- Daily - CERT.at

Tageszusammenfassung - 13.03.2023
by Daily end-of-shift report 13 Mar '23

13 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-03-2023 18:00 − Montag 13-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Clop-Ransomware: Opfer der GoAnywhere-Attacken müssen jetzt zahlen ∗∗∗ --------------------------------------------- Aufgrund einer Sicherheitslücke in der Dateiübertragungslösung GoAnywhere MFT konnten Angreifer zuschlagen und erpressen nun Firmen. --------------------------------------------- https://heise.de/-7543629 ∗∗∗ Banking-Trojaner: 400 Einrichtungen im Visier von Android-Malware ∗∗∗ --------------------------------------------- IT-Forscher beobachten die Weiterentwicklung des Banking-Trojaners Xenomorph für Android. Inzwischen versteht er sich auf 400 Finanzinstitutionen. --------------------------------------------- https://heise.de/-7543682 ∗∗∗ Das Finanzamt versendet keine Pfändungsandrohung per SMS! ∗∗∗ --------------------------------------------- Aktuell werden erneut massenhaft Betrugs-SMS im Namen des Finanzamts versendet. Angeblich hätten Sie trotz mehrerer Mahnungen eine offene Forderung gegen Sie nicht bezahlt. Daher würde nun ein Gerichtsvollzieher Ihren Hausrat pfänden. Achtung: Bezahlen Sie die Forderung nicht! Die Nachricht stammt nicht vom Finanzamt und Ihr Geld landet bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/das-finanzamt-versendet-keine-pfaend… ∗∗∗ Security researchers targeted with new malware via job offers on LinkedIn ∗∗∗ --------------------------------------------- A suspected North Korean hacking group is targeting security researchers and media organizations in the U.S. and Europe with fake job offers that lead to the deployment of three new, custom malware families. --------------------------------------------- https://www.bleepingcomputer.com/news/security/security-researchers-targete… ∗∗∗ Medusa ransomware gang picks up steam as it targets companies worldwide ∗∗∗ --------------------------------------------- A ransomware operation known as Medusa has begun to pick up steam in 2023, targeting corporate victims worldwide with million-dollar ransom demands. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks… ∗∗∗ DEV-1101 enables high-volume AiTM campaigns with open-source phishing kit ∗∗∗ --------------------------------------------- DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, including an open-source kit capable of circumventing MFA through reverse-proxy functionality. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/03/13/dev-1101-enables-h… ∗∗∗ Overview of a Mirai Payload Generator, (Sat, Mar 11th) ∗∗∗ --------------------------------------------- The Mirai[1] botnet is active for years. It was the first botnet targeting devices running Linux like camera recorders. Our first diary about it was in 2016![2]. Still today, my honeypot is hit by hundreds of Mirai requests every day! I found a Python script that generates a Mirai payload (SHA256:f56391e9645df1058847e28af6918c64ddc344d9f328b3dde9015213d5efdc7e[3]) and deploys networking services to serve it via FTP, HTTP, and TFTP. Nothing very fancy but it will give you a good idea about how Linux hosts are abused to deliver malicious payloads. --------------------------------------------- https://isc.sans.edu/diary/rss/29624 ∗∗∗ BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads ∗∗∗ --------------------------------------------- The malware downloader known as BATLOADER has been observed abusing Google Ads to deliver secondary payloads like Vidar Stealer and Ursnif. According to cybersecurity company eSentire, the malicious ads are used to spoof a wide range of legitimate apps and services such as Adobe, OpenAPIs ChatGPT, Spotify, Tableau, and Zoom. --------------------------------------------- https://thehackernews.com/2023/03/batloader-malware-uses-google-ads-to.html ∗∗∗ "FakeGPT": New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs ∗∗∗ --------------------------------------------- A Chrome Extension propelling quick access to fake ChatGPT functionality was found to be hijacking Facebook accounts and installing hidden account backdoors. Particularly noticeable is the use of a malevolent silently forced Facebook app “backdoor” giving the threat actors super-admin permissions. --------------------------------------------- https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-… ∗∗∗ Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware ∗∗∗ --------------------------------------------- Since November 2022 there has been a 200-300% month-on-month increase in Youtube videos containing links to stealer malware such as Vidar, RedLine, and Raccoon in their descriptions. The videos lure users by pretending to be tutorials on how to download cracked versions of software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and other products that are licensed products available only to paid users. --------------------------------------------- https://cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-t… ∗∗∗ Persistence - Context Menu ∗∗∗ --------------------------------------------- Context menu provides shortcuts to the user in order to perform a number of actions. The context menu is invoked with a right mouse click and it is a very common action for every Windows user. In offensive operations this action could be weaponized for persistence by executing shellcode every time the user attempts to use the context menu. --------------------------------------------- https://pentestlab.blog/2023/03/13/persistence-context-menu/ ∗∗∗ CISA Warns of Plex Vulnerability Linked to LastPass Hack ∗∗∗ --------------------------------------------- CISA has added vulnerabilities in Plex Media Server and VMware NSX-V to its Known Exploited Vulnerabilities catalog. --------------------------------------------- https://www.securityweek.com/cisa-warns-of-plex-vulnerability-linked-to-las… ===================== = Vulnerabilities = ===================== ∗∗∗ Clipchamp ( Microsoft Office Product) - Google IAP Authorization bypass allowed access to Internal Environment Leading to Zero Interaction Account takeover ∗∗∗ --------------------------------------------- [...] After further research it was discovered that the authorization checks are only at the front end https://app.*.clipchamp.com/ and not while invoking the /v2/ API endpoints with the expected parameters. Enumerating all the internal endpoints it was found that the https://app.smoke.clipchamp.com/v2 was leaking the JWT Authentication Bearer Token for any attacker-provided user on the platform leading to Zero Interaction Account takeover for any ClipChamp user on the Smoke Env. --------------------------------------------- https://blog.agilehunt.com/blogs/security/msrc-critical-google-iap-authoriz… ∗∗∗ Kritische Sicherheitslücken: Lexmark aktualisiert Firmware für viele Drucker ∗∗∗ --------------------------------------------- Diverse Drucker von Lexmark haben kritische Sicherheitslücken, die Angreifern das Ausführen von Schadcode ermöglichen. Updates stehen schon bereit. --------------------------------------------- https://heise.de/-7543959 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick, libapache2-mod-auth-mellon, mpv, rails, and ruby-sidekiq), Fedora (chromium, dcmtk, and strongswan), Mageia (chromium-browser-stable, dcmtk, kernel, kernel-linus, libreswan, microcode, redis, and tmux), SUSE (postgresql14 and python39), and Ubuntu (linux-kvm, linux-raspi-5.4, and thunderbird). --------------------------------------------- https://lwn.net/Articles/925987/ ∗∗∗ Shodan Verified Vulns 2023-03-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-03-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...] Die Schwachstellen CVE-2021-43798 (Grafana Path Traversal Vulnerability) und CVE-2022-32548 (DrayTek Authentication Bypass Vulnerability) sind nun wieder in den Daten von Shodan enthalten. Im Vormonat fehlten diese Daten. Verglichen mit den Daten von Jänner 2023 sind keine auffälligen Änderungen zu erkennen. Ähnlich verhält sich die Schwachstelle CVE-2022-36804 [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/3/shodan-verified-vulns-2023-03-01 ∗∗∗ IBM Security Bulletins 2023-03-13 ∗∗∗ --------------------------------------------- * A vulnerability (CVE-2022-21299) in IBM Java Runtime affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition * A vulnerability has been identified in IBM Spectrum Scale which could allow unauthorized access to user data or injection of arbitrary data in the communication protocol (CVE-2020-4927) * EBICS Client of IBM Sterling B2B Interator vulnerable to multiple issues due to jQuery * IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) * IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758) * IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509) * IBM Security Guardium is affected by multiple vulnerabilities * IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690, CVE-2014-8152) * IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Security (CVE-2022-31692, CVE-2022-22978) * June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition * Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. * Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition * Multiple Vulnerabilities in Java affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-21628, CVE-2022-21626) * Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023 * SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * The dashboard UI of IBM Sterling B2B Integrator is vulnerable to information disclosure (CVE-2023-22876) * There is a vulnerability in Apache Commons BCEL used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-42920) * Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1) * Vulnerabilities with MariaDB affect IBM Cloud Object Storage Systems (Nov 2022v1) * Vulnerability in WebSphere Liberty affecting Watson Knowledge Catalog for IBM Cloud Pak for Data (CVE-2022-3509, CVE-2022-3171) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ [R1] Tenable Plugin Feed ID #202212081952 Fixes Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-14 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2023
by Daily end-of-shift report 10 Mar '23

10 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-03-2023 18:00 − Freitag 10-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Security: Github führt verpflichtende 2FA ein ∗∗∗ --------------------------------------------- Wer von Github ausgewählt wurde, muss die Zwei-Faktor-Authentifizierung (2FA) innerhalb von 45 Tagen einrichten. --------------------------------------------- https://www.golem.de/news/security-github-fuehrt-verpflichtende-2fa-ein-230… ∗∗∗ Schwachstellen in Bitwarden Password-Manager-Browserweiterung können Passwörter verraten ∗∗∗ --------------------------------------------- Nutzer des Passwort-Managers Bitwarden laufen in das Risiko, dass die Auto-Fill-Funktion beim Besuch von Webseiten Anmeldeinformationen leckt. Bösartige Webseiten könnten über ein in vertrauenswürdigen Seiten eingebettetes IFRAME Anmeldeinformation stehlen und an einen Angreifer senden. --------------------------------------------- https://www.borncity.com/blog/2023/03/10/schwachstellen-in-bitwarden-passwo… ∗∗∗ New ScrubCrypt Crypter Used in Cryptojacking Attacks Targeting Oracle WebLogic ∗∗∗ --------------------------------------------- The infamous cryptocurrency miner group called 8220 Gang has been observed using a new crypter called ScrubCrypt to carry out cryptojacking operations. According to Fortinet FortiGuard Labs, the attack chain commences with the successful exploitation of susceptible Oracle WebLogic servers to download a PowerShell script that contains ScrubCrypt. --------------------------------------------- https://thehackernews.com/2023/03/new-scrubcrypt-crypter-used-in.html ∗∗∗ EJS - Server Side Prototype Pollution gadgets to RCE ∗∗∗ --------------------------------------------- Last month (February 2023), I took a look into NodeJS HTML templating libraries. During my research, I found an interesting Server Side Prototype Pollution (SSPP) gadget in the EJS library which can be leveraged to RCE. After finding this issue, I spent a week searching for an SSPP in express core or dependencies, but I didnt find any issue. Thats why, after reporting this issue to the repository maintainer, Im making an article to explain technical details. --------------------------------------------- https://mizu.re/post/ejs-server-side-prototype-pollution-gadgets-to-rce ∗∗∗ How to Avoid LDAP Injection Attacks ∗∗∗ --------------------------------------------- The key vulnerability that puts an application at risk of LDAP injection is improperly processed user input. Applications that don’t sanitize or validate user input are open to LDAP injection attacks because of the structure of LDAP statements and queries. --------------------------------------------- https://www.trendmicro.com/en_us/devops/23/c/avoid-ldap-injection-attacks.h… ∗∗∗ The Silent Spy Among Us: Modern Attacks Against Smart Intercoms ∗∗∗ --------------------------------------------- What started out as a journey to learn more about a new smart intercom inside the Claroty offices turned into an expansive Team82 research project that uncovered 13 vulnerabilities in the popular Akuvox E11. The vulnerabilities could allow attackers to execute code remotely in order to activate and control the device’s camera and microphone, steal video and images, or gain a network foothold. --------------------------------------------- https://claroty.com/team82/research/the-silent-spy-among-us-modern-attacks-… ∗∗∗ Multi-Technology Script Leading to Browser Hijacking ∗∗∗ --------------------------------------------- [..] in the real world, malware samples use multiple technologies to perform malicious actions. I spotted a VBScript file (I don’t know where it’s coming from, probably a phishing campaign). The script has been flagged by only one(!) AV product on VT --------------------------------------------- https://isc.sans.edu/diary/rss/29620 ∗∗∗ The oldest privesc: injecting careless administrators terminals using TTY pushback ∗∗∗ --------------------------------------------- This trick is possibly the oldest security bug that still exists today, it’s been traced as far back as 1985. It’s been discovered and rediscovered and re-rediscovered by sysadmins, developpers and pentesters every few years for close to 4 decades now. It’s been subject to multiple developper battles, countless posts, but still remains largely forgotten. This is just another attempt at shedding light on it, for both attackers and defenders. --------------------------------------------- https://www.errno.fr/TTYPushback.html ∗∗∗ When Partial Protection is Zero Protection: The MFA Blind Spots No One Talks About ∗∗∗ --------------------------------------------- Multi-factor Authentication (MFA) has long ago become a standard security practice. [..] While compatible with RDP connection and local desktop logins, they offer no protection to remote command line access tools like PsExec, Remote PowerShell and their likes. [..] In this article well explore this blind spot, understand its root cause and implications, and view the different options security teams can overcome it to maintain their environments protected. --------------------------------------------- https://thehackernews.com/2023/03/when-partial-protection-is-zero.html ∗∗∗ Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation) ∗∗∗ --------------------------------------------- The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation (described in this blog post), or to translate to arbitrary code execution from argument injection, file overwrites, etc. --------------------------------------------- https://seanpesce.blogspot.com/2023/03/leveraging-ssh-keygen-for-arbitrary.… ∗∗∗ Unauthorized access to Codespace secrets in GitHub ∗∗∗ --------------------------------------------- We identified a security issue in GitHub’s Repository Security Advisory feature (https://docs.github.com/en/code-security/security-advisories/repository-sec…) that allowed us to retrieve plaintext Codespace secrets of any organization including GitHub. --------------------------------------------- https://ophionsecurity.com/blog/access-organization-secrets-in-github ∗∗∗ Pirated copies of Final Cut Pro infect Macs with cryptojacking malware ∗∗∗ --------------------------------------------- Torrents on The Pirate Bay which claim to contain Final Cut Pro are instead being used to distribute malware, designed to infect your Mac with cryptojacking malware. --------------------------------------------- https://grahamcluley.com/pirated-copies-of-final-cut-pro-infect-macs-with-c… ∗∗∗ GoBruteforcer: Golang-Based Botnet Actively Harvests Web Servers ∗∗∗ --------------------------------------------- New Golang-based malware we have dubbed GoBruteforcer targets web servers. Golang is becoming popular with malware programmers due to its versatility. --------------------------------------------- https://unit42.paloaltonetworks.com/gobruteforcer-golang-botnet/ ∗∗∗ Netcat Attack Cases Targeting MS-SQL Servers (LOLBins) ∗∗∗ --------------------------------------------- ASEC (AhnLab Security Emergency response Center) has recently discovered the distribution of the Netcat malware targeting poorly managed MS-SQL servers. Netcat is a utility that allows users to send and receive data from specific destinations on a network connected by the TCP/UDP protocol. Due to its various features and ability to be used on both Linux and Windows, it is utilized by network managers and threat actors alike. --------------------------------------------- https://asec.ahnlab.com/en/49249/ ∗∗∗ Everything You Didn’t Know About Cross-Account and Cross-Cloud Provider Attacks ∗∗∗ --------------------------------------------- Wait, did you say ‘Cross-Cloud Provider Attacks’? Yes, this is actually a growing type of attack path: As organizations increasingly adopt multiple cloud platforms, their lack of security visibility across the clouds makes them a sitting target for these types of attacks. --------------------------------------------- https://orca.security/resources/blog/cross-account-cross-provider-attack-pa… ∗∗∗ Suspected Chinese Campaign to Persist on SonicWall Devices, Highlights Importance of Monitoring Edge Devices ∗∗∗ --------------------------------------------- Mandiant, working in partnership with SonicWall Product Security and Incident Response Team (PSIRT), has identified a suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades. --------------------------------------------- https://www.mandiant.com/resources/blog/suspected-chinese-persist-sonicwall ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium and wireless-regdb), Fedora (caddy, python-cryptography, and redis), Oracle (gnutls), SUSE (hdf5, opera, python-Django, redis, tomcat, and xen), and Ubuntu (apache2 and snakeyaml). --------------------------------------------- https://lwn.net/Articles/925840/ ∗∗∗ IBM Security Bulletins 2023-03-10 ∗∗∗ --------------------------------------------- * Apache Commons Beanutils (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2019-10086, CVE-2014-0114) * Apache Commons FileUpload (Publicly disclosed vulnerability) affects IBM eDiscovery Manager (CVE-2023-24998) * Apache Commons IO (Publicly disclosed vulnerability) Affects IBM eDiscovery Manager (CVE-2021-29425) * IBM MQ is affected by a vulnerability in Apache Commons Net (CVE-2021-37533) * IBM QRadar WinCollect agent has multiple vulnerabilities * IBM QRadar Wincollect agent is vulnerable to server side request forgery (SSRF) (CVE-2022-43879) * IBM SDK, Java Technology Edition, Security Update February 2023 * multiple vulnerabilities in Java SE may affect CICS TX Advanced * multiple vulnerabilities in Java SE may affect CICS TX Standard * multiple vulnerabilities in Java SE may affect TXSeries for Multiplatforms * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Advanced * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect CICS TX Standard * server-side request forgery vulnerability in Apache CXF (CVE-2022-46364) may affect TXSeries for Multiplatforms * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Advanced * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect CICS TX Standard * vulnerability in Apache James MIME4J (CVE-2022-45787) may affect TXSeries for Multiplatforms * Watson CP4D Data Stores is vulnerable to jackson-databind due to FasterXML jackson-databind before 2.14.0-rc1 ( CVE-2022-42003 ) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ [R1] Nessus Agent Version 10.3.2 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-12 ∗∗∗ [R1] Nessus Agent Version 8.3.5 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-13 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2023
by Daily end-of-shift report 09 Mar '23

09 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-03-2023 18:00 − Donnerstag 09-03-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft Word RCE-Lücke könnte auch Microsoft Outlook betreffen ∗∗∗ --------------------------------------------- Laut einem Bericht bei borncity könnte die mit dem Februar-Patchday gefixte Remote Code Execution - Lücke in Microsoft Word auch Microsoft Outlook (zumindest 2013) betreffen - auch wenn die Februar-Patches eingespielt wurden. Noch sind nicht alle Details dazu klar, wir raten Outlook-Nutzer:innen momentan aber trotzdem dringend dazu die Empfehlungen von Microsoft dazu umzusetzen, und Outlook so zu konfigurieren, dass Mails als reiner Text dargestellt werden. --------------------------------------------- https://cert.at/de/aktuelles/2023/3/microsoft-word-rce-lucke-konnte-auch-mi… ∗∗∗ IceFire Ransomware Exploits IBM Aspera Faspex to Attack Linux-Powered Enterprise Networks ∗∗∗ --------------------------------------------- A previously known Windows-based ransomware strain known as IceFire has expanded its focus to target Linux enterprise networks belonging to several media and entertainment sector organizations across the world. --------------------------------------------- https://thehackernews.com/2023/03/icefire-linux-ransomware.html ∗∗∗ Hackers Exploiting Remote Desktop Software Flaws to Deploy PlugX Malware ∗∗∗ --------------------------------------------- Security vulnerabilities in remote desktop programs such as Sunlogin and AweSun are being exploited by threat actors to deploy the PlugX malware. AhnLab Security Emergency Response Center (ASEC), in a new analysis, said it marks the continued abuse of the flaws to deliver a variety of payloads on compromised systems. --------------------------------------------- https://thehackernews.com/2023/03/hackers-exploiting-remote-desktop.html ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal: Gutenberg - Less critical - Denial of Service - SA-CONTRIB-2023-009 ∗∗∗ --------------------------------------------- This vulnerability is mitigated by the fact an attacker must have "use gutenberg" permission to exploit it. If you use the Gutenberg module versions 8.x-2.x, upgrade to Gutenberg 8.x-2.7 --------------------------------------------- https://www.drupal.org/sa-contrib-2023-009 ∗∗∗ Oracle Database Vault Protected Table With Realm Data Extraction Vulnerability ∗∗∗ --------------------------------------------- This security issue is fixed from 21c on-wards [ I think back-port patch was released in October 2022 CPU cycle]. Still Exists in 19c (so far from version 19.18 and below). DB Vault is a security feature in Oracle that attempts to restrict “SYS” account power , in addition DB Vault will ensure seperation of duties in place such as account management and authorization can’t be performed by the DBA through SYS account anymore. --------------------------------------------- https://databasesecurityninja.wordpress.com/2023/03/07/oracle-database-vaul… ∗∗∗ Ivanti Avalanche: Security Alert - CVE-2022-44574 – Authentication Bypass for Remote Control RCServlet ∗∗∗ --------------------------------------------- This vulnerability enables an attacker to overwrite credentials which gives access to a Web Panel. This vulnerability affects all Avalanche Premise versions 6.3.x and below. This vulnerability has a CVE score of 6.5. --------------------------------------------- https://forums.ivanti.com/s/article/Avalanche-ZDI-CAN-19513-Security-Adviso… ∗∗∗ Foxit PDF Editor: Lücken erlauben einschleusen von Schadcode ∗∗∗ --------------------------------------------- Sicherheitslücken in Foxit PDF Editor ermöglichen Angreifern, mit manipulierten PDF-Dateien Schadcode einzuschmuggeln und auszuführen. Ein Update steht bereit. --------------------------------------------- https://heise.de/-7540068 ∗∗∗ Home Assistant: Sicherheitslücke entdeckt und geschlossen ∗∗∗ --------------------------------------------- Wer den Home Assistant mit Supervisor benutzt, sollte sein System jetzt aktualisieren. Ansonsten könnten Eindringlinge sich daran zu schaffen machen. --------------------------------------------- https://heise.de/-7540500 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel, pesign, samba, and zlib), Oracle (kernel), Slackware (httpd), SUSE (emacs, libxslt, nodejs12, nodejs14, nodejs16, openssl, poppler, python-py, python-wheel, xen, and xorg-x11-server), and Ubuntu (linux-gcp-5.4, linux-gkeop, opusfile, and samba). --------------------------------------------- https://lwn.net/Articles/925723/ ∗∗∗ Cloud Pak for Security uses packages that are vulnerable to multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6551876 ∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962195 ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962201 ∗∗∗ A vulnerability exists in IBM Robotic Process Automation where Queue Provider credentials are not obfuscated during editing (CVE-2023-25680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962207 ∗∗∗ IBM Robotic Process Automation for Cloud Pak may be vulnerable to a denial of service due to ISC BIND (CVE-2022-38177, CVE-2022-38178). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962223 ∗∗∗ Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6536732 ∗∗∗ Multiple Vulnerabilities in IBM HTTP Server affect WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962383 ∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962407 ∗∗∗ June 2022 : Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway for Multiplatforms and CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962411 ∗∗∗ z\/Transaction Processing Facility is affected by vulnerabilities in the Apache Kafka (kafka-clients) and cryptography packages ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962437 ∗∗∗ IBM Liberty for Java for IBM Cloud is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962195 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to incorrect default permissions (CVE-2022-46774) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962455 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2023
by Daily end-of-shift report 08 Mar '23

08 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-03-2023 18:00 − Mittwoch 08-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ What is a Website Defacement? ∗∗∗ --------------------------------------------- Defacement is easily one the most obvious signs of a hacked website. In these attacks, bad actors gain unauthorized access to an environment and leave their mark through digital vandalism, altering its visual appearance or content in the process. --------------------------------------------- https://blog.sucuri.net/2023/03/what-is-website-defacement.html ∗∗∗ Persistence – Event Log Online Help ∗∗∗ --------------------------------------------- Event viewer is a component of Microsoft Windows that displays information related to application, security, system and setup events. Even though that Event Viewer is used mainly for troubleshooting windows errors by administrators could be also used as a form a persistence during red team operations. --------------------------------------------- https://pentestlab.blog/2023/03/07/persistence-event-log-online-help/ ∗∗∗ „Lidl Frauentagsgeschenk“: Fake-Gewinnspiel zum Frauentag ∗∗∗ --------------------------------------------- Derzeit verbreiten WhatsApp-, Messenger- oder Viber-Nutzer:innen unwissentlich einen Link mit einem betrügerischen Gewinnspiel unter ihren Kontakten. Angeblich verlost die Supermarktkette „Lidl“ anlässlich des Frauentags am 8.März „viele Geldgeschenke“, wie es in der Nachricht heißt. Klicken Sie nicht auf den Link. Kriminelle versuchen Schadsoftware auf Ihrem Gerät zu installieren! --------------------------------------------- https://www.watchlist-internet.at/news/lidl-frauentagsgeschenk-fake-gewinns… ∗∗∗ GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP ∗∗∗ --------------------------------------------- ASEC (AhnLab Security Emergency response Center) has recently discovered the active distribution of the GlobeImposter ransomware. This attack is being carried out by the threat actors behind MedusaLocker. While the specific route could not be ascertained, it is assumed that the ransomware is being distributed through RDP due to the various pieces of evidence gathered from the infection logs. --------------------------------------------- https://asec.ahnlab.com/en/48940/ ===================== = Vulnerabilities = ===================== ∗∗∗ Authentication Bypass Vulnerability in Mura CMS and Masa CMS (CVE-2022-47003 and CVE-2022-47002) ∗∗∗ --------------------------------------------- Multiple versions of Mura CMS and Masa CMS contain an authentication bypass vulnerability that can allow an unauthenticated attacker to login as any Site Member or System User. --------------------------------------------- https://hoyahaxa.blogspot.com/2023/03/authentication-bypass-mura-masa.html ∗∗∗ ABB Substation management unit COM600 IEC-104 protocol stack vulnerability ∗∗∗ --------------------------------------------- Hitachi Energy disclosed a vulnerability (CVE-2022-29492) that affects certain HE products. This vulnerability also affects the IEC 68070-5-104 (IEC-104) protocol stack of ABB Substation Management Unit COM600. Subsequently, a successful exploit could allow attackers to cause a denial-of-service attack against the COM600 product. --------------------------------------------- https://web.apsis.one/wve/68c20aba-1b85-416f-bf3f-ce8b1779c260 ∗∗∗ CorePlague: Severe Vulnerabilities in Jenkins Server Lead to RCE ∗∗∗ --------------------------------------------- Aqua Nautilus researchers have discovered a chain of vulnerabilities, dubbed CorePlague, in the widely used Jenkins Server and Update Center (CVE-2023-27898, CVE-2023-27905). Exploiting these vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on the victims Jenkins server, potentially leading to a complete compromise of the Jenkins server. --------------------------------------------- https://blog.aquasec.com/jenkins-server-vulnerabilities ∗∗∗ Problematische Sicherheitslücke in Apples GarageBand ∗∗∗ --------------------------------------------- Die kostenlose Musikproduktionssoftware von Apple lässt sich offenbar angreifen. Nutzer unter macOS sollten schnell aktualisieren. --------------------------------------------- https://heise.de/-7538801 ∗∗∗ Patchday: Fortinet dichtet 15 Schwachstellen ab, davon eine kritische ∗∗∗ --------------------------------------------- Der Patchday bei Fortinet bringt IT-Verantwortlichen Updates zum Schließen von 15 Sicherheitslücken. Eine davon ist kritisch und erlaubt Einschleusen von Code. --------------------------------------------- https://heise.de/-7538910 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apr), Fedora (c-ares), Oracle (curl, kernel, pesign, samba, and zlib), Red Hat (curl, gnutls, kernel, kernel-rt, and pesign), Scientific Linux (kernel, pesign, samba, and zlib), SUSE (libX11, python-rsa, python3, python36, qemu, rubygem-rack, xorg-x11-server, and xwayland), and Ubuntu (libtpms, linux-ibm, linux-raspi, linux-raspi, python3.7, python3.8, and sofia-sip). --------------------------------------------- https://lwn.net/Articles/925606/ IBM Security Bulletins 2023-03-08 --------------------------------------------- IBM Robotic Process Automation, IBM WebSphere, IBM MQ, Financial Transaction Manager, IBM VM Recovery Manager, IBM Aspera faspio Gateway, IBM Security Verify Bridge, IBM Spectrum Scale, IBM Security Guardium. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Veeam fixt kritische Schwachstelle CVE-2023-27532 in Backup & Replication V11a/V12 ∗∗∗ --------------------------------------------- Kleiner Hinweis für Nutzer der Backup-Software des Herstellers Veeam. Dieser hat zum 7. März 2023 eine kritische Schwachstelle (CVE-2023-27532) in seinem Produkt Backup & Replication in den Versionen V11a/V12 per Update behoben. --------------------------------------------- https://www.borncity.com/blog/2023/03/08/veeam-fixt-kritische-schwachstelle… ∗∗∗ Multiple vulnerabilities in SEIKO EPSON printers/network interface Web Config ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN82424996/ ∗∗∗ Cisco IOS XR Software for ASR 9000 Series Routers Bidirectional Forwarding Detection Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IOS XR Software Bootloader Unauthenticated Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Nessus Version 10.4.3 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-11 ∗∗∗ [R1] Nessus Version 8.15.9 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2023
by Daily end-of-shift report 07 Mar '23

07 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-03-2023 18:00 − Dienstag 07-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Proof-of-Concept released for critical Microsoft Word RCE bug ∗∗∗ --------------------------------------------- A proof-of-concept for CVE-2023-21716, a critical vulnerability in Microsoft Word that allows remote code execution, has been published over the weekend. The vulnerability was assigned a 9.8 out of 10 severity score, with Microsoft addressing it in the February Patch Tuesday security updates along with a couple of workarounds. --------------------------------------------- https://www.bleepingcomputer.com/news/security/proof-of-concept-released-fo… ∗∗∗ Old Windows ‘Mock Folders’ UAC bypass used to drop malware ∗∗∗ --------------------------------------------- A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control bypass discovered over two years ago. --------------------------------------------- https://www.bleepingcomputer.com/news/security/old-windows-mock-folders-uac… ∗∗∗ Sheins Android App Caught Transmitting Clipboard Data to Remote Servers ∗∗∗ --------------------------------------------- An older version of Sheins Android application suffered from a bug that periodically captured and transmitted clipboard contents to a remote server.The Microsoft 365 Defender Research Team said it discovered the problem in version 7.9.2 of the app that was released on December 16, 2021. The issue has since been addressed as of May 2022. --------------------------------------------- https://thehackernews.com/2023/03/sheins-android-app-caught-transmitting.ht… ∗∗∗ SYS01stealer: New Threat Using Facebook Ads to Target Critical Infrastructure Firms ∗∗∗ --------------------------------------------- Cybersecurity researchers have discovered a new information stealer dubbed SYS01stealer targeting critical government infrastructure employees, manufacturing companies, and other sectors."The threat actors behind the campaign are targeting Facebook business accounts by using Google ads and fake Facebook profiles that promote things like games, adult content, and cracked software, etc. to lure victims into downloading a malicious file," Morphisec said in a report [..] --------------------------------------------- https://thehackernews.com/2023/03/sys01stealer-new-threat-using-facebook.ht… ∗∗∗ Exploitation of Critical Vulnerability in End-of-Life VMware Product Ongoing ∗∗∗ --------------------------------------------- Wallarm Detect warns of ongoing exploitation of a critical vulnerability in VMware Cloud Foundation and NSX Data Center for vSphere (NSX-V). --------------------------------------------- https://www.securityweek.com/exploitation-of-critical-vulnerability-in-end-… ∗∗∗ Werbung für neue Fake-Investment-Plattform "TradeGPT" auf Facebook, Instagram & Co. ∗∗∗ --------------------------------------------- Kriminelle bewerben auf Instagram, Facebook und Co. betrügerische Investitionsplattformen wie trade-gpt.ai oder financialpronews.com. In den Fake-Beiträgen wird eine neue Trading-Plattform, entwickelt von Elon Musk und OpenAI, vorgestellt. Die Plattform mit dem Namen "TradeGPT" erleichtert angeblich „einfachen Menschen“ den Einstieg in den Aktien- und Rohstoffhandel. Die Plattform hat nichts mit Elon Musk oder OpenAI zu tun und ist betrügerisch! --------------------------------------------- https://www.watchlist-internet.at/news/werbung-fuer-neue-fake-investment-pl… ∗∗∗ Betrugsmasche gegen Verrechnung ∗∗∗ --------------------------------------------- Certitude nimmt eine Häufung von Online-Betrug gegen die Verrechnungsabteilungen von österreichischen Unternehmen wahr. Angreifer erwirken die Änderungen der Kontodaten von Lieferanten bei deren Kunden durch Social Engineering per E-Mail. Häufig betragen die Schadenssummen mehrere hunderttausend Euro und führen zu Rechtsstreitigkeiten zwischen den betroffenen Unternehmen. --------------------------------------------- https://certitude.consulting/blog/de/betrugsmasche-gegen-verrechnung/ ∗∗∗ Using Memory Analysis to Detect EDR-Nullifying Malware ∗∗∗ --------------------------------------------- One tool Trend Micro described, dubbed “AVBurner”, used a technique to patch process-creation callbacks in kernel memory to nullify security software running on a victim system. [..] Volexity conducted research and testing to determine ways this technique of attacking endpoint detection and response (EDR) and antivirus (AV) software could reliably be detected through memory analysis. --------------------------------------------- https://www.volexity.com/blog/2023/03/07/using-memory-analysis-to-detect-ed… ===================== = Vulnerabilities = ===================== ∗∗∗ Benutzt hier jemand SHA-3? Die Referenzimplementation ... ∗∗∗ --------------------------------------------- Benutzt hier jemand SHA-3? Die Referenzimplementation hat einen Integer Overflow. --------------------------------------------- http://blog.fefe.de/?ts=9af9c7a3 ∗∗∗ Multiple vulnerabilities in PostgreSQL extension module pg_ivm ∗∗∗ --------------------------------------------- * Exposure of sensitive information to an unauthorized actor - CVE-2023-22847 * Uncontrolled search path element - CVE-2023-23554 --------------------------------------------- https://jvn.jp/en/jp/JVN19872280/ ∗∗∗ ZDI-23-212: Open Design Alliance (ODA) Drawing SDK DWG File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open Design Alliance (ODA) Drawing SDK. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-212/ ∗∗∗ ZDI-23-214: NETGEAR CAX30S SSO Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR CAX30S routers. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-214/ ∗∗∗ Patchday: Kritische System-Lücken bedrohen Android 11, 12 und 13 ∗∗∗ --------------------------------------------- Google hat wichtige Sicherheitsupdates für Android-Geräte veröffentlicht. Im schlimmsten Fall könnten Angreifer Schadcode ausführen. --------------------------------------------- https://heise.de/-7537197 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kopanocore), Fedora (golang-github-projectdiscovery-chaos-client, rust-sequoia-octopus-librnp, rust-sequoia-sop, rust-sequoia-sq, and usd), Oracle (libjpeg-turbo and pesign), Red Hat (kernel, kernel-rt, kpatch-patch, osp-director-downloader-container, pesign, rh-mysql80-mysql, samba, and zlib), SUSE (mariadb), and Ubuntu (fribidi, gmp, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-azure-4.15, linux-kvm, linux-raspi2, linux-snapdragon, linux-raspi, nss, python3.6, rsync, systemd, and tiff). --------------------------------------------- https://lwn.net/Articles/925469/ ∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ PHOENIX CONTACT: Advisory for TC ROUTER and CLOUD CLIENT ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-053/ ∗∗∗ WordPress BuddyForms Plugin — Unauthenticated Insecure Deserialization (CVE-2023–26326) ∗∗∗ --------------------------------------------- https://medium.com/tenable-techblog/wordpress-buddyforms-plugin-unauthentic… ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952319 ∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959369 ∗∗∗ IBM Data Risk Manager is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960473 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Groovy ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960481 ∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Apache Camel ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960485 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960493 ∗∗∗ IBM Observability with Instana (OnPrem) affected by OpenSSL vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960495 ∗∗∗ IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960511 ∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6828569 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.03.2023
by Daily end-of-shift report 06 Mar '23

06 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-03-2023 18:00 − Montag 06-03-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Fake-Shops fälschen Zahlung mit Klarna ∗∗∗ --------------------------------------------- Die Fake-Shops scheubner.net und profibikes.de wirken sehr professionell. Vor allem die Möglichkeit mit Klarna zu bezahlen, wiegt viele in Sicherheit. Die Shops fälschen aber den Klarna-Zahlungsprozess. Geben Sie Ihre Zugangsdaten auf der nachgebauten Klarna-Zahlungsseite ein, landen diese bei Kriminellen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-faelschen-zahlung-mit-kla… ∗∗∗ DCOM-Härtung (CVE-2021-26414) zum 14. März 2023-Patchday für Windows 10/11 und Server ∗∗∗ --------------------------------------------- Kleine Erinnerung für Administratoren von Windows in Unternehmensumgebungen. In Microsofts Windows DCOM-Implementierung gibt es eine Schwachstelle (Windows DCOM Server Security Feature Bypass, CVE-2021-26414), die eine Umgehung der Sicherheitsfunktionen ermöglichte. Microsoft hat das 2021 dokumentiert, und dann auch gepatcht, wobei das Schließen dieser Schwachstelle in mehreren Stufen erfolgt. Kürzlich wurde ich erinnert, dass Microsoft am 14. März 2023 einen letzten Patch freigeben wird, der die Möglichkeit zum Abschalten dieser DCOM-Härtung entfernt. --------------------------------------------- https://www.borncity.com/blog/2023/03/05/dcom-hrtung-cve-2021-26414-zum-14-… ∗∗∗ Magbo Spam Injection Encoded with hex2bin ∗∗∗ --------------------------------------------- We recently had a new client come to us with a rather peculiar issue on their WordPress website: They were receiving unwanted popup advertisements but only when the website was accessed through links posted on FaceBook. Initially we thought that this must be a rogue ad coming through an otherwise legitimate advertising network but it turned out to be a very well crafted and hidden spam injection. --------------------------------------------- https://blog.sucuri.net/2023/03/magbo-spam-injection-encoded-with-hex2bin.h… ∗∗∗ New HiatusRAT Malware Targets Business-Grade Routers to Covertly Spy on Victims ∗∗∗ --------------------------------------------- A never-before-seen complex malware is targeting business-grade routers to covertly spy on victims in Latin America, Europe, and North America at least since July 2022. The elusive campaign, dubbed Hiatus by Lumen Black Lotus Labs, has been found to deploy two malicious binaries, a remote access trojan dubbed HiatusRAT and a variant of tcpdump that makes it possible to capture packet [...] --------------------------------------------- https://thehackernews.com/2023/03/new-hiatusrat-malware-targets-business.ht… ∗∗∗ How to prevent Microsoft OneNote files from infecting Windows with malware ∗∗∗ --------------------------------------------- The best way to prevent malicious Microsoft OneNote attachments from infecting Windows is to block the .one file extension at your secure mail gateways or mail servers. However, if that is not possible for your environment, you can also use Microsoft Office group policies to restrict the launching of embedded file attachments in Microsoft OneNote files. --------------------------------------------- https://www.bleepingcomputer.com/news/security/how-to-prevent-microsoft-one… ∗∗∗ Polynonce: A Tale of a Novel ECDSA Attack and Bitcoin Tears ∗∗∗ --------------------------------------------- In this blog post, we tell a tale of how we discovered a novel attack against ECDSA and how we applied it to datasets we found in the wild, including the Bitcoin and Ethereum networks. [...] We cover our journey, findings, and the rabbit holes we explored. We also provide an academic paper with the details of the attack and open-source code implementing it, so people building software and products using ECDSA can ensure they do not have this vulnerability in their systems. --------------------------------------------- https://research.kudelskisecurity.com/2023/03/06/polynonce-a-tale-of-a-nove… ===================== = Vulnerabilities = ===================== ∗∗∗ strongSwan Vulnerability (CVE-2023-26463) ∗∗∗ --------------------------------------------- A vulnerability related to certificate verification in TLS-based EAP methods was discovered in strongSwan that results in a denial of service but possibly even remote code execution. Versions 5.9.8 and 5.9.9 may be affected. [...] The just released strongSwan 5.9.10 fixes this vulnerability. For older releases, we provide a patch that fixes the vulnerability and should apply with appropriate hunk offsets. --------------------------------------------- https://www.strongswan.org/blog/2023/03/02/strongswan-vulnerability-(cve-20… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apache2, libde265, libreswan, spip, syslog-ng, and xfig), Fedora (edk2, libtpms, python-django3, stb, sudo, vim, and xen), Red Hat (libjpeg-turbo and pesign), SUSE (kernel, python36, samba, and trivy), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-gcp, linux-gke, linux-gkeop, linux-hwe-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-dell300x, linux-gcp-4.15, linux-oracle, linux-aws-hwe, linux-oracle, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/925323/ ∗∗∗ Multiple Vulnerabilities in Arris DG3450 Cable Gateway ∗∗∗ --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities… ∗∗∗ Multiple Vulnerabilities in Json4j Affects Watson Machine Learning Accelerator ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959963 ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-4450) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959973 ∗∗∗ IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952319 ∗∗∗ A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2023-26281) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960159 ∗∗∗ Vulnerability in the Golang language affects IBM Event Streams (CVE-2022-3064) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960175 ∗∗∗ IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands may be vulnerable to cross-site scripting due to IBM X-Force ID 239963 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960189 ∗∗∗ Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960201 ∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960211 ∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability ( CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960215 ∗∗∗ IBM Security Guardium is affected by an out-of-bounds access issue vulnerability (CVE-2022-2319, CVE-2022-2320) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960213 ∗∗∗ Vulnerabilities in OpenSSL affect Bluemix Workflow (CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-204, CVE-2015-205, CVE-2015-206) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/258535 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect Bluemix Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/258547 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix October 2015 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/273103 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix April 2016 (CVE-2016-3426) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/278361 ∗∗∗ Multiple vulnerabilities in IBM\u00ae SDK, Java\u2122 Technology Edition affected IBM Workflow for Bluemix January 2016 (CVE-2015-7575, CVE-2016-0466, CVE-2016-0475) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/541019 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2023
by Daily end-of-shift report 03 Mar '23

03 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-03-2023 18:00 − Freitag 03-03-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ FBI and CISA warn of increasing Royal ransomware attack risks ∗∗∗ --------------------------------------------- CISA and the FBI have issued a joint advisory highlighting the increasing threat behind ongoing Royal ransomware attacks targeting many U.S. critical infrastructure sectors, including healthcare, communications, and education. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fbi-and-cisa-warn-of-increas… ∗∗∗ Persistence Techniques That Persist ∗∗∗ --------------------------------------------- In this blog post, we will focus on how malware can achieve persistence by abusing the Windows Registry. Specifically, we will focus on lesser-known techniques, many of which have been around since the days of Windows XP and are just as effective today on Windows 10 and 11. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/persistence-techniq… ∗∗∗ NIST Cybersecurity Framework 2.0: Aktualisierte Leitlinien gegen Cybercrime ∗∗∗ --------------------------------------------- Weil sich die IT-Angriffslandschaft stetig ändert, hat das US-amerikanische Institute of Standards and Technology sein Cybersecurity-Framework aktualisiert. --------------------------------------------- https://heise.de/-7534206 ∗∗∗ FAQ: Welche Cyberangriffe es gibt und wie sich Risiken vermeiden lassen ∗∗∗ --------------------------------------------- Cyberangriffe können jeden betreffen, doch mit ein paar einfachen Maßnahmen können Sie Ihr persönliches Risiko zumindest minimieren. --------------------------------------------- https://heise.de/-7523370 ∗∗∗ Thousands of Websites Hijacked Using Compromised FTP Credentials ∗∗∗ --------------------------------------------- Cybersecurity startup Wiz warns of a widespread redirection campaign in which thousands of websites have been compromised using legitimate FTP credentials. --------------------------------------------- https://www.securityweek.com/thousands-of-websites-hijacked-using-compromis… ∗∗∗ Of Degens and Defrauders: Using Open-Source Investigative Tools to Investigate Decentralized Finance Frauds and Money Laundering. (arXiv:2303.00810v1 [cs.CR]) ∗∗∗ --------------------------------------------- This study demonstrates how open-source investigative tools can extract transaction-based evidence that could be used in a court of law to prosecute DeFi frauds. Additionally, we investigate how these funds are subsequently laundered. --------------------------------------------- http://arxiv.org/abs/2303.00810 ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2023-03-03 ∗∗∗ --------------------------------------------- IBM Cloud Pak, IBM Financial Transaction Manager, Operations Dashboard, IBM App Connect Enterprise Certified Container, IBM Sterling Connect:Express, IBM HTTP Server, IBM Spectrum Control, IBM Aspera Faspex, IBM SAN, IBM Storwize, IBM Spectrum Virtualize, IBM FlashSystem, IBM Maximo, IBM WebSphere Remote Server, IBM Business Automation Workflow, Rational Functional Tester. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Schadcode-Attacken auf HPE Serviceguard unter Linux möglich ∗∗∗ --------------------------------------------- Die Entwickler haben in Serviceguard for Linux von HPE drei Sicherheitslücken geschlossen. Abgesicherte Version stehen zum Download bereit. --------------------------------------------- https://heise.de/-7534361 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (linux-5.10 and node-css-what), SUSE (gnutls, google-guest-agent, google-osconfig-agent, nodejs10, nodejs14, nodejs16, opera, pkgconf, python-cryptography, python-cryptography-vectors, rubygem-activesupport-4_2, thunderbird, and tpm2-0-tss), and Ubuntu (git, kernel, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-lowlatency, linux-oracle, linux-azure-fde, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, php7.0, python-pip, ruby-rack, spip, and sudo). --------------------------------------------- https://lwn.net/Articles/925060/ ∗∗∗ Lücken in Intel-CPUs: Microsoft veröffentlicht außerplanmäßiges Sicherheitsupdate ∗∗∗ --------------------------------------------- Es soll insgesamt vier Lücken stopfen. Die Schwachstellen sind allerdings schon seit Juni 2022 bekannt. Betroffen sind Windows 10, Windows 11 und Windows Server. --------------------------------------------- https://www.zdnet.de/88407530/luecken-in-intel-cpus-microsoft-veroeffentlic… ∗∗∗ [R1] Nessus Version 10.5.0 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-09 ∗∗∗ BOSCH-SA-931197: Vulnerability in routers FL MGUARD and TC MGUARD ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-931197.html ∗∗∗ SonicOS SSLVPN Improper Restriction of Excessive MFA Attempts Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0005 ∗∗∗ SonicOS Unauthenticated Stack-Based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2023
by Daily end-of-shift report 02 Mar '23

02 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-03-2023 18:00 − Donnerstag 02-03-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ YARA: Detect The Unexpected ..., (Thu, Mar 2nd) ∗∗∗ --------------------------------------------- He has strings to detected any embedded file, and strings to detect embedded PNG files, JPEG files, ... So, in YARA, how can you use this to detect OneNote files that contain embedded files, but are not images? The trick is to count and compare string occurrences. --------------------------------------------- https://isc.sans.edu/diary/rss/29598 ∗∗∗ SysUpdate Malware Strikes Again with Linux Version and New Evasion Tactics ∗∗∗ --------------------------------------------- The threat actor known as Lucky Mouse has developed a Linux version of a malware toolkit called SysUpdate, expanding on its ability to target devices running the operating system. --------------------------------------------- https://thehackernews.com/2023/03/sysupdate-malware-strikes-again-with.html ∗∗∗ This Hacker Tool Can Pinpoint a DJI Drone Operators Exact Location ∗∗∗ --------------------------------------------- Every DJI quadcopter broadcasts its operators position via radio—unencrypted. Now, a group of researchers has learned to decode those coordinates. --------------------------------------------- https://www.wired.com/story/dji-droneid-operator-location-hacker-tool/ ∗∗∗ Helping Cyber Defenders “Decide” to Use MITRE ATT&CK ∗∗∗ --------------------------------------------- Since the Cybersecurity and Infrastructure Security Agency (CISA) announced its first edition of Best Practices for MITRE ATT&CK Mapping nearly two years ago, the ATT&CK framework has evolved, expanded, and improved its ability to support more than just optimized cyber threat intelligence to the cybersecurity community. To match these advances, CISA recently published a second edition of our mapping guide and today announces a new accompaniment to the guide, CISA’s Decider tool. --------------------------------------------- https://www.cisa.gov/news-events/news/helping-cyber-defenders-decide-use-mi… ∗∗∗ Application SecurityCase StudiesCloud Native SecurityVulnerabilities Gitpod remote code execution 0-day vulnerability via WebSockets ∗∗∗ --------------------------------------------- This article walks us through a current Snyk Security Labs research project focusing on cloud based development environments (CDEs) — which resulted in a full workspace takeover on the Gitpod platform and extended to the user’s SCM account. The issues here have been responsibly disclosed to Gitpod and were resolved within a single working day --------------------------------------------- https://snyk.io/blog/gitpod-remote-code-execution-vulnerability-websockets/ ∗∗∗ CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this Cybersecurity Advisory (CSA) detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organizations cyber posture. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-059a ∗∗∗ Tainted Love: A Systematic Review of Online Romance Fraud. (arXiv:2303.00070v1 [cs.HC]) ∗∗∗ --------------------------------------------- Romance fraud involves cybercriminals engineering a romantic relationship ononline dating platforms. It is a cruel form of cybercrime whereby victims areleft heartbroken, often facing financial ruin. We characterise the literarylandscape on romance fraud, advancing the understanding of researchers andpractitioners by systematically reviewing and synthesising contemporaryqualitative and quantitative evidence. --------------------------------------------- http://arxiv.org/abs/2303.00070 ∗∗∗ Dishing Out DoS: How to Disable and Secure the Starlink User Terminal. (arXiv:2303.00582v1 [cs.CR]) ∗∗∗ --------------------------------------------- Satellite user terminals are a promising target for adversaries seeking totarget satellite communication networks. Despite this, many protectionscommonly found in terrestrial routers are not present in some user terminals.As a case study we audit the attack surface presented by the Starlinkrouters admin interface, using fuzzing to uncover a denial of service attackon the Starlink user terminal. --------------------------------------------- http://arxiv.org/abs/2303.00582 ===================== = Vulnerabilities = ===================== ∗∗∗ Group control for forums - Critical - Access bypass - SA-CONTRIB-2023-008 ∗∗∗ --------------------------------------------- Project: Group control for forums Security risk: Critical Description: This module enables you to associate Forums as Group 1.x content and use Group access permissions. Previous versions of the module incorrectly set node access on creation, and did not correctly restrict access to lists of forum topics. Solution: Install the latest version --------------------------------------------- https://www.drupal.org/sa-contrib-2023-008 ∗∗∗ Thunder - Moderately critical - Access bypass - SA-CONTRIB-2023-007 ∗∗∗ --------------------------------------------- Project: Thunder Security risk: Moderately critical Description: Thunder is a Drupal distribution for professional publishing. The thunder distribution ships the thunder_gqls module which provides a graphql interface.The module doesnt sufficiently check access when serving user data via graphql leading to an access bypass vulnerability --------------------------------------------- https://www.drupal.org/sa-contrib-2023-007 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (git), Debian (spip), Fedora (epiphany), Mageia (binwalk, chromium-browser-stable, crmsh, emacs, libraw, libtiff, nodejs, pkgconf, tar, and vim), Oracle (kernel and systemd), SUSE (emacs, kernel, nrpe, and rubygem-activerecord-4_2), and Ubuntu (c-ares, git, postgresql-12, postgresql-14, and sox). --------------------------------------------- https://lwn.net/Articles/924922/ ∗∗∗ Kritische Sicherheitslücken in ArubaOS - Updates teilweise verfügbar ∗∗∗ --------------------------------------------- Da Angreifende auf betroffenen Geräten beliebigen Code ausführen können, sind alle auf diesen Geräten befindlichen und darüber erreichbaren Daten gefährdet. Da es sich um Netzwerkkomponenten handelt, sind auch Szenarien denkbar wo darüber fliessende Daten gelesen, beeinträchtigt und/oder verändert werden können. --------------------------------------------- https://cert.at/de/warnungen/2023/3/kritische-sicherheitslucken-in-arubaos-… ∗∗∗ Better Social Sharing Buttons - Less critical - Cross Site Scripting - SA-CONTRIB-2023-006 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-006 ∗∗∗ ABB: Improper authentication vulnerability in S+ Operations (CVE ID: CVE-2023-0228) ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=7PAA0… ∗∗∗ IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6590487 ∗∗∗ IBM Maximo Asset Management is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959353 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to stored cross-site scripting (CVE-2022-35645) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959355 ∗∗∗ IBM Spectrum Symphony is vulnerable to Host header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959369 ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilties (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957836 ∗∗∗ There is a vulnerability in Apache SOAP used by IBM Maximo Asset Management (CVE-2022-40705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959357 ∗∗∗ There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-40705) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959359 ∗∗∗ Persistent cross-site scripting vulnerability affect IBM Business Automation Workflow - CVE-2023-22860 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958691 ∗∗∗ Vulnerability in bind affects IBM Integrated Analytics System [CVE-2022-2795] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959567 ∗∗∗ IBM Cloud Pak for Network Automation v2.4.4 fixes multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959583 ∗∗∗ There is a vulnerability in Eclipse Jetty used by IBM Maximo Asset Management (CVE-2022-2047) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959601 ∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU and IBM Java - OpenJ9 CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959625 ∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6848317 ∗∗∗ IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956299 ∗∗∗ Operations Dashboard is vulnerable to denial of service and response splitting due to vulnerabilities in Netty (CVE-2022-41881 and CVE-2022-41915) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959639 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2023
by Daily end-of-shift report 01 Mar '23

01 Mar '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-02-2023 18:00 − Mittwoch 01-03-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ TPM-2.0-Spezifikationen: Angreifer könnten Schadcode auf TPM schmuggeln ∗∗∗ --------------------------------------------- In die Spezifikation der TPM-2.0-Referenzbibliothek haben sich Fehler eingeschlichen. Angreifer könnten verwundbaren Implementierungen eigenen Code unterjubeln. --------------------------------------------- https://heise.de/-7531171 ∗∗∗ Finish him! Kostenloses Entschlüsselungstool besiegt MortalKombat-Ransomware ∗∗∗ --------------------------------------------- Kaum hat der Erpressungstrojaner MortalKombat das Licht der Welt erblickt, holen Sicherheitsforscher zum finalen Schlag aus. --------------------------------------------- https://heise.de/-7531337 ∗∗∗ Gefälschter PayLife-Login in Anzeigen bei Google-Suche! ∗∗∗ --------------------------------------------- PayLife-User:innen aufgepasst: Kriminelle schalten aktuell Werbung auf Google, welche auf eine gefälschte PayLife-Website führt. Ein kleiner Tippfehler reicht aus, um die betrügerische Werbung als erstes Ergebnis angezeigt zu bekommen. Wer die eigenen Login-Daten auf der Phishing-Seite eingibt, ermöglicht es den Kriminellen, Zahlungen zu tätigen. Das Geld ist verloren! --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschter-paylife-login-in-anzeig… ∗∗∗ The dangers from across browser-windows ∗∗∗ --------------------------------------------- Beim Durchsuchen des Webs versucht Ihr Browser, Sie bestmöglich zu schützen, aber manchmal scheitert er daran, wenn er nicht ordnungsgemäß von der Website angewiesen wird, die Sie besuchen. Einer der wichtigsten Sicherheitsmechanismen des Browsers ist die Same-Origin Policy [1][2][3] (SOP), die einschränkt, wie Skripte und Dokumente aus einer Ursprungsquelle mit Ressourcen und Dokumenten aus einer [...] --------------------------------------------- https://certitude.consulting/blog/de/the-dangers-from-across-browser-window… ∗∗∗ BlackLotus UEFI-Bootkit überwindet Secure Boot in Windows 11 ∗∗∗ --------------------------------------------- Sicherheitsforscher von ESET haben eine BlackLotus getaufte Malware in freier Wildbahn entdeckt, die sich des UEFI bemächtigt. BlackLotus dürfte die erste UEFI-Bootkit-Malware in freier Wildbahn sein, die Secure Boot unter Windows 11 (und wohl auch Windows 10) aushebeln kann. --------------------------------------------- https://www.borncity.com/blog/2023/03/01/blacklotus-uefi-bootkit-berwindet-… ∗∗∗ CISA: ZK Java Framework RCE Flaw Under Active Exploit ∗∗∗ --------------------------------------------- The flaw, which drew attention in October when it was found in ConnectWise products, could pose a significant risk to the supply chain if not patched immediately. --------------------------------------------- https://www.darkreading.com/risk/cisa-zk-java-framework-rce-flaw-under-acti… ∗∗∗ SCARLETEEL: Operation leveraging Terraform, Kubernetes, and AWS for data theft ∗∗∗ --------------------------------------------- The Sysdig Threat Research Team recently discovered a sophisticated cloud operation in a customer environment, dubbed SCARLETEEL, that resulted in stolen proprietary data. The attacker exploited a containerized workload and then leveraged it to perform privilege escalation into an AWS account in order to steal proprietary software and credentials. --------------------------------------------- https://sysdig.com/blog/cloud-breach-terraform-data-theft/ ∗∗∗ DNS abuse: Advice for incident responders ∗∗∗ --------------------------------------------- What DNS abuse techniques are employed by cyber adversaries and which organizations can help incident responders and security teams detect, mitigate and prevent them? The DNS Abuse Techniques Matrix published by FIRST provides answers. --------------------------------------------- https://www.helpnetsecurity.com/2023/03/01/dns-abuse-advice-for-incident-re… ∗∗∗ Google Cloud Platform allows data exfiltration without a (forensic) trace ∗∗∗ --------------------------------------------- Attackers can exfiltrate company data stored in Google Cloud Platform (GCP) storage buckets without leaving obvious forensic traces of the malicious activity in GCP’s storage access logs, Mitiga researchers have discovered. [...] In short, the main problem is that GCP’s basic storage logs – which are, by the way, not enabled by default – use the same description/event (objects.get) for [...] --------------------------------------------- https://www.helpnetsecurity.com/2023/03/01/gcp-data-exfiltration/ ∗∗∗ Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads ∗∗∗ --------------------------------------------- The Cisco AnyConnect client has received a fair amount of scrutiny from the security community over the years, with a particular focus on leveraging the vpnagent.exe service for privilege escalation. A while ago, we started to look at whether AnyConnect could be used to deliver payloads during red team engagements [...] --------------------------------------------- https://research.nccgroup.com/2023/03/01/making-new-connections-leveraging-… ∗∗∗ The Level of Human Engagement Behind Automated Attacks ∗∗∗ --------------------------------------------- Even automated attacks are driven by humans, but the level of engagement we observed may surprise you! When the human or an organization behind an automated attack shows higher levels of innovation and sophistication in their attack tactics, the danger increases dramatically as they are no longer simply employing an opportunistic “spray and pray” strategy, but rather more highly evolved strategies that are closer to a so-called targeted attack. --------------------------------------------- https://www.gosecure.net/blog/2023/02/28/the-level-of-human-engagement-behi… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (multipath-tools and syslog-ng), Fedora (gnutls and guile-gnutls), Oracle (git, httpd, lua, openssl, php, python-setuptools, python3.9, sudo, tar, and vim), Red Hat (kpatch-patch), Scientific Linux (git), SUSE (compat-openssl098, glibc, openssl, postgresql13, python-Django, webkit2gtk3, and xterm), and Ubuntu (awstats, expat, firefox, gnutls28, lighttpd, php7.2, php7.4, php8.1, python-pip, and tar). --------------------------------------------- https://lwn.net/Articles/924794/ ∗∗∗ Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products ∗∗∗ --------------------------------------------- Several ThingWorx and Kepware products are affected by two vulnerabilities that can be exploited for DoS attacks and unauthenticated remote code execution. The post Critical Vulnerabilities Patched in ThingWorx, Kepware IIoT Products appeared first on SecurityWeek. --------------------------------------------- https://www.securityweek.com/critical-vulnerabilities-patched-in-thingworx-… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Webex App for Web Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco IP Phone 6800, 7800, 7900, and 8800 Series Web UI Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Finesse Reverse Proxy VPN-less Access to Finesse Desktop Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Unified Intelligence Center Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ TPM 2.0 Vulnerabilities ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500551-TPM-20-VULNERABILITIES ∗∗∗ Nuvoton TPM Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://support.lenovo.com/product_security/PS500550-NUVOTON-TPM-DENIAL-OF-… ∗∗∗ Malicious IKEv2 packet by authenticated peer can cause libreswan to restart ∗∗∗ --------------------------------------------- https://libreswan.org/security/CVE-2023-23009/CVE-2023-23009.txt ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 5.23.1: SC-202303.1-5 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-08 ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc version 6.0.0: SC-202303.1-6 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-07 ∗∗∗ IBM Planning Analytics and IBM Planning Analytics Workspace are affected by a security vulnerability in IBM WebSphere Application Server Liberty (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856457 ∗∗∗ DataPower Operator vulnerable to Denial of Service (CVE-2022-41724) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958490 ∗∗∗ Financial Transaction Manager for Digital Payments, High Value Payments and Corporate Payment Services are impacted by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958504 ∗∗∗ Security vulnerabilities have been identified in IBM Db2 shipped with IBM Security Guardium Key Lifecycle Manager (CVE-2022-22389, CVE-2022-25313, CVE-2022-25236, CVE-2022-25314, CVE-2022-25315, CVE-2022-25235 and CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959019 ∗∗∗ Multiple vulnerabilities in IBM SDK for Node.js and packaged modules affect IBM Business Automation Workflow Configuration Editor ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959033 ∗∗∗ IBM Sterling Connect:Express for UNIX is affected by multiple vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958701 ∗∗∗ IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957688 ∗∗∗ IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957686 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2023
by Daily end-of-shift report 28 Feb '23

28 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 27-02-2023 18:00 − Dienstag 28-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical flaws in WordPress Houzez theme exploited to hijack websites ∗∗∗ --------------------------------------------- Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/critical-flaws-in-wordpress-… ∗∗∗ New Exfiltrator-22 post-exploitation kit linked to LockBit ransomware ∗∗∗ --------------------------------------------- Threat actors are promoting a new Exfiltrator-22 post-exploitation framework designed to spread ransomware in corporate networks while evading detection. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-exfiltrator-22-post-expl… ∗∗∗ Passwortmanager: Lastpass teilt weitere Details zum Dezember-Hack mit ∗∗∗ --------------------------------------------- Über einen Keylogger auf einem Privatrechner konnten Angreifer Adminzugriff auf diverse Lastpass-Kundendaten und dessen Quellcode erhalten. --------------------------------------------- https://www.golem.de/news/passwortmanager-lastpass-teilt-weitere-details-zu… ∗∗∗ Side-Channel Attack against CRYSTALS-Kyber ∗∗∗ --------------------------------------------- CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. --------------------------------------------- https://www.schneier.com/blog/archives/2023/02/side-channel-attack-against-… ∗∗∗ CISA Issues Warning on Active Exploitation of ZK Java Web Framework Vulnerability ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting the ZK Framework to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. Tracked as CVE-2022-36537 (CVSS score: 7.5), the issue impacts ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2, and 8.6.4.1, and allows threat actors to retrieve sensitive information via specially crafted requests. --------------------------------------------- https://thehackernews.com/2023/02/cisa-issues-warning-on-active.html ∗∗∗ A Complete Kubernetes Config Review Methodology ∗∗∗ --------------------------------------------- The are many resources out there that tap into the subject of Kubernetes Pentesting or Configuration Review, however, they usually detail specific topics and misconfigurations and don’t offer a broad perspective on how to do a complete Security Review. That is why in this article I want to cover a more complete overview on all the possible aspects that should be reviewed when dealing with a Kubernetes Security Assessment. --------------------------------------------- https://securitycafe.ro/2023/02/27/a-complete-kubernetes-config-review-meth… ∗∗∗ Vulnerabilities Being Exploited Faster Than Ever: Analysis ∗∗∗ --------------------------------------------- The time from vulnerability disclosure to exploitation is decreasing, according to a new intelligence report from Rapid7. --------------------------------------------- https://www.securityweek.com/vulnerabilities-being-exploited-faster-than-ev… ∗∗∗ Konzertkarten auf Facebook kaufen: Vorsicht vor Betrug ∗∗∗ --------------------------------------------- Facebook ist eine beliebte Anlaufstelle, um Karten für ausverkaufte Konzerte zu ergattern. Bedenken Sie aber, dass hinter vielen Angeboten Fake-Profile stecken. Überprüfen Sie das Profil der Verkäufer:innen sehr genau und bezahlen Sie niemals mit der PayPal-Funktion „Geld an Freunde & Familie senden“. Wir zeigen Ihnen, wie Sie betrügerische Angebote auf Facebook erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/konzertkarten-auf-facebook-kaufen-vo… ∗∗∗ Gefälschtes E-Mail von FinanzOnline über Sicherheitsaktualisierung im Umlauf ∗∗∗ --------------------------------------------- Nehmen Sie E-Mails vom Finanzamt bzw. von FinanzOnline sehr genau unter die Lupe. Im Moment sind unzählige betrügerische Schreiben im Umlauf. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-e-mail-von-finanzonline… ∗∗∗ Sicherheitsanbieter Cyren geht in Liquidation – NoSpamProxy betroffen ∗∗∗ --------------------------------------------- Kurze Information für Nutzer, die Sicherheitsfunktionen des Anbieters Cyren einsetzen (z. B. NoSpamProxy). Der Anbieter Cyren steckt in wirtschaftlichen Schwierigkeiten und wird wohl liquidiert – die betreffenden Dienste werden eingestellt. --------------------------------------------- https://www.borncity.com/blog/2023/02/28/sicherheitsanbieter-cyren-geht-in-… ∗∗∗ Bitdefender Releases Free MortalKombat Ransomware Decryptor ∗∗∗ --------------------------------------------- The free Mortal Kombat ransomware decryptor is now available for victims to recover their encrypted files without having to pay the ransom. --------------------------------------------- https://www.hackread.com/bitdefender-mortalkombat-ransomware-decryptor/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0006 ∗∗∗ --------------------------------------------- CVSSv3 Range: 6.3 CVE(s): CVE-2023-20857 Synopsis: VMware Workspace ONE Content update addresses a passcode bypass vulnerability (CVE-2023-20857) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0006.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, python-werkzeug, and spip), Fedora (curl), Mageia (apache-commons-fileupload, apr, c-ares, clamav, git, gnutls, ipython, jupyter-core, php, postgresql, python-cryptography, python-jupyterlab, python-twisted, sofia-sip, and sox), Red Hat (git, httpd, kernel, kernel-rt, kpatch-patch, lua, openssl, pcs, php, python-setuptools, python3.9, systemd, tar, vim, and zlib), SUSE (libxslt, php8, postgresql15, python3, tpm2-0-tss, and ucode-intel), and --------------------------------------------- https://lwn.net/Articles/924690/ ∗∗∗ IBM Security Bulletins 2023-02-23 ∗∗∗ --------------------------------------------- IBM VM Recovery Manager, IBM MQ Appliance, Red Hat OpenShift on IBM Cloud, IBM Business Automation Workflow, WebSphere Application Server, IBM SAN b-type switch, IBM FlashSystem, TMS RAMSAN, IBM HTTP Server, IBM CloudPak, Operations Dashboard, IBM QRadar SIEM Application Framework Base Image. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ CVE-2022-38108: RCE in SolarWinds Network Performance Monitor ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hong and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the SolarWinds Network Performance Monitor. This bug was originally discovered and reported by ZDI Vulnerability Research Piotr Bazydło. The vulnerability results from the lack of proper validation of user-supplied data, which can result in the deserialization of untrusted data. --------------------------------------------- https://www.thezdi.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-netw… ∗∗∗ ASUS ASMB8 iKVM 1.14.51 SNMP Remote Root ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020047 ∗∗∗ ABUS Security Camera TVIP 20000-21150 LFI / Remote Code Execution ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020046 ∗∗∗ web2py development tool vulnerable to open redirect ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN78253670/ ∗∗∗ Osprey Pump Controller 1.0.1 Exploit Code released ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ ∗∗∗ OS Command Injection in Barracuda CloudGen WAN ∗∗∗ --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/os-command-injection-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.02.2023
by Daily end-of-shift report 27 Feb '23

27 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-02-2023 18:00 − Montag 27-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ QUICforge - Client-seitige Request-Forgery-Angriffe im QUIC Protokoll ∗∗∗ --------------------------------------------- Ein Überblick warum das QUIC Protokoll ein für die Sicherheit relevantes und besonders aktuelles Forschungsgebiet ist und welche Herausforderung die Nutzung von QUIC birgt. --------------------------------------------- https://sec-consult.com/de/blog/detail/quicforge-client-seitige-request-for… ∗∗∗ Exchange Server: Microsoft empfiehlt Aktualisierung der Antivirus-Ausnahmen (Feb. 2023) ∗∗∗ --------------------------------------------- Microsofts Exchange Server-Team hat seine Empfehlungen in Bezug auf Ausnahmen für Antivirus-Scans überarbeitet und bittet Administratoren die Einstellungen der Antivirus-Software zu überprüfen und gegebenenfalls anzupassen. --------------------------------------------- https://www.borncity.com/blog/2023/02/27/exchange-server-microsoft-empfiehl… ∗∗∗ Bösartige Authenticator-Apps auch im Google-Play-Store ∗∗∗ --------------------------------------------- Vergangene Woche haben App-Entwickler bösartige Authenticator-Apps in Apples App-Store entdeckt. Jetzt wurden sie auch im Google-Play-Store fündig. --------------------------------------------- https://heise.de/-7528469 ∗∗∗ Nur mit iPhone-PIN: Diebe räumen Apple-ID und Bankkonten ab ∗∗∗ --------------------------------------------- iPhone-Diebstähle können zu einer vollständigen Apple-ID- und Bankkonten-Übernahme führen. Schuld ist Apples (zu) einfache Passwort-Recovery per PIN. --------------------------------------------- https://heise.de/-7527961 ∗∗∗ Kleinanzeigenplattformen: Betrügerische Käufer:innen täuschen Zahlung auf gefälschter PayPal-Website vor ∗∗∗ --------------------------------------------- Willhaben, Ebay, Shpock und Co.: Nehmen Sie sich vor betrügerischen Interessent:innen in Acht! Betrügerische Interessent:innen auf Kleinanzeigenplattformen behaupten, den Kaufbetrag inklusive Versandkosten an den Zahlungsdienst PayPal überwiesen zu haben. Sie schicken Ihnen einen personalisierten Link, über den Sie das Geld angeblich anfordern können. Brechen Sie den Kontakt ab, Sie werden auf eine gefälschte PayPal-Seite gelockt. Kriminelle stehlen damit Ihre Zugangsdaten und Geld von Ihrem PayPal-Konto! --------------------------------------------- https://www.watchlist-internet.at/news/neue-betrugsmasche-auf-kleinanzeigen… ∗∗∗ PureCrypter malware hits govt orgs with ransomware, info-stealers ∗∗∗ --------------------------------------------- A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains. --------------------------------------------- https://www.bleepingcomputer.com/news/security/purecrypter-malware-hits-gov… ∗∗∗ RIG Exploit Kit still infects enterprise users via Internet Explorer ∗∗∗ --------------------------------------------- The RIG Exploit Kit is undergoing its most successful period, attempting roughly 2,000 intrusions daily and succeeding in about 30% of cases, the highest ratio in the services long operational history. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rig-exploit-kit-still-infect… ∗∗∗ Is My Site Hacked? (13 Signs) ∗∗∗ --------------------------------------------- Symptoms of a hack can vary wildly. A concerning security alert from Google, a browser warning when you visit your site, or even a notice from your hosting provider that they’ve taken down your website - all of these events may indicate that your site has been hacked. Fortunately, there are a number of quick (and free) ways you can check and find out if your website has been compromised. --------------------------------------------- https://blog.sucuri.net/2023/02/is-my-website-hacked.html ∗∗∗ Open Source Security and Risk Analysis Report ∗∗∗ --------------------------------------------- In its 8 th edition this year, the 2023 “Open Source Security and Risk Analysis” (OSSRA) report delivers our annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. https://www.synopsys.com/content/dam/synopsys/sig-assets/reports/rep-ossra-… --------------------------------------------- https://www.synopsys.com/software-integrity/resources/analyst-reports/open-… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate: Zoho ManageEngine ServiceDesk Plus ist verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit dem IT-Verwaltungssystem ManageEngine ServiceDesk Plus von Zoho attackieren. Eine ältere Zoho-Lücke wird derweil angegriffen. --------------------------------------------- https://heise.de/-7528332 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (apr-util, freeradius, mono, nodejs, php7.3, php7.4, and python-cryptography), Fedora (epiphany, haproxy, and podman), SUSE (chromium, libraw, php7, php74, python-pip, and rubygem-activerecord-4_2), and Ubuntu (apr, clamav, curl, intel-microcode, nss, openvswitch, webkit2gtk, and zoneminder). --------------------------------------------- https://lwn.net/Articles/924546/ ∗∗∗ Windows: Microsoft liefert cURL-Bibliothek weiterhin mit Schwachstellen aus (Feb. 2023) ∗∗∗ --------------------------------------------- Es ist eine unschöne Geschichte, die ich erneut hier im Blog einstelle. Microsoft gelingt es nicht, cURL mit Windows so auszuliefern, dass die Software auf dem aktuellen Stand ist und keine bekannte Sicherheitslücken mehr aufweist. --------------------------------------------- https://www.borncity.com/blog/2023/02/25/windows-microsoft-liefert-curl-bib… ∗∗∗ WAGO: Multiple vulnerabilities in web-based management of multiple products ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-060/ ∗∗∗ Advisory: Vulnerable TigerVNC Version used in B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16769091… ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ IBM MQ for HPE NonStop Server is affected by channel CCDT vulnerability CVE-2022-40237 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958136 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958146 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service in Pypa Setuptools (CVE-2022-40897) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958142 ∗∗∗ IBM Security Verify Bridge (windows and docker versions) affected by a denial of service issue in Go (CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958156 ∗∗∗ Certifi package as used by IBM QRadar User Behavior Analytics is vulnerable to improper certificate validation (CVE-2022-23491) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958452 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958458 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2022-38712) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958478 ∗∗∗ A security vulnerability ( CVE-2022-3509, CVE-2022-3171 ) has been identified in IBM WebSphere Application Server Liberty shipped with IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958474 ∗∗∗ FasterXML-jackson-databinds vulnerabilities affect IBM Operations Analytics Predictive Insights (CVE-2022-42004,CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958482 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955937 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server traditional shipped with IBM Operations Analytics Predictive Insights (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958476 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958484 ∗∗∗ Multiple vulnerabilities in IBM SDK, Java Technology Edition affect IBM Operations Analytics Predictive Insights ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958486 ∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2177, CVE-2016-2178). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697949 ∗∗∗ IBM b-type SAN switches and directors affected by Open Source OpenSSL Vulnerabilities (CVE-2016-2180). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697951 ∗∗∗ IBM b-type SAN switches and directors affected by OpenSSL Security Advisory [22 Sep 2016] and [26 Sep 2016]. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697953 ∗∗∗ IBM b-type SAN switches and directors affected by XSS vulnerabilities CVE-2017-6225. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650695 ∗∗∗ IBM b-type SAN Network\/Storage switches is affected by a denial of service vulnerability, caused by a CPU consumption in the IPv6 stack (CVE-2017-6227). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/650699 ∗∗∗ IBM b-type SAN directors and switches is affected by privilege escalation vulnerability (CVE-2016-8202). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697803 ∗∗∗ Vulnerabilities in OpenSSL affect IBM b-type SAN switches and directors (CVE-2016-2108) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/697943 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2023
by Daily end-of-shift report 24 Feb '23

24 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-02-2023 18:00 − Freitag 24-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Vorsicht: ChatGPT-Scams nehmen stark zu ∗∗∗ --------------------------------------------- Im Internet gibt es viele Seiten, die vorgeben, der intelligente Chatbot zu sein. In Wahrheit verbreiten sie Schadsoftware. --------------------------------------------- https://futurezone.at/produkte/chatgpt-scam-malware-apps-android-chatbot-vo… ∗∗∗ KI: Journalist überlistet Bank mit künstlicher Intelligenz ∗∗∗ --------------------------------------------- Einem Journalisten ist es gelungen, die Stimmauthentifizierung einer Bank mit KI zu umgehen. Das könnten auch Betrüger. --------------------------------------------- https://www.golem.de/news/ki-journalist-ueberlistet-bank-mit-kuenstlicher-i… ∗∗∗ Privatsphäre: Chrome-Extensions können noch immer eine Menge anrichten ∗∗∗ --------------------------------------------- Eine Analyse zeigt, was sich trotz Googles Chrome Extension Manifest V3 alles ausspähen lässt, wenn Nutzer bei der Installation nicht vorsichtig sind. --------------------------------------------- https://www.golem.de/news/privatsphaere-chrome-extensions-koennen-noch-imme… ∗∗∗ The code that wasn’t there: Reading memory on an Android device by accident ∗∗∗ --------------------------------------------- CVE-2022-25664, a vulnerability in the Qualcomm Adreno GPU, can be used to leak large amounts of information to a malicious Android application. Learn more about how the vulnerability can be used to leak information in both the user space and kernel space level of pages, and how the GitHub Security Lab used the kernel space information leak to construct a KASLR bypass. --------------------------------------------- https://github.blog/2023-02-23-the-code-that-wasnt-there-reading-memory-on-… ∗∗∗ In Final Cut & Co: Warnung vor Cryptojacking durch gecrackte Mac-Apps ∗∗∗ --------------------------------------------- Malware für Cryptomining wird über gecrackte Mac-Apps verbreitet und verbirgt sich dabei immer besser, warnen Sicherheitsforscher. Apple reagiert. --------------------------------------------- https://heise.de/-7527273 ∗∗∗ Update on the Exchange Server Antivirus Exclusions ∗∗∗ --------------------------------------------- For years we have been saying how running antivirus (AV) software on your Exchange Servers can enhance the security and health of your Exchange organization. We’ve also said that if you are deploying file-level scanners on Exchange servers, make sure that the appropriate exclusions, such as directory exclusions, process exclusions, and file name extension exclusions, are in place for both scheduled and real-time scanning. But times have changed, and so has the cybersecurity landscape. --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/update-on-the-exc… ∗∗∗ Investigating the PlugX Trojan Disguised as a Legitimate Windows Debugger Tool ∗∗∗ --------------------------------------------- Trend Micro’s Managed Extended Detection and Response (MxDR) team discovered that a file called x32dbg.exe was used to sideload a malicious DLL we identified as a variant of PlugX. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/investigating-the-plugx-troj… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco stopft teils hochriskante Schwachstellen ∗∗∗ --------------------------------------------- Für mehrere Produkte stellt Netzwerkausrüster Cisco Sicherheitsupdates bereit. Sie schließen teils als hohe Bedrohung eingestufte Schwachstellen. --------------------------------------------- https://heise.de/-7526208 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (binwalk, chromium, curl, emacs, frr, git, libgit2, and tiff), Fedora (qt5-qtbase), SUSE (c-ares, kernel, openssl-1_1-livepatches, pesign, poppler, rubygem-activerecord-5_1, and webkit2gtk3), and Ubuntu (linux-aws). --------------------------------------------- https://lwn.net/Articles/924358/ ∗∗∗ Ineffective Cross Site Request Forgery (CSRF) protection in IBM Business Process Manager (BPM) (CVE-2017-1769) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/301273 ∗∗∗ IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to information disclosure (CVE-2022-43923) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957654 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958016 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958024 ∗∗∗ A vulnerability in Node.js affects IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-21681, CVE-2022-21680) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958016 ∗∗∗ Vulnerabilities found within Apache Storm that is used by IBM Tivoli Network Manager (ITNM) IP Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958056 ∗∗∗ Security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for Febuary 2023 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958062 ∗∗∗ Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server affect IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958064 ∗∗∗ CVE-2022-32149 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958066 ∗∗∗ CVE-2022-32149 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958072 ∗∗∗ Multiple vulnerabilities in Go may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958068 ∗∗∗ CVE-2022-3676 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958086 ∗∗∗ CVE-2022-3676 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958074 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855111 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955929 ∗∗∗ CVE-2022-37734 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958076 ∗∗∗ CVE-2022-37734 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958084 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in LibTIFF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955937 ∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958080 ∗∗∗ CVE-2018-1099, CVE-2018-1098 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6958082 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by a vulnerability in JSON Web Token ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955935 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957710 ∗∗∗ Multiple vulnerabilities in IBM Semeru Runtime affect z/Transaction Processing Facility ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957822 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2023
by Daily end-of-shift report 23 Feb '23

23 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-02-2023 18:00 − Donnerstag 23-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New S1deload Stealer malware hijacks Youtube, Facebook accounts ∗∗∗ --------------------------------------------- An ongoing malware campaign targets YouTube and Facebook users, infecting their computers with a new information stealer that will hijack their social media accounts and use their devices to mine for cryptocurrency. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-s1deload-stealer-malware… ∗∗∗ Python Developers Warned of Trojanized PyPI Packages Mimicking Popular Libraries ∗∗∗ --------------------------------------------- Cybersecurity researchers are warning of "imposter packages" mimicking popular libraries available on the Python Package Index (PyPI) repository. The 41 malicious PyPI packages have been found to pose as typosquatted variants of legitimate modules such as HTTP, AIOHTTP, requests, urllib, and urllib3. --------------------------------------------- https://thehackernews.com/2023/02/python-developers-warned-of-trojanized.ht… ∗∗∗ Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products ∗∗∗ --------------------------------------------- Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. --------------------------------------------- https://thehackernews.com/2023/02/experts-sound-alarm-over-growing.html ∗∗∗ OffSec Tools ∗∗∗ --------------------------------------------- This repository is intended for pentesters and red teamers using a variety of offensive security tools during their assessments. The repository is a collection of useful tools suitable for assessments in internal environments. --------------------------------------------- https://github.com/Syslifters/offsec-tools ∗∗∗ Technical Analysis of BlackBasta Ransomware 2.0 ∗∗∗ --------------------------------------------- Zscaler ThreatLabz has been tracking prominent ransomware families and their tactics, techniques and procedures (TTPs) including the BlackBasta ransomware family. On November 16, 2022, ThreatLabz identified new samples of the BlackBasta ransomware that had significantly lower antivirus detection rates. --------------------------------------------- https://www.zscaler.com/blogs/security-research/back-black-basta ∗∗∗ Users looking for ChatGPT apps get malware instead ∗∗∗ --------------------------------------------- The massive popularity of OpenAI’s chatbot ChatGPT has not gone unnoticed by cyber criminals: they are exploiting the public’s eagerness to experiment with it to trick users into downloading Windows and Android malware and visit phishing pages. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/23/chatgpt-windows-android/ ∗∗∗ Stealthy Mac Malware Delivered via Pirated Apps ∗∗∗ --------------------------------------------- Cybercriminals are delivering stealthy cryptojacking malware to Macs using pirated apps and they could use the same method for other malware. --------------------------------------------- https://www.securityweek.com/stealthy-mac-malware-delivered-via-pirated-app… ∗∗∗ Anti-Forensic Techniques Used By Lazarus Group ∗∗∗ --------------------------------------------- Since approximately a year ago, the Lazarus group’s malware has been discovered in various Korean companies related to national defense, satellites, software, and media press. The AhnLab ASEC analysis team has been continuously tracking the Lazarus threat group’s activities and other related TTPs. Among the recent cases, this post aims to share the anti-forensic traces and details found in the systems that were infiltrated by the Lazarus group. --------------------------------------------- https://asec.ahnlab.com/en/48223/ ∗∗∗ ChromeLoader Disguised as Illegal Game Programs Being Distributed ∗∗∗ --------------------------------------------- Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution. These have been covered several times in previous ASEC blog posts. This post will cover a recent discovery of ChromeLoader being distributed using VHD files. --------------------------------------------- https://asec.ahnlab.com/en/48211/ ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: EIP Stack Group OpENer open to two remote code execution vulnerabilities ∗∗∗ --------------------------------------------- Two of the vulnerabilities are considered to be considered of critical importance, with a CVSS score of a maximum 10 out of 10. --------------------------------------------- https://blog.talosintelligence.com/vuln-spotlight-eip-stack-group-feb-2023/ ∗∗∗ BIOS-Sicherheitsupdates: HP-Computer für Schadcode-Attacken anfällig ∗∗∗ --------------------------------------------- In aktualisierten BIOS-Versionen für HP-Computer haben die Entwickler mehrere Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7524562 ∗∗∗ Firewall-Distribution: pfSense 23.01 schließt Sicherheitslücken ∗∗∗ --------------------------------------------- In der Firewall-Distribution pfSense 23.01 haben die Entwickler mehrere Sicherheitslücken geschlossen. Die Basis haben sie auch auf aktuellen Stand gehievt. --------------------------------------------- https://heise.de/-7525432 ∗∗∗ Wordfence Intelligence CE Weekly Vulnerability Report (Feb 13, 2023 to Feb 19, 2023) ∗∗∗ --------------------------------------------- Last week, there were 104 vulnerabilities disclosed in WordPress based software that have been added to the Wordfence Intelligence Community Edition Vulnerability Database. You can find those vulnerabilities below. --------------------------------------------- https://www.wordfence.com/blog/2023/02/wordfence-intelligence-ce-weekly-vul… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (asterisk, git, mariadb-10.3, node-url-parse, python-cryptography, and sofia-sip), Fedora (c-ares, golang-github-need-being-tree, golang-helm-3, golang-oras, golang-oras-1, and golang-oras-2), Oracle (httpd:2.4, kernel, php:8.0, python-setuptools, python3, samba, systemd, tar, and webkit2gtk3), Red Hat (webkit2gtk3), SUSE (phpMyAdmin, poppler, and postgresql12), and Ubuntu (dcmtk and linux-hwe). --------------------------------------------- https://lwn.net/Articles/924236/ ∗∗∗ Case update: DIVD-2022-00052 - Multiple vulnerabilities is Cloudflow software ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00052/ ∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager HA GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957680 ∗∗∗ Vulnerability in sqlite affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957708 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957710 ∗∗∗ Vulnerability in moment-timezone affects IBM VM Recovery Manager HA GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957714 ∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957754 ∗∗∗ CVE-2022-3509, CVE-2022-3171 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957758 ∗∗∗ CVE-2022-3509 and CVE-2022-3171 may affect IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957764 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2023
by Daily end-of-shift report 22 Feb '23

22 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-02-2023 18:00 − Mittwoch 22-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Warnung vor Angriffen auf IBM Aspera Faspex und Mitel MiVoice ∗∗∗ --------------------------------------------- Die US-IT-Sicherheitsbehörde CISA warnt davor, dass Cyberkriminelle Sicherheitslücken in IBM Aspera Faspex und Mitel MiVoice angreifen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7523870 ∗∗∗ Jetzt patchen! Exploit-Code für kritische Fortinet FortiNAC-Lücke in Umlauf ∗∗∗ --------------------------------------------- Da Exploit-Code veröffentlicht wurde, könnten Angreifer Fortinets Netzwerk-Zugangskontrolllösung FortiNAC ins Visier nehmen. --------------------------------------------- https://heise.de/-7523427 ∗∗∗ Fake Give-Aways und Geschenkaktionen im Namen von ‚MrBeast‘! ∗∗∗ --------------------------------------------- Wer sich regelmäßig YouTube-Videos ansieht, kommt kaum an MrBeast vorbei. Der Youtuber mit über 134 Millionen Abonnent:innen ist für seine Give-Away-Videos bekannt, bei denen er Tausende oder gar Millionen von Dollar verschenkt. Diesen Ruf machen sich auch Kriminelle zunutze, indem sie betrügerische Gewinnversprechen und Geschenkaktionen im Namen von MrBeast verbreiten. --------------------------------------------- https://www.watchlist-internet.at/news/fake-give-aways-und-geschenkaktionen… ∗∗∗ Hydrochasma hackers target medical research labs, shipping firms ∗∗∗ --------------------------------------------- A previously unknown threat actor named Hydrochasma has been targeting shipping and medical laboratories involved in COVID-19 vaccine development and treatments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hydrochasma-hackers-target-m… ∗∗∗ WhatsApp ignoriert seit Jahren ein Sicherheitsproblem, das alle betrifft ∗∗∗ --------------------------------------------- Fremde können das eigene Profil übernehmen und sich für euch ausgeben - ganz ohne Hacking oder Phishing. --------------------------------------------- https://futurezone.at/apps/whatsapp-sicherheit-problem-konto-telefonnummer-… ∗∗∗ Attackers Abuse Cron Jobs to Reinfect Websites ∗∗∗ --------------------------------------------- Malicious cron jobs are nothing new; we’ve seen attackers use them quite frequently to reinfect websites. However, in recent months we’ve noticed a distinctive new wave of these infections that appears to be closely related to this article about a backdoor that we’ve been tracking. --------------------------------------------- https://blog.sucuri.net/2023/02/attackers-abuse-cron-jobs-to-reinfect-websi… ∗∗∗ Threat Actors Adopt Havoc Framework for Post-Exploitation in Targeted Attacks ∗∗∗ --------------------------------------------- An open source command-and-control (C2) framework known as Havoc is being adopted by threat actors as an alternative to other well-known legitimate toolkits like Cobalt Strike, Sliver, and Brute Ratel. Cybersecurity firm Zscaler said it observed a new campaign in the beginning of January 2023 targeting an unnamed government organization that utilized Havoc. --------------------------------------------- https://thehackernews.com/2023/02/threat-actors-adopt-havoc-framework-for.h… ∗∗∗ Lets build a Chrome extension that steals everything ∗∗∗ --------------------------------------------- Manifest v3 may have taken some of the juice out of browser extensions, but I think there is still plenty left in the tank. To prove it, let’s build a Chrome extension that steals as much data as possible. --------------------------------------------- https://mattfrisbie.substack.com/p/spy-chrome-extension ∗∗∗ How NPM Packages Were Used to Spread Phishing Links ∗∗∗ --------------------------------------------- [...] On Monday, 20th of February, Checkmarx Labs discovered an anomaly in the NPM ecosystem when we cross-referenced new information with our databases. Clusters of packages had been published in large quantities to the NPM package manager. Further investigation revealed that the packages were part of a trending new attack vector, with attackers spamming the open-source ecosystem with packages containing links to phishing campaigns. --------------------------------------------- https://checkmarx.com/blog/how-npm-packages-were-used-to-spread-phishing-li… ∗∗∗ Android voice chat app with 5m installs leaked user chats ∗∗∗ --------------------------------------------- The voice chat app under discussion is OyeTalk, which is available for Android and iOS devices and is operated from Pakistan. --------------------------------------------- https://www.hackread.com/android-voice-chat-app-data-leak/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: VMware dichtet kritisches Sicherheitsleck ab ∗∗∗ --------------------------------------------- VMware schließt mit Updates für Carbon Black App Control und vRealize sowie Cloud Foundation eine kritische und eine hochriskante Schwachstelle. --------------------------------------------- https://heise.de/-7523335 ∗∗∗ Foxit PDF-Updates dichten hochriskante Schwachstellen ab ∗∗∗ --------------------------------------------- In der PDF-Software Foxit klafften Sicherheitslücken, durch die Angreifer etwa mit manipulierten PDF-Dateien Schadcode einschleusen und ausführen hätten können. --------------------------------------------- https://heise.de/-7523313 ∗∗∗ Multiple vulnerabilities in Nokia BTS Airscale ASIKA [PDF] ∗∗∗ --------------------------------------------- Synacktiv performed an audit on the base transceiver station Nokia Airscale ASIKA, running the firmware version btsmed_5G19B_GNB_0007_001836_000863, and discovered multiple vulnerabilities. --------------------------------------------- https://www.synacktiv.com/sites/default/files/2023-02/Synacktiv-Nokia-BTS-A… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (amanda, apr-util, and tiff), Fedora (apptainer, git, gssntlmssp, OpenImageIO, openssl, webkit2gtk3, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (firefox and thunderbird), Red Hat (python3), SUSE (gnutls, php7, and python-Django), and Ubuntu (chromium-browser, libxpm, and mariadb-10.3, mariadb-10.6). --------------------------------------------- https://lwn.net/Articles/924070/ ∗∗∗ Synology-SA-23:01 ClamAV ∗∗∗ --------------------------------------------- Multiple vulnerabilities allow remote attackers to possibly execute arbitrary code or local users to obtain sensitive information via a susceptible version of Antivirus Essential, Synology Mail Server, and Synology MailPlus Server. --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_23_01 ∗∗∗ IBM Security Bulletins 2023-02-22 ∗∗∗ --------------------------------------------- * A vulnerability in IBM Java affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * A vulnerability in the GUI affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * BM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43578) * IBM Sterling Global Mailbox is vulnerable to arbitrary code execution due to Apache Commons Collections [CVE-2015-6420, CVE-2017-15708] * IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a remote code execution vulnerability (CVE-2023-23477) * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * SNMPv3 server credentials are exposed in log files in IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities in jsonwebtoken affects IBM Watson Assistant for IBM Cloud Pak for Data * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Plus (CVE-2019-11777) * Vulnerability in Log4j affects IBM Integrated Analytics System [CVE-2022-23305] --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Cisco Nexus 9000 Series Fabric Switches in ACI Mode Link Layer Discovery Protocol Memory Leak Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco FXOS Software and UCS Manager Software Configuration Backup Static Key Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco NX-OS Software SSH X.509v3 Certificate Authentication with Unsupported Remote Authorization Method Privilege Escalation Issues ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco NX-OS Software CLI Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Firepower 4100 Series, Firepower 9300 Security Appliances, and UCS Fabric Interconnects Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus 9300-FX3 Series Fabric Extender for UCS Fabric Interconnects Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Application Policy Infrastructure Controller and Cisco Cloud Network Controller Cross-Site Request Forgery Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 6.0.0: SC-202302.2 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-06 ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0 to 5.23.1: SC-202302.3 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2023
by Daily end-of-shift report 21 Feb '23

21 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 20-02-2023 18:00 − Dienstag 21-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Kriminalität: Ransomware will Versicherungspolice ∗∗∗ --------------------------------------------- Die Ransomware Hardbit 2.0 verlangt die Versicherungspolice der Unternehmen, um die Lösegeldforderung anzupassen. Nicht ungefährlich für die Betroffenen. --------------------------------------------- https://www.golem.de/news/kriminalitaet-ransomware-will-versicherungspolice… ∗∗∗ Researchers Discover Dozens Samples of Information Stealer Stealc in the Wild ∗∗∗ --------------------------------------------- A new information stealer called Stealc thats being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report. --------------------------------------------- https://thehackernews.com/2023/02/researchers-discover-dozens-samples-of.ht… ∗∗∗ Fortinet FortiNAC CVE-2022-39952 Deep-Dive and IOCs ∗∗∗ --------------------------------------------- On Thursday, 16 February 2022, Fortinet released a PSIRT that details CVE-2022-39952, a critical vulnerability affecting its FortiNAC product. This vulnerability, discovered by Gwendal Guégniaud of Fortinet, allows an unauthenticated attacker to write arbitrary files on the system and as a result obtain remote code execution in the context of the root user. --------------------------------------------- https://www.horizon3.ai/fortinet-fortinac-cve-2022-39952-deep-dive-and-iocs/ ∗∗∗ A Deep Dive Into a PoshC2 Implant ∗∗∗ --------------------------------------------- PoshC2 is an open-source C2 framework used by penetration testers and threat actors. It can generate a Powershell-based implant, a C#.NET implant that we analyze in this paper, and a Python3 implant. --------------------------------------------- https://resources.securityscorecard.com/research/poshc2-implant ∗∗∗ ClamAV Critical Patch Review ∗∗∗ --------------------------------------------- The description of those bugs got our attention since we have format handlers in unblob for both DMG and HFS+. We therefore decided to spend some time trying to understand them and learn if we may be affected by similar bugs. --------------------------------------------- https://onekey.com/blog/clamav-critical-patch-review/ ∗∗∗ OWASP Kubernetes Top 10 ∗∗∗ --------------------------------------------- The OWASP Kubernetes Top 10 is aimed at helping security practitioners, system administrators, and software developers prioritize risks around the Kubernetes ecosystem. The Top 10 is a prioritized list of common risks backed by data collected from organizations varying in maturity and complexity. --------------------------------------------- https://sysdig.com/blog/top-owasp-kubernetes/ ∗∗∗ iOS 16.3 und 16.3.1: Apple räumt weitere schwere Lücken ein ∗∗∗ --------------------------------------------- Apple neigt seit längerem dazu, nicht alle gestopften Löcher in seinen Betriebssystemen sofort zu kommunizieren. Nun wurden Infos zu iOS 16.3 nachgereicht. --------------------------------------------- https://heise.de/-7522282 ∗∗∗ What can we learn from the latest Coinbase cyberattack? ∗∗∗ --------------------------------------------- Cryptocurrency exchange Coinbase has fended off a cyberattack that might have been mounted by the same attackers that targeted Twillio, Cloudflare and many other companies last year. --------------------------------------------- https://www.helpnetsecurity.com/2023/02/21/coinbase-cyberattack/ ∗∗∗ Keine Pellets auf ferberpainting.de bestellen! ∗∗∗ --------------------------------------------- Auf der Suche nach Pellets für die Beheizung des Eigenheims stoßen aktuell zahlreiche Personen auf ferberpainting.de bzw. ferberpainting.com. Für 199,90 Euro werden dort 40 Säcke mit 25 KG Pellets abgebildet und angeboten. Wer hier bestellt erlebt eine böse Überraschung, denn geliefert werden 40 leere Säcke. --------------------------------------------- https://www.watchlist-internet.at/news/keine-pellets-auf-ferberpaintingde-b… ∗∗∗ Ihre Bank ruft an? Es könnte sich um Betrug handeln! ∗∗∗ --------------------------------------------- Sie erhalten einen Anruf. Angeblich eine Mitarbeiterin Ihrer Bank. Die Anruferin erklärt, dass sie ungewöhnliche Abbuchungen von Ihrem Konto festgestellt hat. Sie hilft Ihnen dabei, das Geld zurückzubekommen und Ihr Konto zu schützen. Vorsicht: Es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/ihre-bank-ruft-an-es-koennte-sich-um… ∗∗∗ HWP Malware Using the Steganography Technique: RedEyes (ScarCruft) ∗∗∗ --------------------------------------------- In January, the ASEC (AhnLab Security Emergency response Center) analysis team discovered that the RedEyes threat group (also known as APT37, ScarCruft) had been distributing malware by exploiting the HWP EPS (Encapsulated PostScript) vulnerability (CVE-2017-8291). This report will share the RedEyes group’s latest activity in Korea. --------------------------------------------- https://asec.ahnlab.com/en/48063/ ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0004 ∗∗∗ --------------------------------------------- CVSSv3 Range: 9.1 CVE(s): CVE-2023-20858 Synopsis: VMware Carbon Black App Control updates address an injection vulnerability (CVE-2023-20858) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0004.html ∗∗∗ VMSA-2023-0005 ∗∗∗ --------------------------------------------- CVSSv3 Range: 8.8 CVE(s): CVE-2023-20855 Synopsis: VMware vRealize Orchestrator update addresses an XML External Entity (XXE) vulnerability (CVE-2023-20855) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0005.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (libksba, thunderbird, and tigervnc and xorg-x11-server), Debian (clamav, nss, python-django, and sox), Fedora (kernel and thunderbird), Mageia (curl, firefox, nodejs-qs, qtbase5, thunderbird, upx, and webkit2), Red Hat (httpd:2.4, kernel, kernel-rt, kpatch-patch, pcs, php:8.0, python-setuptools, Red Hat build of Cryostat, Red Hat Virtualization Host 4.4.z SP 1, samba, systemd, tar, and thunderbird), Scientific Linux (firefox and thunderbird), and SUSE (clamav, firefox, jhead, mozilla-nss, prometheus-ha_cluster_exporter, tar, and ucode-intel). --------------------------------------------- https://lwn.net/Articles/923942/ ∗∗∗ TYPO3-EXT-SA-2023-002: Persisted Cross-Site Scripting in extension "Forms Export" (frp_form_answers) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2023-002 ∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-052-01 ∗∗∗ IBM FlashSystem 710, 720, 810, and 820 systems and RamSan 710, 720, 810, and 820 systems are not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)\nFlash ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690011 ∗∗∗ Six (6) Vulnerabilities in Network Security Services (NSS) & Netscape Portable Runtime (NSPR) affect IBM FlashSystem and TMS RAMSAN 710, 720, 810, and 820 systems (CVE-2013-1740, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-154 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690125 ∗∗∗ Two (2) Vulnerabilities in glibc affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems (CVE-2014-5119 and CVE-2014-0475) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690127 ∗∗∗ Sixteen (16) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690129 ∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690131 ∗∗∗ Four (4) Vulnerabilities in OpenSSL affect IBM FlashSystem (and TMS RAMSAN) 710, 720, 810, and 820 systems ( CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, and CVE-2014-3568) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/690149 ∗∗∗ IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-25928) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956598 ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6328143 ∗∗∗ IBM Db2 is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953755 ∗∗∗ IBM MQ is affected by multiple vulnerabilities in IBM Runtime Environment Java Technology Edition, Version 8 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957066 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to JSON5 code execution (CVE-2022-46175) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6957134 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.02.2023
by Daily end-of-shift report 20 Feb '23

20 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-02-2023 18:00 − Montag 20-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ CISA warnt: Mögliche System-Kompromittierung durch Lücken in Thunderbird ∗∗∗ --------------------------------------------- Die Version 102.8 von Thunderbird schließt Schwachstellen, durch die Angreifer die Kontrolle über ein System erlangen könnten. Davor warnt die CISA. --------------------------------------------- https://heise.de/-7521002 ∗∗∗ Microsoft-Updates: Nebenwirkungen für VMware und Windows Server 2022 ∗∗∗ --------------------------------------------- Die Februar-Updates zum Microsoft-Patchdays haben ungewollte Nebenwirkungen. Sie betreffen Windows Server 2022 unter VMware und die Windows-11-Updateverteilung. --------------------------------------------- https://heise.de/-7521199 ∗∗∗ Nach Cyber-Einbruch: Angreifer leiten GoDaddy-Webseiten um ∗∗∗ --------------------------------------------- Beim Webhoster GoDaddy konnten Angreifer Anfang Dezember 2022 Schadcode einschleusen, der dort gehostete Webseiten auf Malware-Seiten umleitete. --------------------------------------------- https://heise.de/-7521325 ∗∗∗ Achtung: Finanzamt schickt kein SMS ∗∗∗ --------------------------------------------- Kriminelle versenden im Namen des Finanzamtes gefälschte Nachrichten. Im SMS wird behauptet, dass Sie einen Betrag von € 286, 93 erhalten. Um das Geld zu bekommen, müssen Sie sich verifizieren und auf einen Link klicken. Klicken Sie nicht auf den Link, Sie landen auf einer Phishing-Seite. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-finanzamt-schickt-kein-sms/ ∗∗∗ New WhiskerSpy malware delivered via trojanized codec installer ∗∗∗ --------------------------------------------- Security researchers have discovered a new backdoor called WhiskerSpy used in a campaign from a relatively new advanced threat actor tracked as Earth Kitsune, known for targeting individuals showing an interest in North Korea. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-whiskerspy-malware-deliv… ∗∗∗ OneNote Suricata Rules, (Sun, Feb 19th) ∗∗∗ --------------------------------------------- I end my diary entry "Detecting (Malicious) OneNote Files" with a set of Suricata rules to detect various OneNote files. --------------------------------------------- https://isc.sans.edu/diary/rss/29564 ∗∗∗ The Dangers of Installing Nulled WordPress Themes and Plugins ∗∗∗ --------------------------------------------- Nulled WordPress themes and plugins are a controversial topic for many in the web development world - and arguably one of the bigger threats to WordPress security. Essentially modified versions of official WordPress themes and plugins with their licensing restrictions removed, these nulled software copies are often touted as premium functionality packaged in a free download. --------------------------------------------- https://blog.sucuri.net/2023/02/the-dangers-of-installing-nulled-wordpress-… ∗∗∗ NimPlant - A light first-stage C2 implant written in Nim and Python ∗∗∗ --------------------------------------------- NimPlant was developed as a learning project and released to the public for transparency and educational purposes. For a large part, it makes no effort to hide its intentions. Additionally, protections have been put in place to prevent abuse. In other words, do NOT use NimPlant in production engagements as-is without thorough source code review and modifications! --------------------------------------------- https://github.com/chvancooten/NimPlant ∗∗∗ Finding forensics breadcrumbs in Android image storage ∗∗∗ --------------------------------------------- [...] In this post I’ll be talking about image scanning apps, and how to reverse engineer them to pinpoint user activity and tie a user to a particular image’s creation from a source file e.g. pages from a PDF. --------------------------------------------- https://www.pentestpartners.com/security-blog/finding-forensics-breadcrumbs… ∗∗∗ Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers ∗∗∗ --------------------------------------------- Ransomware actors have been observed to expand their targets by increasingly developing Linux-based versions. Royal ransomware is following in the same path, a new variant targeting Linux systems emerged and we will provide a technical analysis on this variant in this blog. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-att… ∗∗∗ QR code generator My QR Code leaks users’ login data and addresses ∗∗∗ --------------------------------------------- My QR Code was informed about the leak almost two weeks ago, yet it failed to respond or secure its server. --------------------------------------------- https://www.hackread.com/qr-code-generator-my-qr-code-data-leak/ ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Fortinet schließt 40 Sicherheitslücken, PoC-Exploit angekündigt ∗∗∗ --------------------------------------------- Fortinet hat im Februar Updates für diverse Produkte veröffentlicht, die insgesamt 40 Sicherheitslücken schließen. Davon gelten zwei als kritisch. --------------------------------------------- https://heise.de/-7520937 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (c-ares, gnutls28, golang-github-opencontainers-selinux, isc-dhcp, nss, openssl, snort, and thunderbird), Fedora (clamav, curl, phpMyAdmin, thunderbird, vim, webkitgtk, and xen), Red Hat (firefox), Slackware (kernel), SUSE (apache2-mod_security2, gssntlmssp, postgresql-jdbc, postgresql12, and timescaledb), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/923803/ ∗∗∗ Newly Disclosed Vulnerability Exposes EOL Arris Routers to Attacks ∗∗∗ --------------------------------------------- Malwarebytes warns of a remote code execution vulnerability impacting Arris G2482A, TG2492, and SBG10 routers, which have reached end-of-life (EOL). --------------------------------------------- https://www.securityweek.com/newly-disclosed-vulnerability-exposes-eol-arri… ∗∗∗ Critical SQL injection vulnerabilities in MISP (fixed in v2.4.166 and v2.4.167) ∗∗∗ --------------------------------------------- As of the past 2 months, we’ve received two separate reports of two unrelated SQLi vector vulnerabilities in MISP that can lead to any authenticated user being able to execute arbitrary SQL queries in MISP. --------------------------------------------- https://www.misp-project.org/2023/02/20/Critical_SQL_Injection_Vulnerabilit… ∗∗∗ IBM Security Bulletins 2023-02-20 ∗∗∗ --------------------------------------------- Flash Storage->RamSan-710, Flash Storage->RamSan-720, Flash Storage->RamSan-810, Flash Storage->RamSan-820, IBM Cloud Object Storage System, IBM Cloud Pak for Applications, IBM FlashSystem 720, IBM FlashSystem 900, IBM Multi-Enterprise Integration Gateway, IBM Multi-Enterprise Integration Gateway, IBM Power E1050 (9043-MRX), IBM Power L1022 (9786-22H), IBM Power L1024 (9786-42H), IBM Power S1014 (9105-41B), IBM Power S1022 (9105-22A), IBM Power S1022s (9105-22B), IBM Power S1024 (9105-42A), IBM WebSphere Hybrid Edition, Tivoli System Automation Application Manager --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2023
by Daily end-of-shift report 17 Feb '23

17 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 16-02-2023 18:00 − Freitag 17-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Mirai Botnet Variant V3G4 Exploiting 13 Flaws to Target Linux and IoT Devices ∗∗∗ --------------------------------------------- A new variant of the notorious Mirai botnet has been found leveraging several security vulnerabilities to propagate itself to Linux and IoT devices. Observed during the second half of 2022, the new version has been dubbed V3G4 by Palo Alto Networks Unit 42, which identified three different campaigns likely conducted by the same threat actor. --------------------------------------------- https://thehackernews.com/2023/02/new-mirai-botnet-variant-v3g4.html ∗∗∗ Massenhaft SMS im Namen des Finanzamts im Umlauf ∗∗∗ --------------------------------------------- Wir erhalten derzeit zahlreiche Meldungen zu einer SMS, die im Namen des Finanzamtes versendet wird. Angeblich besteht eine offene Forderung, die trotz mehrfacher Mahnungen nicht beglichen wurde. Bei Nichtzahlung bis zum 18. Februar drohe der Gerichtsvollzieher und die Pfändung. Lassen Sie sich nicht unter Druck setzen. Es handelt sich um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/massenhaft-sms-im-namen-des-finanzam… ∗∗∗ Kritische Sicherheitslücken in ClamAV - Updates verfügbar ∗∗∗ --------------------------------------------- 17. Februar 2023 Beschreibung Zwei kritische Schwachstellen in ClamAV erlauben es unauthentisierten Angreifenden, beliebigen Code auszuführen. CVE-Nummer(n): CVE-2023-20032, CVE-2023-20052 Auswirkungen Die Lücken in ClamAV können durch präparierte HFS+ bzw. DMG Images ausgelöst werden. Da ClamAV oft als Virenscanner in Mailservern eingesetzt wird, können durch den Versand entsprechender Files per Email verwundbare Installationen kompromittiert werden. [...] --------------------------------------------- https://cert.at/de/warnungen/2023/2/kritische-sicherheitslucken-in-clamav ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories ∗∗∗ --------------------------------------------- Secerity Critical: * FortiNAC - External Control of File Name or Path in keyUpload scriptlet * FortiWeb - Stack-based buffer overflows in Proxyd Severity High: 15 Advisories * FortiADC, FortiExtender, FortiNAC, FortiOS, FortiProxy, FortiSwitchManager, FortiWAN, FortiWeb Severity Medium/Low: 23 Advisories --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=02-2023 ∗∗∗ Node.js Thursday February 16 2023 Security Releases ∗∗∗ --------------------------------------------- * OpenSSL Security updates * Node.js Permissions policies can be bypassed via process.mainModule * Node.js OpenSSL error handling issues in nodejs crypto library * Fetch API in Node.js did not protect against CRLF injection in host headers * Regular Expression Denial of Service in Headers in Node.js fetch API * Node.js insecure loading of ICU data through ICU_DATA environment variable * npm update for Node.js 14 --------------------------------------------- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/ ∗∗∗ CISA Releases Fifteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- * Siemens Solid Edge * Siemens SCALANCE X-200 IRT * Siemens Brownfield Connectivity Client * Siemens Brownfield Connectivity Gateway * Siemens SiPass integrated AC5102/ACC-G2 and ACC-AP * Siemens Simcenter Femap * Siemens TIA Project Server * Siemens RUGGEDCOM APE1808 * Siemens SIMATIC Industrial Products * Siemens COMOS * Siemens Mendix * Siemens JT Open, JT Utilities, and Parasolid * Sub-IoT DASH 7 Alliance Protocol * Delta Electronic DIAEnergie (Update B) * BD Alaris Infusion Central --------------------------------------------- https://www.cisa.gov/uscert/ncas/current-activity/2023/02/16/cisa-releases-… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (firefox, phpMyAdmin, tpm2-tools, and tpm2-tss), Slackware (mozilla), SUSE (mozilla-nss, rubygem-actionpack-4_2, rubygem-actionpack-5_1, and tar), and Ubuntu (linux-azure and linux-hwe-5.19). --------------------------------------------- https://lwn.net/Articles/923644/ ∗∗∗ Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- * IBM Decision Optimization in IBM Cloud Pak for Data is vulnerable to jsonwebtoken CVEs * IBM FlashSystem 9100 family and IBM Storwize V7000 2076-724 (Gen3) systems are NOT affected by security vulnerabilities CVE-2018-12037 and CVE-2018-12038 * IBM MQ Operator and Queue Manager container images are vulnerable to vulnerabilities from libksba and sqlite (CVE-2022-47629 and CVE-2022-35737) * IBM Security Guardium Data Encryption is using Components with Known Vulnerabilities (CVE-2022-31129, CVE-2022-24785) * IBM Security Guardium is affected by a redshift-jdbc42-2.0.0.3.jar vulnerability (CVE-2022-41828) * IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] * Java vulnerabilities affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * LDAP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple Vulnerabilities in Multicloud Management Security Services * Multiple vulnerabilities found with third-party libraries used by IBM® MobileFirst Platform * Multiple vulnerabilities in Golang Go affect IBM Decision Optimization in IBM Cloud Pak for Data * Multiple vulnerabilities in IBM Java SDK affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Multiple vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Network Security (NSS) vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * OpenSLP vulnerability affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerabilities in IBM Java affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerabilities in IBM Java and Apache Tomcat affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerabilities in the Linux kernel affect IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products* Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776) * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2018-11784) * Vulnerability in DHCP affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5732) * Vulnerability in IBM Java SDK affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2019-2602) * Vulnerability in IP Quorum affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in OpenSLP affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ( CVE-2017-17833) * Vulnerability in OpenSSL affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products * Vulnerability in SSH protocols affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2008-5161) * Vulnerability in Service Assistant affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-1775) * Vulnerability in sed affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem V9000 products * Vulnerability in the Linux kernel affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-5391) * Vulnerability in zlib affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Atrocore 1.5.25 Shell Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020029 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2023
by Daily end-of-shift report 16 Feb '23

16 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 15-02-2023 18:00 − Donnerstag 16-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Emsisoft says hackers are spoofing its certs to breach networks ∗∗∗ --------------------------------------------- A hacker is using fake code-signing certificates impersonating cybersecurity firm Emsisoft to target customers using its security products, hoping to bypass their defenses. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emsisoft-says-hackers-are-sp… ∗∗∗ Hackers backdoor Microsoft IIS servers with new Frebniis malware ∗∗∗ --------------------------------------------- Hackers are deploying a new malware named Frebniss on Microsofts Internet Information Services (IIS) that stealthily executes commands sent via web requests. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-backdoor-microsoft-i… ∗∗∗ „Fake Customer Trick“: Kriminelle ergaunern hochwertige Produkte ∗∗∗ --------------------------------------------- Der Name des Halbleiterherstellers Infineon wird derzeit für kriminelle Zwecke missbraucht: Per Mail geben sich Betrüger:innen als Infineon-Mitarbeiter Marcus Schlenker aus und bekunden Interesse an einer Großbestellung. Für die Empfänger:innen klingt das nach einem unkomplizierten und schnellen Geschäft. Doch tatsächlich landen die versendeten Produkte in den Händen von Kriminellen, auf die Bezahlung warten die Opfer vergeblich. --------------------------------------------- https://www.watchlist-internet.at/news/fake-customer-trick-kriminelle-ergau… ∗∗∗ Malware Reverse Engineering for Beginners – Part 2 ∗∗∗ --------------------------------------------- Often, malware targeting Windows will be packed and delivered as a second stage. There are different ways to “deliver” malware to the endpoint. This blog will cover key concepts and examples regarding how malware is packed, obfuscated, delivered, and executed on the endpoint. --------------------------------------------- https://www.intezer.com/blog/incident-response/malware-reverse-engineering-… ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday bei Intel: Angreifer könnten Server über Root-Lücke attackieren ∗∗∗ --------------------------------------------- Intel hat für verschiedene Firm- und Software wichtige Sicherheitsupdates veröffentlicht. In vielen Fällen könnten sich Angreifer höhere Rechte verschaffen. --------------------------------------------- https://heise.de/-7517141 ∗∗∗ Jetzt patchen! Entwickler des CMS Joomla warnen vor kritischer Sicherheitslücke ∗∗∗ --------------------------------------------- Es ist ein "sehr wichtiger" Sicherheitspatch für Joomla erscheinen. --------------------------------------------- https://heise.de/-7517312 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (community-mysql, edk2, firefox, and git), Slackware (curl and git), SUSE (apache2-mod_security2, aws-efs-utils, bind, curl, git, ImageMagick, java-11-openjdk, java-17-openjdk, java-1_8_0-openjdk, kernel, libksba, and mozilla-nss), and Ubuntu (golang-golang-x-text, golang-x-text, linux-aws, linux-intel-iotg, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-hwe-5.4, linux linux-ibm-5.4, linux-oracle-5.4, linux-gke, linux-gke-5.15, nss, and xorg-server, xorg-server-hwe-16.04). --------------------------------------------- https://lwn.net/Articles/923503/ ∗∗∗ Splunk Enterprise Updates Patch High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Splunk updates for Enterprise products resolve multiple high-severity vulnerabilities, including several in third-party packages. --------------------------------------------- https://www.securityweek.com/splunk-enterprise-updates-patch-high-severity-… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.8 ∗∗∗ --------------------------------------------- CVE-2023-0616: User Interface lockup with messages combining S/MIME and OpenPGP CVE-2023-25728: Content security policy leak in violation reports using iframes CVE-2023-25730: Screen hijack via browser fullscreen mode CVE-2023-0767: Arbitrary memory write via PKCS 12 in NSS CVE-2023-25735: Potential use-after-free from compartment mismatch in SpiderMonkey CVE-2023-25737: Invalid downcast in SVGUtils::SetupStrokeGeometry CVE-2023-25738: Printing on Windows could potentially crash Thunderbird with some device drivers CVE-2023-25739: Use-after-free in mozilla::dom::ScriptLoadContext::~ScriptLoadContext CVE-2023-25746: Memory safety bugs fixed in Thunderbird 102.8 ... --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-07/ ∗∗∗ MISP 2.4.168 released with bugs fixed, security fixes and major improvements in STIX support. ∗∗∗ --------------------------------------------- We are pleased to announce the immediate availability of MISP v2.4.168 with bugs fixed and various security fixes. --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.168 ∗∗∗ ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ WAGO: Exposure of configuration interface in unmanaged switches ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-055/ ∗∗∗ IBM App Connect Enterprise is affected by a remote attacker due to the zip4j library [CVE-2023-22899] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955913 ∗∗∗ Multiple vulnerabilities in moment.js affect IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31129, CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852667 ∗∗∗ IBM Navigator for i is vulnerable to log file access, obtaining file attributes, and SQL Injection attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6850801 ∗∗∗ WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956223 ∗∗∗ Intel Ethernet controllers as used in IBM QRadar SIEM are vulnerable to a denial of service (CVE-2021-0197, CVE-2021-0198, CVE-2021-0199, CVE-2021-0200) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956287 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2023
by Daily end-of-shift report 15 Feb '23

15 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 14-02-2023 18:00 − Mittwoch 15-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Adobe Patchday: Schadcode-Attacken auf After Effects & Co. möglich ∗∗∗ --------------------------------------------- Adobe hat unter anderem für After Effects, InDesign und Photoshop Sicherheitsupdates veröffentlicht. --------------------------------------------- https://heise.de/-7496102 ∗∗∗ Bluetooth-Fehler in Android 13 kann Diabetiker gefährden ∗∗∗ --------------------------------------------- Ein Fehler in Android 13 kann die Kommunikation zwischen Blutzuckersensor und zugehöriger App stören. Dann warnt die App nicht vor gefährlicher Unterzuckerung. --------------------------------------------- https://heise.de/-7496644 ∗∗∗ Angreifer attackieren Microsoft 365 und Windows - Mehrere kritische Lücken ∗∗∗ --------------------------------------------- Es sind wichtige Sicherheitsupdates für unter anderem Azure, Exchange Server und Windows erschienen. Mehrere Lücken sind als "kritisch" eingestuft. --------------------------------------------- https://heise.de/-7496015 ∗∗∗ Abo-Falle beim Kauf von Handyhüllen auf puffcase-official.com ∗∗∗ --------------------------------------------- Wenn Sie auf der Suche nach einer Schutzhülle für Ihr Smartphone sind, nehmen Sie sich vor puffcase-official.com in Acht. Während die „Puffcases“ auf den ersten Blick günstig wirken und zu einem schnellen Kauf verleiten, stellt sich die Seite als Abo-Falle heraus. Davon erfahren Sie erst, wenn die neuerliche Abbuchung auf Ihrer Kreditkarte auftaucht. Bestellen Sie hier nicht! --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-beim-kauf-von-handyhuellen… ∗∗∗ NPM packages posing as speed testers install crypto miners instead ∗∗∗ --------------------------------------------- A new set of 16 malicious NPM packages are pretending to be internet speed testers but are, in reality, coinminers that hijack the compromised computers resources to mine cryptocurrency for the threat actors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-packages-posing-as-speed… ∗∗∗ Hyundai and Kia issue software upgrades to thwart killer TikTok car theft hack ∗∗∗ --------------------------------------------- Gone in 60 seconds using a USB-A plug and brute force instead of a key Korean car-makers Hyundai and Kia will issue software updates to some of their models after a method of stealing them circulated on TikTok, leading to many thefts and even some deaths. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/02/15/hyundai_kia_… ∗∗∗ PYbot DDoS Malware Being Distributed Disguised as a Discord Nitro Code Generator ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered Pybot DDoS being distributed with illegal software. The program used as bait by the threat actor is a token generator called Nitro Generator. Nitro is a paid Discord service with various benefits which can be seen below in Figure 1. Nitro Generator is a tool that generates codes that can be used for free access to Nitro. --------------------------------------------- https://asec.ahnlab.com/en/47789/ ∗∗∗ cURL audit: How a joke led to significant findings ∗∗∗ --------------------------------------------- In fall 2022, Trail of Bits audited cURL, a widely-used command-line utility that transfers data between a server and supports various protocols. [..] the fuzzer quickly uncovered memory corruption bugs, specifically use-after-free issues, double-free issues, and memory leaks. Because the bugs are in libcurl, a cURL development library, they have the potential to affect the many software applications that use libcurl. This blog post describes how we found the following vulnerabilities --------------------------------------------- https://blog.trailofbits.com/2023/02/14/curl-audit-fuzzing-libcurl-command-… ∗∗∗ ICS Patch Tuesday: 100 Vulnerabilities Addressed by Siemens, Schneider Electric ∗∗∗ --------------------------------------------- Siemens has published 13 new advisories covering a total of 86 vulnerabilities. [..] Schneider Electric has published three advisories covering 10 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-100-vulnerabilities-addresse… ∗∗∗ DNS Abuse Techniques Matrix ∗∗∗ --------------------------------------------- The FIRST DNS Abuse SIG has been working on a document for some time, which has now finally been published: a matrix of DNS abuse techniques and their stakeholders. Its intended to help people experiencing DNS abuse, particularly incident responders and security teams. --------------------------------------------- https://www.first.org/global/sigs/dns/DNS-Abuse-Techniques-Matrix_v1.1.pdf ∗∗∗ Sustained Activity by Threat Actors ∗∗∗ --------------------------------------------- The European Union Agency for Cybersecurity (ENISA) and the CERT of the EU institutions, bodies and agencies (CERT-EU) jointly published a report to alert on sustained activity by particular threat actors. The malicious cyber activities of the presented threat actors pose a significant and ongoing threat to the European Union. --------------------------------------------- https://www.enisa.europa.eu/news/sustained-activity-by-threat-actors ∗∗∗ Abusing Azure App Service Managed Identity Assignments ∗∗∗ --------------------------------------------- [...] Managed Identities are great and admins should absolutely use them. But admins also need to understand the risks that come with Managed Identities and how to deal with those risks. In this blog post I will explain those risks, demonstrate how an attacker can abuse App Service Managed Identity assignments, and show you how to identify and deal with those risks yourself. --------------------------------------------- https://posts.specterops.io/abusing-azure-app-service-managed-identity-assi… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD: Cross-Thread Return Address Predictions ∗∗∗ --------------------------------------------- AMD internally discovered a potential vulnerability where certain AMD processors may speculatively execute instructions at an incorrect return site after an SMT mode switch that may potentially lead to information disclosure. AMD believes that due to existing mitigations applied to address other speculation-based issues, theoretical avenues for potential exploit of CVE-2022-27672 may be limited only to select virtualization environments where a virtual machine is given special privileges. --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1045 ∗∗∗ HAProxy Security Update (CVE-2023-25725) ∗∗∗ --------------------------------------------- A team of security researchers notified me on Thursday evening that they had found a dirty bug in HAProxys headers processing, and that, when properly exploited, this bug allows to build an HTTP content smuggling attack. [..] The issue was fixed in all versions and all modes (HTX and legacy), and all versions were upgraded. [..] Distros were notified (not very long ago admittedly, the delay was quite short for them) and updated packages will appear soon. --------------------------------------------- https://www.mail-archive.com/haproxy@formilux.org/msg43229.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28 and haproxy), Fedora (syslog-ng), Mageia (apr-util, chromium-browser-stable, editorconfig-core-c, ffmpeg, libzen, phpmyadmin, tpm2-tss, and webkit2), Oracle (kernel and kernel-container), Slackware (mozilla and php), SUSE (git, haproxy, kernel, nodejs18, phpMyAdmin, and timescaledb), and Ubuntu (APR-util, git, and haproxy). --------------------------------------------- https://lwn.net/Articles/923364/ ∗∗∗ Lenovo Product Security Advisories ∗∗∗ --------------------------------------------- * AMI MegaRAC SP-X BMC Redfish Vulnerabilities * AMI MegaRAC SP-X BMC Vulnerabilities * Crypto API Toolkit for Intel SGX Advisory * Intel Ethernet Controllers and Adapters Advisory * Intel Ethernet VMware Drivers Advisory * Intel Integrated Sensor Solution Advisory * Intel Server Platform Services (SPS) Vulnerabilities * Intel SGX SDK Advisory * Multi-Vendor BIOS Security Vulnerabilities (February 2023) --------------------------------------------- https://support.lenovo.com/at/en/product_security/home ∗∗∗ Released: February 2023 Exchange Server Security Updates ∗∗∗ --------------------------------------------- Microsoft has released Security Updates (SUs) for vulnerabilities found in:Exchange Server 2013Exchange Server 2016Exchange Server 2019SUs are available in a self-extracting auto-elevating .exe package, as well as the original update packages (.msp files), which can be downloaded from the Microsoft Update Catalog.SUs are available for the following specific versions of Exchange Server:Exchange Server 2013 CU23 (note that support and availability of SUs end on April 11, 2023)Exchange Server 2016 --------------------------------------------- https://techcommunity.microsoft.com/t5/exchange-team-blog/released-february… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ XSA-426 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-426.html ∗∗∗ Advisory: Impact of Insyde UEFI Boot Issues on B&R Products ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16759315… ∗∗∗ ClamAV HFS+ Partition Scanning Buffer Overflow Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus Dashboard Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Nexus Dashboard Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Email Security Appliance and Cisco Secure Email and Web Manager Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ClamAV DMG File Parsing XML Entity Expansion Vulnerability Affecting Cisco Products: February 2023 ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2023
by Daily end-of-shift report 14 Feb '23

14 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 13-02-2023 18:00 − Dienstag 14-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New stealthy Beep malware focuses heavily on evading detection ∗∗∗ --------------------------------------------- A new stealthy malware named Beep was discovered last week, featuring many features to evade analysis and detection by security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-beep-malware-fo… ∗∗∗ Exploiting a remote heap overflow with a custom TCP stack ∗∗∗ --------------------------------------------- In November 2021 our team took part in the ZDI Pwn2Own Austin 2021 competition with multiple entries. One of them successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required to mess with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it. --------------------------------------------- https://www.synacktiv.com/publications/exploiting-a-remote-heap-overflow-wi… ∗∗∗ Securing Open-Source Solutions: A Study of osTicket Vulnerabilities ∗∗∗ --------------------------------------------- One of the applications assessed was osTicket, an open-source ticketing system. With distinctive features and plugins, osTicket gives users the ability to “Manage, organize, and archive all your support requests and responses (...).” During our assessment, the Checkmarx Labs team found some interesting vulnerabilities. In this blog/report, not only will we disclose some of the identified vulnerabilities but also elaborate on the team’s approach to identifying them. --------------------------------------------- https://checkmarx.com/blog/securing-open-source-solutions-a-study-of-ostick… ∗∗∗ Amazon: Vorsicht vor Fake-Anrufen ∗∗∗ --------------------------------------------- Aktuell geben sich Kriminelle als Mitarbeiter:innen von Amazon aus und täuschen ein Problem mit Ihrer Bestellung vor. Sie werden aufgefordert Zahlungsdaten zu übermitteln, Zahlungen freizugeben und eine Wartungssoftware wie TeamViewer zu installieren. Legen Sie auf und blockieren Sie die Nummer. --------------------------------------------- https://www.watchlist-internet.at/news/amazon-vorsicht-vor-fake-anrufen/ ∗∗∗ A Deep Dive into Reversing CODESYS ∗∗∗ --------------------------------------------- This white paper offers a technical deep dive into PLC protocols and how to safely scan CODESYS-based ICS networking stacks. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/14/a-deep-dive-into-reversing-code… ∗∗∗ Typosquatting: Legit Abquery Package Duped with Malicious Aabquerys ∗∗∗ --------------------------------------------- Aabquerys use the typosquatting technique to encourage downloading malicious components, as it has been cleverly named to make it sound like the legitimate NPM module Abquery. --------------------------------------------- https://www.hackread.com/typosquatting-abquery-package-aabquerys/ ===================== = Vulnerabilities = ===================== ∗∗∗ Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug ∗∗∗ --------------------------------------------- Conditional code considered cryptographically counterproductive. --------------------------------------------- https://nakedsecurity.sophos.com/2023/02/13/serious-security-gnutls-follows… ∗∗∗ Patch Now: Apples iOS, iPadOS, macOS, and Safari Under Attack with New Zero-Day Flaw ∗∗∗ --------------------------------------------- Apple on Monday rolled out security updates for iOS, iPadOS, macOS, and Safari to address a zero-day flaw that it said has been actively exploited in the wild.Tracked as CVE-2023-23529, the issue relates to a type confusion bug in the WebKit browser engine that could be activated when processing maliciously crafted web content, culminating in arbitrary code execution. --------------------------------------------- https://thehackernews.com/2023/02/patch-now-apples-ios-ipados-macos-and.html ∗∗∗ Patchday: SAP schützt seine Software vor möglichen Attacken ∗∗∗ --------------------------------------------- Es sind unter anderem für SAP BusinessObjects und SAP Start Service wichtige Sicherheitsupdates erschienen. --------------------------------------------- https://heise.de/-7494856 ∗∗∗ Bestimmte auf HP-Computern vorinstallierte Windows-10-Versionen sind verwundbar ∗∗∗ --------------------------------------------- Wer einen PC von HP mit einer älteren Windows-10-Ausgabe nutzt, sollte einen Sicherheitspatch installieren. --------------------------------------------- https://heise.de/-7494955 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (imagemagick), Fedora (xml-security-c), Red Hat (grub2), SUSE (chromium, freerdp, libbpf, and python-setuptools), and Ubuntu (fig2dev and python-django). --------------------------------------------- https://lwn.net/Articles/923267/ ∗∗∗ Citrix Virtual Apps and Desktops Security Bulletin for CVE-2023-24483 ∗∗∗ --------------------------------------------- A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA. CVE-2023-24483 --------------------------------------------- https://support.citrix.com/article/CTX477616/citrix-virtual-apps-and-deskto… ∗∗∗ Citrix Workspace app for Windows Security Bulletin for CVE-2023-24484 & CVE-2023-24485 ∗∗∗ --------------------------------------------- A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA. CVE-2023-24484 & CVE-2023-24485 --------------------------------------------- https://support.citrix.com/article/CTX477617/citrix-workspace-app-for-windo… ∗∗∗ Citrix Workspace app for Linux Security Bulletin for CVE-2023-24486 ∗∗∗ --------------------------------------------- A vulnerability has been identified in Citrix Workspace app for Linux that, if exploited, may result in a malicious local user being able to gain access to the Citrix Virtual Apps and Desktops session of another user who is using the same computer from which the ICA session is launched. CVE-2023-24486 --------------------------------------------- https://support.citrix.com/article/CTX477618/citrix-workspace-app-for-linux… ∗∗∗ SonicWall Email Security Information Discloser Vulnerability ∗∗∗ --------------------------------------------- SonicWall Email Security contains a vulnerability that could permit a remote unauthenticated attacker access to an error page that includes sensitive information about users email addresses. CVE: CVE-2023-0655 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0002 ∗∗∗ The installers of ELECOM Camera Assistant and QuickFileDealer may insecurely load Dynamic Link Libraries ∗∗∗ --------------------------------------------- The installers of ELECOM Camera Assistant and QuickFileDealer provided by ELECOM CO.,LTD. may insecurely load Dynamic Link Libraries. --------------------------------------------- https://jvn.jp/en/jp/JVN60263237/ ∗∗∗ Improper restriction of XML external entity reference (XXE) vulnerability in tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools ∗∗∗ --------------------------------------------- tsClinical Define.xml Generator and tsClinical Metadata Desktop Tools provided by FUJITSU LIMITED contain an improper restriction of XML external entity reference (XXE) vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN00712821/ ∗∗∗ 101news By Mayuri K 1.0 SQL Injection ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020025 ∗∗∗ Developed by Ameya Computers LOGIN SQL INJECTİON ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020024 ∗∗∗ SSA-953464 V1.0: Multiple Vulnerabilites in Siemens Brownfield Connectivity - Client before V2.15 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf ∗∗∗ SSA-847261 V1.0: Multiple SPP File Parsing Vulnerabilities in Tecnomatix Plant Simulation ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-847261.pdf ∗∗∗ SSA-836777 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Parasolid ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-836777.pdf ∗∗∗ SSA-744259 V1.0: Golang Vulnerabilities in Brownfield Connectivity - Gateway before V1.10.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-744259.pdf ∗∗∗ SSA-693110 V1.0: Buffer Overflow Vulnerability in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-693110.pdf ∗∗∗ SSA-686975 V1.0: IPU 2022.3 Vulnerabilities in Siemens Industrial Products using Intel CPUs ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-686975.pdf ∗∗∗ SSA-658793 V1.0: Command Injection Vulnerability in SiPass integrated AC5102 / ACC-G2 and ACC-AP ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-658793.pdf ∗∗∗ SSA-640968 V1.0: Untrusted Search Path Vulnerability in TIA Project-Server formerly known as TIA Multiuser Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-640968.pdf ∗∗∗ SSA-617755 V1.0: Denial of Service Vulnerability in the SNMP Agent of SCALANCE X-200IRT Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-617755.pdf ∗∗∗ SSA-565356 V1.0: X_T File Parsing Vulnerabilities in Simcenter Femap before V2023.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-565356.pdf ∗∗∗ SSA-491245 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-491245.pdf ∗∗∗ SSA-450613 V1.0: Insyde BIOS Vulnerabilities in RUGGEDCOM APE1808 Product Family ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-450613.pdf ∗∗∗ SSA-252808 V1.0: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf ∗∗∗ PHOENIX CONTACT: Multiple Vulnerabilities in PLCnext Firmware ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-001/ ∗∗∗ Weintek EasyBuilder Pro cMT Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-045-01 ∗∗∗ Advisory: Reflected Cross-Site Scripting Vulnerabitities in SDM ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16756072… ∗∗∗ IBM Db2 Web Query for i is vulnerable to arbitrary code execution due to Apache Commons Text [CVE-2022-42889] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955251 ∗∗∗ IBM App Connect Enterprise Certified Container operands may be vulnerable to security restrictions bypass due to [CVE-2021-25743] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955255 ∗∗∗ IBM Sterling Control Center is vulnerable to a denial of service due to Jave SE (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955277 ∗∗∗ IBM Sterling Control Center is vulnerable to security bypass due to Eclipse Openj9 (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955281 ∗∗∗ CVE-2022-21624 may affect IBM\u00ae SDK, Java\u2122 Technology Edition for Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955493 ∗∗∗ CVE-2022-3676 may affect Eclipse Openj9 used by Content Collector for Email, Content Collector for File Systems and Content Collector for Microsoft SharePoint ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6955497 ∗∗∗ IBM QRadar SIEM is vulnerable to possible information disclosure [CVE-2023-22875] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6855643 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.02.2023
by Daily end-of-shift report 13 Feb '23

13 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 10-02-2023 18:00 − Montag 13-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Erpressungstrojaner Play infiltriert Systeme von A10 Networks ∗∗∗ --------------------------------------------- Angreifer konnten auf interne Daten des Herstellers von Netzwerkgeräten A10 Networks zugreifen. Kundendaten sollen nicht betroffen sein. --------------------------------------------- https://heise.de/-7493748 ∗∗∗ Gefälschtes Therme Wien-Gewinnspiel auf Facebook ∗∗∗ --------------------------------------------- Auf Facebook kursiert momentan ein betrügerisches Gewinnspiel für einen Tagesurlaub inklusive Massage in der Therme Wien. Das Gewinnspiel, das von der Facebook-Seite „Freizeit-Helden“ beworben wird, steht aber in keinem Zusammenhang mit der Therme Wien und sammelt Daten. Nehmen Sie nicht teil und melden Sie das Posting. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-therme-wien-gewinnspiel… ∗∗∗ Details zur LocalPotato NTLM Authentication-Schwachstelle (CVE-2023-21746) ∗∗∗ --------------------------------------------- Mitte Januar 2023 Monat hatte ich im Blog-Beitrag Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) auf eine lokale NTLM-Authentifizierungsschwachstelle (CVE-2023-21746) hingewiesen. Die Entdecker bezeichnen diese als LocalPotator, hatten seinerzeit aber keine Details offen gelegt. Jetzt wurde dies nachgeholt. --------------------------------------------- https://www.borncity.com/blog/2023/02/11/details-zur-localpotato-ntlm-authe… ∗∗∗ We had a security incident. Here’s what we know. ∗∗∗ --------------------------------------------- TL:DR Based on our investigation so far, Reddit user passwords and accounts are safe, but on Sunday night (pacific time), Reddit systems were hacked as a result of a sophisticated and highly-targeted phishing attack. They gained access to some internal documents, code, and some internal business systems. --------------------------------------------- https://www.reddit.com/r/netsec/comments/10y59q2/we_had_a_security_incident… ∗∗∗ Devs targeted by W4SP Stealer malware in malicious PyPi packages ∗∗∗ --------------------------------------------- Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/devs-targeted-by-w4sp-steale… ∗∗∗ Security baseline for Microsoft Edge version 110 ∗∗∗ --------------------------------------------- We are pleased to announce the security review for Microsoft Edge, version 110! We have reviewed the new settings in Microsoft Edge version 110 and determined that there are no additional security settings that require enforcement. The Microsoft Edge version 107 security baseline continues to be our recommended configuration which can be downloaded from the Microsoft Security Compliance Toolkit. Microsoft Edge version 110 introduced 13 new computer settings and 13 new user settings. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ PCAP Data Analysis with Zeek, (Sun, Feb 12th) ∗∗∗ --------------------------------------------- Having full packet captures of a device or an entire network can be extremely useful. It is also a lot of data to go through and process manually. Zeek [1] can help to simplify network traffic analysis. It can also help save a lot of storage space. I'll be going through and processing some PCAP data collected from my honeypot. --------------------------------------------- https://isc.sans.edu/diary/rss/29530 ∗∗∗ Linux auditd for Threat Hunting [Part 2] ∗∗∗ --------------------------------------------- In this part, I will highlight only 1 technique (process/command execution) and explain the fields. In Part 3, I will show you tests I ran for several other behaviors. --------------------------------------------- https://izyknows.medium.com/linux-auditd-for-threat-hunting-part-2-c75500f5… ∗∗∗ Crypto Wallet Address Replacement Attack ∗∗∗ --------------------------------------------- At around 17:49 UTC on 9 February 2023, Phylum’s automated risk detection platform began alerting us to a long series of suspicious publications which appear to be a revived attempt to deliver the same crypto wallet clipboard replacing malware. This time, however, the attacker changed the obfuscation technique and radically increased the volume of attacks. [..] over 451 unique packages. These targeted some very popular packages, many of them in the crypto/finance and web development space --------------------------------------------- https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-repla… ∗∗∗ The Linux Kernel and the Cursed Driver (CVE-2022-4842) ∗∗∗ --------------------------------------------- TL;DR: We found a bug in the not-so-well-maintained NTFS3 driver in Linux. Abusing the vulnerability could lead to a denial-of-service (DoS) attack on machines with a mounted NTFS filesystem. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/the-linux-kernel-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Monitorr 1.7.6 Shell Upload ∗∗∗ --------------------------------------------- Topic: Monitorr 1.7.6 Shell Upload Risk: High Text:# Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution # Exploit Author: Achuth V P (retrymp3... --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020021 ∗∗∗ Cisco Email Security Appliance URL Filtering Bypass Vulnerability ∗∗∗ --------------------------------------------- On January 18, 2023, Cisco disclosed the following: A vulnerability in the URL filtering mechanism of Cisco AsyncOS Software for Cisco Email Security Appliance (ESA) could allow an unauthenticated, remote attacker to bypass the URL reputation filters on an affected device. [...] After additional investigation, it was determined that this vulnerability is not exploitable. For more information, see the Workarounds section of this advisory. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ABB Cyber Security Advisory: Drive Composer multiple vulnerabilities ∗∗∗ --------------------------------------------- Affected products: CVE-2018-1285, CVE-2022-35737, CVE-2021-27293, CVE-2022-37434: - Drive Composer entry 2.8 and earlier - Drive Composer pro 2.8 and earlier. CVE-2018-1002205: - Drive Composer entry 2.4 and earlier - Drive Composer pro 2.4 and earlier An attacker who successfully exploited these vulnerabilities could cause the product to stop, make the product inaccessible or insert and run arbitrary code. --------------------------------------------- https://search.abb.com/library/Download.aspx?Action=Launch&DocumentID=9AKK1… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libde265 and snort), Fedora (chromium, openssl, php-symfony4, qt5-qtbase, qt6-qtbase, tigervnc, vim, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), Slackware (gnutls), SUSE (apr-util, grafana, java-1_8_0-ibm, kernel, less, libksba, opera, postgresql12, postgresql13, postgresql14, postgresql15, python-py, webkit2gtk3, wireshark, and xrdp), and Ubuntu (nova and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/923163/ ∗∗∗ Wordpress Multiple themes - Unauthenticated Arbitrary File Upload ∗∗∗ --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020022 ∗∗∗ NEC PC Settings Tool vulnerable to missing authentication for critical function ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60320736/ ∗∗∗ Multiple vulnerabilities in PLANEX COMMUNICATIONS Network Camera CS-WMV02G ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN98612206/ ∗∗∗ IBM Security Bulletins 2023-02-13 ∗∗∗ --------------------------------------------- * AIX is vulnerable to denial of service vulnerabilities * IBM Cloud Pak for Network Automation v2.4.3 addresses multiple security vulnerabilities * IBM MQ Appliance is vulnerable to an unspecified Java SE vulnerability (CVE-2022-21626) * IBM PowerVM Novalink is vulnerable because Apache Commons IO could allow a remote attacker to traverse directories on the system * IBM PowerVM Novalink is vulnerable because IBM WebSphere Application Server Liberty vulnerable to protobuf-java core and lite are vulnerable to a denial of service. (CVE-2022-3509) * IBM PowerVM Novalink is vulnerable because Java SE is vulnerable to a denial of service, caused by a flaw in the Lightweight HTTP Server. (CVE-2022-21628) * IBM QRadar SIEM includes multiple components with known vulnerabilities * IBM QRadar SIEM is vulnerable to information exposure (CVE-2022-34351) * IBM Security Directory Integrator is affected by multiple security vulnerabilities * IBM Sterling B2B Integrator is vulnerable to cross-site scripting (CVE-2022-43579) * IBM Sterling B2B Integrator is vulnerable to denial of service due to Spring Framework (CVE-2022-22970) * IBM Sterling B2B Integrator is vulnerable to http header injection due to IBM WebSphere Application Server (CVE-2022-34165) * IBM Sterling Connect:Direct FTP+ is vulnerable to denial of service due to IBM Java (CVE-2022-21626) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js bunyan module command execution * The dasboard UI of IBM Sterling B2B Integrator is vulnerable to improper permission control (CVE-2022-40231) * Vulnerabilities with ca-certificates, OpenJDK, Sudo affect IBM Cloud Object Storage Systems (Feb 2023v1) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2023
by Daily end-of-shift report 10 Feb '23

10 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-02-2023 18:00 − Freitag 10-02-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Obfuscated Deactivation of Script Block Logging, (Fri, Feb 10th) ∗∗∗ --------------------------------------------- PowerShell has a great built-in feature called "Script Block Logging"[1]. It helps to record all activities performed by a script and is a goldmine for incident handlers. That's the reason why attackers tend to try to disable this feature. There are many ways to achieve this, but I found an interesting one. --------------------------------------------- https://isc.sans.edu/diary/rss/29538 ∗∗∗ Bogus URL Shorteners Redirect Thousands of Hacked Sites in AdSense Fraud Campaign ∗∗∗ --------------------------------------------- Late last year we reported on a malware campaign targeting thousands of WordPress websites to redirect visitors to bogus Q&A websites. The sites themselves contained very little useful information to a regular visitor, but — more importantly — also contained Google Adsense advertisements. It appeared to be an attempt to artificially pump ad views to generate revenue. Since September, our SiteCheck remote scanner has detected this campaign on 10,890 infected sites. --------------------------------------------- https://blog.sucuri.net/2023/02/bogus-url-shorteners-redirect-thousands-of-… ∗∗∗ Cracking the Odd Case of Randomness in Java ∗∗∗ --------------------------------------------- During a recent white-box assessment, we came across the use of RandomStringUtils.randomAlphanumeric being used in a security sensitive context. We knew it used Java’s weak java.util.Random class but were interested in seeing how practically exploitable it actually was, so we decided to dig into it and see how it worked under the hood. --------------------------------------------- https://www.elttam.com/blog/cracking-randomness-in-java/ ∗∗∗ What are the writable shares in this big domain? ∗∗∗ --------------------------------------------- RSMBI is a python tool that answers to the question: What are the writable shares in this big domain? RSMBI connect to each target and it mounts the available shares in the /tmp folder (but that can also be changed). Once the shares are successfully mounted the threads (or the solo one) would start (os.)walking recursively all the folders, trying get a file handle with writing rights. --------------------------------------------- https://github.com/oldboy21/RSMBI ∗∗∗ 0Day Avalanche Blockchain API DoS ∗∗∗ --------------------------------------------- This is a remote API DoS/crash that should OOM chain P and render a vulnerable node mostly or entirely useless. --------------------------------------------- https://g.livejournal.com/15852.html ∗∗∗ Fake-Spendenaufrufe: Kriminelle missbrauchen Erdbebenkatastrophe ∗∗∗ --------------------------------------------- Das Erdbeben in der Türkei und in Nordsyrien löste eine Welle der Hilfsbereitschaft aus. Es gibt zahlreiche Möglichkeiten, um Überlebende finanziell zu unterstützen. Kriminelle missbrauchen die humanitäre Krise und versuchen auf verschiedenen Wegen die Solidarität durch Fake-Spendenaufrufe auszunutzen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-spendenaufrufe-kriminelle-missb… ===================== = Vulnerabilities = ===================== ∗∗∗ CKSource CKEditor5 35.4.0 Cross Site Scripting ∗∗∗ --------------------------------------------- CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor failsto sanitize user provided data. --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020019 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (postgresql-11 and sox), Fedora (opusfile), SUSE (bind, jasper, libapr-util1, pkgconf, tiff, and xrdp), and Ubuntu (cinder, imagemagick, less, linux, linux-aws, linux-azure, linux-azure-5.4, linux-gkeop, linux-kvm, linux-oracle, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-gcp, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, linux, linux-aws, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux, linux-azure, linux-azure-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux-azure, linux-azure-4.15, linux-dell300x, linux-gke, linux-oem-5.14, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, linux-snapdragon, nova, and swift). --------------------------------------------- https://lwn.net/Articles/922929/ ∗∗∗ Statement About the DoS Vulnerability in the E5573Cs-322 ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-notices/2021/huawei-sn-20230210-01… ∗∗∗ Multiple vulnerabilities in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954671 ∗∗∗ Vulnerabilities in IBM Semeru Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-21628, CVE-2022-21626, CVE-2022-21618, CVE-2022-39399, CVE-2022-21624, CVE-2022-21619, CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954673 ∗∗∗ Vulnerability in IBM Java Runtime affect SPSS Collaboration and Deployment Services (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954675 ∗∗∗ Vulnerability in IBM Java (CVE-2022-3676) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954681 ∗∗∗ Vulnerability in IBM Java (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624 and CVE-2022-21619) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954683 ∗∗∗ Vulnerability in Firefox (CVE-2022-43926) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954679 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server traditional shipped with IBM Intelligent Operations Center (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954685 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to arbitrary code execution due to [CVE-2022-45907] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954691 ∗∗∗ Multiple Vulnerabilities (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) affects CICS Transaction Gateway. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954695 ∗∗∗ CVE-2022-3676 may affect IBM TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954701 ∗∗∗ IBM MQ Appliance is vulnerable to identity spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6823807 ∗∗∗ IBM MQ Appliance is affected by kernel vulnerabilities (CVE-2021-45485, CVE-2021-45486 and CVE-2022-1012) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851373 ∗∗∗ IBM MQ Appliance is vulnerable to HTTP header injection (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622055 ∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-32750) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622053 ∗∗∗ IBM MQ Appliance is vulnerable to improper session invalidation (CVE-2022-40230) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622051 ∗∗∗ IBM MQ Appliance is vulnerable to an XML External Entity Injection attack (CVE-2022-31775) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622041 ∗∗∗ IBM MQ Appliance is vulnerable to cross-site scripting (CVE-2022-31744) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6622047 ∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of servce due to IBM Java (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954727 ∗∗∗ A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Guardium Key Lifecycle Manager (SKLM\/GKLM) (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954723 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2023
by Daily end-of-shift report 09 Feb '23

09 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-02-2023 18:00 − Donnerstag 09-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New ESXiArgs ransomware version prevents VMware ESXi recovery ∗∗∗ --------------------------------------------- New ESXiArgs ransomware attacks are now encrypting more extensive amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-vers… ∗∗∗ Solving one of NOBELIUM’s most novel attacks: Cyberattack Series ∗∗∗ --------------------------------------------- This is the first in an ongoing series exploring some of the most notable cases of the Microsoft Detection and Response Team (DART), which investigates cyberattacks on behalf of our customers. The Cyberattack Series takes you behind the scenes for an inside look at the investigation and share lessons that you can apply to better protect your own organization. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/02/08/solving-one-of-nob… ∗∗∗ [SANS ISC] A Backdoor with Smart Screenshot Capability ∗∗∗ --------------------------------------------- Today, everything is “smart” or “intelligent”. We have smartphones, smart cars, smart doorbells, etc. Being “smart” means performing actions depending on the context, the environment, or user actions. For a while, backdoors and trojans have implemented screenshot capabilities. From an attacker’s point of view, it’s interesting to “see” what’s displayed on the victim’s computer. --------------------------------------------- https://blog.rootshell.be/2023/02/09/sans-isc-a-backdoor-with-smart-screens… ∗∗∗ Exploit Vector Analysis of Emerging ESXiArgs Ransomware ∗∗∗ --------------------------------------------- In recent days CVE-2021-21974, a heap-overflow vulnerability in VMWare ESXi’s OpenSLP service has been prominently mentioned in the news in relation to a wave of ransomware effecting numerous organizations. The relationship between CVE-2021-21974 and the ransomware campaign may be blown out of proportion. We do not currently know what the initial access vector is, and it is possible it could be any of the vulnerabilities related to ESXi’s OpenSLP service. --------------------------------------------- https://www.greynoise.io/blog/exploit-vector-analysis-of-emerging-esxiargs-… ∗∗∗ Passwort-Manager: Umstrittene Sicherheitslücke in KeePass beseitigt ∗∗∗ --------------------------------------------- Eine viel diskutierte Sicherheitslücke, die Einbrechern im System den Passwort-Export erleichterte, hat der Entwickler nun mit einem Update geschlossen. --------------------------------------------- https://heise.de/-7489944 ∗∗∗ Datenleck: Deezer informiert Kunden jetzt per E-Mail ∗∗∗ --------------------------------------------- 230 Millionen Deezer-Datensätze wurden entwendet und etwa beim Have-I-been-pwned-Projekt hinzugefügt. Jetzt informiert Deezer betroffene Kunden darüber. --------------------------------------------- https://heise.de/-7490760 ∗∗∗ Teures Visum bei asia-visa.com ∗∗∗ --------------------------------------------- Sie möchten ein Visum für Thailand oder Vietnam beantragen? Bei einer Internetrecherche stoßen Sie möglicherweise auf asia-visa.com – ein Anbieter, der Ihnen den „Papierkram“ abnimmt. Wir raten Ihnen ab, das überteuerte Angebot zu nutzen und empfehlen, die Einreisegenehmigung über die offizielle Stelle zu beantragen. --------------------------------------------- https://www.watchlist-internet.at/news/teures-visum-bei-asia-visacom/ ∗∗∗ CISA and FBI Release ESXiArgs Ransomware Recovery Guidance ∗∗∗ --------------------------------------------- Today, CISA and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory, ESXiArgs Ransomware Virtual Machine Recovery Guidance. This advisory describes the ongoing ransomware campaign known as “ESXiArgs.” Malicious cyber actors may be exploiting known vulnerabilities in unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access to ESXi servers and deploy ESXiArgs ransomware. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2023/02/08/cisa-and-fbi-rele… ∗∗∗ Neue PayPal-Betrugsmasche – mit echten Push-Benachrichtigungen (Feb. 2023) ∗∗∗ --------------------------------------------- Über Twitter bin ich auf eine neue Betrugsmasche hingewiesen worden, die Leute schon mal ins Boxhorn jagen kann. Denn die Masche beginnt, dass das Opfer eine Push-Benachrichtigung von PayPal über eine Zahlung (per Einzug) bekommt. Aber die Nachricht ist trotzdem Betrug und hat das Ziel, an Daten des Opfers heranzukommen. Ich habe die Hinweise auf Twitter mal in diesem Beitrag zusammen gefasst. --------------------------------------------- https://www.borncity.com/blog/2023/02/08/neue-paypal-betrugsmasche-mit-echt… ∗∗∗ Sicherheitsvorfall bei wargaming.net (Feb. 2023)? ∗∗∗ --------------------------------------------- Ein Leser hat mich auf einen Sicherheitsvorfall beim Spieleentwickler wargaming.net aufmerksam gemacht. Ich habe dann ein wenig recherchiert, ist nicht der erste Vorfall bei diesem Anbieter. Es könnte aber auch ein Phishing-Versuch sein (das versuche ich noch zu klären). Hier einige Informationen, was mir bekannt ist. --------------------------------------------- https://www.borncity.com/blog/2023/02/09/sicherheitsvorfall-bei-wargaming-n… ∗∗∗ Evasion Techniques Uncovered: An Analysis of APT Methods ∗∗∗ --------------------------------------------- DLL search order hijacking and DLL sideloading are commonly used by nation state sponsored attackers to evade detection. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/09/evasion-techniques-uncovered-an… ===================== = Vulnerabilities = ===================== ∗∗∗ Zoho ManageEngine ServiceDesk Plus 14003 Remote Code Execution ∗∗∗ --------------------------------------------- This exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ServiceDesk Plus versions 14003 and below (CVE-2022-47966). Due to a dependency to an outdated library (Apache Santuario version 1.4.1), it is possible to execute arbitrary code by providing a crafted `samlResponse` XML to the ServiceDesk Plus SAML endpoint. Note that the target is only vulnerable if it has been configured with SAML-based SSO at least once in the past, regardless of the current SAML-based SSO status. --------------------------------------------- https://cxsecurity.com/issue/WLB-2023020017 ∗∗∗ SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow ∗∗∗ --------------------------------------------- The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system. --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php ∗∗∗ Angreifer könnten über Nvidia GeForce Experience Daten manipulieren ∗∗∗ --------------------------------------------- In der aktuellen Version das Grafikkarten-Tools GeForce Experience von Nvidia haben die Entwickler drei Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7490068 ∗∗∗ Notfallpatch für Dateiübertragungslösung GoAnywhere MFT erschienen ∗∗∗ --------------------------------------------- Admins können ihre GoAnywhere-MFT-Server (On-Premises) nun mit einem Sicherheitsupdate gegen aktuelle laufende Attacken absichern. --------------------------------------------- https://heise.de/-7490040 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libsdl2, and wireshark), Fedora (pesign, tpm2-tss, and webkitgtk), Oracle (hsqldb, krb5, libksba, tigervnc, and tigervnc and xorg-x11-server), Red Hat (openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, rh-varnish6-varnish, tigervnc, and tigervnc and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), and SUSE (apache2, apache2-mod_security2, apr-util, netatalk, podman, python-swift3, rubygem-globalid, syslog-ng, and thunderbird). --------------------------------------------- https://lwn.net/Articles/922756/ ∗∗∗ Vulnerability Allows Hackers to Remotely Tamper With Dahua Security Cameras ∗∗∗ --------------------------------------------- A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time. [...] Dahua device vulnerabilities may be targeted by DDoS botnets, but in the case of CVE-2022-30564, it would most likely be exploited in highly targeted attacks whose goal is to tamper with evidence, rather than cybercrime operations. The issue was reported to the vendor in the fall of 2022. Dahua has released patches for each of the impacted devices. --------------------------------------------- https://www.securityweek.com/vulnerability-allows-hackers-to-remotely-tampe… ∗∗∗ CVE-2023-0003 Cortex XSOAR: Local File Disclosure Vulnerability in the Cortex XSOAR Server (Severity: MEDIUM) ∗∗∗ --------------------------------------------- A file disclosure vulnerability in the Palo Alto Networks Cortex XSOAR server software enables an authenticated user with access to the web interface to read local files from the server. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0003 ∗∗∗ CVE-2023-0002 Cortex XDR Agent: Product Disruption by Local Windows User (Severity: MEDIUM) ∗∗∗ --------------------------------------------- A problem with a protection mechanism in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local user to execute privileged cytool commands that disable or uninstall the agent. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0002 ∗∗∗ CVE-2023-0001 Cortex XDR Agent: Cleartext Exposure of Agent Admin Password (Severity: MEDIUM) ∗∗∗ --------------------------------------------- An information exposure vulnerability in the Palo Alto Networks Cortex XDR agent on Windows devices allows a local system administrator to disclose the admin password for the agent in cleartext, which bad actors can then use to execute privileged cytool commands that disable or uninstall the agent. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0001 ∗∗∗ IBM InfoSphere Information Server is affected by an information disclosure vulnerability (CVE-2023-24964) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953519 ∗∗∗ IBM WebSphere Application Server is vulnerable to a remote code execution vulnerability (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6891111 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Eclipse Openj9 security bypass (CVE-2022-3676) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953807 ∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953825 ∗∗∗ Vulnerabilities in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953873 ∗∗∗ Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953879 ∗∗∗ IBM SDK, Java Technology Edition Quarterly CPU - Oct 2022 - Includes Oracle October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953641 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953593 ∗∗∗ Vulnerability in Axios affects IBM Process Mining . IBM X-Force ID: 232247 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6611183 ∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0208 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852405 ∗∗∗ Vulnerability in bpmn affects IBM Process Mining . WS-2019-0148 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6852407 ∗∗∗ Vulnerability in d3-color affects IBM Process Mining . WS-2022-0322 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6856473 ∗∗∗ IBM Cloud Pak for Multicloud Management Monitoring has applied security fixes for user privilege escalation ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6909427 ∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server traditional is vulnerable to a remote code execution vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954391 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to HTTP header injection due WebSphere Liberty Server (CVE-2022-34165) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954401 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954403 ∗∗∗ IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954405 ∗∗∗ Vulnerability in Apache Commons Text affects IBM Process Mining . CVE-2022-42889 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954409 ∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty and Open Liberty 17.0.0.3 through 22.0.0.5 affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954411 ∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6954421 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2023
by Daily end-of-shift report 08 Feb '23

08 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-02-2023 18:00 − Mittwoch 08-02-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Ransomware-Attacke: CISA veröffentlicht Wiederherstellungsskript für VMware ESXi ∗∗∗ --------------------------------------------- Die US-amerikanische Cyber-Sicherheitsbehörde CISA hat ein Wiederherstellungsskript bereitgestellt, mit dem betroffene Server gerettet werden könnten. --------------------------------------------- https://heise.de/-7488498 ∗∗∗ Achtung: Betrügerische Rechnungen in E-Mails und PayPal-App! ∗∗∗ --------------------------------------------- PayPal-User:innen aufgepasst: Kriminelle stellen aktuell Coinbase-Rechnungen über PayPal. Diese Rechnungen landen dadurch sowohl in Ihrem Mail-Postfach, als auch Ihrer PayPal-App und können dadurch für echt gehalten werden! Ignorieren Sie die Rechnungen und setzen Sie sich bei Unklarheiten mit PayPal in Verbindung. Bezahlen Sie nichts und befolgen Sie keinesfalls die Händler-Anweisungen aus der Rechnung. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-betruegerische-rechnungen-in… ∗∗∗ Sicherheitsupdate: Acht Sicherheitslücken in OpenSSL geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit der Softwarebibliothek für verschlüsselte Verbindungen OpenSSL attackieren. Der Bedrohungsgrad hält sich aber in Grenzen. --------------------------------------------- https://heise.de/-7489560 ∗∗∗ Medusa botnet returns as a Mirai-based variant with ransomware sting ∗∗∗ --------------------------------------------- A new version of the Medusa DDoS (distributed denial of service) botnet, based on Mirai code, has appeared in the wild, featuring a ransomware module and a Telnet brute-forcer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-m… ∗∗∗ Simple HTML Phishing via Telegram Bot, (Wed, Feb 8th) ∗∗∗ --------------------------------------------- Monday, I wrote about the use of IP lookup APIs by bots. It turns out that it is not just bots using these APIs, but phishing e-mails are also taking advantage of them. --------------------------------------------- https://isc.sans.edu/diary/rss/29528 ∗∗∗ Post-Exploitation: Abusing the KeePass Plugin Cache ∗∗∗ --------------------------------------------- This blog post presents a post-exploitation approach to inject code into KeePass without process injection. It is performed by abusing the cache resulting from the compilation of PLGX plugin. --------------------------------------------- https://blog.quarkslab.com/post-exploitation-abusing-the-keepass-plugin-cac… ∗∗∗ A Detailed Analysis of a New Stealer Called Stealerium ∗∗∗ --------------------------------------------- Stealerium is an open-source stealer available on GitHub. The malware steals information from browsers, cryptocurrency wallets, and applications such as Discord, Pidgin, Outlook, Telegram, Skype, Element, Signal, Tox, Steam, Minecraft, and VPN clients. The binary also gathers data about the infected host, such as the running processes, Desktop and webcam screenshots, Wi-Fi networks, the Windows product key, and the public and private IP address. --------------------------------------------- https://securityscorecard.com/research/a-detailed-analysis-of-a-new-stealer… ∗∗∗ Rustproofing Linux (nccgroup) ∗∗∗ --------------------------------------------- The nccgroup blog is carrying afour-part series by Domen Puncer Kugler on how vulnerabilities can maketheir way into device drivers written in Rust. In other words, the CONFIG_INIT_STACK_ALL_ZERO build option does nothing for Rust code! Developers must be cautious to avoid shooting themselves in the foot when porting a driver from C to Rust, especially if they previously relied on this config option to mitigate this class of vulnerability. It seems that kernel info leaks and KASLR bypasses might be here to stay, at least, for a little while longer. --------------------------------------------- https://lwn.net/Articles/922638/ ∗∗∗ Pwn2Owning Two Hosts at the Same Time: Abusing Inductive Automation Ignition’s Custom Deserialization ∗∗∗ --------------------------------------------- Pwn2Own Miami 2022 was a fine competition. At the contest, I successfully exploited three different targets. In this blog post, I would like to show you my personal best research of the competition: the custom deserialization issue in Inductive Automation Ignition. --------------------------------------------- https://www.thezdi.com/blog/2023/2/6/pwn2owning-two-hosts-at-the-same-time-… ∗∗∗ CVE-2022-21587: Rapid7 Observed Exploitation of Oracle E-Business Suite Vulnerability ∗∗∗ --------------------------------------------- Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too. --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/etr-cve-2022-21587-rapid7-obser… ∗∗∗ How to Use Cloud Access Security Brokers for Data Protection ∗∗∗ --------------------------------------------- A cloud access security broker is a security policy enforcement point that can be located on-premises or in the cloud. Its purpose is to aggregate and implement an enterprise’s security policies whenever cloud-based resources are accessed. --------------------------------------------- https://www.hackread.com/cloud-access-security-brokers-data-protection/ ===================== = Vulnerabilities = ===================== ∗∗∗ PMASA-2023-1 ∗∗∗ --------------------------------------------- XSS vulnerability in drag-and-drop upload Affected Versions: phpMyAdmin versions prior to 4.9.11 and 5.2.1 are affected. The vulnerability has existed since release version 4.3.0. --------------------------------------------- https://www.phpmyadmin.net/security/PMASA-2023-1/ ∗∗∗ Webbrowser: Google Chrome dichtet Sicherheitslecks ab und ändert Release-Zyklus ∗∗∗ --------------------------------------------- Der Webbrowser Google Chrome 110 schließt 15 teils hochriskante Schwachstellen. Der Hersteller stellt zudem auf ein neues Release-System um. --------------------------------------------- https://heise.de/-7488524 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (heimdal, openssl, shim, and xorg-server), Oracle (kernel and thunderbird), Red Hat (git, libksba, samba, and tigervnc), Scientific Linux (thunderbird), Slackware (openssl and xorg), SUSE (EternalTerminal, openssl-1_0_0, openssl-1_1, openssl-3, openssl1, polkit, and sssd), and Ubuntu (git, grunt, heimdal, openssl, openssl1.0, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/922626/ ∗∗∗ Tuesday February 14 2023 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, 18.x and 19.x releases lines on or shortly after, Tuesday February 14 2023 in order to address: 2 low severity issues. 2 medium severity issues. 1 high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/february-2023-security-releases ∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in The Huawei Children Smart Watch (Simba-AL00) ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvithc… ∗∗∗ IBM Security Bulletins 2023-02-08 ∗∗∗ --------------------------------------------- * A Security Vulnerability has been identified in the IBM Java SDK as shipped with IBM Security Verify Access. * IBM Aspera Orchestrator affected by vulnerability (CVE-2022-28615) * IBM® Db2® Connect Server is vulnerable due to the use of Apache HttpComponents. (CVE-2014-3577) * IBM® Db2® is vulnerable to an information disclosure vulnerabilitiy due to improper privilege management when a specially crafted table access is used. (CVE-2022-43927) * IBM® Db2® is vulnerable to an information disclosure vulnerability as sensitive information may be included in a log file. (CVE-2022-43930) * IBM® Db2® may be vulnerable to a denial of service when executing a specially crafted Load command. (CVE-2022-43929) * IBM Jazz for Service Management is vulnerable to All XStream (Publicly disclosed vulnerability) (CVE-2022-41966) * IBM MQ is affected by an identity spoofing issue in IBM WebSphere Application Server Liberty (CVE-2022-22475) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Express.js Express denial of service (CVE-2022-24999) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Moment denial of service (CVE-2022-31129) * IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js follow-redirects module information disclosure vulnerabilities (CVE-2022-0536, CVE-2022-0155) * IBM WebSphere Application Server Liberty is vulnerable to information disclosure due to Apache James MIME4J (CVE-2022-45787) * IBM WebSphere Application Server Liberty is vulnerable to server-side request forgery due to Apache CXF (CVE-2022-46364) * Multiple security vulnerabilities are addressed with IBM Business Automation Manager Open Editions 8.0.2 * Multiple vulnerabilities in the Expat library affect IBM® Db2® Net Search Extender may lead to denial of service or arbitrary code execution. * Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. * Unspecified vulnerability in Java Affects IBM Infosphere Global Name Management (CVE-2022-21496) * Vulnerabilities in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-22475, CVE-2022-22476) * Vulnerability in IBM WebSphere Liberty affects IBM InfoSphere Global Name Management (CVE-2022-34165) --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.02.2023
by Daily end-of-shift report 07 Feb '23

07 Feb '23

===================== = End-of-Day report = ===================== Timeframe: Montag 06-02-2023 18:00 − Dienstag 07-02-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Researcher breaches Toyota supplier portal with info on 14,000 partners ∗∗∗ --------------------------------------------- The issues were responsibly disclosed to Toyota on November 3, 2022, and the Japanese car maker confirmed they had been fixed by November 23, 2022. EatonWorks published a detailed writeup about the discoveries today after 90 days disclosure process had passed. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-breaches-toyota-s… ∗∗∗ APIs Used by Bots to Detect Public IP address, (Mon, Feb 6th) ∗∗∗ --------------------------------------------- Many of the bots I am observing attempt to detect the infected system&#;x26;#;39;s public ("WAN") IP address. Most of these systems are assumed to be behind NAT. To detect the external IP address, these bots use various public APIs. It may be helpful to detect these requests. Many use unique host names. This will make detecting the request in DNS logs easy even if TLS is not intercepted. --------------------------------------------- https://isc.sans.edu/diary/rss/29516 ∗∗∗ Android Security Bulletin—February 2023 ∗∗∗ --------------------------------------------- The Android Security Bulletin contains details of security vulnerabilities affecting Android devices. Security patch levels of 2023-02-05 or later address all of these issues. [..] The most severe of these issues is a high security vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. --------------------------------------------- https://source.android.com/docs/security/bulletin/2023-02-01 ∗∗∗ Discovering a weakness leading to a partial bypass of the login rate limiting in the AWS Console ∗∗∗ --------------------------------------------- AWS applies a rate limit to authentication requests made to the AWS Console, in an effort to prevent brute-force and credential stuffing attacks. In this post, we discuss a weakness we discovered in the AWS Console authentication flow that allowed us to partially bypass this rate limit and continuously attempt more than 280 passwords per minute (4.6 per second). The weakness was since mitigated by AWS. --------------------------------------------- https://securitylabs.datadoghq.com/articles/aws-console-rate-limit-bypass/ ∗∗∗ Smishing: Vorsicht vor Fake Magenta-SMS ∗∗∗ --------------------------------------------- Momentan sind vermehrt gefälschte Magenta-SMS im Umlauf. In der Nachricht wird behauptet, dass Ihre Rechnung nicht beglichen werden konnte. Klicken Sie nicht auf den Link – dieser führt zu einer gefälschten Magenta-Seite, wo Kriminelle Ihre Daten und Ihr Geld stehlen. --------------------------------------------- https://www.watchlist-internet.at/news/smishing-vorsicht-vor-diesem-fake-ma… ∗∗∗ Saferinternet.at-Studie: Jugendliche und Falschinformationen im Internet ∗∗∗ --------------------------------------------- Anlässlich des heutigen Safer Internet Day führte Saferinternet.at eine Studie zum Thema „Jugendliche und Falschinformationen im Internet“ durch. Die Studienergebnisse zeigen, dass Österreichs Jugendliche beim Umgang mit Informationen im Internet in einem Dilemma stecken: Die Jugendlichen informieren sich zu Alltagsthemen vor allem über soziale Medien, vertrauen den dort bezogenen Informationen jedoch kaum. --------------------------------------------- https://www.watchlist-internet.at/news/studie-jugendliche-und-falschinforma… ∗∗∗ Safer Internet Day: FAQ Internetsicherheit für Kinder und Jugendliche ∗∗∗ --------------------------------------------- Im Internet lauern für Heranwachsende viele Gefahren, die sie noch nicht einschätzen können. Mit Wissensvermittlung und Tools können sie geschützt werden. --------------------------------------------- https://heise.de/-7333482 ∗∗∗ This notorious ransomware has now found a new target ∗∗∗ --------------------------------------------- The authors of Clop ransomware are experimenting with a Linux variant - a warning that multiple different platforms are in the sights of cyber extortionists. --------------------------------------------- https://www.zdnet.com/article/this-notorious-ransomware-is-now-targeting-li… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-094: Netatalk dsi_writeinit Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-094/ ∗∗∗ TYPO3-CORE-SA-2023-001: Persisted Cross-Site Scripting in Frontend Rendering ∗∗∗ --------------------------------------------- Subcomponent: Frontend Rendering (ext:frontend, ext:core) Affected Versions: 8.7.0-8.7.50, 9.0.0-9.5.39, 10.0.0-10.4.34, 11.0.0-11.5.22, 12.0.0-12.1.3 Severity: High References: CVE-2023-24814, CWE-79 --------------------------------------------- https://typo3.org/security/advisory/typo3-core-sa-2023-001 ∗∗∗ Multiple DMS XSS (CVE-2022-47412 through CVE-20222-47419) ∗∗∗ --------------------------------------------- Through the course of routine security testing and analysis, Rapid7 has discovered several issues in on-premises installations of open source and freemium Document Management System (DMS) offerings from four vendors. ONLYOFFICE, OpenKM, LogicalDOC, Mayan [..] Unfortunately, none of these vendors were able to respond to Rapid7's disclosure outreach --------------------------------------------- https://www.rapid7.com/blog/post/2023/02/07/multiple-dms-xss-cve-2022-47412… ∗∗∗ OpenSSL Security Advisory [7th February 2023] ∗∗∗ --------------------------------------------- * Severity: High - X.400 address type confusion in X.509 GeneralName (CVE-2023-0286): [...] this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. * Severity: Moderate - CVE-2022-4304, CVE-2022-4203, CVE-2023-0215, CVE-2022-4450, CVE-2023-0216, CVE-2023-0217, CVE-2023-0401 --------------------------------------------- https://www.openssl.org/news/secadv/20230207.txt ∗∗∗ Dateiübertragungslösung: Zero-Day-Lücke in GoAnywhere-MFT-Servern ∗∗∗ --------------------------------------------- Angreifer haben es derzeit auf Server mit GoAnywhere MFT abgesehen. Bislang gibt es kein Sicherheitsupdate. Eine temporäre Übergangslösung sichert Systeme ab. --------------------------------------------- https://heise.de/-7487393 ∗∗∗ VMSA-2023-0003 ∗∗∗ --------------------------------------------- CVSSv3 Range: 7.8 CVE(s): CVE-2023-20854 Synopsis: VMware Workstation update addresses an arbitrary file deletion vulnerability (CVE-2023-20854) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0003.html ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (graphite-web, openjdk-11, webkit2gtk, wpewebkit, and xorg-server), Mageia (advancecomp, apache, dojo, git, java/timezone, libtiff, libxpm, netatalk, nodejs-minimist, opusfile, python-django, python-future, python-mechanize, ruby-sinatra, sofia-sip, thunderbird, and tigervnc), Oracle (git and thunderbird), Red Hat (git, libksba, rh-git227-git, rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon, and thunderbird), SUSE (apache2, nginx, php8-pear, redis, rubygem-activesupport-5_1, rubygem-rack, sssd, xorg-x11-server, and xwayland), and Ubuntu (tmux). --------------------------------------------- https://lwn.net/Articles/922519/ ∗∗∗ Ichiran App vulnerable to improper server certificate verification ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN11257333/ ∗∗∗ Cisco IOx Application Hosting Environment Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ EnOcean SmartServer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-23-037-01 ∗∗∗ IBM Security Verify Governance, Identity Manager software component is affected by a vulnerabilitiy CVE-2023-23477 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953461 ∗∗∗ Multiple Vulnerabilities in IBM\u00ae Java SDK affect IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to the October 2022 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6839565 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953483 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Buinses Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Denial of Service vulnerability affects IBM Business Automation Workflow - CVE-2022-25887 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6952745 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Automation Workflow (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953497 ∗∗∗ Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package(CVE-2022-26336) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953525 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953557 ∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms Oct 2022 CPU (CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953559 ∗∗∗ IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to bypassing security restrictions, denial of service attacks, and data integrity impacts due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953579 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to IBM Runtime Environment Java Technology Edition (CVE-2022-21626) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953583 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953587 ∗∗∗ IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953589 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily