- Daily - CERT.at

Tageszusammenfassung - 18.04.2023
by Daily end-of-shift report 18 Apr '23

18 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Montag 17-04-2023 18:00 − Dienstag 18-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Recycled Core Routers Exposed Sensitive Corporate Network Info ∗∗∗ --------------------------------------------- Researchers warn about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/recycled-core-routers-e… ∗∗∗ YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) thats used to deliver the Aurora information stealer malware. --------------------------------------------- https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html ∗∗∗ Memory corruption in JCRE: An unpatchable HSM may swallow your private key ∗∗∗ --------------------------------------------- The key has always been a core target of security protection. Due to the limitation of key slots, most cryptocurrency hardware wallets use MCU chips (such as STM32F205RE) to implement. However, people who have higher security requirements to safeguarding the private keys are often interested in Java cards [...] --------------------------------------------- https://hardenedvault.net/blog/2023-04-18-java-card-runtime-memory-corrupti… ∗∗∗ Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight ∗∗∗ --------------------------------------------- [...] In order to truly protect ourselves from RaaS gangs, we have to ‘peel back the onion’, so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage. One of the most concerning behaviors we’ve observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more. --------------------------------------------- https://www.malwarebytes.com/blog/business/2023/04/living-off-the-land-lotl… ∗∗∗ New Captcha Protected Phishing Attack Targets Access to Payroll Files ∗∗∗ --------------------------------------------- We have discovered a new phishing attack that specifically targets individuals who need access to payroll files through Microsoft Teams. --------------------------------------------- https://cyberwarzone.com/new-captcha-protected-phishing-attack-targets-acce… ∗∗∗ Sicherheitsupdates: Trend Micro Security macht Windows-PCs verwundbar ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Update für die Anti-Viren-Anwendung Trend Micro Security für Windows. --------------------------------------------- https://heise.de/-8969449 ∗∗∗ US-Behörde: Schwachstelle in altem macOS wird für Angriffe ausgenutzt ∗∗∗ --------------------------------------------- Nach Informationen der Cyber-Sicherheitsbehörde gibt es Hinweise auf aktiv durchgeführte Angriffe. Für sehr alte Macs liegen keine Patches vor. --------------------------------------------- https://heise.de/-8970903 ∗∗∗ Kleinanzeigenbetrug: Vorsicht, wenn jemand per Scheck bezahlen möchte ∗∗∗ --------------------------------------------- Sie verkaufen ein Fahrrad auf Ländleanzeiger.at. Ein Interessent meldet sich und möchte es kaufen. Weil der Interessent gerade keinen Zugriff auf sein Bankkonto hat, möchte er es per Scheck bezahlen. Nach einigen Tagen kommt tatsächlich ein Scheck an – aber mit einem viel zu hohen Betrag. Vorsicht: Der Scheck ist Fake. Brechen Sie den Kontakt ab, Sie werden betrogen. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-wenn-je… ∗∗∗ Shodan Verified Vulns 2023-04-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-04-01 sieht Shodan in Österreich die folgenden Schwachstellen: Dieses Monat stechen keine wirklich nennenswerten Veränderungen ins Auge. --------------------------------------------- https://cert.at/de/aktuelles/2023/4/shodan-verified-vulns-2023-04-01 ∗∗∗ APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers ∗∗∗ --------------------------------------------- APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108 ∗∗∗ Windows 10/11: Microsoft veröffentlicht Fix für OOBE-Bitlocker-Ausfall-Bug ∗∗∗ --------------------------------------------- Microsoft propagiert zwar Bitlocker zur Verschlüsselung von Laufwerken unter Windows. Aber es gibt immer wieder Bugs, die die Verschlüsselung verhindern oder Dritten unbefugten Zugriff auf verschlüsselte Laufwerke ermöglichen. Ein Microsoft Supporter hat jetzt einen Fall enthüllt, bei dem Bitlocker in der Out-of-the-Box (OOBE) Phase der Windows-Installation nicht aktiviert wird. --------------------------------------------- https://www.borncity.com/blog/2023/04/18/windows-10-11-microsoft-verffentli… ∗∗∗ Automating Qakbot Detection at Scale With Velociraptor ∗∗∗ --------------------------------------------- This blog offers a practical methodology to extract configuration data from recent Qakbot samples. --------------------------------------------- https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-… ===================== = Vulnerabilities = ===================== ∗∗∗ Garrett: PSA: upgrade your LUKS key derivation function ∗∗∗ --------------------------------------------- [...] the LUKS1 header format, and the only KDF supported in this format is PBKDF2. This is not a memory expensive KDF, and so is vulnerable to GPU-based attacks. But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id. --------------------------------------------- https://lwn.net/Articles/929343/ ∗∗∗ New sandbox escape PoC exploit available for VM2 library, patch now ∗∗∗ --------------------------------------------- Security researchers have released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on the host running the VM2 sandbox. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-explo… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (protobuf), Fedora (libpcap, libxml2, openssh, and tcpdump), Mageia (kernel and kernel-linus), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (gradle, kernel, nodejs10, nodejs12, nodejs14, openssl-3, pgadmin4, rubygem-rack, and wayland), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/929389/ ∗∗∗ Multiple critical vulnerabilities in Strapi versions <=4.7.1 ∗∗∗ --------------------------------------------- Strapi had multiple critical vulnerabilities that could be chained together to gain unauthenticated remote code execution. This is my public disclosure of the vulnerabilities i found in strapi, how they were patched and some nonsensical ramblings. --------------------------------------------- https://www.ghostccamm.com/blog/multi_strapi_vulns/ ∗∗∗ Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/04/hiding-in-plain-sight-cross-site-scr… ∗∗∗ Omron CS/CJ Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-108-01 ∗∗∗ Spring Security 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 released, fix CVE-2023-20862 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/04/17/spring-security-6-1-0-rc1-6-0-3-5-8-3-and… ∗∗∗ Kubernetes kube-apiserver vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982927 ∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/search?q=IBM%20Sterling%20Order%… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984199 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in libcurl (CVE-2022-32221) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984203 ∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854647 ∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server and Websphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2023-24998)) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984345 ∗∗∗ Security Bulletin: The IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984347 ∗∗∗ Vulnerabilities in Apache Shiro (CVE-2022-40664) and Apache Commons FileUpload (CVE-2023-24998) affect IBM WebSphere Service Registry and Repository. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962169 ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984413 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2023
by Daily end-of-shift report 17 Apr '23

17 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-04-2023 18:00 − Montag 17-04-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Juice Jacking: FBI warnt ohne Anlass vor öffentlichen USB-Ladestationen ∗∗∗ --------------------------------------------- Angreifer könnten USB-Ladestationen an Flughäfen & Co. kompromittieren, um so Malware auf Smartphones zu schieben. Das ist jedoch nicht wirklich aktuell. --------------------------------------------- https://heise.de/-8966067 ∗∗∗ Zero-Day: Pinduoduo konnte Daten stehlen und Malware installieren ∗∗∗ --------------------------------------------- Die chinesische Android-App Pinduoduo konnte eine Zero-Day-Lücke in Android missbrauchen. Die CISA mahnt zum Anwenden des Android-Updates. --------------------------------------------- https://heise.de/-8968204 ∗∗∗ Sonderupdate: Google Chrome 112.0.5615.121 und Edge 112.0.1722.48 ∗∗∗ --------------------------------------------- Google hat zum 14. April 2023 außerplanmäßig Updates des Google Chrome Browsers 112 im Extended und Stable Channel für Mac, Linux und Windows freigegeben. Microsoft hat gleichzeitig den Edge Version 112 aktualisiert. Es sind Sicherheitsupdates, welche die als hoch eingestufte Schwachstelle CVE-2023-2033 schließen. --------------------------------------------- https://www.borncity.com/blog/2023/04/16/google-chrome-112-0-5615-121-sonde… ∗∗∗ Dating: Auf live-treffen.com & royacca.com chatten Sie kostenpflichtig mit Fake-Profilen ∗∗∗ --------------------------------------------- Auf den Dating-Plattformen live-treffen.com & royacca.com finden Sie schnell interessante Menschen. Ob es sich dabei um echte Personen handelt, ist unklar, denn die Plattformen nutzen „professionelle Animateure“, die mit Ihnen chatten. Das Problem dabei: Jede Nachricht kostet und Sie wissen nicht, ob Sie mit echten oder fiktiven Profilen schreiben. --------------------------------------------- https://www.watchlist-internet.at/news/dating-auf-live-treffencom-royaccaco… ∗∗∗ Android malware infiltrates 60 Google Play apps with 100M installs ∗∗∗ --------------------------------------------- A new Android malware named Goldoson has infiltrated the platforms official app store, Google Play, through 60 apps that collectively have 100 million downloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-… ∗∗∗ Hackers start abusing Action1 RMM in ransomware attacks ∗∗∗ --------------------------------------------- Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action… ∗∗∗ QBot banker delivered through business correspondence ∗∗∗ --------------------------------------------- In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mails that were based on real business letters the attackers had gotten access to. --------------------------------------------- https://securelist.com/qbot-banker-business-correspondence/109535/ ∗∗∗ FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks ∗∗∗ --------------------------------------------- A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed Domino, is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer [...] --------------------------------------------- https://thehackernews.com/2023/04/fin7-and-ex-conti-cybercrime-gangs-join.h… ∗∗∗ Bypassing Windows Defender (10 Ways) ∗∗∗ --------------------------------------------- In this article I will be explaining 10 ways/techniques to bypass a fully updated Windows system with up-to-date Windows Defender intel in order to execute unrestricted code (other than permissions/ACLs, that is). --------------------------------------------- https://www.fo-sec.com/articles/10-defender-bypass-methods ∗∗∗ LockBit Ransomware Group Developing Malware to Encrypt Files on macOS ∗∗∗ --------------------------------------------- The LockBit ransomware gang is developing malware designed to encrypt files on macOS systems and researchers have analyzed if it poses a real threat. --------------------------------------------- https://www.securityweek.com/lockbit-ransomware-group-developing-malware-to… ∗∗∗ Trigona Ransomware Attacking MS-SQL Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered in October 2022, and Unit 42 has recently published a report based on the similarity between Trigona and the CryLock ransomware. --------------------------------------------- https://asec.ahnlab.com/en/51343/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, rails, and ruby-rack), Fedora (firefox, ghostscript, libldb, samba, and tigervnc), Mageia (ceph, davmail, firefox, golang, jpegoptim, libheif, python-certifi, python-flask-restx, thunderbird, and tomcat), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (apache2-mod_auth_openidc, aws-nitro-enclaves-cli, container-suseconnect, firefox, golang-github-prometheus-prometheus, harfbuzz, java-1_8_0-ibm, kernel, liblouis, php7, tftpboot-installation images, tomcat, and wayland), and Ubuntu (chromium-browser, imagemagick, kamailio, and libreoffice). --------------------------------------------- https://lwn.net/Articles/929303/ ∗∗∗ K000133522 : Apache mod_proxy_wstunnel vulnerability CVE-2019-17567 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133522?utm_source=f5support&utm_medi… ∗∗∗ Microsoft Defender Security Feature Bypass Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24934 ∗∗∗ Vulnerabilities in Samba shipped with IBM OS Image for Red Hat Enterprise Linux System (CVE-2022-32742) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983851 ∗∗∗ IBM Workload Scheduler potentially affected by a vulnerability found in Json-smart library (CVE-2023-1370) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984157 ∗∗∗ There is a security vulnerability in Node.js http-cache-semantics module used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-25881) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984165 ∗∗∗ IBM Cloud Pak for Network Automation 2.4.5 addresses multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984171 ∗∗∗ IBM Db2\u00ae Graph is vulnerable to remote execution of arbitrary commands due to Node.js CVE-2022-43548 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984185 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2023
by Daily end-of-shift report 14 Apr '23

14 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-04-2023 18:00 − Freitag 14-04-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ VoIP-Software von 3CX: Erste Analyse-Ergebnisse ∗∗∗ --------------------------------------------- 3CX hat erste Ergebnisse der IT-Sicherheitsspezialisten von Mandiant bezüglich des Einbruchs und Lieferkettenangriffs auf die VoIP-Software herausgegeben. --------------------------------------------- https://heise.de/-8962595 ∗∗∗ Netzwerkausrüster Juniper verteilt viele Sicherheits-Aktualisierungen ∗∗∗ --------------------------------------------- In diversen Produkten des Netzwerkausrüsters Juniper klaffen Sicherheitslücken, die der Hersteller mit Updates schließt. Sie sollten zügig installiert werden. --------------------------------------------- https://heise.de/-8951334 ∗∗∗ Jetzt patchen! QueueJumper-Lücke gefährdet hunderttausende Windows-Systeme ∗∗∗ --------------------------------------------- Sicherheitsforscher haben nach weltweiten Scans über 400.000 potenziell angreifbare Windows-Systeme entdeckt. Sicherheitspatches sind verfügbar. --------------------------------------------- https://heise.de/-8961420 ∗∗∗ Passwortschutz umgehbar: Drupal-Modul Protected Pages verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten auf eigentlich durch Passwörter abgeschottete Drupal-Websites zugreifen. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-8959518 ∗∗∗ Cloudflare: Botnetzwerke setzen auf gehackte VPS statt auf IoT ∗∗∗ --------------------------------------------- Laut Cloudflare setzen Botnetze auf gehackte Virtual Private Server (VPS), beispielsweise von Start-ups, die deutlich mehr Leistung für DDoS-Angriffe bieten. --------------------------------------------- https://www.golem.de/news/cloudflare-botnetzwerke-setzen-auf-gehackte-vps-s… ∗∗∗ HTTP: Whats Left of it and the OCSP Problem, (Thu, Apr 13th) ∗∗∗ --------------------------------------------- It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP. --------------------------------------------- https://isc.sans.edu/diary/rss/29744 ∗∗∗ How to Set Up a Content Security Policy (CSP) in 3 Steps ∗∗∗ --------------------------------------------- What is a Content Security Policy (CSP)? A Content Security Policy (CSP) is a security feature used to help protect websites and web apps from clickjacking, cross-site scripting (XSS), and other malicious code injection attacks. At the most basic level, a CSP is a set of rules that restricts or green lights what content loads onto your website. It is a widely-supported security standard recommended to anyone who operates a website. --------------------------------------------- https://blog.sucuri.net/2023/04/how-to-set-up-a-content-security-policy-csp… ∗∗∗ RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit. --------------------------------------------- https://thehackernews.com/2023/04/rtm-locker-emerging-cybercrime-group.html ∗∗∗ Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation ∗∗∗ --------------------------------------------- The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA’s KEV catalog. --------------------------------------------- https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports… ∗∗∗ Automating Qakbot decode at scale ∗∗∗ --------------------------------------------- This is a technical post covering methodology to extract configuration data from recent Qakbot samples. I will provide background on Qakbot, walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale. --------------------------------------------- https://www.rapid7.com/blog/post/2023/04/14/automating-qakbot-decode/ ===================== = Vulnerabilities = ===================== ∗∗∗ CISA Releases Sixteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released sixteen Industrial Control Systems (ICS) advisories on April 13, 2023. * B. Braun Battery Pack SP with Wi-Fi * 13x Siemens * Datakit CrossCAD-WARE * Mitsubishi Electric GOC35 Series --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/04/13/cisa-releases-sixteen-in… ∗∗∗ Advisory SA23P002: Several Issues in B&R VC4 Visualization ∗∗∗ --------------------------------------------- An unauthenticated network-based attacker who successfully exploits these vulnerabilities could bypass the authentication mechanism of the VC4 visualization, read stack memory or execute code on an affected device. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16810468… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy and openvswitch), Fedora (bzip3, libyang, mingw-glib2, thunderbird, xorg-x11-server, and xorg-x11-server-Xwayland), and Ubuntu (apport, ghostscript, linux-bluefield, node-thenify, and python-flask-cors). --------------------------------------------- https://lwn.net/Articles/929107/ ∗∗∗ Cross-Site Scripting in Timesheet Tracking for Jira (SYSS-2022-050) ∗∗∗ --------------------------------------------- Über Cross-Site Scripting-Schwachstellen im Plug-in "Timesheet Tracking for Jira" kann Schadcode eingebaut werden, der von allen Besuchern ausgeführt wird. --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-in-timesheet-tracking… ∗∗∗ CPE2023-001 – Regarding vulnerabilities for Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers – 14 April 2023 ∗∗∗ --------------------------------------------- Several vulnerabilities have been identified for certain Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2023
by Daily end-of-shift report 13 Apr '23

13 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-04-2023 18:00 − Donnerstag 13-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ (Gepatchte aber dennoch) üble Sicherheitslücke in (einer optionalen Komponente von) Microsoft Windows ∗∗∗ --------------------------------------------- Es entbehrt nicht einer gewissen Ironie, dass die meisten Blogeinträge, welche sich in den letzten Monaten mit Sicherheitslücken in Produkten von Microsoft beschäftigt haben, von dem Mitarbeiter des CERT stammen, dessen Kenntnisse rund um Windows, Office und den ganzen Rest wohl mit Abstand am schwächsten sind - und damit herzlich willkommen zu einem weiteren Beitrag, welcher diese Kriterien vollständig erfüllt. --------------------------------------------- https://cert.at/de/blog/2023/4/gepatchte-aber-dennoch-uble-sicherheitslucke… ∗∗∗ NTP-Schwachstelle: Offenbar weniger bedrohlich als zunächst vermutet ∗∗∗ --------------------------------------------- Entwarnung: Nach der BSI-Warnung vor einer kritischen Lücke in NTP kommen IT-Experten bei der Analyse auf eine geringere Bedrohung. NTP will Patches liefern. --------------------------------------------- https://heise.de/-8949340 ∗∗∗ Uncommon infection methods—part 2 ∗∗∗ --------------------------------------------- Kaspersky researchers discuss infection methods used by Mirai-based RapperBot, Rhadamantys stealer, and CUEMiner: smart brute forcing, malvertising, and distribution through BitTorrent and OneDrive. --------------------------------------------- https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/ ∗∗∗ New Python-Based "Legion" Hacking Tool Emerges on Telegram ∗∗∗ --------------------------------------------- An emerging Python-based credential harvester and a hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation. --------------------------------------------- https://thehackernews.com/2023/04/new-python-based-legion-hacking-tool.html ∗∗∗ Indirect Prompt Injection Threats ∗∗∗ --------------------------------------------- If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a Social Engineer who seeks out and exfiltrates personal information. The user doesnt have to ask about the website or do anything except interact with Bing Chat while the website is opened in the browser. --------------------------------------------- https://greshake.github.io/ ∗∗∗ Malware Disguised as Document from Ukraines Energoatom Delivers Havoc Demon Backdoor ∗∗∗ --------------------------------------------- [...] FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants. [...] Aside from highlighting the technical details of this latest multi-staged attack [...] this article also discusses some strange artifacts that make us think this could be a work-in-progress or part of a red-team exercise. --------------------------------------------- https://www.fortinet.com/blog/threat-research/malware-disguised-as-document… ∗∗∗ BSI-Studie: Gängige Mikrocontroller sind für Hardware-Angriffe anfällig ∗∗∗ --------------------------------------------- Bei Hardware-Sicherheitstoken und Krypto-Wallets, smarten Schlössern und Kassensystemen haben Hacker leichtes Spiel, warnen Fraunhofer-Forscher im BSI-Auftrag. --------------------------------------------- https://heise.de/-8949244 ∗∗∗ Vorsicht vor Fake Urlaubsangeboten! ∗∗∗ --------------------------------------------- Die Urlaubszeit rückt langsam aber sicher näher, das treibt auch Kriminelle auf den Plan. Betrügerische Anbieter wie Kofi Vermittlung (kofireisen.com) versuchen Sie mit angeblich günstigen Angeboten abzuzocken! Achten Sie bei der Urlaubsbuchung auf folgende Warnsignale für entspannte Ferien statt einer Kostenfalle! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-urlaubsangeboten/ ∗∗∗ Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land ∗∗∗ --------------------------------------------- The Vice Society ransomware gang exfiltrated victim network data using a custom Microsoft PowerShell script. We dissect how each function of it works. --------------------------------------------- https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/ ===================== = Vulnerabilities = ===================== ∗∗∗ Softwareentwicklung: Jenkins-Plug-ins verwundbar, viele Updates stehen noch aus ∗∗∗ --------------------------------------------- Software-Entwicklungsumgebungen mit Jenkins sind attackierbar. Bislang sind nur wenige betroffene Plug-ins abgesichert. --------------------------------------------- https://heise.de/-8949204 ∗∗∗ Sicherheitsupdates: Netzwerkanalysetool Wireshark anfällig für DoS-Attacken ∗∗∗ --------------------------------------------- Die Wireshark-Entwickler haben zwei neue Versionen des Tools veröffentlicht. Darin haben sie unter anderem drei Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-8949661 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, lldpd, and zabbix), Fedora (ffmpeg, firefox, pdns-recursor, polkit, and thunderbird), Oracle (kernel and nodejs:14), Red Hat (nodejs:14, openvswitch2.17, openvswitch3.1, and pki-core:10.6), Slackware (mozilla), SUSE (nextcloud-desktop), and Ubuntu (exo, linux, linux-kvm, linux-lts-xenial, linux-aws, smarty3, and thunderbird). --------------------------------------------- https://lwn.net/Articles/928976/ ∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (11. April 2023) ∗∗∗ --------------------------------------------- Zum 11. April 2023 wurden diverse Sicherheitsupdates für Windows Server 2008 R2 (im 4. ESU Jahr) sowie für Windows Server 2012/R2 veröffentlicht (die Updates lassen sich ggf. auch noch unter Windows 7 SP1). --------------------------------------------- https://www.borncity.com/blog/2023/04/13/windows-7-server-2008-r2-server-20… ∗∗∗ Patchday: Microsoft Office Updates (11. April 2023) ∗∗∗ --------------------------------------------- Am 11. April 2023 (zweiter Dienstag im Monat, Microsoft Patchday) hat Microsoft mehrere sicherheitsrelevante Updates für noch unterstützte Microsoft Office Versionen und andere Produkte veröffentlicht. Mit dem April 2023-Patchday endet der Support für Office 2013. --------------------------------------------- https://www.borncity.com/blog/2023/04/13/patchday-microsoft-office-updates-… ∗∗∗ Drupal: Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-013 ∗∗∗ Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data ∗∗∗ --------------------------------------------- https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-so… ∗∗∗ Mattermost security updates 7.9.2 / 7.8.3 (ESR) / 7.7.4 / 7.1.8 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-9-2-7-8-3-esr-7-7… ∗∗∗ Multiple Vulnerabilities in the Autodesk® AutoCAD® Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0005 ∗∗∗ MISP 2.4.170 released with new features, workflow improvements and bugs fixed ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.170 ∗∗∗ CVE-2023-0004 PAN-OS: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0004 ∗∗∗ CVE-2023-0005 PAN-OS: Exposure of Sensitive Information Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0005 ∗∗∗ CVE-2023-0006 GlobalProtect App: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0006 ∗∗∗ Spring Framework 6.0.8, 5.3.27 and 5.2.24.RELEASE fix cve-2023-20863 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/04/13/spring-framework-6-0-8-5-3-27-and-5-2-24-… ∗∗∗ B. Braun Battery Pack SP with Wi-Fi ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-103-01 ∗∗∗ DataPower Operations Dashboard vulnerable to multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983234 ∗∗∗ AIX is vulnerable to arbitrary command execution due to invscout (CVE-2023-28528) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983232 ∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983236 ∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983270 ∗∗∗ A CVE-2021-28165 vulnerability in Eclipse Jetty affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983272 ∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI - January 2023 CPU plus deferred CVE-2022-21426 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983454 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983456 ∗∗∗ IBM Maximo Asset Management is vulnerable to HTML injection (CVE-2023-27864) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983460 ∗∗∗ IBM Security Verify Governance is vulnerable to remote attacks to execute arbitrary code on the system [CVE-2013-4521, CVE-2013-2165 and CVE-2018-14667] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983480 ∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983482 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to denial of service due to [CVE-2022-37603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983484 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983486 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983490 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM\u00ae Java SDK CPU January 2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983492 ∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983236 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2023
by Daily end-of-shift report 12 Apr '23

12 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-04-2023 18:00 − Mittwoch 12-04-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Angreifer infizieren Windows mit Nokoyawa-Ransomware ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für etwa Azure, Dynamics 365 und Windows veröffentlicht. --------------------------------------------- https://heise.de/-8935888 ∗∗∗ BSI warnt vor kritischen Zero-Day-Lücken im NTP-Server ∗∗∗ --------------------------------------------- Ein IT-Forscher hat fünf Sicherheitslücken im Zeitserver NTP gemeldet. Das BSI stuft die Lücken als kritisch ein. Ein Update steht bislang noch nicht bereit. --------------------------------------------- https://heise.de/-8948528 ∗∗∗ Warten auf Sicherheitspatches: BIOS-Lücken gefährden Lenovo-Laptops ∗∗∗ --------------------------------------------- Angreifer könnten Lenovo-Laptops attackieren und im schlimmsten Fall Schadcode ausführen. Updates sind noch nicht verfügbar. --------------------------------------------- https://heise.de/-8948481 ∗∗∗ Phishing-Alarm: „New Fax Document(s) has been received” ∗∗∗ --------------------------------------------- Derzeit werden willkürlich E-Mails an Unternehmen versendet, in denen behauptet wird, dass die Empfänger:innen ein neues Fax-Dokument erhalten hätten. Um das Dokument anzusehen, muss ein Link angeklickt werden. Achtung: Kriminelle versuchen das Microsoft-Konto der betroffenen Mitarbeiter:innen zu kapern. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-new-fax-documents-has… ∗∗∗ Abo-Falle statt Kaffeemaschinen-Gewinnspiel im Namen von MediaMarkt ∗∗∗ --------------------------------------------- Auf Facebook wird ein betrügerisches Gewinnspiel im Namen von MediaMarkt durch Kriminelle beworben. Versprochen werden Kaffeemaschinen von DeLonghi für nur 1,95 Euro wegen einer angeblichen Vertragsauflösung zwischen dem Hersteller und MediaMarkt. Tatsächlich landen Sie hier aber in einer teuren Abo-Falle. Die Kaffeemaschinen gibt es nicht. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-statt-kaffeemaschinen-gewi… ∗∗∗ Remote Code Execution (RCE) in Hashicorp Vault ∗∗∗ --------------------------------------------- Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. This vulnerability, in certain conditions, allows attackers to execute code remotely on the target system through a SQL injection attack. --------------------------------------------- https://www.oxeye.io/blog/rce-through-sql-injection-vulnerability-in-hashic… ∗∗∗ Hacked sites caught spreading malware via fake Chrome updates ∗∗∗ --------------------------------------------- Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unaware visitors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-sites-caught-spreadin… ∗∗∗ Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign ∗∗∗ --------------------------------------------- This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-inves… ∗∗∗ The Service Accounts Challenge: Cant See or Secure Them Until Its Too Late ∗∗∗ --------------------------------------------- Heres a hard question to answer: How many service accounts do you have in your environment?. A harder one is: Do you know what these accounts are doing?. And the hardest is probably: If any of your service account was compromised and used to access resources would you be able to detect and stop that in real-time? --------------------------------------------- https://thehackernews.com/2023/04/the-service-accounts-challenge-cant-see.h… ∗∗∗ Another zero-click Apple spyware maker just popped up on the radar again ∗∗∗ --------------------------------------------- Malware reportedly developed by a little-known Israeli commercial spyware maker has been found on devices of journalists, politicians, and an NGO worker in multiple countries, say researchers. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/04/12/quadream_spy… ∗∗∗ Recent IcedID (Bokbot) activity ∗∗∗ --------------------------------------------- This week, weve seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments. The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives. The password for the downloaded zip archive is shown in the PDF file. The downloaded zip archives contain EXE files that are digitally-signed using a certificate issued by SSL.com. --------------------------------------------- https://isc.sans.edu/diary/rss/29740 ∗∗∗ BumbleBee hunting with a Velociraptor ∗∗∗ --------------------------------------------- The various detection opportunities described in the report can be useful for organizations to detect an infection in its first stages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma) so they can be used by any company or the wider community. --------------------------------------------- https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/ ∗∗∗ Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was uncovered by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server. --------------------------------------------- https://thehackernews.com/2023/04/cryptocurrency-stealer-malware.html ∗∗∗ Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts ∗∗∗ --------------------------------------------- On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts. --------------------------------------------- https://www.wordfence.com/blog/2023/04/update-now-severe-vulnerability-impa… ∗∗∗ On self-healing code and the obvious issue ∗∗∗ --------------------------------------------- While browsing the news in the morning Ive found an article on Ars Technica titles "Developer creates “self-healing” programs that fix themselves thanks to AI". Its about Wolverine, which is an automated extension of what was demoed during the GPT-4 reveal, i.e. the perceived ability of GPT-4 to understand error messages and suggest fixes. --------------------------------------------- https://gynvael.coldwind.pl/?id=766 ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Fortinet schließt kritische und hochriskante Lücken ∗∗∗ --------------------------------------------- Am April-Patchday liefert Fortinet für zahlreiche Produkte Sicherheitsupdates aus. Eine der damit geschlossenen Lücken stuft der Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-8939457 ∗∗∗ Patchday: Kritische Schadcode-Lücken in Adobe-Anwendungen geschlossen ∗∗∗ --------------------------------------------- Wer Anwendungen von Adobe nutzt, sollte diese aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-8935948 ∗∗∗ Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin ∗∗∗ --------------------------------------------- On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, [...] --------------------------------------------- https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-p… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, ghostscript, glusterfs, netatalk, php-Smarty, and skopeo), Mageia (ghostscript, imgagmagick, ipmitool, openssl, sudo, thunderbird, tigervnc/x11-server, and vim), Oracle (curl, haproxy, and postgresql), Red Hat (curl, haproxy, httpd:2.4, kernel, kernel-rt, kpatch-patch, and postgresql), Slackware (mozilla), SUSE (firefox), and Ubuntu (dotnet6, dotnet7, firefox, json-smart, linux-gcp, linux-intel-iotg, and sudo). --------------------------------------------- https://lwn.net/Articles/928870/ ∗∗∗ Patchday: Windows 11/Server 2022-Updates (11. April 2023) ∗∗∗ --------------------------------------------- Am 11. April 2023 (zweiter Dienstag im Monat, Patchday bei Microsoft) hat Microsoft auch kumulative Updates für Windows 11 22H1 und 22H2 veröffentlicht. Zudem erhielt Windows Server 2022 ein Update. Hier einige Details zu diesen Updates, die Schwachstellen sowie Probleme [...] --------------------------------------------- https://www.borncity.com/blog/2023/04/12/patchday-windows-11-server-2022-up… ∗∗∗ FANUC ROBOGUIDE-HandlingPRO ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to read and/or overwrite files on the system running the affected software. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-101-01 ∗∗∗ NVIDIA Display Driver Advisory - March 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500558-NVIDIA-DISPLAY-DRIVER-A… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2023
by Daily end-of-shift report 11 Apr '23

11 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-04-2023 18:00 − Dienstag 11-04-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ YouTube warnt vor täuschend echter Betrugsmasche ∗∗∗ --------------------------------------------- Derzeit werden Phishing-E-Mails im Namen von YouTube versandt, die eine glaubwürdige Mailadresse verwenden. --------------------------------------------- https://futurezone.at/digital-life/youtube-warnt-vor-taeuschend-echter-betr… ∗∗∗ Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories ∗∗∗ --------------------------------------------- Repo jacking is an attack on GitHub repositories, where attackers are able to hijack GitHub repositories by reregistering previously used usernames. In this blog post, we discuss how many AUR packages (use GitHub packages that) are vulnerable to repo jacking attacks. --------------------------------------------- https://blog.nietaanraken.nl/posts/aur-packages-github-repo-jacking/ ∗∗∗ Stepping Insyde System Management Mode ∗∗∗ --------------------------------------------- In October of 2022, Intel’s Alder Lake BIOS source code was leaked online. [..] I obtained a copy of the leaked code and began to hunt for vulnerabilities. [..] All these vulnerabilities share a common root cause (insufficient input validation) and a common impact (SMRAM corruption). Their details are summarized in the following table [..] --------------------------------------------- https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-… ∗∗∗ Jetzt patchen! ALPHV-Ransomware schlüpft durch Veritas-Backup-Lücken ∗∗∗ --------------------------------------------- Angreifer nehmen derzeit drei Sicherheitslücken in Veritas Backup Exec ins Visier. Patches sind verfügbar. --------------------------------------------- https://heise.de/-8875233 ∗∗∗ MSI-Hack: Hardware-Hersteller warnt vor Fake-BIOS-Updates ∗∗∗ --------------------------------------------- Bei MSI ist es zu einem IT-Sicherheitsvorfall gekommen. Die Angreifer sollen Zugriff auf interne Daten gehabt haben. --------------------------------------------- https://heise.de/-8875303 ∗∗∗ Studie: Kriminelle schmuggeln Trojaner-Apps ab 2000 US-Dollar in Google Play ∗∗∗ --------------------------------------------- Für die Abzocke von Android-Nutzern bieten Kriminelle in Untergrundforen All-in-one-Trojaner-Pakete zum Verkauf an. --------------------------------------------- https://heise.de/-8927162 ∗∗∗ Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse ∗∗∗ --------------------------------------------- An exploitation path involving Azure shared key authorization could allow full access to accounts and business data and ultimately lead to remote code execution (RCE), cloud security company Orca warns. --------------------------------------------- https://www.securityweek.com/microsoft-azure-users-warned-of-potential-shar… ∗∗∗ Webinar: Sicher unterwegs in Sozialen Netzwerken ∗∗∗ --------------------------------------------- Soziale Netzwerke sind längst unsere täglichen Begleiter geworden. Doch worauf muss ich eigentlich achten, wenn ich Plattformen wie Facebook oder Instagram sicher nutzen will? Das Webinar gibt Tipps zum verantwortungsvollen Umgang mit Sozialen Netzwerken. Nehmen Sie kostenlos teil: Dienstag 18. April 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicher-unterwegs-in-sozialen… ∗∗∗ Amazon ruft an? Legen Sie auf! ∗∗∗ --------------------------------------------- Am Telefon stellen sich Kriminelle als Amazon-Mitarbeiter:innen vor und behaupten, dass Ihr Amazon-Konto gehackt wurde. Sie hätten verdächtige Bestellungen entdeckt. Die „Amazon-Mitarbeiter:innen“ bieten Ihnen an, die Bestellung zu stornieren und Ihr Konto zu schützen. Dabei handelt es sich aber um Betrug! Kriminelle versuchen Ihnen Geld, Ausweiskopien und Amazon-Zugangsdaten zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/amazon-ruft-an-legen-sie-auf/ ∗∗∗ AlienFox: Toolkit zur Kompromittierung von E-Mail- und Webhosting-Diensten in der Cloud ∗∗∗ --------------------------------------------- [English]AlienFox ist ein Toolkit zur Kompromittierung von E-Mail- und Webhosting-Diensten. Dieses Toolkit ist hochgradig modular, liegt in mehreren Versionen vor und versucht Fehlkonfigurationen in der Cloud auszunutzen, um die Anmeldedaten für Dienste wie AWS, Microsoft 365, Google Workspace, 1und1 etc. abzugreifen. --------------------------------------------- https://www.borncity.com/blog/2023/04/11/alienfox-toolkit-zur-kompromittier… ∗∗∗ WinVerifyTrust Signature Validation Vulnerability ∗∗∗ --------------------------------------------- Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, the information herein remains unchanged from the original text published on December 10, 2013. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 ===================== = Vulnerabilities = ===================== ∗∗∗ Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112 ∗∗∗ --------------------------------------------- CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29534, CVE-2023-29535, CVE-2023-29536, CVE-2023-29537, CVE-2023-29538, CVE-2023-29539, CVE-2023-29540, CVE-2023-29541, CVE-2023-29542, CVE-2023-29543, CVE-2023-29544, CVE-2023-29545, CVE-2023-29546, CVE-2023-29547, CVE-2023-29548, CVE-2023-29549, CVE-2023-29550, CVE-2023-29551 Davon 11x "Severity: high". --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/ ∗∗∗ Exploit-Code: Schadcode könnte aus JavaScript-Sandbox vm2 ausbrechen ∗∗∗ --------------------------------------------- Die populäre vm2-Sandbox hat eine kritische Sicherheitslücke und Exploit-Code ist bereits im Umlauf. --------------------------------------------- https://heise.de/-8875269 ∗∗∗ Patchday: SAP meldet 19 teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Im April hat SAP 19 Schwachstellen in den eigenen Produkten mit Sicherheitsmeldungen bedacht. Davon stuft der Hersteller zwei als kritisch ein. --------------------------------------------- https://heise.de/-8931365 ∗∗∗ iOS 15, macOS 11 und 12: Apple schiebt Notfallfix nach ∗∗∗ --------------------------------------------- Nachdem iOS 16 und macOS 13 bereits voll gepatcht worden waren, legt Apple auch einen Fix für eine bereits ausgenutzte Lücke für ältere Betriebssysteme nach. --------------------------------------------- https://heise.de/-8922448 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openimageio and udisks2), Fedora (chromium, curl, kernel, mediawiki, and seamonkey), Oracle (httpd:2.4), Red Hat (httpd and mod_http2 and tigervnc), SUSE (ghostscript and kernel), and Ubuntu (irssi). --------------------------------------------- https://lwn.net/Articles/928667/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (keepalived and lldpd), Oracle (kernel), and SUSE (kernel, podman, seamonkey, and upx). --------------------------------------------- https://lwn.net/Articles/928736/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Dozens of Vulnerabilities ∗∗∗ --------------------------------------------- Siemens and Schneider Electric’s Patch Tuesday advisories for April 2023 address a total of 38 vulnerabilities found in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ PHOENIX CONTACT: Directory Traversal Vulnerability in ENERGY AXC PU Web service ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-004/ ∗∗∗ Insyde BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500557 ∗∗∗ Lenovo XClarity Controller (XCC) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500556-LENOVO-XCLARITY-CONTROL… ∗∗∗ Lenovo Smart Clock Essential Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500555-LENOVO-SMART-CLOCK-ESSE… ∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM Cloud Pak for Applications, are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982187 ∗∗∗ IBM i components are affected by CVE-2021-4104 (log4j version 1.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6539162 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Lucene ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982359 ∗∗∗ IBM Watson Explorer affected by vulnerability in Apache Commons. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964808 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982539 ∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/888295 ∗∗∗ Vulnerabilities in cURL affect QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/888299 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982833 ∗∗∗ Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982841 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering product using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982847 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to Webpack (CVE-2023-28154) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982851 ∗∗∗ IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to a vulnerability in XML processing in Apache Jena, in versions up to 4.1.0 (CVE-2021-39239) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981111 ∗∗∗ IBM Operational Decision Manager March 2023 - CVE-2014-0114, CVE-2019-10086, CVE-2023-24998 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982881 ∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982895 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982903 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982905 ∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982047 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2023
by Daily end-of-shift report 07 Apr '23

07 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-04-2023 18:00 − Freitag 07-04-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft Edge v112 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the release of the security baseline for Microsoft Edge, version 112! We have reviewed the settings in Microsoft Edge version 112 and updated our guidance with the removal of three obsolete settings. A new Microsoft Edge security baseline package was just released to the Download Center. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Security headers you should add into your application to increase cyber risk protection, (Thu, Apr 6th) ∗∗∗ --------------------------------------------- Web applications are a wide world that is currently the object of numerous cyberattacks, mostly seeking to compromise the information directly in the clients that use them. --------------------------------------------- https://isc.sans.edu/diary/rss/29720 ∗∗∗ Detecting Suspicious API Usage with YARA Rules, (Fri, Apr 7th) ∗∗∗ --------------------------------------------- YARA is a beautiful tool for malware researchers and incident responders. No need to present it again. It became a standard tool to add to your arsenal. While teaching FOR610 (Malware Analysis & Reverse Engineering), a student asked me how to detect specific API calls with dangerous parameters during the triage phase. This phase will help you quickly assess the malware sample and help you decide how to perform the following steps. --------------------------------------------- https://isc.sans.edu/diary/rss/29724 ∗∗∗ Balada Injector: Synopsis of a Massive Ongoing WordPress Malware Campaign ∗∗∗ --------------------------------------------- Our team at Sucuri has been tracking a massive WordPress infection campaign since 2017 — but up until recently never bothered to give it a proper name. Typically, we refer to it as an ongoing long lasting massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities. --------------------------------------------- https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoi… ∗∗∗ With ICMP magic, you can snoop on vulnerable HiSilicon, Qualcomm-powered Wi-Fi ∗∗∗ --------------------------------------------- WPA stands for will-provide-access, if you can successfully exploit a targets setup. A vulnerability identified in at least 55 Wi-Fi router models can be exploited by miscreants to spy on victims data as its sent over a wireless network. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/04/07/wifi_access_… ∗∗∗ Pwning Pixel 6 with a leftover patch ∗∗∗ --------------------------------------------- In this post, I’ll look at a security-related change in version r40p0 of the Arm Mali driver that was AWOL in the January update of the Pixel bulletin, where other patches from r40p0 was applied, and how these two lines of changes can be exploited to gain arbitrary kernel code execution and root from a malicious app. This highlights how treacherous it can be when backporting security changes. --------------------------------------------- https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/ ∗∗∗ Umfrage: Softwarebedingte Schwachstellen sind das größte Sicherheitsproblem ∗∗∗ --------------------------------------------- Hacker setzen vermehrt auf bekannte Sicherheitslücken. Ransomware ist der Umfrage zufolge nur die viertgrößte Bedrohung. Ein weiteres Problem: viele Unternehmen weisen Mitarbeiter an, meldepflichtige Vorfälle zu verschweigen. --------------------------------------------- https://www.zdnet.de/88408311/umfrage-softwarebedingte-schwachstellen-sind-… ===================== = Vulnerabilities = ===================== ∗∗∗ Release notes for Microsoft Edge Security Updates (CVE-2023-28284, CVE-2023-24935, CVE-2023-28301) ∗∗∗ --------------------------------------------- April 6, 2023: Microsoft has released the latest Microsoft Edge Stable Channel (Version 112.0.1722.34) which incorporates the latest Security Updates of the Chromium project. --------------------------------------------- https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-securi… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (ldb/samba, libapreq2, opencontainers-runc, peazip, python-cairosvg, stellarium, and zstd), Oracle (httpd and mod_http2, kernel, and nss), SUSE (conmon, go1.19, go1.20, libgit2, openssl-1_1, and openvswitch), and Ubuntu (emacs24). --------------------------------------------- https://lwn.net/Articles/928559/ ∗∗∗ F5: K000133432 : Intel CPU vulnerability CVE-2022-21216 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133432 ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/04/07/cisa-adds-five-known-exp… ∗∗∗ IBM Informix Dynamic Server is affected when a specific function in the Spatial Datablade is called with an out-of-range parameter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6343587 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in GnuPG Libksba [CVE-2022-3515] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981855 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary code execution in libexpat [CVE-2022-40674] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981859 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in SQlite [CVE-2020-35527] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981851 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary commands execution in Python (CVE-2015-20107) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981849 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in GNU Libtasn1 [CVE-2021-46848] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981853 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-23521] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981857 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-41903] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981861 ∗∗∗ Privilege Escalation vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981911 ∗∗∗ Improper Error Handling ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981917 ∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982047 ∗∗∗ Vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/286971 ∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982141 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2023
by Daily end-of-shift report 06 Apr '23

06 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-04-2023 18:00 − Donnerstag 06-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Telegram now the go-to place for selling phishing tools and services ∗∗∗ --------------------------------------------- Telegram has become the working ground for the creators of phishing bots and kits looking to market their products to a larger audience or to recruit unpaid helpers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telegram-now-the-go-to-place… ∗∗∗ CAN do attitude: How thieves steal cars using network bus ∗∗∗ --------------------------------------------- It starts with a headlamp and fake smart speaker, and ends in an injection attack and a vanished motor. Automotive security experts say they have uncovered a method of car theft relying on direct access to the vehicles system bus via a smart headlamps wiring. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/04/06/can_injectio… ∗∗∗ Technical analysis of the Genesis Market ∗∗∗ --------------------------------------------- [...] In case you are unfamiliar with this market, it was used to sell stolen login credentials, browser cookies and online fingerprints (in order to prevent ‘risky sign-in’ detections), by some referred to as IMPaas, or Impersonation-as-a-Service. [...] its activities have resulted in approximately two million victims. If you want to know more about this operation, you can read our other blog post. You can also check if your data has been compromised [...] --------------------------------------------- https://sector7.computest.nl/post/2023-04-technical-analysis-genesis-market/ ∗∗∗ CyberGhostVPN - the story of finding MITM, RCE, LPE in the Linux client ∗∗∗ --------------------------------------------- This article discloses the vulnerabilities that were present in the CyberGhostVPN Linux 1.3.5 client (and versions below). The latest version of the CyberGhostVPN Linux client is now free from these vulnerabilities. --------------------------------------------- https://mmmds.pl/cyberghostvpn-mitm-rce-lpe/ ∗∗∗ Cisco: Teils hochriskante Lücken in mehreren Produkten abgedichtet ∗∗∗ --------------------------------------------- Cisco-Administratoren bekommen über die Ostertage Arbeit: Der Hersteller hat in diversen Produkten Sicherheitslücken entdeckt. Updates sollen sie schließen. --------------------------------------------- https://heise.de/-8644498 ∗∗∗ Nexx Garagentorsteuerung: Schwachstelle erlaubt Zugriff für Hacker ∗∗∗ --------------------------------------------- Wer eine Home-Automatisierung von Nexx besitzt und diese per Fernsteuerung seiner Garagentore benutzt, hat nun ein fettes Problem. Eine Schwachstelle in der Nexx-Fernsteuerung ermöglicht Hackern den nicht autorisierten Zugriff auf die Garagentore. --------------------------------------------- https://www.borncity.com/blog/2023/04/06/nexx-garagentorsteuerung-schwachst… ∗∗∗ Beware of new YouTube phishing scam using authentic email address ∗∗∗ --------------------------------------------- Watch out for a new YouTube phishing scam and ignore any email from YouTube that claims to provide details about "Changes in YouTube rules and policies | Check the Description. --------------------------------------------- https://www.hackread.com/youtube-phishing-scam-authentic-email-address/ ===================== = Vulnerabilities = ===================== *** Cisco Security Advisories 2023-04-05 *** --------------------------------------------- Cisco has released 13 security advisories: (3x High, 9x Medium, 1x Informational) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Trellix-Agent ermöglicht Rechteausweitung am System ∗∗∗ --------------------------------------------- Der Agent von Trellix – dem Zusammenschluss von McAfee und FireEye – ermöglicht Angreifern, ihre Rechte im System auszuweiten. Ein Update schließt die Lücke. --------------------------------------------- https://heise.de/-8645652 ∗∗∗ Datenleck: Mastodon-Lücke erlaubt Informationsabfluss ∗∗∗ --------------------------------------------- Aktualisierte Mastodon-Pakete dichten ein Datenleck in der LDAP-Authentifizierung ab. Administratorinnen und Administratoren sollten die Updates zügig anwenden. --------------------------------------------- https://heise.de/-8645580 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cairosvg, ghostscript, grunt, tomcat9, and trafficserver), Fedora (golang, podman, xen, and zchunk), Red Hat (kpatch-patch), SUSE (systemd), and Ubuntu (apache-log4j1.2, liblouis, linux-aws, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/928476/ ∗∗∗ Celery as used by IBM QRadar Advisor With Watson App is vulnerable to arbitrary command execution (CVE-2021-23727) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981595 ∗∗∗ Node.js passport is vulnerable to CVE-2022-25896 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966086 ∗∗∗ IBM TRIRIGA Application Platform discloses XML external entities injection (CVE-2023-27876) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981115 ∗∗∗ IBM TRIRIGA Application Platform discloses Stored Cross Site Scripting (CVE-2022-43914) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981597 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ decode-uri-component is vulnerable to CVE-2022-38900 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981607 ∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953825 ∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847947 ∗∗∗ Vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981763 ∗∗∗ IBM Security Verify Governance is vulnerable to cross-site scripting, caused by improper validation of user-supplied input related to the HtmlResponseWriter (CVE-2013-5855) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981781 ∗∗∗ IBM Watson Explorer affected by vulnerability in OpenSSL. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963622 ∗∗∗ IBM Watson Explorer affected by vulnerability in Apache Commons. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964808 ∗∗∗ Korenix Jetwave ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-04 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06 ∗∗∗ JTEKT ELECTRONICS Kostac PLC Programming Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-03 ∗∗∗ Hitachi Energy MicroSCADA System Data Manager SDM600 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-05 ∗∗∗ JTEKT ELECTRONICS Screen Creator Advance 2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2023
by Daily end-of-shift report 05 Apr '23

05 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-04-2023 18:00 − Mittwoch 05-04-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Open garage doors anywhere in the world by exploiting this “smart” device ∗∗∗ --------------------------------------------- A universal password. Unencrypted user data and commands. What could go wrong? A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed. Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time. Immediately unplug all Nexx devices --------------------------------------------- https://arstechnica.com/?p=1929120 ∗∗∗ Exploration of DShield Cowrie Data with jq, (Wed, Apr 5th) ∗∗∗ --------------------------------------------- There have been other diaries [1][2] showing how to explore JSON data with jq [3]. We'll review some options to understand unfamiliar JSON data and ways to filter that information. Using tools like Security Information and Event Management (SIEM) systems can help aggregate data and make it more easily searched and visualized. There are still times where being able to quickly search JSON data can be useful, especially if a SIEM option is not immediately available. --------------------------------------------- https://isc.sans.edu/diary/rss/29714 ∗∗∗ ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs ∗∗∗ --------------------------------------------- An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution. An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network. Unlike other ALPHV affiliates, UNC4466 doesn’t rely on stolen credentials for initial access to victim environments. Mandiant [...] --------------------------------------------- https://securityaffairs.com/144438/cyber-crime/alphv-blackcat-ransomware-ve… ∗∗∗ Deobfuscating the Recent Emotet Epoch 4 Macro ∗∗∗ --------------------------------------------- This analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscati… ∗∗∗ Cyber-Betrüger: Zahlungsaufforderung für Lösegeld – jedoch ohne Ransomware ∗∗∗ --------------------------------------------- Auf die aktuell häufigen Cyber-Attacken stürzen sich weitere Betrüger. Sie verschicken Mails mit Zahlungsaufforderungen, ohne Ransomware eingeschleust zu haben. --------------------------------------------- https://heise.de/-8587724 ∗∗∗ Pre-ransomware notifications are paying off right from the bat ∗∗∗ --------------------------------------------- CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023. Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/04/pre-ransomware-notifications… ∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗ --------------------------------------------- NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community. --------------------------------------------- https://research.nccgroup.com/2023/04/05/detecting-karakurt-an-extortion-fo… ∗∗∗ Markenfälschungen im Online-Handel – So schützen Sie sich! ∗∗∗ --------------------------------------------- Wer im Internet nach Markenkleidung, Uhren, Accessoires oder aber Medikamenten sucht, stößt häufig auf unseriöse Angebote. In einigen Fällen führt eine Bestellung günstiger Markenprodukte zum Erhalt eines gefälschten Produkts, manchmal erhält man gar nichts und insbesondere bei Medikamenten kann das Produkt sogar gefährlich sein. Worauf man in Online-Shops und auf Plattformen wie Amazon achten kann, um sich zu schützen [...] --------------------------------------------- https://www.watchlist-internet.at/news/markenfaelschungen-im-online-handel-… ∗∗∗ How we’re protecting users from government-backed attacks from North Korea ∗∗∗ --------------------------------------------- Googles Threat Analysis Group shares information on ARCHIPELAGO as well as the work to stop government-backed attackers. --------------------------------------------- https://blog.google/threat-analysis-group/how-were-protecting-users-from-go… ∗∗∗ MS OneNote soll künftig 120 gefährliche Filetypen blockieren ∗∗∗ --------------------------------------------- Microsoft reagiert wohl auf den Umstand, dass OneNote inzwischen als Malware-Schleuder für Systeme missbraucht wird. Die Anwendung soll zukünftig 120 gefährliche Filetypen blockieren, so dass diese durch Downloads aus dem Internet nicht mehr für Malware-Angriffe missbraucht werden können. --------------------------------------------- https://www.borncity.com/blog/2023/04/05/ms-onenote-soll-knftig-120-gefhrli… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Autodesk® InfoWorks® software ∗∗∗ --------------------------------------------- Autodesk® InfoWorks® WS Pro and InfoWorks® ICM have been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Patch releases are available in Autodesk Access or the Accounts Portal or the Innovyze Web Portal to help resolve these vulnerabilities. The patch versions are listed below. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0001 ∗∗∗ Chrome 112: 16 Sicherheitslücken gestopft ∗∗∗ --------------------------------------------- Google hat den Webbrowser Chrome in Version 112 freigegeben. Die Entwickler dichten 16 Schwachstellen ab. Chromium-basierte Browser dürften bald nachziehen. --------------------------------------------- https://heise.de/-8572482 ∗∗∗ Technical Advisory – play-pac4j Authentication rule bypass ∗∗∗ --------------------------------------------- Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the full URI provided in a user’s HTTP request. If a requested URI matches one of these expressions, the associated authentication rule will be applied. These rules are only intended to validate the path and query string section of a URL. --------------------------------------------- https://research.nccgroup.com/2023/04/05/technical-advisory-play-pac4j-auth… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and openimageio), Fedora (kernel, rubygem-actioncable, rubygem-actionmailbox, rubygem-actionmailer, rubygem-actionpack, rubygem-actiontext, rubygem-actionview, rubygem-activejob, rubygem-activemodel, rubygem-activerecord, rubygem-activestorage, rubygem-activesupport, rubygem-rails, and rubygem-railties), Oracle (gnutls, httpd, kernel, nodejs:16, nodejs:18, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Red Hat (gnutls, httpd, httpd:2.4, kernel, kpatch-patch, pcs, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Scientific Linux (httpd and tigervnc, xorg-x11-server), SUSE (aws-efs-utils.11048, libheif, liblouis, openssl, python-cryptography, python-Werkzeug, skopeo, tomcat, and wireshark), and Ubuntu (imagemagick, ipmitool, and node-trim-newlines). --------------------------------------------- https://lwn.net/Articles/928408/ ∗∗∗ Kritische Schwachstelle CVE-2023-1707 in HP-Drucker-Firmware, kein Patch verfügbar ∗∗∗ --------------------------------------------- Die Firmware von verschiedenen Laser-Drucker ist gegenüber der Schwachstelle CVE-2023-1707 anfällig. Bestimmte HP Enterprise LaserJet und HP LaserJet sind in verwalteten Umgebungen potenziell anfällig für die Offenlegung von Informationen, wenn IPsec mit FutureSmart Version 5.6 aktiviert ist. --------------------------------------------- https://www.borncity.com/blog/2023/04/05/kritische-schwachstelle-cve-2023-1… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2023
by Daily end-of-shift report 04 Apr '23

04 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Montag 03-04-2023 18:00 − Dienstag 04-04-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WinRAR SFX archives can run PowerShell without being detected ∗∗∗ --------------------------------------------- Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-… ∗∗∗ Analyzing the efile.com Malware "efail", (Tue, Apr 4th) ∗∗∗ --------------------------------------------- Yesterday, I wrote about efile.com serving malicious ake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed. --------------------------------------------- https://isc.sans.edu/diary/rss/29712 ∗∗∗ Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies ∗∗∗ --------------------------------------------- Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-ne… ∗∗∗ Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions ∗∗∗ --------------------------------------------- Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files That's going to change going forward. --------------------------------------------- https://thehackernews.com/2023/04/microsoft-tightens-onenote-security-by.ht… ∗∗∗ A fresh look at user enumeration in Microsoft Teams ∗∗∗ --------------------------------------------- The technique to enumerate user details and presence information via Microsoft Teams is not new and was described in a blog post by immunit.ch and their tool "TeamsUserEnum". This blog post adds more information related to user enumeration via Teams and covers different endpoints used by different account types. --------------------------------------------- https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-micro… ∗∗∗ Internationaler Monat zur Betrugsbekämpfung: Vorsicht vor Dark Patterns ∗∗∗ --------------------------------------------- Im März 2023 jährt sich der internationale Monat zur Betrugsbekämpfung („ICPEN Fraud Prevention Month"). Das diesjährige Schwerpunktthema sind Dark Patterns. Dark Patterns sind irreführende Designelemente und Webseiten-Gestaltungen, mit denen versucht wird, User:innen zu Entscheidungen zu verleiten, die nicht in ihrem besten Interesse liegen. Was Dark Patterns genau sind, wie Sie diese erkennen und sich am besten schützen, erfahren Sie hier! --------------------------------------------- https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-… ∗∗∗ Lebenslauf-Editor auf zety.de führt in Abo-Falle ∗∗∗ --------------------------------------------- Auf zety.de können Sie angeblich professionelle Lebensläufe und Bewerbungen erstellen. Per Klick wählen Sie eine gewünschte Vorlage und befüllen sie mit Ihren Daten – scheinbar kostenlos. Erst wenn Sie Ihr Dokument herunterladen möchten, erfahren Sie, dass der Dienst doch nicht gratis ist. Wenn Sie überweisen, schließen Sie ein Abo ab! --------------------------------------------- https://www.watchlist-internet.at/news/lebenslauf-editor-auf-zetyde-fuehrt-… ∗∗∗ Weitere Informationen zu Angriffen gegen 3CX Desktop App ∗∗∗ --------------------------------------------- Seit der Veröffentlichung unserer letzten Meldung zu den Angriffen gegen die bzw. durch Missbrauch der 3CX Desktop App sind inzwischen weitere Details und neue Informationen bekannt geworden. Die wichtigsten Details in dieser Hinsicht sind: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/4/weitere-informationen-zu-angriffen-gege… ∗∗∗ Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities ∗∗∗ --------------------------------------------- The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities. Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult. --------------------------------------------- https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-… ∗∗∗ Rorschach – A New Sophisticated and Fast Ransomware ∗∗∗ --------------------------------------------- Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups. The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). --------------------------------------------- https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID ∗∗∗ --------------------------------------------- The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predicatble DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.[..] The uClibc library has not been updated since May of 2012. --------------------------------------------- https://kb.cert.org/vuls/id/473698 ∗∗∗ Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server (CVE-2022-43769, CVE-2022-43939, CVE-2022-43773, CVE-2022-43938) ∗∗∗ --------------------------------------------- A few months ago I was working on an engagement where Pentaho was used to collect data and generate reports. [..] I found a total of eight vulnerabilties, three of which enable command execution on the residing host. [..] 31 March 2023: Vendor released patches, but no public CVE disclosure. --------------------------------------------- https://research.aurainfosec.io/pentest/pentah0wnage/ ∗∗∗ Nexx Smart Home Device ∗∗∗ --------------------------------------------- AFFECTED PRODUCTS - Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior - Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior - Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01 ∗∗∗ Patchday: Android-Lücken mit kritischem Risiko gestopft ∗∗∗ --------------------------------------------- Zum April-Patchday hat Google Sicherheitslücken im Android-Betriebssystem geschlossen, die die Entwickler teils als kritisch einstufen. --------------------------------------------- https://heise.de/-8522365 ∗∗∗ Sophos: Kritische Sicherheitslücke in Web-Appliance ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Sophos hat in der Web Appliance (SWA) Sicherheitslücken geschlossen, die Angreifern etwa das Ausführen beliebigen Codes ermöglichen. --------------------------------------------- https://heise.de/-8525279 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (openbgpd and seamonkey), Red Hat (httpd:2.4, kernel, kernel-rt, and pesign), SUSE (compat-openssl098, dpdk, drbd, ImageMagick, nextcloud, openssl, openssl-1_1, openssl-3, openssl1, oracleasm, pgadmin4, terraform-provider-helm, and yaml-cpp), and Ubuntu (haproxy, ldb, samba, and vim). --------------------------------------------- https://lwn.net/Articles/928294/ ∗∗∗ Netty Vulnerabilites 4.0.37 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980407 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980411 ∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980457 ∗∗∗ Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962855 ∗∗∗ IBM Aspera Faspex 5.0.5 has addressed CVE-2022-4304 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980501 ∗∗∗ IBM Security Verify Access Appliance includes components with known vulnerabilities (CVE-2022-29154, CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980521 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980519 ∗∗∗ Vulnerability in py library affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2022-42969] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980723 ∗∗∗ Vulnerability in cryptography affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2023-0286] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980351 ∗∗∗ A security vulnerability has been identified in WebSphere\u00ae Application Server shipped with IBM\u00ae Intelligent Operations Center (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980725 ∗∗∗ IBM Event Streams is affected by vulnerabilities in the jsonwebtoken package (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980727 ∗∗∗ IBM Event Streams is affected by vulnerabilities in Node.js (CVE-2022-25927 and CVE-2022-25881) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980735 ∗∗∗ IBM Event Streams is affected by a vulnerability in Apache Kafka (CVE-2023-25194) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980743 ∗∗∗ IBM Event Streams is vulnerable to a denial of service due to Redis (CVE-2023-25155) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980747 ∗∗∗ Multiple vulnerabilities have been identified in IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980737 ∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956289 ∗∗∗ CVE-2022-41721 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980755 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963075 ∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960215 ∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963650 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963077 ∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960211 ∗∗∗ There are several vulnerabilities in Bootstrap used by IBM Maximo Asset Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980757 ∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6828569 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2023
by Daily end-of-shift report 03 Apr '23

03 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-03-2023 18:00 − Montag 03-04-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Money Message ransomware demands million dollar ransoms ∗∗∗ --------------------------------------------- A new ransomware gang named Money Message has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-money-message-ransomware… ∗∗∗ Hacken ist für alle: Die Austria Cyber Security Challenge startet ∗∗∗ --------------------------------------------- Der Hackerwettbewerb will heuer verstärkt Frauen für die IT-Security begeistern. --------------------------------------------- https://futurezone.at/digital-life/austria-cyber-security-challenge-acsc-be… ∗∗∗ With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets ∗∗∗ --------------------------------------------- The group remains highly active within a wide range of geographies and industry verticals, targeting aviation, automotive, education, government, media, information technology, and religious organizations. [..] Insikt Group has identified a wider cluster of KEYPLUG samples and infrastructure used by RedGolf from at least 2021 to 2023. (Anm.: das Paper enthält etliche beobachtenswerte IOCs). --------------------------------------------- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf ∗∗∗ Angriffe auf hochriskante Sicherheitslücke in Wordpress-Plug-in Elementor Pro ∗∗∗ --------------------------------------------- Angreifer missbrauchen eine Sicherheitslücke im Wordpress-Plug-in Elementor Pro zum Einbrechen in Webseiten. Admins sollten die Updates umgehend installieren. --------------------------------------------- https://heise.de/-8384344 ∗∗∗ IT-Forscher: Mehr als 15 Millionen verwundbare Systeme offen im Netz ∗∗∗ --------------------------------------------- IT-Forscher haben den Known-Exploited-Vulnerabilities-Catalog der CISA mit der Datenbank Sh0dan abgeglichen und Millionen verwundbarer Systeme gefunden. --------------------------------------------- https://heise.de/-8511852 ∗∗∗ Jetzt updaten: Kritische Schwachstelle in Nextcloud ∗∗∗ --------------------------------------------- Eine als kritisch eingestufte Sicherheitslücke in der Kollaborationssoftware Nextcloud könnte Angreifern das Ausführen von Schadcode ermöglichen. --------------------------------------------- https://heise.de/-8515005 ∗∗∗ Microsoft OneNote Starts Blocking Dangerous File Extensions ∗∗∗ --------------------------------------------- Microsoft is boosting the security of OneNote users by blocking embedded files with extensions that are considered dangerous. --------------------------------------------- https://www.securityweek.com/microsoft-onenote-starts-blocking-dangerous-fi… ∗∗∗ Money Mule: Geldwäsche-Jobs über WhatsApp ∗∗∗ --------------------------------------------- Nehmen Sie sich vor betrügerischen Job-Angeboten auf WhatsApp in Acht. Kriminelle kontaktieren teils wahllos, teils gezielt Menschen auf Job-Suche über die bekannte Chat-Plattform. Ein Tageslohn von 50 bis 300 Euro täglich bei Arbeit aus dem Home-Office mag verlockend klingen. Doch Vorsicht: Sie werden hier zum Money Mule, helfen Kriminellen bei der Geldwäsche und machen sich womöglich selbst strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/money-mule-geldwaesche-jobs-ueber-wh… ∗∗∗ Malicious ISO File Leads to Domain Wide Ransomware ∗∗∗ --------------------------------------------- IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. --------------------------------------------- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wid… ∗∗∗ Bi(n)gBang: Microsoft Azure-Schwachstelle ermöglicht Bing Search Hijacking und Office 365-Datenklau ∗∗∗ --------------------------------------------- Unschöne Geschichte, auf die alle gewartet haben, und die die Gefahren der Cloud aufzeigt. Microsoftsd Azure-Cloud-Dienste ermöglichten eine Fehlkonfigurierung, die dann eine Sicherheitslücke schuf. In der Folge konnten Angreifer potentiell Schadcode in die Suchergebnisseiten von Bing einschleusen, um diese zu [...] --------------------------------------------- https://www.borncity.com/blog/2023/03/30/bigbang-microsoft-azure-schwachste… ∗∗∗ Design-Schwäche im WiFi-Protokoll ermöglicht Angreifern das Abfangen des Netzwerkverkehrs ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag von Ende März 2023. Sicherheitsforscher sind auf eine gravierende Design-Schwäche im IEEE 802.11 WiFi-Protokollstandards gestoßen. Diese Schwäche könnte es Angreifern ermöglichen, WLAN-Zugangspunkte abzuhören und Netzwerk-Frames im Klartext zu übermitteln. --------------------------------------------- https://www.borncity.com/blog/2023/04/02/design-schwche-im-wifi-protokoll-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in Aten PE8108 power distribution unit (CVE-2023-25413, CVE-2023-25415, CVE-2023-25407, CVE-2023-25409, CVE-2023-25414, CVE-2023-25411) ∗∗∗ --------------------------------------------- Pentagrid identified several vulnerabilities in the PE8108 rack power distribution unit (PDU) manufactured by Aten. [..] At the time of publication, the most recent firmware is version v2.4.232 from 2022-11-22 and there is no new firmware available via Atens website. --------------------------------------------- https://www.pentagrid.ch/en/blog/multiple-vulnerabilities-in-aten-PE8108-po… ∗∗∗ Nvidia schließt Sicherheitslücken in Treibern und Verwaltungssoftware ∗∗∗ --------------------------------------------- Nvidia hat zum Monatswechsel aktualisierte Treiber und Verwaltungssoftware veröffentlicht. Damit schließt der Hersteller teils hochriskante Sicherheitslecks. --------------------------------------------- https://heise.de/-8511759 ∗∗∗ Geräteverwaltung HCL Bigfix dichtet DoS-Lücke ab ∗∗∗ --------------------------------------------- Die Geräteverwaltungssoftware HCL Bigfix enthält eine Schwachstelle, die Angreifern das Lahmlegen der Software auf Endpoints ermöglicht. --------------------------------------------- https://heise.de/-8514805 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (duktape, firmware-nonfree, intel-microcode, svgpp, and systemd), Fedora (amanda, dino, flatpak, golang, libldb, netconsd, samba, tigervnc, and vim), Red Hat (nodejs:14), Slackware (ruby and seamonkey), SUSE (drbd, flatpak, glibc, grub2, ImageMagick, kernel, runc, thunderbird, and xwayland), and Ubuntu (amanda). --------------------------------------------- https://lwn.net/Articles/928204/ ∗∗∗ Multiple Vulnerabilities in the Autodesk® FBX® SDK software ∗∗∗ --------------------------------------------- Applications and services utilizing the Autodesk® FBX® SDK software have been affected by an Out-Of-Bounds Write and Stack Buffer Overflow vulnerabilities. Exploitation of these vulnerabilities may lead to information disclosure, code execution and/or denial-of-service. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0004 ∗∗∗ Vulnerabilities for Autodesk® Maya® USD plugin ∗∗∗ --------------------------------------------- USD (Universal Scene Description) plugin for Autodesk® Maya® has been affected by a file uninitialized variable, out-of-bounds read, and out-of-bounds write vulnerabilities. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0003 ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-buffer-overflow-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ HAProxy vulnerable to HTTP request/response smuggling ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN38170084/ ∗∗∗ Multiple vulnerabilities in Seiko Solutions SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210 ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN40604023/ ∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ZDI-23-348: Bentley View SKP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-348/ ∗∗∗ ZDI-23-347: Bentley View SKP File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-347/ ∗∗∗ ZDI-23-346: Bentley View SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-346/ ∗∗∗ ZDI-23-345: Bentley View FBX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-345/ ∗∗∗ ZDI-23-344: Bentley View FBX File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-344/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.03.2023
by Daily end-of-shift report 31 Mar '23

31 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-03-2023 18:00 − Freitag 31-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ 10-year-old Windows bug with opt-in fix exploited in 3CX attack ∗∗∗ --------------------------------------------- A 10-year-old Windows vulnerability is still being exploited in attacks to make it appear that executables are legitimately signed, with the fix from Microsoft still "opt-in" after all these years. Even worse, the fix is removed after upgrading to Windows 11. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/10-year-old-windows-bug-wit… ∗∗∗ Realtek and Cacti flaws now actively exploited by malware botnets ∗∗∗ --------------------------------------------- Multiple malware botnets actively target Cacti and Realtek vulnerabilities in campaigns detected between January and March 2023, spreading ShellBot and Moobot malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/realtek-and-cacti-flaws-now-… ∗∗∗ Hackers exploit bug in Elementor Pro WordPress plugin with 11M installs ∗∗∗ --------------------------------------------- Hackers are actively exploiting a high-severity vulnerability in the popular Elementor Pro WordPress plugin used by over eleven million websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-exploit-bug-in-eleme… ∗∗∗ Use of X-Frame-Options and CSP frame-ancestors security headers on 1 million most popular domains, (Fri, Mar 31st) ∗∗∗ --------------------------------------------- In my last Diary[1], I shortly mentioned the need for correctly set Content Security Policy and/or the obsolete[2] X-Frame-Options HTTP security headers (not just) in order to prevent phishing pages, which overlay a fake login prompt over a legitimate website, from functioning correctly. Or, to be more specific, to prevent them from dynamically loading a legitimate page in an iframe under the fake login prompt, since this makes such phishing websites look much less like a legitimate login page and thus much less effective. --------------------------------------------- https://isc.sans.edu/diary/rss/29698 ∗∗∗ WordPress Vulnerability & Patch Roundup March 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/03/wordpress-vulnerability-patch-roundup-march… ∗∗∗ Booby Trapping IBM i ∗∗∗ --------------------------------------------- In our first post about IBM i we noted that the operating system includes a database engine, Db2. This level of integration means that practically all objects of the system are accessible via SQL, a powerful tool to discover and analyze system configuration, and also to identify potential vulnerabilities. However, the “database view” of the operating system not only allows us to read data, but lets us insert additional data that can affect the behavior of the system too. --------------------------------------------- https://blog.silentsignal.eu/2023/03/30/booby-trapping-ibm-i/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (joblib, json-smart, libmicrohttpd, and xrdp), Fedora (thunderbird and xorg-x11-server-Xwayland), Mageia (dino, perl-Cpanel-JSON-XS, perl-Net-Server, snort, tigervnc/x11-server, and xapian), SUSE (curl, kernel, openssl-1_0_0, and shim), and Ubuntu (glusterfs, linux-gcp-4.15, musl, and xcftools). --------------------------------------------- https://lwn.net/Articles/928013/ ∗∗∗ Samba Releases Security Updates for Multiple Versions of Samba ∗∗∗ --------------------------------------------- The Samba Team has released security updates addressing vulnerabilities in multiple versions of Samba. An attacker could exploit these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the following announcements and apply the necessary updates: CVE-2023-0225 CVE-2023-0922 CVE-2023-0614 --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/03/31/samba-releases-security-… ∗∗∗ Vulnerability Spotlight: Specially crafted files could lead to denial of service, information disclosure in OpenImageIO parser ∗∗∗ --------------------------------------------- OpenImageIO is a library that converts, compares and processes various image files. Blender and AliceVision, two often used computer imaging services, utilize the library, among other software offerings. --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-specially-crafte… ∗∗∗ Xcode 14.3 ∗∗∗ --------------------------------------------- https://support.apple.com/kb/HT213679 ∗∗∗ [webapps] WooCommerce v7.1.0 - Remote Code Execution(RCE) ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/51156 ∗∗∗ IBM Security Bulletins 2023-03-31 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.03.2023
by Daily end-of-shift report 30 Mar '23

30 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-03-2023 18:00 − Donnerstag 30-03-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Cyberkriminelle versenden Schadsoftware im Namen von DocuSign ∗∗∗ --------------------------------------------- Elektronische Signaturdienste wie DocuSign sind spätestens seit der Covid19-Pandemie beliebt, um Verträge oder andere Dokumente zeitsparend und unkompliziert zu unterzeichnen. Ein Trend, der auch von Betrüger:innen aufgegriffen wird: So geben sich Cyberkriminelle per E-Mail als DocuSign aus, um Schadsoftware zu verbreiten. --------------------------------------------- https://www.watchlist-internet.at/news/cyberkriminelle-versenden-schadsoftw… ∗∗∗ Internationaler Monat zur Betrugsbekämpfung: Vorsicht vor Dark Patterns ∗∗∗ --------------------------------------------- Im März 2023 jährt sich der internationale Monat zur Betrugsbekämpfung („ICPEN Fraud Prevention Month"). Das diesjährige Schwerpunktthema ist Dark Patterns. Dark Patterns sind irreführende Designelemente und Webseiten-Gestaltungen, die versuchen User:innen zu verleiten Entscheidungen zu treffen, die nicht in Ihrem besten Interesse liegen. Was Dark Patterns sind, wie Sie diese erkennen und sich am besten schützen, erfahren Sie hier! --------------------------------------------- https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-… ∗∗∗ EDR Product Analysis of an Infostealer ∗∗∗ --------------------------------------------- As mentioned in the report, an Infostealer is being distributed through various platforms, and the leaked information is causing both direct and indirect harm to users. Understanding what information has been stolen and where it is being sent is crucial in order to minimize the damage caused by an Infostealer --------------------------------------------- https://asec.ahnlab.com/en/50685/ ===================== = Vulnerabilities = ===================== ∗∗∗ QNAP warns customers to patch Linux Sudo flaw in NAS devices ∗∗∗ --------------------------------------------- Taiwanese hardware vendor QNAP warns customers to secure their Linux-powered network-attached storage (NAS) devices against a high-severity Sudo privilege escalation vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qnap-warns-customers-to-patc… ∗∗∗ Xray Audit - Moderately critical - Cross site scripting - SA-CONTRIB-2023-012 ∗∗∗ --------------------------------------------- Security risk: Moderately critical Description: This module is a tool for developers, analysts, and administrators that allows them to generate reports on a given Drupal installation.The module does not sufficiently sanitize some data presented in its reports. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-012 ∗∗∗ CVE-2022-37734: graphql-java Denial-of-Service ∗∗∗ --------------------------------------------- graphql-java is the most popular GraphQL server written in Java. It was found to be vulnerable to DoS attacks through the directive overload. [..] The vulnerability was fixed in two stages. The first fix introduced a security control, whereas the second one targeted the root cause. The first fix is presented in the versions of graphql-java 19.0 and later, 18.3, and 17.4. The second fix has been applied in the version 20.1 [..] --------------------------------------------- https://checkmarx.com/blog/cve-2022-37734-graphql-java-denial-of-service/ ∗∗∗ Vulnerability Spotlight: SNIProxy contains remote code execution vulnerability (CVE-2023-25076) ∗∗∗ --------------------------------------------- Talos discovered a remote code execution vulnerability that exists if the user is utilizing wildcard backend hosts when configuring SNIProxy. An attacker could exploit this vulnerability by sending a specially crafted HTTP, TLS or DTLS packet to the target machine, potentially causing a denial of service or gaining the ability to execute remote code. Cisco Talos worked with the managers of SNIProxy to ensure that these issues are resolved and an update is available [..] --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-sniproxy-contain… ∗∗∗ X.org vulnerability and releases (CVE-2023-1393) ∗∗∗ --------------------------------------------- The X.Org project has announced a vulnerability in its X server and Xwayland. This issue can lead to local privileges elevation on systems where the X server is running privileged and remote code execution for ssh X forwarding sessions. [..] That has led to the release of xorg-server 21.1.8, xwayland 22.1.9, and xwayland 23.1.1. --------------------------------------------- https://lwn.net/Articles/927887/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (xorg-server and xrdp), Fedora (mingw-python-certifi, mingw-python3, mingw-zstd, moodle, python-cairosvg, python-markdown-it-py, redis, xorg-x11-server, and yarnpkg), Slackware (mozilla and xorg), SUSE (grub2, ldb, samba, libmicrohttpd, python-Werkzeug, rubygem-rack, samba, sudo, testng, tomcat, webkit2gtk3, xorg-x11-server, xstream, and zstd), and Ubuntu (linux, linux-aws, linux-dell300x, linux-kvm, linux-oracle, linux-raspi2, linux-aws-5.4, linux-azure-5.4, linux-gcp- linux-ibm-5.4, linux-oracle-5.4, linux-raspi-5.4, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, php-nette, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/927855/ ∗∗∗ Synology-SA-23:02 Sudo ∗∗∗ --------------------------------------------- A vulnerability allows local users to conduct privilege escalation attacks via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM). --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_02 ∗∗∗ Popular PABX platform, 3CX Desktop App suffers supply chain attack ∗∗∗ --------------------------------------------- CrowdStrike and SentinelOne cybersecurity researchers identified an unusual spike in malicious activity from a single, legitimate binary, 3CX Voice Over Internet Protocol (VOIP) desktop App (3CX Desktop App). --------------------------------------------- https://www.hackread.com/3cx-desktop-app-supply-chain-attack/ ∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Hitachi Energy IEC 61850 MMS-Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01 ∗∗∗ Multiple vulnerabilities in the mongo-tools utility affect IBM WebSphere Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966998 ∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959353 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959355 ∗∗∗ IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967016 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967012 ∗∗∗ CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967018 ∗∗∗ CVE-2022-41723 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967026 ∗∗∗ CVE-2022-41723 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967022 ∗∗∗ Multiple vulnerabilities may affect IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967213 ∗∗∗ CVE-2022-21426 may affect IBM SDK, Java Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967221 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967243 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty (CVE-2016-0378 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967241 ∗∗∗ IBM QRadar User Behavior Analytics is vulnerable to components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967283 ∗∗∗ Vulnerabilities in PostgreSQL may affect IBM Spectrum Protect Plus (CVE-2022-2625, CVE-2022-1552, CVE-2021-3677) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967285 ∗∗∗ A vulnerability in GNU Tar affects IBM MQ Operator and Queue manager container images (CVE-2022-48303) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966198 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.03.2023
by Daily end-of-shift report 29 Mar '23

29 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-03-2023 18:00 − Mittwoch 29-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ WiFi protocol flaw allows attackers to hijack network traffic ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-at… ∗∗∗ H26Forge: Mehrheit der Video-Decoder wohl systematisch angreifbar ∗∗∗ --------------------------------------------- Immer wieder sorgen Bugs in Video-Decodern für Sicherheitslücken bis hin zu Zero Days. Wissenschaftler zeigen nun eine riesige Angriffsfläche. --------------------------------------------- https://www.golem.de/news/h26forge-mehrheit-der-video-decoder-wohl-systemat… ∗∗∗ Network Data Collector Placement Makes a Difference, (Tue, Mar 28th) ∗∗∗ --------------------------------------------- A previous diary [1] described processing some local PCAP data with Zeek. This data was collected using tcpdump on a DShield Honeypot. When looking at the Zeek connection logs, the connection state information was unexpected. To help understand why, we will compare data from different locations on the network and process the data in a similar way. This will help narrow down where the discrepancies might be coming from, or at least where they are not coming from. --------------------------------------------- https://isc.sans.edu/diary/rss/29664 ∗∗∗ MacStealer: Mac-Malware will Passwörter und Krypto-Wallets klauen ∗∗∗ --------------------------------------------- Eine im Dark Web günstig angebotene Malware soll sensible Daten von Macs extrahieren und über den Messenger Telegram an Angreifer übermitteln. --------------------------------------------- https://heise.de/-8153293 ∗∗∗ Remote PowerShell: Einfallstor bei Exchange Online jetzt mit Gnadenfrist ∗∗∗ --------------------------------------------- Ein halbes Jahr länger bleibt Administratoren, bis sie sich von ihren unsicheren PowerShell-cmdlets für Exchange Online verabschieden müssen. --------------------------------------------- https://heise.de/-8186790 ∗∗∗ Kriminelle erfinden Behörden wie „finanzaufsichtsbehoerde.com“ für Authority-Scams ∗∗∗ --------------------------------------------- Um ihren Opfern das Geld aus der Tasche zu ziehen, greifen Kriminelle häufig zu kreativen Methoden. Aktuell erfinden sie Behörden wie zum Beispiel auf „finanzaufsichtsbehoerde.com“ und „betrugsdezernat.com“ oder imitieren echte Behörden und Institutionen. Egal, was man Ihnen hier verspricht, übermitteln Sie keine Daten und bezahlen Sie kein Geld an derartige Plattformen! --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-erfinden-behoerden-wie-fi… ∗∗∗ Spyware vendors use 0-days and n-days against popular platforms ∗∗∗ --------------------------------------------- [...] In this blog, we’re sharing details about two distinct campaigns we’ve recently discovered which used various 0-day exploits against Android, iOS and Chrome and were both limited and highly targeted. The 0-day exploits were used alongside n-day exploits and took advantage of the large time gap between the fix release and when it was fully deployed on end-user devices. Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits. --------------------------------------------- https://blog.google/threat-analysis-group/spyware-vendors-use-0-days-and-n-… ∗∗∗ Active Exploitation of IBM Aspera Faspex CVE-2022-47986 ∗∗∗ --------------------------------------------- Rapid7 is aware of at least one incident where a customer was compromised via CVE-2022-47986. We strongly recommend patching on an emergency basis. --------------------------------------------- https://www.rapid7.com/blog/post/2023/03/28/etr-active-exploitation-of-ibm-… ∗∗∗ New OpcJacker Malware Distributed via Fake VPN Malvertising ∗∗∗ --------------------------------------------- We discovered a new malware, which we named “OpcJacker” (due to its opcode configuration design and its cryptocurrency hijacking ability), that has been distributed in the wild since the second half of 2022. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/c/new-opcjacker-malware-distri… ∗∗∗ In eigener Sache: CERT.at sucht Verstärkung ∗∗∗ --------------------------------------------- Für unsere täglichen Routineaufgaben suchen wir derzeit 1 Berufsein- oder -umsteiger:in mit ausgeprägtem Interesse an IT-Security, welche:r uns bei den täglich anfallenden Standard-Aufgaben unterstützt. Details finden sich auf unserer Jobs-Seite. --------------------------------------------- https://cert.at/de/blog/2023/3/in-eigener-sache-certat-sucht-verstarkung-20… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (unbound and xorg-server), Fedora (stellarium), Oracle (kernel), SUSE (apache2, oracleasm, python-Werkzeug, rubygem-loofah, sudo, and tomcat), and Ubuntu (git, kernel, and linux-hwe-5.19). --------------------------------------------- https://lwn.net/Articles/927666/ ∗∗∗ Multiple Vulnerabilities in Rocket Software UniRPC server (Fixed) ∗∗∗ --------------------------------------------- In early 2023, Rapid7 discovered several vulnerabilities in Rocket Software UniData UniRPC. We worked with the company to fix issues and coordinate this disclosure. --------------------------------------------- https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-roc… ∗∗∗ [R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2 ∗∗∗ --------------------------------------------- [R1] Stand-alone Security Patches Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202303.2Arnie CabralTue, 03/28/2023 - 11:10 Tenable.sc leverages third-party software to help provide underlying functionality. One of the third-party components in use (Apache) was found to contain vulnerabilities, and updated versions have been made available by the providers. --------------------------------------------- https://www.tenable.com/security/tns-2023-17 ∗∗∗ Security Advisory 2023-02 for PowerDNS Recursor up to and including 4.6.5, 4.7.4 and 4.8.3 ∗∗∗ --------------------------------------------- Hello, Today we have released PowerDNS Recursor 4.6.6, 4.7.5 and 4.8.4 due to a low severity security issue found. Please find the full text of the advisory below. The 4.6, 4.7 and 4.8 changelogs are available. The 4.6.6 (signature), 4.7.5 (signature) and 4.8.4 (signature) tarballs are available from our download server. Patches are available at patches. --------------------------------------------- https://blog.powerdns.com/2023/03/29/security-advisory-2023-02-for-powerdns… ∗∗∗ IBM Security Bulletins 2023-03-29 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000133135: NGINX Agent vulnerability CVE-2023-1550 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133135 ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.9.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-12/ ∗∗∗ Buffer Overflow Vulnerabilities in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-02 ∗∗∗ Buffer Overflow Vulnerability in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-03 ∗∗∗ Vulnerabilities in QTS, QuTS hero, QuTScloud, and QVP ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-06 ∗∗∗ Vulnerability in QTS, QuTS hero, QuTScloud, QVP, and QVR ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-10 ∗∗∗ Vulnerability in sudo ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-11 ∗∗∗ Multiple Vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-23-15 ∗∗∗ Sielco Analog FM Transmitter 2.12 id Cookie Brute Force Session Hijacking ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php ∗∗∗ Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php ∗∗∗ Sielco Analog FM Transmitter 2.12 Improper Access Control Change Admin Password ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php ∗∗∗ Sielco Analog FM Transmitter 2.12 Remote Privilege Escalation ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.03.2023
by Daily end-of-shift report 28 Mar '23

28 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-03-2023 18:00 − Dienstag 28-03-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New MacStealer macOS malware steals passwords from iCloud Keychain ∗∗∗ --------------------------------------------- A new info-stealing malware named MacStealer is targeting Mac users, stealing their credentials stored in the iCloud KeyChain and web browsers, cryptocurrency wallets, and potentially sensitive files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-macstealer-macos-malware… ∗∗∗ Exchange Online to block emails from vulnerable on-prem servers ∗∗∗ --------------------------------------------- Microsoft is introducing a new Exchange Online security feature that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them. --------------------------------------------- https://www.bleepingcomputer.com/news/security/exchange-online-to-block-ema… ∗∗∗ Cybersecurity Challenges of Power Transformers ∗∗∗ --------------------------------------------- To the best of our knowledge, there is no study in the literature that systematically investigate the cybersecurity challenges against the newly emerged smart transformers. This paper addresses this shortcoming by exploring the vulnerabilities and the attack vectors of power transformers within electricity networks, the possible attack scenarios and the risks associated with these attacks. --------------------------------------------- https://arxiv.org/abs/2302.13161 ∗∗∗ OpenSSL 1.1.1 End of Life ∗∗∗ --------------------------------------------- We are now less than 6 months away from the End Of Life (EOL) date for the OpenSSL 1.1.1 series. Users of OpenSSL 1.1.1 should consider their options and plan any actions they might need to take. [..] OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023. It will no longer be receiving publicly available security fixes after that date. --------------------------------------------- https://www.openssl.org/blog/blog/2023/03/28/1.1.1-EOL/ ∗∗∗ The curl quirk that exposed Burp Suite & Google Chrome ∗∗∗ --------------------------------------------- Although this feature took us (and Chrome) by surprise, it is fully documented so we dont consider it to be a vulnerability in curl itself. It reminds me of server-side template injection, where a sandbox escape can be as easy as reading a manual page everyone else overlooked. --------------------------------------------- https://portswigger.net/research/the-curl-quirk-that-exposed-burp-suite-amp… ∗∗∗ Abo-Falle auf produkttester-werden.org ∗∗∗ --------------------------------------------- Produkttester-werden.org wirbt mit der Möglichkeit, regelmäßig und gratis Produkte testen zu können und dafür bis zu 25 Euro Aufwandsentschädigung zu erhalten. Schon bei der Erstregistrierung werden aber persönliche Daten inklusive IBAN abgefragt, eine Einzugsermächtigung verlangt und ein kostenpflichtiges Abonnement über einen versteckten Kostenhinweis abgeschlossen. Wir raten zu Abstand! --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-auf-produkttester-werdenor… ∗∗∗ Emotet Being Distributed via OneNote ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the distribution of Emotet being distributed via OneNote. A spear phishing email as below attached with a OneNote file prompts the reader to open the attachment which contains a malicious script file (JS file). Upon running the OneNote file, it directs the user to click the button to connect to the cloud to open the document. --------------------------------------------- https://asec.ahnlab.com/en/50564/ ===================== = Vulnerabilities = ===================== ∗∗∗ Apple patches everything, including a zero-day fix for iOS 15 users ∗∗∗ --------------------------------------------- Got an older iPhone that cant run iOS 16? Youve got a zero-day to deal with! That super-cool Studio Display monitor needs patching, too. --------------------------------------------- https://nakedsecurity.sophos.com/2023/03/28/apple-patches-everything-includ… ∗∗∗ FortiOS / FortiProxy - Unauthenticated access to static files containing logging information (CVE-2022-41329) ∗∗∗ --------------------------------------------- An exposure of sensitive information to an unauthorized actor vulnerability in FortiOS and FortiProxy administrative interface may allow an unauthenticated attacker to obtain sensitive logging information on the device via crafted HTTP or HTTPs GET requests. --------------------------------------------- https://fortiguard.fortinet.com/psirt/FG-IR-22-364 ∗∗∗ OpenSSL Security Advisory: Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) ∗∗∗ --------------------------------------------- Severity: Low Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. nvalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. [..] Policy processing is disabled by default --------------------------------------------- https://www.openssl.org/news/secadv/20230328.txt ∗∗∗ [webapps] Moodle LMS 4.0 - Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP [..] --------------------------------------------- https://www.exploit-db.com/exploits/51115 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dino-im and runc), Fedora (qemu), Red Hat (firefox), SUSE (chromium, containerd, docker, kernel, and systemd), and Ubuntu (graphicsmagick, linux-azure, linux-gcp, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and node-url-parse). --------------------------------------------- https://lwn.net/Articles/927548/ ∗∗∗ Cisco SD-WAN vManage Software Cluster Mode Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2021-41182, CVE-2022-31160, CVE-2021-41184, CVE-2021-41183 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966410 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-43138 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966400 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2022-31129, CVE-2022-24785 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966418 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2021-21252 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966412 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerabilities CVE-2020-28500, CVE-2021-23337, CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966416 ∗∗∗ IBM Engineering Workflow Management (EWM) vulnerability CVE-2022-24999 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966420 ∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964836 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact(CVE-2022-3509, CVE-2022-3171) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966436 ∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Asset Management (CVE-2022-31160) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966428 ∗∗∗ Maximo Application Suite is vulnerable to CVE-2022-40897 per setuptools dependency ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966084 ∗∗∗ Maximo Application Suite uses jsonwebtoken package which is vulnerable to CVE-2022-23541, CVE-2022-23539, CVE-2022-23529 and CVE-2022-23540 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966434 ∗∗∗ IBM Tivoli Netcool Impact is vulnerable to remote code execution from Apache Commons Net (CVE-2021-37533) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966438 ∗∗∗ IBM Tivoli Netcool Impact is vulnerable to denial of service attack due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966440 ∗∗∗ There is a vulnerability in jQuery UI used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31160) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966442 ∗∗∗ IBM Aspera Cargo 4.2.5 and IBM Aspera Connect 4.2.5 have addressed multiple buffer overflow vulnerabilities (CVE-2023-27286, CVE-2023-27284) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966588 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-26281] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966600 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM Rational ClearCase [CVE-2023-25690] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966602 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966604 ∗∗∗ IBM App Connect Enterprise Certified Container images may be vulnerable to denial of service due to libarchive [CVE-2017-14166] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966610 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service due to [X-Force 247595] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966612 ∗∗∗ IBM Cloud Pak for Data System (CPDS) is vulnerable to arbitrary code execution due to Apache Log4j [CVE-2022-23307] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966636 ∗∗∗ There is a security vulnerability in snakeYAML used by IBM Maximo Data Loader (CVE-2022-41854) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966646 ∗∗∗ There is a security vulnerability in TinyMCE used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-23494) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966644 ∗∗∗ Vulnerability in jetty-http affects IBM Cloud Pak for Data System 2.0(CPDS 2.0) [CVE-2022-2047] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966652 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.03.2023
by Daily end-of-shift report 27 Mar '23

27 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-03-2023 18:00 − Montag 27-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Guidance for investigating attacks using CVE-2023-23397 ∗∗∗ --------------------------------------------- This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization’s environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-inves… ∗∗∗ WooCommerce Credit Card Skimmer Reveals Tampered Plugin ∗∗∗ --------------------------------------------- Disclaimer: The malware infection described in this article does not affect the software plugin as a whole and does not indicate any vulnerabilities or security flaws within WooCommerce or any associated WooCommerce plugin extensions. Overall they are both robust and secure payment platforms that are perfectly safe to use. Instead, this article highlights the importance of maintaining good security posture and keeping environments locked down to prevent tampering from threat actors. --------------------------------------------- https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-plugin… ∗∗∗ Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues Affecting Multiple Cisco Products ∗∗∗ --------------------------------------------- On March 27, 2023, the research paper Framing Frames: Bypassing Wi-Fi Encryption by Manipulating Transmit Queues was made public. This paper discusses vulnerabilities in the 802.11 standard that could allow an attacker to spoof a targeted wireless client and redirect frames that are present in the transmit queues in an access point to an attacker-controlled device. This attack is seen as an opportunistic attack and the information gained by the attacker would be of minimal value in a securely configured network. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Visual Signature Spoofing in PDFs ∗∗∗ --------------------------------------------- Visual Signature Spoofing was partially successful in forging signed documents. Due to the limited support of JavaScript in the other PDF applications, it was only possible to create visual signature spoofs for Adobe Acrobat Reader DC. Other PDF applications may also become vulnerable in the future if they add support for the necessary JavaScript functions. --------------------------------------------- https://sec-consult.com/blog/detail/visual-signature-spoofing-in-pdfs/ ∗∗∗ Using an Undocumented Amplify API to Leak AWS Account IDs ∗∗∗ --------------------------------------------- In a previous blog post I mentioned that I was getting back into AWS vulnerability research in my free time. I’ve been taking a closer look at undocumented AWS APIs, trying to find hidden functionality that may be useful for an attacker or cross tenant boundaries. [...] I reported this API to AWS who responded that it did not “represent a security issue”, however, 3 days later, the API was disabled. --------------------------------------------- https://frichetten.com/blog/undocumented-amplify-api-leak-account-id/ ∗∗∗ Microsoft verteilt Sicherheitsupdate für Windows Snipping Tool ∗∗∗ --------------------------------------------- Microsoft hat ein außerplanmäßiges Sicherheitsupdate veröffentlicht. Es soll eine Schwachstelle im Windows Snipping Tool beseitigen – der in Windows 10 und Windows 11 integrierten Screenshot-App. Ähnlich wie zuletzt auch unter Android entfernt das Tool „gelöschte“ Bereiche von zugeschnittenen Screenshots nicht vollständig, sodass sie nachträglich wiederhergestellt werden können. --------------------------------------------- https://www.zdnet.de/88408044/microsoft-verteilt-sicherheitsupdate-fuer-win… ∗∗∗ Deprecation of Remote PowerShell in Exchange Online – Re-enabling or Extending RPS support ∗∗∗ --------------------------------------------- PowerShell (PS) cmdlets in Exchange Online use Remote PowerShell (RPS) for client to server communication. Unfortunately, RPS is legacy technology that is outdated and can pose security risks. As such, we recommend all customers move to the new more secure REST-based v3 PowerShell module, which will help us improve security – together. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/deprecation-of-re… ∗∗∗ OneNote Embedded URL Abuse ∗∗∗ --------------------------------------------- Whilst Microsoft is fixing the embedded files feature in OneNote I decided to abuse a whole other feature. Embedded URLs. Turns out this is something they may also have to fix. --------------------------------------------- https://blog.nviso.eu/2023/03/27/onenote-embedded-url-abuse/ ∗∗∗ Rhadamanthys: The “Everything Bagel” Infostealer ∗∗∗ --------------------------------------------- Key Takeaways: * Rhadamanthys is an advanced infostealer which debuted on the dark web in September of last year to a warm critical reception by cybercriminals. * A maximalist approach to features: functionality is added for its own sake, never mind the effort required or expected payoff. * Campaigns by default target countries indiscriminately, excluding the commonwealth of independent states. This is typical of this kind of malware. * Multiple-stage loader/shellcode execution has been researched in prior publications and has made it difficult to reach a proper interactive disassembly workflow with the actual information-stealing logic. --------------------------------------------- https://research.checkpoint.com/2023/rhadamanthys-the-everything-bagel-info… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Cloud Management for Catalyst migration feature of Cisco IOS XE Software could allow an authenticated, local attacker to gain root-level privileges on an affected device. This vulnerability is due to insufficient memory protection in the Cisco IOS XE Meraki migration feature of an affected device. An attacker could exploit this vulnerability by modifying the Meraki registration parameters. A successful exploit could allow the attacker to elevate privileges to root. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ABB RCCMD – Use of default password (CVE-2022-4126) ∗∗∗ --------------------------------------------- A software update is available that resolves a privately reported vulnerability [...] An attacker who successfully exploited this vulnerability could take control of the computer the software runs on and possibly insert and run arbitrary code. --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=2CMT0… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libreoffice and xen), Fedora (chromium, curl, and xen), Red Hat (kernel, kernel-rt, kpatch-patch, and thunderbird), Scientific Linux (thunderbird), Slackware (tar), SUSE (apache2, ceph, curl, dpdk, helm, libgit2, and php7), and Ubuntu (firefox and thunderbird). --------------------------------------------- https://lwn.net/Articles/927451/ ∗∗∗ baserCMS vulnerable to arbitrary file uploads ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN61105618/ ∗∗∗ IBM Security Bulletins 2023-03-25 - 2023-03-27 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.03.2023
by Daily end-of-shift report 24 Mar '23

24 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-03-2023 18:00 − Freitag 24-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Critical WooCommerce Payments Plugin Flaw Patched for 500,000+ WordPress Sites ∗∗∗ --------------------------------------------- Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1. --------------------------------------------- https://thehackernews.com/2023/03/critical-woocommerce-payments-plugin.html ∗∗∗ GitHub publishes RSA SSH host keys by mistake, issues update ∗∗∗ --------------------------------------------- Getting connection failures? Dont panic. Get new keys GitHub has updated its SSH keys after accidentally publishing the private part to the world. Whoops. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/03/24/github_chang… ∗∗∗ ChinaZ DDoS Bot Malware Distributed to Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the ChinaZ DDoS Bot malware being installed on inadequately managed Linux SSH servers. [..] The threat group most likely scanned port 22, the area where SSH services operate, before finding an active SSH service and performing a dictionary attack using commonly used SSH account credentials. --------------------------------------------- https://asec.ahnlab.com/en/50316/ ∗∗∗ Hacking AI: System and Cloud Takeover via MLflow Exploit ∗∗∗ --------------------------------------------- Protect AI tested the security of MLflow and found a combined Local File Inclusion/Remote File Inclusion vulnerability which can lead to a complete system or cloud provider takeover. Organizations running an MLflow server are urged to update to the latest release immediately. --------------------------------------------- https://protectai.com/blog/hacking-ai-system-takeover-exploit-in-mlflow ∗∗∗ JavaScript-Runtime: Deno 1.32 schließt kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Die JS-Runtime Deno 1.32 liefert weitere Verbesserungen für die Kompatibilität mit Node.js und neue Funktionen für den Befehl deno compile. --------------------------------------------- https://heise.de/-7971810 ∗∗∗ CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections ∗∗∗ --------------------------------------------- The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments. --------------------------------------------- https://www.securityweek.com/cisa-ships-untitled-goose-tool-to-hunt-for-mic… ∗∗∗ APT attacks on industrial organizations in H2 2022 ∗∗∗ --------------------------------------------- This summary provides an overview of APT attacks on industrial enterprises and activity of groups that have been observed attacking industrial organizations and critical infrastructure facilities. --------------------------------------------- https://ics-cert.kaspersky.com/publications/apt-attacks-on-industrial-organ… ∗∗∗ Outlook-Schwachstelle CVE-2023-23397 nicht vollständig gepatcht – Absicherung erforderlich ∗∗∗ --------------------------------------------- Noch ein kurzer Nachtrag zum März 2023-Patchday. Microsoft hat zum 14. März 2023 die kritische RCE-Schwachstelle CVE-2023-23397 in Outlook zwar mit einem Sicherheitsupdate versehen. Aber der Patch ist unvollständig, der Angriff kann weiterhin mit etwas modifizierten E-Mails immer noch ausgelöst werden. Und inzwischen ist ein Proof of Concept öffentlich, was demonstriert, wie die Schwachstelle ausgenutzt wird. --------------------------------------------- https://www.borncity.com/blog/2023/03/24/outlook-schwachstelle-cve-2023-233… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the implementation of the Cisco Network Plug-and-Play (PnP) agent of Cisco DNA Center could allow an authenticated, remote attacker to view sensitive information in clear text. The attacker must have valid low-privileged user credentials. This vulnerability is due to improper role-based access control (RBAC) with the integration of PnP. An attacker could exploit this vulnerability by authenticating to the device and sending a query to an internal API. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libdatetime-timezone-perl, and tzdata), Fedora (flatpak and gmailctl), Mageia (firefox, flatpak, golang, gssntlmssp, libmicrohttpd, libtiff, python-flask-security, python-owslib, ruby-rack, thunderbird, unarj, and vim), Red Hat (firefox, kpatch-patch, nss, openssl, and thunderbird), SUSE (containerd, hdf5, qt6-base, and squirrel), and Ubuntu (amanda, gif2apng, graphviz, and linux, linux-aws, linux-azure, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi). --------------------------------------------- https://lwn.net/Articles/927198/ ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-003 ∗∗∗ ELECOM WAB-MAT registers its windows service executable with an unquoted file path ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN35246979/ ∗∗∗ TADDM is vulnerable to a denial of service vulnerability in Apache-Log4j (CVE-2023-26464) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965790 ∗∗∗ IBM Tivoli Application Dependency Discovery Manager is vulnerable to a bypass vulnerability due to the use of Python (CVE-2023-24329) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965792 ∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965612 ∗∗∗ Vulnerabilities in Node.js, libcurl, Golang Go, Jetty, Guava, Netty, OpenSSL, Linux kernel may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965816 ∗∗∗ Stored SMB credentials may allow access to vSnap after oracle backup in IBM Spectrum Protect Plus for Db2 and Oracle (CVE-2023-27863) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965812 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965822 ∗∗∗ Multiple vulnerabilies in Java affect IBM Robotic Process Automation for Cloud Pak which may result in a denial of service (CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965846 ∗∗∗ A vulnerability in Luxon may affect IBM Robotic Process Automation and result in a denial of service (CVE-2023-22467) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965848 ∗∗∗ Multiple vulnerabilities in IBM Content Navigator may affect IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965908 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.03.2023
by Daily end-of-shift report 23 Mar '23

23 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-03-2023 18:00 − Donnerstag 23-03-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Developing an incident response playbook ∗∗∗ --------------------------------------------- Incident response playbooks help optimize the SOC processes, and are a major step forward to SOC maturity, but can be challenging for a company to develop. In this article, I want to share some insights on how to create the (almost) perfect playbook. --------------------------------------------- https://securelist.com/developing-an-incident-response-playbook/109145/ ∗∗∗ Cropping and Redacting Images Safely, (Thu, Mar 23rd) ∗∗∗ --------------------------------------------- The recent "acropalypse" vulnerabilities in Android and Windows 11 showed yet again the dangers of relying on image processing tools to redact images. [..] Here are some approaches to make image redaction safer. But please use them with caution. --------------------------------------------- https://isc.sans.edu/diary/rss/29666 ∗∗∗ German and South Korean Agencies Warn of Kimsukys Expanding Cyber Attack Tactics ∗∗∗ --------------------------------------------- German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users Gmail inboxes. --------------------------------------------- https://thehackernews.com/2023/03/german-and-south-korean-agencies-warn.html ∗∗∗ AIIPot: Adaptive Intelligent-Interaction Honeypot for IoT Devices ∗∗∗ --------------------------------------------- In this paper, we propose a honeypot for IoT devices that uses machine learning techniques to learn and interact with attackers automatically. The evaluation of the proposed model indicates that our system can improve the session length with attackers and capture more attacks on the IoT network. --------------------------------------------- https://arxiv.org/abs/2303.12367 ∗∗∗ Memory Forensics R&D Illustrated: Detecting Hidden Windows Services ∗∗∗ --------------------------------------------- To begin the series, this post discusses a new detection technique for hidden services on Windows 7 through 11. Since not all readers will be familiar with hidden services and the danger they pose on live systems, we will start with some brief background. --------------------------------------------- https://volatility-labs.blogspot.com/2023/03/memory-forensics-r-d-illustrat… ∗∗∗ Malicious Actors Use Unicode Support in Python to Evade Detection ∗∗∗ --------------------------------------------- Phylum’s automated platform recently detected the onyxproxy package on PyPI, a malicious package that harvests and exfiltrates credentials and other sensitive data. In many ways, this package typifies other token stealers that we have found prevalent in PyPI. However, one feature of this particular package caught our eye: an obfuscation technique that was foreseen in 2007 during a discussion about Python’s support for Unicode [..] --------------------------------------------- https://blog.phylum.io/malicious-actors-use-unicode-support-in-python-to-ev… ∗∗∗ Joomla! CVE-2023-23752 to Code Execution ∗∗∗ --------------------------------------------- On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. [..] disclosure was followed by a stream of exploits hitting GitHub, and multiple indicators of exploitation in the wild. The public exploits focus on leaking the victim’s MySQL database credentials – an unexciting prospect (we thought), because exposing the database to the internet is a dangerous misconfiguration. Nonetheless, attackers seemed interested in the vulnerability, so we sought to find out why. --------------------------------------------- https://vulncheck.com/blog/joomla-for-rce ∗∗∗ Fehlalarm: Microsoft-Defender-Warnung vor deaktiviertem Schutz führt in die Irre ∗∗∗ --------------------------------------------- Unter Windows 11 zeigt Microsoft Defender auf vielen Systemen einen deaktivieren Schutz durch "die lokalen Sicherheitsautorität". Das ist ein Fehlalarm. --------------------------------------------- https://heise.de/-7659972 ∗∗∗ Technische Richtlinie zu Public Key Infrastrukturen für Technische Sicherheitseinrichtungen veröffentlicht ∗∗∗ --------------------------------------------- Das BSI hat am 23. März 2023 die neue Technische Richtlinie BSI TR-03145-5 für den sicheren Betrieb einer Public Key Infrastruktur für Technische Sicherheitseinrichtungen veröffentlicht. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 13, 2023 to Mar 19, 2023) ∗∗∗ --------------------------------------------- Last week, there were 92 vulnerabilities disclosed in 76 WordPress Plugins and 7 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database [..] --------------------------------------------- https://www.wordfence.com/blog/2023/03/wordfence-intelligence-weekly-wordpr… ∗∗∗ Pack it Secretly: Earth Preta’s Updated Stealthy Strategies ∗∗∗ --------------------------------------------- After months of investigation, we found that several undisclosed malware and interesting tools used for exfiltration purposes were being used by Earth Preta. We also observed that the threat actors were actively changing their tools, tactics, and procedures (TTPs) to bypass security solutions. In this blog entry, we will introduce and analyze the other tools and malware used by the threat actor. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy… ===================== = Vulnerabilities = ===================== ∗∗∗ Virenschutz: Malwarebytes ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Der Virenschutz von Malwarebytes ermöglicht Angreifern, beliebige Dateien zu löschen oder ihre Rechte im System auszuweiten. Ein Update schließt die Lücke. --------------------------------------------- https://heise.de/-7674565 ∗∗∗ Sicherheitslücke: Angreifer könnten Switches von Aruba kompromittieren (CVE-2023-1168) ∗∗∗ --------------------------------------------- Aufgrund einer Schwachstelle sind bestimmte Switches von Aruba verwundbar. Admins sollten Geräte jetzt absichern. Die Lücke betrifft die Network Analytics Engine. Dort könnte ein authentifizierter Angreifer für eine Schadcode-Attacke ansetzen, um Geräte vollständig zu kompromittieren. Wie eine Attacke ablaufen könnte, ist bislang nicht bekannt. --------------------------------------------- https://heise.de/-7658264 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, nss, and openssl), Fedora (firefox, liferea, python-cairosvg, and tar), Oracle (openssl and thunderbird), Scientific Linux (firefox, nss, and openssl), SUSE (container-suseconnect, grub2, libplist, and qemu), and Ubuntu (amanda, apache2, node-object-path, and python-git). --------------------------------------------- https://lwn.net/Articles/926972/ ∗∗∗ VARTA: Multiple devices prone to hard-coded credentials (CVE-2022-22512) ∗∗∗ --------------------------------------------- VARTA energy storage systems have a web user interface via which users and installers can access live data measurements and configure the system to their needs. It has been discovered that the corresponding credentials are hard-coded within the frontend and thus potentially exploitable. --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-061/ ∗∗∗ Warning for Asset Management Program (TCO!Stream) Vulnerability and Update Recommendation ∗∗∗ --------------------------------------------- Solution: Users must check their program version by following the steps below and update their program to the latest version (versions 8.0.23.215 or above). – Service operator: Replace with the latest version through MLsoft – Service user: Updated automatically when the operator switches to the latest version --------------------------------------------- https://asec.ahnlab.com/en/50213/ ∗∗∗ SAUTER EY-modulo 5 Building Automation Stations ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-03 ∗∗∗ RoboDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-01 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-04 ∗∗∗ CP Plus KVMS Pro ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-02 ∗∗∗ ABB Pulsar Plus Controller ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-05 ∗∗∗ ProPump and Controls Osprey Pump Controller ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-082-06 ∗∗∗ IBM Integration Bus is vulnerable to a remote attack & denial of service due to Apache Thrift & Apache Commons Codec (CVE-2018-1320, CVE-2019-0205, IBM X-Force ID: 177835) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965298 ∗∗∗ IBM Watson CloudPak for Data Data Stores are vulnerable to web pages stored locally which can be read by another user on the system ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965446 ∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to allowing a user with physical access and specific knowledge of the system to modify files or data on the system.(CVE-2023-26282) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965452 ∗∗∗ IBM Watson CloudPak for Data Data Stores is vulnerable to an attacker with specific knowledge about the system to manipulate data due to improper input validation(CVE-2023-28512) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965456 ∗∗∗ Security Bulletin: Watson CP4D Data Stores for Cloud Pak for Data does not encypt sensitive information before storage or transmission (CVE-2023-27291) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965458 ∗∗∗ IBM API Connect is impacted by an improper access control vulnerability (CVE-2023-28522) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965612 ∗∗∗ Vulnerabilities found within Java collectors used by IBM Tivoli Network Manager (ITNM) IP Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965698 ∗∗∗ WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965702 ∗∗∗ A vulnerability has been identified in IBM Spectrum Scale Data Access Services (DAS) which can cause denial of service. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964532 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965732 ∗∗∗ Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client NetApp Services (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963786 ∗∗∗ Stored cross-site vulnerability when performing a document upload using Responsive Document Explorer affect IBM Business Automation Workflow - CVE-2023-24957 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6965776 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.03.2023
by Daily end-of-shift report 22 Mar '23

22 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-03-2023 18:00 − Mittwoch 22-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ PoC exploits released for Netgear Orbi router vulnerabilities ∗∗∗ --------------------------------------------- Proof-of-concept exploits for vulnerabilities in Netgears Orbi 750 series router and extender satellites have been released, with one flaw a critical severity remote command execution bug. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-ne… ∗∗∗ Windows Snipping-Tool anfällig für "Acropalypse" ∗∗∗ --------------------------------------------- Anfang der Woche wurde eine "Acropalypse" genannte Lücke im Screenshot-Tool von Google Pixel-Phones bekannt. Das Windows 11 Snipping-Tool verhält sich ebenso. --------------------------------------------- https://heise.de/-7619561 ∗∗∗ Cyber-Sicherheit für das Management ∗∗∗ --------------------------------------------- Das international erscheinende Handbuch „Management von Cyber-Risiken“, das durch das BSI in Zusammenarbeit mit der Internet Security Alliance entwickelt wurde, erhält ein weitreichendes Update --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Blackmail Roulette: The Risks of Electronic Shelf Labels for Retail and Critical Infrastructure ∗∗∗ --------------------------------------------- During our research, we analyzed the unknown micro-controller (MCU) of the SUNY ESL tag, which is a common Chinese ESL tag vendor, gained debug access and reverse engineered the proprietary 433 MHz radio-frequency (RF) protocol. As no authentication is used, we were able to update any ESL tag within RF range with arbitrary content. --------------------------------------------- https://sec-consult.com/blog/detail/blackmail-roulette-the-risks-of-electro… ∗∗∗ Erpressungsmail: „Ich weiß von Ihrem sexuellen Interesse an kleinen Kindern“ ∗∗∗ --------------------------------------------- Aktuell wird uns vermehrt ein Erpressungsmail gemeldet, in dem Empfänger:innen beschuldigt werden, sexuelle Interessen an Kindern zu haben. Angeblich wurde beim Pornoschauen ein Programm heruntergeladen, welches die Kamera aktivierte und die Person beim Masturbieren filmte. Dieses Video wird verbreitet, wenn nicht innerhalb einer Woche Bitcoins überwiesen werden. Alles frei erfunden! Löschen Sie dieses E-Mail, es handelt sich um Fake. --------------------------------------------- https://www.watchlist-internet.at/news/erpressungsmail-ich-weiss-von-ihrem-… ===================== = Vulnerabilities = ===================== ∗∗∗ TYPO3-EXT-SA-2023-003: Cross-Site Scripting in extension "Fluid Components" (fluid_components) ∗∗∗ --------------------------------------------- The extension is vulnerable to cross-site scripting if user-controlled data is used as a component argument parameter. A detailed description of the issue as well as some examples are provided in the extension documentation. --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-003 ∗∗∗ Java-Plattform: Kritische Lücke in VMware Tanzu Spring Framework geschlossen ∗∗∗ --------------------------------------------- Zwei Schwachstellen bedrohen das Spring Framework. Eine Lücke gilt als kritisch. Updates zum Schließen des Sicherheitslecks stehen bereit. --------------------------------------------- https://heise.de/-7614914 ∗∗∗ Webbrowser: Chrome-Update dichtet acht Sicherheitslücken ab ∗∗∗ --------------------------------------------- Der Webbrowser Chrome schließt acht Sicherheitslücken mit Updates. Angreifer können durch sie etwa mit manipulierten Webseiten Schadcode einschmuggeln. --------------------------------------------- https://heise.de/-7611326 ∗∗∗ OpenSSL Security Advisory: Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) ∗∗∗ --------------------------------------------- Severity: Low A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. [..] Policy processing is disabled by default --------------------------------------------- https://www.openssl.org/news/secadv/20230322.txt ∗∗∗ Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites). --------------------------------------------- https://www.wordfence.com/blog/2023/03/multiple-reflected-cross-site-script… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (firefox), Oracle (kernel, kernel-container, and nss), and SUSE (curl, dpdk, drbd, go1.18, kernel, openstack-cinder, openstack-glance, openstack-neutron-gbp, openstack-nova, python-oslo.utils, oracleasm, python3, slirp4netns, and xen). --------------------------------------------- https://lwn.net/Articles/926843/ ∗∗∗ [R1] Tenable.sc Version 6.1.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Tenable.sc 6.1.0 updates Apache to version 2.4.56 and PHP to 8.1.16 to address the identified vulnerabilities. --------------------------------------------- https://www.tenable.com/security/tns-2023-16 ∗∗∗ CVE-2023-0391: MGT-COMMERCE CloudPanel Shared Certificate Vulnerability and Weak Installation Procedures ∗∗∗ --------------------------------------------- Rapid7 has discovered three security concerns in CloudPanel from MGT-COMMERCE, a self-hosted web administration solution. --------------------------------------------- https://www.rapid7.com/blog/post/2023/03/21/cve-2023-0391-mgt-commerce-clou… ∗∗∗ Cisco Access Point Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Web UI Path Traversal Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco SD-WAN vManage Software Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Virtual Fragmentation Reassembly Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software IOx Application Hosting Environment Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE SD-WAN Software Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software Fragmented Tunnel Protocol Packet Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS and IOS XE Software IPv6 DHCP (DHCPv6) Relay and Server Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers HTTP Client Profiling Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco DNA Center Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Wireless LAN Controllers CAPWAP Join Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XE Software for Cisco Catalyst 9300 Series Switches Secure Boot Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software, Firepower Threat Defense Software, IOS Software, and IOS XE Software IPv6 DHCP (DHCPv6) Client Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Low-Entropy Keys Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Access Point Software Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Access Point Software Association Request Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964832 ∗∗∗ Multiple vulnerabilities in IBM WebSphere eXtreme Scale Liberty Deployment. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964844 ∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964836 ∗∗∗ Multiple vulnerabilities in OpenSSL affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964854 ∗∗∗ IBM QRadar SIEM is vulnerable to privilege escalation (CVE-2022-43863) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964862 ∗∗∗ Multiple vulnerabilities in Golang Go affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6612805 ∗∗∗ IBM Workload Scheduler is vulnerable to XML External Entity Injection (XXE) attack ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6890697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.03.2023
by Daily end-of-shift report 21 Mar '23

21 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-03-2023 18:00 − Dienstag 21-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows 11 bug warns Local Security Authority protection is off ∗∗∗ --------------------------------------------- Windows 11 users report seeing widespread Windows Security warnings that Local Security Authority (LSA) Protection has been disabled even though it shows as being toggled on. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-11-bug-warns-local-… ∗∗∗ From Phishing Kit To Telegram... or Not!, (Mon, Mar 20th) ∗∗∗ --------------------------------------------- Today, I spotted a phishing campaign that stores collected credentials via a Telegram bot! Telegram bots are common in malicious Python scripts but less common in Phishing campaigns! --------------------------------------------- https://isc.sans.edu/diary/rss/29650 ∗∗∗ Google Cloud Log Extraction ∗∗∗ --------------------------------------------- In this blog post, we review the methods through which we can extract logs from Google Cloud. --------------------------------------------- https://www.sans.org/blog/google-cloud-log-extraction/ ∗∗∗ Find Threats in Event Logs with Hayabusa ∗∗∗ --------------------------------------------- Hayabusa is a Windows event log fast forensics timeline generator and threat hunting tool created by the Yamato Security group in Japan. Hayabusa means "peregrine falcon" in Japanese and was chosen as peregrine falcons are the fastest animal in the world, great at hunting and highly trainable. --------------------------------------------- https://blog.ecapuano.com/p/find-threats-in-event-logs-with-hayabusa ∗∗∗ Black Angel Rootkit ∗∗∗ --------------------------------------------- Black Angel is a Windows 11/10 x64 kernel mode rootkit. Rootkit can be loaded with enabled DSE while maintaining its full functionality. Designed for Red Teams. --------------------------------------------- https://github.com/XaFF-XaFF/Black-Angel-Rootkit ∗∗∗ Linux auditd for Threat Detection [Final] ∗∗∗ --------------------------------------------- The focus of this article will be to describe what behaviors allow for which events to be recorded by auditd. Additionally, you will see where auditd is not capable of recording certain events, despite verbose settings. --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-detection-final-9d51737… ∗∗∗ Nexus: a new Android botnet? ∗∗∗ --------------------------------------------- On January 2023, a new Android banking trojan appeared on multiple hacking forums under the name of Nexus. However, Cleafy’s Threat Intelligence & Response Team traced the first Nexus infections way before the public announcement in June 2022. --------------------------------------------- https://www.cleafy.com/cleafy-labs/nexus-a-new-android-botnet ∗∗∗ Mitigating SSRF in 2023 ∗∗∗ --------------------------------------------- Server-Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick a server-side application to make a request to an unintended location. SSRF, unlike most other specific vulnerabilities, has gained its own spot on the OWASP Top 10 2021. This reflects both how common and how impactful this type of vulnerability has become. --------------------------------------------- https://blog.includesecurity.com/2023/03/mitigating-ssrf-in-2023/ ∗∗∗ Malicious NuGet Packages Used to Target .NET Developers ∗∗∗ --------------------------------------------- Software developers have been targeted in a new attack via malicious packages in the NuGet repository. --------------------------------------------- https://www.securityweek.com/malicious-nuget-packages-used-to-target-net-de… ∗∗∗ Achtung: Betrügerische Anrufe zu Eurojackpot-Gewinn! ∗∗∗ --------------------------------------------- Nehmen Sie sich vor angeblichen Gewinnbenachrichtigungen per Anruf, E-Mail, Post und Social Media im Namen von Eurojackpot in Acht. Kriminelle geben sich als die Lotterie aus und behaupten, dass Sie Geld gewonnen haben. Im weiteren Verlauf sollen Sie vorab Geld bezahlen, um die Auszahlung zu erhalten. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betruegerische-anrufe-zu-eur… ∗∗∗ Patch CVE-2023-23397 Immediately: What You Need To Know and Do ∗∗∗ --------------------------------------------- We break down the basic information of CVE-2023-23397, the zero-day, zero-touch vulnerability that was rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/c/patch-cve-2023-23397-immedia… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2), Oracle (firefox, nss, and openssl), Slackware (curl and vim), SUSE (dpdk, firefox, grafana, oracleasm, python-cffi, python-Django, and qemu), and Ubuntu (ruby2.7, sox, and tigervnc). --------------------------------------------- https://lwn.net/Articles/926759/ ∗∗∗ XSA-429 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-429.html ∗∗∗ XSA-428 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-428.html ∗∗∗ XSA-427 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-427.html ∗∗∗ Keysight N6845A Geolocation Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-01 ∗∗∗ Delta Electronics InfraSuite Device Master ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-02 ∗∗∗ VISAM VBASE Automation Base ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-05 ∗∗∗ Siemens RUGGEDCOM APE1808 Product Family ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-080-03 ∗∗∗ Rockwell Automation ThinManager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-22-080-06 ∗∗∗ Vulnerability Spotlight: WellinTech ICS platform vulnerable to information disclosure, buffer overflow vulnerabilities ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-wellintech-ics-p… ∗∗∗ Spring Vault 3.0.2 and 2.3.3 fix CVE-2023-20859 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-vault-3-0-2-and-2-3-3-fix-cve-2023… ∗∗∗ Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to Moment CVE-2023-22467 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964588 ∗∗∗ A vulnerability in protobuf may affect IBM Robotic Process Automation and result in a denial of service (CVE-2022-1941) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852651 ∗∗∗ IBM Aspera Faspex 4.4.2 PL3 has addressed multiple vulnerabilities (CVE-2023-27871, CVE-2023-27873, CVE-2023-27874) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964694 ∗∗∗ IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963662 ∗∗∗ Vulnerability in Apache Commons FileUpload library affect Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964742 ∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964752 ∗∗∗ Multiple vulnerabilities of Mozilla Firefox ESR have affected APM Synthetic Playback Agent ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964754 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.03.2023
by Daily end-of-shift report 20 Mar '23

20 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-03-2023 18:00 − Montag 20-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New ‘HinataBot’ botnet could launch massive 3.3 Tbps DDoS attacks ∗∗∗ --------------------------------------------- A new malware botnet was discovered targeting Realtek SDK, Huawei routers, and Hadoop YARN servers to recruit devices into DDoS (distributed denial of service) swarm with the potential for massive attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-hinatabot-botnet-could-l… ∗∗∗ Google: Bearbeitete Pixel-Screenshots lassen sich wiederherstellen ∗∗∗ --------------------------------------------- Wer Teile von Screenshots unkenntlich macht, verlässt sich darauf, dass dies auch so bleibt. Bei Pixel-Smartphones war das bisher nicht so. --------------------------------------------- https://www.golem.de/news/google-bearbeitete-pixel-screenshots-lassen-sich-… ∗∗∗ Ransomware: Emotet kehrt zurück – als OneNote-E-Mail-Anhang ∗∗∗ --------------------------------------------- Die hochentwickelte Schadsoftware Emotet ist wieder aktiv. Sie findet in Form von bösartigen OneNote-Dateien ihren Weg in den E-Mail-Eingang potenzieller Opfer. --------------------------------------------- https://heise.de/-7551285 ∗∗∗ Malware-Masche: Acrobat Sign-Dienst zum Unterschieben von Malware missbraucht ∗∗∗ --------------------------------------------- Avast hat eine neue Masche beobachtet, mit der Cyberkriminelle Opfern Malware unterjubeln wollten. Sie missbrauchen dazu den Adobe-Sign-Dienst. --------------------------------------------- https://heise.de/-7557288 ∗∗∗ Researchers Shed Light on CatB Ransomwares Evasion Techniques ∗∗∗ --------------------------------------------- The threat actors behind the CatB ransomware operation have been observed using a technique called DLL search order hijacking to evade detection and launch the payload. CatB, also referred to as CatB99 and Baxtoy, emerged late last year and is said to be an "evolution or direct rebrand" of another ransomware strain known as Pandora based on code-level similarities. --------------------------------------------- https://thehackernews.com/2023/03/researchers-shed-light-on-catb.html ∗∗∗ Bypassing CloudTrail in AWS Service Catalog, and Other Logging Research ∗∗∗ --------------------------------------------- In this blog post, we’ll share some of our latest research into bypassing CloudTrail. We’ll cover a method that allowed CloudTrail bypass with both read and write API actions for the Service Catalog service. This now-fixed vulnerability is noteworthy, because it was the first publicly known CloudTrail bypass that could permit an attacker to alter an AWS environment. --------------------------------------------- https://securitylabs.datadoghq.com/articles/bypass-cloudtrail-aws-service-c… ∗∗∗ IcedID’s VNC Backdoors: Dark Cat, Anubis & Keyhole ∗∗∗ --------------------------------------------- In this post we introduce Dark Cat, Anubis and Keyhole, three IcedID VNC backdoor variants NVISO observed. Well follow by exposing common TTPs before revealing information leaked through the attackers clipboard data. --------------------------------------------- https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyh… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal-Sicherheitslücke könnte Angreifern die Systemübernahme ermöglichen ∗∗∗ --------------------------------------------- Die US-Cyber-Sicherheitsbehörde CISA warnt vor einer Sicherheitslücke im Content-Management-System Drupal. Angreifer könnten verwundbare Systeme kapern. --------------------------------------------- https://heise.de/-7550599 ∗∗∗ OpenSSH 9.3 dichtet Sicherheitslecks ab ∗∗∗ --------------------------------------------- Die Entwickler von OpenSSH haben Version 9.3 der Verschlüsselungssuite veröffentlicht. Sie schließt Sicherheitslücken und behebt kleinere Fehler. --------------------------------------------- https://heise.de/-7550738 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, imagemagick, sox, thunderbird, and xapian-core), Fedora (chromium, containernetworking-plugins, guile-gnutls, mingw-python-OWSLib, pack, pypy3.7, sudo, thunderbird, tigervnc, and vim), Mageia (apache, epiphany, heimdal, jasper, libde265, libtpms, liferea, mysql-connector-c++, perl-HTML-StripScripts, protobuf, ruby-git, sqlite3, woodstox-core, and xfig), Oracle (kernel), Red Hat (firefox, nss, and openssl), SUSE (apache2, docker, drbd, kernel, and oracleasm), and Ubuntu (curl, python2.7, python3.10, python3.5, python3.6, python3.8, and vim). --------------------------------------------- https://lwn.net/Articles/926636/ ∗∗∗ IBM Security Bulletins 2023-03-20 ∗∗∗ --------------------------------------------- * Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) * Watson AI Gateway for Cloud Pak for Data is vulnerable to an OpenSSL denial of service caused by a type confusion error (CVE-2023-0286) * IBM Aspera Faspex 5.0.4 can be vulnerable to improperly authorized password changes * Watson AI Gateway for Cloud Pak for Data is vulnerable to Ansible Runner code execution and could allow a local authenticated attacker to execute arbitrary code on the system, caused by improper shell escaping of the shell command. * IBM Aspera Faspex can be vulnerable to improperly authorized password changes * Vulnerability in EFS affects AIX (CVE-2021-29861) * Vulnerability in libc affects AIX (CVE-2021-29860) * Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286) * Vulnerabilites in OpenSSL may affect IBM Spectrum Protect Backup-Archive Client (CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217) * A denial of service vulnerability in JDOM affects IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE CVE-2021-33813) * Vulnerabilites in Java SE affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments and IBM Spectrum Protect for Space Management (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) * Vulnerability in IBM WebSphere Application Server (CVE-2023-23477) shipped with IBM Workload Scheduler 9.4 * Vulnerability in Node.js affects IBM Voice Gateway * IBM Aspera Faspex 5.0.4 can be vulnerable to improperly unauthorized password changes * Multiple Vulnerabilities in IBM Security Guardium Key Lifecycle Manager (CVE-2023-25921, CVE-2023-25926, CVE-2023-25685, CVE-2023-25922, CVE-2023-25925) * Multiple vulnerabilities in IBM SDK Java Technology Edition affect IBM Workload Scheduler. * IBM Jazz for Service Management is vulnerable to commons-fileupload-1.4.jar (Publicly disclosed vulnerability found by Mend) (CVE-2023-24998) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Spring Framework 5.2.23 fixes cve-2023-20861 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-framework-5-2-23-fixes-cve-2023-20… ∗∗∗ Spring Framework 6.0.7 and 5.3.26 fix cve-2023-20860 and cve-2023-20861 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.03.2023
by Daily end-of-shift report 17 Mar '23

17 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-03-2023 18:00 − Freitag 17-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Adobe Acrobat Sign abused to push Redline info-stealing malware ∗∗∗ --------------------------------------------- Cybercriminals are abusing Adobe Acrobat Sign, an online document signing service, to distribute info-stealing malware to unsuspecting users. --------------------------------------------- https://www.bleepingcomputer.com/news/security/adobe-acrobat-sign-abused-to… ∗∗∗ Hitachi Energy confirms data breach after Clop GoAnywhere attacks ∗∗∗ --------------------------------------------- Hitachi Energy confirmed it suffered a data breach after the Clop ransomware gang stole data using a zero-day GoAnyway zero-day vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hitachi-energy-confirms-data… ∗∗∗ How to Google Dork a Specific Website for Hacking ∗∗∗ --------------------------------------------- You might pride yourself on being savvy in cyber security but be prepared for surprises if you test the Google dorks provided. Done right, these Google dorks can identify high-priority vulnerabilities you can investigate further using penetration testing tools. --------------------------------------------- https://www.stationx.net/how-to-google-dork-a-specific-website/ ∗∗∗ Chaos Malware Quietly Evolves Persistence and Evasion Techniques ∗∗∗ --------------------------------------------- The name Chaos is being used for a ransomware strain, a remote access trojan (RAT), and now a DDoS malware variant too. Talk about chaos! In this case, Sysdig’s Threat Research Team captured attacks using the Chaos variant of the Kaiji botnet malware. There is very little reported information on this malware since September 2022, perhaps because of the unfortunately chaotic naming, or simply because it is relatively new. --------------------------------------------- https://sysdig.com/blog/chaos-malware-persistence-evasion-techniques/ ∗∗∗ Free decryptor released for Conti-based ransomware following data leak ∗∗∗ --------------------------------------------- Security researchers have released a new decryption tool that should come to the rescue of some victims of a modified version of the Conti ransomware, helping them to recover their encrypted data for free. --------------------------------------------- https://www.tripwire.com/state-of-security/free-decryptor-released-conti-ba… ∗∗∗ Phishing-Welle: Vorsicht vor Fake Disney+ Mails ∗∗∗ --------------------------------------------- Sie haben ein E-Mail erhalten, in dem Disney+ Sie darauf hinweist, dass eine Zahlung fehlgeschlagen ist? Löschen Sie die Nachricht oder schieben Sie sie in den SPAM-Ordner – es handelt sich um einen Phishing-Versuch! Die E-Mails werden mit dem Betreff „Aussetzung Ihres Disney+ Kontos“ oder „Sperrung Ihres Disney+ Kontos“ massenhaft verschickt! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-welle-vorsicht-vor-fake-dis… ∗∗∗ #StopRansomware: LockBit 3.0 ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-075a ∗∗∗ Windows 10/11: Microsoft veröffentlicht Script für den WinRE BitLocker Bypass-Fix ∗∗∗ --------------------------------------------- Seit November 2022 ist bekannt, dass es eine Bitlocker-Bypass-Schwachstelle CVE-2022-41099 im Windows Recovery Environment (WinRE) gibt. Das Patchen ist aber alles andere als einfach. --------------------------------------------- https://www.borncity.com/blog/2023/03/17/windows-10-11-microsoft-verffentli… ∗∗∗ ShellBot Malware Being Distributed to Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the ShellBot malware being installed on poorly managed Linux SSH servers. ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server. --------------------------------------------- https://asec.ahnlab.com/en/49769/ ∗∗∗ Debugging D-Link: Emulating firmware and hacking hardware ∗∗∗ --------------------------------------------- GreyNoise researchers explain the process of gaining a foothold in firmware or a physical device for vulnerability research and achieving a debuggable interface. --------------------------------------------- https://www.greynoise.io/blog/debugging-d-link-emulating-firmware-and-hacki… ===================== = Vulnerabilities = ===================== ∗∗∗ Exynos: Google findet schwerwiegende Zero Days in Samsung-Chips ∗∗∗ --------------------------------------------- Die betroffenen Geräte lassen sich über das Internet hacken, darunter Smartphones von Samsung, Google und Vivo sowie Wearables und Autos. --------------------------------------------- https://www.golem.de/news/exynos-google-findet-schwerwiegende-zero-days-in-… ∗∗∗ Honeywell OneWireless Wireless Device Manager ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-06 ∗∗∗ Rockwell Automation Modbus TCP AOI Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-07 ∗∗∗ Omron CJ1M PLC ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-01 ∗∗∗ AVEVA Plant SCADA and AVEVA Telemetry Server ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-04 ∗∗∗ Autodesk FBX SDK ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-02 ∗∗∗ [R1] Sensor Proxy Version 1.0.7 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-15 ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957836 ∗∗∗ IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6555376 ∗∗∗ InfoSphere Identity Insight vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963974 ∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Client and IBM Spectrum Protect for Space Management (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956237 ∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964166 ∗∗∗ Vulnerabilities in IBM Db2, IBM Java Runtime, and Golang Go may affect IBM Spectrum Protect Server (CVE-2022-21626, CVE-2022-41717, CVE-2022-43929, CVE-2022-43927, CVE-2022-43930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963640 ∗∗∗ Vulnerability in Java SE may affect IBM Spectrum Protect Operations Center (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963642 ∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Node.js Angular (CVE-2022-25844) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964174 ∗∗∗ IBM Sterling Control Center is vulnerable to denial of service due to Apache commons-fileupload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964176 ∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847947 ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957836 ∗∗∗ AIX is vulnerable to a denial of service due to lpd (CVE-2022-43382) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848309 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.03.2023
by Daily end-of-shift report 16 Mar '23

16 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-03-2023 18:00 − Donnerstag 16-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CVE-2023-23397 - der (interessante) Teufel steckt im Detail ∗∗∗ --------------------------------------------- Im Regelfall veröffentlichen wir zu Sicherheitslücken, die durch den Hersteller im Rahmen eines regulären Patchzyklus behoben werden, keine Warnung. Die Motivation dahinter ist, dass wir unsere Warnungen als Werkzeug betrachten, Informationen über kritische Schwachstellen mit entsprechender Urgenz an die jeweiligen Adressat:innen bringen wollen. Dementsprechend entscheiden wir relativ konservativ, wovor oder worüber wir warnen, um die Wirkung selbiger nicht zu verwässern. Aber, wie so oft, bestätigen Ausnahmen die Regel [...] --------------------------------------------- https://cert.at/de/blog/2023/3/cve-2023-23397-der-teufel-steckt-im-detail ∗∗∗ CISA warns of Adobe ColdFusion bug exploited as a zero-day ∗∗∗ --------------------------------------------- CISA has added a critical vulnerability impacting Adobe ColdFusion versions 2021 and 2018 to its catalog of security bugs exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-adobe-coldfusi… ∗∗∗ Winter Vivern APT hackers use fake antivirus scans to install malware ∗∗∗ --------------------------------------------- An advanced hacking group named Winter Vivern targets European government organizations and telecommunication service providers to conduct espionage. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winter-vivern-apt-hackers-us… ∗∗∗ BianLian Ransomware Pivots From Encryption to Pure Data-Theft Extortion ∗∗∗ --------------------------------------------- The ransomware group has already claimed 116 victim organizations so far on its site, and it continues to mature as a thriving cybercriminal business, researchers said. --------------------------------------------- https://www.darkreading.com/risk/bianlian-ransomware-pivots-encryption-pure… ∗∗∗ Simple Shellcode Dissection, (Thu, Mar 16th) ∗∗∗ --------------------------------------------- Most people will never execute a suspicious program or “executable”. Also, most of them cannot be delivered directly via email. Most antispam and antivirus solutions block them. But, then, how could people be so easily infected? I’ll explain with the help of a file I found in a phishing campaign. --------------------------------------------- https://isc.sans.edu/diary/rss/29642 ∗∗∗ Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency ∗∗∗ --------------------------------------------- Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC). --------------------------------------------- https://thehackernews.com/2023/03/multiple-hacker-groups-exploit-3-year.html ∗∗∗ SSRF Cross Protocol Redirect Bypass ∗∗∗ --------------------------------------------- Server Side Request Forgery (SSRF) is a fairly known vulnerability with established prevention methods. So imagine my surprise when I bypassed an SSRF mitigation during a routine retest. Even worse, I have bypassed a filter that we have recommended ourselves! --------------------------------------------- https://blog.doyensec.com/2023/03/16/ssrf-remediation-bypass.html ∗∗∗ Falsche WhatsApp und Telegram Apps auf der Jagd nach Krypto‑Wallets ∗∗∗ --------------------------------------------- ESET-Forscher analysierten Android- und Windows-Clipper, die Sofortnachrichten manipulieren und OCR verwenden können, um Kryptowährungen zu stehlen. --------------------------------------------- https://www.welivesecurity.com/deutsch/2023/03/16/falsche-whatsapp-und-tele… ∗∗∗ Bee-Ware of Trigona, An Emerging Ransomware Strain ∗∗∗ --------------------------------------------- Trigona ransomware is a relatively new strain that security researchers first discovered in late October 2022. By analyzing Trigona ransomware binaries and ransom notes obtained from VirusTotal, as well as information from Unit 42 incident response, we determined that Trigona was very active during December 2022, with at least 15 potential victims being compromised. Affected organizations are in the manufacturing, finance, construction, agriculture, marketing and high technology industries. --------------------------------------------- https://unit42.paloaltonetworks.com/trigona-ransomware-update/ ∗∗∗ DotRunpeX – demystifying new virtualized .NET injector used in the wild ∗∗∗ --------------------------------------------- ImplMap2x64dbgInvoke-DotRunpeXextractThe post DotRunpeX – demystifying new virtualized .NET injector used in the wild appeared first on Check Point Research. --------------------------------------------- https://research.checkpoint.com/2023/dotrunpex-demystifying-new-virtualized… ===================== = Vulnerabilities = ===================== ∗∗∗ Webkonferenzen: Hochriskante Lücken in Zoom ∗∗∗ --------------------------------------------- In der Online-Konferenzsoftware Zoom haben die Entwickler mehrere Schwachstellen geschlossen. Einige gelten als hochriskant und könnten Codeschmuggel erlauben. --------------------------------------------- https://heise.de/-7547291 ∗∗∗ Kritisches Leck in SSL-VPN-Gateway von Array Networks ∗∗∗ --------------------------------------------- Die SSL-VPN-Gateways von Array Networks haben eine kritische Sicherheitslücke. Angreifer könnten aus dem Netz ohne Authentifizierung Code einschleusen. --------------------------------------------- https://heise.de/-7548009 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and pcre2), Oracle (nss), Red Hat (kpatch-patch and nss), SUSE (java-11-openjdk, kernel, and python310), and Ubuntu (emacs24, ffmpeg, firefox, imagemagick, libphp-phpmailer, librecad, and openjpeg2). --------------------------------------------- https://lwn.net/Articles/926289/ ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-004 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-004 ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-003 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-003 ∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2023-002 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2023-002 ∗∗∗ Responsive media Image Formatter - Critical - Unsupported - SA-CONTRIB-2023-011 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-011 ∗∗∗ Media Responsive Thumbnail - Moderately critical - Information disclosure - SA-CONTRIB-2023-010 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-010 ∗∗∗ Multiple vulnerabilities within OpenSSL and Node.js affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963634 ∗∗∗ EBICs client of IBM Sterling B2B Integrator vulnerable to multiple issues due to Dojo Toolkit ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963652 ∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963650 ∗∗∗ IBM Watson Assistant for Cloud pak for Data is affected by vulnerabilities in Pallets Werkzeug . ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963668 ∗∗∗ IBM Aspera Faspex can be vulnerable to improperly authorized password changes ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963662 ∗∗∗ Security Vulnerabilities in moment, ansi-regex, Node.js, and minimatch may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-31129, CVE-2022-24785, CVE-2021-3807, CVE-2022-29244, CVE-2022-3517) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955067 ∗∗∗ Vulnerability in PyPI cryptography and Python may affect IBM Spectrum Protect Plus File Systems Agent (CVE-2023-23931, CVE-2023-0286, CVE-2023-24329) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957718 ∗∗∗ Vulnerabilities in Linux Kernel may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963936 ∗∗∗ Multiple Vulnerabilities in Intel Firmware affect Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6611963 ∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963940 ∗∗∗ CVE-2022-2879, CVE-2022-41715, CVE-2022-2880, CVE-2022-41717, CVE-2022-41716 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963942 ∗∗∗ Vulnerabilities in Golang Go and Java SE might affect IBM Spectrum Copy Data Management (CVE-2022-41717, CVE-2023-21830, CVE-2023-21835, CVE-2023-21843) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960739 ∗∗∗ Vulnerabilities in Linux Kernel might affect IBM Spectrum Copy Data Management (CVE-2022-2964, CVE-2022-2601, CVE-2020-36557) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960747 ∗∗∗ IBM Sterling B2B Integrator vulnerable to sensitive information exposure due to IBM MQ (CVE-2022-42436) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963954 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to WebSphere Liberty Server ( CVE-2022-3509, CVE-2022-3171) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963956 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963962 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963958 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to sensitive data exposure due to Apache CXF (CVE-2022-46363) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963960 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.03.2023
by Daily end-of-shift report 15 Mar '23

15 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-03-2023 18:00 − Mittwoch 15-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IPFS phishing and the need for correctly set HTTP security headers, (Wed, Mar 15th) ∗∗∗ --------------------------------------------- In the last couple of weeks, Ive noticed a small spike in the number of phishing messages that carried links to fake HTML login pages hosted on the InterPlanetary File System (IPFS)- an interesting web-based decentralized/peer-to-peer data storage system. Unfortunately, pretty much any type of internet-connected data storage solution is used to host malicious content by threat actors these days, and the IPFS is no exception. --------------------------------------------- https://isc.sans.edu/diary/rss/29638 ∗∗∗ How to Find & Fix: WordPress Pharma Hack ∗∗∗ --------------------------------------------- Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don’t blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack. Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site’s good reputation to lure traffic to a scam. --------------------------------------------- https://blog.sucuri.net/2023/03/find-fix-wordpress-pharma-hack.html ∗∗∗ New Cryptojacking Operation Targeting Kubernetes Clusters for Dero Mining ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered the first-ever illicit cryptocurrency mining campaign used to mint Dero since the start of February 2023. "The novel Dero cryptojacking operation concentrates on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet," CrowdStrike said in a new report [...] --------------------------------------------- https://thehackernews.com/2023/03/new-cryptojacking-operation-targeting.html ∗∗∗ Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability ∗∗∗ --------------------------------------------- At MDSec, we’re continually looking to weaponise both private and public vulnerabilities to assist us during our red team operations. Having recently given a talk on leveraging NTLM relaying during red team engagements at FiestaCon, this vulnerability particularly stood out to me and warranted further analysis. --------------------------------------------- https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook… ∗∗∗ Apple räumt ein: iOS-Dienste können VPN-Tunnel umgehen ∗∗∗ --------------------------------------------- iOS schleust bestimmten Datenverkehr an einer aktiven VPN-Verbindung vorbei, warnen Sicherheitsforscher seit Längerem. Das ist laut Apple so gewollt. --------------------------------------------- https://heise.de/-7545702 ∗∗∗ Patchday: Microsoft dichtet aktiv angegriffene Sicherheitslücken ab ∗∗∗ --------------------------------------------- Neben zwei aktiv missbrauchten Sicherheitslücken liefert Microsoft zum März-Patchday Aktualisierungen für zahlreiche Produkte. Sie schließen zig Schwachstellen. --------------------------------------------- https://heise.de/-7545903 ∗∗∗ Gefälschtes SMS von DHL stiehlt Ihre Kreditkartendaten ∗∗∗ --------------------------------------------- In der betrügerischen DHL-Nachricht steht, dass Ihr Paket Lieferprobleme hat. Das Problem kann gelöst werden, indem Sie auf den Link klicken. Klicken Sie nicht auf den Link. Sie werden auf eine nachgebaute DHL-Website gelockt, wo persönliche Infos und Kreditkartendaten abgefragt werden. In weiterer Folge wird Ihre Kreditkarte auf einem fremden Gerät für Apple Pay aktiviert. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-sms-von-dhl-stiehlt-ihr… ∗∗∗ Uncovering Windows Events ∗∗∗ --------------------------------------------- Not all manifest-based Event Tracing for Windows (ETW) providers that are exposed through Windows are ingested into telemetry sensors/EDR’s. One provider commonly that is leveraged by vendors is the Threat-Intelligence ETW provider. Due to how often it is used, I wanted to map out how its events are being written within TelemetrySource. This post will focus on the process I followed to understand the events the Threat-Intelligence ETW provider logs and how to uncover the underlying mechanisms. One can use a similar process when trying to reverse other manifest-based ETW providers. This post isn’t a deep dive into how ETW works, [...] --------------------------------------------- https://posts.specterops.io/uncovering-windows-events-b4b9db7eac54?source=r… ∗∗∗ Released: March 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released Security Updates (SUs) for vulnerabilities found in: Exchange Server 2013 Exchange Server 2016 Exchange Server 2019 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-20… ∗∗∗ How does malware spread? Top 5 ways malware gets into your network ∗∗∗ --------------------------------------------- Threat actors use a variety of channels to distribute malware. Discover the most common attack vectors and how to protect your organization from malware. --------------------------------------------- https://www.emsisoft.com/en/blog/43733/how-does-malware-spread-top-5-ways-m… ∗∗∗ A look at CVE-2023–23415 — a Windows ICMP vulnerability + mitigations which is not a cyber meltdown ∗∗∗ --------------------------------------------- Yesterday Microsoft dropped a patch for a vulnerability found by @hexnomad@infosec.exchange. It’s a great vuln, in theory allowing code execution over ICMP. It also sounds really scary, as it’s a high CVSS score in Windows OS on a commonly used protocol. --------------------------------------------- https://doublepulsar.com/a-look-at-cve-2023-23415-a-windows-icmp-vulnerabil… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Adobe schließt Zero-Day-Lücke und mehr als 100 Schwachstellen ∗∗∗ --------------------------------------------- Adobe dichtet am März-Patchday 106 Sicherheitslecks ab. Eine davon in Adobe ColdFusion missbrauchen Cyberkriminelle bereits in Angriffen. --------------------------------------------- https://heise.de/-7546150 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (node-sqlite3 and qemu), Fedora (libmemcached-awesome, manifest-tool, sudo, and vim), Red Hat (gnutls, kernel, kernel-rt, lua, and openssl), Slackware (mozilla), SUSE (amanda, firefox, go1.19, go1.20, jakarta-commons-fileupload, java-1_8_0-openjdk, nodejs18, peazip, perl-Net-Server, python, python-cryptography, python-Django, python3, rubygem-rack, and xorg-x11-server), and Ubuntu (ipython, linux-ibm, linux-ibm-5.4, and linux-kvm). --------------------------------------------- https://lwn.net/Articles/926205/ ∗∗∗ SAP-Patchday enthält Updates für kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Der aktuelle Patchday von SAP beinhaltet mehrere Schwachstellen mit einem CVSS-Score >9.0. Insbesondere eine kritische Sicherheitslücke in SAP NetWeaver AS for Java (CVE-2023-23857) ist trivial ausnutzbar; sie erlaubt Angreifer:innen aufgrund unzureichender Authentifizierungsprüfungen weitreichenden Systemzugriff ohne jegliche Form von Authentifizierung. Weitere Schwachstellen (unter anderem CVE-2023-25616, CVE-2023-25617) ermöglichen entfernte Codeausführung. --------------------------------------------- https://cert.at/de/aktuelles/2023/3/sap-patchday-enthalt-updates-fur-kritis… ∗∗∗ ZDI-23-245: TP-Link Archer AX21 tdpServer Logging Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-245/ ∗∗∗ ZDI-23-244: TP-Link Archer AX21 tmpServer Command 0x422 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-244/ ∗∗∗ ThinkPad BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500554-THINKPAD-BIOS-VULNERABI… ∗∗∗ AIX is affected by a denial of service (CVE-2022-45061) due to Python ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963342 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager software component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963372 ∗∗∗ Multiple Vulnerabilities (CVE-2022-45693, CVE-2022-4568) affects CICS Transaction Gateway for Multiplatforms. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963612 ∗∗∗ Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963632 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.03.2023
by Daily end-of-shift report 14 Mar '23

14 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 13-03-2023 18:00 − Dienstag 14-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Cybercriminals exploit SVB collapse to steal money and data ∗∗∗ --------------------------------------------- The collapse of the Silicon Valley Bank (SVB) on March 10, 2023, has sent ripples of turbulence throughout the global financial system, but for hackers, scammers, and phishing campaigns, its becoming an excellent opportunity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-svb-c… ∗∗∗ HUNT_RTF_CVE_2023_21716.yar ∗∗∗ --------------------------------------------- Detects RTF documents with an inflated fonttable. Hunting for CVE-2023-21716 --------------------------------------------- https://github.com/SIFalcon/Detection/blob/main/Yara/Hunting/HUNT_RTF_CVE_2… ∗∗∗ Kali Purple: Die Linux-Distribution für Sicherheitsforscher wird defensiver ∗∗∗ --------------------------------------------- Kali Linux feiert Geburtstag und ist in der neuen Version 2023.1 erschienen. Das neue Kali Purple ist auf defensive Sicherheitstests spezialisiert. --------------------------------------------- https://heise.de/-7544725 ∗∗∗ Fortinet Finds Zero-Day Exploit in Government Attacks After Devices Detect Integrity Breach ∗∗∗ --------------------------------------------- Fortinet says recently patched FortiOS vulnerability was exploited in sophisticated attacks targeting government entities. --------------------------------------------- https://www.securityweek.com/fortinet-finds-zero-day-exploit-in-government-… ∗∗∗ Kaufen Sie keine Amazon-Paletten oder Mystery-Boxen ∗∗∗ --------------------------------------------- Auf Facebook und Instagram bewirbt der gefälschte Amazon-Shop „datinted.com“ „Amazon-Paletten“. Die Paletten, sogenannte Mystery-Boxen, beinhalten angeblich unterschiedliche Produkte wie Kopfhörer, Drohnen und Spielkonsolen – und das für weniger als 50 Euro. Wer bestellt, bekommt aber keine Ware und verliert sein Geld! --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-amazon-paletten-ode… ∗∗∗ Verbesserte Office-Makrosicherheit führt zu neuen Angriffsmethoden über OneNote & Co. ∗∗∗ --------------------------------------------- Seit Microsoft und Administratoren von Windows-Systemen mehr in die Makrosicherheit investieren, werden Angriffe über diesen Vektor schwieriger. Cyberkriminelle suchen nach neuen Wegen, um Malware an die Nutzer zu bringen. OneNote nimmt da eine prominente Position als Einfallstor ein – aber auch andere Dateien und die Mark of the Web-Schwachstelle in Windows werden neuerdings vermehr für Angriffe genutzt. --------------------------------------------- https://www.borncity.com/blog/2023/03/14/verbesserte-office-makrosicherheit… ∗∗∗ Talos uncovers espionage campaigns targeting CIS countries, embassies and EU health care agency ∗∗∗ --------------------------------------------- Cisco Talos has identified a new espionage oriented threat actor, which we are naming “YoroTrooper,” targeting a multitude of entities in Europe and Turkey. --------------------------------------------- https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turke… ∗∗∗ ZTNA vs VPN: Secure Remote Work and Access ∗∗∗ --------------------------------------------- Explore the drivers behind switching from VPN to Zero Trust Network Access (ZTNA) for any device access from anywhere. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/h/ztna-vs-vpn-secure-remote-work.h… ===================== = Vulnerabilities = ===================== ∗∗∗ Siemens Security Advisories 2023-03-14 ∗∗∗ --------------------------------------------- * SSA-847261 V1.1 (Last Update: 2023-03-14): Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation * https://cert-portal.siemens.com/productcert/html/ssa-847261.html * SSA-840800 V1.2 (Last Update: 2023-03-14): Code Injection Vulnerability in RUGGEDCOM ROS * https://cert-portal.siemens.com/productcert/html/ssa-840800.html * SSA-787941 V1.1 (Last Update: 2023-03-14): Denial of Service Vulnerability in RUGGEDCOM ROS V4 * https://cert-portal.siemens.com/productcert/html/ssa-787941.html * SSA-772220 V2.2 (Last Update: 2023-03-14): OpenSSL Vulnerabilities in Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-772220.html * SSA-764417 V1.7 (Last Update: 2023-03-14): Weak Encryption Vulnerability in RUGGEDCOM ROS Devices * https://cert-portal.siemens.com/productcert/html/ssa-764417.html * SSA-726834 V1.0: Denial of Service Vulnerability in the RADIUS Client of SIPROTEC 5 Devices * https://cert-portal.siemens.com/productcert/html/ssa-726834.html * SSA-712929 V1.8 (Last Update: 2023-03-14): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-712929.html * SSA-700053 V1.1 (Last Update: 2023-03-14): Multiple File Parsing Vulnerabilities in Teamcenter Visualization and JT2Go * https://cert-portal.siemens.com/productcert/html/ssa-700053.html * SSA-697140 V1.2 (Last Update: 2023-03-14): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products * https://cert-portal.siemens.com/productcert/html/ssa-697140.html * SSA-565386 V1.0: Third-Party Component Vulnerabilities in SCALANCE W-700 IEEE 802.11ax devices before V2.0 * https://cert-portal.siemens.com/productcert/html/ssa-565386.html * SSA-552702 V1.4 (Last Update: 2023-03-14): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products * https://cert-portal.siemens.com/productcert/html/ssa-552702.html * SSA-539476 V1.4 (Last Update: 2023-03-14): Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan * https://cert-portal.siemens.com/productcert/html/ssa-539476.html * SSA-517377 V1.2 (Last Update: 2023-03-14): Multiple Vulnerabilities in the SRCS VPN Feature in SIMATIC CP Devices * https://cert-portal.siemens.com/productcert/html/ssa-517377.html * SSA-491245 V1.1 (Last Update: 2023-03-14): Multiple File Parsing Vulnerabilities in Solid Edge * https://cert-portal.siemens.com/productcert/html/ssa-491245.html * SSA-482757 V1.2 (Last Update: 2023-03-14): Missing Immutable Root of Trust in S7-1500 CPU devices * https://cert-portal.siemens.com/productcert/html/ssa-482757.html * SSA-476715 V1.1 (Last Update: 2023-03-14): Two Vulnerabilities in Automation License Manager * https://cert-portal.siemens.com/productcert/html/ssa-476715.html * SSB-439005 V5.1 (Last Update: 2023-03-14): Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP * https://cert-portal.siemens.com/productcert/html/ssb-439005.html * SSA-419740 V1.0: Multiple Third-Party Component Vulnerabilities in RUGGEDCOM and SCALANCE Products before V7.2 * https://cert-portal.siemens.com/productcert/html/ssa-419740.html * SSA-413565 V1.1 (Last Update: 2023-03-14): Multiple Vulnerabilities in SCALANCE Products * https://cert-portal.siemens.com/productcert/html/ssa-413565.html * SSA-324955 V2.0 (Last Update: 2023-03-14): SAD DNS Attack in Linux Based Products * https://cert-portal.siemens.com/productcert/html/ssa-324955.html * SSA-321292 V1.4 (Last Update: 2023-03-14): Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-321292.html * SSA-320629 V1.0: Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.3 * https://cert-portal.siemens.com/productcert/html/ssa-320629.html * SSA-260625 V1.0: Security Vulnerabilities Fixed in RUGGEDCOM CROSSBOW V5.2 * https://cert-portal.siemens.com/productcert/html/ssa-260625.html * SSA-256353 V1.3 (Last Update: 2023-03-14): Third-Party Component Vulnerabilities in RUGGEDCOM ROS * https://cert-portal.siemens.com/productcert/html/ssa-256353.html * SSA-250085 V1.2 (Last Update: 2023-03-14): Multiple Vulnerabilities in SINEC NMS and SINEMA Server * https://cert-portal.siemens.com/productcert/html/ssa-250085.html * SSA-244969 V1.9 (Last Update: 2023-03-14): OpenSSL Vulnerability in Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-244969.html * SSA-223771 V1.2 (Last Update: 2023-03-14): SISCO Stack Vulnerability in SIPROTEC 5 Devices * https://cert-portal.siemens.com/productcert/html/ssa-223771.html * SSA-203374 V1.0: Multiple OpenSSL Vulnerabilities in SCALANCE W1750D Devices * https://cert-portal.siemens.com/productcert/html/ssa-203374.html * SSA-941426 V1.4 (Last Update: 2023-03-14): Multiple LLDP Vulnerabilities in Industrial Products * https://cert-portal.siemens.com/productcert/html/ssa-941426.html * SSA-851884 V1.0: Authentication Bypass Vulnerability in Mendix SAML Module * https://cert-portal.siemens.com/productcert/html/ssa-851884.html --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2023-03#Sec… ∗∗∗ Dolibarr : unauthenticated contacts database theft ∗∗∗ --------------------------------------------- Our pentester discovered a critical vulnerability exploitable by an unauthenticated attacker. It provides access to a competitor’s entire customer file, prospects, suppliers, and potentially employee information if a contact file exists. Both public and private notes can also be retrieved. Very easy to exploit, it affects Dolibarr 16.x versions. --------------------------------------------- https://www.dsecbypass.com/en/dolibarr-pre-auth-contact-database-dump/ ∗∗∗ PaperCut MF/NG vulnerability bulletin (March 2023) ∗∗∗ --------------------------------------------- We have received two vulnerability reports from a 3rd party cyber security company (Trend Micro), for high/critical severity security issues in PaperCut MF/NG. We do not have any evidence of these vulnerabilities being used against customers at this point. --------------------------------------------- https://www.papercut.com/kb/Main/PO-1216-and-PO-1219 ∗∗∗ Schneider Elecronic Security Advisories 2023-03-14 ∗∗∗ --------------------------------------------- 3 new, 15 updated --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ Patchday: SAP schließt 19 teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Zum März-Patchday hat SAP Sicherheitsnotizen zu 19 Sicherheitslücken veröffentlicht. Davon stuft der Hersteller fünf als kritisch ein. Updates stehen bereit. --------------------------------------------- https://heise.de/-7544782 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (redis), Fedora (cairo, freetype, harfbuzz, and qt6-qtwebengine), Red Hat (kpatch-patch), SUSE (chromium, java-1_8_0-openj9, and nodejs18), and Ubuntu (chromium-browser, libxstream-java, php-twig, twig, protobuf, and python-werkzeug). --------------------------------------------- https://lwn.net/Articles/926083/ ∗∗∗ Android App "Wolt Delivery: Food and more" uses a hard-coded API key for an external service ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN64453490/ ∗∗∗ TXONE SECURITY BULLETIN: TXOne StellarOne Improper Access Control Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://success.trendmicro.com/dcx/s/solution/000292486?language=en_US ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in ENERGY AXC PU ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-003/ ∗∗∗ Lenovo System Update Elevation of Privileges Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500553-LENOVO-SYSTEM-UPDATE-EL… ∗∗∗ Lenovo XClarity Controller (XCC) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500552-LENOVO-XCLARITY-CONTROL… ∗∗∗ A security vulnerability has been identified in IBM HTTP Server, which is a required product for IBM Tivoli Network Manager IP Edition (CVE-2023-26281) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963268 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963278 ∗∗∗ Multiple vulnerabilities in Curl affect PowerSC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963308 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily