=====================
= End-of-Day report =
=====================
Timeframe: Montag 16-01-2023 18:00 − Dienstag 17-01-2023 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Finding that one GPO Setting in a Pool of Hundreds of GPOs, (Tue, Jan 17th) ∗∗∗
---------------------------------------------
I had a call recently from a client, they were looking for which Group Policy in their AD had a specific setting in it.
---------------------------------------------
https://isc.sans.edu/diary/rss/29442
∗∗∗ The misadventures of an SPF record ∗∗∗
---------------------------------------------
I ran a scan against the three million most visited domains and discovered that the Ukrainian MoD, MIT, University, University of Miami, along with 1000+ other domains had mistakenly used the “+all” SPF mechanism at the end of their respective SPF records - effectively meaning any public IP address can send SPF authenticated emails on their behalf.
---------------------------------------------
https://caniphish.com/phishing-resources/blog/scanning-spf-records
∗∗∗ Windows: Verschwundene Start-Menüs und Taskbars sorgen für Verwirrung ∗∗∗
---------------------------------------------
Update 16.01.2023 07:44 Uhr: Microsoft hat inzwischen einen Support-Artikel in der Techcommunity herausgegeben, der PowerShell-Skripte und Anleitungen zur automatischen Ausführung für IT-Verantwortliche enthält, die zumindest einen Teil von gelöschten Verknüpfungen wiederherstellen können sollen.
---------------------------------------------
https://www.heise.de/news/Windows-Verschwundene-Start-Menues-und-Taskbars-s…
∗∗∗ Beware of DDosia, a botnet created to facilitate DDoS attacks ∗∗∗
---------------------------------------------
The DDosia project is a successor of the Bobik botnet linked to the pro-Russian hacker group called NoName(057)16, as revealed in a recent analysis by Avast researcher Martin Chlumecky.
---------------------------------------------
https://blog.avast.com/ddosia-project
∗∗∗ The prevalence of RCE exploits and what you should know about RCEs ∗∗∗
---------------------------------------------
Recent headlines have indicated that some major companies were affected by Remote Code Execution (RCE) vulnerabilities, just in the month of October. RCE flaws are largely exploited in the wild, and organizations are continually releasing patches to mitigate the problem.
---------------------------------------------
https://www.tripwire.com/state-of-security/prevalence-rce-exploits-and-what…
∗∗∗ Attackers Can Abuse GitHub Codespaces for Malware Delivery ∗∗∗
---------------------------------------------
A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery, Trend Micro reports.
---------------------------------------------
https://www.securityweek.com/attackers-can-abuse-github-codespaces-malware-…
∗∗∗ Gefälschtes Post-SMS im Umlauf ∗∗∗
---------------------------------------------
Kriminelle versenden per SMS gefälschte Paket-Benachrichtigungen. Darin steht, dass Ihr Paket im Sortierzentrum angekommen ist und Sie noch Importkosten zahlen müssen. Klicken Sie nicht auf den Link. Sie werden auf eine gefälschte Post-Seite geführt, wo Kriminelle Ihre Daten stehlen.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-post-sms-im-umlauf/
∗∗∗ Batloader Malware Abuses Legitimate Tools, Uses Obfuscated JavaScript Files in Q4 2022 Attacks ∗∗∗
---------------------------------------------
We discuss the Batloader malware campaigns we observed in the last quarter of 2022, including our analysis of Water Minyades-related events.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/batloader-malware-abuses-leg…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft resolves four SSRF vulnerabilities in Azure cloud services ∗∗∗
---------------------------------------------
Microsoft recently fixed a set of Server-Side Request Forgery (SSRF) vulnerabilities in four Azure services (Azure API Management, Azure Functions, Azure Machine Learning, and Azure Digital Twins) reported by Orca Security.
---------------------------------------------
https://msrc-blog.microsoft.com/2023/01/17/microsoft-resolves-four-ssrf-vul…
∗∗∗ Attacken auf kritische Lücke in ManageEngine-Produkte von Zoho bald möglich ∗∗∗
---------------------------------------------
Angreifer könnten ManageEngine-Produkte wie Access Manager Plus und Password Manager Pro mit Schadcode attackieren.
---------------------------------------------
https://heise.de/-7461118
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (tor) and SUSE (python-setuptools, python36-setuptools, and tor).
---------------------------------------------
https://lwn.net/Articles/920217/
∗∗∗ Schwere Sicherheitslücke in InRouter-Firmware von InHand Networks bedroht Roboter, Stromzähler, med. Geräte etc. ∗∗∗
---------------------------------------------
Sicherheitsforscher sind auf eine schwere Sicherheitslücke Schwachstelle CVE-2023-22598 in der InRouter-Firmware des Herstellers InHand Networks GmbH gestoßen.
---------------------------------------------
https://www.borncity.com/blog/2023/01/17/schwere-sicherheitslcken-inrouter-…
∗∗∗ LDAP-Schwachstellen: Domain Controller mit Januar 2023-Updates patchen ∗∗∗
---------------------------------------------
Noch ein kleiner Nachtrag zum Januar 2023-Patchday (10. Januar 2023). Administratoren sollten sich darum kümmern, dass ihre als Domain Controller fungierenden Windows Server auf dem aktuellen Patchstand sind. Denn mit den Januar 2023-Updates wurden zwei gravierende Schwachstellen im Lightweight Directory Access Protocol (LDAP) geschlossen.
---------------------------------------------
https://www.borncity.com/blog/2023/01/17/ldap-schwachstellen-domain-control…
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.7 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-02/
∗∗∗ Security Vulnerabilities fixed in Firefox 109 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2023-01/
∗∗∗ A vulnerability in IBM Java Runtime affects SPSS Collaboration and Deployment Services (CVE-2021-28167) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855731
∗∗∗ There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-22939, CVE-2021-22931, CVE-2020-7598) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855777
∗∗∗ Due to the use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to denial of service (CVE-2021-43859) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855831
∗∗∗ AIX is vulnerable to a buffer overflow due to X11 (CVE-2022-47990) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855827
∗∗∗ IBM Robotic Process Automation is vulnerable to Cross-Site Scripting. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6855835
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 13-01-2023 18:00 − Montag 16-01-2023 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Jetzt patchen! Viele Cacti-Server öffentlich erreichbar und verwundbar ∗∗∗
---------------------------------------------
Sicherheitsforscher stoßen auf tausende über das Internet erreichbare Server mit dem IT-Monitoring-Tool Cacti. Zahlreiche Instanzen wurden noch nicht gepatcht.
---------------------------------------------
https://heise.de/-7459904
∗∗∗ CircleCI-Hack: 2FA-Zugangsdaten von Mitarbeiter ergaunert ∗∗∗
---------------------------------------------
Die Betreiber der Cloud-basierten Continuous-Integration-Plattform CircleCI haben ihren Bericht über den Sicherheitsvorfall veröffentlicht.
---------------------------------------------
https://heise.de/-7460123
∗∗∗ Gefälschte Job-Angebote im Namen der Wirtschafskammer auf Facebook ∗∗∗
---------------------------------------------
Auf Facebook kursieren gefälschte Jobangebote im Namen der Wirtschaftskammer Österreich. Die Anzeigen versprechen Gehälter zwischen 50 und 200 Euro pro Stunde. Die Wirtschaftskammern selbst warnen bereits auf Facebook vor den gefälschten Stellenangeboten. Bewerben Sie sich nicht und klicken Sie nicht auf den Link!
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-job-angebote-im-namen-de…
∗∗∗ Avast releases free BianLian ransomware decryptor ∗∗∗
---------------------------------------------
Security software company Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/avast-releases-free-bianlian…
∗∗∗ Malicious ‘Lolip0p’ PyPi packages install info-stealing malware ∗∗∗
---------------------------------------------
A threat actor has uploaded to the PyPI (Python Package Index) repository three malicious packages that carry code to drop info-stealing malware on developers systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-lolip0p-pypi-packa…
∗∗∗ PSA: Why you must run an ad blocker when using Google, (Mon, Jan 16th) ∗∗∗
---------------------------------------------
Today, I just have a short public service announcement: You MUST run an adblocker while using Google. It may be best just to keep the adblocker enabled all the time.
---------------------------------------------
https://isc.sans.edu/diary/rss/29438
∗∗∗ Beware: Tainted VPNs Being Used to Spread EyeSpy Surveillanceware ∗∗∗
---------------------------------------------
Tainted VPN installers are being used to deliver a piece of surveillanceware dubbed EyeSpy as part of a malware campaign that started in May 2022.
---------------------------------------------
https://thehackernews.com/2023/01/beware-tainted-vpns-being-used-to.html
∗∗∗ Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software ∗∗∗
---------------------------------------------
A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020.
---------------------------------------------
https://thehackernews.com/2023/01/raccoon-and-vidar-stealers-spreading.html
∗∗∗ Hacked! My Twitter user data is out on the dark web -- now what? ∗∗∗
---------------------------------------------
Your Twitter user data may now be out there too, including your phone number. Heres how to check and what you can do about it.
---------------------------------------------
https://www.zdnet.com/article/hacked-my-twitter-user-data-is-out-on-the-dar…
∗∗∗ Vulnerability Spotlight: Integer and buffer overflow vulnerabilities found in QT QML ∗∗∗
---------------------------------------------
Cisco ASIG and Cisco Talos recently discovered code execution vulnerabilities in QT QML. Qt is a popular software suite primarily used to create graphical user interfaces. It also contains several supporting libraries which all [...]
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-integer-and-buff…
=====================
= Vulnerabilities =
=====================
∗∗∗ PoC exploits released for critical bugs in popular WordPress plugins ∗∗∗
---------------------------------------------
Three popular WordPress plugins with tens of thousands of active installations are vulnerable to high-severity or critical SQL injection vulnerabilities, with proof-of-concept exploits now publicly available.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/poc-exploits-released-for-cr…
∗∗∗ Webbrowser: Microsoft Edge-Update schließt hochriskante Lücken ∗∗∗
---------------------------------------------
Microsoft hat in einem Update des Webbrowsers Edge Sicherheitslücken aus dem Chromium-Projekt abgedichtet. Sie schließt auch weitere hochriskante Lücken.
---------------------------------------------
https://heise.de/-7459742
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, lava, libapreq2, net-snmp, node-minimatch, and openvswitch), Fedora (jpegoptim, kernel, kernel-headers, kernel-tools, and python2.7), Mageia (ctags, ffmpeg, minetest, python-gitpython, w3m, and xrdp), Oracle (kernel), Red Hat (dpdk and libxml2), Slackware (netatalk), SUSE (apptainer, chromium, libheimdal, python-wheel, python310-setuptools, and SDL2), and Ubuntu (linux-aws, linux-gcp-4.15, maven, and net-snmp).
---------------------------------------------
https://lwn.net/Articles/920120/
∗∗∗ Nach RemotePotato0 kommt die Windows Local Potato NTLM-Schwachstelle (CVE-2023-21746) ∗∗∗
---------------------------------------------
Im April 2021 hatten Sicherheitsforscher eine Privilege Escalation Schwachstelle im Windows RPC-Protokoll entdeckt, der eine lokale Privilegienerweiterung durch NTLM-Relay-Angriffe ermöglichte. Nun scheint ein Sicherheitsforscher auf eine nicht so bekannte Möglichkeit zur Durchführung von NTLM Reflection-Angriffen gestoßen zu sein, die er [...]
---------------------------------------------
https://www.borncity.com/blog/2023/01/15/nach-remotepotato0-kommt-die-windo…
∗∗∗ IBM Security Bulletins 2023-01-16 ∗∗∗
---------------------------------------------
IBM App Connect Enterprise, IBM® Engineering Lifecycle Engineering products, IBM Integration Bus, IBM Maximo Asset Management, IBM MQ Internet Pass-Thru, IBM QRadar SIEM, IBM Sterling Partner Engagement Manager, IBM Tivoli Application Dependency Discovery Manager (TADDM), IBM Tivoli Netcool Configuration Manager, IBM Tivoli Network Manager (ITNM), IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM), Rational Functional Tester
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ HIMA: unquoted path vulnerabilities in X-OPC and X-OTS ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-059/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 12-01-2023 18:00 − Freitag 13-01-2023 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Fortinet says hackers exploited critical vulnerability to infect VPN customers ∗∗∗
---------------------------------------------
Remote code-execution bug was exploited to backdoor vulnerable servers.
---------------------------------------------
https://arstechnica.com/?p=1909594
∗∗∗ NortonLifeLock warns that hackers breached Password Manager accounts ∗∗∗
---------------------------------------------
Gen Digital, formerly Symantec Corporation and NortonLifeLock, is sending data breach notifications to customers, informing them that hackers have successfully breached Norton Password Manager accounts in credential-stuffing attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/nortonlifelock-warns-that-ha…
∗∗∗ Malware: Android-TV-Box mit vorinstallierter Schadsoftware gekauft ∗∗∗
---------------------------------------------
Auf Amazon hat ein Sicherheitsforscher eine Android-TV-Box gekauft - und entdeckte eine tief ins System integrierte Schadsoftware.
---------------------------------------------
https://www.golem.de/news/malware-android-tv-box-mit-vorinstallierter-schad…
∗∗∗ Cybercriminals Using Polyglot Files in Malware Distribution to Fly Under the Radar ∗∗∗
---------------------------------------------
Remote access trojans such as StrRAT and Ratty are being distributed as a combination of polyglot and malicious Java archive (JAR) files, once again highlighting how threat actors are continuously finding new ways to fly under the radar.
---------------------------------------------
https://thehackernews.com/2023/01/cybercriminals-using-polyglot-files-in.ht…
∗∗∗ Keeping the wolves out of wolfSSL ∗∗∗
---------------------------------------------
Trail of Bits is publicly disclosing four vulnerabilities that affect wolfSSL: CVE-2022-38152, CVE-2022-38153, CVE-2022-39173, and CVE-2022-42905. The four issues, which have CVSS scores ranging from medium to critical, can all result in a denial of service (DoS).
---------------------------------------------
https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-f…
∗∗∗ Bad things come in large packages: .pkg signature verification bypass on macOS ∗∗∗
---------------------------------------------
Besides signing applications, it is also possible to sign installer packages (.pkg files). During a short review of the xar source code, we found a vulnerability (CVE-2022-42841) that could be used to modify a signed installer package without invalidating its signature. This vulnerability could be abused to bypass Gatekeeper, SIP and under certain conditions elevate privileges to root. [..] This was fixed by Apple with a 2 character fix: changing uint32_t to uint64_t in macOS 13.1.
---------------------------------------------
https://sector7.computest.nl/post/2023-01-xar/
∗∗∗ Crassus Windows privilege escalation discovery tool ∗∗∗
---------------------------------------------
Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal.
---------------------------------------------
https://github.com/vullabs/Crassus
∗∗∗ Cyber-Attacken auf kritische Lücke in Control Web Panel ∗∗∗
---------------------------------------------
Cyberkriminelle greifen eine kritische Sicherheitslücke in CWP (Control Web Panel, ehemals CentOS Web Panel) an. Sie kompromittieren die verwundbaren Systeme.
---------------------------------------------
https://heise.de/-7458440
∗∗∗ Red Hat ergänzt Malware-Erkennungsdienst für RHEL ∗∗∗
---------------------------------------------
Im Rahmen von Red Hat Insights ergänzt das Unternehmen nun einen Malware-Erkennungsdienst. Der ist für RHEL 8 und 9 verfügbar.
---------------------------------------------
https://heise.de/-7458189
∗∗∗ Most Cacti Installations Unpatched Against Exploited Vulnerability ∗∗∗
---------------------------------------------
Most internet-exposed Cacti installations have not been patched against a critical-severity command injection vulnerability that is being exploited in attacks.
---------------------------------------------
https://www.securityweek.com/most-cacti-installations-unpatched-against-exp…
∗∗∗ Bestellen Sie nicht auf Cardione.at! ∗∗∗
---------------------------------------------
Cardione ist ein Nahrungsergänzungsmittel, das angeblich bei Bluthochdruck helfen soll. Cardione.at wirbt mit gefälschten Empfehlungen eines Arztes, es gibt keine Impressums- oder sonstige Unternehmensdaten. Wir raten: Bestellen Sie keine Cardione Tabletten!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-bestellung-auf-cardione…
∗∗∗ Fake-Shop alvensleben.net imitiert Sofortüberweisung und fragt TANs ab! ∗∗∗
---------------------------------------------
Nehmen Sie sich vor Fake-Shops wie alvensleben.net in Acht. Der Shop hat insbesondere Kinderspielzeug, Brettspiele und Sportgeräte im Sortiment, bietet aber auch Gartenmöbel und Klettergerüste sowie Bettwäsche an. Bezahlt werden soll per Sofortüberweisung. Achtung: Die Daten werden nicht an den Zahlungsdienstleister weitergeleitet, sondern von den Kriminellen abgegriffen. Später werden Sie zur Übermittlung von TAN-Codes überredet und dadurch um Ihr Geld gebracht!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-alvenslebennet-imitiert-so…
∗∗∗ Microsoft ASR/Defender Update kann Desktop-/Startmenü-Verknüpfungen löschen ∗∗∗
---------------------------------------------
Wie aktuell in mehreren Medien berichtet wird, scheint das letzte Update von MS ASR/Defender Auswirkungen auf Desktop-/Startmenüverknüpfungen zu haben, und kann unter anderem dazu führen dass O365 Applikationen nicht mehr gestartet werden können. Gängiger Workaround scheint momentan zu sein, die entsprechenden Regeln auf "Audit" zu setzen. Microsoft hat die Regel wieder entfernt, es kann aber noch dauern, bis das global wirksam wird. Inzwischen wird empfohlen, im Admin Center auf SI MO497128 zu schauen.
---------------------------------------------
https://cert.at/de/aktuelles/2023/1/microsoft-asrdefender-update-kann-deskt…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (cacti, cacti-spine, mbedtls, postgresql-jdbc, and rust), Oracle (.NET 6.0, dbus, expat, grub2, kernel, kernel-container, libtasn1, libtiff, sqlite, and usbguard), Red Hat (rh-postgresql10-postgresql), SUSE (php7), and Ubuntu (heimdal, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-hwe-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi,, linux, linux-aws, linux-aws-hwe, linux-azure, [...]
---------------------------------------------
https://lwn.net/Articles/919907/
∗∗∗ IBM Security Bulletins 2023-01-13 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Data, IBM Cloud Pak for Security, IBM Security Verify Access Appliance, IBM Watson Speech Services, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Watson Text to Speech and Speech to Text (IBM Watson™ Speech Services 1.1), ICP Speech to Text and Text to Speech
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ CISA Releases Twelve Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/cisa-releases-twe…
∗∗∗ Juniper Networks Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/12/juniper-networks-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 11-01-2023 18:00 − Donnerstag 12-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Konten leergeräumt: Neue Phishing-Welle mit Apple Pay ∗∗∗
---------------------------------------------
Mit einem ausgeklügelten Trick versuchen Kriminelle an Kreditkartendaten zu kommen. Wer Grundlegendes beachtet, ist allerdings ausreichend geschützt.
---------------------------------------------
https://futurezone.at/digital-life/apple-pay-phishing-welle-mail-kreditkart…
∗∗∗ Hack: Sicherheitslücke in SugarCRM-Servern wird aktiv ausgenutzt ∗∗∗
---------------------------------------------
Etliche SugarCRM-Server in den USA und Deutschland wurden schon gehackt. Ein Hotfix wurde bereits veröffentlicht.
---------------------------------------------
https://www.golem.de/news/hack-sicherheitsluecke-in-sugarcrm-servern-wird-a…
∗∗∗ Alert: Hackers Actively Exploiting Critical "Control Web Panel" RCE Vulnerability ∗∗∗
---------------------------------------------
Malicious actors are actively attempting to exploit a recently patched critical vulnerability in Control Web Panel (CWP) that enables elevated privileges and unauthenticated remote code execution (RCE) on susceptible servers.
---------------------------------------------
https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html
∗∗∗ New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors ∗∗∗
---------------------------------------------
A new analysis of Raspberry Robins attack infrastructure has revealed that its possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat.
---------------------------------------------
https://thehackernews.com/2023/01/new-analysis-reveals-raspberry-robin.html
∗∗∗ IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours ∗∗∗
---------------------------------------------
A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access.
---------------------------------------------
https://thehackernews.com/2023/01/icedid-malware-strikes-again-active.html
∗∗∗ Prowler v3: AWS & Azure security assessments ∗∗∗
---------------------------------------------
Prowler is an open source security tool to perform AWS and Azure security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. Prowler v3 is now multi-cloud with Azure added as the second supported cloud provider.
---------------------------------------------
https://isc.sans.edu/diary/rss/29430
∗∗∗ Exfiltration Over a Blocked Port on a Next-Gen Firewall ∗∗∗
---------------------------------------------
[..] all successfully exfiltrated data packets were in small formats [..], smaller than the MTU (maximum transmit unit). This meant that these data types could only be exfiltrated in single packets, rather than multiple, to avoid exceeding the MTU size. When asked about this finding, the NG-FW vendor acknowledged that "to determine which application is being used, and whether the session aligned with the protocol’s standard, the NG-FW must allow at least one packet to pass."
---------------------------------------------
https://cymulate.com/blog/data-exfiltration-firewall/
∗∗∗ Kritische Sicherheitslücke bedroht End-of-Life-Router von Cisco ∗∗∗
---------------------------------------------
Der Netzwerkausrüster Cisco hat wichtige Sicherheitsupdates für etwa verschiedene Router, IP-Telefone und Webex veröffentlicht.
---------------------------------------------
https://heise.de/-7456480
∗∗∗ AI-generated phishing attacks are becoming more convincing ∗∗∗
---------------------------------------------
Its time for you and your colleagues to become more skeptical about what you read. Thats a takeaway from a series of experiments undertaken using GPT-3 AI text-generating interfaces to create malicious messages designed to spear-phish, scam, harrass, and spread fake news. Experts at WithSecure have described their investigations into just how easy it is to automate the creation of credible yet malicious content at incredible speed.
---------------------------------------------
https://www.tripwire.com/state-of-security/ai-generated-phishing-attacks-ar…
∗∗∗ Threema Under Fire After Downplaying Security Research ∗∗∗
---------------------------------------------
The developers of the open source secure messaging app Threema have come under fire over their public response to a security analysis conducted by researchers at the Swiss university ETH Zurich.
---------------------------------------------
https://www.securityweek.com/threema-under-fire-after-downplaying-security-…
∗∗∗ SCCM Site Takeover via Automatic Client Push Installation ∗∗∗
---------------------------------------------
tl;dr: Install hotfix KB15599094 and disable NTLM for client push installation.
---------------------------------------------
https://posts.specterops.io/sccm-site-takeover-via-automatic-client-push-in…
∗∗∗ Gefährliche Fehlkonfigurationen von Active Directory-Dienstkonten ∗∗∗
---------------------------------------------
Das Identifizieren von Schwachstellen in der AD-Konfiguration kann sich als Albtraum erweisen, warnt Gastautor Guido Grillenmeier von Semperis.
---------------------------------------------
https://www.zdnet.de/88406475/gefaehrliche-fehlkonfigurationen-von-active-d…
∗∗∗ Microsoft Exchange Januar 2023 Patchday-Nachlese: Dienste starten nicht etc. ∗∗∗
---------------------------------------------
Zum 10. Januar 2023 (Patchday) hat Microsoft Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software, haben aber bekannte Fehler und verursachen neue neue Probleme bei der Installation. Hier ein kurzer Überblick über den Sachstand.
---------------------------------------------
https://www.borncity.com/blog/2023/01/12/microsoft-exchange-januar-2023-pat…
∗∗∗ What is Red Teaming & How it Benefits Orgs ∗∗∗
---------------------------------------------
Running real-world attack simulations can help improve organizations cybersecurity resilience
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/what-is-red-teaming.html
∗∗∗ Shodan Verified Vulns 2023-01-01 ∗∗∗
---------------------------------------------
Mit Stand 2023-01-01 sieht Shodan in Österreich die folgenden Schwachstellen: [...]
---------------------------------------------
https://cert.at/de/aktuelles/2023/1/shodan-verified-vulns-2023-01-01
=====================
= Vulnerabilities =
=====================
∗∗∗ Private Taxonomy Terms - Moderately critical - Access bypass - SA-CONTRIB-2023-001 ∗∗∗
---------------------------------------------
Description: This module enables users to create private vocabularies. The module doesnt enforce permissions appropriately for the taxonomy overview page and overview form.
---------------------------------------------
https://www.drupal.org/sa-contrib-2023-001
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (emacs, libxstream-java, and netty), Fedora (mingw-binutils, pgadmin4, phoronix-test-suite, vim, and yarnpkg), Red Hat (.NET 6.0, dbus, expat, java-1.8.0-ibm, kernel, kernel-rt, kpatch-patch, libreoffice, libtasn1, libtiff, postgresql:10, sqlite, systemd, usbguard, and virt:rhel and virt-devel:rhel), and SUSE (net-snmp, openstack-barbican, openstack-barbican, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-neutron, [...]
---------------------------------------------
https://lwn.net/Articles/919785/
∗∗∗ TP-Link SG105PE vulnerable to authentication bypass ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN78481846/
∗∗∗ WAGO: Unauthenticated Configuration Export in web-based management in multiple devices ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-054/
∗∗∗ Visual Studio Code Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21779
∗∗∗ Security vulnerability in Apache CXF affects IBM InfoSphere Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854685
∗∗∗ Multiple Vulnerabilities in Java and Node.js packages affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854713
∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854647
∗∗∗ Vulnerabilities in IBM Java Runtime affect IBM WebSphere Application Servers used by IBM Master Data Management (CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854595
∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering products using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851835
∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution, sensitive information exposure and unauthorized access due to PostgreSQL ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854915
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation Application Manager (CVE-2021-41041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854927
∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to arbitrary code execution due to [CVE-2022-25893] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854929
∗∗∗ Multiple vulnerabilities in IBM Java - OpenJ9 affect IBM Tivoli System Automation for Multiplatforms (CVE-2021-41041) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854931
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 10-01-2023 18:00 − Mittwoch 11-01-2023 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Lorenz ransomware gang plants backdoors to use months later ∗∗∗
---------------------------------------------
Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lorenz-ransomware-gang-plant…
∗∗∗ Bad Paths & The Importance of Using Valid URL Characters ∗∗∗
---------------------------------------------
To ensure that your web files and pages are accessible to a wide range of users with various different devices and operating systems, it’s important to use valid URL characters. Unsafe characters are known to cause compatibility issues with various browser clients, web servers, and even lead to incompatibility issues with web application firewalls.
---------------------------------------------
https://blog.sucuri.net/2023/01/bad-paths-the-importance-of-using-valid-url…
∗∗∗ Gefälschte Telegram-App spioniert unter Android ∗∗∗
---------------------------------------------
IT-Forscher von Eset haben eine gefälschte Telegram-App aufgespürt, die ihre Opfer umfassend ausspioniert. Sie wird jedoch außerhalb von Google Play verteilt.
---------------------------------------------
https://heise.de/-7455996
∗∗∗ Cybercrime Group Exploiting Old Windows Driver Vulnerability to Bypass Security Products ∗∗∗
---------------------------------------------
A cybercrime group tracked as Scattered Spider has been observed exploiting an old vulnerability in an Intel Ethernet diagnostics driver for Windows in recent attacks on telecom and BPO firms.
---------------------------------------------
https://www.securityweek.com/cybercrime-group-exploiting-old-windows-driver…
∗∗∗ SMB “Access is denied” caused by anti-NTLM relay protection ∗∗∗
---------------------------------------------
We investigated a situation where an SMB client could not connect to an SMB server. The SMB server returned an “Access Denied” during the NTLM authentication, even though the credentials were correct and there were no restrictions on both the server-side share and client-side (notably UNC Hardened Access).
---------------------------------------------
https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntl…
∗∗∗ Dark Pink ∗∗∗
---------------------------------------------
New APT hitting Asia-Pacific, Europe that goes deeper and darker
---------------------------------------------
https://blog.group-ib.com/dark-pink-apt
=====================
= Vulnerabilities =
=====================
∗∗∗ Webbrowser: 17 Sicherheitslücken in Google Chrome gestopft ∗∗∗
---------------------------------------------
Das erste Update des Jahres hievt den Webbrowser Chrome auf Stand 109. Die Entwickler schließen darin 17 Schwachstellen, von denen einige hochriskant sind.
---------------------------------------------
https://heise.de/-7455130
∗∗∗ Patchday: Schadcode-Attacken auf Adobe InCopy und InDesign möglich ∗∗∗
---------------------------------------------
Die Entwickler von Adobe haben in mehreren Anwendungen gefährliche Sicherheitslücken geschlossen.
---------------------------------------------
https://heise.de/-7455222
∗∗∗ Patchday: Angreifer verschaffen sich unter Windows System-Rechte ∗∗∗
---------------------------------------------
Microsoft hat wichtige Sicherheitsupdates für unter anderem Exchange Server, Office und Windows veröffentlicht.
---------------------------------------------
https://heise.de/-7455122
∗∗∗ Exploit-Code gesichtet: Attacken auf IT-Monitoring-Tool Cacti möglich ∗∗∗
---------------------------------------------
Angreifer könnten an einer kritischen Sicherheitslücke in Cacti ansetzen und Schadcode auf Servern ausführen.
---------------------------------------------
https://heise.de/-7455833
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (exiv2, hsqldb, libjettison-java, ruby-sinatra, and viewvc), Fedora (golang-github-docker, mbedtls, and vim), Gentoo (alpine, commons-text, jupyter_core, liblouis, mbedtls, ntfs3g, protobuf-java, scikit-learn, and twisted), Red Hat (kernel and kpatch-patch), SUSE (rubygem-activerecord-5.2, tiff, and webkit2gtk3), and Ubuntu (dotnet6, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-oracle, linux-ibm, and linux-oem-5.17, linux-oem-6.0).
---------------------------------------------
https://lwn.net/Articles/919649/
∗∗∗ Unpatchable Hardware Vulnerability Allows Hacking of Siemens PLCs ∗∗∗
---------------------------------------------
Researchers at firmware security company Red Balloon Security have discovered a potentially serious vulnerability affecting many of Siemens’ programmable logic controllers (PLCs).
---------------------------------------------
https://www.securityweek.com/unpatchable-hardware-vulnerability-allows-hack…
∗∗∗ Exchange Server Sicherheitsupdates (10. Januar 2023), dringend patchen ∗∗∗
---------------------------------------------
Microsoft hat zum 10. Januar 2023 Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. Diese Sicherheitsupdates schließen zwei Schwachstellen (Elevation of Privilege und Spoofing) in dieser Software.
---------------------------------------------
https://www.borncity.com/blog/2023/01/11/exchange-server-sicherheitsupdates…
∗∗∗ AMD Client Vulnerabilities - January 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500539-AMD-CLIENT-VULNERABILIT…
∗∗∗ AMD Server Vulnerabilities - January 2023 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500538-AMD-SERVER-VULNERABILIT…
∗∗∗ Multiple Vulnerabilities in IBM Java SDK affects Liberty for Java for IBM Cloud due to the October 2022 CPU plus CVE-2022-3676 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854413
∗∗∗ Vulnerability in IBM WebSphere Liberty Profile affects IBM InfoSphere Identity Insight (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854451
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to an OpenSSL vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854571
∗∗∗ IBM Security Verify Governance is vulnerable to denial of service due to OpenSSL as a part of Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854575
∗∗∗ IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6854577
∗∗∗ The IBM Engineering System Design Rhapsody products on IBM Jazz Technology contains additional security fixes for Log4j vulnerabilities CVE-2021-4104 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6825215
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 09-01-2023 18:00 − Dienstag 10-01-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Interview: Sönke Huster über Lücken im WLAN-Stack des Linux-Kernels ∗∗∗
---------------------------------------------
Sönke Huster hat Sicherheitslücken im WLAN-Stack des Linux-Kernels gefunden, die einen Angriff theoretisch ermöglichen, nur weil das WLAN eingeschaltet ist.
---------------------------------------------
https://heise.de/-7447684
∗∗∗ Meeting-Client Zoom unter Android, macOS und Windows angreifbar ∗∗∗
---------------------------------------------
Nach erfolgreichen Attacken auf Zoom Rooms könnten sich Angreifer etwa unter macOS Root-Rechte verschaffen. Sicherheitsupdates sind verfügbar.
---------------------------------------------
https://heise.de/-7453606
∗∗∗ Sourcecode-Editor Visual Studio Code: Fake Extensions lassen sich leicht tarnen ∗∗∗
---------------------------------------------
Sicherheitsforscher haben eine als Prettier getarnte Erweiterung im Marktplatz veröffentlicht, die es auf gut 1000 Downloads innerhalb von 48 Stunden brachte.
---------------------------------------------
https://heise.de/-7453534
∗∗∗ Patchday: SAP behandelt vier kritische Schwachstellen ∗∗∗
---------------------------------------------
SAP liefert Updates zum Beheben von teils kritischen Sicherheitslücken in den Produkten des Herstellers. IT-Verantwortliche sollten sie rasch installieren.
---------------------------------------------
https://heise.de/-7454402
∗∗∗ Heads up! Xdr33, A Variant Of CIA’s HIVE Attack Kit Emerges ∗∗∗
---------------------------------------------
On Oct 21, 2022, 360Netlabs honeypot system captured a suspicious ELF file ee07a74d12c0bb3594965b51d0e45b6f, which propagated via F5 vulnerability with zero VT detection, our system observces that it communicates with IP 45.9.150.144 using SSL with forged Kaspersky certificates, this caught our attention.
---------------------------------------------
https://blog.netlab.360.com/headsup_xdr33_variant_of_ciahive_emeerges/
∗∗∗ New year, old tricks: Hunting for CircleCI configuration files, (Mon, Jan 9th) ∗∗∗
---------------------------------------------
I have written before about attackers looking for exposed configuration files. Configuration files often include credentials or other sensitive information. Today, I noticed some scans for a files called "/.circleci/config.yml". Given the recent breach at CircleCI, I dug in a bit deeper.
---------------------------------------------
https://isc.sans.edu/diary/rss/29416
∗∗∗ ChatGPT-Written Malware ∗∗∗
---------------------------------------------
I don’t know how much of a thing this will end up being, but we are seeing ChatGPT-written malware in the wild.…within a few weeks of ChatGPT going live, participants in cybercrime forums—some with little or no coding experience—were using it to write software and emails that could be used for espionage, ransomware, malicious spam, and other malicious tasks.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html
∗∗∗ Kinsing Crypto Malware Hits Kubernetes Clusters via Misconfigured PostgreSQL ∗∗∗
---------------------------------------------
The threat actors behind the Kinsing cryptojacking operation have been spotted exploiting misconfigured and exposed PostgreSQL servers to obtain initial access to Kubernetes environments. A second initial access vector technique entails the use of vulnerable images, Sunders Bruskin, security researcher at Microsoft Defender for Cloud, said in a report last week.
---------------------------------------------
https://thehackernews.com/2023/01/kinsing-cryptojacking-hits-kubernetes.html
∗∗∗ The Dark Side of Gmail ∗∗∗
---------------------------------------------
Behind one of Gmail’s lesser-known features lies a potential threat to websites and platforms managers.
---------------------------------------------
https://osintmatter.com/the-dark-side-of-gmail/
∗∗∗ Crypto-inspired Magecart skimmer surfaces via digital crime haven ∗∗∗
---------------------------------------------
One criminal scheme often leads to another. This blog digs into a credit card skimmer and its ties with other malicious services.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2023/01/crypto-inspir…
∗∗∗ Malware-based attacks on ATMs - A summary ∗∗∗
---------------------------------------------
Today we will take a first look at malware-based attacks on ATMs in general, while future articles will go into more detail on the individual subtopics.
---------------------------------------------
https://blog.nviso.eu/2023/01/10/malware-based-attacks-on-atms-a-summary/
=====================
= Vulnerabilities =
=====================
∗∗∗ Securepoint UTM: Hotfix schließt kritische Sicherheitslücke ∗∗∗
---------------------------------------------
In den Securepoint UTM klafft eine kritische Sicherheitslücke. Das Unternehmen hat einen Hotfix bereitgestellt, der die Schwachstelle abdichtet.
---------------------------------------------
https://heise.de/-7453560
∗∗∗ UEFI-Sicherheitslücken bedrohen ARM-Geräte wie Microsoft Surface ∗∗∗
---------------------------------------------
Supply-Chain-Attacken möglich: Angreifer könnten auf Lenovo ThinkPads und Microsoft Surface den Schutzmechanismus Secure Boot umgehen.
---------------------------------------------
https://heise.de/-7454141
∗∗∗ Eleven Vulnerabilities Patched in Royal Elementor Addons ∗∗∗
---------------------------------------------
On December 23, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of 11 vulnerabilities in Royal Elementor Addons, a WordPress plugin with over 100,000 installations. The plugin developers responded on December 26, and we sent over the full disclosure that day.
---------------------------------------------
https://www.wordfence.com/blog/2023/01/eleven-vulnerabilities-patched-in-ro…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libtasn1-6), Fedora (nautilus), Oracle (kernel, kernel-container, nodejs:14, tigervnc, and xorg-x11-server), Red Hat (grub2, nodejs:14, tigervnc, and xorg-x11-server), Scientific Linux (tigervnc and xorg-x11-server), SUSE (systemd), and Ubuntu (firefox, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-azure, w3m, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/919543/
∗∗∗ 2023 ICS Patch Tuesday Debuts With 12 Security Advisories From Siemens, Schneider ∗∗∗
---------------------------------------------
The first ICS Patch Tuesday of 2023 brings a dozen security advisories from Siemens and Schneider Electric, addressing a total of 27 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/2023-ics-patch-tuesday-debuts-12-security-advi…
∗∗∗ CISA Releases Two Industrial Control Systems Advisories ∗∗∗
---------------------------------------------
CISA released two Industrial Control Systems (ICS) advisories on January 10, 2023. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations: ICSA-23-010-01 Black Box KVM ICSA-22-298-07 Delta Electronics InfraSuite Device Master (Update A)
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2023/01/10/cisa-releases-two…
∗∗∗ Vulnerability Spotlight: Asus router access, information disclosure, denial of service vulnerabilities discovered ∗∗∗
---------------------------------------------
Cisco Talos recently discovered three vulnerabilities in Asus router software. The Asus RT-AX82U router is one of the newer Wi-Fi 6 (802.11ax)-enabled routers that also supports mesh networking with other Asus routers.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-asus-router-acce…
∗∗∗ IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗
---------------------------------------------
CICS Transaction Gateway, IBM Answer Retrieval for Watson Discovery, IBM Business Automation Workflow, IBM Cloud Object Storage Systems, IBM Master Data Management, IBM Maximo Application Suite, IBM Sterling Partner Engagement Manager, IBM WebSphere Application Server, TADDM
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Siemens Security Advisories (7 new, 15 updated) ∗∗∗
---------------------------------------------
SSA-997779 V1.0: File Parsing Vulnerability in Solid Edge before V2023 MP1
SSA-936212 V1.0: JT File Parsing Vulnerabilities in JT Open, JT Utilities and Solid Edge
SSA-712929 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products
SSA-710008 V1.2 (Last Update: 2023-01-10): Multiple Web Vulnerabilities in SCALANCE Products
SSA-697140 V1.1 (Last Update: 2023-01-10): Denial of Service Vulnerability in the TCP Event Service of SCALANCE and RUGGEDCOM Products
SSA-593272 V1.9 (Last Update: 2023-01-10): SegmentSmack in Interniche IP-Stack based Industrial Devices
SSA-592007 V1.9 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Products
SSA-552702 V1.3 (Last Update: 2023-01-10): Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products
SSA-547714 V1.1 (Last Update: 2023-01-10): Argument Injection Vulnerability in SIMATIC WinCC OA Ultralight Client
SSA-496604 V1.0: Cross-Site Scripting Vulnerability in Mendix SAML Module
SSA-482757 V1.0: Missing Immutable Root of Trust in S7-1500 CPU devices
SSA-480230 V2.5 (Last Update: 2023-01-10): Denial of Service Vulnerability in Webserver of Industrial Products
SSA-478960 V1.2 (Last Update: 2023-01-10): Missing CSRF Protection in the Web Server Login Page of Industrial Controllers
SSA-476715 V1.0: Two Vulnerabilities in Automation License Manager
SSA-473245 V2.5 (Last Update: 2023-01-10): Denial-of-Service Vulnerability in Profinet Devices
SSA-446448 V1.6 (Last Update: 2023-01-10): Denial of Service Vulnerability in PROFINET Stack Integrated on Interniche Stack
SSA-431678 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerability in SIMATIC S7 CPU Families
SSA-382653 V1.1 (Last Update: 2023-01-10): Multiple Denial of Service Vulnerabilities in Industrial Products
SSA-349422 V1.8 (Last Update: 2023-01-10): Denial of Service Vulnerability in Industrial Real-Time (IRT) Devices
SSA-332410 V1.0: Multiple Vulnerabilities in SINEC INS before V1.0 SP2 Update 1
SSA-210822 V1.1 (Last Update: 2023-01-10): Improper Access Control Vulnerability in Mendix Workflow Commons Module
SSA-113131 V1.4 (Last Update: 2023-01-10): Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2023-01#Sec…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 05-01-2023 18:00 − Montag 09-01-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Security: Kunden-Secrets von CircleCI wohl komplett kompromittiert ∗∗∗
---------------------------------------------
CircleCI warnt Kunden dringend, sämtliche Secrets zu tauschen. Builds und Netzwerke könnten über zwei Wochen lang kompromittiert worden sein.
---------------------------------------------
https://www.golem.de/news/security-kunden-secrets-von-circleci-wohl-komplet…
∗∗∗ Verschlüsselung: RSA zerstört? Experten zweifeln ∗∗∗
---------------------------------------------
Ein neuer Algorithmus knackt die Verschlüsselung RSA angeblich schneller als jemals zuvor - diesmal mit einem Quantencomputer. Experten zweifeln daran.
---------------------------------------------
https://heise.de/-7449806
∗∗∗ Rust: bis zu 2500 Projekte durch Bibliothek Hyper für DoS verwundbar ∗∗∗
---------------------------------------------
Enthält die to_bytes-Funktion von Hyper keine Längenbeschränkung, so lassen sich schnell DoS-Attacken ausführen. Abhilfe schafft die offizielle Doku.
---------------------------------------------
https://heise.de/-7451019
∗∗∗ BaFin warnt vor "Godfather"-Banking-Trojaner ∗∗∗
---------------------------------------------
Die BaFin warnt vor einem Banking-Trojaner, der Android-Geräte angreift. Die "Godfather" genannte Malware kann 400 internationale Finanzinstitutionen ausspähen.
---------------------------------------------
https://heise.de/-7453238
∗∗∗ Android-Malware: Neue Version von SpyNote stiehlt Banking-Daten ∗∗∗
---------------------------------------------
Die Verbreitung erfolgt über Phishing-E-Mails. Seit Oktober 2022 ist der Quellcode von SpyNote frei verfügbar. Seitdem nehmen die Aktivitäten von SpyNote deutlich zu.
---------------------------------------------
https://www.zdnet.de/88406317/android-malware-neue-version-von-spynote-stie…
∗∗∗ Kostenloses Entschlüsselungs-Tool für Ransomware MegaCortex veröffentlicht ∗∗∗
---------------------------------------------
Das Tool ist eine gemeinsame Entwicklung von Bitdefender und No More Ransom. Es funktioniert mit allen Varianten von MegaCortex.
---------------------------------------------
https://www.zdnet.de/88406357/kostenloses-entschluesselungs-tool-fuer-ranso…
∗∗∗ Windows 11 GPO "Enable MPR notifications ..." zur Sicherheit setzen ∗∗∗
---------------------------------------------
Kleiner Tipp für Administratoren, die so langsam Windows 11 in Unternehmensumgebungen einführen. In den Standardeinstellungen des Betriebssystems lassen sich mittels einer einfachen DLL die Winlogon-Anmeldeinformationen im Klartext auslesen. Die neue Gruppenrichtlinie "Enable MPR notifications" soll dies nun verhindern.
---------------------------------------------
https://www.borncity.com/blog/2023/01/08/windows-11-gpo-enable-mpr-notifica…
∗∗∗ VSCode Marketplace can be abused to host malicious extensions ∗∗∗
---------------------------------------------
Threat analysts at AquaSec have experimented with the security of VSCode Marketplace and found that its surprisingly easy to upload malicious extensions from accounts that appear verified on the platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/vscode-marketplace-can-be-a…
∗∗∗ Malicious PyPi packages create CloudFlare Tunnels to bypass firewalls ∗∗∗
---------------------------------------------
Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT (remote access trojan) malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/malicious-pypi-packages-crea…
∗∗∗ Unraveling the techniques of Mac ransomware ∗∗∗
---------------------------------------------
Understanding how Mac ransomware works is critical in protecting today’s hybrid environments. We analyzed several known Mac ransomware families and highlighted these families’ techniques, which defenders can study further to prevent attacks.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2023/01/05/unraveling-the-tec…
∗∗∗ Finding & Removing Malware From Weebly Sites ∗∗∗
---------------------------------------------
Weebly is an easy-to-use website builder that allows admins to quickly create and publish responsive blogs and sites. Website builder environments are usually considered to be very safe and not prone to malware infections, but during a recent investigation I found some malicious behavior which revealed that even closed proprietary systems for WYSIWYG website builders like Weebly can be abused.
---------------------------------------------
https://blog.sucuri.net/2023/01/finding-removing-malware-from-weebly-sites.…
∗∗∗ Dridex Malware Now Attacking macOS Systems with Novel Infection Method ∗∗∗
---------------------------------------------
A variant of the infamous Dridex banking malware has set its sights on Apples macOS operating system using a previously undocumented infection method, according to latest research.
---------------------------------------------
https://thehackernews.com/2023/01/dridex-malware-now-attacking-macos.html
∗∗∗ LummaC2 Stealer: A Potent Threat to Crypto Users ∗∗∗
---------------------------------------------
During a threat-hunting exercise, Cyble Research and Intelligence Labs (CRIL) discovered a post on the cybercrime forum about an information stealer targeting both Chromium and Mozilla-based browsers. This stealer was named LummaC2 Stealer, which targets crypto wallets, extensions, and two-factor authentication (2FA) and steals sensitive information from the victim’s machine.
---------------------------------------------
https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto…
∗∗∗ Unwrapping Ursnifs Gifts ∗∗∗
---------------------------------------------
In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the environment [...]
---------------------------------------------
https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/
∗∗∗ Distribution of NetSupport RAT Malware Disguised as a Pokemon Game ∗∗∗
---------------------------------------------
NetSupport Manager is a remote control tool that can be installed and used by ordinary or corporate users for the purpose of remotely controlling systems. However, it is being abused by many threat actors because it allows external control over specific systems.
---------------------------------------------
https://asec.ahnlab.com/en/45312/
=====================
= Vulnerabilities =
=====================
∗∗∗ Kritische Sicherheitslücke in MatrixSSL ermöglicht Codeschmuggel ∗∗∗
---------------------------------------------
In der IoT-Bibliothek MatrixSSL haben IT-Forscher eine als kritisch eingestufte Sicherheitslücke entdeckt. Angreifer könnten dadurch Code einschleusen.
---------------------------------------------
https://heise.de/-7453087
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libetpan and smarty3), SUSE (libksba, rpmlint-mini, tcl, and xrdp), and Ubuntu (curl, firefox, and linux-oem-5.14).
---------------------------------------------
https://lwn.net/Articles/919202/
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (python2.7), SUSE (ca-certificates-mozilla, libksba, and ovmf), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, [...]
---------------------------------------------
https://lwn.net/Articles/919422/
∗∗∗ Kritische Sicherheitslücke in Open-Source-Projekt JsonWebToken entdeckt ∗∗∗
---------------------------------------------
Die Schwachstelle erlaubt unter Umständen eine Remotecodeausführung. Nutzer sollten auf die fehlerbereinigte Version 9.0.0 von JsonWebToken umsteigen.
---------------------------------------------
https://www.zdnet.de/88406385/kritische-sicherheitsluecke-in-open-source-pr…
∗∗∗ ThinkPad X13s: BIOS-Update schließt Schwachstellen ∗∗∗
---------------------------------------------
Der Hersteller Lenovo hat in einer Sicherheitsmeldung auf eine Reihe Schwachstellen im BIOS des ThinkPad X13s hingewiesen. Diese ermöglichen eine Speicherbeschädigung (Memory Corruption) und die Offenlegung von Informationen. Es steht ein BIOS-Update zum Schließen der Schwachstellen bereit.
---------------------------------------------
https://www.borncity.com/blog/2023/01/07/thinkpad-x13s-bios-update-schliet-…
∗∗∗ IBM Security Bulletins 2023-01-06 - 2023-01-09 ∗∗∗
---------------------------------------------
AIX, CICS Transaction Gateway, Enterprise Content Management System Monitor, IBM App Connect Enterprise, IBM Business Automation Workflow, IBM Connect:Direct Web Services, IBM InfoSphere Information Server, IBM Integration Bus, IBM Maximo Application Suite, IBM MQ, IBM Process Mining, IBM Robotic Process Automation for Cloud Pak, IBM Spectrum Protect Server, IBM SPSS Analytic Server, IBM Sterling B2B Integrator, IBM Sterling Connect:Direct Web Services, IBM Tivoli Netcool Impact, Power HMC
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Centos Web Panel 7 Unauthenticated Remote Code Execution - CVE-2022-44877 ∗∗∗
---------------------------------------------
https://github.com/numanturle/CVE-2022-44877
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 04-01-2023 18:00 − Donnerstag 05-01-2023 18:00
Handler: Stephan Richter
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Bluebottle hackers used signed Windows driver in attacks on banks ∗∗∗
---------------------------------------------
A signed Windows driver has been used in attacks on banks in French-speaking countries, likely from a threat actor that stole more than $11 million from various banks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/bluebottle-hackers-used-sign…
∗∗∗ SpyNote Android malware infections surge after source code leak ∗∗∗
---------------------------------------------
The Android malware family tracked as SpyNote (or SpyMax) has had a sudden increase in detections in the final quarter of 2022, which is attributed to a source code leak of one of its latest, known as CypherRat.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/spynote-android-malware-infe…
∗∗∗ PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources ∗∗∗
---------------------------------------------
We take a deep dive into Automated Libra, the cloud threat actor group behind the freejacking campaign PurpleUrchin.
---------------------------------------------
https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
∗∗∗ ProxyNotShell Mitigations K.O. ∗∗∗
---------------------------------------------
Warum ist ProxyNotShell noch ein Thema? Die Schwachstellen wurden doch von Microsoft Anfang November geschlossen? Kurz gesagt, weil sich viele auf die letzte Mitigation von Microsoft verlassen haben, anstatt auf den November-Patch.
---------------------------------------------
https://cert.at/de/blog/2023/1/proxynotshell-mitigations-ko
∗∗∗ The dos and don’ts of ransomware negotiations ∗∗∗
---------------------------------------------
Has your organization suddenly been attacked by a ransomware virus? Take a deep breath and try to remain composed. It can be easy to panic or become overwhelmed in the face of an attack, but it is vital to remain calm and focused in order to make the best decisions for your organization.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/the-dos-and-donts-o…
∗∗∗ Dridex Returns, Targets MacOS Using New Entry Method ∗∗∗
---------------------------------------------
The Dridex variant we analyzed targets MacOS platforms with a new technique to deliver documents embedded with malicious macros to users.
---------------------------------------------
https://www.trendmicro.com/en_us/research/23/a/-dridex-targets-macos-using-…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-01-05 ∗∗∗
---------------------------------------------
AIX, IBM Content Navigator, IBM Maximo Application Suite, IBM Robotic Process Automation, IBM Robotic Process Automation for Cloud Pak, IBM Security Verify Governance, IBM Sterling B2B Integrator, IBM TXSeries for Multiplatforms, IBM Tivoli Network Manager, ITNM, Operations Dashboard, TADDM, IBM Cloud Object Storage Systems
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Zoho fixt Datenbank-Lücke in Password Manager Pro und Zugriffskontroll-Software ∗∗∗
---------------------------------------------
Es gibt wichtige Sicherheitsupdates für die ManageEngine-Produkte Access Manager Plus, PAM360 und Password Manager Pro.
---------------------------------------------
https://heise.de/-7449108
∗∗∗ Patchday: Kritische Kernel-Lücken bedrohen Android ∗∗∗
---------------------------------------------
Google stellt gegen mögliche Attacken abgesicherte Android-Versionen 10, 11, 12, 12L und 13 zum Download bereit. Angreifer können sich Nutzerrechte verschaffen.
---------------------------------------------
https://heise.de/-7449147
∗∗∗ Fortinet stopft Schadcode-Lücken in Netzwerk-Produkten ∗∗∗
---------------------------------------------
Angreifer könnten unberechtigt unter anderem auf FortiManager zugreifen. Sicherheitsupdates stehen zum Download bereit.
---------------------------------------------
https://heise.de/-7449288
∗∗∗ Sicherheitspatch: Angreifer könnten Systeme mit IBM Tivoli Monitoring übernehmen ∗∗∗
---------------------------------------------
Schwachstellen in mehreren Komponenten bedrohen die System- und Netzwerküberwachungslösung IBM Tivoli Monitoring.
---------------------------------------------
https://heise.de/-7449768
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (binwalk), Oracle (kernel and webkit2gtk3), Red Hat (webkit2gtk3), Slackware (vim), and Ubuntu (libksba and nautilus).
---------------------------------------------
https://lwn.net/Articles/919112/
∗∗∗ Hitachi Energy UNEM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-01
∗∗∗ Hitachi Energy FOXMAN-UN ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-02
∗∗∗ Hitachi Energy Lumada Asset Performance Management ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-23-005-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 03-01-2023 18:00 − Mittwoch 04-01-2023 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Jetzt patchen! Noch 60.000 Exchange-Server für ProxyNotShell-Attacken anfällig ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen vor verwundbaren Exchange-Servern. 30.000 davon sind in Europa – der Großteil in Deutschland. Sicherheitspatches sind verfügbar.
---------------------------------------------
https://heise.de/-7448029
∗∗∗ l+f: Flipper Zero – Delfin auf Phishing-Tour ∗∗∗
---------------------------------------------
Vorsicht beim Kauf des beliebten Hacking-Gadgets Flipper Zero. Cyberkriminelle haben Fake-Shops eingerichtet, um Interessierte abzukassieren.
---------------------------------------------
https://heise.de/-7448371
∗∗∗ Nur noch eine Woche Zeit: Support-Ende von Windows 8.1 ∗∗∗
---------------------------------------------
Die letzten Stunden für Windows 8.1 haben geschlagen. In nicht einmal einer Woche stellt Microsoft die Unterstützung für Windows 8.1 endgültig ein.
---------------------------------------------
https://heise.de/-7448516
∗∗∗ Update to RTRBK - Diff and File Dates in PowerShell, (Wed, Jan 4th) ∗∗∗
---------------------------------------------
I use my RTRBK script pretty much every week, every single time that I work with a client that doesn't have their network gear in a backup cycle in fact. (for a review of this tool, see the original post https://isc.sans.edu/diary/RTRBK+Router+Switch+Firewall+Backups+in+PowerShe… ) Anyway, I was considering how I could improve this script, aside from adding more and more device types to the backups. A "diff" report was my obvious first thought - [...]
---------------------------------------------
https://isc.sans.edu/diary/rss/29400
∗∗∗ Breaking RSA with a Quantum Computer ∗∗∗
---------------------------------------------
A group of Chinese researchers have just published a paper claiming that they can—although they have not yet done so—break 2048-bit RSA. This is something to take seriously. It might not be correct, but it’s not obviously wrong. We have long known from Shor’s algorithm that factoring with a quantum computer is easy. But it takes a big quantum computer, on the orders of millions of qbits, to factor anything resembling the key sizes we use today. What the researchers have done is combine classical lattice reduction factoring techniques with a quantum approximate optimization algorithm.
---------------------------------------------
https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-…
∗∗∗ Androids First Security Updates for 2023 Patch 60 Vulnerabilities ∗∗∗
---------------------------------------------
Google announced on Tuesday the first Android security updates for 2023, which patch a total of 60 vulnerabilities. The first part of the update, which arrives on devices as the 2023-01-01 security patch level, addresses 19 security defects in the Framework and System components.
---------------------------------------------
https://www.securityweek.com/androids-first-security-updates-2023-patch-60-…
∗∗∗ Ransomware predictions in 2023: more gov’t action and a pivot to data extortion ∗∗∗
---------------------------------------------
There were thousands of ransomware attacks in 2022, from breaches targeting militaries to incidents that brought entire governments to a standstill. Ransomware giants like Conti closed shop, while groups like LockBit and Hive took their place, attacking thousands of hospitals, governments, businesses and schools across the world. So what does 2023 have in store for us?
---------------------------------------------
https://therecord.media/ransomware-predictions-in-2023-more-govt-action-and…
∗∗∗ DeTT&CT: Automate your detection coverage with dettectinator ∗∗∗
---------------------------------------------
Last year, I published an article on mapping detection to the MITRE ATT&CK framework using DeTT&CT. In the article, we introduced DeTT&CT and explored its features and usage. If you missed it, you can find the article here. Although, after writing that article, I encountered some challenges. For instance, I considered using DeTT&CT in a production environment but there were hundreds of existing detection rules to consider, and it would have been a tedious process to manually create the necessary YAML file for building a detection coverage layer.
---------------------------------------------
https://blog.nviso.eu/2023/01/04/dettct-automate-your-detection-coverage-wi…
∗∗∗ Shc Linux Malware Installing CoinMiner ∗∗∗
---------------------------------------------
The ASEC analysis team recently discovered that a Linux malware developed with Shc has been installing a CoinMiner. It is presumed that after successful authentication through a dictionary attack on inadequately managed Linux SSH servers, various malware were installed on the target system. Among those installed were the Shc downloader, XMRig CoinMiner installed through the former, and DDoS IRC Bot, developed with Perl.
---------------------------------------------
https://asec.ahnlab.com/en/45182/
∗∗∗ Three easy steps to dramatically improve your AWS security posture: Step 1, set up IAM properly ∗∗∗
---------------------------------------------
Have you ever heard the saying that the greatest benefit of the cloud is that limitless resources can be spun-up with just a few clicks of the mouse? If so, you would be best served by forgetting that saying altogether. Just because cloud resources can be spun-up with a few clicks of the mouse does not mean that they should be. Rather, prior to launching anything in the cloud, careful consideration and planning are a necessity.
---------------------------------------------
https://cybersecurity.att.com/blogs/security-essentials/three-easy-steps-to…
=====================
= Vulnerabilities =
=====================
∗∗∗ January 2023 Vulnerability Advisories ∗∗∗
---------------------------------------------
FortiTester (CVSS Score: 7.6), FortiPortal (CVSS Score: 6.6), FortiWeb (CVSS Score: 5.3), FortiManager (CVSS Score: 6), FortiADC (CVSS Score: 8.6)
---------------------------------------------
https://fortiguard.fortinet.com/psirt-monthly-advisory/january-2023-vulnera…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (xorg-x11-server-Xwayland), Red Hat (webkit2gtk3), SUSE (rmt-server), and Ubuntu (freeradius).
---------------------------------------------
https://lwn.net/Articles/919051/
∗∗∗ IBM Security Bulletins 2023-01-04 ∗∗∗
---------------------------------------------
IBM Common Licensings Administration And Reporting Tool (ART), IBM DataPower Gateway, IBM Global Mailbox, IBM Integration Bus, IBM MQ, IBM Security Verify Governance, IBM Sterling Global Mailbox, IBM WebSphere MQ, IBM WebSphere Message Broker, ITNM
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 02-01-2023 18:00 − Dienstag 03-01-2023 18:00
Handler: Stephan Richter
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ BMW, Mercedes, Kia, Porsche: Sicherheitsforscher hacken etliche Autohersteller ∗∗∗
---------------------------------------------
Forschern ist es gelungen die API-Endpunkte etlicher Autohersteller wie BMW oder Kia zu hacken - von der Konten- bis zur Autoübernahme war alles möglich.
---------------------------------------------
https://www.golem.de/news/bmw-mercedes-kia-porsche-sicherheitsforscher-hack…
∗∗∗ Schadcode auf PyPI: Supply-Chain-Angriff auf PyTorch Nightly Builds ∗∗∗
---------------------------------------------
Wer kürzlich PyTorch-nightly unter Linux via pip installiert hat, erhielt Schadcode. Das PyTorch-Team hat Gegenmaßnahmen eingeleitet.
---------------------------------------------
https://heise.de/-7447195
∗∗∗ Its about time: OS Fingerprinting using NTP, (Tue, Jan 3rd) ∗∗∗
---------------------------------------------
Most current operating systems, including many small systems like IoT devices, use some form of NTP to sync time. NTP is lightweight and reasonably accurate in most use cases to synchronize time across the internet with millisecond accuracy [1]. Some protocols, like PTP, are more accurate but are designed for local networks and may require special hardware on the host [2]. Smaller systems with less stringent accuracy requirements sometimes use SNTP, a variant of NTP.
---------------------------------------------
https://isc.sans.edu/diary/rss/29394
∗∗∗ Raspberry Robin Worm Evolves to Attack Financial and Insurance Sectors in Europe ∗∗∗
---------------------------------------------
Financial and insurance sectors in Europe have been targeted by the Raspberry Robin worm, as the malware continues to evolve its post-exploitation capabilities while remaining under the radar. "What is unique about the malware is that it is heavily obfuscated and highly complex to statically disassemble," Security Joes said in a new report published Monday.
---------------------------------------------
https://thehackernews.com/2023/01/raspberry-robin-worm-evolves-to-attack.ht…
∗∗∗ Cloud Metadata - AWS IAM Credential Abuse ∗∗∗
---------------------------------------------
[...] In this run through we have a vulnerable AWS EC2 instance configured to use IMDSv1 (Instance Metadata Service) which we will exploit, escalate our privileges and carry out post-compromise activities. While not every AWS EC2 instance has an associated IAM role (AWS Identity and Access Management), when they do these role profiles contain credentials/keys.
---------------------------------------------
https://sneakymonkey.net/cloud-credential-abuse/
∗∗∗ SSRF vulnerabilities caused by SNI proxy misconfigurations ∗∗∗
---------------------------------------------
SNI proxies are load balancers that use the SNI extension field to select backend systems. When misconfigured, SNI proxies can be vulnerable to SSRF attacks that provide access to web application backends.
---------------------------------------------
https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sn…
∗∗∗ Exploiting GraphQL Query Depth ∗∗∗
---------------------------------------------
GraphQL was created and developed with flexibility in mind: clients should be given the power to ask for exactly what they need and nothing more. Much of this flexibility involves allowing customers to execute multiple queries in a single request, [...]
---------------------------------------------
https://checkmarx.com/blog/exploiting-graphql-query-depth/
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2023-01-03 ∗∗∗
---------------------------------------------
IBM Business Automation Workflow, IBM InfoSphere Information Server, IBM Integrated Analytics System, IBM Process Mining, IBM Security SOAR, IBM Security Verify Governance, IBM Sterling B2B Integrator, Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, Rational Directory Server (Tivoli) & Rational Directory Administrator
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Trend Micros Sicherheitslösung Maximum Security benötigt einen Sicherheitspatch ∗∗∗
---------------------------------------------
Angreifer könnten Windows-PCs mit Sicherheitssoftware von Trend Micro attackieren. Ein Sicherheitspatch ist verfügbar.
---------------------------------------------
https://heise.de/-7446553
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Oracle (bcel), SUSE (ca-certificates-mozilla, glibc, minetest, multimon-ng, nautilus, ovmf, python-Django, samba, saphanabootstrap-formula, and xrdp), and Ubuntu (usbredir).
---------------------------------------------
https://lwn.net/Articles/918965/
∗∗∗ ThinkPad X13s BIOS Vulnerabilities ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500537
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 30-12-2022 18:00 − Montag 02-01-2023 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ EarSpy-Lauschangriff auf Smartphones: Forschern gelingt Abhören aus der Ferne ∗∗∗
---------------------------------------------
In Mobiltelefone integrierte Ohrlautsprecher werden immer leistungsstärker. Dies hat den Nachteil, dass die verursachten Mini-Vibrationen verräterischer sind.
---------------------------------------------
https://heise.de/-7444910
∗∗∗ Rund 230 Millionen Deezer-Datensätze zu Have I been pwned hinzugefügt ∗∗∗
---------------------------------------------
Bei einem Einbruch in einen Deezer-Dienstleister konnten offenbar rund 230 Millionen Datensätze kopiert werden. Have I been pwned hat sie jetzt hinzugefügt.
---------------------------------------------
https://heise.de/-7445237
∗∗∗ Sicherheitsrisiko Microsoft Outlook App: Überträgt Anmeldedaten und Mails in die Cloud ∗∗∗
---------------------------------------------
Ich hole zum Jahresanfang 2023 nochmals ein Thema hoch, welches ich hier im Blog bereits 2015 und im Januar 2021 angesprochen habe. Es geht um die Microsoft Outlook App, die für Android- und iOS-Geräte angeboten und meines Erachtens breit eingesetzt [...]
---------------------------------------------
https://www.borncity.com/blog/2023/01/01/sicherheitsrisiko-microsoft-outloo…
∗∗∗ Ransomware gang cloned victim’s website to leak stolen data ∗∗∗
---------------------------------------------
The ALPHV ransomware operators have gotten creative with their extortion tactic and, in at least one case, created a replica of the victims site to publish stolen data on it.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-gang-cloned-victi…
∗∗∗ NetworkMiner 2.8 Released, (Mon, Jan 2nd) ∗∗∗
---------------------------------------------
First of all, happy new year to all our Readers! There exist tools that are very popular for a long time because they are regularly updated and... just make the job! NetworkMiner is one of them (the first release was in 2007). I don't use it regularly but it is part of my forensic toolbox for a while and already helped me in many investigations.
---------------------------------------------
https://isc.sans.edu/diary/rss/29390
∗∗∗ WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws ∗∗∗
---------------------------------------------
WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems. "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week.
---------------------------------------------
https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html
∗∗∗ Python developers, uninstall this malicious package right now ∗∗∗
---------------------------------------------
If youre a Python developer and one who is accustomed to installed the latest preview builds of libraries, you might want to take immediate mitigative action. PyTorch, an open-source machine learning framework initially developed by Meta and now under the Linux Foundation, has seemingly been the target of a supply chain attack, which has potentially led to many users installing a malicious package.
---------------------------------------------
https://www.neowin.net/news/python-developers-uninstall-this-malicious-pack…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Content Collector, IBM Tivoli Monitoring
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Jetzt patchen: Netgear schließt hochriskante Lücke in mehreren Routern ∗∗∗
---------------------------------------------
Netgear empfiehlt ein dringendes Sicherheitsupdate für mehrere seiner Router-Modelle. Betroffen sind von der Lücke auch Modelle der Nighthawk-Reihe.
---------------------------------------------
https://heise.de/-7444672
∗∗∗ Synology warnt vor kritischer Lücke in VPN-Plus-Server ∗∗∗
---------------------------------------------
Wer Synology-Router als VPN-Server einsetzt, muss die Software zügig aktualisieren. Eine kritische Sicherheitslücke ermöglicht Angreifern sonst Codeschmuggel.
---------------------------------------------
https://heise.de/-7444783
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, emacs, exuberant-ctags, libjettison-java, mplayer, node-loader-utils, node-xmldom, openvswitch, ruby-image-processing, webkit2gtk, wpewebkit, and xorg-server), Fedora (OpenImageIO, systemd, w3m, and webkit2gtk3), Mageia (curl, freeradius, libksba, libtar, python-ujson, sogo, thunderbird, and webkit2), Red Hat (bcel), and SUSE (ffmpeg, ffmpeg-4, mbedtls, opera, saphanabootstrap-formula, sbd, vlc, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918883/
∗∗∗ Vulnerabilities in Java and IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights - CVE-2022-34165, CVE-2022-21628, CVE-2022-21626, CVE-2022-21624, CVE-2022-21619 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852357
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 29-12-2022 18:00 − Freitag 30-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Netgear warns users to patch recently fixed WiFi router bug ∗∗∗
---------------------------------------------
Netgear has fixed a high-severity vulnerability affecting multiple WiFi router models and advised customers to update their devices to the latest available firmware as soon as possible.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/netgear-warns-users-to-patch…
∗∗∗ New Linux malware uses 30 plugin exploits to backdoor WordPress sites ∗∗∗
---------------------------------------------
A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-uses-30-pl…
∗∗∗ Security Update Guide Improvement – Representing Hotpatch Updates ∗∗∗
---------------------------------------------
Today we are updating the way Microsoft Security Update Guide (SUG) represents the Windows Hotpatch feature to make it easier for users to identify the hotpatch and security updates.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/12/29/security-update-guide-improvemen…
∗∗∗ Opening the Door for a Knock: Creating a Custom DShield Listener, (Thu, Dec 29th) ∗∗∗
---------------------------------------------
There are a variety of services listening for connections on DShield honeypots. Different systems scanning the internet can connect to these listening services due to exceptions in the firewall. Any attempted connections blocked by the firewall are logged and can be analyzed later. This can be useful to see TCP port connection attempts, but it usefulness is limited.
---------------------------------------------
https://isc.sans.edu/diary/rss/29382
∗∗∗ SPF and DMARC use on GOV domains in different ccTLDs, (Fri, Dec 30th) ∗∗∗
---------------------------------------------
Although e-mail is one of the cornerstones of modern interpersonal communication, its underlying Simple Mail Transfer Protocol (SMTP) is far from what we might call robust or secure. By itself, the protocol lacks any security features related to ensuring (among other factors) integrity or authenticity of transferred data or the identity of their sender, and creating a “spoofed” e-mail is therefore quite easy.
---------------------------------------------
https://isc.sans.edu/diary/rss/29384
∗∗∗ CISA Warns of Active exploitation of JasperReports Vulnerabilities ∗∗∗
---------------------------------------------
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two-years-old security flaws impacting TIBCO Softwares JasperReports product to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaws, tracked as CVE-2018-5430 (CVSS score: 7.7) and CVE-2018-18809 (CVSS score: 9.9), were addressed by TIBCO in April 2018 and March 2019, respectively.
---------------------------------------------
https://thehackernews.com/2022/12/cisa-warns-of-active-exploitation-of.html
∗∗∗ ENLBufferPwn (CVE-2022-47949) ∗∗∗
---------------------------------------------
ENLBufferPwn is a vulnerability in the common network code of several first party Nintendo games since the Nintendo 3DS that allows an attacker to execute code remotely in the victims console by just having an online game with them (remote code execution).
---------------------------------------------
https://github.com/PabloMK7/ENLBufferPwn
∗∗∗ Chrome Browser Exploitation, Part 3: Analyzing and Exploiting CVE-2018-17463 ∗∗∗
---------------------------------------------
Welcome to the third and final installment of the “Chrome Browser Exploitation” series. The main objective of this series has been to provide an introduction to browser internals and delve into the topic of Chrome browser exploitation on Windows in greater depth.
---------------------------------------------
https://jhalon.github.io/chrome-browser-exploitation-3/
∗∗∗ EU-Regeln für Cybersicherheit bald in Kraft: Rund 20.000 Betriebe betroffen ∗∗∗
---------------------------------------------
Die EU hat die novellierte Richtlinie zur Netz- und Informationssicherheit (NIS2) im Amtsblatt veröffentlicht. Der Countdown zur Umsetzung in Deutschland läuft.
---------------------------------------------
https://heise.de/-7444366
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-12-30 ∗∗∗
---------------------------------------------
IBM Cloud Pak for Automation, IBM Cloud Pak for Business Automation, IBM Cloud Application Business Insights, IBM Cloud Transformation Advisor, Tivoli Netcool/OMNIbus, Netcool/System Service Monitor
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libcommons-net-java), Fedora (python3.6), and SUSE (conmon, polkit-default-privs, thunderbird, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918778/
∗∗∗ Synology-SA-22:26 VPN Plus Server ∗∗∗
---------------------------------------------
A vulnerability allows remote attackers to possible execute arbitrary command via a susceptible version of Synology VPN Plus Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_26
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 28-12-2022 18:00 − Donnerstag 29-12-2022 18:00
Handler: Stephan Richter
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Google Home speakers allowed hackers to snoop on conversations ∗∗∗
---------------------------------------------
A bug in Google Home smart speaker allowed installing a backdoor account that could be used to control it remotely and to turn it into a snooping device by accessing the microphone feed.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-home-speakers-allowed…
∗∗∗ WordPress Vulnerability & Patch Roundup December 2022 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises.
---------------------------------------------
https://blog.sucuri.net/2022/12/wordpress-vulnerability-patch-roundup-decem…
∗∗∗ The Worst Hacks of 2022 ∗∗∗
---------------------------------------------
The year was marked by sinister new twists on cybersecurity classics, including phishing, breaches, and ransomware attacks.
---------------------------------------------
https://www.wired.com/story/worst-hacks-2022/
∗∗∗ New CatB Ransomware Employs 2-Year Old DLL Hijacking Technique To Evade Detection ∗∗∗
---------------------------------------------
We recently discovered ransomware, which performs MSDTC service DLL Hijacking to silently execute its payload. We have named this ransomware CatB, based on the contact email that the ransomware group uses.
---------------------------------------------
https://minerva-labs.com/blog/new-catb-ransomware-employs-2-year-old-dll-hi…
∗∗∗ One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware. (arXiv:2212.13716v1 [cs.CR]) ∗∗∗
---------------------------------------------
Currently, the development of IoT firmware heavily depends on third-partycomponents (TPCs) to improve development efficiency. Nevertheless, TPCs are notsecure, and the vulnerabilities in TPCs will influence the security of IoTf irmware.
---------------------------------------------
http://arxiv.org/abs/2212.13716
∗∗∗ A survey and analysis of TLS interception mechanisms and motivations. (arXiv:2010.16388v2 [cs.CR] UPDATED) ∗∗∗
---------------------------------------------
TLS is an end-to-end protocol designed to provide confidentiality andintegrity guarantees that improve end-user security and privacy. While TLShelps defend against pervasive surveillance of intercepted unencrypted traffic,it also hinders several common beneficial operations typically performed bymiddleboxes on the network traffic.
---------------------------------------------
http://arxiv.org/abs/2010.16388
∗∗∗ HardCIDR – Network CIDR and Range Discovery Tool ∗∗∗
---------------------------------------------
HardCIDR is a Linux Bash script to discover the netblocks, or ranges, (in CIDR notation) owned by the target organization during the intelligence gathering phase of a penetration test.
---------------------------------------------
https://www.darknet.org.uk/2022/12/hardcidr-network-cidr-and-range-discover…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hughes Satellite Router Remote File Inclusion Cross-Frame Scripting ∗∗∗
---------------------------------------------
The router contains a cross-frame scripting via remote file inclusion vulnerability that may potentially be exploited by malicious users to compromise an affected system.
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5743.php
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (multipath-tools), Fedora (containerd and trafficserver), Gentoo (libksba and openssh), and SUSE (webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/918715/
∗∗∗ Several DoS, Code Execution Vulnerabilities Found in Rockwell Automation Controllers ∗∗∗
---------------------------------------------
Organizations using controllers made by Rockwell Automation have been informed recently about several potentially serious vulnerabilities.
---------------------------------------------
https://www.securityweek.com/several-dos-code-execution-vulnerabilities-fou…
∗∗∗ Ungepatchte Citrix-Server zu Tausenden über kritische Schwachstellen angreifbar ∗∗∗
---------------------------------------------
Citrix hat in den letzten Monaten Sicherheitsupdates für kritische Schwachstellen in Citrix ADC- und Gateway-Produkten freigegeben und entsprechende Sicherheitswarnungen veröffentlicht.
---------------------------------------------
https://www.borncity.com/blog/2022/12/29/ungepatchte-citrix-server-zu-tause…
∗∗∗ (Non-US) DIR-825/EE : H/W Rev. R2 & DIR-825/AC Rev. G1A:: F/W 1.0.9 :: Multiple Vulnerabilities by Trend Micro, the Zero Day Initiative (ZDI) ∗∗∗
---------------------------------------------
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name…
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ IBM Synthetic Playback Agent is vulnerable due to its use of Apache Commons Text [CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6852105
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 27-12-2022 18:00 − Mittwoch 28-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ KI-Wunder ChatGPT kann bösartige E-Mails und Code generieren ∗∗∗
---------------------------------------------
Check Point Research (CPR) warnt vor Hackern, die ChatGPT und Codex von OpenAI nutzen könnten, um gezielte Cyberangriffe durchzuführen.
https://research.checkpoint.com/2022/opwnai-ai-that-can-save-the-day-or-hac…
---------------------------------------------
https://www.zdnet.de/88406214/ki-wunder-chatgpt-kann-boesartige-e-mails-und…
∗∗∗ Droht eine Exchange ProxyNotShell-Katastrophe zum Jahreswechsel 2022/2023? ∗∗∗
---------------------------------------------
Beunruhigende Informationen, die mich gerade erreicht haben. Nicht auf dem aktuellen Patchstand befindliche Microsoft Exchange On-Premises-Server sind anfällig für Angriffe über die ProxyNotShell-Schwachstellen. Vor Weihnachten gab es dann die Information, dass die Hackergruppe FIN7 seit längerem eine automatisierte Angriffsplattform zum [...]
---------------------------------------------
https://www.borncity.com/blog/2022/12/28/droht-eine-exchange-proxynotshell-…
∗∗∗ Why Attackers Target GitHub, and How You Can Secure It ∗∗∗
---------------------------------------------
The unfettered collaboration of the GitHub model creates a security headache. Follow these seven principles to help relieve the pain.
---------------------------------------------
https://www.darkreading.com/edge-articles/why-attackers-target-github-and-h…
∗∗∗ Playing with Powershell and JSON (and Amazon and Firewalls), (Wed, Dec 28th) ∗∗∗
---------------------------------------------
In this post we'll take a look at parsing and manipulating JSON in Powershell.
---------------------------------------------
https://isc.sans.edu/diary/rss/29380
∗∗∗ CVE-2022-27510, CVE-2022-27518 - Measuring Citrix ADC & Gateway version adoption on the Internet ∗∗∗
---------------------------------------------
Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given the situation of past Citrix vulnerabilities, RIFT started to research on how to identify the [...]
---------------------------------------------
https://blog.fox-it.com/2022/12/28/cve-2022-27510-cve-2022-27518-measuring-…
∗∗∗ EarSpy: Spying on Phone Calls via Ear Speaker Vibrations Captured by Accelerometer ∗∗∗
---------------------------------------------
As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for eavesdropping on a targeted user’s conversations, according to a team of researchers from several universities in the United States.
---------------------------------------------
https://www.securityweek.com/earspy-spying-phone-calls-ear-speaker-vibratio…
∗∗∗ Alias and Directive Overloading in GraphQL ∗∗∗
---------------------------------------------
Denial of Service (DoS) attacks in GraphQL APIs are nothing new. It turns out that when you let clients control what data they want to receive from the server, malicious users try to abuse this flexibility to exhaust resources.
---------------------------------------------
https://checkmarx.com/blog/alias-and-directive-overloading-in-graphql/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (curl) and SUSE (curl, freeradius-server, sqlite3, systemd, and vim).
---------------------------------------------
https://lwn.net/Articles/918655/
∗∗∗ Microsoft Patches Azure Cross-Tenant Data Access Flaw ∗∗∗
---------------------------------------------
Microsoft has silently fixed an important-severity security flaw in its Azure Cognitive Search (ACS) after an external researcher warned that a buggy feature allowed cross-tenant network bypass attacks.
---------------------------------------------
https://www.securityweek.com/microsoft-patches-azure-cross-tenant-data-acce…
∗∗∗ ABB Security Advisory: NE843 Pulsar Plus Controller ∗∗∗
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A6732&Lan…
∗∗∗ A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 (CVE-2022-34165). ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851953
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 23-12-2022 18:00 − Dienstag 27-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ EarSpy attack eavesdrops on Android phones via motion sensors ∗∗∗
---------------------------------------------
A team of researchers has developed an eavesdropping attack for Android devices that can, to various degrees, recognize the callers gender and identity, and even discern private speech.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/earspy-attack-eavesdrops-on-…
∗∗∗ Container Verification Bug Allows Malicious Images to Cloud Up Kubernetes ∗∗∗
---------------------------------------------
A complete bypass of the Kyverno security mechanism for container image imports allows cyberattackers to completely take over a Kubernetes pod to steal data and inject malware.
---------------------------------------------
https://www.darkreading.com/cloud/container-verification-bug-malicious-imag…
∗∗∗ BlueNoroff introduces new methods bypassing MoTW ∗∗∗
---------------------------------------------
We continue to track the BlueNoroff group’s activities and this October we observed the adoption of new malware strains in its arsenal.
---------------------------------------------
https://securelist.com/bluenoroff-methods-bypass-motw/108383/
∗∗∗ DShield Sensor Setup in Azure, (Wed, Dec 21st) ∗∗∗
---------------------------------------------
In November I setup the DShield sensor in my Azure tenant using Ubuntu version 20.04. Here are the steps I followed.
---------------------------------------------
https://isc.sans.edu/diary/rss/29370
∗∗∗ GuLoader Malware Utilizing New Techniques to Evade Security Software ∗∗∗
---------------------------------------------
Cybersecurity researchers have exposed a wide variety of techniques adopted by an advanced malware downloader called GuLoader to evade security software.
---------------------------------------------
https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html
∗∗∗ Navigating the Vast Ocean of Sandbox Evasions ∗∗∗
---------------------------------------------
After creating a bespoke sandbox environment, we discuss techniques used to target malware evasions with memory detection and more.
---------------------------------------------
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection/
∗∗∗ Erinnerung: Basic Authentication in Exchange Online wird 2023 abgeschaltet ∗∗∗
---------------------------------------------
Microsoft hat die Tage daran erinnert, dass die sogenannte Basic Authentication in Exchange Online ausläuft und im kommenden Jahr abgeschaltet wird.
---------------------------------------------
https://www.borncity.com/blog/2022/12/27/erinnerung-basic-authentication-in…
∗∗∗ Caution! Malware Signed With Microsoft Certificate ∗∗∗
---------------------------------------------
Microsoft announced details on the distribution of malware signed with a Microsoft certificate. According to the announcement, a driver authenticated with the Windows Hardware Developer Program had been abused due to the leakage of multiple Windows developer accounts. To prevent damage, Microsoft blocked the related accounts and applied a security update (Microsoft Defender 1.377.987.0 or later).
---------------------------------------------
https://asec.ahnlab.com/en/44726/
∗∗∗ Distribution of Magniber Ransomware Stops (Since November 29th) ∗∗∗
---------------------------------------------
Through a continuous monitoring process, the AhnLab ASEC analysis team is swiftly responding to Magniber, the main malware that is actively being distributed using the typosquatting method which exploits typos in domain address input. Through such continuous responses, we have detected that as of November 29th, the distribution of the Magniber ransomware has halted.
---------------------------------------------
https://asec.ahnlab.com/en/43858/
∗∗∗ Inside the IcedID BackConnect Protocol ∗∗∗
---------------------------------------------
As part of our ongoing tracking of IcedID / BokBot, we wanted to share some insights derived from infrastructure associated with IcedID’s BackConnect (BC) protocol.
---------------------------------------------
https://www.team-cymru.com/post/inside-the-icedid-backconnect-protocol
=====================
= Vulnerabilities =
=====================
∗∗∗ Ksmbd: Kritische Lücke im SMB-Dienst des Linux-Kernels ∗∗∗
---------------------------------------------
Der Linux-Kernel verfügt seit vergangenem Jahr über eine eigene SMB-Implementierung. Diese enthält eine sehr gefährliche Lücke - Updates stehen bereit.
---------------------------------------------
https://www.golem.de/news/ksmbd-kritische-luecke-im-smb-dienst-des-linux-ke…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel, libksba, and mbedtls), Fedora (containerd, curl, firefox, kernel, mod_auth_openidc, and xorg-x11-server), and Mageia (chromium-browser-stable).
---------------------------------------------
https://lwn.net/Articles/918607/
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gerbv), Fedora (webkitgtk), and SUSE (ca-certificates-mozilla, freeradius-server, multimon-ng, vim, and vlc).
---------------------------------------------
https://lwn.net/Articles/918631/
∗∗∗ Critical Vulnerability in Premium Gift Cards WordPress Plugin Exploited in Attacks ∗∗∗
---------------------------------------------
Defiant’s Wordfence team warns of a critical-severity vulnerability in the YITH WooCommerce Gift Cards premium WordPress plugin being exploited in attacks.
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-premium-gift-cards-word…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0011 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0011.html
∗∗∗ Cross-Site Scripting im Admin-Panel von Lucee Server (SYSS-2022-051) ∗∗∗
---------------------------------------------
Im Admin-Panel von Lucee Server besteht eine Cross-Site Scripting (XSS)-Schwachstelle. Angreifende können somit JavaScript-Code im Browser ausführen.
---------------------------------------------
https://www.syss.de/pentest-blog/cross-site-scripting-im-admin-panel-von-lu…
∗∗∗ MISP 2.4.167 released with many improvements, bugs fixed and security fixes. ∗∗∗
---------------------------------------------
https://github.com/MISP/MISP/releases/tag/v2.4.167
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 22-12-2022 18:00 − Freitag 23-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Vice Society ransomware gang switches to new custom encryptor ∗∗∗
---------------------------------------------
The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vice-society-ransomware-gang…
∗∗∗ Google ad traffic leads to stealer packages based on free software, (Thu, Dec 22nd) ∗∗∗
---------------------------------------------
Earlier this month, I wrote a diary about Google ad traffic leading to a fake AnyDesk page pushing IcedID malware. This week, the same type of ad traffic led to a fake TeamViewer page, and that page led to a different type of malware.
---------------------------------------------
https://isc.sans.edu/diary/rss/29376
∗∗∗ Passwortmanager: LastPass-Hacker haben Zugriff auf Kennworttresore von Kunden ∗∗∗
---------------------------------------------
Bei einem IT-Sicherheitsvorfall beim Anbieter des Passwortmanagers LastPass konnten Angreifer doch auf Kundendaten inklusive gespeicherter Passwörter zugreifen.
---------------------------------------------
https://heise.de/-7441929
∗∗∗ Sourcecode vom Zugriffsmanagementdienst Okta geleakt ∗∗∗
---------------------------------------------
Unbekannte Angreifer konnten auf das Github-Repository von Okta zugreifen und Code kopieren. Die Sicherheit des Dienstes soll dadurch nicht gefährdet sein.
---------------------------------------------
https://heise.de/-7442131
∗∗∗ IcedID Botnet Distributors Abuse Google PPC to Distribute Malware ∗∗∗
---------------------------------------------
We analyze the latest changes in IcedID botnet from a campaign that abuses Google pay per click (PPC) ads to distribute IcedID via malvertising attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-a…
=====================
= Vulnerabilities =
=====================
∗∗∗ Is this CVSS 10 Linux Kernel vuln going to ruin your Christmas? ∗∗∗
---------------------------------------------
Before Linux users worldwide get panties in a panicked bunch, there appears to be more positive news however: At first glance the vulnerability only appears to affect ksmbd, an in-kernel SMB file server that was merged to mainline in the Linux 5.15 release in August 2021; i.e. users running SMB servers via the much more widely deployed Samba, rather than ksmbd can more likely than not get back their mince pies unpurturbed.
---------------------------------------------
https://thestack.technology/is-this-cvss-10-linux-kernel-vulnerability-ksmb…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-hawk and node-trim-newlines), Fedora (insight, ntfs-3g, and suricata), and SUSE (conmon, helm, kernel, and mbedtls).
---------------------------------------------
https://lwn.net/Articles/918486/
∗∗∗ Threat Brief: OWASSRF Vulnerability Exploitation ∗∗∗
---------------------------------------------
We analyze the new exploit method for Microsoft Exchange Server, OWASSRF, noting that all exploit attempts weve observed use the same PowerShell backdoor, which we track as SilverArrow.
---------------------------------------------
https://unit42.paloaltonetworks.com/threat-brief-owassrf/
∗∗∗ CVE-2022-42889 Text4shell Apache Commons Text RCE Vulnerability ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0022
∗∗∗ PSA: YITH WooCommerce Gift Cards Premium Plugin Exploited in the Wild ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2022/12/psa-yith-woocommerce-gift-cards-prem…
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851437
∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851445
∗∗∗ AIX is affected by a denial of service (CVE-2022-43680) due to Python ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851439
∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848295
∗∗∗ IBM Integration Designer is vulnerable to denial of service ( CVE-2022-21626) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851449
∗∗∗ Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server April and July 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851613
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 21-12-2022 18:00 − Donnerstag 22-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ FIN7 hackers create auto-attack platform to breach Exchange servers ∗∗∗
---------------------------------------------
The notorious FIN7 hacking group uses an auto-attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fin7-hackers-create-auto-att…
∗∗∗ Ransomware and wiper signed with stolen certificates ∗∗∗
---------------------------------------------
In this report, we compare the ROADSWEEP ransomware and ZEROCLEARE wiper versions used in two waves of attacks against Albanian government organizations.
---------------------------------------------
https://securelist.com/ransomware-and-wiper-signed-with-stolen-certificates…
∗∗∗ Microsoft research uncovers new Zerobot capabilities ∗∗∗
---------------------------------------------
The Microsoft Defender for IoT research team details information on the recent distribution of a Go-based botnet, known as Zerobot, that spreads primarily through IoT and web-application vulnerabilities.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/12/21/microsoft-research…
∗∗∗ “Suspicious login” scammers up their game – take care at Christmas ∗∗∗
---------------------------------------------
A picture is worth 1024 words - we clicked through so you dont have to.
---------------------------------------------
https://nakedsecurity.sophos.com/2022/12/21/suspicious-login-scammers-up-th…
∗∗∗ Neuer Android-Trojaner zielt auf Banking-Apps und Krypto-Plattformen ab ∗∗∗
---------------------------------------------
Eine neue Banking-Malware namens Godfather hat 16 Länder im Visier. Deutschland fällt darunter. Sie zeichnet Eingaben in über 415 Banking- und Krypto-Apps auf.
---------------------------------------------
https://heise.de/-7441440
∗∗∗ Exploiting WordPress Plugin Vulnerabilities to Steal AWS Metadata ∗∗∗
---------------------------------------------
If the site is hosted on an Amazon Web Services (AWS) server, then collecting the AWS metadata is relatively simple. This exploit only requires calling the appropriate REST API endpoint with the right payload in the ‘url’ parameter to achieve a successful exploit.
---------------------------------------------
https://www.wordfence.com/blog/2022/12/exploiting-wordpress-plugin-vulnerab…
∗∗∗ Qakbot Being Distributed via Virtual Disk Files (*.vhd) ∗∗∗
---------------------------------------------
There’s been a recent increase in the distribution of malware using disk image files.
---------------------------------------------
https://asec.ahnlab.com/en/44662/
∗∗∗ Vidar Stealer Exploiting Various Platforms ∗∗∗
---------------------------------------------
Vidar Malware is one of the active Infostealers, and its distribution has been significantly increasing. Its characteristics include the use of famous platforms such as Telegram and Mastodon as an intermediary C2.
---------------------------------------------
https://asec.ahnlab.com/en/44554/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical Windows code-execution vulnerability went undetected until now ∗∗∗
---------------------------------------------
Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems.
---------------------------------------------
https://arstechnica.com/information-technology/2022/12/critical-windows-cod…
∗∗∗ Sicherheitsupdates: Angreifer könnten Synology-Router kompromittieren ∗∗∗
---------------------------------------------
Aktuelle Versionen von Synology Router Manager schließen mehrere Sicherheitslücken. Der Hersteller stuft den Schweregrad als kritisch ein.
---------------------------------------------
https://heise.de/-7440888
∗∗∗ Wichtige Sicherheitsupdates für Avira Security, AVG Antivirus & Co. ∗∗∗
---------------------------------------------
Norton hat in seinem Portfolio von Anti-Viren-Software mehrere Sicherheitslücken geschlossen. Angreifer könnten sich höhere Nutzerrechte verschaffen.
---------------------------------------------
https://heise.de/-7441040
∗∗∗ Puckungfu: A NETGEAR WAN Command Injection ∗∗∗
---------------------------------------------
This blog post describes a command injection vulnerability found and exploited in November 2022 by NCC Group in the Netgear RAX30 router’s WAN interface.
---------------------------------------------
https://research.nccgroup.com/2022/12/22/puckungfu-a-netgear-wan-command-in…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (libksba and linux-5.10), Slackware (mozilla), and SUSE (curl, java-1_8_0-ibm, and sqlite3).
---------------------------------------------
https://lwn.net/Articles/918379/
∗∗∗ Vulnerability Spotlight: OpenImageIO file processing issues could lead to arbitrary code execution, sensitive information leak and denial of service ∗∗∗
---------------------------------------------
Cisco Talos recently discovered nineteen vulnerabilities in OpenImageIO, an image processing library, which could lead to sensitive information disclosure, denial of service and heap buffer overflows which could further lead to code execution.
---------------------------------------------
https://blog.talosintelligence.com/vulnerability-spotlight-openimageio-file…
∗∗∗ Two New Security Flaws Reported in Ghost CMS Blogging Software ∗∗∗
---------------------------------------------
https://thehackernews.com/2022/12/two-new-security-flaws-reported-in.html
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6.1 ∗∗∗
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-54/
∗∗∗ Priva TopControl Suite ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-01
∗∗∗ Rockwell Automation Studio 5000 Logix Emulate ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-02
∗∗∗ Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-03
∗∗∗ Omron CX-Programmer ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-356-04
∗∗∗ IBM Content Navigator is vulnerable to missing authorization. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6844453
∗∗∗ Vulnerability (CVE-2022-3676) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851347
∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540 ) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851337
∗∗∗ Vulnerabilities (CVE-2022-21541 and CVE-2022-21540) in IBM Java Runtime affects CICS Transaction Gateway Desktop Editon ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851351
∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851339
∗∗∗ Vulnerability (CVE-2021-41041) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851345
∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851343
∗∗∗ Vulnerability (CVE-2021-2163) in IBM Java Runtime affects CICS Transaction Gateway Desktop Editon ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851349
∗∗∗ Vulnerability (CVE-2021-28167) in Eclipse Openj9 affects CICS Transaction Gateway Desktop Edition ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6851341
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 20-12-2022 18:00 − Mittwoch 21-12-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Hackers bombard PyPi platform with information-stealing malware ∗∗∗
---------------------------------------------
The PyPi python package repository is being bombarded by a wave of information-stealing malware hiding inside malicious packages uploaded to the platform to steal software developers data.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/hackers-bombard-pypi-platfor…
∗∗∗ VirusTotal cheat sheet makes it easy to search for specific results ∗∗∗
---------------------------------------------
VirusTotal has published a cheat sheet to help researchers create queries leading to more specific results from the malware intelligence platform.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/virustotal-cheat-sheet-makes…
∗∗∗ FBI warns of search engine ads pushing malware, phishing ∗∗∗
---------------------------------------------
The FBI warns that threat actors are using search engine advertisements to promote websites distributing ransomware or stealing login credentials for financial institutions and crypto exchanges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fbi-warns-of-search-engine-a…
∗∗∗ Malicious Macros Adapt to Use Microsoft Publisher to Push Ekipa RAT ∗∗∗
---------------------------------------------
After Microsoft announced this year that macros from the Internet will be blocked by default in Office , many threat actors have switched to different file types such as Windows Shortcut (LNK), ISO or ZIP files, to distribute their malware.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/malicious-m…
∗∗∗ Fake jQuery Domain Redirects Site Visitors to Scam Pages ∗∗∗
---------------------------------------------
A recent infection has been making its rounds across vulnerable WordPress sites, detected on over 160 websites so far at the time of writing.
---------------------------------------------
https://blog.sucuri.net/2022/12/fake-jquery-domain-redirects-site-visitors-…
∗∗∗ Kindersicherungs-Apps: Smarte Kids könnten Eltern attackieren ∗∗∗
---------------------------------------------
Sicherheitsforscher haben Android-Apps untersucht, über die Eltern Internetzugriffe von Kindern einschränken können. Doch Schwachstellen weichen den Schutz auf.
---------------------------------------------
https://heise.de/-7435146
∗∗∗ Adult popunder campaign used in mainstream ad fraud scheme ∗∗∗
---------------------------------------------
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.
---------------------------------------------
https://www.malwarebytes.com/blog/threat-intelligence/2022/12/adult-popunde…
∗∗∗ Meddler-in-the-Middle Phishing Attacks Explained ∗∗∗
---------------------------------------------
Meddler-in-the-Middle (MitM) phishing attacks show how threat actors find ways to get around traditional defenses and advice.
---------------------------------------------
https://unit42.paloaltonetworks.com/meddler-phishing-attacks/
∗∗∗ Godfather: A banking Trojan that is impossible to refuse ∗∗∗
---------------------------------------------
Group-IB discovers banking Trojan targeting users of more than 400 apps in 16 countries.
---------------------------------------------
https://blog.group-ib.com/godfather-trojan
∗∗∗ Didn’t Notice Your Rate Limiting: GraphQL Batching Attack ∗∗∗
---------------------------------------------
In this article, we will discuss how allowing multiple queries or requesting multiple object instances in a single network call can be abused leading to massive data leaks or Denial of Service (DoS).
---------------------------------------------
https://checkmarx.com/blog/didnt-notice-your-rate-limiting-graphql-batching…
∗∗∗ A Technical Analysis of CVE-2022-22583 and CVE-2022-32800 ∗∗∗
---------------------------------------------
This blog entry discusses the technical details of how we exploited CVE-2022-22583 using a different method. We also tackle the technical details of CVE-2022-32800, another SIP-bypass that we discovered more recently, in this report.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/a-technical-analysis-of-cve-…
∗∗∗ Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks ∗∗∗
---------------------------------------------
In this blog entry, we discuss findings from our investigation of this ransomware and the tools that Royal ransomware actors used to carry out their attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/conti-team-one-splinter-grou…
=====================
= Vulnerabilities =
=====================
∗∗∗ Jetzt patchen! Attacken auf Exchange Server im ProxyNotShell-Kontext gesichtet ∗∗∗
---------------------------------------------
Sicherheitsforscher warnen vor einem neuen Exploit, der ProxyNotShell-Schutzkonzepte umgeht. Es gibt aber Sicherheitsupdates.
---------------------------------------------
https://heise.de/-7434860
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (xorg-server), Fedora (samba, snakeyaml, thunderbird, xorg-x11-server, and xrdp), Slackware (libksba and sdl), and SUSE (cni, cni-plugins, java-1_7_1-ibm, kernel, openssl-3, and supportutils).
---------------------------------------------
https://lwn.net/Articles/918313/
∗∗∗ Passwordless Persistence and Privilege Escalation in Azure ∗∗∗
---------------------------------------------
Adversaries are always looking for stealthy means of maintaining long-term and stealthy persistence and privilege in a target environment. Certificate-Based Authentication (CBA) is an extremely attractive persistence option in Azure for three big reasons.
---------------------------------------------
https://posts.specterops.io/passwordless-persistence-and-privilege-escalati…
∗∗∗ Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN29902403/
∗∗∗ Critical Vulnerability in Hikvision Wireless Bridges Allows CCTV Hacking ∗∗∗
---------------------------------------------
https://www.securityweek.com/critical-vulnerability-hikvision-wireless-brid…
∗∗∗ Mattermost security updates 7.5.2, 7.4.1, 7.1.5 (ESR) released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-7-5-2-7-4-1-7-1-5-e…
∗∗∗ Rechteausweitung in Razer Synapse (SYSS-2022-047) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/rechteausweitung-in-razer-synapse-syss-202…
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to denial of service due to the package org.yaml:snakeyaml and jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849213
∗∗∗ GraphQL Denial of Service security vulnerability CVE-2022-37734 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6828663
∗∗∗ IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to Node.js (CVE-2022-43548 & CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849223
∗∗∗ Security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849249
∗∗∗ OpenSSH as used by IBM Cloud Pak for Security is vulnerable to privilege escalation (CVE-2021-41617) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6850775
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 19-12-2022 18:00 − Dienstag 20-12-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Linux File System Monitoring & Actions, (Tue, Dec 20th) ∗∗∗
---------------------------------------------
There can be multiple reasons to keep an eye on a critical/suspicious file or directory. For example, you could track an attacker and wait for some access to the captured credentials in a phishing kit installed on a compromised server. You could deploy an EDR solution or an OSSEC agent that implements an FIM (File Integrity Monitoring). Upon a file change, an action can be triggered. Nice, but what if you would like a quick solution but agentless?
---------------------------------------------
https://isc.sans.edu/diary/rss/29362
∗∗∗ ChatGPT: Emerging AI Threat Landscape ∗∗∗
---------------------------------------------
ChatGPT is a prototype chatbot released by OpenAI. The chatbot is powered by AI and is gaining more traction than previous chatbots because it not only interacts in a conversational manner but has the capability to create code and many other complex questions and requests.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chatgpt-eme…
∗∗∗ Microsoft Details Gatekeeper Bypass Vulnerability in Apple macOS Systems ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a now-patched security flaw in Apple macOS that could be exploited by an attacker to get around security protections imposed to prevent the execution of malicious applications.
---------------------------------------------
https://thehackernews.com/2022/12/microsoft-details-gatekeeper-bypass.html
∗∗∗ Linux Kernel: Exploiting a Netfilter Use-after-Free in kmalloc-cg ∗∗∗
---------------------------------------------
We describe a method to exploit a use-after-free in the Linux kernel when objects are allocated in a specific slab cache, namely the kmalloc-cg series of SLUB caches used for cgroups. This vulnerability is assigned CVE-2022-32250 and exists in Linux kernel versions 5.18.1 and prior.
---------------------------------------------
https://blog.exodusintel.com/2022/12/19/linux-kernel-exploiting-a-netfilter…
∗∗∗ clif - simple command-line application fuzzer ∗∗∗
---------------------------------------------
clif is a command-line application fuzzer, pretty much what a wfuzz or ffuf are for web. It was inspired by sudo vulnerability CVE-2021-3156 and the fact that, for some reasons, Googles alf-fuzz doesnt allow for unlimited argument or option specification.
---------------------------------------------
https://andy.codes/content/blog/2022-12-20-clif.html
∗∗∗ Better Make Sure Your Password Manager Is Secure ∗∗∗
---------------------------------------------
As part of a security analysis, our colleagues kuekerino, ubahnverleih and parzel examined the password management solution Passwordstate of Click Studios and identified multiple high severity vulnerabilities (CVE-2022-3875, CVE-2022-3876, CVE-2022-3877). Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application.
---------------------------------------------
https://www.modzero.com/modlog/archives/2022/12/19/better_make_sure_your_pa…
∗∗∗ New RisePro Infostealer Increasingly Popular Among Cybercriminals ∗∗∗
---------------------------------------------
A recently identified information stealer named ‘RisePro’ is being distributed by pay-per-install malware downloader service ‘PrivateLoader’, cyberthreat firm Flashpoint reports. Written in C++, RisePro harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs.
---------------------------------------------
https://www.securityweek.com/new-risepro-infostealer-increasingly-popular-a…
∗∗∗ Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins ∗∗∗
---------------------------------------------
As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code.
---------------------------------------------
https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/
∗∗∗ Diving into an Old Exploit Chain and Discovering 3 new SIP-Bypass Vulnerabilities ∗∗∗
---------------------------------------------
More than two years ago, a researcher, A2nkF demonstrated the exploit chain from root privilege escalation to SIP-Bypass up to arbitrary kernel extension loading. In this blog entry, we will discuss how we discovered 3 more vulnerabilities from the old exploit chain.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/diving-into-an-old-exploit-c…
∗∗∗ Raspberry Robin Malware Targets Telecom, Governments ∗∗∗
---------------------------------------------
We found samples of the Raspberry Robin malware spreading in telecommunications and government office systems beginning September. The main payload itself is packed with more than 10 layers for obfuscation and is capable of delivering a fake payload once it detects sandboxing and security analytics tools.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targ…
∗∗∗ Web3 IPFS Only Used for Phishing - So Far ∗∗∗
---------------------------------------------
We discuss the use of the InterPlanetary File System (IPFS) in phishing attacks.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/web3-ipfs-only-used-for-phis…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (mujs) and SUSE (kernel and thunderbird).
---------------------------------------------
https://lwn.net/Articles/918268/
∗∗∗ FoxIt Patches Code Execution Flaws in PDF Tools ∗∗∗
---------------------------------------------
Foxit Software has rolled out a critical-severity patch to cover a dangerous remote code execution flaw in its flagship PDF Reader and PDF Editor products.
---------------------------------------------
https://www.securityweek.com/foxit-patches-code-execution-flaws-pdf-tools
∗∗∗ [R1] Nessus Network Monitor Version 6.2.0 Fixes Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-28
∗∗∗ Fuji Electric Tellus Lite V-Simulator ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-01
∗∗∗ Rockwell Automation GuardLogix and ControlLogix controllers ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-02
∗∗∗ ARC Informatique PcVue ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-03
∗∗∗ Rockwell Automation MicroLogix 1100 and 1400 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-04
∗∗∗ Delta 4G Router DX-3021 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-354-05
∗∗∗ Multiple vulnerabilities of Mozilla Firefox (less than Firefox 102.5ESR) have affected Synthetic Playback Agent 8.1.4.0-8.1.4 IF16 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849101
∗∗∗ IBM UrbanCode Build is affected by CVE-2022-42252 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849111
∗∗∗ IBM UrbanCode Build is affected by CVE-2021-43980 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849109
∗∗∗ IBM UrbanCode Build is affected by CVE-2022-34305 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6849107
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 16-12-2022 18:00 − Montag 19-12-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Infostealer Malware with Double Extension, (Sun, Dec 18th) ∗∗∗
---------------------------------------------
Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning engines.
---------------------------------------------
https://isc.sans.edu/diary/rss/29354
∗∗∗ Day 3 — Next Level Font Obfuscation ∗∗∗
---------------------------------------------
Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable.
---------------------------------------------
https://medium.com/@doctoreww/day-3-next-level-font-obfuscation-7a6cd978c7a5
∗∗∗ Venom ∗∗∗
---------------------------------------------
Venom is a C++ library that is meant to give an alternative way to communicate, instead of creating a socket that could be traced back to the process, it creates a new "hidden" (there is no window shown) detached edge process (edge was chosen because it is a browser that is installed on every Windows 10+ and wont raise suspicious) and stealing one of its sockets to perform the network operations.
---------------------------------------------
https://github.com/Idov31/Venom
∗∗∗ Exploiting API Framework Flexibility ∗∗∗
---------------------------------------------
The modern frameworks are often very flexible with what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL encoded body, or even with query parameters. Due to this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative approaches.
---------------------------------------------
https://attackshipsonfi.re/p/exploiting-api-framework-flexibility
∗∗∗ Fake Shops und Phishing-SMS: Die Betrugsmaschen im Online-Weihnachtsgeschäft ∗∗∗
---------------------------------------------
Weihnachten bedeutet auch wieder Hochsaison für Betrüger, die mit gefälschten Shops und irreführenden SMS auf das Geld ihrer Opfer aus sind.
---------------------------------------------
https://www.derstandard.at/story/2000141845543/fake-shops-und-phishing-sms-…
∗∗∗ BSI legt 19 IT-Grundschutz-Bausteine als Final Draft vor ∗∗∗
---------------------------------------------
Kurzer Hinweis für Administratoren und IT-Dienstleister, die im Unternehmensumfeld aktiv sind. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat diese Woche 19 sogenannte IT-Grundschutz-Bausteine als sogenannte Final Drafts vorgelegt. Das reicht von .NET über Active Directory Domain Services bis hin zu Windows Server.
---------------------------------------------
https://www.borncity.com/blog/2022/12/18/bsi-legt-19-it-grundschutz-baustei…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco Security Advisories 2022-12-16 - 2022-12-18 ∗∗∗
---------------------------------------------
Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium)
---------------------------------------------
https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs…
∗∗∗ HP kümmert sich mit BIOS-Updates um Schadcode-Lücken ∗∗∗
---------------------------------------------
Sicherheitsupdates schließen mehrere Schwachstellen in HP-Computern. Einige Lücken betreffen ausschließlich AMD-Systeme.
---------------------------------------------
https://heise.de/-7398783
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).
---------------------------------------------
https://lwn.net/Articles/918203/
∗∗∗ Synology-SA-22:24 Samba AD DC ∗∗∗
---------------------------------------------
Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraint via a susceptible version of Synology Directory Server.
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_24
∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329 ∗∗∗
---------------------------------------------
Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash.
---------------------------------------------
https://support.citrix.com/article/CTX473048/citrix-hypervisor-security-bul…
∗∗∗ Zenphoto vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN06093462/
∗∗∗ Corel Roxio Creator LJB starts a program with an unquoted file path ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN13075438/
∗∗∗ ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1681/
∗∗∗ DLL Search Order Hijacking Vulnerability in the DWG TrueView™ Desktop Software ∗∗∗
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0024
∗∗∗ Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6845928
∗∗∗ IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6841801
∗∗∗ IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848587
∗∗∗ IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848585
∗∗∗ IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848583
∗∗∗ IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848577
∗∗∗ UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848581
∗∗∗ Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848847
∗∗∗ IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848879
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 15-12-2022 18:00 − Freitag 16-12-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Phishing attack uses Facebook posts to evade email security ∗∗∗
---------------------------------------------
A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII).
---------------------------------------------
https://www.bleepingcomputer.com/news/security/phishing-attack-uses-faceboo…
∗∗∗ Backdoor Targets FreePBX Asterisk Management Portal ∗∗∗
---------------------------------------------
Written in PHP and JavaScript, FreePBX is a web-based open-source GUI that manages Asterisk, a voice over IP and telephony server. This open-source software allows users to build customer phone systems. During a recent investigation, I came across a simple piece of malware targeting FreePBX’s Asterisk Management portal which allowed attackers to arbitrarily add and delete users, as well as modify the website’s .htaccess file. Let’s take a closer look at this backdoor.
---------------------------------------------
https://blog.sucuri.net/2022/12/backdoor-targets-freepbx-asterisk-managemen…
∗∗∗ Decentralized Identity Attack Surface – Part 2 ∗∗∗
---------------------------------------------
This is the second part of our Decentralized Identity (DID) blog series. In case you’re not familiar with DID concepts, we highly encourage you to start with the first part. This time we will cover a different DID implementation — Sovrin. We will also see what a critical (CVSS 10) DID vulnerability looks like by reviewing the one we found in this popular implementation.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/decentralized-ident…
∗∗∗ Das Ende vom unsicheren Hash-Algorithmus SHA-1 zieht sich wie Kaugummi ∗∗∗
---------------------------------------------
Das National Institute of Standards and Technology schickt das längst geknackte SHA-1-Verfahren in Rente – endgültig aber erst in acht Jahren.
---------------------------------------------
https://heise.de/-7396973
∗∗∗ Codeschmuggel möglich: Microsoft stuft Sicherheitslücke auf "kritisch" herauf ∗∗∗
---------------------------------------------
Eine Sicherheitslücke, für die Microsoft ein Update bereitgestellt hat, ermöglicht unerwartet Angreifern ohne Anmeldung, Schadcode einzuschleusen.
---------------------------------------------
https://heise.de/-7396879
∗∗∗ The Data Protection Officer, an ubiquitous role nobody really knows. (arXiv:2212.07712v1 [cs.CR]) ∗∗∗
---------------------------------------------
Among all cybersecurity and privacy workers, the Data Protection Officer (DPO) stands between those auditing a company's compliance and those acting as management advisors. A person that must be somehow versed in legal, management, and cybersecurity technical skills. We describe how this role tackles socio-technical risks in everyday scenarios.
---------------------------------------------
http://arxiv.org/abs/2212.07712
∗∗∗ FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food ∗∗∗
---------------------------------------------
The joint CSA analyzes the common tactics, techniques, and procedures (TTPs) utilized by criminal actors to spoof emails and domains to impersonate legitimate employees and order goods that went unpaid and were possibly resold at devalued prices with labeling that lacked industry standard “need-to-knows” (i.e., necessary information about ingredients, allergens, or expiration dates).
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/fbi-fda-oci-and-u…
∗∗∗ Agenda Ransomware Uses Rust to Target More Vital Industries ∗∗∗
---------------------------------------------
This year, various ransomware-as-a-service groups have developed versions of their ransomware in Rust, including Agenda. Agendas Rust variant has targeted vital industries like its Go counterpart. In this blog, we will discuss how the Rust variant works.
---------------------------------------------
https://www.trendmicro.com/en_us/research/22/l/agenda-ransomware-uses-rust-…
=====================
= Vulnerabilities =
=====================
∗∗∗ VMSA-2022-0034 ∗∗∗
---------------------------------------------
vRealize Operations (vROps) contains a privilege escalation vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 7.2.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0034.html
*** Cisco Security Advisories 2022-12-16 ***
---------------------------------------------
Cisco has updated 18 security advisories: (4x Critical, 11x High, 3x Medium)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&lastP…
*** Vulnerabilities in Autodesk Image Processing component used by Autodesk products II ***
---------------------------------------------
Applications and services that utilize Image Processing component used by Autodesk products may be impacted by Out-of-bound Read, Heap-based Overflow, Out-of-bound Write, Memory corruption, and Use-after-free vulnerabilities.
---------------------------------------------
https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0025
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr, libde265, php7.3, and thunderbird), Fedora (firefox, freeradius, freerdp, and xorg-x11-server), Oracle (firefox, prometheus-jmx-exporter, and thunderbird), Red Hat (firefox, nodejs:16, prometheus-jmx-exporter, and thunderbird), and SUSE (ceph and chromium).
---------------------------------------------
https://lwn.net/Articles/918047/
∗∗∗ Samba Releases Security Updates ∗∗∗
---------------------------------------------
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba. An attacker could exploit some of these vulnerabilities to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/12/16/samba-releases-se…
∗∗∗ Remote code execution bypass in Eclipse Business Intelligence Reporting Tool (BiRT) ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/remote-code-execution-by…
∗∗∗ IBM Security Guardium is affected by the following vulnerabilities [CVE-2022-39166, CVE-2022-34917, CVE-2022-42889] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848317
∗∗∗ Multiple Vulnerabilities in base image packages affect IBM Voice Gateway ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848319
∗∗∗ Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848279
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 14-12-2022 18:00 − Donnerstag 15-12-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ LEGO BrickLink bugs let hackers hijack accounts, breach servers ∗∗∗
---------------------------------------------
Security analysts have discovered two API security vulnerabilities in BrickLink.com, LEGO Groups official second-hand and vintage marketplace for LEGO bricks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lego-bricklink-bugs-let-hack…
∗∗∗ Hacking Using SVG Files to Smuggle QBot Malware onto Windows Systems ∗∗∗
---------------------------------------------
Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments.
---------------------------------------------
https://thehackernews.com/2022/12/hacking-using-svg-files-to-smuggle-qbot.h…
∗∗∗ Technical Review: A Deep Analysis of the Dirty Pipe Vulnerability ∗∗∗
---------------------------------------------
Dirty Pipe (CVE-2022-0847) proved that there is a new way to exploit Linux syscalls to write to files with a read-only privileges.
---------------------------------------------
https://blog.aquasec.com/deep-analysis-of-the-dirty-pipe-vulnerability
∗∗∗ Digging Inside Azure Functions: HyperV Is the Last Line of Defense ∗∗∗
---------------------------------------------
We investigated Azures serverless architecture and found that a HyperV VM was the remaining defense after a container breakout.
---------------------------------------------
https://unit42.paloaltonetworks.com/azure-serverless-functions-security/
∗∗∗ Patch Tuesday: (zur Abwechslung) Augen auf! ∗∗∗
---------------------------------------------
Manchmal gelangen wir die verzwickte Lage, dass sich in den Patchnotes Updates für Schwachstellen verbergen, aufgrund derer wir zwar keine Warnung veröffentlichen, aber auf die wir dennoch explizit hinweisen wollen. Diesen Monat ist es wieder einmal soweit.
---------------------------------------------
https://cert.at/de/blog/2022/12/patch-tuesday-zur-abwechslung-augen-auf
∗∗∗ Windows Server 2019/2022: Dezember 2022-Sicherheitsupdates verursachen Hyper-V-Probleme ∗∗∗
---------------------------------------------
Die zum Dezember 2022 Patchday von Microsoft ausgerollten Sicherheitsupdates führen in bestimmten Konstellationen zum Problemen mit Hyper-V.
---------------------------------------------
https://www.borncity.com/blog/2022/12/15/windows-server-2019-2022-dezember-…
∗∗∗ Microsoft-Zertifikate zur Signatur von Malware missbraucht (Dez. 2022) ∗∗∗
---------------------------------------------
Sicherheitsforscher sind auf Fälle gestoßen, wo es Cyberkriminellen gelungen ist, Malware durch gültige digitale Zertifikate von Microsoft zu signieren.
---------------------------------------------
https://www.borncity.com/blog/2022/12/15/microsoft-zertifikate-zur-signatur…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as Critical ∗∗∗
---------------------------------------------
Microsoft has revised the severity of a security vulnerability it originally patched in September 2022, upgrading it to "Critical" after it emerged that it could be exploited to achieve remote code execution.
---------------------------------------------
https://thehackernews.com/2022/12/microsoft-reclassifies-spnego-extended.ht…
∗∗∗ Typo3: Neue Fassungen schließen hochriskante Sicherheitslücke ∗∗∗
---------------------------------------------
Angreifer könnten in Typo3 etwa eigenen PHP-Code einschleusen. Mit neuen Versionen schließen die Entwickler diese und weitere Sicherheitslücken.
---------------------------------------------
https://heise.de/-7395790
∗∗∗ Microsoft Patch Tuesday, December 2022 Edition ∗∗∗
---------------------------------------------
Microsoft has released its final monthly batch of security updates for 2022, fixing more than four dozen security holes in its various Windows operating systems and related software.
---------------------------------------------
https://krebsonsecurity.com/2022/12/microsoft-patch-tuesday-december-2022-e…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and git), Slackware (mozilla and xorg), SUSE (apache2-mod_wsgi, capnproto, xorg-x11-server, xwayland, and zabbix), and Ubuntu (emacs24, firefox, linux-azure, linux-azure-5.15, linux-azure-fde, linux-oem-6.0, and xorg-server, xorg-server-hwe-18.04, xwayland).
---------------------------------------------
https://lwn.net/Articles/917947/
∗∗∗ Der unsichtbare Feind: Buffer Overflow Schwachstellen in Zyxel Routern nach wie vor problematisch ∗∗∗
---------------------------------------------
https://sec-consult.com/de/blog/detail/enemy-within-unauthenticated-buffer-…
∗∗∗ Drupal Releases Security Updates to Address Vulnerabilities in H5P and File (Field) Paths ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/12/15/drupal-releases-s…
∗∗∗ [R1] Tenable.ad Versions 3.29.4, 3.19.12 and 3.11.9 Fix One Vulnerability ∗∗∗
---------------------------------------------
https://www.tenable.com/security/tns-2022-27
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848189
∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848195
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM License Metric Tool v9. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848221
∗∗∗ Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848225
∗∗∗ A vulnerability in Python affects IBM Elastic Storage System (CVE-2022-0391) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848229
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related to Node [CVE-2022-39353] ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848213
∗∗∗ Vulnerabilities in IBM Java SDK affect IBM Spectrum Control ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847605
∗∗∗ IBM Spectrum Control is vulnerable to multiple weaknesses related IBM WebSphere Application Server Liberty and FasterXML jackson-databind ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847541
∗∗∗ Security vulnerability is addressed with IBM Cloud Pak for Business Automation iFixes for November 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6848295
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Dienstag 13-12-2022 18:00 − Mittwoch 14-12-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft-signed malicious Windows drivers used in ransomware attacks ∗∗∗
---------------------------------------------
Microsoft has revoked several Microsoft hardware developer accounts after drivers signed through their profiles were used in cyberattacks, including ransomware incidents.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-signed-malicious-…
∗∗∗ Open-source repositories flooded by 144,000 phishing packages ∗∗∗
---------------------------------------------
Unknown threat actors have uploaded a total of 144,294 phishing-related packages on the open-source package repositories NuGet, PyPI, and NPM.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/open-source-repositories-flo…
∗∗∗ Input Validation for Website Security ∗∗∗
---------------------------------------------
Web forms are incredibly useful tools. They allow you to gather important information about potential clients and site visitors, collect comments and feedback, upload files, subscribe new users to your blog, or even collect payment details. But if your forms aren’t properly validating user inputs, you might be in for a nasty surprise: a variety of issues can occur if data is uploaded to your site’s environment without specific controls.
---------------------------------------------
https://blog.sucuri.net/2022/12/input-validation-for-website-security.html
∗∗∗ Google Launches OSV-Scanner Tool to Identify Open Source Vulnerabilities ∗∗∗
---------------------------------------------
Google on Tuesday announced the open source availability of OSV-Scanner, a scanner that aims to offer easy access to vulnerability information about various projects.The Go-based tool, powered by the Open Source Vulnerabilities (OSV) database, is designed to connect "a projects list of dependencies with the vulnerabilities that affect them," [..]
---------------------------------------------
https://thehackernews.com/2022/12/google-launches-largest-distributed.html
∗∗∗ New GoTrim Botnet Attempting to Break into WordPress Sites Admin Accounts ∗∗∗
---------------------------------------------
A new Go-based botnet has been spotted scanning and brute-forcing self-hosted websites using the WordPress content management system (CMS) to seize control of the targeted systems."This new brute forcer is part of a new campaign we have named GoTrim because it was written in Go and uses :::trim::: to split data communicated to and from the C2 server,"
---------------------------------------------
https://thehackernews.com/2022/12/new-gotrim-botnet-attempting-to-break.html
∗∗∗ Ade iOS 15: Apple stellt Support auf neueren iPhones offenbar ein ∗∗∗
---------------------------------------------
iPhones ab Baujahr 2017 erhalten Sicherheits-Updates nur noch nach Upgrade auf iOS 16. Lücken in iOS 15 werden laut Apple aktiv ausgenutzt.
---------------------------------------------
https://heise.de/-7394913
∗∗∗ BSI-Magazin mit Schwerpunkt "Ransomware" veröffentlicht ∗∗∗
---------------------------------------------
Die zweite Ausgabe des BSI-Magazins "Mit Sicherheit" in diesem Jahr ist erschienen. Das BSI stellt in diesem BSI-Magazin eine der aktuell größten Bedrohungen für die IT-Sicherheit in einem Sonderteil in den Mittelpunkt: Ransomware. [..] Weitere Themen sind Automotive Security, der Digitale Verbraucherschutz sowie die Zusammenarbeit von BSI und NATO zur Gestaltung der Cloud-Sicherheit im Bündnis. Außerdem gibt es im neuen BSI-Magazin eine neue Checkliste mit Tipps für ein sicheres Heimnetzwerk.
---------------------------------------------
https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge…
∗∗∗ NSA, CISA, and ODNI Release Guidance on Potential Threats to 5G Network Slicing ∗∗∗
---------------------------------------------
Original release date: December 13, 2022Today, the National Security Agency (NSA), CISA, and the Office of the Director of National Intelligence (ODNI), published Potential Threats to 5G Network Slicing. This guidance—created by the Enduring Security Framework (ESF), a public-private cross-sector working group led by the NSA and CISA—presents both the benefits and risks associated with 5G network slicing. It also provides mitigation strategies that address potential threats to 5G network slicing.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/12/13/nsa-cisa-and-odni…
=====================
= Vulnerabilities =
=====================
∗∗∗ Vulnerabilities found on Arcadyan Routers ∗∗∗
---------------------------------------------
The two vulnerabilities were found by Asher Davila L. in Arcadyan wireless modems with model number VRV9506JAC23. It is probable that they are also present in other Arcadyan models as well because their web interfaces are similar and they have common features. The following are the two found vulnerabilities:
* CVE-2020-9420: Cleartext transmission of sensitive information
* CVE-2020-9419: Stored cross-site scripting
---------------------------------------------
https://gist.github.com/AsherDLL/03d0762b5a535e300f1121caebe333ce
∗∗∗ Webbrowser: Chrome-Update dichtet acht Sicherheitslecks ab ∗∗∗
---------------------------------------------
Google hat eine aktualisierte Version des Webbrowsers Chrome bereitgestellt. Sie schließt mindestens vier hochriskante Sicherheitslücken.
---------------------------------------------
https://heise.de/-7394554
∗∗∗ VMSA-2022-0032: VMware Workspace ONE Access (Access), VMware Identity Manager (vIDM), VMware Cloud Foundation (Cloud Foundation) ∗∗∗
---------------------------------------------
Synopsis: VMware Workspace ONE Access and Identity Manager updates address multiple vulnerabilities (CVE-2022-31700, CVE-2022-31701).
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0032.html
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (pngcheck), Fedora (qemu), Mageia (admesh, busybox, emacs, libarchive, netkit-telnet, ruby, rxvt-unicode, and shadowutils), Oracle (bcel and kernel), Red Hat (389-ds-base, bcel, dbus, firefox, grub2, kernel, kernel-rt, kpatch-patch, thunderbird, and usbguard), Scientific Linux (bcel), SUSE (containerd, firefox, grafana, java-1_8_0-openjdk, libtpms, net-snmp, and wireshark), and Ubuntu (pillow).
---------------------------------------------
https://lwn.net/Articles/917839/
∗∗∗ Adobe Patches 38 Flaws in Enterprise Software Products ∗∗∗
---------------------------------------------
After skipping last month, Adobe returned to its scheduled Patch Tuesday cadence with the release of fixes for at least 38 vulnerabilities in multiple enterprise-facing products.The San Jose, California software maker said the flaws could expose users to code execution and privilege escalation attacks across all computer platforms.
---------------------------------------------
https://www.securityweek.com/adobe-patches-38-flaws-enterprise-software-pro…
∗∗∗ ICS Patch Tuesday: Siemens Fixes 80 OpenSSL, OpenSSH Flaws in Switches ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric have addressed over 140 vulnerabilities with their December 2022 Patch Tuesday updates.Siemensread more
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-fixes-80-openssl-ope…
∗∗∗ Apple Releases Security Updates for Multiple Products ∗∗∗
---------------------------------------------
Original release date: December 13, 2022Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.CISA encourages users and administrators to review the Apple security updates page for the following products and apply the necessary updates as soon as possible:
iCloud for Windows 14.1
Safari 16.2
macOS Monterey 12.6.2
macOS Big Sur 11.7.2
tvOS 16.2
watchOS 9.2
iOS 15.7.2 and iPadOS 15.7.2
iOS 16.2 and iPadOS 16.2
macOS Ventura 13.1
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/12/13/apple-releases-se…
∗∗∗ Sonicwall Capture Client Local Privilege Escalation via SentinelOne Agent (Aikido) ∗∗∗
---------------------------------------------
An arbitrary file deletion vulnerability (Aikido) in Sonicwall Capture Client via SentinelOne Agent could allow a local attacker to escalate privileges and delete files. The exploit was confirmed to work with 6 vulnerable EDR products, including the SentinelOne Agent for Windows.Please note: an attacker must first obtain low-privileged access on the target system in order to exploit this vulnerability.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0025
∗∗∗ Cisco Identity Services Engine Unauthorized File Access Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Weidmueller: Multiple IoT and control products affected by JavaScript injection vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-056/
∗∗∗ NVIDIA GPU Display Driver Advisory - November 2022 ∗∗∗
---------------------------------------------
http://support.lenovo.com/product_security/PS500536-NVIDIA-GPU-DISPLAY-DRIV…
∗∗∗ Vulnerabilities in Linux Kernel, Golang Go, and cURL libcurl may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847643
∗∗∗ Vulnerability in IBM WebSphere Application Server Liberty may affect IBM Spectrum Protect Operations Center and Client Management Service (CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847655
∗∗∗ Vulnerabilities in zlib and Golang Go may affect the IBM Spectrum Protect Server (CVE-2018-25032, CVE-2022-27664) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847653
∗∗∗ IBM Copy Services Manager is vulnerable to a remote attack vulnerabilities due to IBM WebSphere Application Server Liberty vulnerabilities (CVE-2022-22476) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847789
∗∗∗ IBM Tivoli Netcool\/OMNIbus Transport Module Common Integration Library is affected by vulnerability in Apache Kafka (CVE-2022-34917) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847829
∗∗∗ IBM Tivoli Netcool\/OMNIbus Probe and Integrations Library are affected by vulnerabilities in FasterXML jackson-databind (CVE-2022-42004, CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6846525
∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42003) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847939
∗∗∗ IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to FasterXML jackson-databind (CVE-2022-42004) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847945
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Montag 12-12-2022 18:00 − Dienstag 13-12-2022 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Amazon ECR Public Gallery flaw could have wiped or poisoned any image ∗∗∗
---------------------------------------------
The researcher reported the vulnerability to AWS Security on November 15, 2022, and Amazon rolled out a fix in under 24 hours.
While there are no signs of this flaw being abused in the wild, threat actors could have used it in massive-scale supply chain attacks against many users.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/amazon-ecr-public-gallery-fl…
∗∗∗ IIS modules: The evolution of web shells and how to detect them ∗∗∗
---------------------------------------------
This blog aims to provide further guidance on detecting malicious IIS modules and other capabilities that you can use during your own incident response investigations.
---------------------------------------------
https://www.microsoft.com/en-us/security/blog/2022/12/12/iis-modules-the-ev…
∗∗∗ A Deep Dive into BianLian Ransomware ∗∗∗
---------------------------------------------
BianLian ransomware is a Golang malware that performed targeted attacks across multiple industries in 2022. The ransomware employed anti-analysis techniques consisting of API calls that would likely crash some sandboxes/automated analysis systems. The malware targets all drives identified on the machine and deletes itself after the encryption is complete.
---------------------------------------------
https://resources.securityscorecard.com/research/bian-lian-deep-dive
∗∗∗ New Python-Based Backdoor Targeting VMware ESXi Servers ∗∗∗
---------------------------------------------
Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers. The targeted servers were impacted by known security defects (such as CVE-2019-5544 and CVE-2020-3992) that were likely used for initial compromise, but what caught the researchers’ attention was the simplicity, persistence, and capabilities of the deployed backdoor.
---------------------------------------------
https://www.securityweek.com/new-python-based-backdoor-targeting-vmware-esx…
∗∗∗ What’s My Name Again? Reolink camera command injection ∗∗∗
---------------------------------------------
TL;DR Research on Reolink’s RLC-520A smart motion detection camera has turned up an authenticated command injection vulnerability. Exploiting this vulnerability with an injected system command can render the device useless.
---------------------------------------------
https://www.pentestpartners.com/security-blog/whats-my-name-again-reolink-c…
∗∗∗ Aktuelle Welle an DDoS Angriffen auf staatsnahe und kritische Infrastruktur in Österreich ∗∗∗
---------------------------------------------
Seit ca. zwei Wochen sehen sich vermehrt österreichische staatliche/staatsnahe Organisationen sowie Unternehmen der kritischen Infrastruktur mit DDoS Angriffen konfrontiert. Die genauen Hintergründe und Motive der Attacken sind uns zurzeit nicht bekannt. Die Täter:innen greifen hierbei zu verschiedenen Methoden und versuchen auch, sich an getroffene Gegenmaßnahmen anzupassen.
---------------------------------------------
https://cert.at/de/aktuelles/2022/12/aktuelle-welle-an-ddos-angriffen-auf-s…
∗∗∗ REPORT: A new trick from Facebook scammers and Sharkbot Android malware returns ∗∗∗
---------------------------------------------
A new wave of scams utilizes Facebook’s tagging feature to trick Page owners into believing they’ve violated Facebook’s terms and conditions. Several variations of the attack exist, but all lead to phishing sites designed to steal Page owner’s credentials.
---------------------------------------------
https://blog.f-secure.com/f-alert-report-a-new-trick-from-facebook-scammers…
=====================
= Vulnerabilities =
=====================
∗∗∗ Redmine vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
Redmine contains a cross-site scripting vulnerability.
---------------------------------------------
https://jvn.jp/en/jp/JVN60211811/
∗∗∗ Announcing TYPO3 12.1.1 [12.1.2], 11.5.20 and 10.4.33 security releases ∗∗∗
---------------------------------------------
today weve released TYPO3 12.1.1, 11.5.20 LTS and 10.4.33 LTS, which are ready for you to download. All versions are security releases and contain important security fixes [unfortunately TYPO3 v12.1.1 contained a regression, which has been fixed in TYPO3 v12.1.2.]
---------------------------------------------
https://lists.typo3.org/pipermail/typo3-announce/2022/000523.html
∗∗∗ Vulnerabilities in multiple third party TYPO3 CMS extensions ∗∗∗
---------------------------------------------
several vulnerabilities have been found in the following third party TYPO3 extensions:
* "Change password for frontend users" (fe_change_pwd)
* "Newsletter subscriber management" (fp_newsletter)
* "Master-Quiz" (fp_masterquiz)
For further information on the issues, please read the related advisories TYPO3-EXT-SA-2022-016, TYPO3-EXT-SA-2022-017 and TYPO3-EXT-SA-2022-018 which were published today
---------------------------------------------
https://lists.typo3.org/pipermail/typo3-announce/2022/000524.html
∗∗∗ OpenSSL: X.509 Policy Constraints Double Locking (CVE-2022-3996) ∗∗∗
---------------------------------------------
Severity: Low
If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup.
---------------------------------------------
https://www.openssl.org/news/secadv/20221213.txt
∗∗∗ Patchday SAP: 14 neue Sicherheitsmeldungen im Dezember ∗∗∗
---------------------------------------------
Zum Jahresende behandelt SAP in 14 Sicherheitsnotizen Schwachstellen in der Software des Unternehmens. IT-Verantwortliche sollten die Updates rasch anwenden.
---------------------------------------------
https://heise.de/-7392718
∗∗∗ Jetzt patchen! Kritische Zero-Day-Lücke in FortiOS wird angegriffen ∗∗∗
---------------------------------------------
Fortinet meldet eine kritische Sicherheitslücke in FortiOS. Cyberkriminelle missbrauchen diese bereits für Angriffe. Updates stehen bereit.
---------------------------------------------
https://heise.de/-7392455
∗∗∗ VMSA-2022-0031 ∗∗∗
---------------------------------------------
Synopsis: VMware vRealize Network Insight (vRNI) updates address command injection and directory traversal security vulnerabilities (CVE-2022-31702, CVE-2022-31703)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0031.html
∗∗∗ VMSA-2022-0033 ∗∗∗
---------------------------------------------
Synopsis: VMware ESXi, Workstation, and Fusion updates address a heap out-of-bounds write vulnerability (CVE-2022-31705)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0033.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (node-tar and pngcheck), SUSE (colord, containerd, and tiff), and Ubuntu (containerd, linux-azure, linux-azure, linux-azure-5.4, linux-oem-5.17, and vim).
---------------------------------------------
https://lwn.net/Articles/917749/
∗∗∗ Security Vulnerabilities fixed in Thunderbird 102.6 ∗∗∗
---------------------------------------------
In general, these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts.
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-53/
∗∗∗ Security Vulnerabilities fixed in Firefox ESR 102.6 ∗∗∗
---------------------------------------------
CVE-2022-46880: Use-after-free in WebGL
CVE-2022-46872: Arbitrary file read from a compromised content process
CVE-2022-46881: Memory corruption in WebGL
CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
CVE-2022-46882: Use-after-free in WebGL
CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-52/
∗∗∗ Security Vulnerabilities fixed in Firefox 108 ∗∗∗
---------------------------------------------
CVE-2022-46871: libusrsctp library out of date
CVE-2022-46872: Arbitrary file read from a compromised content process
CVE-2022-46873: Firefox did not implement the CSP directive unsafe-hashes
CVE-2022-46874: Drag and Dropped Filenames could have been truncated to malicious extensions
CVE-2022-46875: Download Protections were bypassed by .atloc and .ftploc files on Mac OS
CVE-2022-46877: Fullscreen notification bypass
CVE-2022-46878: Memory safety bugs fixed in Firefox 108 and Firefox ESR 102.6
CVE-2022-46879: Memory safety bugs fixed in Firefox 108
---------------------------------------------
https://www.mozilla.org/en-US/security/advisories/mfsa2022-51/
∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 ∗∗∗
---------------------------------------------
A vulnerability has been discovered in Citrix Gateway and Citrix ADC, listed below, that, if exploited, could allow an unauthenticated remote attacker to perform arbitrary code execution on the appliance.
CVE-ID: CVE-2022-27518
---------------------------------------------
https://support.citrix.com/article/CTX474995/citrix-adc-and-citrix-gateway-…
∗∗∗ Privilege Escalation Schwachstellen (UNIX Insecure File Handling) in SAP® Host Agent (saposcol) ∗∗∗
---------------------------------------------
Due to insecure file handling issues of the SAP® Host Agent, a local attacker can exploit the helper binary saposcol to escalate privileges on UNIX systems. Successful exploitation leads to full system compromise with root access.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/privilege-escalation-…
∗∗∗ ICS Advisory (ICSA-22-347-03): Contec CONPROSSYS HMI System (CHS) ∗∗∗
---------------------------------------------
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-03
∗∗∗ ICS Advisory (ICSA-22-347-02): Schneider Electric APC Easy UPS Online ∗∗∗
---------------------------------------------
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-02
∗∗∗ ICS Advisory (ICSA-22-347-01): ICONICS and Mitsubishi Electric Products ∗∗∗
---------------------------------------------
https://www.cisa.gov/uscert/ics/advisories/icsa-22-347-01
∗∗∗ Wiesemann & Theis multiple products prone to web interface vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-057/
∗∗∗ Festo: Vulnerable WIBU-SYSTEMS CodeMeter Runtime in multiple products ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-038/
∗∗∗ A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847315
∗∗∗ AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6619729
∗∗∗ IBM QRadar Network Packet Capture has released 7.3.1 Patch 1, and 7.2.8 Patch 1 in response to the vulnerabilities known as Spectre and Meltdown. ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/571419
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact (CVE-2021-41041, CVE-2022-3676) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847341
∗∗∗ Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Netcool Impact ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847351
∗∗∗ Multiple vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2022-24839, CVE-2022-37734, CVE-2022-34165) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847349
∗∗∗ Multiple vulnerabilities have been identified in Smack API shipped with IBM Tivoli Netcool Impact (CVE-2014-0363, CVE-2014-0364) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847337
∗∗∗ Multiple Linux Kernel vulnerabilities may affect IBM Elastic Storage System ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847563
∗∗∗ WebSphere Application Server is vulnerable to SOAPAction spoofing when processing JAX-WS Web Services requests which affects Content Collector for Email ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847593
∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847591
∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847587
∗∗∗ Content Collector for Email is affected by a vulnerability found in embedded WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6847595
∗∗∗ Vulnerability in OAuthlib affects IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-36087) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6842215
∗∗∗ Vulnerabilities in Redis affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift (CVE-2022-24736, CVE-2022-24735) ∗∗∗
---------------------------------------------
https://www.ibm.com/support/pages/node/6842235
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 09-12-2022 18:00 − Montag 12-12-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Clop ransomware partners with TrueBot malware for access to networks ∗∗∗
---------------------------------------------
Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/clop-ransomware-partners-wit…
∗∗∗ Popular WAFs Subverted by JSON Bypass ∗∗∗
---------------------------------------------
Web application firewalls from AWS, Cloudflare, F5, Imperva, and Palo Alto Networks are vulnerable to a database attack using the popular JavaScript Object Notation (JSON) format.
---------------------------------------------
https://www.darkreading.com/application-security/popular-wafs-json-bypass
∗∗∗ On-device WebAuthn and what makes it hard to do well ∗∗∗
---------------------------------------------
WebAuthn improves login security a lot by making it significantly harder for a users credentials to be misused - a WebAuthn token will only respond to a challenge if its issued by the site a secret was issued to, and in general will only do so if the user provides proof of physical presence[1]. But giving people tokens is tedious and also I have a new laptop which only has USB-C but does have a working fingerprint reader and I [...]
---------------------------------------------
https://mjg59.dreamwidth.org/62746.html
∗∗∗ Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant ∗∗∗
---------------------------------------------
Travel agencies have emerged as the target of a hack-for-hire group dubbed Evilnum as part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe. The attacks, which took place during 2020 and 2021 and likely went as far back as 2015, involved a revamped variant of a malware called Janicab that leverages a number of public services like WordPress [...]
---------------------------------------------
https://thehackernews.com/2022/12/hack-for-hire-group-targets-travel-and.ht…
∗∗∗ Log4j’s Log4Shell Vulnerability: One Year Later, It’s Still Lurking ∗∗∗
---------------------------------------------
Despite mitigation, one of the worst bugs in internet history is still prevalent—and being exploited.
---------------------------------------------
https://www.wired.com/story/log4j-log4shell-one-year-later/
∗∗∗ Practically-exploitable Cryptographic Vulnerabilities in Matrix ∗∗∗
---------------------------------------------
We report several practically-exploitable cryptographic vulnerabilities in the end-to-end encryption in Matrix and describe proof-of-concept attacks exploiting these vulnerabilities. [...] Whilst the language of the paper and this website is in present tense, many of the vulnerabilities disclosed have been fixed. See our paper (or Matrix’ website) for more details.
---------------------------------------------
https://nebuchadnezzar-megolm.github.io/
∗∗∗ Cisco Working on Patch for Publicly Disclosed IP Phone Vulnerability ∗∗∗
---------------------------------------------
Cisco informed customers on Thursday that it’s working on patches for a high-severity vulnerability affecting some of its IP phones.
---------------------------------------------
https://www.securityweek.com/cisco-working-patch-publicly-disclosed-ip-phon…
∗∗∗ So schützen Sie sich vor problematischen Online-Shops ∗∗∗
---------------------------------------------
Immer wieder werden uns Online-Shops gemeldet, die zwar keine Fake-Shops, aber trotzdem problematisch sind. Lieferzeiten werden nicht eingehalten, die Qualität der Produkte lässt zu wünschen übrig, oder es kommt zu hohen Zoll- oder Retourenkosten. Wir zeigen Ihnen, worauf Sie achten müssen, um keine bösen Überraschungen beim Online-Shopping zu erleben!
---------------------------------------------
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-problemati…
∗∗∗ So schützen Sie sich vor Abo-Fallen im Internet ∗∗∗
---------------------------------------------
Auch im Internet hat niemand etwas zu verschenken! Lassen Sie Vorsicht walten bei Angeboten, die zu gut sind, um wahr zu sein. Diese „Angebote“ nutzen Kriminelle, um Sie in die Falle zu locken. Wenn Sie bemerken, dass Geldbeträge ohne Ihre Zustimmung von Ihrem Konto abgebucht werden, handelt es sich möglicherweise um eine Abo-Falle!
---------------------------------------------
https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-abo-fallen…
∗∗∗ Was tun, wenn Sie in eine Abo-Falle getappt sind? ∗∗∗
---------------------------------------------
Auf der Suche nach kostenlosen Angeboten und gratis Testversionen werden Sie im Internet schnell fündig. Doch Vorsicht: Hier ist nicht alles Gold, was glänzt! Oft handelt es sich nämlich um Abo-Fallen, bei denen Ihnen unbegründet Rechnungen zugeschickt oder Geldbeträge vom Konto abgebucht werden und man Ihnen mit Inkassobüros oder Rechtsanwaltsschreiben droht. Die Lösung? Auf keinen Fall bezahlen!
---------------------------------------------
https://www.watchlist-internet.at/news/was-tun-wenn-sie-in-eine-abo-falle-g…
∗∗∗ Precious Gemstones: The New Generation of Kerberos Attacks ∗∗∗
---------------------------------------------
Unit 42 researchers show new methods to improve detection of a next-gen line of Kerberos attacks, which allow attackers to modify Kerberos tickets to maintain privileged access.
---------------------------------------------
https://unit42.paloaltonetworks.com/next-gen-kerberos-attacks/
=====================
= Vulnerabilities =
=====================
∗∗∗ FortiOS - heap-based buffer overflow in sslvpnd ∗∗∗
---------------------------------------------
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests. Fortinet is aware of an instance where this vulnerability was exploited in the wild, and recommends immediately validating your systems against the following indicators of compromise: [...]
---------------------------------------------
https://www.fortiguard.com/psirt/FG-IR-22-398
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cacti, grub2, hsqldb, node-eventsource, and openexr), Fedora (bcel, keylime, rust-capnp, rust-sequoia-octopus-librnp, xfce4-screenshooter, and xfce4-settings), Oracle (nodejs:18), Scientific Linux (grub2), Slackware (libarchive), SUSE (go1.18, go1.19, nautilus, opera, python-slixmpp, and samba), and Ubuntu (python2.7, python3.5, qemu, and squid3).
---------------------------------------------
https://lwn.net/Articles/917690/
∗∗∗ IFM: weak password recovery vulnerability in moneo appliance ∗∗∗
---------------------------------------------
Summary: An unauthenticated remote attacker could reset the administrators password with information from the default, self-signed certificate.
Impact: An unathenticated attacker can remotely reset the administrator password.
Solution:
Mitigation: The certificate is renewed by adjusting the hostname to an own customer-specific, so it does not contain the serial number.
Remediation: The password-reset mechanism will be updated in a future version.
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-050/
∗∗∗ IBM Security Bulletins 2022-12-09 - 2022-12-12 ∗∗∗
---------------------------------------------
Apache Commons HttpClient 3.x (and few others), Apache POI, IBM App Connect Enterprise, IBM® Db2® Net Search Extender, IBM Elastic Storage System, IBM Engineering Workflow Management (EWM), IBM InfoSphere Information Server, IBM Spectrum Copy Data Management, IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, IBM Spectrum Scale packaged in IBM Elastic Storage Server, IBM Spectrum Scale packaged in IBM Elastic Storage System, IBM Tivoli Application Dependency Discovery Manager (TADDM), Rational Team Concert (RTC), z/Transaction Processing Facility
---------------------------------------------
https://www.ibm.com/support/pages/bulletin/
∗∗∗ Intel Data Center Manager 5.1 Local Privilege Escalation ∗∗∗
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022120027
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily