=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 24-05-2023 18:00 − Thursday 25-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers target 1.5M WordPress sites with cookie consent plugin exploit ∗∗∗
---------------------------------------------
Ongoing attacks are targeting an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in a WordPress cookie consent plugin named Beautiful Cookie Consent Banner with more than 40,000 active installs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-15m-wordpress…
∗∗∗ A new OAuth vulnerability that may impact hundreds of online services ∗∗∗
---------------------------------------------
This post details issues identified in Expo, a popular framework used by many online services to implement OAuth (as well as other functionality). The vulnerability in the expo-auth-session library warranted a CVE assignment – CVE-2023-28131. Expo created a hotfix within the day that automatically provided mitigation, but Expo recommends that customers update their deployment to deprecate this service to fully remove the risk (see the Expo security advisory on the topic).
---------------------------------------------
https://salt.security/blog/a-new-oauth-vulnerability-that-may-impact-hundre…
∗∗∗ codeexplain.vim: A nvim plugin Powered by GPT4ALL for Real-time Code Explanation and Vulnerability Detection (no internet necessary) ∗∗∗
---------------------------------------------
codeexplain.nvim is a NeoVim plugin that uses the powerful GPT4ALL language model to provide on-the-fly, line-by-line explanations and potential security vulnerabilities for selected code directly in your NeoVim editor. It's like having your personal code assistant right inside your editor without leaking your codebase to any company.
---------------------------------------------
https://github.com/mthbernardes/codeexplain.nvim
∗∗∗ Google Authenticator: Device encryption promised but not delivered ∗∗∗
---------------------------------------------
Google has given the Authenticator a backup feature that, however, does not encrypt the secrets. An update is supposed to change that. But it does not.
---------------------------------------------
https://heise.de/-9065547
∗∗∗ Buhti: New Ransomware Operation Relies on Repurposed Payloads ∗∗∗
---------------------------------------------
Attackers use rebranded variants of leaked LockBit and Babuk ransomware payloads but use their own custom exfiltration tool.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/buhti-ra…
∗∗∗ Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware ∗∗∗
---------------------------------------------
Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
---------------------------------------------
https://blog.talosintelligence.com/mercenary-intellexa-predator/
∗∗∗ Abusing Web Services Using Automated CAPTCHA-Breaking Services and Residential Proxies ∗∗∗
---------------------------------------------
This blog entry features three case studies that show how malicious actors evade the antispam, antibot, and antiabuse measures of online web services via residential proxies and CAPTCHA-breaking services.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/abusing-web-services-using-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Partly critical vulnerabilities in Mitel MiVoice Connect ∗∗∗
---------------------------------------------
Mitel's MiVoice Connect and Connect Mobility Router contain vulnerabilities, some of them critical. Updates that close them are available.
---------------------------------------------
https://heise.de/-9064992
∗∗∗ Critical security update (24 May 2023) for all Zyxel firewall products – attacks already under way ∗∗∗
---------------------------------------------
The Taiwanese vendor Zyxel has published a highly critical security update for all of its security products. The security advisory states that multiple buffer overflow vulnerabilities (CVE-2023-33009, CVE-2023-33010) are involved.
---------------------------------------------
https://www.borncity.com/blog/2023/05/25/kritisches-sicherheitsupdate-24-ma…
∗∗∗ Critical vulnerability with the highest severity rating threatens GitLab ∗∗∗
---------------------------------------------
There is an important security update for the GitLab version control system. Developers should act now.
---------------------------------------------
https://heise.de/-9065150
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (python2.7), Fedora (maradns), Red Hat (devtoolset-12-binutils, go-toolset and golang, httpd24-httpd, jenkins and jenkins-2-plugins, rh-ruby27-ruby, and sudo), Scientific Linux (git), Slackware (texlive), SUSE (cups-filters, poppler, texlive, distribution, golang-github-vpenso-prometheus_slurm_exporter, kubernetes1.18, kubernetes1.23, openvswitch, rmt-server, and ucode-intel), and Ubuntu (ca-certificates, calamares-settings-ubuntu, Jhead, libhtml-stripscripts-perl, and postgresql-10, postgresql-12, postgresql-14, postgresql-15).
---------------------------------------------
https://lwn.net/Articles/932994/
∗∗∗ Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN90278893/
∗∗∗ D-Link D-View 8 : v2.0.1.27 and below : TrendMicro (ZDI) Reported Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ Autodesk: Multiple Vulnerabilities in PSKernel component used by specific Autodesk products ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0009
∗∗∗ Autodesk: Privilege Escalation Vulnerability in the Autodesk Installer Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0010
∗∗∗ F5: K000134768 : Linux kernel vulnerability CVE-2022-4378 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134768
∗∗∗ F5: K000134770 : Linux kernel vulnerability CVE-2022-42703 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134770
∗∗∗ Moxa MXsecurity Series ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-145-01
∗∗∗ Nextcloud: Blind SSRF in the Mail app on avatar endpoint ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8…
∗∗∗ Nextcloud: Contacts - PHOTO svg only sanitized if mime type is all lower case ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h…
∗∗∗ Nextcloud: Error in calendar when booking an appointment reveals the full path of the website ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2…
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6987493
∗∗∗ IBM HTTP Server is vulnerable to information disclosure due to IBM GSKit (CVE-2023-32342) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998037
∗∗∗ IBM Planning Analytics Workspace has addressed a vulnerability in SnakeYaml (CVE-2022-1471) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998025
∗∗∗ Vulnerability from log4j-1.2.16.jar affect IBM Operations Analytics - Log Analysis (CVE-2023-26464) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998333
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer operands that run Designer flows is vulnerable to arbitrary code execution due to [CVE-2022-37614] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998341
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to denial of service due to [CVE-2023-2251] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998357
∗∗∗ A vulnerability in Etcd-io could affect IBM CICS TX Standard [CVE-2021-28235] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998361
∗∗∗ A vulnerability in Etcd-io could affect IBM CICS TX Advanced [CVE-2021-28235] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998367
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands is vulnerable to arbitrary code execution due to [CVE-2023-30547] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998381
∗∗∗ Due to the use of Apache spring-web, IBM ECM Content Management Interoperability Services (CMIS) is affected by remote code execution (RCE) security vulnerability CVE-2016-1000027 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998405
∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Go ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6998391
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 23-05-2023 18:00 − Wednesday 24-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Barracuda warns of email gateways breached via zero-day flaw ∗∗∗
---------------------------------------------
Barracuda, a company known for its email and network security solutions, warned customers today that some of their Email Security Gateway (ESG) appliances were breached last week by targeting a now-patched zero-day vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/barracuda-warns-of-email-gat…
∗∗∗ Legion Malware Upgraded to Target SSH Servers and AWS Credentials ∗∗∗
---------------------------------------------
An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.
---------------------------------------------
https://thehackernews.com/2023/05/legion-malware-upgraded-to-target-ssh.html
∗∗∗ Malvertising via brand impersonation is back again ∗∗∗
---------------------------------------------
In recent months, numerous incidents have shown that malvertising is on the rise again and affecting the user experience and trust in their favorite search engine. Indeed, Search Engine Results Pages (SERPs) include paid Google ads that in some cases lead to scams or malware.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/05/malvertising-…
∗∗∗ From legitimate to malicious: The transformation of an Android app within a year ∗∗∗
---------------------------------------------
ESET researchers discover AhRat, a new Android RAT based on AhMyth, that exfiltrates files and records audio.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/05/23/von-legitim-zu-bosartig-a…
∗∗∗ Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own ∗∗∗
---------------------------------------------
MikroTik patches a major security defect in its RouterOS product a full five months after it was exploited at Pwn2Own Toronto.
---------------------------------------------
https://www.securityweek.com/mikrotik-belatedly-patches-routeros-flaw-explo…
∗∗∗ Numerous World4You phishing e-mails in circulation! ∗∗∗
---------------------------------------------
Website operators beware: criminals are currently sending an increasing number of e-mails in the name of the Austrian hosting provider World4You. These usually falsely claim that invoices have not been paid or that web addresses have been blocked.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-world4you-phishing-mails-…
∗∗∗ CISA and Partners Update the #StopRansomware Guide, Developed through the Joint Ransomware Task Force (JRTF) ∗∗∗
---------------------------------------------
Today, CISA, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published an updated version of the #StopRansomware Guide, as ransomware actors have accelerated their tactics and techniques since its initial release in 2020.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-and-partners-update…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0010 ∗∗∗
---------------------------------------------
NSX-T contains a reflected cross-site scripting vulnerability due to a lack of input validation. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 4.3.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0010.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libssh and sofia-sip), Fedora (cups-filters, dokuwiki, qt5-qtbase, and vim), Oracle (git, python-pip, and python3-setuptools), Red Hat (git, kernel, kpatch-patch, rh-git227-git, and sudo), SUSE (openvswitch, rmt-server, and texlive), and Ubuntu (binutils, cinder, cloud-init, firefox, golang-1.13, Jhead, liblouis, ncurses, node-json-schema, node-xmldom, nova, python-glance-store, python-os-brick, and runc).
---------------------------------------------
https://lwn.net/Articles/932827/
∗∗∗ Nextcloud: user_oidc app is missing bruteforce protection ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-x…
∗∗∗ Nextcloud: User session not correctly destroyed on logout ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q…
∗∗∗ Nextcloud: Basic auth header on WebDAV requests is not brute-force protected ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-m…
∗∗∗ Apple security updates: iTunes 12.12.9 for Windows ∗∗∗
---------------------------------------------
https://support.apple.com/kb/HT213763
∗∗∗ F5: K000134744 : Intel BIOS vulnerability CVE-2022-38087 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134744
∗∗∗ F5: K000134747 : PHP vulnerability CVE-2023-0568 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134747
∗∗∗ Bosch: Unrestricted SSH port forwarding in BVMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-025794-bt.html
∗∗∗ Bosch: Vulnerability in Wiegand card data interpretation ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-391095-bt.html
∗∗∗ Bosch: .NET Remote Code Execution Vulnerability in BVMS, BIS and AMS ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-110112-bt.html
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to the module xml2js (CVE-2023-0842) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997617
∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to cURL libcurl and Google protobuf-java. (CVE-2022-42915, CVE-2021-22569, CVE-2022-3509, CVE-2022-3171, CVE-2022-3510) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997631
∗∗∗ IBM InfoSphere Information Server is affected by a remote code execution vulnerability (CVE-2023-32336) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995879
∗∗∗ This Power System update is being released to address CVE 2023-30438 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6993021
∗∗∗ TADDM affected by multiple vulnerabilities due to IBM Java and its runtime ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997919
∗∗∗ Vulnerability in IBM® Runtime Environment Java™ Version 8 affect Cloud Pak System. [CVE-2023-30441] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997913
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997097
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997921
∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997923
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997925
∗∗∗ Red Hat OpenShift on IBM Cloud is affected by a Kubernetes API server security vulnerability (CVE-2022-3172) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997115
=====================
= End-of-Day report =
=====================
Timeframe: Monday 22-05-2023 18:00 − Tuesday 23-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Malicious Windows kernel drivers used in BlackCat ransomware attacks ∗∗∗
---------------------------------------------
The ALPHV ransomware group (aka BlackCat) was observed employing signed malicious Windows kernel drivers to evade detection by security software during attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-windows-kernel-dri…
∗∗∗ Vulnerability in Samsung smartphones is being attacked ∗∗∗
---------------------------------------------
A vulnerability in Samsung smartphones, which the company is closing with the May updates, is being abused by attackers. Some details are unclear.
---------------------------------------------
https://heise.de/-9062566
∗∗∗ BrutePrint: Attack cracks protection provided by fingerprint sensors ∗∗∗
---------------------------------------------
IT security researchers have presented an attack called BrutePrint on the access protection of smartphones with fingerprint sensors.
---------------------------------------------
https://heise.de/-9062997
∗∗∗ OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel ∗∗∗
---------------------------------------------
Cedric Halbronn and Alex Plaskett presented at OffensiveCon on the 19th of May 2023 on Exploit Engineering – Attacking the Linux kernel.
---------------------------------------------
https://research.nccgroup.com/2023/05/23/offensivecon-2023-exploit-engineer…
∗∗∗ Willhaben: Recognizing fraud with PayLivery ∗∗∗
---------------------------------------------
Fraudulent buyers fake Willhaben's PayLivery service and lead you to believe that they have already paid. They lure you to a fake payment platform where you have to enter your credit card details to request the payment. You are then asked to confirm the incoming payment in your banking app. In reality, however, you are approving a payment and losing your money.
---------------------------------------------
https://www.watchlist-internet.at/news/willhaben-betrug-mit-paylivery-erken…
∗∗∗ Android app breaking bad: From legitimate screen recording to file exfiltration within a year ∗∗∗
---------------------------------------------
ESET researchers discover AhRat – a new Android RAT based on AhMyth – that exfiltrates files and records audio
---------------------------------------------
https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitima…
∗∗∗ Hackers use Dropbox for fraudulent e-mails ∗∗∗
---------------------------------------------
Because of the connection to Dropbox, the messages appear harmless. Security solutions may also fail to flag the Dropbox URLs. Users, meanwhile, run the risk of handing their login credentials to hackers.
---------------------------------------------
https://www.zdnet.de/88409355/hacker-nutzen-dropbox-fuer-betruegerische-e-m…
∗∗∗ DarkCloud Infostealer Being Distributed via Spam Emails ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the DarkCloud malware being distributed via spam email. DarkCloud is an Infostealer that steals account credentials saved on infected systems, and the threat actor installed ClipBanker alongside DarkCloud.
---------------------------------------------
https://asec.ahnlab.com/en/53128/
∗∗∗ Lazarus Group Targeting Windows IIS Web Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently confirmed the Lazarus group, a group known to receive support on a national scale, carrying out attacks against Windows IIS web servers.
---------------------------------------------
https://asec.ahnlab.com/en/53132/
∗∗∗ Info Stealer Abusing Codespaces Puts Discord Users at Risk ∗∗∗
---------------------------------------------
In this entry, we detail our research findings on how an info stealer is able to achieve persistence on a victim’s machine by modifying the victim’s Discord client.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/info-stealer-abusing-codespa…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress 6.2.2: Bug triggered by security patch ironed out ∗∗∗
---------------------------------------------
The WordPress developers have corrected a security update. The current version is available for download now.
---------------------------------------------
https://heise.de/-9062515
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-nth-check), Mageia (mariadb and python-reportlab), Slackware (c-ares), SUSE (geoipupdate and qt6-svg), and Ubuntu (linux, linux-aws, linux-azure, linux-azure-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-bluefield, linux-gcp, linux-hwe, linux-raspi2, linux-snapdragon, and linux-gcp, linux-hwe-5.19).
---------------------------------------------
https://lwn.net/Articles/932693/
∗∗∗ CISA Releases Four Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released four Industrial Control Systems (ICS) advisories on May 23, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
* ICSA-23-143-01 Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x Products
* ICSA-23-143-02 Hitachi Energy RTU500
* ICSA-23-143-03 Mitsubishi Electric MELSEC Series CPU module
* ICSA-23-143-04 Horner Automation Cscape
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/23/cisa-releases-four-indus…
∗∗∗ This Power System update is being released to address CVE 2023-30440 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997133
∗∗∗ IBM® MobileFirst Platform is vulnerable to CVE-2023-24998 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997293
∗∗∗ Vulnerabilities in Python may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997507
∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to exposing sensitive information due to flaws and configurations (CVE-2023-30441). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997499
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to denial of service due to [CVE-2012-0881], [CVE-2013-4002] and [CVE-2022-23437] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985605
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22476, CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997581
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-22473, CVE-2021-38951) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997587
∗∗∗ Multiple Security Vulnerabilities have been fixed in IBM Security Directory Server, IBM Security Directory Suite and IBM Security Verify Directory. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997593
∗∗∗ Multiple Security Vulnerabilities have been fixed in the IBM Directory Server and IBM Directory Suite products (CVE-2022-21496, CVE-2021-35550, CVE-2021-2163, CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997585
∗∗∗ A vulnerability in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997589
∗∗∗ CVE-2022-41723 and CVE-2022-41721 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997601
=====================
= End-of-Day report =
=====================
Timeframe: Friday 19-05-2023 18:00 − Monday 22-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Current Qakbot/Pikabot wave in Austria ∗∗∗
---------------------------------------------
Along with other countries, Austria is currently once again affected by a phishing/malspam wave by Qakbot/Pikabot. The current campaign runs under the name BB28 and, after a successful infection, leads to the download of Cobalt Strike and subsequently often to ransomware, in this case frequently BlackBasta in particular. A notable feature of this campaign is the appearance of a potential successor or companion of Qakbot named Pikabot.
---------------------------------------------
https://cert.at/de/aktuelles/2023/5/aktuelle-qakbotpikabot-welle-in-osterre…
∗∗∗ CISA warns of Samsung ASLR bypass flaw exploited in attacks ∗∗∗
---------------------------------------------
CISA warned today of a security vulnerability affecting Samsung devices used in attacks to bypass Android address space layout randomization (ASLR) protection.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-samsung-aslr-b…
∗∗∗ Cloned CapCut websites push information stealing malware ∗∗∗
---------------------------------------------
A new malware distribution campaign is underway impersonating the CapCut video editing tool to push various malware strains to unsuspecting victims.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cloned-capcut-websites-push-…
∗∗∗ Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks ∗∗∗
---------------------------------------------
The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor's first ransomware campaign since late 2021. Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.
---------------------------------------------
https://thehackernews.com/2023/05/notorious-cyber-gang-fin7-returns-cl0p.ht…
∗∗∗ IcedID Macro Ends in Nokoyawa Ransomware ∗∗∗
---------------------------------------------
In this case we document an incident taking place during Q4 of 2022 consisting of threat actors targeting Italian organizations with Excel maldocs that deploy IcedID. The threat actors deploying such a campaign may hope to target organizations who have not updated their Microsoft Office deployments after the newly released patches to block macros on documents downloaded from the internet.
---------------------------------------------
https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomwa…
∗∗∗ Microsoft: BEC Scammers Use Residential IPs to Evade Detection ∗∗∗
---------------------------------------------
BEC scammers use residential IP addresses in attacks to make them seem locally generated and evade detection.
---------------------------------------------
https://www.securityweek.com/microsoft-bec-scammers-use-residential-ips-to-…
∗∗∗ Webinar: How do I protect myself from love scams? ∗∗∗
---------------------------------------------
They feign true love and thereby cheat their counterparts out of large sums of money: in love scamming, fraudsters gain the trust of their victims on online dating sites and social networks in order to get at their money. Take part free of charge: Tuesday 30 May 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-wie-schuetze-ich-mich-vor-lo…
∗∗∗ Free trial offer for light therapy is just a sales pitch ∗∗∗
---------------------------------------------
To win customers, Lumina Vital promises you free treatments. On the phone, you are pressed to agree to a visit at your home. Even if you do not agree to a date, you are sent a letter with a fixed appointment. Do not let yourself be pressured if you do not want to buy anything!
---------------------------------------------
https://www.watchlist-internet.at/news/gratis-testangebot-einer-lichttherap…
∗∗∗ Threat hunting with PowerShell – security even on a small budget ∗∗∗
---------------------------------------------
IT security should not be a question of money; that is often just a pretext. MVP Tom Wechsler has given the topic some thought and shows how even PowerShell and a few lines of code can be used to look for problems in the …
---------------------------------------------
https://www.borncity.com/blog/2023/05/22/threat-hunting-mit-powershell-sich…
∗∗∗ Distribution of Remcos RAT Exploiting sqlps.exe Utility of MS-SQL Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered the case of Remcos RAT being installed on poorly managed MS-SQL servers. Unlike the past attack, the recent case showed the threat actor using sqlps to distribute the malware.
---------------------------------------------
https://asec.ahnlab.com/en/52920/
∗∗∗ Cloud-Based Malware Delivery: The Evolution of GuLoader ∗∗∗
---------------------------------------------
Antivirus products are constantly evolving to become more sophisticated and better equipped to handle complex threats. As a result, malware developers strive to create new threats that can bypass the defenses of antivirus products. “Packing” and “crypting” services are specifically designed to resist analysis. GuLoader is one of the most prominent services cybercriminals use to evade antivirus detection.
---------------------------------------------
https://research.checkpoint.com/2023/cloud-based-malware-delivery-the-evolu…
=====================
= Vulnerabilities =
=====================
∗∗∗ CUPS: Vulnerability in printing system allows malicious code execution ∗∗∗
---------------------------------------------
In the CUPS printing system, attackers on the network can abuse a vulnerability to inject and execute arbitrary code.
---------------------------------------------
https://heise.de/-9061315
∗∗∗ Attackers could attack development environments running Jenkins ∗∗∗
---------------------------------------------
Software developers, take note: there are important security updates for several Jenkins plug-ins. Attackers could gain access to login data.
---------------------------------------------
https://heise.de/-9061545
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cups-filters, imagemagick, libwebp, sqlite, and texlive-bin), Fedora (chromium and vim), Gentoo (librecad, mediawiki, modsecurity-crs, snakeyaml, and tinyproxy), Mageia (apache-mod_security, cmark, dmidecode, freetype2, glib2.0, libssh, patchelf, python-sqlparse, sniproxy, suricata, and webkit2), Oracle (apr-util and firefox), Red Hat (git), SUSE (containerd, openvswitch, python-Flask, runc, terraform-provider-aws, and terraform-provider-null), and Ubuntu (tar).
---------------------------------------------
https://lwn.net/Articles/932625/
∗∗∗ Tornado vulnerable to open redirect ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN45127776/
∗∗∗ WordPress 6.2.2 Security Release ∗∗∗
---------------------------------------------
https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/
∗∗∗ F5: K000134681 : Spring Framework vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134681
∗∗∗ F5: K000134706 : Python IDNA vulnerability CVE-2022-45061 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134706
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/22/cisa-adds-three-known-ex…
∗∗∗ Vulnerability in IBM Java SDK affects IBM Tivoli Business Service Manager (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995893
∗∗∗ Security vulnerability in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995895
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6995887
∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6960215
∗∗∗ IBM Operational Decision Manager April 2023 - Multiple CVEs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997063
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.9ESR) have affected APM Synthetic Playback Agent ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997069
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Base (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997075
∗∗∗ A vulnerability in IBM Java SDK affects IBM Tivoli Monitoring for Virtual Environments Agent for Linux Kernel-based Virtual Machines (CVE-2023-30441) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997083
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997097
∗∗∗ There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997107
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are affected by a vulnerability in the IBM SDK, Java Technology Edition [CVE-2023-30441] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6997131
∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650695
∗∗∗ IBM b-type SAN Network/Storage switches is affected by a denial of service vulnerability, caused by a CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/650699
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 17-05-2023 18:00 − Friday 19-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Attacks could be imminent: Critical root vulnerabilities threaten Cisco switches ∗∗∗
---------------------------------------------
Cisco has closed, among other things, several critical vulnerabilities in various Small Business switches. But not all models are getting updates.
---------------------------------------------
https://heise.de/-9059775
∗∗∗ KeePass password manager: Security researcher reads out master password ∗∗∗
---------------------------------------------
A security researcher has succeeded in reading out KeePass master passwords. However, such attacks are laborious.
---------------------------------------------
https://heise.de/-9059945
∗∗∗ Zero-days and more: A look at Apple's latest security patches ∗∗∗
---------------------------------------------
As usual, iOS 16.5, macOS 13.4 and the other updates also patch security bugs. Bugs that have already been exploited are among them.
---------------------------------------------
https://heise.de/-9059799
∗∗∗ Malware infected almost 10 million Android phones ∗∗∗
---------------------------------------------
Numerous smartphones were shipped with preinstalled malicious software.
---------------------------------------------
https://futurezone.at/produkte/android-schadsoftware-infiziert-10-millionen…
∗∗∗ MalasLocker ransomware targets Zimbra servers, demands charity donation ∗∗∗
---------------------------------------------
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malaslocker-ransomware-targe…
∗∗∗ Hackers target vulnerable Wordpress Elementor plugin after PoC released ∗∗∗
---------------------------------------------
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-wo…
∗∗∗ Playing for the Wrong Team: Dangerous Functionalities in Microsoft Teams Enable Phishing and Malware Delivery by Attackers ∗∗∗
---------------------------------------------
Microsoft is a major productivity partner for many organizations and enterprises. These organizations widely trust Microsoft Office’s suite of products as a reliable foundation for their daily cloud ecosystem needs. However, as Proofpoint has shown in the past, this migration to the cloud also introduces new kinds of threats.
---------------------------------------------
https://www.proofpoint.com/us/blog/threat-insight/dangerous-functionalities…
∗∗∗ RATs found hiding in the npm attic ∗∗∗
---------------------------------------------
ReversingLabs researchers discovered two malicious packages that contained TurkoRat, an open source infostealer that lurked on npm for two months before being detected.
---------------------------------------------
https://www.reversinglabs.com/blog/rats-found-hiding-in-the-npm-attic
∗∗∗ The Paillier Cryptosystem with Applications to Threshold ECDSA ∗∗∗
---------------------------------------------
You may have heard of RSA (b. 1977), but have you heard of its cousin, Paillier (b. 1999)? In this post, we provide a close look at the Paillier homomorphic encryption scheme [Paillier1999], what it offers, how it’s used in complex protocols, and how to implement it securely.
---------------------------------------------
https://research.nccgroup.com/2023/05/19/the-paillier-cryptosystem-with-app…
∗∗∗ All your building are belong to us ∗∗∗
---------------------------------------------
TL;DR: Building Management Systems (BMS) bring new risks to businesses that haven’t had previous experience of securing Operational Technology (OT). While there might not be direct financial gain from hacking BMS, these systems can be a soft target for attackers to pivot into your business operations. IoT offerings in this space can help manage risk within your networks, but can also provide unintended access to sensitive information.
---------------------------------------------
https://www.pentestpartners.com/security-blog/all-your-building-are-belong-…
∗∗∗ CVE-2023-20869/20870: Exploiting VMware Workstation at Pwn2Own Vancouver ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) of STAR Labs SG Pte. Ltd. during the Pwn2Own Vancouver event in 2023. During the contest, he used an uninitialized variable bug and a stack-based buffer overflow in VMware to escalate from a guest OS to execute code on the underlying hypervisor.
---------------------------------------------
https://www.thezdi.com/blog/2023/5/17/cve-2023-2086920870-exploiting-vmware…
∗∗∗ VSCode Security: Malicious Extensions Detected- More Than 45,000 Downloads- PII Exposed, and Backdoors Enabled ∗∗∗
---------------------------------------------
Highlights: CloudGuard Spectral detected malicious extensions on the VSCode marketplace. Users installing these extensions were enabling attackers to steal PII records and to set remote shell to their machines. Once detected, we’ve alerted VSCode on these extensions. Soon after notification, they were removed by the VSCode marketplace team. VSCode (short for Visual Studio Code) is a popular and free source code editor developed by Microsoft.
---------------------------------------------
https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-…
∗∗∗ Visualizing QakBot Infrastructure ∗∗∗
---------------------------------------------
This blog post seeks to draw out some high-level trends and anomalies based on our ongoing tracking of QakBot command and control (C2) infrastructure. By looking at the data with a broader scope, we hope to supplement other research into this particular threat family, which in general focuses on specific infrastructure elements; e.g., daily alerting on active C2 servers.
---------------------------------------------
https://www.team-cymru.com/post/visualizing-qakbot-infrastructure
=====================
= Vulnerabilities =
=====================
∗∗∗ File Chooser Field - Moderately critical - Server Side Request Forgery, Information Disclosure - SA-CONTRIB-2023-015 ∗∗∗
---------------------------------------------
The File Chooser Field allows users to upload files using 3rd party plugins such as Google Drive and Dropbox. This module fails to validate user input sufficiently which could under certain circumstances lead to a Server Side Request Forgery (SSRF) vulnerability [...]
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-015
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex Central ∗∗∗
---------------------------------------------
Trend Micro has released a new build for Trend Micro Apex Central that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293107?language=en_US
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Apex One ∗∗∗
---------------------------------------------
Trend Micro has released a new Critical Patch (CP) for Trend Micro Apex One and Trend Micro Apex One as a Service that resolves several known vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293108?language=en_US
∗∗∗ Cisco Security Advisories 2023-05-17 ∗∗∗
---------------------------------------------
Cisco has published 9 security advisories: (1x Critical, 8x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ CISA Releases Five Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-138-04 Johnson Controls OpenBlue Enterprise Manager Data Collector
* ICSA-23-138-03 Hitachi Energy’s MicroSCADA Pro/X SYS600 Products
* ICSA-23-138-02 Mitsubishi Electric MELSEC WS Series
* ICSA-23-138-01 Carlo Gavazzi Powersoft
* ICSA-20-051-02 Rockwell Automation FactoryTalk Diagnostics (Update B)
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/18/cisa-releases-five-indus…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and libapache2-mod-auth-openidc), Fedora (clevis-pin-tpm2, greetd, keyring-ima-signer, libkrun, mirrorlist-server, nispor, nmstate, qt5-qtbase, rust-afterburn, rust-below, rust-bodhi-cli, rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Oracle (apr-util, curl, emacs, firefox, kernel, libreswan, mysql, nodejs and nodejs-nodemon, openssh, thunderbird, and webkit2gtk3), Red Hat (apr-util, emacs, firefox, git, jenkins and jenkins-2-plugins, kernel, kpatch-patch, and thunderbird), Scientific Linux (apr-util, firefox, and thunderbird), Slackware (curl), SUSE (cups-filters, curl, java-1_8_0-openjdk, kernel, mysql-connector-java, and ovmf), and Ubuntu (cups-filters, git, linux-gcp-4.15, linux-oracle, linux-raspi, node-minimatch, ruby2.3, ruby2.5, ruby2.7, and runc).
---------------------------------------------
https://lwn.net/Articles/932371/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cups-filters, kitty, mingw-LibRaw, nispor, rust-ybaas, and rust-yubibomb), Mageia (kernel-linus), Red Hat (jenkins and jenkins-2-plugins), SUSE (openvswitch and ucode-intel), and Ubuntu (linux-azure, linux-azure-4.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-oracle-5.15, linux-ibm, linux-oracle, and linux-oem-6.0).
---------------------------------------------
https://lwn.net/Articles/932464/
∗∗∗ Path Traversal in SymBox, SymOS (SYSS-2023-014) ∗∗∗
---------------------------------------------
The web interface of SymBox, SymOS allows a path traversal, through which access to system files outside the web root can be obtained.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-symbox-symos-syss-2023-0…
∗∗∗ Spring Boot available now, fixing CVE-2023-20883 ∗∗∗
---------------------------------------------
https://spring.io/security/cve-2023-20883
∗∗∗ Mattermost security updates 7.10.1 / 7.9.4 / 7.8.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-10-1-7-9-4-7-8-5-…
∗∗∗ CPE2023-002 Vulnerabilities of IJ Network Tool regarding Wi-Fi connection setup – 18 May 2023 ∗∗∗
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 16-05-2023 18:00 − Wednesday 17-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Hackers use Azure Serial Console for stealthy access to VMs ∗∗∗
---------------------------------------------
A financially motivated cybergang tracked by Mandiant as UNC3944 is using phishing and SIM swapping attacks to hijack Microsoft Azure admin accounts and gain access to virtual machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-use-azure-serial-con…
∗∗∗ Phishing: Dispute over Google TLDs .zip and .mov ∗∗∗
---------------------------------------------
IT and security experts are arguing about the usefulness and risks of new gTLDs. The problems are not new, however.
---------------------------------------------
https://www.golem.de/news/phishing-streit-um-google-tlds-zip-und-mov-2305-1…
∗∗∗ Minas – on the way to complexity ∗∗∗
---------------------------------------------
Kaspersky analysis of a complicated multi-stage attack dubbed Minas that features a number of detection evasion and persistence techniques and results in a cryptocurrency miner infection.
---------------------------------------------
https://securelist.com/minas-miner-on-the-way-to-complexity/109692/
∗∗∗ Wemo Won't Fix Smart Plug Vulnerability Allowing Remote Operation ∗∗∗
---------------------------------------------
IoT security research firm Sternum has discovered (and disclosed) a buffer overflow vulnerability in the Wemo Mini Smart Plug V2. The firm's blog post is full of interesting details about how this device works (and doesn't), but a key takeaway is that you can predictably trigger a buffer overflow by passing the device a name longer than its 30-character limit -- a limit enforced solely by Wemo's own apps -- with third-party tools.
---------------------------------------------
https://it.slashdot.org/story/23/05/17/141200/wemo-wont-fix-smart-plug-vuln…
∗∗∗ Respawning Malware Persists on PyPI ∗∗∗
---------------------------------------------
A bad actor on GitHub laces his repositories with malware written in Python and hosted on PyPI. Minutes after his malware is taken down from PyPI, the same malware respawns on PyPI under a slightly different name. He then immediately updates all of his repositories to point to this new package. Most of his GitHub projects are bots or some variety of a stealer.
---------------------------------------------
https://blog.phylum.io/respawning-malware-persists-on-pypi/
∗∗∗ New scam website in circulation: finanavas.com ∗∗∗
---------------------------------------------
Investment fraudsters are trying to swindle people out of their money with a new website. They use Telegram to wrap "investors" around their finger.
---------------------------------------------
https://heise.de/-9058909
∗∗∗ Subscription trap instead of information on phone numbers at reversera.com/de ∗∗∗
---------------------------------------------
At a time of constant fraudulent calls and "cold calls", a service that provides information on phone numbers and their owners is extremely useful. Reversera.com/de, run by АLРНАСLІС LТD, supposedly offers exactly that. In fact, in our test we were shown a fake result for made-up numbers. To view it, we would have had to pay 50 cents by credit card, but the payment leads into a subscription trap!
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-statt-informationen-zu-tel…
∗∗∗ How to encrypt your email (and why you should) ∗∗∗
---------------------------------------------
If you send emails with sensitive or private info inside, you should consider email encryption. Here's what to know.
---------------------------------------------
https://www.zdnet.com/article/how-to-encrypt-your-email-and-why-you-should/
∗∗∗ WordPress 6.2.1 released ∗∗∗
---------------------------------------------
The developers released WordPress version 6.2.1 on 16 May 2023. It is a maintenance and security update that fixes 30 bugs. Details can be found in the release notes.
---------------------------------------------
https://www.borncity.com/blog/2023/05/16/wordpress-6-2-1-freigegeben/
∗∗∗ SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack ∗∗∗
---------------------------------------------
In 2022, Mandiant identified attacker activity centered in Microsoft Azure that Mandiant attributed to UNC3944. Mandiant’s investigation revealed that the attacker employed malicious use of the Serial Console on Azure Virtual Machines (VM) to install third-party remote management software within client environments. This method of attack was unique in that it avoided many of the traditional detection methods employed within Azure and provided the attacker with full administrative access to the VM. Unfortunately, cloud resources are often poorly misunderstood, leading to misconfigurations that can leave these assets vulnerable to attackers. While methods of initial access, lateral movement, and persistence vary from one attacker to another, one thing is clear: Attackers have their eyes on the cloud.
---------------------------------------------
https://www.mandiant.com/resources/blog/sim-swapping-abuse-azure-serial
∗∗∗ CISA and Partners Release BianLian Ransomware Cybersecurity Advisory ∗∗∗
---------------------------------------------
CISA, the Federal Bureau of Investigation (FBI), and the Australian Cyber Security Centre (ACSC) have released a joint Cybersecurity Advisory (CSA) with known BianLian ransomware and data extortion group technical details. Microsoft and Sophos contributed to the advisory. To reduce the likelihood and impact of BianLian and other ransomware incidents, CISA encourages organizations to implement mitigations recommended in this advisory.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Web browser: Critical vulnerability in Google Chrome ∗∗∗
---------------------------------------------
Google has released an update for the Chrome web browser. It closes at least one critical vulnerability. Attackers could inject malicious code.
---------------------------------------------
https://heise.de/-9057932
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (netatalk), Mageia (connman, firefox/nss/rootcerts, freeimage, golang, indent, kernel, python-django, python-pillow, and thunderbird), Red Hat (apr-util, firefox, java-1.8.0-ibm, libreswan, and thunderbird), SUSE (conmon, curl, java-11-openjdk, and libheif), and Ubuntu (libwebp, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure-fde-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux, linux-aws, linux-aws-hwe, linux-kvm, linux, linux-aws, linux-azure, linux-azure-5.19, linux-kvm, linux-lowlatency, linux-raspi, node-eventsource, and openjdk-8, openjdk-lts, openjdk-17, openjdk-20).
---------------------------------------------
https://lwn.net/Articles/932130/
∗∗∗ Vulnerability Summary for the Week of May 8, 2023 ∗∗∗
---------------------------------------------
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
---------------------------------------------
https://www.cisa.gov/news-events/bulletins/sb23-135
∗∗∗ Path Traversal in IP-Symcon (SYSS-2023-014) ∗∗∗
---------------------------------------------
The web interface of IP-Symcon allows a path traversal, through which access to system files outside the web root can be obtained.
---------------------------------------------
https://www.syss.de/pentest-blog/path-traversal-in-ip-symcon-syss-2023-014
∗∗∗ Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-thvihr-70…
∗∗∗ Stored XSS vulnerability in the rename functionality of Wekan (open-source Kanban) ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/stored-xss-schwachste…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 15-05-2023 18:00 − Tuesday 16-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ VirusTotal AI code analysis expands Windows, Linux script support ∗∗∗
---------------------------------------------
Google has added support for more scripting languages to VirusTotal Code Insight, a recently introduced artificial intelligence-based code analysis feature.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-ai-code-analysis-…
∗∗∗ Open-source Cobalt Strike port Geacon used in macOS attacks ∗∗∗
---------------------------------------------
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/open-source-cobalt-strike-po…
∗∗∗ Signals Defense With Faraday Bags & Flipper Zero, (Tue, May 16th) ∗∗∗
---------------------------------------------
There are situations where it is desired to block signals between devices. Common scenarios are when traveling, in a location of uncertain safety, or otherwise concerned with data privacy and geolocation. I was curious how well faraday bags and similar products protected wireless communications.
---------------------------------------------
https://isc.sans.edu/diary/rss/29840
∗∗∗ Triple Threat: Breaking Teltonika Routers Three Ways ∗∗∗
---------------------------------------------
Comprehensive research was conducted on Teltonika Networks’ IIoT products, with a focus on industrial cellular devices widely used in various industries, specifically, the Teltonika Remote Management System, and RUT model routers.
---------------------------------------------
https://claroty.com/team82/research/triple-threat-breaking-teltonika-router…
∗∗∗ You’ve been kept in the dark (web): exposing Qilin’s RaaS program ∗∗∗
---------------------------------------------
All you need to know about Qilin ransomware and its operations targeting critical sectors.
---------------------------------------------
https://www.group-ib.com/blog/qilin-ransomware/
∗∗∗ Side-channel attack on Cortex-M: Access to sensitive information ∗∗∗
---------------------------------------------
At Black Hat Asia, IT researchers presented side-channel attacks on ARM Cortex-M microprocessors. They allow access to sensitive information.
---------------------------------------------
https://heise.de/-9057108
∗∗∗ It’s always DNS, here’s why… ∗∗∗
---------------------------------------------
There’s an old adage in network and Internet support: When something breaks in any network “it was DNS”. Sadly it’s usually true.
---------------------------------------------
https://www.pentestpartners.com/security-blog/its-always-dns-heres-why/
∗∗∗ Beware of calls from "austriamegachance.com" ∗∗∗
---------------------------------------------
Your phone rings. Austria Mega Chance is on the line, a lottery tip service. You are promised high chances of winning the lottery and offered a service for syndicate tips. The pushy caller coaxes your account details out of you. Some time later, without written information or your having signed a contract, just under 70 euros is debited from your account every month. We show you what you can do!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-anrufen-von-austriamega…
∗∗∗ Microsoft SharePoint scans password-protected ZIP archives ∗∗∗
---------------------------------------------
It appears that Microsoft also scans ZIP archives in its cloud storage for malicious content (and possibly other content), including archives that the user has protected with a password against inspection.
---------------------------------------------
https://www.borncity.com/blog/2023/05/16/microsoft-sharepoint-scannt-passwo…
∗∗∗ The Dragon Who Sold His Camaro: Analyzing Custom Router Implant ∗∗∗
---------------------------------------------
Through our investigation, we have gained a deeper comprehension of the ways in which attackers are employing malware to target edge devices, particularly routers. Our efforts have led us to uncover several of the tactics and tools utilized by Camaro Dragon in their attacks.
---------------------------------------------
https://research.checkpoint.com/2023/the-dragon-who-sold-his-camaro-analyzi…
∗∗∗ 8220 Gang Evolves With New Strategies ∗∗∗
---------------------------------------------
We observed the threat actor group known as “8220 Gang” employing new strategies for their respective campaigns, including exploits for the Linux utility “lwp-download” and CVE-2017-3506, an Oracle WebLogic vulnerability.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-stra…
∗∗∗ How to Write a PoC for an Uninitialized Smart Contract Vulnerability in BadgerDAO Using Foundry ∗∗∗
---------------------------------------------
In this post, we’re going to learn how Foundry can be used to write a proof of concept (PoC) for uninitialized smart contract vulnerabilities.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/how-to-write-a-poc-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Cloud Pak for Network Automation, IBM Control Desk, IBM Maximo, IBM Edge Application Manager, IBM Cloud Automation Manager, Tivoli Monitoring, IBM Business Monitor, IBM Business Automation Workflow Enterprise Service Bus, WebSphere Application Server, Tivoli Application Dependency Discovery Manager, IBM Operations Analytics - Predictive Insights, IBM Security Verify Information Queue.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Releases Three Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-136-02 Rockwell ArmorStart
* ICSA-23-136-03 Rockwell Automation FactoryTalk Vantagepoint
* ICSA-23-136-01 Snap One OvrC Cloud
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/16/cisa-releases-three-indu…
∗∗∗ JavaScript sandbox vm2: PoC shows new sandbox escape ∗∗∗
---------------------------------------------
Attackers can abuse a critical vulnerability in the JavaScript sandbox vm2 to break out of it. Updated software that closes the vulnerabilities is available.
---------------------------------------------
https://heise.de/-9056842
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (epiphany-browser, python-ipaddress, and sqlparse), Fedora (python-django3 and qemu), Red Hat (apr-util, autotrace, bind, bind9.16, container-tools:4.0, container-tools:rhel8, ctags, curl, device-mapper-multipath, dhcp, edk2, emacs, freeradius:3.0, freerdp, frr, gcc-toolset-12-binutils, git, git-lfs, go-toolset:rhel8, grafana, grafana-pcp, gssntlmssp, Image Builder, kernel, kernel-rt, libarchive, libreswan, libtar, libtiff, mingw-expat, mysql:8.0, net-snmp, pcs, php:7.4, poppler, postgresql-jdbc, python-mako, python27:2.7, python38:3.8 and python38-devel:3.8, python39:3.9 and python39-devel:3.9, samba, sysstat, tigervnc, unbound, virt:rhel and virt-devel:rhel, wayland, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (dmidecode, postgresql13, prometheus-sap_host_exporter, python-cryptography, rekor, and thunderbird), and Ubuntu (firefox, matrix-synapse, and mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/932033/
∗∗∗ D-Link DIR-2150 Firmware Release Notes v1.06 ∗∗∗
---------------------------------------------
https://support.dlink.com.au/Download/download.aspx?product=DIR-2150
∗∗∗ XSA-431 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-431.html
∗∗∗ Numerous vulnerabilities in Serenity and StartSharp Software ∗∗∗
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/zahlreiche-schwachste…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 12-05-2023 18:00 − Monday 15-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ The .zip gTLD: Risks and Opportunities, (Fri, May 12th) ∗∗∗
---------------------------------------------
About ten years ago, ICANN started the "gTLD" program. "Generic TLDs" allows various brands to register their own trademark as a TLD. Instead of "google.com", you now can have ".google"! Applying for a gTLD isn't cheap, and success isn't guaranteed. But since its inception, dozens of new gTLDs have been approved and started to be used [1]. The reputation of these new gTLDs has been somewhat mixed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29838
∗∗∗ XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks ∗∗∗
---------------------------------------------
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany.
---------------------------------------------
https://thehackernews.com/2023/05/xworm-malware-exploits-follina.html
∗∗∗ CLR SqlShell Malware Targets MS SQL Servers for Crypto Mining and Ransomware ∗∗∗
---------------------------------------------
Poorly managed Microsoft SQL (MS SQL) servers are the target of a new campaign that's designed to propagate a category of malware called CLR SqlShell that ultimately facilitates the deployment of cryptocurrency miners and ransomware.
---------------------------------------------
https://thehackernews.com/2023/05/clr-sqlshell-malware-targets-ms-sql.html
∗∗∗ New MichaelKors Ransomware-as-a-Service Targeting Linux and VMware ESXi Systems ∗∗∗
---------------------------------------------
A new ransomware-as-a-service (RaaS) operation called MichaelKors has become the latest file-encrypting malware to target Linux and VMware ESXi systems as of April 2023. The development points to cybercriminal actors increasingly setting their eyes on the ESXi, cybersecurity firm CrowdStrike said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2023/05/new-michaelkors-ransomware-as-service.html
∗∗∗ WordPress Field Builder Plugin Vulnerability Exploited in Attacks Two Days After Patch ∗∗∗
---------------------------------------------
PoC exploit targeting an XSS vulnerability in the Advanced Custom Fields WordPress plugin started being used in malicious attacks two days after patch.
---------------------------------------------
https://www.securityweek.com/wordpress-field-builder-plugin-vulnerability-e…
∗∗∗ Webinar: Using smartphones, tablets & co. safely ∗∗∗
---------------------------------------------
How can I protect my personal data on smartphones, tablets and similar devices? In this webinar we show you the most important security settings, from permissions and data protection to usage times. Participation is free: Tuesday, 23 May 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-smartphone-tablet-co-sicher-…
∗∗∗ Protect your smartphone with these 3 settings ∗∗∗
---------------------------------------------
You think a screen lock protects your smartphone well against unauthorized access? Wrong! Criminals find ways to break into stolen or lost smartphones. In the worst case, they access your banking app and empty your account. We show you 3 important settings to protect your smartphone in case of loss or theft.
---------------------------------------------
https://www.watchlist-internet.at/news/mit-diesen-3-einstellungen-schuetzen…
∗∗∗ Ransomware tracker: The latest figures [May 2023] ∗∗∗
---------------------------------------------
Note: this Ransomware Tracker is updated on the second Sunday of each month to stay current. Although ransomware attacks overall were down in April compared to the prior month, attacks against healthcare organizations shot up to one of their highest levels in years as hospitals and doctors' offices increasingly find themselves targeted by hackers.
---------------------------------------------
https://therecord.media/ransomware-tracker-the-latest-figures
=====================
= Vulnerabilities =
=====================
∗∗∗ Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks ∗∗∗
---------------------------------------------
Several security vulnerabilities have been disclosed in cloud management platforms associated with three industrial cellular router vendors that could expose operational technology (OT) networks to external attacks. The findings were presented by Israeli industrial cybersecurity firm OTORIO at the Black Hat Asia 2023 conference last week. The 11 vulnerabilities allow "remote code execution and full control over hundreds of thousands of devices and OT networks - in some cases, even those not actively configured to use the cloud."
---------------------------------------------
https://thehackernews.com/2023/05/industrial-cellular-routers-at-risk-11.ht…
∗∗∗ Screen SFT DAB 600/C: Multiple Vulnerabilities ∗∗∗
---------------------------------------------
* Authentication Bypass Account Creation Exploit
* Authentication Bypass Password Change Exploit
* Authentication Bypass Erase Account Exploit
* Authentication Bypass Admin Password Change Exploit
* Authentication Bypass Reset Board Config Exploit
* Unauthenticated Information Disclosure (userManager.cgx)
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/
∗∗∗ SECURITY BULLETIN: May 2023 Security Bulletin for Trend Micro Mobile Security (Enterprise) ∗∗∗
---------------------------------------------
CVE Identifier(s): CVE-2023-32521 through CVE-2023-32528. Trend Micro has released a new build for Trend Micro Mobile Security (Enterprise) that resolves several vulnerabilities.
---------------------------------------------
https://success.trendmicro.com/dcx/s/solution/000293106?language=en_US
∗∗∗ Multiple Vulnerabilities in Kiddoware Kids Place Parental Control Android App ∗∗∗
---------------------------------------------
Multiple vulnerabilities have been identified in the Kiddoware Kids Place Parental Control Android App. Users of the parent's web dashboard can be attacked via cross site scripting or cross site request forgery vulnerabilities, or attackers may upload arbitrary files to the children's devices. Furthermore, children are able to bypass any restrictions without the parents noticing.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-websocket, kernel, postgresql-11, and thunderbird), Fedora (firefox, kernel, libreswan, libssh, tcpreplay, and thunderbird), SUSE (dcmtk, gradle, libraw, postgresql12, postgresql13, postgresql14, and postgresql15), and Ubuntu (firefox, nova, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/931892/
∗∗∗ VM2 Security Advisory: Inspect Manipulation ∗∗∗
---------------------------------------------
A threat actor can edit options for console.log.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-p5gc-c584-jj6v
∗∗∗ VM2 Security Advisory: Sandbox Escape ∗∗∗
---------------------------------------------
A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.
---------------------------------------------
https://github.com//patriksimek/vm2/security/advisories/GHSA-whpj-8f3w-67p5
∗∗∗ WAGO: Unauthenticated command execution via Web-based-management ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-007/
∗∗∗ Helmholz: Multiple vulnerabilities in myREX24 and myREX24.virtual ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-008/
∗∗∗ MB Connect Line: Multiple vulnerabilities in mbConnect24 and mymbConnect24 ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-002/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 11-05-2023 18:00 − Friday 12-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows: Windows security patch can render boot media unusable ∗∗∗
---------------------------------------------
Secure Boot in Windows can currently be bypassed through a vulnerability. It will probably take until 2024 before it is fixed, for reasons.
---------------------------------------------
https://www.golem.de/news/windows-windows-sicherheitspatch-kann-bootmedien-…
∗∗∗ New Stealthy Variant of Linux Backdoor BPFDoor Emerges from the Shadows ∗∗∗
---------------------------------------------
A previously undocumented and mostly undetected variant of a Linux backdoor called BPFDoor has been spotted in the wild, cybersecurity firm Deep Instinct said in a technical report published this week. "BPFDoor retains its reputation as an extremely stealthy and difficult-to-detect malware with this latest iteration," security researchers Shaul Vilkomir-Preisman and Eliran Nissan said.
---------------------------------------------
https://thehackernews.com/2023/05/new-variant-of-linux-backdoor-bpfdoor.html
∗∗∗ Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG ∗∗∗
---------------------------------------------
This joint advisory provides detection methods for exploitation of CVE-2023-27350 as well as indicators of compromise (IOCs) associated with Bl00dy Ransomware Gang activity. FBI and CISA strongly encourage users and administrators to immediately apply patches, and workarounds if unable to patch. FBI and CISA especially encourage organizations who did not patch immediately to assume compromise and hunt for malicious activity using the detection signatures in this CSA.
---------------------------------------------
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a
∗∗∗ Multiple vulnerabilities in VMware's cloud management software Aria Operations ∗∗∗
---------------------------------------------
Patches close several vulnerabilities that allow privilege escalation within VMware's cloud management software Aria Operations.
---------------------------------------------
https://heise.de/-9012909
∗∗∗ Encryption trojan: There is hope for BlackCat victims ∗∗∗
---------------------------------------------
If the conditions are right, victims of the BlackCat encryption trojan can regain access to their data.
---------------------------------------------
https://heise.de/-9010373
∗∗∗ Shop system: Critical vulnerability in Prestashop is under attack ∗∗∗
---------------------------------------------
There is a critical vulnerability in the Prestashop shopping system. Attackers are already abusing it. A current software version provides protection.
---------------------------------------------
https://heise.de/-9010286
∗∗∗ Cisco: SD-WAN certificates expired, update now! ∗∗∗
---------------------------------------------
Cisco Systems is informing its customers that some SD-WAN appliances of the vEdge series need urgent updates.
---------------------------------------------
https://heise.de/-9014471
∗∗∗ Enforce Zero Trust in Microsoft 365 – Part 2: Protect against external users and applications ∗∗∗
---------------------------------------------
In the first blog post of this series, we have seen how strong authentication, i.e., Multi-Factor Authentication (MFA), could be enforced for users using a free Azure Active Directory subscription within the Microsoft 365 environment. In this blog post, we will continue to harden the configuration of our Azure AD tenant to enforce Zero Trust [...]
---------------------------------------------
https://blog.nviso.eu/2023/05/12/enforce-zero-trust-in-microsoft-365-part-2…
=====================
= Vulnerabilities =
=====================
∗∗∗ Severe Security Flaw Exposes Over a Million WordPress Sites to Hijack ∗∗∗
---------------------------------------------
The issue, tracked as CVE-2023-32243, has been addressed by the plugin maintainers in version 5.7.2 that was shipped on May 11, 2023. Essential Addons for Elementor has over one million active installations.
---------------------------------------------
https://thehackernews.com/2023/05/severe-security-flaw-exposes-over.html
∗∗∗ VMSA-2023-0009: VMware Aria Operations (formerly vRealize Operations) ∗∗∗
---------------------------------------------
CVSSv3 Range: 6.4-8.8
CVE(s): CVE-2023-20877, CVE-2023-20878, CVE-2023-20879, CVE-2023-20880
VMware Aria Operations update addresses multiple Local Privilege Escalations and a Deserialization issue.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0009.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (postgresql-13 and webkit2gtk), Fedora (git), SUSE (helm and skopeo), and Ubuntu (cinder, nova, python-glance-store, and python-os-brick).
---------------------------------------------
https://lwn.net/Articles/931760/
∗∗∗ Case update: DIVD-2022-00068 - Multiple vulnerabilities identified within White Rabbit Switch from CERN ∗∗∗
---------------------------------------------
Last event: 11 Apr 2023 - CERN released White Rabbit Switch 6.0.2, which contains a fix for CVE-2023-22577 and CVE-2023-22581.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00068/
∗∗∗ Beekeeper Studio vulnerable to code injection ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN11705010/
∗∗∗ [R1] Nessus Version 10.5.2 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-20
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989667
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989665
∗∗∗ Deserialization vulnerability affect IBM Business Automation Workflow BPM Event Emitters - CVE-2022-1471 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988027
∗∗∗ Multiple Vulnerabilities in Multicloud Management Security Services ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991215
∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to cross-site scripting (CVE-2022-0225) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991217
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6991213
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 10-05-2023 18:00 − Thursday 11-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Interview: Hacker Witold Waligóra on side-channel attacks ∗∗∗
---------------------------------------------
We asked hacker Witold Waligóra what can be achieved with side-channel attacks and how to protect against them.
---------------------------------------------
https://heise.de/-8983428
∗∗∗ Smishing: Beware of fraudulent passport SMS! ∗∗∗
---------------------------------------------
Have you received an SMS claiming that your passport is ready? Do not click on the link "oesterreich.at-anmelden.net"; it is a fraud attempt!
---------------------------------------------
https://www.watchlist-internet.at/news/smishing-vorsicht-vor-betruegerische…
∗∗∗ Fake in-browser Windows updates push Aurora info-stealer malware ∗∗∗
---------------------------------------------
A recently spotted malvertising campaign tricked users with an in-browser Windows update simulation to deliver the Aurora information stealing malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-in-browser-windows-upda…
∗∗∗ RapperBot DDoS malware adds cryptojacking as new revenue stream ∗∗∗
---------------------------------------------
New samples of the RapperBot botnet malware have added cryptojacking capabilities to mine for cryptocurrency on compromised Intel x64 machines.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/rapperbot-ddos-malware-adds-…
∗∗∗ Multiple Ransomware Groups Adapt Babuk Code to Target ESXi VMs ∗∗∗
---------------------------------------------
Two years ago, a popular ransomware-as-a-service group's source code got leaked. Now other ransomware groups are using it for their own purposes.
---------------------------------------------
https://www.darkreading.com/cloud/multiple-ransomware-groups-adapt-babuk-co…
∗∗∗ New ransomware trends in 2023 ∗∗∗
---------------------------------------------
On the eve of the global Anti-Ransomware Day, Kaspersky researchers share an overview of the key trends observed among ransomware groups.
---------------------------------------------
https://securelist.com/new-ransomware-trends-in-2023/109660/
∗∗∗ Analysis of CLR SqlShell Used to Attack MS-SQL Servers ∗∗∗
---------------------------------------------
This blog post will analyze the CLR SqlShell malware that is being used to target MS-SQL servers. Similar to WebShell, which can be installed on web servers, SqlShell is a malware strain that supports various features after being installed on an MS-SQL server, such as executing commands from threat actors and carrying out all sorts of malicious behavior.
---------------------------------------------
https://asec.ahnlab.com/en/52479/
=====================
= Vulnerabilities =
=====================
∗∗∗ Experts share details of five flaws that can be chained to hack Netgear RAX30 Routers ∗∗∗
---------------------------------------------
Researchers disclosed the details of five vulnerabilities that can be chained to take over some Netgear router models.
---------------------------------------------
https://securityaffairs.com/146111/hacking/netgear-router-exploit-2.html
∗∗∗ Zyxel Chained Remote Code Execution ∗∗∗
---------------------------------------------
This module exploits multiple vulnerabilities in the `zhttpd` binary (/bin/zhttpd) and `zcmd` binary (/bin/zcmd). It is present on more than 40 Zyxel routers and CPE devices. The remote code execution vulnerability can be exploited by chaining the local file disclosure vulnerability in the zhttpd binary that allows an unauthenticated attacker to read the entire configuration of the router [..]
---------------------------------------------
https://cxsecurity.com/issue/WLB-2023050030
∗∗∗ Multiple vulnerabilities in Danfoss EM100 ∗∗∗
---------------------------------------------
Multiple injection-related vulnerabilities exist in a set of Danfoss products, among which the EM100. These vulnerabilities should be considered serious and could lead to the full compromise of your system. It is advised to phase out the EM100, as its vendor Danfoss confirms the EM100 to be End of Life and that it will not be releasing a patch for this product. [..] If this is not possible, ensure it is not connected to the public Internet.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2023-00021/
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (May 1, 2023 to May 7, 2023) ∗∗∗
---------------------------------------------
Last week, there were 58 vulnerabilities disclosed in 43 WordPress Plugins and 3 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/05/wordfence-intelligence-weekly-wordpr…
∗∗∗ CISA Releases Fifteen Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
* ICSA-23-131-01 Siemens Solid Edge
* ICSA-23-131-02 Siemens SCALANCE W1750D
* ICSA-23-131-03 Siemens Siveillance
* ICSA-23-131-04 Siemens SIMATIC Cloud Connect 7
* ICSA-23-131-05 Siemens SINEC NMS Third-Party
* ICSA-23-131-06 Siemens SCALANCE LPE9403
* ICSA-23-131-07 Sierra Wireless AirVantage
* ICSA-23-131-08 Teltonika Remote Management System and RUT Model Routers
* ICSA-23-131-09 Rockwell Automation Kinetix 5500 EtherNetIP Servo Drive
* ICSA-23-131-10 Rockwell Automation Arena Simulation Software
* ICSA-23-131-11 BirdDog Cameras & Encoders
* ICSA-23-131-12 SDG PnPSCADA
* ICSA-23-131-13 PTC Vuforia Studio
* ICSA-23-131-14 Rockwell PanelView 800
* ICSA-23-131-15 Rockwell ThinManager
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/05/11/cisa-releases-fifteen-in…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and nvidia-graphics-drivers-legacy-390xx), Fedora (firefox, java-11-openjdk, LibRaw, moodle, python-django3, and vtk), Slackware (mozilla), SUSE (buildah, cloud-init, container-suseconnect, firefox, golang-github-prometheus-prometheus, kernel, and ntp), and Ubuntu (heat, linux-azure-fde-5.15, linux-raspi, linux-oem-5.17, linux-oem-6.0, linux-raspi, linux-raspi-5.4, linux-raspi2, neutron, openvswitch, and sqlparse).
---------------------------------------------
https://lwn.net/Articles/931638/
∗∗∗ ThinkPad Dock Firmware Update Tool Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-EL…
∗∗∗ CVE-2023-0008 PAN-OS: Local File Disclosure Vulnerability in the PAN-OS Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0008
∗∗∗ CVE-2023-0007 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2023-0007
∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-43930, CVE-2014-3577, CVE-2022-43927, CVE-2022-43929) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989465
∗∗∗ IBM Content Manager Enterprise Edition is affected by a vulnerability in Eclipse Openj9 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6987029
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856659
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856661
∗∗∗ Content Manager Enterprise Edition is affected by a vulnerability in FasterXML jackson ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6856663
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI - IBM® Java SDK CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989589
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989591
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989593
∗∗∗ Vega Vulnerabilities affect IBM Decision Optimization in IBM Cloud Pak for Data (CVE-2023-26486, CVE-2023-26487) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989625
∗∗∗ IBM WebSphere Application Server is vulnerable to an XML External Entity (XXE) Injection vulnerability (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989451
∗∗∗ Multiple Security Vulnerabilities have been fixed in IBM Security Verify Access ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989653
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-27554) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989657
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 09-05-2023 18:00 − Wednesday 10-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Patchday: Adobe closes malicious-code vulnerability in Substance 3D Painter ∗∗∗
---------------------------------------------
Important security updates are available for Adobe Substance 3D Painter. Anyone who uses it to edit 3D models should update the application.
---------------------------------------------
https://heise.de/-8991973
∗∗∗ Microsoft Patchday: Attackers gain system privileges on Windows ∗∗∗
---------------------------------------------
Microsoft closes several critical malicious-code vulnerabilities, in Windows among other products. Attacks are already under way, and more could follow.
---------------------------------------------
https://heise.de/-8991967
∗∗∗ Critical vulnerabilities allow takeover of Aruba access points ∗∗∗
---------------------------------------------
HPE subsidiary Aruba closes several vulnerabilities, some of them critical, in its access points. Attackers from the network could inject malicious code.
---------------------------------------------
https://heise.de/-8992292
∗∗∗ Patchday: 18 security notes on partly critical vulnerabilities in SAP software ∗∗∗
---------------------------------------------
On the May Patchday, SAP seals vulnerabilities, some of them critical, in the company's software. IT administrators should apply the updates promptly.
---------------------------------------------
https://heise.de/-8992005
∗∗∗ Root privileges for local attackers thanks to vulnerabilities in the Linux kernel ∗∗∗
---------------------------------------------
Two components of the Linux kernel contain vulnerabilities that give local attackers a root shell. A first exploit is public.
---------------------------------------------
https://heise.de/-8992648
∗∗∗ Easily bypassed patch makes zero-click Outlook flaw exploitable again (CVE-2023-29324) ∗∗∗
---------------------------------------------
Among the vulnerabilities fixed by Microsoft on May 2023 Patch Tuesday is CVE-2023-29324, a bug in the Windows MSHTML platform that Microsoft rates as “important.” Akamai’s research team and Ben Barnea, the researcher who’s credited with finding the flaw, disagree with that assessment, because “the new vulnerability [CVE-2023-29324] re-enables the exploitation of a critical vulnerability [CVE-2023-23397] that was seen in the wild and used by APT operators.”
---------------------------------------------
https://www.helpnetsecurity.com/2023/05/10/cve-2023-29324/
∗∗∗ Beware of fraudulent animal, puppy and cat sales on the internet ∗∗∗
---------------------------------------------
Watchlist Internet is currently receiving an increasing number of reports of fraudulent animal offers on the internet and on social media such as Facebook. Cute pictures of young kittens and dogs on websites, meant to build trust, tempt people into a rash order and advance payment. A delivery never takes place, no matter how many of the criminal breeders' payment demands are met!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischem-tier-we…
∗∗∗ Free Tool Unlocks Some Encrypted Data in Ransomware Attacks ∗∗∗
---------------------------------------------
"White Phoenix" automated tool for recovering data on partially encrypted files hit with ransomware is available on GitHub.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/free-tool-unlocks-some-encrypt…
∗∗∗ PwnAssistant - Controlling /homes via a Home Assistant RCE ∗∗∗
---------------------------------------------
[..] we decided to look into the very established and known open-source automation ecosystem known as Home Assistant. [..] So without further ado, come with us on this journey to understanding the Home Assistant architecture, enumerating the attack surface and trawling for pre-authentication vulnerabilities within the code base.
---------------------------------------------
https://www.elttam.com/blog/pwnassistant/
∗∗∗ Xjquery Wave of WordPress SocGholish Injections ∗∗∗
---------------------------------------------
By the end of March, 2023, we started noticing a new wave of SocGholish injections that used the intermediary xjquery[.]com domain. It appeared to be another evolution of the same malware. This time, however, attackers were using the same tricks in a different way.
---------------------------------------------
https://blog.sucuri.net/2023/05/xjquery-wave-of-wordpress-socgholish-inject…
∗∗∗ ESET APT Activity Report Q4 2022–Q1 2023 ∗∗∗
---------------------------------------------
An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q4 2022 and Q1 2023
---------------------------------------------
https://www.welivesecurity.com/2023/05/09/eset-apt-activity-report-q42022-q…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (emacs), Fedora (chromium, community-mysql, and LibRaw), Red Hat (nodejs nodejs-nodemon, nodejs:18, and webkit2gtk3), Slackware (mozilla), SUSE (amazon-ssm-agent, conmon, distribution, docker-distribution, google-cloud-sap-agent, ignition, kernel, ntp, prometheus-ha_cluster_exporter, protobuf-c, python-cryptography, runc, and shim), and Ubuntu (ceph, freetype, and node-css-what).
---------------------------------------------
https://lwn.net/Articles/931488/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Few Dozen Vulnerabilities ∗∗∗
---------------------------------------------
Siemens and Schneider Electric’s Patch Tuesday advisories for May 2023 address a few dozen vulnerabilities found in their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ Chipmaker Patch Tuesday: Intel, AMD Address Over 100 Vulnerabilities ∗∗∗
---------------------------------------------
Intel and AMD have informed their customers about a total of more than 100 vulnerabilities found in their products.
---------------------------------------------
https://www.securityweek.com/chipmaker-patch-tuesday-intel-amd-address-over…
∗∗∗ Hitachi Energy MSM ∗∗∗
---------------------------------------------
CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Modular Switchgear Monitoring (MSM)
Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Authentication Bypass by Capture-replay, Code Injection, Improper Restriction of Operations within the Bounds of a Memory Buffer, NULL Pointer Dereference, Insufficient Entropy
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-129-02
∗∗∗ Vulnerability Spotlight: Authentication bypass, use-after-free vulnerabilities found in a library for the µC/OS open-source operating system ∗∗∗
---------------------------------------------
TALOS-2022-1680 (CVE-2022-41985) could allow an attacker to bypass the authentication protocol on the operating system, or cause a denial-of-service, by sending the targeted machine a specially crafted set of network packets.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-authentication-b…
∗∗∗ SLP Protocol Denial-of-Service Guidance ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500563-SLP-PROTOCOL-DENIAL-OF-…
∗∗∗ Multi-vendor BIOS Security Vulnerabilities (May 2023) ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500559-MULTI-VENDOR-BIOS-SECUR…
∗∗∗ ThinkPad Dock Driver Elevation of Privilege Vulnerability ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500562-THINKPAD-DOCK-DRIVER-EL…
∗∗∗ [R1] Nessus Network Monitor Version 6.2.1 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-19
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Monday 08-05-2023 18:00 − Tuesday 09-05-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ A new, stealthier type of Typosquatting attack spotted targeting NPM ∗∗∗
---------------------------------------------
Attackers have been using lowercase letters in package names on the Node Package Manager (NPM) registry for potential malicious package impersonation. This deceptive tactic presents a dangerous twist on a well-known attack method -- "Typosquatting."
---------------------------------------------
https://checkmarx.com/blog/a-new-stealthier-type-of-typosquatting-attack-sp…
∗∗∗ AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability ∗∗∗
---------------------------------------------
Owners of Ruckus access points (APs) have been warned that a DDoS botnet named AndoryuBot has been exploiting a recently patched vulnerability to hack devices. The vulnerability in question is tracked as CVE-2023-25717 and it was patched by Ruckus in February in many of its wireless APs.
---------------------------------------------
https://www.securityweek.com/andoryubot-ddos-botnet-exploiting-ruckus-ap-vu…
∗∗∗ Building Automation System Exploit Brings KNX Security Back in Spotlight ∗∗∗
---------------------------------------------
A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks.
---------------------------------------------
https://www.securityweek.com/building-automation-system-exploit-brings-knx-…
∗∗∗ Do not book your accommodation via booked.net or hotel-mix.de ∗∗∗
---------------------------------------------
Looking for accommodation? Better not book on booked.net or hotel-mix.de, because both booking platforms list accommodations that have no contract with the platform. On arrival at the booked accommodation, you may find that the operators know nothing about your booking and that you have to find a new place to sleep at short notice.
---------------------------------------------
https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-ueb…
∗∗∗ New phishing-as-a-service tool “Greatness” already seen in the wild ∗∗∗
---------------------------------------------
A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots.
---------------------------------------------
https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability (CWE-79). An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin.
---------------------------------------------
https://jvn.jp/en/jp/JVN59341308/
∗∗∗ WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
* An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-27923, CVE-2023-28367
* An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-27925, CVE-2023-27926
---------------------------------------------
https://jvn.jp/en/jp/JVN95792402/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (java-11-openjdk-portable and rubygem-redcarpet), Red Hat (autotrace, bind, buildah, butane, conmon, containernetworking-plugins, curl, device-mapper-multipath, dhcp, edk2, emacs, fence-agents, freeradius, freerdp, frr, fwupd, gdk-pixbuf2, git, git-lfs, golang-github-cpuguy83-md2man, grafana, grafana-pcp, gstreamer1-plugins-good, Image Builder, jackson, kernel, kernel-rt, krb5, libarchive, libguestfs-winsupport, libreswan, libtiff, libtpms, lua, mysql, net-snmp, openssh, openssl, pcs, php:8.1, pki-core, podman, poppler, postgresql-jdbc, python-mako, qemu-kvm, samba, skopeo, sysstat, tigervnc, toolbox, unbound, webkit2gtk3, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (cfengine, cfengine-masterfiles, go1.19, go1.20, libfastjson, python-cryptography, and python-ujson), and Ubuntu (mysql-5.7).
---------------------------------------------
https://lwn.net/Articles/931384/
∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin ∗∗∗
---------------------------------------------
* CVE-2023-24488, Cross site scripting, CVSS 6.1
* CVE-2023-24487, Arbitrary file read, CVSS 6.3
---------------------------------------------
https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-…
∗∗∗ SSA-932528 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-932528.html
∗∗∗ SSA-892048 V1.0: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-892048.html
∗∗∗ SSA-789345 V1.0: Code Execution Vulnerabilities in Siveillance Video Event and Management Servers ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-789345.html
∗∗∗ SSA-555292 V1.0: Security Vulnerabilities Fixed in SIMATIC Cloud Connect 7 V2.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-555292.html
∗∗∗ SSA-516174 V1.0: Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W1750D ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-516174.html
∗∗∗ SSA-325383 V1.0: Multiple Vulnerabilities in SCALANCE LPE9403 before V2.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/html/ssa-325383.html
∗∗∗ F5: K000133759 : Python vulnerability CVE-2020-26116 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133759
∗∗∗ F5: K000134496 : Jettison vulnerability CVE-2022-45685 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134496
∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988953
∗∗∗ Tensorflow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988959
∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986333
∗∗∗ TensorFlow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988979
∗∗∗ Ansi-html is vulnerable to CVE-2021-23424 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988981
∗∗∗ Node-forge is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988969
∗∗∗ Apache Log4j is vulnerable to CVE-2021-45105 and CVE-2021-45046 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988975
∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/888295
∗∗∗ IBM Cloud Pak for Network Automation 2.4.6 fixes multiple security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989099
∗∗∗ CVE-2023-24536, CVE-2023-24537 and CVE-2023-24534 may affect IBM CICS TX Standard ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989115
∗∗∗ CVE-2023-24536, CVE-2023-24537, CVE-2023-24534 may affect IBM CICS TX Advanced ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989117
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989119
∗∗∗ WebSphere Application Server Liberty is vulnerable to CVE-2022-3509 and CVE-2022-3171 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989133
∗∗∗ IBM WebSphere Application Server Liberty and Open Liberty is vulnerable to CVE-2022-22475 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989131
∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to CVE-2022-22393 used in IBM Maximo Application Suite - Monitor Component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989127
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6989145
=====================
= End-of-Day report =
=====================
Timeframe: Friday 05-05-2023 18:00 − Monday 08-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Meet Akira — A new ransomware operation targeting the enterprise ∗∗∗
---------------------------------------------
The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-…
∗∗∗ Data leak: MSI firmware and Boot Guard keys published ∗∗∗
---------------------------------------------
After a hack, a ransomware group has published a large amount of internal MSI data, including private signing keys.
---------------------------------------------
https://www.golem.de/news/datenleck-firmware-und-bootguard-schluessel-von-m…
∗∗∗ New Cactus ransomware encrypts itself to evade antivirus ∗∗∗
---------------------------------------------
While the new threat actor adopted the usual tactics seen in ransomware attacks - file encryption and data theft - it added its own touch to avoid detection. [..] Researchers at Kroll corporate investigation and risk consulting firm believe that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encryp…
∗∗∗ Breaking down Reverse shell commands ∗∗∗
---------------------------------------------
In pentesting assessments and CTFs we always need reverse shells to execute commands on target machine once we have exploited a system and have a command injection at some point in our engagement. For that we have an awesome project: revshells.com or reverse-shell-generator where we have a ton of reverse shell payloads listed. This blog post tries to explain their working.
---------------------------------------------
https://adityatelange.in/blog/revshells/
∗∗∗ Quickly Finding Encoded Payloads in Office Documents ∗∗∗
---------------------------------------------
Malicious documents like this RevengeRAT ppam file found on MalwareBazaar contain VBA code that you can analyze with oledump.py. Some shortcuts can be used [..] But there is a quicker method: let zipdump.py produce JSON output that contains the decompressed content of each file, and then let base64dump.py consume this JSON output.
---------------------------------------------
https://isc.sans.edu/diary/rss/29818
∗∗∗ Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot ∗∗∗
---------------------------------------------
Dependabot is one of the most widely deployed tools to improve software supply chain security. But like all other software, it is not immune to security vulnerabilities. By using it, users take on the risk that any vulnerabilities in Dependabot itself may lead to the compromise of the very supply chain they are trying to secure. This article is about a vulnerability in Dependabot that allowed an arbitrary user to gain access to a subset of GitHub repositories that have Dependabot enabled.
---------------------------------------------
https://giraffesecurity.dev/posts/dependabot-confusion/
∗∗∗ Microsoft web browser: Edge 113 closes security vulnerabilities ∗∗∗
---------------------------------------------
Microsoft has released version 113 of its Edge web browser. In it, the developers have improved some features and sealed vulnerabilities.
---------------------------------------------
https://heise.de/-8990437
∗∗∗ Warning! These cosmetics are harmful to health! ∗∗∗
---------------------------------------------
The Agency for Health and Food Safety (AGES) and the Federal Office for Consumer Health (BAVG) are currently warning about cosmetic products that contain banned fragrances that are harmful to health. The products are sold mainly online. We show you which products you should steer clear of.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-diese-kosmetika-sind-gesundh…
∗∗∗ Webinar: Buying and selling safely via Willhaben, Shpock & Co. ∗∗∗
---------------------------------------------
What do I need to consider when I want to buy or sell something as a private individual on classified-ad platforms such as Willhaben, Shpock, Vinted & Co.? Our legal expert from the Internet Ombudsstelle gives tips for handling such online transactions safely. Participate free of charge: Tuesday, 16 May 2023, 18:30 - 20:00 via Zoom
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-sicher-verkaufen-ueber-willh…
∗∗∗ PRFs, PRPs and other fantastic things ∗∗∗
---------------------------------------------
A few weeks ago I ran into a conversation on Twitter about the weaknesses of applied cryptography textbooks, and how they tend to spend way too much time lecturing people about Feistel networks and the boring details of AES. Some of the folks in this conversation suggested that instead of these things, we should be into more fundamental topics like “what is a pseudorandom function.”
---------------------------------------------
https://blog.cryptographyengineering.com/2023/05/08/prfs-prps-and-other-fan…
∗∗∗ WordPress plugin vulnerability puts two million websites at risk ∗∗∗
---------------------------------------------
Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks.
---------------------------------------------
https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-we…
∗∗∗ Cisco SPA112 2-Port Phone Adapter insecure, disposal is the only option left ∗∗∗
---------------------------------------------
US vendor Cisco warns in an advisory of a critical vulnerability in one of its phone adapters. This vulnerability allows an attacker to take control of the device. Unfortunately, the only option for affected users is to dispose of this phone adapter [...]
---------------------------------------------
https://www.borncity.com/blog/2023/05/06/cisco-spa112-2-port-telefonadapter…
=====================
= Vulnerabilities =
=====================
∗∗∗ ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000 ∗∗∗
---------------------------------------------
Vendor: ads-tec Industrial IT GmbH
Product name: IRF1000, IRF3000, IRF3000
CVE Numbers: CVE-2014-3669, CVE-2014-8142, CVE-2014-9425, CVE-2015-0231, CVE-2015-2348, CVE-2015-2787, CVE-2015-3414, CVE-2015-3415, CVE-2015-4602, CVE-2015-6835, CVE-2015-8876, CVE-2016-10161, CVE-2016-7124, CVE-2016-7411, CVE-2016-9138, CVE-2017-11142, CVE-2017-12933, CVE-2017-8923
CVSS Score: up to 9.8
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2023-009/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Mageia (avahi, git, imagemagick, libfastjson, libxml2, parcellite, and virtualbox), SUSE (containerd, dnsmasq, ffmpeg, git, indent, installation-images, java-17-openjdk, maven and recommended update for antlr3, minlog, sbt, xmvn, ncurses, netty, netty-tcnative, openssl-1_0_0, python-Django1, redis, shim, terraform-provider-helm, and zstd), and Ubuntu (erlang, mysql-5.7, mysql-8.0, ruby2.3, ruby2.5, ruby2.7, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/931259/
∗∗∗ 3 vulnerabilities discovered in MS Azure API Management ∗∗∗
---------------------------------------------
Security researchers at Israeli security vendor Ermetic have discovered three vulnerabilities in Microsoft's Azure API Management. Two SSRF (server-side request forgery) vulnerabilities and an unrestricted file upload issue create risks for the Microsoft cloud environment. The vulnerabilities can be abused by malicious actors [...]
---------------------------------------------
https://www.borncity.com/blog/2023/05/06/3-schwachstellen-in-ms-azure-api-m…
∗∗∗ Multiple vulnerabilities in IBM Java SDK (January 2023) affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988347
∗∗∗ Security Vulnerabilities in IBM WebSphere Liberty and xml2js affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988603
∗∗∗ Vulnerability in Jettison affects IBM Process Mining. CVE-2023-1436 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988673
∗∗∗ Vulnerabilities have been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24966, CVE-2022-39161) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988885
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable dom4j-1.6.1.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988889
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988899
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988895
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988893
∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xmlbeans-2.3.0.jar ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988897
∗∗∗ Vulnerability in paramiko affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-24302] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988909
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-05-2023 18:00 − Friday 05-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ What is XML-RPC? Security Risks & How to Disable ∗∗∗
---------------------------------------------
In this article, we will discuss what xmlrpc.php is, why disabling it can improve your website’s security, and how to determine if it’s currently active on your WordPress site.
---------------------------------------------
https://blog.sucuri.net/2023/05/what-is-xml-rpc-security-risks-how-to-disab…
∗∗∗ Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads ∗∗∗
---------------------------------------------
The list of the offending apps is as follows:
- Beauty Camera Plus
- Beauty Photo Camera
- Beauty Slimming Photo Editor
- Fingertip Graffiti
- GIF Camera Editor
- HD 4K Wallpaper
- Impressionism Pro Camera
- Microclip Video Editor
- Night Mode Camera Pro
- Photo Camera Editor
- Photo Effect Editor
---------------------------------------------
https://thehackernews.com/2023/05/fleckpe-android-malware-sneaks-onto.html
∗∗∗ Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Compromised ∗∗∗
---------------------------------------------
PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," [..]
---------------------------------------------
https://thehackernews.com/2023/05/packagist-repository-hacked-over-dozen.ht…
∗∗∗ An overview of the OSI model and its security threats ∗∗∗
---------------------------------------------
The OSI model is a representation of how communications between devices occur. The conceptual model makes it easier to understand how data is transmitted. In its complex process, threat actors have found ways to exploit and compromise systems. It is very important to identify the kind of attacks and vulnerabilities available on each layer and implement proper defense strategies to protect a network.
---------------------------------------------
https://www.tripwire.com/state-of-security/overview-osi-model-and-its-secur…
∗∗∗ "Login with new device": Criminals send personalised e-mail in the name of BAWAG ∗∗∗
---------------------------------------------
Criminals are currently sending fraudulent messages in the name of BAWAG. The e-mails are personalised and therefore particularly credible. You are addressed not by your name but by your e-mail address. In the message, the criminals claim that your account was accessed with a new device.
---------------------------------------------
https://www.watchlist-internet.at/news/login-mit-neuem-geraet-kriminelle-ve…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-23-547: (0Day) Linux Kernel IPv6 RPL Protocol Reachable Assertion Denial-of-Service Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-547/
∗∗∗ Sante DICOM Viewer Vulnerabilities ∗∗∗
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-23-523/
https://www.zerodayinitiative.com/advisories/ZDI-23-524/
https://www.zerodayinitiative.com/advisories/ZDI-23-525/
https://www.zerodayinitiative.com/advisories/ZDI-23-526/
https://www.zerodayinitiative.com/advisories/ZDI-23-527/
---------------------------------------------
https://www.zerodayinitiative.com/advisories/published/
∗∗∗ Synology-SA-23:04 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to inject SQL commands via a susceptible version of Synology VPN Plus Server. Affected Products: VPN Plus Server for SRM 1.3, VPN Plus Server for SRM 1.2
---------------------------------------------
https://www.synology.com/en-global/security/advisory/Synology_SA_23_04
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
IBM Elastic Storage System, IBM Spectrum Scale, IBM Maximo Application Suite, IBM Cognos Command Center, AIX, IBMid, IBM SAN Volume Controller, IBM CICS TX, IBM PowerVM Novalink, IBM Process Mining, IBM Cognos Analytics, IBM Planning Analytics.
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, evolution, and odoo), Fedora (java-11-openjdk), Oracle (samba), Red Hat (libreswan and samba), Slackware (libssh), SUSE (amazon-ssm-agent, apache2-mod_auth_openidc, cmark, containerd, editorconfig-core-c, ffmpeg, go1.20, harfbuzz, helm, java-11-openjdk, java-1_8_0-ibm, liblouis, podman, and vim), and Ubuntu (linux-aws, linux-aws-hwe, linux-intel-iotg, and linux-oem-6.1).
---------------------------------------------
https://lwn.net/Articles/931050/
∗∗∗ K000134469 : MySQL vulnerability CVE-2023-21963 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000134469
∗∗∗ Spring Cloud Data Flow 2.10.3 Released ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/05/05/spring-cloud-data-flow-2-10-3-released
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-05-2023 18:00 − Thursday 04-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Windows admins can now sign up for ‘known issue’ email alerts ∗∗∗
---------------------------------------------
Microsoft announced today that Windows admins can now choose to be emailed when new known issues are added to the Windows release health section of the Microsoft 365 admin center.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/windows-admins-can-now-sign…
∗∗∗ Infostealer Embedded in a Word Document, (Thu, May 4th) ∗∗∗
---------------------------------------------
When attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the “yellow ribbon” on top of the document. Yesterday I found a malicious document that implements another approach.
---------------------------------------------
https://isc.sans.edu/diary/rss/29810
∗∗∗ How to Analyze Java Malware – A Case Study of STRRAT ∗∗∗
---------------------------------------------
STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The JAR file was obfuscated using the Allatori obfuscator. It establishes persistence on the host by copying to the Startup folder and creating a scheduled task and a Run registry entry. The functionalities of the implemented commands include: reboot the machine, uninstall the malware and delete all its traces, download and execute files [..]
---------------------------------------------
https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-…
=====================
= Vulnerabilities =
=====================
∗∗∗ S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014 ∗∗∗
---------------------------------------------
S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-014
∗∗∗ Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Fortinet Patch Day: Attackers could execute their own commands ∗∗∗
---------------------------------------------
Important security updates are available for various Fortinet products. None of the vulnerabilities is rated critical.
---------------------------------------------
https://heise.de/-8986618
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python-sentry-sdk) and Ubuntu (python-django and ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/930903/
∗∗∗ Malicious IKEv1 packet by unauthenticated peer can cause libreswan to restart ∗∗∗
---------------------------------------------
The Libreswan Project was notified by github user "XU-huai" of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack.
---------------------------------------------
https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt
∗∗∗ Apple: Beats Firmware Update 5B66 ∗∗∗
---------------------------------------------
http://support.apple.com/kb/HT213752
∗∗∗ Apple: AirPods Firmware Update 5E133 ∗∗∗
---------------------------------------------
http://support.apple.com/kb/HT213752
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression security vulnerability CVE-2023-20861 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988109
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) cfx-core security vulnerabilities CVE-2022-46363, CVE-2022-46364 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988115
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) woodstox/XStream security vulnerability CVE-2022-40152 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988117
∗∗∗ IBM InfoSphere Information Server is affected but not classified as vulnerable to a denial of service vulnerability in NumPy (CVE-2021-34141) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988125
∗∗∗ A vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-25690) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988293
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988295
∗∗∗ IBM Virtualization Engine TS7700 is vulnerable to a privilege escalation threat (CVE-2023-24958) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6980845
∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression/spring-core security vulnerability [CVE-2023-20863] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988341
∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6988351
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-05-2023 18:00 − Wednesday 03-05-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Firmware TPM: faulTPM cracks AMD CPUs after three hours of local access ∗∗∗
---------------------------------------------
TPMs are meant to protect secrets such as cryptographic keys. IT researchers have now used "faulTPM" to gain unauthorized access to AMD's firmware TPM.
---------------------------------------------
https://heise.de/-8985704
∗∗∗ OpenCore: Apple's first security response causes problems for patched Macs ∗∗∗
---------------------------------------------
Macs upgraded to macOS Ventura using OpenCore may no longer boot after installing Apple's latest update. There is a workaround.
---------------------------------------------
https://heise.de/-8986252
∗∗∗ Exploitation of BGP Implementation Vulnerabilities Can Lead to Disruptions ∗∗∗
---------------------------------------------
Open source BGP implementation FRRouting is affected by three vulnerabilities that can be exploited to cause disruption via DoS attacks.
---------------------------------------------
https://www.securityweek.com/exploitation-of-bgp-implementation-vulnerabili…
∗∗∗ Fraudulent advertising on the Microsoft Edge start page! ∗∗∗
---------------------------------------------
Anyone who uses Microsoft Windows automatically gets the Edge browser for surfing the internet. Besides Bing search, the start page offers a list of numerous news articles, with advertisements mixed in among them. A close look at the ads shows: almost all of them lead to trading fraud or other dubious sites. Caution!
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-werbung-auf-microsoft…
∗∗∗ CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows DHCPv6 Service. This bug was originally discovered by YanZiShuang@BigCJTeam of cyberkl. The vulnerability results from the improper processing of DHCPv6 Relay-forward messages. A network-adjacent attacker can leverage this vulnerability to execute code [...]
---------------------------------------------
https://www.thezdi.com/blog/2023/5/1/cve-2023-28231-rce-in-the-microsoft-wi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome 113: Security update for the web browser ∗∗∗
---------------------------------------------
The developers have fixed a total of 15 vulnerabilities in Google Chrome 113. They also announce that the lock icon will be replaced in the future.
---------------------------------------------
https://heise.de/-8985368
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (avahi, kernel, linux-5.10, nodejs, webkit2gtk, and wpewebkit), Gentoo (chromium, google-chrome, microsoft-edge, dbus, dbus-broker, dhcp, firefox, firejail-lts, libapreq2, libsdl, libsdl2, lua, proftpd, python, PyPy3, sudo, syslog-ng, systemd, tor, uptimed, vim, and xfce4-settings), Oracle (emacs and libwebp), Red Hat (libwebp), Scientific Linux (libwebp), and SUSE (ceph, ffmpeg-4, git, pdns-recursor, and shim).
---------------------------------------------
https://lwn.net/Articles/930775/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ K000132719 : BIG-IQ iControl REST vulnerability CVE-2023-29240 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132719
∗∗∗ K000133417 : NGINX Management Suite vulnerability CVE-2023-28656 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133417
∗∗∗ K000132522 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-22372 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132522
∗∗∗ K000133132 : BIG-IP TMM SSL vulnerability CVE-2023-24594 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133132
∗∗∗ K000132768 : BIG-IP Configuration utility vulnerability CVE-2023-28406 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132768
∗∗∗ K000132972 : BIG-IP iQuery mesh vulnerability CVE-2023-28742 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132972
∗∗∗ K000132726 : BIG-IP Configuration utility XSS vulnerability CVE-2023-27378 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132726
∗∗∗ K000133233 : NGINX Management Suite vulnerability CVE-2023-28724 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133233
∗∗∗ K000132539 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-24461 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000132539
∗∗∗ K20145107 : BIG-IP UDP profile vulnerability CVE-2023-29163 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K20145107?
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-04-2023 18:00 − Tuesday 02-05-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers target vulnerable Veeam backup servers exposed online ∗∗∗
---------------------------------------------
Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-ve…
∗∗∗ New LOBSHOT malware gives hackers hidden VNC access to Windows devices ∗∗∗
---------------------------------------------
A new malware known as LOBSHOT distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-ha…
∗∗∗ Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers.
---------------------------------------------
https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html
∗∗∗ trawler: Dredging Windows for Persistence ∗∗∗
---------------------------------------------
Trawler is a PowerShell script designed to help Incident Responders discover potential indicators of compromise on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more.
---------------------------------------------
https://github.com/joeavanzato/Trawler
∗∗∗ Attacks on vulnerabilities in TP-Link Archer, Apache Log4j2 and Oracle Weblogic ∗∗∗
---------------------------------------------
Attackers are exploiting security vulnerabilities in TP-Link Archer, Apache Log4j2 and Oracle Weblogic to gain access to victims' networks.
---------------------------------------------
https://heise.de/-8984237
∗∗∗ Medical devices: Warning of critical security vulnerability in Illumina software ∗∗∗
---------------------------------------------
The US IT security agency CISA warns of critical security vulnerabilities in Illumina's medical devices. Attackers could take control.
---------------------------------------------
https://heise.de/-8983960
∗∗∗ Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes ∗∗∗
---------------------------------------------
Fortinet warns of a massive spike in malicious attacks targeting a five-year-old authentication bypass vulnerability in TBK DVR devices.
---------------------------------------------
https://www.securityweek.com/exploitation-of-5-year-old-tbk-dvr-vulnerabili…
∗∗∗ Critical Infrastructure Organizations Urged to Identify Risky Communications Equipment ∗∗∗
---------------------------------------------
CISA urges organizations to review FCC’s Covered List of risky communications equipment and incorporate it in their supply chain risk management efforts.
---------------------------------------------
https://www.securityweek.com/critical-infrastructure-organizations-urged-to…
∗∗∗ Webinar: Using online research tools properly ∗∗∗
---------------------------------------------
How can I use Google, and other search engines, properly? What other research tools and search methods are there? In this webinar we show you what good, efficient online research can look like. Participate free of charge: Tuesday, 9 May 2023, 18:30 - 20:00 via Zoom.
---------------------------------------------
https://www.watchlist-internet.at/news/webinar-recherchetools-im-internet-r…
∗∗∗ Online shopping: Do not pay with the PayPal feature “Send money to a friend” ∗∗∗
---------------------------------------------
Fake shops have recently been abusing the PayPal feature “Send money to friends and family”. The criminals behind the fake shops create PayPal.Me payment links. Through small adjustments by the criminals, the purchase amount is stored there and the payment type “Send money to a friend” is preselected. If you pay using this payment type, buyer protection does not apply. Your money is then gone and cannot be recovered.
---------------------------------------------
https://www.watchlist-internet.at/news/online-shopping-bezahlen-sie-nicht-m…
∗∗∗ Apple releases “Rapid Security Response” for iOS, iPadOS and macOS ∗∗∗
---------------------------------------------
The new update method significantly shortens the installation process. With Rapid Security Responses, Apple intends in future to eliminate threats such as zero-day vulnerabilities more quickly, for example.
---------------------------------------------
https://www.zdnet.de/88408872/apple-veroeffentlicht-schnelle-sicherheitsmas…
∗∗∗ Enforce Zero Trust in Microsoft 365 – Part 1: Setting the basics ∗∗∗
---------------------------------------------
This first blog post is part of a series of blog posts related to the implementation of Zero Trust approach in Microsoft 365. This series will first cover the basics and then deep dive into the different features such as Azure Active Directory (Azure AD) Conditional Access policies, Microsoft Defender for Cloud Apps policies, Information Protection and Microsoft Endpoint Manager, to only cite a few.
---------------------------------------------
https://blog.nviso.eu/2023/05/02/enforce-zero-trust-in-microsoft-365-part-1…
∗∗∗ CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers ∗∗∗
---------------------------------------------
AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers.
---------------------------------------------
https://asec.ahnlab.com/en/51908/
∗∗∗ A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors ∗∗∗
---------------------------------------------
Two pillars in sleight of hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, the trick needs to be concealed behind something ordinary and nonthreatening. Mandiant became aware of a chain of adversary methodologies that leverage these two pillars to achieve persistence.
---------------------------------------------
https://www.mandiant.com/resources/blog/lnk-between-browsers
=====================
= Vulnerabilities =
=====================
∗∗∗ Wireshark 4.0.5 Released, (Sat, Apr 29th) ∗∗∗
---------------------------------------------
Wireshark version 4.0.5 was released with 11 bugs and 3 vulnerabilities fixed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29790
∗∗∗ Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking ∗∗∗
---------------------------------------------
This article discusses a vulnerability with Azure DevOps that can be exploited by users able to run pipelines with user-controlled variables. The vulnerability allows malicious users with access to edit runtime parameter values to inject shell commands that execute on the pipeline runner. This can compromise the runner and allow access to sensitive information such as secrets used for deployments and Azure service principal credentials.
---------------------------------------------
https://pulsesecurity.co.nz/advisories/Azure-Devops-Command-Injection
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (distro-info-data, ffmpeg, jackson-databind, jruby, libapache2-mod-auth-openidc, libxml2, openvswitch, sniproxy, and wireshark), Fedora (git, libsignal-protocol-c, php-nyholm-psr7, python-setuptools, rust-askama, rust-askama_shared, rust-comrak, thunderbird, and webkitgtk), SUSE (git, glib2, shadow, thunderbird, and webkit2gtk3), and Ubuntu (Apache Commons Net, git, linux-azure-5.15, linux-azure-fde, linux-kvm, linux-ibm-5.4, linux-snapdragon, netty, and ZenLib).
---------------------------------------------
https://lwn.net/Articles/930588/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), Fedora (chromium), Red Hat (emacs and libwebp), Slackware (netatalk), and Ubuntu (php7.0).
---------------------------------------------
https://lwn.net/Articles/930649/
∗∗∗ IBM Security Bulletins 2023-04-28 - 2023-05-02 ∗∗∗
---------------------------------------------
IBM Engineering Test Management, IBM Spectrum Scale, IBM DataPower Gateway, IBM i, Rational ClearQuest, IBM Business Automation Workflow, IBM Business Automation Workflow Enterprise Service Bus, IBM Case Manager, BladeCenter, PureFlex System and Flex System, System x, IBM Maximo, IBM Control Desk, Db2 for Linux, UNIX and Windows, IBM Robotic Process Automation, Tivoli Business Service Manager, Content Manager Client, IBM Sterling Secure Proxy, IBM App Connect Enterprise, IBM Security Key Lifecycle Manager, IBM MQ, IBM MQ Appliance, Tivoli Application Dependency Discovery Manager, IBM Cloud Pak, IBM InfoSphere Information, WebSphere Remote Server, IBM Workload Scheduler.
---------------------------------------------
∗∗∗ ZDI-23-503: (Pwn2Own) NETGEAR RAX30 logCtrl Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-503/
∗∗∗ ZDI-23-502: (Pwn2Own) NETGEAR RAX30 SOAP Request SQL Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-502/
∗∗∗ ZDI-23-501: (Pwn2Own) NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-501/
∗∗∗ ZDI-23-496: NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-496/
∗∗∗ ZDI-23-495: NETGEAR RAX30 rex_cgi JSON Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-495/
∗∗∗ Android Security Bulletin – May 2023 ∗∗∗
---------------------------------------------
https://source.android.com/docs/security/bulletin/2023-05-01?hl=de
∗∗∗ F5: K000133706 : OpenSSL vulnerability CVE-2023-0464 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133706
∗∗∗ F5: K000133615 : device-mapper-multipath vulnerability CVE-2022-41974 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133615
∗∗∗ F5: K000133753 : PHP vulnerability CVE-2023-0662 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133753
∗∗∗ Securing Databricks cluster init scripts ∗∗∗
---------------------------------------------
https://sec-consult.com/blog/detail/securing-databricks-cluster-init-script…
∗∗∗ Vulnerabilities in the Autodesk® 3ds Max® USD plugin ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0008
∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-122-01
∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NBG6604 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
∗∗∗ Zyxel security advisory for multiple vulnerabilities in NBG-418N v2 home router ∗∗∗
---------------------------------------------
https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-04-2023 18:00 − Friday 28-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CISA warns of critical bugs in Illumina DNA sequencing systems ∗∗∗
---------------------------------------------
The U.S. Cybersecurity Infrastructure Security Agency (CISA) and the FDA have issued an urgent alert about two vulnerabilities that impact Illumina's Universal Copy Service (UCS), used for DNA sequencing in medical facilities and labs worldwide.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-bugs-…
∗∗∗ Quick IOC Scan With Docker, (Fri, Apr 28th) ∗∗∗
---------------------------------------------
When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content.
---------------------------------------------
https://isc.sans.edu/diary/rss/29788
∗∗∗ WordPress Vulnerability & Patch Roundup April 2023 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2023/04/wordpress-vulnerability-patch-roundup-april…
∗∗∗ Attention Online Shoppers: Don't Be Fooled by Their Sleek, Modern Looks — It's Magecart! ∗∗∗
---------------------------------------------
An ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users.
---------------------------------------------
https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html
∗∗∗ New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets ∗∗∗
---------------------------------------------
Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and [...]
---------------------------------------------
https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.h…
∗∗∗ Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707) ∗∗∗
---------------------------------------------
While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI.
---------------------------------------------
https://starlabs.sg/blog/2023/04-microsoft-exchange-powershell-remoting-des…
∗∗∗ Many Public Salesforce Sites are Leaking Private Data ∗∗∗
---------------------------------------------
A shocking number of organizations -- including banks and healthcare providers -- are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.
---------------------------------------------
https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leakin…
∗∗∗ Rapture, a Ransomware Family With Similarities to Paradise ∗∗∗
---------------------------------------------
In March and April 2023, we observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. Our findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device.
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso…
∗∗∗ Grafana: Update closes high-risk vulnerability in the data visualization tool ∗∗∗
---------------------------------------------
Grafana has released updates for numerous version branches. Among other things, they close a denial-of-service vulnerability that is rated high-risk.
---------------------------------------------
https://heise.de/-8981605
∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗
---------------------------------------------
LTS-108 is being updated in the LTS channel to 108.0.5359.230 (Platform Version: 15183.93.0) for most ChromeOS devices. [...] This update contains multiple Security fixes [...]
---------------------------------------------
https://chromereleases.googleblog.com/2023/04/long-term-support-channel-upd…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (git, libpcap, php-laminas-diactoros2, php-nyholm-psr7, tcpdump, and xen), Oracle (cloud-init), Scientific Linux (kernel), SUSE (conmon, docker, glib2, glibc, libmicrohttpd, libX11, liferea, python3, qemu, rubygem-actionview-5_1, s390-tools, stellarium, vim, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 and openssl-ibmca).
---------------------------------------------
https://lwn.net/Articles/930462/
∗∗∗ Use of Telnet in the interface module SLC-0-GPNT00300 ∗∗∗
---------------------------------------------
BOSCH-SA-387640: The SLC-0-GPNT00300 from Bosch Rexroth contains technology from SICK AG. The manufacturer has published a security bulletin [1] regarding the availability of a Telnet interface for debugging. The SLC-0-GPNT00300 provides a Telnet interface for debugging, which is enabled by factory default. No password is set in the default configuration. If the password is not set by the customer, a remote unauthorized adversary could connect via Telnet.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-387640.html
∗∗∗ SonicOS SSLVPN: Vulnerability CVE-2023-1101 in MFA – new firmware for Gen6 firewalls (6.5.4.12-101n) ∗∗∗
---------------------------------------------
A quick reminder for administrators who use SonicWall products. SonicOS SSLVPN contains a critical vulnerability that allows an authenticated attacker to use excessive MFA codes. From SonicWall, the vulnerability CVE-2023-1101 has [...]
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/sonicos-sslvpn-schwachstelle-cve-2…
∗∗∗ Illumina Universal Copy Service ∗∗∗
---------------------------------------------
[...] Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; [...]
---------------------------------------------
https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-04-2023 18:00 − Thursday 27-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Google disrupts the CryptBot info-stealing malware operation ∗∗∗
---------------------------------------------
Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot…
∗∗∗ Cisco discloses XSS zero-day flaw in server management tool ∗∗∗
---------------------------------------------
Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day…
∗∗∗ LimeRAT Malware Analysis: Extracting the Config ∗∗∗
---------------------------------------------
ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis.
---------------------------------------------
https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html
∗∗∗ Healthy security habits to fight credential breaches: Cyberattack Series ∗∗∗
---------------------------------------------
This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we’ll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/04/26/healthy-security-h…
∗∗∗ Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware ∗∗∗
---------------------------------------------
Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp.
---------------------------------------------
https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html
∗∗∗ RTM Locker's First Linux Ransomware Strain Targeting NAS and ESXi Hosts ∗∗∗
---------------------------------------------
The threat actors behind RTM Locker have developed a ransomware strain that's capable of targeting Linux machines, marking the group's first foray into the open source operating system.
---------------------------------------------
https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html
∗∗∗ LUKS: Old encrypted containers insecure? A guide to updates ∗∗∗
---------------------------------------------
Allegedly, the French police were able to crack a LUKS container. No reason to panic, but an occasion to question passwords and LUKS parameters.
---------------------------------------------
https://heise.de/-8981054
∗∗∗ State of DNS Rebinding in 2023 ∗∗∗
---------------------------------------------
This update documents the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two potential ways to bypass these restrictions.
---------------------------------------------
https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/
∗∗∗ Bringing IT & OT Security Together: Part 1 ∗∗∗
---------------------------------------------
Learn about the evolution of converged IT/OT environments and the impact on security control validation in this new blog series.
---------------------------------------------
https://www.safebreach.com/resources/blog/bringing-it-and-ot-security-toget…
=====================
= Vulnerabilities =
=====================
∗∗∗ Online shop system PrestaShop: Attackers could manipulate the database ∗∗∗
---------------------------------------------
A critical security vulnerability threatens online shops built with PrestaShop. Secured versions are available.
---------------------------------------------
https://heise.de/-8980645
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial).
---------------------------------------------
https://lwn.net/Articles/930367/
∗∗∗ Apache Superset: Vulnerability CVE-2023-27524 enables remote code execution (RCE) ∗∗∗
---------------------------------------------
A brief note for users who run Apache Superset in their environment. In the default configuration, the software can be attacked via a remote code execution vulnerability. This becomes a problem when the server is reachable from the Internet.
---------------------------------------------
https://www.borncity.com/blog/2023/04/27/apache-superset-schwachstelle-cve-…
∗∗∗ F5: K000133673 : Bootstrap vulnerability CVE-2016-10735 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133673
∗∗∗ F5: K000133652 : Python vulnerability CVE-2018-18074 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133652
∗∗∗ F5: K000133448 : Python urllib3 vulnerability CVE-2019-11324 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133448
∗∗∗ F5: K000133668 : Python urllib3 vulnerability CVE-2018-20060 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133668
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986343
∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986341
∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986361
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986365
∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities in Node.js (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985675
∗∗∗ IBM Integration Designer is vulnerable to a denial of service due to commons-fileupload-1.4.jar (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986509
∗∗∗ Vulnerability in libXpm (CVE-2022-4883, CVE-2022-44617 and CVE-2022-46285) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986543
∗∗∗ Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986547
∗∗∗ Multiple publicly disclosed Libcurl vulnerabilities affect IBM Safer Payments ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986573
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to [CVE-2022-37601] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986575
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986577
∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986323
∗∗∗ Multiple vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986585
∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24966) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986619
∗∗∗ Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986617
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29017] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986625
∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986629
∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6986627
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-04-2023 18:00 − Wednesday 26-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Never Connect to RDP Servers Over Untrusted Networks ∗∗∗
---------------------------------------------
In this article, we will demonstrate why connecting using the Remote Desktop Protocol (RDP) must be avoided on untrusted networks like in hotels, conferences, or public Wi-Fi. Protecting the connection with a VPN or a Remote Desktop Gateway is the only safe alternative.
---------------------------------------------
https://www.gosecure.net/blog/2023/04/26/never-connect-to-rdp-servers-over-…
∗∗∗ So you think you can block Macros? ∗∗∗
---------------------------------------------
For the purpose of securing Microsoft Office installs we see many of our customers moving to a macro signing strategy. Furthermore, Microsoft is trying to battle macro malware by enforcing Mark-of-the-Web (MotW) control on macro-enabled documents. In this blog we will dive into some of the quirks of Microsoft Office macro security, various commonly used configuration options and their bypasses.
---------------------------------------------
https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/
∗∗∗ Google Authenticator: Warning - backup of the secret "seed" in plaintext ∗∗∗
---------------------------------------------
Google has given the Authenticator a backup of the secrets needed to generate the one-time passwords. However, Google receives this data in plaintext.
---------------------------------------------
https://heise.de/-8979932
∗∗∗ VMware Workstation and Fusion: Vendor patches critical zero-day vulnerability ∗∗∗
---------------------------------------------
VMware patches security vulnerabilities, some of them critical, in Workstation and Fusion. Because they were demonstrated at the Pwn2Own conference, they are zero-days.
---------------------------------------------
https://heise.de/-8979106
∗∗∗ GuLoader returns with a rotten shipment ∗∗∗
---------------------------------------------
We take a look at a GuLoader campaign which comes bundled with an Italian language fake shipment email.
---------------------------------------------
https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rott…
∗∗∗ How to stay up to date with Watchlist Internet! ∗∗∗
---------------------------------------------
Watchlist Internet's offering is growing steadily: we give you an overview of how to stay up to date with us on Internet fraud, which offerings you can find where, and which channels we are present on.
---------------------------------------------
https://www.watchlist-internet.at/news/so-bleiben-sie-mit-der-watchlist-int…
∗∗∗ Hackers attack critical security vulnerability in PaperCut printing software ∗∗∗
---------------------------------------------
They can take control of a PaperCut server. In addition, example code for an exploit is now publicly available.
---------------------------------------------
https://www.zdnet.de/88408703/hacker-greifen-kritische-sicherheitsluecke-in…
∗∗∗ Attackers Use Containers for Profit via TrafficStealer ∗∗∗
---------------------------------------------
We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2023-0008 ∗∗∗
---------------------------------------------
VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0008.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0).
---------------------------------------------
https://lwn.net/Articles/930258/
∗∗∗ Insecure authentication in B420 legacy communication module ∗∗∗
---------------------------------------------
BOSCH-SA-341298-BT: An authentication vulnerability was found in the B420 Ethernet communication module from Bosch Security Systems. This is a legacy product which is currently obsolete and was announced to reach End of Life (EoL) in 2013. The B420 was last sold in July 2013 and was replaced by the B426. An EoL notice was provided to customers.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-341298-bt.html
∗∗∗ Scada-LTS Third Party Component ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02
∗∗∗ Keysight N8844A Data Analytics Web Service ∗∗∗
---------------------------------------------
Successful exploitation of this vulnerability could lead to remote code execution.
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-01
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-…
∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in Huawei HiLink AI Life Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvihha…
∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-…
∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗
---------------------------------------------
https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahp…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-04-2023 18:00 − Tuesday 25-04-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Intel CPUs vulnerable to new transient execution side-channel attack ∗∗∗
---------------------------------------------
A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new…
∗∗∗ New .NET Malware “WhiteSnake” Targets Python Developers, Uses Tor for C&C Communication ∗∗∗
---------------------------------------------
The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks. Our team identified 22 malicious packages, containing the same payload, targeting both Windows and Linux systems[...]
---------------------------------------------
https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c…
∗∗∗ Release of a Technical Report into Intel Trust Domain Extensions ∗∗∗
---------------------------------------------
Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intel's Trust Domain Extensions (TDX). [...] The result of the review was the discovery of 10 confirmed security vulnerabilities which were fixed before the final release of products with the TDX feature. The final report highlights the most interesting of these issues and provides an overview of the feature's architecture. 5 additional areas were identified for defense-in-depth changes [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-…
∗∗∗ New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) ∗∗∗
---------------------------------------------
Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported.
---------------------------------------------
https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-2955…
∗∗∗ PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published ∗∗∗
---------------------------------------------
The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users.
---------------------------------------------
https://securityonline.info/poc-for-pre-auth-rce-in-sophos-web-appliance-cv…
∗∗∗ Attackers are logging in instead of breaking in ∗∗∗
---------------------------------------------
Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data, analyzed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 “Living off the Land” binaries (LOLBins). Unlike malware, LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity.
---------------------------------------------
https://www.helpnetsecurity.com/2023/04/25/attacks-dwell-time/
∗∗∗ Fake Facebook page of Tiergarten Schönbrunn spreads fake prize draw ∗∗∗
---------------------------------------------
The fake Facebook page "ZooPark Wien" is spreading a fraudulent prize draw. The post raffles off 4 admission tickets. Participants only have to comment on the post with "Alles Gute zum Geburtstag" ("Happy birthday"). With this prize draw, however, criminals are trying to obtain your credit card details and lure you into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-facebook-seite-vom-tierg…
=====================
= Vulnerabilities =
=====================
∗∗∗ CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution ∗∗∗
---------------------------------------------
Apache Superset is an open source data visualization and exploration tool. [...] there are more than 3000 instances of it exposed to the Internet. [...] at least 2000 (two-thirds of all servers) – are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code.
---------------------------------------------
https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-ap…
∗∗∗ Xen Security Advisory CVE-2022-42335 / XSA-430 - x86 shadow paging arbitrary pointer dereference ∗∗∗
---------------------------------------------
Guests running in shadow mode and having a PCI device passed through may be able to cause Denial of Service and other problems; escalation of privilege cannot be ruled out.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-430.html
∗∗∗ Zyxel closes security vulnerabilities, some of them critical, in firewalls and access points ∗∗∗
---------------------------------------------
Zyxel has issued warnings about security vulnerabilities in firewalls and access points. Firmware updates to seal the leaks are available.
---------------------------------------------
https://heise.de/-8977831
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi-controller-container, cdi-importer-container, cdi-operator-container, cdi-uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools-container, virt-operator-container, ovmf, and protobuf-c).
---------------------------------------------
https://lwn.net/Articles/930128/
∗∗∗ WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN00971105/
∗∗∗ ZDI-23-458: SolarWinds Network Performance Monitor TFTP Link Following Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-458/
∗∗∗ ZDI-23-457: SolarWinds Network Performance Monitor ExecuteExternalProgram Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-457/
∗∗∗ F5: K000133630 : Intel processor vulnerability CVE-2022-26343 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133630
∗∗∗ F5: K000133633 : Intel BIOS firmware vulnerability CVE-2022-32231 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133633
∗∗∗ Multiple Vulnerabilities Patched in Shield Security ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-…
∗∗∗ Belden: 2022-26 Multiple libexpat vulnerabilities in HiOS, Classic, HiSecOS, Wireless BAT-C2, Lite Managed, Edge ∗∗∗
---------------------------------------------
https://assets.belden.com/m/6f2d4e1f6bbaeb54/original/BSECV-2022-26.pdf
∗∗∗ Belden: 2022-29 strongSwan: integer overflow when replacing certificates in cache ∗∗∗
---------------------------------------------
https://assets.belden.com/m/25e4130e915c61a1/original/Belden_Security_Bulle…
∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202304.1 ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2023-18
∗∗∗ Nextcloud: Missing brute force protection for passwords of password protected share links ∗∗∗
---------------------------------------------
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r…
∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985649
∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985651
∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985667
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when an Out of Memory occurs. (CVE-2023-26022) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985669
∗∗∗ IBM® Db2® is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985677
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985681
∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985683
∗∗∗ IBM® Db2® is vulnerable to a denial of service as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985687
∗∗∗ IBM® Db2® is vulnerable to remote code execution as a database administrator of one database may execute code or read/write files from another database within the same instance. (CVE-2023-29257) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985691
∗∗∗ IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2023-27860) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985679
∗∗∗ Multiple vulnerabilities affect IBM Db2® Graph ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985689
∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to IBM HTTP Server (CVE-2023-26281) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985851
∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6959969
∗∗∗ IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984347
∗∗∗ IBM Safer Payments is vulnerable to OpenSSL Denial of Service Attack (CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985865
∗∗∗ TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985905
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-04-2023 18:00 − Monday 24-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Decoy Dog malware toolkit found after analyzing 70 billion DNS queries ∗∗∗
---------------------------------------------
A new enterprise-targeting malware toolkit called Decoy Dog has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-fo…
∗∗∗ Open Source: Deleted Curl instance breaks Windows updates ∗∗∗
---------------------------------------------
Even when security scanners warn about unpatched software, Windows system components such as Curl should not be tampered with.
---------------------------------------------
https://www.golem.de/news/open-source-geloeschte-curl-instanz-zerschiesst-w…
∗∗∗ New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web ∗∗∗
---------------------------------------------
A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said.
---------------------------------------------
https://thehackernews.com/2023/04/new-all-in-one-evilextractor-stealer.html
∗∗∗ XWorm RAT: Avira security experts warn of malware ∗∗∗
---------------------------------------------
Security experts from Avira warn of the XWorm RAT malware.
---------------------------------------------
https://heise.de/-8976282
∗∗∗ "Emergency start" via CAN bus hack: Old Nokia phone enables car theft at the click of a button ∗∗∗
---------------------------------------------
The recently demonstrated CAN injection attack on the Controller Area Network bus system is having wider repercussions. More and more kits for "emergency starting" are appearing.
---------------------------------------------
https://heise.de/-8976444
∗∗∗ Bumblebee malware: Hunting for victims with malvertising for trojanized installers ∗∗∗
---------------------------------------------
IT researchers have discovered trojanized installers for professional software. They are reportedly promoted through malvertising and contain the Bumblebee malware.
---------------------------------------------
https://heise.de/-8977016
∗∗∗ Fake shops for car tires are booming ∗∗∗
---------------------------------------------
Are you looking for cheap car tires online? Take a close look at the online shop, because countless fake shops are circulating! The fraudulent shops look very professional, have a legal notice (Impressum) and unbeatable prices. We show you how to check shops.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-fuer-autoreifen-boomen/
∗∗∗ TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal ∗∗∗
---------------------------------------------
Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451.
---------------------------------------------
https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-20…
∗∗∗ Updates and Timeline for 3CX and X_Trader Hacks ∗∗∗
---------------------------------------------
Mandiant revealed this week that the hack of 3CX was actually a double supply-chain hack that first involved hacking and compromising another company's software. Here's a timeline of the events.
---------------------------------------------
https://zetter.substack.com/p/updates-and-timeline-for-3cx-and
∗∗∗ Almost two thirds of XIoT vulnerabilities remotely exploitable ∗∗∗
---------------------------------------------
In security terms, a disaster is probably looming - I have had Claroty's State of XIoT Security Report: 2H 2022 for a few days now. It does show the positive effects of increased vulnerability research and higher vendor investment in XIoT security. But the message is also that the number of vulnerabilities discovered in this area has increased by 80 %. Many XIoT vulnerabilities are also remotely exploitable.
---------------------------------------------
https://www.borncity.com/blog/2023/04/23/knapp-zwei-drittel-der-xiot-schwac…
∗∗∗ ViperSoftX Updates Encryption, Steals Data ∗∗∗
---------------------------------------------
We observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious. We also noted more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryptio…
∗∗∗ Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries ∗∗∗
---------------------------------------------
What if you were told that you had a misconfigured registry with hundreds of millions of software artifacts containing highly confidential and sensitive proprietary code and secrets exposed in your environment right now? This would be what you’d call a really bad day for security. Recently, the Aqua Nautilus research team found just that in some of the world’s largest organizations, including five Fortune 500 companies.
---------------------------------------------
https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges ∗∗∗
---------------------------------------------
The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges.
---------------------------------------------
https://blog.talosintelligence.com/vuln-spotlight-ibm-aix-privilege-escalat…
∗∗∗ APC warns of critical unauthenticated RCE flaws in UPS software ∗∗∗
---------------------------------------------
APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/apc-warns-of-critical-unauth…
∗∗∗ Patch now! Attackers are targeting the print management solution Papercut MF/NG ∗∗∗
---------------------------------------------
A critical vulnerability endangers systems running Papercut. Security updates are available.
---------------------------------------------
https://heise.de/-8976755
∗∗∗ Solarwinds update seals two high-risk vulnerabilities ∗∗∗
---------------------------------------------
Solarwinds is closing several vulnerabilities with software updates, two of which are considered high-risk. IT administrators should update promptly.
---------------------------------------------
https://heise.de/-8976832
∗∗∗ Security patches: Attackers could target Nvidia Cuda, DGX-1 & Co. ∗∗∗
---------------------------------------------
Nvidia has released important security updates for various products. Admins should act quickly.
---------------------------------------------
https://heise.de/-8976961
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (389-ds-base, chromium, connman, curl, redis, and thunderbird), Fedora (ceph, doctl, dr_libs, ffmpeg, freeimage, golang-github-digitalocean-godo, insight, libreswan, mingw-binutils, mingw-freeimage, mingw-freetype, openvswitch, rnp, suricata, webkitgtk, and wireshark), Mageia (dnsmasq, emacs, openimageio, php-smarty, redis, squirrel/supertux, and tcpdump), Red Hat (emacs), and SUSE (avahi, chromium, dmidecode, indent, jettison, openssl, openstack-cinder, openstack-nova, python-oslo.utils, and ovmf).
---------------------------------------------
https://lwn.net/Articles/930052/
∗∗∗ Multiple Vulnerabilities in Autodesk® InfraWorks® Software ∗∗∗
---------------------------------------------
Autodesk® InfraWorks® has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Hotfixes are available in the Autodesk Desktop App or the Accounts Portal to help resolve these vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0007
∗∗∗ ZDI-23-451: (Pwn2Own) TP-Link Archer AX21 merge_country_config Command Injection Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-451/
∗∗∗ ZDI-23-452: (Pwn2Own) TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-23-452/
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-04-2023 18:00 − Friday 21-04-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform ∗∗∗
---------------------------------------------
Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victim's Google account.
---------------------------------------------
https://thehackernews.com/2023/04/ghosttoken-flaw-could-let-attackers.html
∗∗∗ Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining ∗∗∗
---------------------------------------------
A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html
∗∗∗ VoIP provider 3CX: The double supply chain attack ∗∗∗
---------------------------------------------
An analysis shows that the distribution of 3CX's compromised VoIP client traces back to a preceding supply chain attack.
---------------------------------------------
https://heise.de/-8974948
∗∗∗ CVE-2022-29844: A Classic Buffer Overflow on the Western Digital My Cloud Pro Series PR4100 ∗∗∗
---------------------------------------------
This post covers an exploit chain demonstrated by Luca Moro (@johncool__) during Pwn2Own Toronto 2022. At the contest, he used a classic buffer overflow to gain code execution on the My Cloud Pro Series PR4100 Network Attached Storage (NAS) device. He also displayed a nifty message on the device.
---------------------------------------------
https://www.zerodayinitiative.com/blog/2023/4/19/cve-2022-29844-a-classic-b…
∗∗∗ GitHub Announces New Security Improvements ∗∗∗
---------------------------------------------
GitHub this week introduced NPM package provenance and deployment protection rules and announced general availability of private vulnerability reporting.
---------------------------------------------
https://www.securityweek.com/github-announces-new-security-improvements/
∗∗∗ Abandoned WordPress Plugin Abused for Backdoor Deployment ∗∗∗
---------------------------------------------
Attackers are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject PHP code into web pages.
---------------------------------------------
https://www.securityweek.com/abandoned-wordpress-plugin-abused-for-backdoor…
∗∗∗ Online retailers beware: Criminals place fake orders and reclaim the money via SEPA direct debit ∗∗∗
---------------------------------------------
Criminals are currently trying to get at online retailers' money with supposed orders: the criminals "accidentally" order too much and then demand the amount already paid back from the retailers. At the same time, the fraudsters exploit the SEPA direct debit feature under which payment disputes are automatically accepted within a certain period.
---------------------------------------------
https://www.watchlist-internet.at/news/online-haendlerinnen-aufgepasst-krim…
=====================
= Vulnerabilities =
=====================
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0003 ∗∗∗
---------------------------------------------
CVE identifiers: CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2023-0003.html
∗∗∗ VMSA-2023-0007 ∗∗∗
---------------------------------------------
VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2023-0007.html
∗∗∗ OpenSSL: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255) ∗∗∗
---------------------------------------------
Severity: Low Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash.
---------------------------------------------
https://www.openssl.org/news/secadv/20230420.txt
∗∗∗ Critical vulnerabilities threaten Cisco Industrial Network Director and Modeling Labs ∗∗∗
---------------------------------------------
Important security updates are available for several Cisco products. Two vulnerabilities are considered critical.
---------------------------------------------
https://heise.de/-8975027
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf).
---------------------------------------------
https://lwn.net/Articles/929828/
∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-ex…
∗∗∗ IBM InfoSphere DataStage Flow Designer is vulnerable to Server-Side Request Forgery ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6509084
∗∗∗ Python is vulnerable to CVE-2022-26488 used in IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985049
∗∗∗ iText.jar in Tom Sawyer Perspective is vulnerable to XML External Entity ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985225
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-04-2023 18:00 − Thursday 20-04-2023 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Vulnerability allows thieves to take over iPhones ∗∗∗
---------------------------------------------
Criminals use a security vulnerability to gain access to their victims' Apple IDs.
---------------------------------------------
https://futurezone.at/produkte/schwachstelle-diebstahl-iphones-uebernehmen-…
∗∗∗ Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads ∗∗∗
---------------------------------------------
A new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. [..] Following responsible disclosure to Google, 36 of the 63 offending apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove the malicious library.
---------------------------------------------
https://thehackernews.com/2023/04/goldoson-android-malware-infects-over.html
∗∗∗ The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks ∗∗∗
---------------------------------------------
The mass compromise of the VoIP firm's customers is the first confirmed incident where one software supply chain attack enabled another, researchers say.
---------------------------------------------
https://www.wired.com/story/3cx-supply-chain-attack-times-two/
∗∗∗ ‘AuKill’ EDR killer malware abuses Process Explorer driver ∗∗∗
---------------------------------------------
The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system.
---------------------------------------------
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-p…
∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗
---------------------------------------------
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog post, we will show the other vulnerable functions we were able to exploit.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-nam…
∗∗∗ Increased attacks on Cisco routers and switches running Cisco IOS and IOS-XE ∗∗∗
---------------------------------------------
Several security agencies and Cisco itself warn of the increased exploitation of old vulnerabilities in Cisco IOS and IOS-XE.
---------------------------------------------
https://heise.de/-8973626
∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023) ∗∗∗
---------------------------------------------
Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.
---------------------------------------------
https://www.wordfence.com/blog/2023/04/wordfence-intelligence-weekly-wordpr…
∗∗∗ LockBit ransomware prepares attacks on Apple ∗∗∗
---------------------------------------------
Hackers have apparently developed their malware further and put a new variant into circulation that targets Apple computers.
---------------------------------------------
https://www.zdnet.de/88408574/lockbit-ransomware-bereitet-angriffe-auf-appl…
∗∗∗ CISA and Partners Release Cybersecurity Best Practices for Smart Cities ∗∗∗
---------------------------------------------
Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that—if exploited—could impact national security, economic security, public health and safety, and critical infrastructure operations.
---------------------------------------------
https://www.cisa.gov/news-events/alerts/2023/04/19/cisa-and-partners-releas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005 ∗∗∗
---------------------------------------------
Security risk: Moderately critical
The file download facility doesn't sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to. Some sites may require configuration changes following this security release.
---------------------------------------------
https://www.drupal.org/sa-core-2023-005
∗∗∗ Cisco Security Advisories Published on April 19, 2023 - 2 Critical, 2 High, 2 Medium ∗∗∗
---------------------------------------------
* StarOS Software Key-Based SSH Authentication Privilege Escalation Vulnerability
* SD-WAN vManage Software Arbitrary File Deletion Vulnerability
* TelePresence Collaboration Endpoint and RoomOS Arbitrary File Write Vulnerabilities
* Industrial Network Director Vulnerabilities
* Modeling Labs External Authentication Bypass Vulnerability
* BroadWorks Network Server TCP Denial of Service Vulnerability
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ Several malicious-code vulnerabilities closed in Foxit PDF ∗∗∗
---------------------------------------------
Anyone using Foxit PDF Reader or PDF Editor on Windows is vulnerable.
---------------------------------------------
https://heise.de/-8974063
∗∗∗ Stable Channel Update for Desktop ∗∗∗
---------------------------------------------
The Stable and extended stable channel has been updated to 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and 112.0.5615.165 for Linux which will roll out over the coming days/weeks. [..] Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
---------------------------------------------
http://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desk…
∗∗∗ Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin ∗∗∗
---------------------------------------------
On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites.
---------------------------------------------
https://www.wordfence.com/blog/2023/04/blubrry-addresses-authenticated-stor…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (golang-1.11), Fedora (chromium, golang-github-cenkalti-backoff, golang-github-cli-crypto, golang-github-cli-gh, golang-github-cli-oauth, golang-github-gabriel-vasile-mimetype, libpcap, lldpd, parcellite, tcpdump, thunderbird, and zchunk), Red Hat (java-11-openjdk, java-17-openjdk, and kernel), SUSE (chromium, dnsmasq, ImageMagick, nodejs16, openssl-1_0_0, openssl1, ovmf, and python-Flask), and Ubuntu (dnsmasq, libxml2, linux, linux-aws, linux-aws-5.4, linux-azure, linu linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15 linux-oracle, linux-raspi2, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and linux-snapdragon).
---------------------------------------------
https://lwn.net/Articles/929671/
∗∗∗ Chromium: CVE-2023-2136 Integer overflow in Skia ∗∗∗
---------------------------------------------
This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2023-2136 exists in the wild.
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2136
∗∗∗ Spring Boot 2.7.11 available now fixing CVE-2023-20873 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/20/spring-boot-2-7-11-available-now-fixing-c…
∗∗∗ Spring Boot 3.0.6 available now fixing CVE-2023-20873 ∗∗∗
---------------------------------------------
https://spring.io/blog/2023/04/20/spring-boot-3-0-6-available-now-fixing-cv…
∗∗∗ Security Vulnerabilities have been identified in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6953617
∗∗∗ Unprivileged GPU access vulnerability - CVE-2013-5987 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/864038
∗∗∗ Multiple vulnerabilities found in third party libraries used by IBM® MobileFirst Platform ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984763
∗∗∗ Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server used by IBM Maximo Application Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984785
∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js npm module information disclosure (CVE-2022-29244) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984799
∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984945
∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984957
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service and security bypass (CVE-2018-10237, CVE-2020-8908) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984959
∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service (CVE-2022-42004, CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984967
∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure and denial of service (CVE-2021-31403, CVE-2021-33609) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984971
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service (CVE-2022-24839) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984973
∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution (CVE-2020-10650) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984963
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984969
∗∗∗ Security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2023-24998) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984965
∗∗∗ IBM Rational Build Forge is vulnerable and could allow an unauthenticated attacker to obtain sensitive information due to the use of JSSE component (CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984975
∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to the ua-parser-js module (CVE-2022-25927) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6984987
∗∗∗ Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6839127
∗∗∗ Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6967213
∗∗∗ CVE-2022-3676 may affect IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6839777
∗∗∗ IBM Rational Build Forge is vulnerable and could allow attacker to obtain sensitive information due to the use of JSSE component (CVE-2021-35550) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985007
∗∗∗ CVE-2023-30441 affects IBM® SDK, Java™ Technology Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6985011
∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6983236
∗∗∗ INEA ME RTU ∗∗∗
---------------------------------------------
https://www.cisa.gov/news-events/ics-advisories/icsa-23-110-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-04-2023 18:00 − Wednesday 19-04-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Critical Patch Update: Oracle addresses 433 security vulnerabilities ∗∗∗
---------------------------------------------
Software vendor Oracle has released numerous security updates for its applications. Some vulnerabilities are considered critical.
---------------------------------------------
https://heise.de/-8971485
∗∗∗ Security updates: Dell only now secures laptops vulnerable since 2022 ∗∗∗
---------------------------------------------
BIOS updates for Dell models including the Alienware and Inspiron series close two security vulnerabilities.
---------------------------------------------
https://heise.de/-8971821
∗∗∗ When old routers give away company secrets ∗∗∗
---------------------------------------------
When decommissioning their old hardware, many companies throw the baby out with the bathwater.
---------------------------------------------
https://www.welivesecurity.com/deutsch/2023/04/18/wenn-alte-router-firmenge…
∗∗∗ Hackers actively exploit critical RCE bug in PaperCut servers ∗∗∗
---------------------------------------------
Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-cri…
∗∗∗ Zaraza Bot Targets Google Chrome to Extract Login Credentials ∗∗∗
---------------------------------------------
The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers.
---------------------------------------------
https://www.darkreading.com/remote-workforce/zaraza-bot-targets-google-chro…
∗∗∗ SecurePwn Part 1: Bypassing SecurePoint UTM’s Authentication (CVE-2023-22620) ∗∗∗
---------------------------------------------
While working on a recent customer penetration test, I discovered two fascinating and somewhat weird bugs in SecurePoint’s UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an attacker to bypass the entire authentication and gain access to the firewall’s administrative panel. [...] The second one, aka CVE-2023-22897 is a heartbleed-like bug that allows the leaking of remote memory contents and is discussed in a second blog post.
---------------------------------------------
https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-…
∗∗∗ SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897) ∗∗∗
---------------------------------------------
While my last finding affecting SecurePoint’s UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. [...] I’ve responsibly coordinated both vulnerabilities with the vendor SecurePoint and notified them about both issues on 5th January 2023. They did an amazing job acknowledging the vulnerability and providing a fix within a single business day. I barely see (hardware) vendors reacting so fast. Well done!
---------------------------------------------
https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-…
∗∗∗ Threat Actors Rapidly Adopt Web3 IPFS Technology ∗∗∗
---------------------------------------------
Web3 technologies are seeing widespread adoption — including by TAs. We discuss Web3 technology InterPlanetary File System (IPFS), and malicious use of it.
---------------------------------------------
https://unit42.paloaltonetworks.com/ipfs-used-maliciously/
∗∗∗ Play Ransomware Group Using New Custom Data-Gathering Tools ∗∗∗
---------------------------------------------
Tools allow attackers to harvest data typically locked by the operating system.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/threat-intelligence/play-ran…
∗∗∗ Raspberry Robin: Anti-Evasion How-To & Exploit Analysis ∗∗∗
---------------------------------------------
During the last year, Raspberry Robin has evolved to be one of the most distributed malware currently active. During this time, it is likely to be used by many actors to distribute their own malware such as IcedID, Clop ransomware and more.
---------------------------------------------
https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-ex…
∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗
---------------------------------------------
In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog [...]
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/breaking-docker-nam…
∗∗∗ DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks ∗∗∗
---------------------------------------------
NoName057(16) is still conducting DDoS attacks on the websites of institutions and companies in European countries. The new Go variant of bots implemented an authentication mechanism to communicate with C2 servers and their proxies. Moreover, the mechanism also provides IP address blocklisting, presumably to hinder the tracking of the project.
---------------------------------------------
https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Web browser: New zero-day vulnerability in Google Chrome ∗∗∗
---------------------------------------------
Cybercriminals are attacking a new zero-day vulnerability in the Chrome web browser in the wild. Google is distributing software updates to close the vulnerability.
---------------------------------------------
https://heise.de/-8971427
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (asterisk), Fedora (lldpd and openssh), Red Hat (curl, kernel, and openvswitch2.13), SUSE (compat-openssl098, glib2, grafana, helm, libgit2, openssl, and openssl-1_1), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and vim).
---------------------------------------------
https://lwn.net/Articles/929533/
∗∗∗ Research by Positive Technologies helps to fix vulnerabilities in Nokia NetAct network management system ∗∗∗
---------------------------------------------
Nokia has fixed five vulnerabilities in Nokia NetAct found by Positive Technologies experts Vladimir Razov and Alexander Ustinov. Nokia NetAct is used by more than 500 communications service providers to monitor and control telecommunication networks, base stations, and other systems. The vendor was notified of the threat as part of standard responsible disclosure and has fixed the vulnerabilities in new versions of the software.
---------------------------------------------
https://www.ptsecurity.com/ww-en/about/news/research-by-positive-technologi…
∗∗∗ WordPress plugin "LIQUID SPEECH BALLOON" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN99657911/
∗∗∗ Oracle Critical Patch Update Advisory - April 2023 ∗∗∗
---------------------------------------------
https://www.oracle.com/security-alerts/cpuapr2023.html
∗∗∗ K000133390 : Apache Tomcat vulnerability CVE-2022-45143 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133390
∗∗∗ K000133547 : Python urllib3 vulnerability CVE-2020-26137 ∗∗∗
---------------------------------------------
https://my.f5.com/manage/s/article/K000133547
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily