patch, nss, openssl, and thunderbird), SUSE (containerd, hdf5, qt6-base, and squirrel), and Ubuntu (amanda, gif2apng, graphviz, and linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi).
---------------------------------------------
https://lwn.net/Articles/927198/
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-003
∗∗∗ ELECOM WAB-MAT registers its Windows service executable with an unquoted file path ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN35246979/
∗∗∗ TADDM is vulnerable to a denial of service vulnerability in Apache-Log4j (CVE-2023-26464) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965790
∗∗∗ IBM Tivoli Application Dependency Discovery Manager is vulnerable to a bypass vulnerability due to the use of Python (CVE-2023-24329) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965792
∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965612
∗∗∗ Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965816
∗∗∗ Stored SMB credentials may allow access to vSnap after oracle backup in IBM Spectrum Protect Plus for Db2 and Oracle (CVE-2023-27863) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965812
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965822
∗∗∗ Multiple vulnerabilities in Java affect IBM Robotic Process Automation for Cloud Pak which may result in a denial of service (CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965846
∗∗∗ A vulnerability in Luxon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-22467) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965848
∗∗∗ Multiple vulnerabilities in IBM Content Navigator may affect IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965908
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 22-03-2023 18:00 - Thursday 23-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Developing an incident response playbook ∗∗∗
---------------------------------------------
Incident response playbooks help optimize the SOC processes, and are a major step forward to SOC maturity, but can be challenging for a company to develop. In this article, I want to share some insights on how to create the (almost) perfect playbook.
---------------------------------------------
https://securelist.com/developing-an-incident-response-playbook/109145/
∗∗∗ Cropping and Redacting Images Safely, (Thu, Mar 23rd) ∗∗∗
---------------------------------------------
The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images. [..] Here are some approaches to make image redaction safer. But please use them with caution.
---------------------------------------------
https://isc.sans.edu/diary/rss/29666
∗∗∗ German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics ∗∗∗
---------------------------------------------
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes.
---------------------------------------------
https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html
∗∗∗ AIIPot: Adaptive Intelligent-Interaction Honeypot for IoT Devices ∗∗∗
---------------------------------------------
In this paper, we propose a honeypot for IoT devices that uses machine learning techniques to learn and interact with attackers automatically. The evaluation of the proposed model indicates that our system can improve the session length with attackers and capture more attacks on the IoT network.
---------------------------------------------
https://arxiv.org/abs/2303.12367
∗∗∗ Memory Forensics R&D Illustrated: Detecting Hidden Windows Services ∗∗∗
---------------------------------------------
To begin the series, this post discusses a new detection technique for hidden services on Windows 7 through 11. Since not all readers will be familiar with hidden services and the danger they pose on live systems, we will start with some brief background.
---------------------------------------------
https://volatility-labs.blogspot.com/2023/03/memory-forensics-r-d-illustrat…
∗∗∗ Malicious Actors Use Unicode Support in Python to Evade Detection ∗∗∗
---------------------------------------------
Phylum’s automated platform recently detected the onyxproxy package on PyPI, a malicious package that harvests and exfiltrates credentials and other sensitive data. In many ways, this package typifies other token stealers that we have found prevalent in PyPI. However, one feature of this particular package caught our eye: an obfuscation technique that was foreseen in 2007 during a discussion about Python’s support for Unicode [..]
---------------------------------------------
https://blog.phylum.io/malicious-actors-use-unicode-support-in-python-to-ev…
∗∗∗ Joomla! CVE-2023-23752 to Code Execution ∗∗∗
---------------------------------------------
On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. [..] disclosure was followed by a stream of exploits hitting GitHub, and multiple indicators of exploitation in the wild. The public exploits focus on leaking the victim’s MySQL database credentials – an unexciting prospect (we thought), because exposing the database to the internet is a dangerous misconfiguration. Nonetheless, attackers seemed interested in the vulnerability, so we sought to find out why.
---------------------------------------------
https://vulncheck.com/blog/joomla-for-rce
∗∗∗ False alarm: Microsoft Defender warning about disabled protection is misleading ∗∗∗
---------------------------------------------
Unter Windows 11 zeigt Microsoft Defender auf vielen Systemen einen deaktivieren Schutz durch "die lokalen Sicherheitsautorität". Das ist ein Fehlalarm.
---------------------------------------------
https://heise.de/-7659972
∗∗∗ Technical guideline on public key infrastructures for technical security devices published ∗∗∗
---------------------------------------------
On 23 March 2023 the BSI published the new Technical Guideline BSI TR-03145-5 for the secure operation of a public key infrastructure for technical security devices (Technische Sicherheitseinrichtungen).
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023) ∗∗∗
---------------------------------------------
Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..]
---------------------------------------------
https://www.wordfence.com/blog/2023/03/wordfence-intelligence-weekly-wordpr…
∗∗∗ Pack it Secretly: Earth Preta’s Updated Stealthy Strategies ∗∗∗
---------------------------------------------
After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were being used by Earth Preta. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by the threat actor.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy…
=====================
= Vulnerabilities =
=====================
∗∗∗ Antivirus: Malwarebytes allows privilege escalation ∗∗∗
---------------------------------------------
Malwarebytes' antivirus allows attackers to delete arbitrary files or escalate their privileges on the system. An update closes the gap.
---------------------------------------------
https://heise.de/-7674565
∗∗∗ Security vulnerability: attackers could compromise Aruba switches (CVE-2023-1168) ∗∗∗
---------------------------------------------
Certain Aruba switches are vulnerable due to a security flaw. Admins should secure affected devices now.
The flaw is in the Network Analytics Engine, where an authenticated attacker could mount a code-execution attack to fully compromise the device. How such an attack would proceed is not yet known.
---------------------------------------------
https://heise.de/-7658264
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, nss, and openssl), Fedora (firefox, liferea, python-cairosvg, and tar), Oracle (openssl and thunderbird), Scientific Linux (firefox, nss, and openssl), SUSE (container-suseconnect, grub2, libplist, and qemu), and Ubuntu (amanda, apache2, node-object-path, and python-git).
---------------------------------------------
https://lwn.net/Articles/926972/
∗∗∗ VARTA: Multiple devices prone to hard-coded credentials (CVE-2022-22512) ∗∗∗
---------------------------------------------
VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-061/
∗∗∗ Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation ∗∗∗
---------------------------------------------
Solution: Users must check their program version by following the steps below and update their program to the latest version (versions 8.0.23.215 or above).
– Service operator: Replace with the latest version through MLsoft
– Service user: Updated automatically when the operator switches to the latest version
---------------------------------------------
https://asec.ahnlab.com/en/50213/
∗∗∗ SAUTER EY-modulo 5 Building Automation Stations ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-03
∗∗∗ RoboDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-01
∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-04
∗∗∗ CP Plus KVMS Pro ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-02
∗∗∗ ABB Pulsar Plus Controller ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-05
∗∗∗ ProPump and Controls Osprey Pump Controller ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06
∗∗∗ IBM Integration Bus is vulnerable to a remote attack & denial of service due to Apache Thrift & Apache Commons Codec (CVE-2018-1320, CVE-2019-0205, IBM X-Force ID: 177835) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965298
∗∗∗ IBM Watson CloudPak for Data Data Stores are vulnerable to web pages stored locally which can be read by another user on the system ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965446
∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to allowing a user with physical access and specific knowledge of the system to modify files or data on the system (CVE-2023-26282) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965452
∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to an attacker with specific knowledge about the system to manipulate data due to improper input validation (CVE-2023-28512) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965456
∗∗∗ Security Bulletin: Watson CP4D Data Stores for Cloud Pak for Data does not encrypt sensitive information before storage or transmission (CVE-2023-27291) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965458
∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965612
∗∗∗ Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965698
∗∗∗ WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965702
∗∗∗ A vulnerability has been identified in IBM Spectrum Scale Data Access Services (DAS) which can cause denial of service. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964532
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965732
∗∗∗ Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963786
∗∗∗ Stored cross-site scripting vulnerability when performing a document upload using Responsive Document Explorer affects IBM Business Automation Workflow - CVE-2023-24957 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6965776
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 21-03-2023 18:00 − Mittwoch 22-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ PoC exploits released for Netgear Orbi router vulnerabilities ∗∗∗
---------------------------------------------
Proof-of-concept exploits for vulnerabilities in Netgear's Orbi 750 series router and extender satellites have been released, one of them for a critical-severity remote command execution bug.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-ne…
∗∗∗ Windows Snipping Tool vulnerable to "Acropalypse" ∗∗∗
---------------------------------------------
Earlier this week a vulnerability dubbed "Acropalypse" in the screenshot tool of Google Pixel phones became known. The Windows 11 Snipping Tool behaves the same way.
---------------------------------------------
https://heise.de/-7619561
∗∗∗ Cyber security for management ∗∗∗
---------------------------------------------
The internationally published handbook "Management von Cyber-Risiken" (Managing Cyber Risks), developed by the BSI in cooperation with the Internet Security Alliance, receives an extensive update.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202…
∗∗∗ Blackmail Roulette: The Risks of Electronic Shelf Labels for Retail and Critical Infrastructure ∗∗∗
---------------------------------------------
During our research, we analyzed the unknown micro-controller (MCU) of the SUNY ESL tag, which is a common Chinese ESL tag vendor, gained debug access and reverse engineered the proprietary 433 MHz radio-frequency (RF) protocol. As no authentication is used, we were able to update any ESL tag within RF range with arbitrary content.
---------------------------------------------
https://sec-consult.com/blog/detail/blackmail-roulette-the-risks-of-electro…
∗∗∗ Extortion e-mail: "I know about your sexual interest in small children" ∗∗∗
---------------------------------------------
We are currently receiving an increasing number of reports of an extortion e-mail in which recipients are accused of having a sexual interest in children. Allegedly, a program was downloaded while watching pornography that activated the camera and filmed the person masturbating. The video will supposedly be distributed unless bitcoins are transferred within a week. All of this is made up! Delete this e-mail; it is a fake.
---------------------------------------------
https://www.watchlist-internet.at/news/erpressungsmail-ich-weiss-von-ihrem-…
=====================
= Vulnerabilities =
=====================
∗∗∗ TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components) ∗∗∗
---------------------------------------------
The extension is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation.
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2023-003
∗∗∗ Java platform: critical vulnerability closed in VMware Tanzu Spring Framework ∗∗∗
---------------------------------------------
Two vulnerabilities threaten the Spring Framework. One of them is rated critical. Updates that close the security holes are available.
---------------------------------------------
https://heise.de/-7614914
∗∗∗ Web browser: Chrome update seals eight security holes ∗∗∗
---------------------------------------------
Updates for the Chrome web browser close eight security vulnerabilities. Attackers could use them to smuggle in malicious code, for example via manipulated web pages.
---------------------------------------------
https://heise.de/-7611326
∗∗∗ OpenSSL Security Advisory: Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) ∗∗∗
---------------------------------------------
Severity: Low
A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. [..] Policy processing is disabled by default
---------------------------------------------
https://www.openssl.org/news/secadv/20230322.txt
∗∗∗ Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites).
---------------------------------------------
https://www.wordfence.com/blog/2023/03/multiple-reflected-cross-site-script…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (firefox), Oracle (kernel, kernel-container, and nss), and SUSE (curl, dpdk, drbd, go1.18, kernel, openstack-cinder, openstack-glance, openstack-neutron-gbp, openstack-nova, python-oslo.utils, oracleasm, python3, slirp4netns, and xen).
---------------------------------------------
https://lwn.net/Articles/926843/
∗∗∗ [R1] Tenable.sc Version 6.1.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
Tenable.sc 6.1.0 updates Apache to version 2.4.56 and PHP to 8.1.16 to address the identified vulnerabilities.
---------------------------------------------
https://www.tenable.com/security/tns-2023-16
∗∗∗ CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures ∗∗∗
---------------------------------------------
Rapid7 has discovered three security concerns in CloudPanel from MGT-COMMERCE, a self-hosted web administration solution.
---------------------------------------------
https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-clou…
∗∗∗ Cisco Access Point Software Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Web UI Path Traversal Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco SD-WAN vManage Software Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE SD-WAN Software Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco DNA Center Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Adaptive Security Appliance Software, Firepower Threat Defense Software, IOS Software, and IOS XE Software IPv6 DHCP (DHCPv6) Client Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Low-Entropy Keys Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Access Point Software Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Access Point Software Association Request Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964832
∗∗∗ Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964844
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964836
∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964854
∗∗∗ IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2022-43863) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964862
∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6612805
∗∗∗ IBM Workload Scheduler is vulnerable to XML External Entity Injection (XXE) attack ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6890697
=====================
= End-of-Day report =
=====================
Timeframe: Montag 20-03-2023 18:00 − Dienstag 21-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Windows 11 bug warns Local Security Authority protection is off ∗∗∗
---------------------------------------------
Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-…
∗∗∗ From Phishing Kit To Telegram... or Not!, (Mon, Mar 20th) ∗∗∗
---------------------------------------------
Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns!
---------------------------------------------
https://isc.sans.edu/diary/rss/29650
∗∗∗ Google Cloud Log Extraction ∗∗∗
---------------------------------------------
In this blog post, we review the methods through which we can extract logs from Google Cloud.
---------------------------------------------
https://www.sans.org/blog/google-cloud-log-extraction/
∗∗∗ Find Threats in Event Logs with Hayabusa ∗∗∗
---------------------------------------------
Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable.
---------------------------------------------
https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusa
∗∗∗ Black Angel Rootkit ∗∗∗
---------------------------------------------
Black Angel is a Windows 11/10 x64 kernel-mode rootkit. The rootkit can be loaded with DSE enabled while retaining its full functionality. Designed for red teams.
---------------------------------------------
https://github.com/XaFF-XaFF/Black-Angel-Rootkit
∗∗∗ Linux auditd for Threat Detection [Final] ∗∗∗
---------------------------------------------
The focus of this article will be to describe what behaviors allow for which events to be recorded by auditd. Additionally, you will see where auditd is not capable of recording certain events, despite verbose settings.
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d51737…
∗∗∗ Nexus: a new Android botnet? ∗∗∗
---------------------------------------------
In January 2023, a new Android banking trojan appeared on multiple hacking forums under the name of Nexus. However, Cleafy's Threat Intelligence & Response Team traced the first Nexus infections back to June 2022, well before the public announcement.
---------------------------------------------
https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet
∗∗∗ Mitigating SSRF in 2023 ∗∗∗
---------------------------------------------
Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick a server-side application to make a request to an unintended location. SSRF, unlike most other specific vulnerabilities, has gained its own spot on the OWASP Top 10 2021. This reflects both how common and how impactful this type of vulnerability has become.
---------------------------------------------
https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/
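An added example of the kind of mitigation the post discusses (not code from the Include Security post): a Python check that validates a user-supplied URL before a server-side fetch. It allowlists the scheme, rejects URLs carrying userinfo, resolves the hostname to every address and refuses loopback, private, link-local (which covers the 169.254.169.254 cloud metadata address), multicast, reserved and unspecified ranges, unwrapping IPv4-mapped IPv6 literals first. The `resolver` parameter, `stub_resolver` and the `STUB_DNS` table are assumptions so the example runs offline; production code passes the real `resolve_all`.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table so the example runs offline; the addresses are
# arbitrary and are not real records for these names.
STUB_DNS = {
    "example.com": ["93.184.216.34"],
    "evil.internal": ["10.0.0.5"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback
}


def stub_resolver(host):
    """Offline stand-in for resolve_all(); fails like an NXDOMAIN lookup."""
    try:
        return STUB_DNS[host.lower().rstrip(".")]
    except KeyError:
        raise OSError(f"NXDOMAIN {host}")


def resolve_all(host):
    """Every A/AAAA address the host resolves to, as strings (scope id stripped)."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def is_blocked_address(ip):
    """True for addresses a server-side fetch must never reach."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is really 10.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_ssrf_target(url, resolver=resolve_all):
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"
    try:
        ipaddress.ip_address(host)
        candidates = [host]  # literal address: classify it directly
    except ValueError:
        try:
            candidates = resolver(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not candidates:
        return False, "host resolved to no addresses"
    # every record must be acceptable, otherwise a name with one public
    # and one internal record gets through on the "good" answer
    for addr in candidates:
        ip = ipaddress.ip_address(addr)
        if is_blocked_address(ip):
            return False, f"{host} -> {ip} is in a blocked range"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("http://example.com/api",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]:8080/",
                      "http://u:p@example.com/"):
        print(candidate, check_ssrf_target(candidate, stub_resolver))
```

Two caveats a practitioner would add: the check is only meaningful if the HTTP client then connects to the address that was checked rather than resolving the name a second time (DNS rebinding exploits that gap), and it must be re-run on every redirect hop, since an open redirect on an allowed host otherwise forwards the request to an internal address.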
∗∗∗ Malicious NuGet Packages Used to Target .NET Developers ∗∗∗
---------------------------------------------
Software developers have been targeted in a new attack via malicious packages in the NuGet repository.
---------------------------------------------
https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-de…
∗∗∗ Warning: fraudulent calls about a Eurojackpot win! ∗∗∗
---------------------------------------------
Beware of supposed prize notifications by phone, e-mail, post and social media in the name of Eurojackpot. Criminals pose as the lottery and claim that you have won money. Later on, you are asked to pay money up front in order to receive the payout.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-betruegerische-anrufe-zu-eur…
∗∗∗ Patch CVE-2023-23397 Immediately: What You Need To Know and Do ∗∗∗
---------------------------------------------
We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immedia…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc).
---------------------------------------------
https://lwn.net/Articles/926759/
∗∗∗ XSA-429 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-429.html
∗∗∗ XSA-428 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-428.html
∗∗∗ XSA-427 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-427.html
∗∗∗ Keysight N6845A Geolocation Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-01
∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02
∗∗∗ VISAM VBASE Automation Base ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05
∗∗∗ Siemens RUGGEDCOM APE1808 Product Family ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-03
∗∗∗ Rockwell Automation ThinManager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-22-080-06
∗∗∗ Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities ∗∗∗
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-wellintech-ics-p…
∗∗∗ Spring Vault 3.0.2 and 2.3.3 fix CVE-2023-20859 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-vault-3-0-2-and-2-3-3-fix-cve-2023…
∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Moment CVE-2023-22467 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964588
∗∗∗ A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852651
∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964694
∗∗∗ IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963662
∗∗∗ Vulnerability in Apache Commons FileUpload library affects Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964742
∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964752
∗∗∗ Multiple vulnerabilities of Mozilla Firefox ESR have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964754
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 17-03-2023 18:00 − Montag 20-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks ∗∗∗
---------------------------------------------
A new malware botnet was discovered targeting Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into a DDoS (distributed denial of service) swarm with the potential for massive attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-l…
∗∗∗ Google: edited Pixel screenshots can be restored ∗∗∗
---------------------------------------------
Anyone who redacts parts of a screenshot relies on that redaction staying in place. On Pixel smartphones that was not the case until now.
---------------------------------------------
https://www.golem.de/news/google-bearbeitete-pixel-screenshots-lassen-sich-…
∗∗∗ Ransomware: Emotet returns, as a OneNote e-mail attachment ∗∗∗
---------------------------------------------
The sophisticated Emotet malware is active again. It finds its way into potential victims' inboxes in the form of malicious OneNote files.
---------------------------------------------
https://heise.de/-7551285
∗∗∗ Malware scheme: Acrobat Sign service abused to push malware ∗∗∗
---------------------------------------------
Avast has observed a new scheme with which cybercriminals try to foist malware on victims. They abuse the Adobe Acrobat Sign service to do so.
---------------------------------------------
https://heise.de/-7557288
∗∗∗ Researchers Shed Light on CatB Ransomwares Evasion Techniques ∗∗∗
---------------------------------------------
The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities.
---------------------------------------------
https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html
∗∗∗ Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research ∗∗∗
---------------------------------------------
In this blog post, we’ll share some of our latest research into bypassing CloudTrail. We’ll cover a method that allowed CloudTrail bypass with both read and write API actions for the Service Catalog service. This now-fixed vulnerability is noteworthy, because it was the first publicly known CloudTrail bypass that could permit an attacker to alter an AWS environment.
---------------------------------------------
https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-c…
∗∗∗ IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole ∗∗∗
---------------------------------------------
In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. We'll follow by exposing common TTPs before revealing information leaked through the attackers' clipboard data.
---------------------------------------------
https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyh…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal vulnerability could allow attackers to take over systems ∗∗∗
---------------------------------------------
The US cyber security agency CISA warns of a vulnerability in the Drupal content management system. Attackers could hijack vulnerable systems.
---------------------------------------------
https://heise.de/-7550599
∗∗∗ OpenSSH 9.3 seals security holes ∗∗∗
---------------------------------------------
The OpenSSH developers have released version 9.3 of the encryption suite. It closes security vulnerabilities and fixes minor bugs.
---------------------------------------------
https://heise.de/-7550738
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim).
---------------------------------------------
https://lwn.net/Articles/926636/
∗∗∗ IBM Security Bulletins 2023-03-20 ∗∗∗
---------------------------------------------
* Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930)
* Watson AI Gateway for Cloud Pak for Data is vulnerable to an OpenSSL denial of service caused by a type confusion error (CVE-2023-0286)
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly authorized password changes
* Watson AI Gateway for Cloud Pak for Data is vulnerable to Ansible Runner code execution and could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper shell escaping of the shell command.
* IBM Aspera Faspex can be vulnerable to improperly authorized password changes
* Vulnerability in EFS affects AIX (CVE-2021-29861)
* Vulnerability in libc affects AIX (CVE-2021-29860)
* Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286)
* Vulnerabilities in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)
* A denial of service vulnerability in JDOM affects IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2021-33813)
* Vulnerabilities in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619)
* Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4
* Vulnerability in Node.js affects IBM Voice Gateway
* IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes
* Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925)
* Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Workload Scheduler.
* IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Spring Framework 5.2.23 fixes cve-2023-20861 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-framework-5-2-23-fixes-cve-2023-20…
∗∗∗ Spring Framework 6.0.7 and 5.3.26 fix cve-2023-20860 and cve-2023-20861 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 16-03-2023 18:00 − Friday 17-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Adobe Acrobat Sign abused to push Redline info-stealing malware ∗∗∗
---------------------------------------------
Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to…
∗∗∗ Hitachi Energy confirms data breach after Clop GoAnywhere attacks ∗∗∗
---------------------------------------------
Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a zero-day GoAnywhere vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data…
∗∗∗ How to Google Dork a Specific Website for Hacking ∗∗∗
---------------------------------------------
You might pride yourself on being savvy in cyber security but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools.
---------------------------------------------
https://www.stationx.net/how-to-google-dork-a-specific-website/
∗∗∗ Chaos Malware Quietly Evolves Persistence and Evasion Techniques ∗∗∗
---------------------------------------------
The name Chaos is being used for a ransomware strain, a remote access trojan (RAT), and now a DDoS malware variant too. Talk about chaos! In this case, Sysdig’s Threat Research Team captured attacks using the Chaos variant of the Kaiji botnet malware. There is very little reported information on this malware since September 2022, perhaps because of the unfortunately chaotic naming, or simply because it is relatively new.
---------------------------------------------
https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/
∗∗∗ Free decryptor released for Conti-based ransomware following data leak ∗∗∗
---------------------------------------------
Security researchers have released a new decryption tool that should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free.
---------------------------------------------
https://www.tripwire.com/state-of-security/free-decryptor-released-conti-ba…
∗∗∗ Phishing wave: beware of fake Disney+ emails ∗∗∗
---------------------------------------------
Have you received an email in which Disney+ informs you that a payment has failed? Delete the message or move it to your spam folder: it is a phishing attempt! The emails are being sent out en masse with the subject lines „Aussetzung Ihres Disney+ Kontos“ (suspension of your Disney+ account) or „Sperrung Ihres Disney+ Kontos“ (blocking of your Disney+ account)!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-welle-vorsicht-vor-fake-dis…
∗∗∗ #StopRansomware: LockBit 3.0 ∗∗∗
---------------------------------------------
This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a
∗∗∗ Windows 10/11: Microsoft publishes script for the WinRE BitLocker bypass fix ∗∗∗
---------------------------------------------
It has been known since November 2022 that there is a BitLocker bypass vulnerability, CVE-2022-41099, in the Windows Recovery Environment (WinRE). Patching it, however, is anything but simple.
---------------------------------------------
https://www.borncity.com/blog/2023/03/17/windows-10-11-microsoft-verffentli…
∗∗∗ ShellBot Malware Being Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server.
---------------------------------------------
https://asec.ahnlab.com/en/49769/
∗∗∗ Debugging D-Link: Emulating firmware and hacking hardware ∗∗∗
---------------------------------------------
GreyNoise researchers explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface.
---------------------------------------------
https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacki…
=====================
= Vulnerabilities =
=====================
∗∗∗ Exynos: Google finds severe zero-days in Samsung chips ∗∗∗
---------------------------------------------
The affected devices can be hacked over the internet, including smartphones from Samsung, Google and Vivo as well as wearables and cars.
---------------------------------------------
https://www.golem.de/news/exynos-google-findet-schwerwiegende-zero-days-in-…
∗∗∗ Honeywell OneWireless Wireless Device Manager ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06
∗∗∗ Rockwell Automation Modbus TCP AOI Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-07
∗∗∗ Omron CJ1M PLC ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-01
∗∗∗ AVEVA Plant SCADA and AVEVA Telemetry Server ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-04
∗∗∗ Autodesk FBX SDK ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-02
∗∗∗ [R1] Sensor Proxy Version 1.0.7 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-15
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957836
∗∗∗ IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6555376
∗∗∗ InfoSphere Identity Insight vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963974
∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956237
∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964166
∗∗∗ Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963640
∗∗∗ Vulnerability in Java SE may affect IBM Spectrum Protect Operations Center (CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963642
∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Node.js Angular (CVE-2022-25844) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964174
∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Apache commons-fileupload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6964176
∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847947
∗∗∗ AIX is vulnerable to a denial of service due to lpd (CVE-2022-43382) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848309
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 15-03-2023 18:00 − Thursday 16-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ CVE-2023-23397 - the (interesting) devil is in the details ∗∗∗
---------------------------------------------
As a rule, we do not publish a warning for security vulnerabilities that the vendor fixes as part of a regular patch cycle. The motivation behind this is that we regard our warnings as a tool for getting information about critical vulnerabilities to the respective recipients with the appropriate urgency. Accordingly, we are relatively conservative in deciding what we warn about, so as not to dilute the effect of those warnings. But, as so often, exceptions confirm the rule [...]
---------------------------------------------
https://cert.at/de/blog/2023/3/cve-2023-23397-der-teufel-steckt-im-detail
∗∗∗ CISA warns of Adobe ColdFusion bug exploited as a zero-day ∗∗∗
---------------------------------------------
CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusi…
∗∗∗ Winter Vivern APT hackers use fake antivirus scans to install malware ∗∗∗
---------------------------------------------
An advanced hacking group named Winter Vivern targets European government organizations and telecommunication service providers to conduct espionage.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/winter-vivern-apt-hackers-us…
∗∗∗ BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion ∗∗∗
---------------------------------------------
The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said.
---------------------------------------------
https://www.darkreading.com/risk/bianlian-ransomware-pivots-encryption-pure…
∗∗∗ Simple Shellcode Dissection, (Thu, Mar 16th) ∗∗∗
---------------------------------------------
Most people will never execute a suspicious program or “executable”. Also, most of them cannot be delivered directly via email. Most antispam and antivirus solutions block them. But, then, how could people be so easily infected? I’ll explain with the help of a file I found in a phishing campaign.
---------------------------------------------
https://isc.sans.edu/diary/rss/29642
∗∗∗ Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency ∗∗∗
---------------------------------------------
Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).
---------------------------------------------
https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html
∗∗∗ SSRF Cross Protocol Redirect Bypass ∗∗∗
---------------------------------------------
Server Side Request Forgery (SSRF) is a fairly known vulnerability with established prevention methods. So imagine my surprise when I bypassed an SSRF mitigation during a routine retest. Even worse, I have bypassed a filter that we have recommended ourselves!
---------------------------------------------
https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html
∗∗∗ Fake WhatsApp and Telegram apps hunting for crypto wallets ∗∗∗
---------------------------------------------
ESET researchers analysed Android and Windows clippers that can manipulate instant messages and use OCR to steal cryptocurrency.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/03/16/falsche-whatsapp-und-tele…
∗∗∗ Bee-Ware of Trigona, An Emerging Ransomware Strain ∗∗∗
---------------------------------------------
Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries.
---------------------------------------------
https://unit42.paloaltonetworks.com/trigona-ransomware-update/
∗∗∗ DotRunpeX – demystifying new virtualized .NET injector used in the wild ∗∗∗
---------------------------------------------
https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized…
=====================
= Vulnerabilities =
=====================
∗∗∗ Web conferencing: high-risk vulnerabilities in Zoom ∗∗∗
---------------------------------------------
The developers have closed several vulnerabilities in the Zoom online conferencing software. Some are rated high-risk and could allow code injection.
---------------------------------------------
https://heise.de/-7547291
∗∗∗ Critical hole in Array Networks SSL VPN gateway ∗∗∗
---------------------------------------------
Array Networks' SSL VPN gateways have a critical security vulnerability. Attackers could inject code from the network without authentication.
---------------------------------------------
https://heise.de/-7548009
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and pcre2), Oracle (nss), Red Hat (kpatch-patch and nss), SUSE (java-11-openjdk, kernel, and python310), and Ubuntu (emacs24, ffmpeg, firefox, imagemagick, libphp-phpmailer, librecad, and openjpeg2).
---------------------------------------------
https://lwn.net/Articles/926289/
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-004
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-003
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2023-002
∗∗∗ Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-011
∗∗∗ Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-010
∗∗∗ Multiple vulnerabilities within OpenSSL and Node.js affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963634
∗∗∗ EBICs client of IBM Sterling B2B Integrator vulnerable to multiple issues due to Dojo Toolkit ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963652
∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963650
∗∗∗ IBM Watson Assistant for Cloud Pak for Data is affected by vulnerabilities in Pallets Werkzeug ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963668
∗∗∗ IBM Aspera Faspex can be vulnerable to improperly authorized password changes ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963662
∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955067
∗∗∗ Vulnerability in PyPI cryptography and Python may affect IBM Spectrum Protect Plus File Systems Agent (CVE-2023-23931, CVE-2023-0286, CVE-2023-24329) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957718
∗∗∗ Vulnerabilities in Linux Kernel may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963936
∗∗∗ Multiple Vulnerabilities in Intel Firmware affect Cloud Pak System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6611963
∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963940
∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963942
∗∗∗ Vulnerabilities in Golang Go and Java SE might affect IBM Spectrum Copy Data Management (CVE-2022-41717, CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960739
∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-2964, CVE-2022-2601, CVE-2020-36557) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960747
∗∗∗ IBM Sterling B2B Integrator vulnerable to sensitive information exposure due to IBM MQ (CVE-2022-42436) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963954
∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server (CVE-2022-3509, CVE-2022-3171) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963956
∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963962
∗∗∗ IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963958
∗∗∗ IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963960
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 14-03-2023 18:00 − Wednesday 15-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th) ∗∗∗
---------------------------------------------
In the last couple of weeks, I've noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS), an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception.
---------------------------------------------
https://isc.sans.edu/diary/rss/29638
∗∗∗ How to Find & Fix: WordPress Pharma Hack ∗∗∗
---------------------------------------------
Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don’t blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site’s good reputation to lure traffic to a scam.
---------------------------------------------
https://blog.sucuri.net/2023/03/find-fix-wordpress-pharma-hack.html
∗∗∗ New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...]
---------------------------------------------
https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html
∗∗∗ Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis.
---------------------------------------------
https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook…
∗∗∗ Apple admits: iOS services can bypass VPN tunnels ∗∗∗
---------------------------------------------
iOS routes certain traffic around an active VPN connection, security researchers have been warning for some time. According to Apple, this is intended behaviour.
---------------------------------------------
https://heise.de/-7545702
∗∗∗ Patch day: Microsoft closes actively exploited security vulnerabilities ∗∗∗
---------------------------------------------
In addition to two actively exploited security vulnerabilities, Microsoft is delivering updates for numerous products on the March patch day. They close dozens of vulnerabilities.
---------------------------------------------
https://heise.de/-7545903
∗∗∗ Fake SMS from DHL steals your credit card data ∗∗∗
---------------------------------------------
The fraudulent DHL message says that there are delivery problems with your parcel. The problem can supposedly be solved by clicking on the link. Do not click on the link. You will be lured to a replica DHL website where personal information and credit card details are requested. Subsequently, your credit card is activated for Apple Pay on a third-party device.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-sms-von-dhl-stiehlt-ihr…
∗∗∗ Uncovering Windows Events ∗∗∗
---------------------------------------------
Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDRs. One provider that is commonly leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn’t a deep dive into how ETW works, [...]
---------------------------------------------
https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54?source=r…
∗∗∗ Released: March 2023 Exchange Server Security Updates ∗∗∗
---------------------------------------------
Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2013, Exchange Server 2016, Exchange Server 2019
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-20…
∗∗∗ How does malware spread? Top 5 ways malware gets into your network ∗∗∗
---------------------------------------------
Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware.
---------------------------------------------
https://www.emsisoft.com/en/blog/43733/how-does-malware-spread-top-5-ways-m…
∗∗∗ A look at CVE-2023-23415 - a Windows ICMP vulnerability + mitigations which is not a cyber meltdown ∗∗∗
---------------------------------------------
Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It’s a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it’s a high CVSS score in Windows OS on a commonly used protocol.
---------------------------------------------
https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerabil…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch day: Adobe closes zero-day vulnerability and more than 100 flaws ∗∗∗
---------------------------------------------
Adobe is closing 106 security holes on its March patch day. One of them, in Adobe ColdFusion, is already being abused by cybercriminals in attacks.
---------------------------------------------
https://heise.de/-7546150
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm).
---------------------------------------------
https://lwn.net/Articles/926205/
∗∗∗ SAP patch day includes updates for critical security vulnerabilities ∗∗∗
---------------------------------------------
SAP's current patch day includes several vulnerabilities with a CVSS score >9.0. In particular, a critical security vulnerability in SAP NetWeaver AS for Java (CVE-2023-23857) is trivially exploitable; due to insufficient authentication checks, it grants attackers extensive system access without any form of authentication. Further vulnerabilities (among others CVE-2023-25616, CVE-2023-25617) allow remote code execution.
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/sap-patchday-enthalt-updates-fur-kritis…
∗∗∗ ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-245/
∗∗∗ ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-244/
∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500554-THINKPAD-BIOS-VULNERABI…
∗∗∗ AIX is affected by a denial of service (CVE-2022-45061) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963342
∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963372
∗∗∗ Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-4568) affect CICS Transaction Gateway for Multiplatforms. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963612
∗∗∗ Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6963632
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 10-03-2023 18:00 − Monday 13-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Clop ransomware: victims of the GoAnywhere attacks must pay now ∗∗∗
---------------------------------------------
Because of a security vulnerability in the file transfer solution GoAnywhere MFT, attackers were able to strike and are now extorting companies.
---------------------------------------------
https://heise.de/-7543629
∗∗∗ Banking trojan: 400 institutions targeted by Android malware ∗∗∗
---------------------------------------------
IT researchers are observing the continued development of the Xenomorph banking trojan for Android. It now targets 400 financial institutions.
---------------------------------------------
https://heise.de/-7543682
∗∗∗ The tax office does not send seizure threats by SMS! ∗∗∗
---------------------------------------------
Fraudulent SMS messages in the name of the tax office are currently being sent out en masse again. Supposedly, despite several reminders, you have not paid an outstanding claim against you, so a bailiff would now seize your household goods. Attention: do not pay the claim! The message does not come from the tax office, and your money would end up with criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/das-finanzamt-versendet-keine-pfaend…
∗∗∗ Security researchers targeted with new malware via job offers on LinkedIn ∗∗∗
---------------------------------------------
A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/security-researchers-targete…
∗∗∗ Medusa ransomware gang picks up steam as it targets companies worldwide ∗∗∗
---------------------------------------------
A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks…
∗∗∗ DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit ∗∗∗
---------------------------------------------
DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, including an open-source kit capable of circumventing MFA through reverse-proxy functionality.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-h…
∗∗∗ Overview of a Mirai Payload Generator, (Sat, Mar 11th) ∗∗∗
---------------------------------------------
The Mirai[1] botnet is active for years. It was the first botnet targeting devices running Linux like camera recorders. Our first diary about it was in 2016![2]. Still today, my honeypot is hit by hundreds of Mirai requests every day! I found a Python script that generates a Mirai payload (SHA256:f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e[3]) and deploys networking services to serve it via FTP, HTTP, and TFTP. Nothing very fancy but it will give you a good idea about how Linux hosts are abused to deliver malicious payloads.
---------------------------------------------
https://isc.sans.edu/diary/rss/29624
∗∗∗ BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads ∗∗∗
---------------------------------------------
The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPIs ChatGPT, Spotify, Tableau, and Zoom.
---------------------------------------------
https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html
∗∗∗ "FakeGPT": New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs ∗∗∗
---------------------------------------------
A Chrome Extension propelling quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Particularly noticeable is the use of a malevolent silently forced Facebook app “backdoor” giving the threat actors super-admin permissions.
---------------------------------------------
https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-…
∗∗∗ Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware ∗∗∗
---------------------------------------------
Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users.
---------------------------------------------
https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-t…
∗∗∗ Persistence - Context Menu ∗∗∗
---------------------------------------------
Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click and it is a very common action for every Windows user. In offensive operations this action could be weaponized for persistence by executing shellcode every time the user attempts to use the context menu.
---------------------------------------------
https://pentestlab.blog/2023/03/13/persistence-context-menu/
∗∗∗ CISA Warns of Plex Vulnerability Linked to LastPass Hack ∗∗∗
---------------------------------------------
CISA has added vulnerabilities in Plex Media Server and VMware NSX-V to its Known Exploited Vulnerabilities catalog.
---------------------------------------------
https://www.securityweek.com/cisa-warns-of-plex-vulnerability-linked-to-las…
=====================
= Vulnerabilities =
=====================
∗∗∗ Clipchamp ( Microsoft Office Product) - Google IAP Authorization bypass allowed access to Internal Environment Leading to Zero Interaction Account takeover ∗∗∗
---------------------------------------------
[...] After further research it was discovered that the authorization checks are only at the front end https://app.*.clipchamp.com/ and not while invoking the /v2/ API endpoints with the expected parameters. Enumerating all the internal endpoints it was found that the https://app.smoke.clipchamp.com/v2 was leaking the JWT Authentication Bearer Token for any attacker-provided user on the platform leading to Zero Interaction Account takeover for any ClipChamp user on the Smoke Env.
---------------------------------------------
https://blog.agilehunt.com/blogs/security/msrc-critical-google-iap-authoriz…
∗∗∗ Critical security vulnerabilities: Lexmark updates firmware for many printers ∗∗∗
---------------------------------------------
Various Lexmark printers have critical security vulnerabilities that allow attackers to execute malicious code. Updates are already available.
---------------------------------------------
https://heise.de/-7543959
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (imagemagick, libapache2-mod-auth-mellon, mpv, rails, and ruby-sidekiq), Fedora (chromium, dcmtk, and strongswan), Mageia (chromium-browser-stable, dcmtk, kernel, kernel-linus, libreswan, microcode, redis, and tmux), SUSE (postgresql14 and python39), and Ubuntu (linux-kvm, linux-raspi-5.4, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/925987/
∗∗∗ Shodan Verified Vulns 2023-03-01 ∗∗∗
---------------------------------------------
As of 2023-03-01, Shodan sees the following vulnerabilities in Austria: [...] The vulnerabilities CVE-2021-43798 (Grafana Path Traversal Vulnerability) and CVE-2022-32548 (DrayTek Authentication Bypass Vulnerability) are now included in Shodan's data again. In the previous month this data was missing. Compared with the data from January 2023, no notable changes are apparent. The vulnerability CVE-2022-36804 behaves similarly [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/shodan-verified-vulns-2023-03-01
∗∗∗ IBM Security Bulletins 2023-03-13 ∗∗∗
---------------------------------------------
* A vulnerability (CVE-2022-21299) in IBM Java Runtime affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* A vulnerability has been identified in IBM Spectrum Scale which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927)
* EBICS Client of IBM Sterling B2B Integrator vulnerable to multiple issues due to jQuery
* IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364)
* IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758)
* IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509)
* IBM Security Guardium is affected by multiple vulnerabilities
* IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690, CVE-2014-8152)
* IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Security (CVE-2022-31692, CVE-2022-22978)
* June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition.
* Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition
* Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-21628, CVE-2022-21626)
* Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2023
* SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* The dashboard UI of IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-22876)
* There is a vulnerability in Apache Commons BCEL used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-42920)
* Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1)
* Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1)
* Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-3509, CVE-2022-3171)
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ [R1] Tenable Plugin Feed ID #202212081952 Fixes Arbitrary Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-14
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 09-03-2023 18:00 − Friday 10-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security: GitHub introduces mandatory 2FA ∗∗∗
---------------------------------------------
Anyone selected by GitHub must set up two-factor authentication (2FA) within 45 days.
---------------------------------------------
https://www.golem.de/news/security-github-fuehrt-verpflichtende-2fa-ein-230…
∗∗∗ Vulnerabilities in the Bitwarden password manager browser extension can reveal passwords ∗∗∗
---------------------------------------------
Users of the Bitwarden password manager run the risk that the auto-fill function leaks credentials when visiting websites. Malicious websites could steal credentials via an IFRAME embedded in trusted pages and send them to an attacker.
---------------------------------------------
https://www.borncity.com/blog/2023/03/10/schwachstellen-in-bitwarden-passwo…
∗∗∗ New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic ∗∗∗
---------------------------------------------
The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt.
---------------------------------------------
https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html
∗∗∗ EJS - Server Side Prototype Pollution gadgets to RCE ∗∗∗
---------------------------------------------
Last month (February 2023), I took a look into NodeJS HTML templating libraries. During my research, I found an interesting Server Side Prototype Pollution (SSPP) gadget in the EJS library which can be leveraged to RCE. After finding this issue, I spent a week searching for an SSPP in express core or dependencies, but I didn't find any issue. That's why, after reporting this issue to the repository maintainer, I'm making an article to explain technical details.
---------------------------------------------
https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce
∗∗∗ How to Avoid LDAP Injection Attacks ∗∗∗
---------------------------------------------
The key vulnerability that puts an application at risk of LDAP injection is improperly processed user input. Applications that don’t sanitize or validate user input are open to LDAP injection attacks because of the structure of LDAP statements and queries.
---------------------------------------------
https://www.trendmicro.com/en_us/devops/23/c/avoid-ldap-injection-attacks.h…
∗∗∗ The Silent Spy Among Us: Modern Attacks Against Smart Intercoms ∗∗∗
---------------------------------------------
What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project that uncovered 13 vulnerabilities in the popular Akuvox E11. The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold.
---------------------------------------------
https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-…
∗∗∗ Multi-Technology Script Leading to Browser Hijacking ∗∗∗
---------------------------------------------
[..] in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don’t know where it’s coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT.
---------------------------------------------
https://isc.sans.edu/diary/rss/29620
∗∗∗ The oldest privesc: injecting careless administrators terminals using TTY pushback ∗∗∗
---------------------------------------------
This trick is possibly the oldest security bug that still exists today; it’s been traced as far back as 1985. It’s been discovered, rediscovered and re-rediscovered by sysadmins, developers and pentesters every few years for close to 4 decades now. It’s been the subject of multiple developer battles and countless posts, but still remains largely forgotten. This is just another attempt at shedding light on it, for both attackers and defenders.
---------------------------------------------
https://www.errno.fr/TTYPushback.html
∗∗∗ When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About ∗∗∗
---------------------------------------------
Multi-factor Authentication (MFA) has long ago become a standard security practice. [..] While compatible with RDP connection and local desktop logins, they offer no protection to remote command line access tools like PsExec, Remote PowerShell and their likes. [..] In this article we'll explore this blind spot, understand its root cause and implications, and view the different options security teams have to overcome it and keep their environments protected.
---------------------------------------------
https://thehackernews.com/2023/03/when-partial-protection-is-zero.html
∗∗∗ Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation) ∗∗∗
---------------------------------------------
The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation (described in this blog post), or to translate to arbitrary code execution from argument injection, file overwrites, etc.
---------------------------------------------
https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.…
∗∗∗ Unauthorized access to Codespace secrets in GitHub ∗∗∗
---------------------------------------------
We identified a security issue in GitHub’s Repository Security Advisory feature (https://docs.github.com/en/code-security/security-advisories/repository-sec…) that allowed us to retrieve plaintext Codespace secrets of any organization including GitHub.
---------------------------------------------
https://ophionsecurity.com/blog/access-organization-secrets-in-github
∗∗∗ Pirated copies of Final Cut Pro infect Macs with cryptojacking malware ∗∗∗
---------------------------------------------
Torrents on The Pirate Bay which claim to contain Final Cut Pro are instead being used to distribute malware, designed to infect your Mac with cryptojacking malware.
---------------------------------------------
https://grahamcluley.com/pirated-copies-of-final-cut-pro-infect-macs-with-c…
∗∗∗ GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers ∗∗∗
---------------------------------------------
New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility.
---------------------------------------------
https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/
∗∗∗ Netcat Attack Cases Targeting MS-SQL Servers (LOLBins) ∗∗∗
---------------------------------------------
ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike.
---------------------------------------------
https://asec.ahnlab.com/en/49249/
∗∗∗ Everything You Didn’t Know About Cross-Account and Cross-Cloud Provider Attacks ∗∗∗
---------------------------------------------
Wait, did you say ‘Cross-Cloud Provider Attacks’? Yes, this is actually a growing type of attack path: As organizations increasingly adopt multiple cloud platforms, their lack of security visibility across the clouds makes them a sitting target for these types of attacks.
---------------------------------------------
https://orca.security/resources/blog/cross-account-cross-provider-attack-pa…
∗∗∗ Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices ∗∗∗
---------------------------------------------
Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.
---------------------------------------------
https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and wireless-regdb), Fedora (caddy, python-cryptography, and redis), Oracle (gnutls), SUSE (hdf5, opera, python-Django, redis, tomcat, and xen), and Ubuntu (apache2 and snakeyaml).
---------------------------------------------
https://lwn.net/Articles/925840/
∗∗∗ IBM Security Bulletins 2023-03-10 ∗∗∗
---------------------------------------------
* Apache Commons Beanutils (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2019-10086, CVE-2014-0114)
* Apache Commons FileUpload (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2023-24998)
* Apache Commons IO (Publicly disclosed vulnerability) Affects IBM eDiscovery Manager (CVE-2021-29425)
* IBM MQ is affected by a vulnerability in Apache Commons Net (CVE-2021-37533)
* IBM QRadar WinCollect agent has multiple vulnerabilities
* IBM QRadar Wincollect agent is vulnerable to server side request forgery (SSRF) (CVE-2022-43879)
* IBM SDK, Java Technology Edition, Security Update February 2023
* multiple vulnerabilities in Java SE may affect CICS TX Advanced
* multiple vulnerabilities in Java SE may affect CICS TX Standard
* multiple vulnerabilities in Java SE may affect TXSeries for Multiplatforms
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Advanced
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Standard
* server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect TXSeries for Multiplatforms
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Advanced
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Standard
* vulnerability in Apache James MIME4J (CVE-2022-45787) may affect TXSeries for Multiplatforms
* Watson CP4D Data Stores is vulnerable to jackson-databind due to FasterXML jackson-databind before 2.14.0-rc1 ( CVE-2022-42003 )
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ [R1] Nessus Agent Version 10.3.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-12
∗∗∗ [R1] Nessus Agent Version 8.3.5 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-13
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 08-03-2023 18:00 − Thursday 09-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft Word RCE vulnerability could also affect Microsoft Outlook ∗∗∗
---------------------------------------------
According to a report at borncity, the remote code execution vulnerability in Microsoft Word fixed with the February patch day could also affect Microsoft Outlook (at least 2013), even if the February patches have been installed. Not all details are clear yet, but for now we nevertheless urgently advise Outlook users to implement Microsoft's recommendations and configure Outlook so that mails are displayed as plain text.
---------------------------------------------
https://cert.at/de/aktuelles/2023/3/microsoft-word-rce-lucke-konnte-auch-mi…
∗∗∗ IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks ∗∗∗
---------------------------------------------
A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world.
---------------------------------------------
https://thehackernews.com/2023/03/icefire-linux-ransomware.html
∗∗∗ Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware ∗∗∗
---------------------------------------------
Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems.
---------------------------------------------
https://thehackernews.com/2023/03/hackers-exploiting-remote-desktop.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal: Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009 ∗∗∗
---------------------------------------------
This vulnerability is mitigated by the fact that an attacker must have the "use gutenberg" permission to exploit it. If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-009
∗∗∗ Oracle Database Vault Protected Table With Realm Data Extraction Vulnerability ∗∗∗
---------------------------------------------
This security issue is fixed from 21c onwards [I think a back-port patch was released in the October 2022 CPU cycle]. It still exists in 19c (so far in version 19.18 and below). DB Vault is a security feature in Oracle that attempts to restrict “SYS” account power; in addition, DB Vault ensures separation of duties is in place, so that account management and authorization can’t be performed by the DBA through the SYS account anymore.
---------------------------------------------
https://databasesecurityninja.wordpress.com/2023/03/07/oracle-database-vaul…
∗∗∗ Ivanti Avalanche: Security Alert - CVE-2022-44574 – Authentication Bypass for Remote Control RCServlet ∗∗∗
---------------------------------------------
This vulnerability enables an attacker to overwrite credentials which gives access to a Web Panel. This vulnerability affects all Avalanche Premise versions 6.3.x and below. This vulnerability has a CVE score of 6.5.
---------------------------------------------
https://forums.ivanti.com/s/article/Avalanche-ZDI-CAN-19513-Security-Adviso…
∗∗∗ Foxit PDF Editor: vulnerabilities allow injection of malicious code ∗∗∗
---------------------------------------------
Security vulnerabilities in Foxit PDF Editor allow attackers to smuggle in and execute malicious code using manipulated PDF files. An update is available.
---------------------------------------------
https://heise.de/-7540068
∗∗∗ Home Assistant: security vulnerability discovered and closed ∗∗∗
---------------------------------------------
Anyone using Home Assistant with Supervisor should update their system now. Otherwise, intruders could tamper with it.
---------------------------------------------
https://heise.de/-7540500
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (kernel, pesign, samba, and zlib), Oracle (kernel), Slackware (httpd), SUSE (emacs, libxslt, nodejs12, nodejs14, nodejs16, openssl, poppler, python-py, python-wheel, xen, and xorg-x11-server), and Ubuntu (linux-gcp-5.4, linux-gkeop, opusfile, and samba).
---------------------------------------------
https://lwn.net/Articles/925723/
∗∗∗ Cloud Pak for Security uses packages that are vulnerable to multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6551876
∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962195
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962201
∗∗∗ A vulnerability exists in IBM Robotic Process Automation where Queue Provider credentials are not obfuscated during editing (CVE-2023-25680) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962207
∗∗∗ IBM Robotic Process Automation for Cloud Pak may be vulnerable to a denial of service due to ISC BIND (CVE-2022-38177, CVE-2022-38178). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962223
∗∗∗ Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6536732
∗∗∗ Multiple Vulnerabilities in IBM HTTP Server affect WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962383
∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962407
∗∗∗ June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962411
∗∗∗ z/Transaction Processing Facility is affected by vulnerabilities in the Apache Kafka (kafka-clients) and cryptography packages ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962437
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to incorrect default permissions (CVE-2022-46774) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6962455
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 07-03-2023 18:00 − Wednesday 08-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ What is a Website Defacement? ∗∗∗
---------------------------------------------
Defacement is easily one of the most obvious signs of a hacked website. In these attacks, bad actors gain unauthorized access to an environment and leave their mark through digital vandalism, altering its visual appearance or content in the process.
---------------------------------------------
https://blog.sucuri.net/2023/03/what-is-website-defacement.html
∗∗∗ Persistence – Event Log Online Help ∗∗∗
---------------------------------------------
Event Viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though Event Viewer is used mainly by administrators for troubleshooting Windows errors, it can also be used as a form of persistence during red team operations.
---------------------------------------------
https://pentestlab.blog/2023/03/07/persistence-event-log-online-help/
∗∗∗ „Lidl Frauentagsgeschenk“: Fake prize draw for Women's Day ∗∗∗
---------------------------------------------
Currently, WhatsApp, Messenger and Viber users are unknowingly spreading a link to a fraudulent prize draw among their contacts. The supermarket chain „Lidl“ is allegedly giving away „lots of cash gifts“ on the occasion of Women's Day on 8 March, as the message claims. Do not click on the link. Criminals are trying to install malware on your device!
---------------------------------------------
https://www.watchlist-internet.at/news/lidl-frauentagsgeschenk-fake-gewinns…
∗∗∗ GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP ∗∗∗
---------------------------------------------
ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs.
---------------------------------------------
https://asec.ahnlab.com/en/48940/
=====================
= Vulnerabilities =
=====================
∗∗∗ Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002) ∗∗∗
---------------------------------------------
Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to log in as any Site Member or System User.
---------------------------------------------
https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html
∗∗∗ ABB Substation management unit COM600 IEC-104 protocol stack vulnerability ∗∗∗
---------------------------------------------
Hitachi Energy disclosed a vulnerability (CVE-2022-29492) that affects certain HE products. This vulnerability also affects the IEC 60870-5-104 (IEC-104) protocol stack of ABB Substation Management Unit COM600. Consequently, a successful exploit could allow attackers to cause a denial-of-service condition on the COM600 product.
---------------------------------------------
https://web.apsis.one/wve/68c20aba-1b85-416f-bf3f-ce8b1779c260
∗∗∗ CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE ∗∗∗
---------------------------------------------
Aqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victim's Jenkins server, potentially leading to a complete compromise of the Jenkins server.
---------------------------------------------
https://blog.aquasec.com/jenkins-server-vulnerabilities
∗∗∗ Problematic security vulnerability in Apple's GarageBand ∗∗∗
---------------------------------------------
Apple's free music production software can apparently be attacked. Users on macOS should update quickly.
---------------------------------------------
https://heise.de/-7538801
∗∗∗ Patch day: Fortinet closes 15 vulnerabilities, one of them critical ∗∗∗
---------------------------------------------
Fortinet's patch day brings IT administrators updates closing 15 security vulnerabilities. One of them is critical and allows code injection.
---------------------------------------------
https://heise.de/-7538910
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apr), Fedora (c-ares), Oracle (curl, kernel, pesign, samba, and zlib), Red Hat (curl, gnutls, kernel, kernel-rt, and pesign), Scientific Linux (kernel, pesign, samba, and zlib), SUSE (libX11, python-rsa, python3, python36, qemu, rubygem-rack, xorg-x11-server, and xwayland), and Ubuntu (libtpms, linux-ibm, linux-raspi, linux-raspi, python3.7, python3.8, and sofia-sip).
---------------------------------------------
https://lwn.net/Articles/925606/
∗∗∗ IBM Security Bulletins 2023-03-08 ∗∗∗
---------------------------------------------
IBM Robotic Process Automation, IBM WebSphere, IBM MQ, Financial Transaction Manager, IBM VM Recovery Manager, IBM Aspera faspio Gateway, IBM Security Verify Bridge, IBM Spectrum Scale, IBM Security Guardium.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Veeam fixes critical vulnerability CVE-2023-27532 in Backup & Replication V11a/V12 ∗∗∗
---------------------------------------------
A brief note for users of Veeam's backup software. On 7 March 2023 the vendor fixed, via an update, a critical vulnerability (CVE-2023-27532) in its product Backup & Replication in versions V11a/V12.
---------------------------------------------
https://www.borncity.com/blog/2023/03/08/veeam-fixt-kritische-schwachstelle…
∗∗∗ Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN82424996/
∗∗∗ Cisco IOS XR Software for ASR 9000 Series Routers Bidirectional Forwarding Detection Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Nessus Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-11
∗∗∗ [R1] Nessus Version 8.15.9 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-10
=====================
= End-of-Day report =
=====================
Timeframe: Monday 06-03-2023 18:00 − Tuesday 07-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Proof-of-Concept released for critical Microsoft Word RCE bug ∗∗∗
---------------------------------------------
A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/proof-of-concept-released-fo…
∗∗∗ Old Windows ‘Mock Folders’ UAC bypass used to drop malware ∗∗∗
---------------------------------------------
A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac…
∗∗∗ Shein's Android App Caught Transmitting Clipboard Data to Remote Servers ∗∗∗
---------------------------------------------
An older version of Shein's Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server. The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022.
---------------------------------------------
https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.ht…
∗∗∗ SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors. "The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..]
---------------------------------------------
https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.ht…
∗∗∗ Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing ∗∗∗
---------------------------------------------
Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V).
---------------------------------------------
https://www.securityweek.com/exploitation-of-critical-vulnerability-in-end-…
∗∗∗ Advertising for new fake investment platform "TradeGPT" on Facebook, Instagram & Co. ∗∗∗
---------------------------------------------
Criminals are advertising fraudulent investment platforms such as trade-gpt.ai or financialpronews.com on Instagram, Facebook and the like. The fake posts present a new trading platform supposedly developed by Elon Musk and OpenAI. The platform, named "TradeGPT", allegedly makes it easy for „ordinary people“ to get started in stock and commodity trading. The platform has nothing to do with Elon Musk or OpenAI and is fraudulent!
---------------------------------------------
https://www.watchlist-internet.at/news/werbung-fuer-neue-fake-investment-pl…
∗∗∗ Fraud scheme targeting billing departments ∗∗∗
---------------------------------------------
Certitude is observing an increase in online fraud against the billing departments of Austrian companies. Attackers use social engineering via e-mail to get suppliers' bank account details changed at their customers. The losses often amount to several hundred thousand euros and lead to legal disputes between the affected companies.
---------------------------------------------
https://certitude.consulting/blog/de/betrugsmasche-gegen-verrechnung/
∗∗∗ Using Memory Analysis to Detect EDR-Nullifying Malware ∗∗∗
---------------------------------------------
One tool Trend Micro described, dubbed “AVBurner”, used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis.
---------------------------------------------
https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-ed…
=====================
= Vulnerabilities =
=====================
∗∗∗ Is anyone here using SHA-3? The reference implementation ... ∗∗∗
---------------------------------------------
Is anyone here using SHA-3? The reference implementation has an integer overflow.
---------------------------------------------
http://blog.fefe.de/?ts=9af9c7a3
∗∗∗ Multiple vulnerabilities in PostgreSQL extension module pg_ivm ∗∗∗
---------------------------------------------
* Exposure of sensitive information to an unauthorized actor - CVE-2023-22847
* Uncontrolled search path element - CVE-2023-23554
---------------------------------------------
https://jvn.jp/en/jp/JVN19872280/
∗∗∗ ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-212/
∗∗∗ ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-214/
∗∗∗ Patch day: Critical system vulnerabilities threaten Android 11, 12 and 13 ∗∗∗
---------------------------------------------
Google has released important security updates for Android devices. In the worst case, attackers could execute malicious code.
---------------------------------------------
https://heise.de/-7537197
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff).
---------------------------------------------
https://lwn.net/Articles/925469/
∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-053/
∗∗∗ WordPress BuddyForms Plugin — Unauthenticated Insecure Deserialization (CVE-2023-26326) ∗∗∗
---------------------------------------------
https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthentic…
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952319
∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959369
∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960473
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960481
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960485
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960493
∗∗∗ IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960495
∗∗∗ IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960511
∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828569
=====================
= End-of-Day report =
=====================
Timeframe: Friday 03-03-2023 18:00 − Monday 06-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Fake shops forge payment with Klarna ∗∗∗
---------------------------------------------
The fake shops scheubner.net and profibikes.de look very professional. Above all, the option to pay with Klarna lulls many into a sense of security. However, the shops forge the Klarna payment process. If you enter your login details on the replica Klarna payment page, they end up with criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-faelschen-zahlung-mit-kla…
∗∗∗ DCOM hardening (CVE-2021-26414) on the 14 March 2023 patch day for Windows 10/11 and Server ∗∗∗
---------------------------------------------
A small reminder for administrators of Windows in enterprise environments. Microsoft's Windows DCOM implementation has a vulnerability (Windows DCOM Server Security Feature Bypass, CVE-2021-26414) that allowed security features to be bypassed. Microsoft documented this in 2021 and then patched it, with the closing of this vulnerability taking place in several stages. I was recently reminded that Microsoft will release a final patch on 14 March 2023 that removes the option to disable this DCOM hardening.
---------------------------------------------
https://www.borncity.com/blog/2023/03/05/dcom-hrtung-cve-2021-26414-zum-14-…
∗∗∗ Magbo Spam Injection Encoded with hex2bin ∗∗∗
---------------------------------------------
We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection.
---------------------------------------------
https://blog.sucuri.net/2023/03/magbo-spam-injection-encoded-with-hex2bin.h…
∗∗∗ New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims ∗∗∗
---------------------------------------------
A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...]
---------------------------------------------
https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.ht…
∗∗∗ How to prevent Microsoft OneNote files from infecting Windows with malware ∗∗∗
---------------------------------------------
The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-one…
∗∗∗ Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears ∗∗∗
---------------------------------------------
In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems.
---------------------------------------------
https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-nove…
=====================
= Vulnerabilities =
=====================
∗∗∗ strongSwan Vulnerability (CVE-2023-26463) ∗∗∗
---------------------------------------------
A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets.
---------------------------------------------
https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-20…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield).
---------------------------------------------
https://lwn.net/Articles/925323/
∗∗∗ Multiple Vulnerabilities in Arris DG3450 Cable Gateway ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959963
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959973
∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6952319
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960159
∗∗∗ Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960175
∗∗∗ IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960189
∗∗∗ Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960201
∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960211
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960213
∗∗∗ Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/258535
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/258547
∗∗∗ Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix October 2015 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/273103
∗∗∗ Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/278361
∗∗∗ Multiple vulnerabilities in IBM® SDK, Java™ Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/541019
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 02-03-2023 18:00 − Friday 03-03-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ FBI and CISA warn of increasing Royal ransomware attack risks ∗∗∗
---------------------------------------------
CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-increas…
∗∗∗ Persistence Techniques That Persist ∗∗∗
---------------------------------------------
In this blog post, we will focus on how malware can achieve persistence by abusing the Windows Registry. Specifically, we will focus on lesser-known techniques, many of which have been around since the days of Windows XP and are just as effective today on Windows 10 and 11.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/persistence-techniq…
∗∗∗ NIST Cybersecurity Framework 2.0: Updated guidelines against cybercrime ∗∗∗
---------------------------------------------
Because the IT threat landscape is constantly changing, the US National Institute of Standards and Technology has updated its Cybersecurity Framework.
---------------------------------------------
https://heise.de/-7534206
∗∗∗ FAQ: What kinds of cyberattacks exist and how risks can be avoided ∗∗∗
---------------------------------------------
Cyberattacks can affect anyone, but with a few simple measures you can at least minimise your personal risk.
---------------------------------------------
https://heise.de/-7523370
∗∗∗ Thousands of Websites Hijacked Using Compromised FTP Credentials ∗∗∗
---------------------------------------------
Cybersecurity startup Wiz warns of a widespread redirection campaign in which thousands of websites have been compromised using legitimate FTP credentials.
---------------------------------------------
https://www.securityweek.com/thousands-of-websites-hijacked-using-compromis…
∗∗∗ Of Degens and Defrauders: Using Open-Source Investigative Tools to Investigate Decentralized Finance Frauds and Money Laundering. (arXiv:2303.00810v1 [cs.CR]) ∗∗∗
---------------------------------------------
This study demonstrates how open-source investigative tools can extract transaction-based evidence that could be used in a court of law to prosecute DeFi frauds. Additionally, we investigate how these funds are subsequently laundered.
---------------------------------------------
http://arxiv.org/abs/2303.00810
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-03-03 ∗∗∗
---------------------------------------------
IBM Cloud Pak, IBM Financial Transaction Manager, Operations Dashboard, IBM App Connect Enterprise Certified Container, IBM Sterling Connect:Express, IBM HTTP Server, IBM Spectrum Control, IBM Aspera Faspex, IBM SAN, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, IBM Maximo, IBM WebSphere Remote Server, IBM Business Automation Workflow, Rational Functional Tester.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Malicious code attacks on HPE Serviceguard for Linux possible ∗∗∗
---------------------------------------------
The developers have closed three security vulnerabilities in HPE's Serviceguard for Linux. Patched versions are available for download.
---------------------------------------------
https://heise.de/-7534361
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (linux-5.10 and node-css-what), SUSE (gnutls, google-guest-agent, google-osconfig-agent, nodejs10, nodejs14, nodejs16, opera, pkgconf, python-cryptography, python-cryptography-vectors, rubygem-activesupport-4_2, thunderbird, and tpm2-0-tss), and Ubuntu (git, kernel, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-lowlatency, linux-oracle, linux-azure-fde, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, php7.0, python-pip, ruby-rack, spip, and sudo).
---------------------------------------------
https://lwn.net/Articles/925060/
∗∗∗ Vulnerabilities in Intel CPUs: Microsoft releases out-of-band security update ∗∗∗
---------------------------------------------
It is meant to close a total of four vulnerabilities. The flaws have, however, been known since June 2022. Windows 10, Windows 11 and Windows Server are affected.
---------------------------------------------
https://www.zdnet.de/88407530/luecken-in-intel-cpus-microsoft-veroeffentlic…
∗∗∗ [R1] Nessus Version 10.5.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-09
∗∗∗ BOSCH-SA-931197: Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-931197.html
∗∗∗ SonicOS SSLVPN Improper Restriction of Excessive MFA Attempts Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0005
∗∗∗ SonicOS Unauthenticated Stack-Based Buffer Overflow Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 01-03-2023 18:00 − Donnerstag 02-03-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ YARA: Detect The Unexpected ..., (Thu, Mar 2nd) ∗∗∗
---------------------------------------------
He has strings to detect any embedded file, and strings to detect embedded PNG files, JPEG files, ...
So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences.
---------------------------------------------
https://isc.sans.edu/diary/rss/29598
∗∗∗ SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics ∗∗∗
---------------------------------------------
The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system.
---------------------------------------------
https://thehackernews.com/2023/03/sysupdate-malware-strikes-again-with.html
∗∗∗ This Hacker Tool Can Pinpoint a DJI Drone Operator's Exact Location ∗∗∗
---------------------------------------------
Every DJI quadcopter broadcasts its operator's position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates.
---------------------------------------------
https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/
∗∗∗ Helping Cyber Defenders “Decide” to Use MITRE ATT&CK ∗∗∗
---------------------------------------------
Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support more than just optimized cyber threat intelligence to the cybersecurity community. To match these advances, CISA recently published a second edition of our mapping guide and today announces a new accompaniment to the guide, CISA’s Decider tool.
---------------------------------------------
https://www.cisa.gov/news-events/news/helping-cyber-defenders-decide-use-mi…
∗∗∗ Gitpod remote code execution 0-day vulnerability via WebSockets ∗∗∗
---------------------------------------------
This article walks us through a current Snyk Security Labs research project focusing on cloud-based development environments (CDEs) — which resulted in a full workspace takeover on the Gitpod platform and extended to the user's SCM account. The issues here have been responsibly disclosed to Gitpod and were resolved within a single working day.
---------------------------------------------
https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/
∗∗∗ CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders with recommendations for improving their organizations' cyber posture.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a
∗∗∗ Tainted Love: A Systematic Review of Online Romance Fraud. (arXiv:2303.00070v1 [cs.HC]) ∗∗∗
---------------------------------------------
Romance fraud involves cybercriminals engineering a romantic relationship on online dating platforms. It is a cruel form of cybercrime whereby victims are left heartbroken, often facing financial ruin. We characterise the literary landscape on romance fraud, advancing the understanding of researchers and practitioners by systematically reviewing and synthesising contemporary qualitative and quantitative evidence.
---------------------------------------------
http://arxiv.org/abs/2303.00070
∗∗∗ Dishing Out DoS: How to Disable and Secure the Starlink User Terminal. (arXiv:2303.00582v1 [cs.CR]) ∗∗∗
---------------------------------------------
Satellite user terminals are a promising target for adversaries seeking to target satellite communication networks. Despite this, many protections commonly found in terrestrial routers are not present in some user terminals. As a case study we audit the attack surface presented by the Starlink router's admin interface, using fuzzing to uncover a denial of service attack on the Starlink user terminal.
---------------------------------------------
http://arxiv.org/abs/2303.00582
=====================
= Vulnerabilities =
=====================
∗∗∗ Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008 ∗∗∗
---------------------------------------------
Project: Group control for forums
Security risk: Critical
Description: This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics.
Solution: Install the latest version
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-008
∗∗∗ Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007 ∗∗∗
---------------------------------------------
Project: Thunder
Security risk: Moderately critical
Description: Thunder is a Drupal distribution for professional publishing. The Thunder distribution ships the thunder_gqls module, which provides a GraphQL interface. The module doesn't sufficiently check access when serving user data via GraphQL, leading to an access bypass vulnerability.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-007
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (git), Debian (spip), Fedora (epiphany), Mageia (binwalk, chromium-browser-stable, crmsh, emacs, libraw, libtiff, nodejs, pkgconf, tar, and vim), Oracle (kernel and systemd), SUSE (emacs, kernel, nrpe, and rubygem-activerecord-4_2), and Ubuntu (c-ares, git, postgresql-12, postgresql-14, and sox).
---------------------------------------------
https://lwn.net/Articles/924922/
∗∗∗ Critical vulnerabilities in ArubaOS - updates partially available ∗∗∗
---------------------------------------------
Since attackers can execute arbitrary code on affected devices, all data stored on and reachable through these devices is at risk. As these are network components, scenarios are also conceivable in which data flowing through them can be read, impaired and/or altered.
---------------------------------------------
https://cert.at/de/warnungen/2023/3/kritische-sicherheitslucken-in-arubaos-…
∗∗∗ Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-006
∗∗∗ ABB: Improper authentication vulnerability in S+ Operations (CVE ID: CVE-2023-0228) ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=7PAA0…
∗∗∗ IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6590487
∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959353
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959355
∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959369
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957836
∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959357
∗∗∗ There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-40705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959359
∗∗∗ Persistent cross-site scripting vulnerability affects IBM Business Automation Workflow - CVE-2023-22860 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958691
∗∗∗ Vulnerability in bind affects IBM Integrated Analytics System [CVE-2022-2795] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959567
∗∗∗ IBM Cloud Pak for Network Automation v2.4.4 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959583
∗∗∗ There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959601
∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU and IBM Java - OpenJ9 CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959625
∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848317
∗∗∗ IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6956299
∗∗∗ Operations Dashboard is vulnerable to denial of service and response splitting due to vulnerabilities in Netty (CVE-2022-41881 and CVE-2022-41915) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959639
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 28-02-2023 18:00 − Mittwoch 01-03-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ TPM 2.0 specifications: attackers could smuggle malicious code onto the TPM ∗∗∗
---------------------------------------------
Errors have crept into the specification of the TPM 2.0 reference library. Attackers could slip their own code into vulnerable implementations.
---------------------------------------------
https://heise.de/-7531171
∗∗∗ Finish him! Free decryption tool defeats MortalKombat ransomware ∗∗∗
---------------------------------------------
No sooner has the MortalKombat ransomware trojan seen the light of day than security researchers deliver the final blow.
---------------------------------------------
https://heise.de/-7531337
∗∗∗ Fake PayLife login in Google search ads! ∗∗∗
---------------------------------------------
PayLife users beware: criminals are currently running ads on Google that lead to a fake PayLife website. A small typo is enough to get the fraudulent ad displayed as the first result. Anyone who enters their login data on the phishing page enables the criminals to make payments. The money is lost!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschter-paylife-login-in-anzeig…
∗∗∗ The dangers from across browser-windows ∗∗∗
---------------------------------------------
While browsing the web, your browser tries to protect you as best it can, but sometimes it fails when it is not properly instructed by the website you are visiting. One of the browser's most important security mechanisms is the Same-Origin Policy [1][2][3] (SOP), which restricts how scripts and documents from one origin may interact with resources and documents from another [...]
---------------------------------------------
https://certitude.consulting/blog/de/the-dangers-from-across-browser-window…
∗∗∗ BlackLotus UEFI bootkit bypasses Secure Boot in Windows 11 ∗∗∗
---------------------------------------------
Security researchers at ESET have discovered malware dubbed BlackLotus in the wild that takes control of the UEFI. BlackLotus is likely the first UEFI bootkit malware in the wild that can bypass Secure Boot on Windows 11 (and probably Windows 10 as well).
---------------------------------------------
https://www.borncity.com/blog/2023/03/01/blacklotus-uefi-bootkit-berwindet-…
∗∗∗ CISA: ZK Java Framework RCE Flaw Under Active Exploit ∗∗∗
---------------------------------------------
The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately.
---------------------------------------------
https://www.darkreading.com/risk/cisa-zk-java-framework-rce-flaw-under-acti…
∗∗∗ SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft ∗∗∗
---------------------------------------------
The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials.
---------------------------------------------
https://sysdig.com/blog/cloud-breach-terraform-data-theft/
∗∗∗ DNS abuse: Advice for incident responders ∗∗∗
---------------------------------------------
What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers.
---------------------------------------------
https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-re…
∗∗∗ Google Cloud Platform allows data exfiltration without a (forensic) trace ∗∗∗
---------------------------------------------
Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP’s storage access logs, Mitiga researchers have discovered. [...] In short, the main problem is that GCP’s basic storage logs – which are, by the way, not enabled by default – use the same description/event (objects.get) for [...]
---------------------------------------------
https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/
∗∗∗ Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads ∗∗∗
---------------------------------------------
The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements [...]
---------------------------------------------
https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-…
∗∗∗ The Level of Human Engagement Behind Automated Attacks ∗∗∗
---------------------------------------------
Even automated attacks are driven by humans, but the level of engagement we observed may surprise you! When the human or an organization behind an automated attack shows higher levels of innovation and sophistication in their attack tactics, the danger increases dramatically as they are no longer simply employing an opportunistic “spray and pray” strategy, but rather more highly evolved strategies that are closer to a so-called targeted attack.
---------------------------------------------
https://www.gosecure.net/blog/2023/02/28/the-level-of-human-engagement-behi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools and syslog-ng), Fedora (gnutls and guile-gnutls), Oracle (git, httpd, lua, openssl, php, python-setuptools, python3.9, sudo, tar, and vim), Red Hat (kpatch-patch), Scientific Linux (git), SUSE (compat-openssl098, glibc, openssl, postgresql13, python-Django, webkit2gtk3, and xterm), and Ubuntu (awstats, expat, firefox, gnutls28, lighttpd, php7.2, php7.4, php8.1, python-pip, and tar).
---------------------------------------------
https://lwn.net/Articles/924794/
∗∗∗ Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products ∗∗∗
---------------------------------------------
Several ThingWorx and Kepware products are affected by two vulnerabilities that can be exploited for DoS attacks and unauthenticated remote code execution.
---------------------------------------------
https://www.securityweek.com/critical-vulnerabilities-patched-in-thingworx-…
∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Webex App for Web Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Unified Intelligence Center Vulnerabilities ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ TPM 2.0 Vulnerabilities ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500551-TPM-20-VULNERABILITIES
∗∗∗ Nuvoton TPM Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://support.lenovo.com/product_security/PS500550-NUVOTON-TPM-DENIAL-OF-…
∗∗∗ Malicious IKEv2 packet by authenticated peer can cause libreswan to restart ∗∗∗
---------------------------------------------
https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 5.23.1: SC-202303.1-5 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-08
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 6.0.0: SC-202303.1-6 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-07
∗∗∗ IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856457
∗∗∗ DataPower Operator vulnerable to Denial of Service (CVE-2022-41724) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958490
∗∗∗ Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958504
∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-22389, CVE-2022-25313, CVE-2022-25236, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235 and CVE-2022-22390) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959019
∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959033
∗∗∗ IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958701
∗∗∗ IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957688
∗∗∗ IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957686
=====================
= End-of-Day report =
=====================
Timeframe: Montag 27-02-2023 18:00 − Dienstag 28-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical flaws in WordPress Houzez theme exploited to hijack websites ∗∗∗
---------------------------------------------
Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-…
∗∗∗ New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware ∗∗∗
---------------------------------------------
Threat actors are promoting a new Exfiltrator-22 post-exploitation framework designed to spread ransomware in corporate networks while evading detection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-expl…
∗∗∗ Password manager: Lastpass shares further details on the December hack ∗∗∗
---------------------------------------------
Via a keylogger on a home computer, attackers were able to obtain admin access to various Lastpass customer data and its source code.
---------------------------------------------
https://www.golem.de/news/passwortmanager-lastpass-teilt-weitere-details-zu…
∗∗∗ Side-Channel Attack against CRYSTALS-Kyber ∗∗∗
---------------------------------------------
CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/02/side-channel-attack-against-…
∗∗∗ CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests.
---------------------------------------------
https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html
∗∗∗ A Complete Kubernetes Config Review Methodology ∗∗∗
---------------------------------------------
There are many resources out there that tap into the subject of Kubernetes Pentesting or Configuration Review; however, they usually detail specific topics and misconfigurations and don't offer a broad perspective on how to do a complete Security Review. That is why in this article I want to cover a more complete overview of all the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment.
---------------------------------------------
https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-meth…
∗∗∗ Vulnerabilities Being Exploited Faster Than Ever: Analysis ∗∗∗
---------------------------------------------
The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7.
---------------------------------------------
https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ev…
∗∗∗ Buying concert tickets on Facebook: beware of fraud ∗∗∗
---------------------------------------------
Facebook is a popular place to snag tickets for sold-out concerts. Bear in mind, however, that fake profiles are behind many offers. Check the seller's profile very carefully and never pay with the PayPal option "Send money to friends & family". We show you how to recognise fraudulent offers on Facebook.
---------------------------------------------
https://www.watchlist-internet.at/news/konzertkarten-auf-facebook-kaufen-vo…
∗∗∗ Fake FinanzOnline e-mail about a security update in circulation ∗∗∗
---------------------------------------------
Scrutinise e-mails from the tax office or FinanzOnline very closely. Countless fraudulent messages are currently in circulation.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-e-mail-von-finanzonline…
∗∗∗ Security vendor Cyren goes into liquidation – NoSpamProxy affected ∗∗∗
---------------------------------------------
Brief information for users who rely on security functions from the vendor Cyren (e.g. NoSpamProxy). The vendor Cyren is in financial difficulties and will probably be liquidated – the services concerned are being discontinued.
---------------------------------------------
https://www.borncity.com/blog/2023/02/28/sicherheitsanbieter-cyren-geht-in-…
∗∗∗ Bitdefender Releases Free MortalKombat Ransomware Decryptor ∗∗∗
---------------------------------------------
The free Mortal Kombat ransomware decryptor is now available for victims to recover their encrypted files without having to pay the ransom.
---------------------------------------------
https://www.hackread.com/bitdefender-mortalkombat-ransomware-decryptor/
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0006 ∗∗∗
---------------------------------------------
CVSSv3 Range: 6.3
CVE(s): CVE-2023-20857
Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0006.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl, python-werkzeug, and spip), Fedora (curl), Mageia (apache-commons-fileupload, apr, c-ares, clamav, git, gnutls, ipython, jupyter-core, php, postgresql, python-cryptography, python-jupyterlab, python-twisted, sofia-sip, and sox), Red Hat (git, httpd, kernel, kernel-rt, kpatch-patch, lua, openssl, pcs, php, python-setuptools, python3.9, systemd, tar, vim, and zlib), SUSE (libxslt, php8, postgresql15, python3, tpm2-0-tss, and ucode-intel), and
---------------------------------------------
https://lwn.net/Articles/924690/
∗∗∗ IBM Security Bulletins 2023-02-23 ∗∗∗
---------------------------------------------
IBM VM Recovery Manager, IBM MQ Appliance, Red Hat OpenShift on IBM Cloud, IBM Business Automation Workflow, WebSphere Application Server, IBM SAN b-type switch, IBM FlashSystem, TMS RAMSAN, IBM HTTP Server, IBM CloudPak, Operations Dashboard, IBM QRadar SIEM Application Framework Base Image.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CVE-2022-38108: RCE in SolarWinds Network Performance Monitor ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hong and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the SolarWinds Network Performance Monitor. This bug was originally discovered and reported by ZDI vulnerability researcher Piotr Bazydło. The vulnerability results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data.
---------------------------------------------
https://www.thezdi.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-netw…
∗∗∗ ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020047
∗∗∗ ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023020046
∗∗∗ web2py development tool vulnerable to open redirect ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN78253670/
∗∗∗ Osprey Pump Controller 1.0.1 Exploit Code released ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ OS Command Injection in Barracuda CloudGen WAN ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/os-command-injection-…
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 24-02-2023 18:00 − Montag 27-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ QUICforge - Client-side request forgery attacks in the QUIC protocol ∗∗∗
---------------------------------------------
An overview of why the QUIC protocol is a security-relevant and particularly topical field of research, and what challenges the use of QUIC entails.
---------------------------------------------
https://sec-consult.com/de/blog/detail/quicforge-client-seitige-request-for…
∗∗∗ Exchange Server: Microsoft recommends updating antivirus exclusions (Feb. 2023) ∗∗∗
---------------------------------------------
Microsoft's Exchange Server team has revised its recommendations on exclusions for antivirus scans and asks administrators to review the settings of their antivirus software and adjust them where necessary.
---------------------------------------------
https://www.borncity.com/blog/2023/02/27/exchange-server-microsoft-empfiehl…
∗∗∗ Malicious authenticator apps also found in the Google Play Store ∗∗∗
---------------------------------------------
Last week, app developers discovered malicious authenticator apps in Apple's App Store. Now they have also found them in the Google Play Store.
---------------------------------------------
https://heise.de/-7528469
∗∗∗ With only the iPhone PIN: thieves empty Apple IDs and bank accounts ∗∗∗
---------------------------------------------
iPhone thefts can lead to a complete takeover of the victim's Apple ID and bank accounts. The culprit is Apple's (too) simple password recovery via PIN.
---------------------------------------------
https://heise.de/-7527961
∗∗∗ Classified-ad platforms: fraudulent buyers fake a payment on a forged PayPal website ∗∗∗
---------------------------------------------
Willhaben, Ebay, Shpock and co.: beware of fraudulent prospective buyers! Fraudulent prospective buyers on classified-ad platforms claim to have transferred the purchase amount, including shipping costs, to the payment service PayPal. They send you a personalised link through which you can supposedly request the money. Break off contact: you will be lured to a fake PayPal page. Criminals use it to steal your login credentials and the money in your PayPal account!
---------------------------------------------
https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-kleinanzeigen…
∗∗∗ PureCrypter malware hits govt orgs with ransomware, info-stealers ∗∗∗
---------------------------------------------
A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-gov…
∗∗∗ RIG Exploit Kit still infects enterprise users via Internet Explorer ∗∗∗
---------------------------------------------
The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the service's long operational history.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rig-exploit-kit-still-infect…
∗∗∗ Is My Site Hacked? (13 Signs) ∗∗∗
---------------------------------------------
Symptoms of a hack can vary wildly. A concerning security alert from Google, a browser warning when you visit your site, or even a notice from your hosting provider that they’ve taken down your website - all of these events may indicate that your site has been hacked. Fortunately, there are a number of quick (and free) ways you can check and find out if your website has been compromised.
---------------------------------------------
https://blog.sucuri.net/2023/02/is-my-website-hacked.html
∗∗∗ Open Source Security and Risk Analysis Report ∗∗∗
---------------------------------------------
In its 8th edition this year, the 2023 "Open Source Security and Risk Analysis" (OSSRA) report delivers our annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software.
https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-…
---------------------------------------------
https://www.synopsys.com/software-integrity/resources/analyst-reports/open-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update: Zoho ManageEngine ServiceDesk Plus is vulnerable ∗∗∗
---------------------------------------------
Attackers could attack systems running Zoho's IT management product ManageEngine ServiceDesk Plus. Meanwhile, an older Zoho vulnerability is under active attack.
---------------------------------------------
https://heise.de/-7528332
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apr-util, freeradius, mono, nodejs, php7.3, php7.4, and python-cryptography), Fedora (epiphany, haproxy, and podman), SUSE (chromium, libraw, php7, php74, python-pip, and rubygem-activerecord-4_2), and Ubuntu (apr, clamav, curl, intel-microcode, nss, openvswitch, webkit2gtk, and zoneminder).
---------------------------------------------
https://lwn.net/Articles/924546/
∗∗∗ Windows: Microsoft continues to ship the cURL library with vulnerabilities (Feb. 2023) ∗∗∗
---------------------------------------------
It is an unpleasant story that I am posting here in the blog once again. Microsoft is not managing to ship cURL with Windows in a way that keeps the software up to date and free of known security vulnerabilities.
---------------------------------------------
https://www.borncity.com/blog/2023/02/25/windows-microsoft-liefert-curl-bib…
∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-060/
∗∗∗ Advisory: Vulnerable TigerVNC Version used in B&R Products ∗∗∗
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16769091…
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ IBM MQ for HPE NonStop Server is affected by channel CCDT vulnerability CVE-2022-40237 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958136
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958146
∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service in Pypa Setuptools (CVE-2022-40897) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958142
∗∗∗ IBM Security Verify Bridge (windows and docker versions) affected by a denial of service issue in Go (CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958156
∗∗∗ Certifi package as used by IBM QRadar User Behavior Analytics is vulnerable to improper certificate validation (CVE-2022-23491) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958452
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958458
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2022-38712) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958478
∗∗∗ A security vulnerability (CVE-2022-3509, CVE-2022-3171) has been identified in IBM WebSphere Application Server Liberty shipped with IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958474
∗∗∗ FasterXML-jackson-databinds vulnerabilities affect IBM Operations Analytics Predictive Insights (CVE-2022-42004,CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958482
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955937
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958476
∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958484
∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958486
∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2177, CVE-2016-2178). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697949
∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2180). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697951
∗∗∗ IBM b-type SAN switches and directors affected by OpenSSL Security Advisory [22 Sep 2016] and [26 Sep 2016]. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697953
∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650695
∗∗∗ IBM b-type SAN Network/Storage switches are affected by a denial of service vulnerability, caused by CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650699
∗∗∗ IBM b-type SAN directors and switches are affected by a privilege escalation vulnerability (CVE-2016-8202). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697803
∗∗∗ Vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors (CVE-2016-2108) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/697943
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 23-02-2023 18:00 − Friday 24-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Caution: ChatGPT scams are increasing sharply ∗∗∗
---------------------------------------------
There are many sites on the internet that pretend to be the intelligent chatbot. In reality, they spread malware.
---------------------------------------------
https://futurezone.at/produkte/chatgpt-scam-malware-apps-android-chatbot-vo…
∗∗∗ AI: journalist outwits bank with artificial intelligence ∗∗∗
---------------------------------------------
A journalist has succeeded in bypassing a bank's voice authentication using AI. Fraudsters could do the same.
---------------------------------------------
https://www.golem.de/news/ki-journalist-ueberlistet-bank-mit-kuenstlicher-i…
∗∗∗ Privacy: Chrome extensions can still do a lot of damage ∗∗∗
---------------------------------------------
An analysis shows what can still be spied on despite Google's Chrome Extension Manifest V3 if users are not careful during installation.
---------------------------------------------
https://www.golem.de/news/privatsphaere-chrome-extensions-koennen-noch-imme…
∗∗∗ The code that wasn’t there: Reading memory on an Android device by accident ∗∗∗
---------------------------------------------
CVE-2022-25664, a vulnerability in the Qualcomm Adreno GPU, can be used to leak large amounts of information to a malicious Android application. Learn more about how the vulnerability can be used to leak information in both the user space and kernel space level of pages, and how the GitHub Security Lab used the kernel space information leak to construct a KASLR bypass.
---------------------------------------------
https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-…
∗∗∗ In Final Cut & co.: warning about cryptojacking via cracked Mac apps ∗∗∗
---------------------------------------------
Cryptomining malware is being distributed via cracked Mac apps and is hiding itself ever better, security researchers warn. Apple is responding.
---------------------------------------------
https://heise.de/-7527273
∗∗∗ Update on the Exchange Server Antivirus Exclusions ∗∗∗
---------------------------------------------
For years we have been saying how running antivirus (AV) software on your Exchange Servers can enhance the security and health of your Exchange organization. We’ve also said that if you are deploying file-level scanners on Exchange servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both scheduled and real-time scanning. But times have changed, and so has the cybersecurity landscape.
---------------------------------------------
https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exc…
∗∗∗ Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool ∗∗∗
---------------------------------------------
Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-troj…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco patches vulnerabilities, some of them high-risk ∗∗∗
---------------------------------------------
Network equipment vendor Cisco has released security updates for several products. They close vulnerabilities, some of which are rated as high-severity threats.
---------------------------------------------
https://heise.de/-7526208
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (binwalk, chromium, curl, emacs, frr, git, libgit2, and tiff), Fedora (qt5-qtbase), SUSE (c-ares, kernel, openssl-1_1-livepatches, pesign, poppler, rubygem-activerecord-5_1, and webkit2gtk3), and Ubuntu (linux-aws).
---------------------------------------------
https://lwn.net/Articles/924358/
∗∗∗ Ineffective Cross Site Request Forgery (CSRF) protection in IBM Business Process Manager (BPM) (CVE-2017-1769) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/301273
∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to information disclosure (CVE-2022-43923) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957654
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958016
∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-23477) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958024
∗∗∗ Vulnerabilities found within Apache Storm that is used by IBM Tivoli Network Manager (ITNM) IP Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958056
∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2023 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958062
∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958064
∗∗∗ CVE-2022-32149 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958066
∗∗∗ CVE-2022-32149 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958072
∗∗∗ Multiple vulnerabilities in Go may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958068
∗∗∗ CVE-2022-3676 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958086
∗∗∗ CVE-2022-3676 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958074
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855111
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955929
∗∗∗ CVE-2022-37734 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958076
∗∗∗ CVE-2022-37734 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958084
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955937
∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958080
∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6958082
∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by a vulnerability in JSON Web Token ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6955935
∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957710
∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect z/Transaction Processing Facility ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957822
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 22-02-2023 18:00 − Thursday 23-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ New S1deload Stealer malware hijacks Youtube, Facebook accounts ∗∗∗
---------------------------------------------
An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware…
∗∗∗ Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries ∗∗∗
---------------------------------------------
Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3.
---------------------------------------------
https://thehackernews.com/2023/02/python-developers-warned-of-trojanized.ht…
∗∗∗ Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products ∗∗∗
---------------------------------------------
Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers.
---------------------------------------------
https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html
∗∗∗ OffSec Tools ∗∗∗
---------------------------------------------
This repository is intended for pentesters and red teamers using a variety of offensive security tools during their assessments. The repository is a collection of useful tools suitable for assessments in internal environments.
---------------------------------------------
https://github.com/Syslifters/offsec-tools
∗∗∗ Technical Analysis of BlackBasta Ransomware 2.0 ∗∗∗
---------------------------------------------
Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/back-black-basta
∗∗∗ Users looking for ChatGPT apps get malware instead ∗∗∗
---------------------------------------------
The massive popularity of OpenAI’s chatbot ChatGPT has not gone unnoticed by cyber criminals: they are exploiting the public’s eagerness to experiment with it to trick users into downloading Windows and Android malware and visit phishing pages.
---------------------------------------------
https://www.helpnetsecurity.com/2023/02/23/chatgpt-windows-android/
∗∗∗ Stealthy Mac Malware Delivered via Pirated Apps ∗∗∗
---------------------------------------------
Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps and they could use the same method for other malware.
---------------------------------------------
https://www.securityweek.com/stealthy-mac-malware-delivered-via-pirated-app…
∗∗∗ Anti-Forensic Techniques Used By Lazarus Group ∗∗∗
---------------------------------------------
Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group.
---------------------------------------------
https://asec.ahnlab.com/en/48223/
∗∗∗ ChromeLoader Disguised as Illegal Game Programs Being Distributed ∗∗∗
---------------------------------------------
Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files.
---------------------------------------------
https://asec.ahnlab.com/en/48211/
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities ∗∗∗
---------------------------------------------
Two of the vulnerabilities are considered to be of critical importance, with a CVSS score of the maximum 10 out of 10.
---------------------------------------------
https://blog.talosintelligence.com/vuln-spotlight-eip-stack-group-feb-2023/
∗∗∗ BIOS security updates: HP computers vulnerable to malicious code attacks ∗∗∗
---------------------------------------------
In updated BIOS versions for HP computers, the developers have closed several security vulnerabilities.
---------------------------------------------
https://heise.de/-7524562
∗∗∗ Firewall distribution: pfSense 23.01 closes security vulnerabilities ∗∗∗
---------------------------------------------
In the firewall distribution pfSense 23.01, the developers have closed several security vulnerabilities. They have also brought the underlying base system up to date.
---------------------------------------------
https://heise.de/-7525432
∗∗∗ Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023) ∗∗∗
---------------------------------------------
Last week, there were 104 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below.
---------------------------------------------
https://www.wordfence.com/blog/2023/02/wordfence-intelligence-ce-weekly-vul…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox and thunderbird), Debian (asterisk, git, mariadb-10.3, node-url-parse, python-cryptography, and sofia-sip), Fedora (c-ares, golang-github-need-being-tree, golang-helm-3, golang-oras, golang-oras-1, and golang-oras-2), Oracle (httpd:2.4, kernel, php:8.0, python-setuptools, python3, samba, systemd, tar, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (phpMyAdmin, poppler, and postgresql12), and Ubuntu (dcmtk and linux-hwe).
---------------------------------------------
https://lwn.net/Articles/924236/
∗∗∗ Case update: DIVD-2022-00052 - Multiple vulnerabilities in Cloudflow software ∗∗∗
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00052/
∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager HA GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957680
∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957708
∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957710
∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager HA GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957714
∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957754
∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957758
∗∗∗ CVE-2022-3509 and CVE-2022-3171 may affect IBM TXSeries for Multiplatforms ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6957764
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 21-02-2023 18:00 − Wednesday 22-02-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Warning of attacks on IBM Aspera Faspex and Mitel MiVoice ∗∗∗
---------------------------------------------
The US IT security agency CISA warns that cybercriminals are attacking security vulnerabilities in IBM Aspera Faspex and Mitel MiVoice. Updates are available.
---------------------------------------------
https://heise.de/-7523870
∗∗∗ Patch now! Exploit code for critical Fortinet FortiNAC vulnerability in circulation ∗∗∗
---------------------------------------------
Since exploit code has been published, attackers could target Fortinet's network access control solution FortiNAC.
---------------------------------------------
https://heise.de/-7523427
∗∗∗ Fake give-aways and gift campaigns in the name of 'MrBeast'! ∗∗∗
---------------------------------------------
Anyone who regularly watches YouTube videos can hardly avoid MrBeast. The YouTuber, with over 134 million subscribers, is known for his give-away videos in which he gives away thousands or even millions of dollars. Criminals exploit this reputation by spreading fraudulent prize promises and gift campaigns in MrBeast's name.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-give-aways-und-geschenkaktionen…
∗∗∗ Hydrochasma hackers target medical research labs, shipping firms ∗∗∗
---------------------------------------------
A previously unknown threat actor named Hydrochasma has been targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hydrochasma-hackers-target-m…
∗∗∗ WhatsApp has ignored a security problem that affects everyone for years ∗∗∗
---------------------------------------------
Strangers can take over your profile and impersonate you - entirely without hacking or phishing.
---------------------------------------------
https://futurezone.at/apps/whatsapp-sicherheit-problem-konto-telefonnummer-…
∗∗∗ Attackers Abuse Cron Jobs to Reinfect Websites ∗∗∗
---------------------------------------------
Malicious cron jobs are nothing new; we’ve seen attackers use them quite frequently to reinfect websites. However, in recent months we’ve noticed a distinctive new wave of these infections that appears to be closely related to this article about a backdoor that we’ve been tracking.
---------------------------------------------
https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websi…
∗∗∗ Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks ∗∗∗
---------------------------------------------
An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc.
---------------------------------------------
https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.h…
∗∗∗ Let's build a Chrome extension that steals everything ∗∗∗
---------------------------------------------
Manifest v3 may have taken some of the juice out of browser extensions, but I think there is still plenty left in the tank. To prove it, let’s build a Chrome extension that steals as much data as possible.
---------------------------------------------
https://mattfrisbie.substack.com/p/spy-chrome-extension
∗∗∗ How NPM Packages Were Used to Spread Phishing Links ∗∗∗
---------------------------------------------
[...] On Monday, 20th of February, Checkmarx Labs discovered an anomaly in the NPM ecosystem when we cross-referenced new information with our databases. Clusters of packages had been published in large quantities to the NPM package manager. Further investigation revealed that the packages were part of a trending new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns.
---------------------------------------------
https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-li…
∗∗∗ Android voice chat app with 5m installs leaked user chats ∗∗∗
---------------------------------------------
The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan.
---------------------------------------------
https://www.hackread.com/android-voice-chat-app-data-leak/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates: VMware seals critical security hole ∗∗∗
---------------------------------------------
With updates for Carbon Black App Control and vRealize as well as Cloud Foundation, VMware closes one critical and one high-risk vulnerability.
---------------------------------------------
https://heise.de/-7523335
∗∗∗ Foxit PDF updates seal high-risk vulnerabilities ∗∗∗
---------------------------------------------
The PDF software Foxit contained security holes through which attackers could have injected and executed malicious code, for example by means of manipulated PDF files.
---------------------------------------------
https://heise.de/-7523313
∗∗∗ Multiple vulnerabilities in Nokia BTS Airscale ASIKA [PDF] ∗∗∗
---------------------------------------------
Synacktiv performed an audit on the base transceiver station Nokia Airscale ASIKA, running the firmware version btsmed_5G19B_GNB_0007_001836_000863, and discovered multiple vulnerabilities.
---------------------------------------------
https://www.synacktiv.com/sites/default/files/2023-02/Synacktiv-Nokia-BTS-A…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6).
---------------------------------------------
https://lwn.net/Articles/924070/
∗∗∗ Synology-SA-23:01 ClamAV ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers to possibly execute arbitrary code or local users to obtain sensitive information via a susceptible version of Antivirus Essential, Synology Mail Server, and Synology MailPlus Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_23_01
∗∗∗ IBM Security Bulletins 2023-02-22 ∗∗∗
---------------------------------------------
* A vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* A vulnerability in the GUI affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578)
* IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708]
* IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477)
* IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477)
* Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* The dashboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231)
* Vulnerabilities in jsonwebtoken affect IBM Watson Assistant for IBM Cloud Pak for Data
* Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
* Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Plus (CVE-2019-11777)
* Vulnerability in Log4j affects IBM Integrated Analytics System [CVE-2022-23305]
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Cisco Nexus 9000 Series Fabric Switches in ACI Mode Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS Fabric Interconnects Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Nexus 9300-FX3 Series Fabric Extender for UCS Fabric Interconnects Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 6.0.0: SC-202302.2 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-06
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 5.23.1: SC-202302.3 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-05
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily