- Daily - CERT.at

Tageszusammenfassung - 09.05.2023
by Daily end-of-shift report 09 May '23

09 May '23

===================== = End-of-Day report = ===================== Timeframe: Montag 08-05-2023 18:00 − Dienstag 09-05-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ A new, stealthier type of Typosquatting attack spotted targeting NPM ∗∗∗ --------------------------------------------- Attackers have been using lowercase letters in package names on the Node Package Manager (NPM) registry for potential malicious package impersonation. This deceptive tactic presents a dangerous twist on a well-known attack method -- "Typosquatting." --------------------------------------------- https://checkmarx.com/blog/a-new-stealthier-type-of-typosquatting-attack-sp… ∗∗∗ AndoryuBot DDoS Botnet Exploiting Ruckus AP Vulnerability ∗∗∗ --------------------------------------------- Owners of Ruckus access points (APs) have been warned that a DDoS botnet named AndoryuBot has been exploiting a recently patched vulnerability to hack devices. The vulnerability in question is tracked as CVE-2023-25717 and it was patched by Ruckus in February in many of its wireless APs. --------------------------------------------- https://www.securityweek.com/andoryubot-ddos-botnet-exploiting-ruckus-ap-vu… ∗∗∗ Building Automation System Exploit Brings KNX Security Back in Spotlight ∗∗∗ --------------------------------------------- A public exploit targeting building automation systems has brought KNX security back into the spotlight, with industrial giant Schneider Electric releasing a security bulletin to warn customers about the potential risks. --------------------------------------------- https://www.securityweek.com/building-automation-system-exploit-brings-knx-… ∗∗∗ Buchen Sie Ihre Unterkunft nicht über booked.net oder hotel-mix.de ∗∗∗ --------------------------------------------- Sie suchen eine Unterkunft? Buchen Sie lieber nicht auf booked.net oder hotel-mix.de, denn die beiden Buchungsplattformen listen Unterkünfte, die keinen Vertrag mit der Plattform haben. In der gebuchten Unterkunft angekommen, kann es Ihnen passieren, dass die Betreiber:innen gar nichts von Ihrer Buchung wissen und Sie kurzfristig eine neue Schlafmöglichkeit suchen müssen. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-ueb… ∗∗∗ New phishing-as-a-service tool “Greatness” already seen in the wild ∗∗∗ --------------------------------------------- A previously unreported phishing-as-a-service (PaaS) offering named “Greatness” has been used in several phishing campaigns since at least mid-2022. Greatness incorporates features seen in some of the most advanced PaaS offerings, such as multi-factor authentication (MFA) bypass, IP filtering and integration with Telegram bots. --------------------------------------------- https://blog.talosintelligence.com/new-phishing-as-a-service-tool-greatness… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- WordPress Plugin "Newsletter" provided by Stefano Lissa & The Newsletter Team contains a cross-site scripting vulnerability (CWE-79). An arbitrary script may be executed on the web browser of the user who is logging in to the WordPress using the plugin. --------------------------------------------- https://jvn.jp/en/jp/JVN59341308/ ∗∗∗ WordPress Plugin "VK Blocks" and "VK All in One Expansion Unit" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- * An arbitrary script may be executed on the web browser of the user who is logging in to the product - CVE-2023-27923, CVE-2023-28367 * An arbitrary script may be executed on the web browser of the user who is accessing the site using the product - CVE-2023-27925, CVE-2023-27926 --------------------------------------------- https://jvn.jp/en/jp/JVN95792402/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (java-11-openjdk-portable and rubygem-redcarpet), Red Hat (autotrace, bind, buildah, butane, conmon, containernetworking-plugins, curl, device-mapper-multipath, dhcp, edk2, emacs, fence-agents, freeradius, freerdp, frr, fwupd, gdk-pixbuf2, git, git-lfs, golang-github-cpuguy83-md2man, grafana, grafana-pcp, gstreamer1-plugins-good, Image Builder, jackson, kernel, kernel-rt, krb5, libarchive, libguestfs-winsupport, libreswan, libtiff, libtpms, lua, mysql, net-snmp, openssh, openssl, pcs, php:8.1, pki-core, podman, poppler, postgresql-jdbc, python-mako, qemu-kvm, samba, skopeo, sysstat, tigervnc, toolbox, unbound, webkit2gtk3, wireshark, xorg-x11-server, and xorg-x11-server-Xwayland), SUSE (cfengine, cfengine-masterfiles, go1.19, go1.20, libfastjson, python-cryptography, and python-ujson), and Ubuntu (mysql-5.7). --------------------------------------------- https://lwn.net/Articles/931384/ ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin ∗∗∗ --------------------------------------------- * CVE-2023-24488, Cross site scripting, CVSS 6.1 * CVE-2023-24487, Arbitrary file read, CVSS 6.3 --------------------------------------------- https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-… ∗∗∗ SSA-932528 V1.0: Multiple File Parsing Vulnerabilities in Solid Edge ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-932528.html ∗∗∗ SSA-892048 V1.0: Third-Party Component Vulnerabilities in SINEC NMS before V1.0.3.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-892048.html ∗∗∗ SSA-789345 V1.0: Code Execution Vulnerabilities in Siveillance Video Event and Management Servers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-789345.html ∗∗∗ SSA-555292 V1.0: Security Vulnerabilities Fixed in SIMATIC Cloud Connect 7 V2.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-555292.html ∗∗∗ SSA-516174 V1.0: Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W1750D ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-516174.html ∗∗∗ SSA-325383 V1.0: Multiple Vulnerabilities in SCALANCE LPE9403 before V2.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/html/ssa-325383.html ∗∗∗ F5: K000133759 : Python vulnerability CVE-2020-26116 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133759 ∗∗∗ F5: K000134496 : Jettison vulnerability CVE-2022-45685 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000134496 ∗∗∗ Security vulnerabilities have been identified in IBM DB2 shipped with IBM License Metric Tool v9. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988953 ∗∗∗ Tensorflow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988959 ∗∗∗ IBM WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986333 ∗∗∗ TensorFlow is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988979 ∗∗∗ Ansi-html is vulnerable to CVE-2021-23424 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988981 ∗∗∗ Node-forge is vulnerable to security CVEs used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988969 ∗∗∗ Apache Log4j is vulnerable to CVE-2021-45105 and CVE-2021-45046 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988975 ∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/888295 ∗∗∗ IBM Cloud Pak for Network Automation 2.4.6 fixes multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989099 ∗∗∗ CVE-2023-24536, CVE-2023-24537 and CVE-2023-24534 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989115 ∗∗∗ CVE-2023-24536, CVE-2023-24537, CVE-2023-24534 may affect IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989117 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989119 ∗∗∗ WebSphere Application Server Liberty is vulnerable to CVE-2022-3509 and CVE-2022-3171 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989133 ∗∗∗ IBM WebSphere Application Server Liberty and Open Liberty is vulnerable to CVE-2022-22475 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989131 ∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to CVE-2022-22393 used in IBM Maximo Application Suite - Monitor Component ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989127 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6989145 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.05.2023
by Daily end-of-shift report 08 May '23

08 May '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-05-2023 18:00 − Montag 08-05-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Meet Akira — A new ransomware operation targeting the enterprise ∗∗∗ --------------------------------------------- The new Akira ransomware operation has slowly been building a list of victims as they breach corporate networks worldwide, encrypt files, and then demand million-dollar ransoms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/meet-akira-a-new-ransomware-… ∗∗∗ Datenleck: Firmware- und Bootguard-Schlüssel von MSI veröffentlicht ∗∗∗ --------------------------------------------- Eine Ransomwaregruppe hat nach einem Hack etliche interne Daten von MSI veröffentlicht. Darunter auch private Schlüssel zum Signieren. --------------------------------------------- https://www.golem.de/news/datenleck-firmware-und-bootguard-schluessel-von-m… ∗∗∗ New Cactus ransomware encrypts itself to evade antivirus ∗∗∗ --------------------------------------------- While the new threat actor adopted the usual tactics seen in ransomware attacks - file encryption and data theft - it added its own touch to avoid detection. [..] Researchers at Kroll corporate investigation and risk consulting firm believe that Cactus obtains initial access into the victim network by exploiting known vulnerabilities in Fortinet VPN appliances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cactus-ransomware-encryp… ∗∗∗ Breaking down Reverse shell commands ∗∗∗ --------------------------------------------- In pentesting assessments and CTFs we always need reverse shells to execute commands on target machine once we have exploited a system and have a command injection at some point in our engagement. For that we have an awesome project: revshells.com or reverse-shell-generator where we have a ton of reverse shell payloads listed. This blog post tries to explain their working. --------------------------------------------- https://adityatelange.in/blog/revshells/ ∗∗∗ Quickly Finding Encoded Payloads in Office Documents ∗∗∗ --------------------------------------------- Malicious documents like this RevengeRAT ppam file found on MalwareBazaar contain VBA code that you can analyze with oledump.py. Some shortcuts can be used [..] But there is a quicker method: let zipdump.py produce JSON output that contains the decompressed content of each file, and then let base64dump.py consume this JSON output. --------------------------------------------- https://isc.sans.edu/diary/rss/29818 ∗∗∗ Dependabot Confusion: Gaining Access to Private GitHub Repositories using Dependabot ∗∗∗ --------------------------------------------- Dependabot is one of the most widely deployed tools to improve software supply chain security. But like all other software, it is not immune to security vulnerabilities. By using it, users take on the risk that any vulnerabilities in Dependabot itself may lead to the compromise of the very supply chain they are trying to secure. This article is about a vulnerability in Dependabot that allowed arbitrary user to gain access to a subset of GitHub repositories that have Dependabot enabled. --------------------------------------------- https://giraffesecurity.dev/posts/dependabot-confusion/ ∗∗∗ Microsoft-Webbrowser: Edge 113 schließt Sicherheitslücken ∗∗∗ --------------------------------------------- Microsoft hat den Webbrowser Edge in Version 113 veröffentlicht. Einige Funktionen haben die Entwickler darin verbessert sowie Schwachstellen abgedichtet. --------------------------------------------- https://heise.de/-8990437 ∗∗∗ Achtung! Diese Kosmetika sind gesundheitsschädigend! ∗∗∗ --------------------------------------------- Derzeit warnen die Agentur für Gesundheit und Ernährungssicherheit (AGES) und das Bundesamt für Verbrauchergesundheit (BAVG) vor kosmetischen Produkten, die verbotene und gesundheitsschädigende Duftstoffe enthalten. Die Produkte werden vor allem online verkauft. Wir zeigen Ihnen, von welchen Produkten Sie lieber die Finger lassen sollten. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-diese-kosmetika-sind-gesundh… ∗∗∗ Webinar: Sicher (ver)kaufen über Willhaben, Shpock & Co. ∗∗∗ --------------------------------------------- Was muss ich beachten, wenn ich auf Kleinanzeigenplattformen wie Willhaben, Shpock, Vinted & Co. etwas als Privatperson kaufen oder verkaufen möchte? Unser Rechtsexperte der Internet Ombudsstelle gibt Tipps für die sichere Abwicklung solcher Online-Geschäfte. Nehmen Sie kostenlos teil: Dienstag 16. Mai 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicher-verkaufen-ueber-willh… ∗∗∗ PRFs, PRPs and other fantastic things ∗∗∗ --------------------------------------------- A few weeks ago I ran into a conversation on Twitter about the weaknesses of applied cryptography textbooks, and how they tend to spend way too much time lecturing people about Feistel networks and the boring details of AES. Some of the folks in this conversation suggested that instead of these things, we should be into more fundamental topics like “what is a pseudorandom function.” --------------------------------------------- https://blog.cryptographyengineering.com/2023/05/08/prfs-prps-and-other-fan… ∗∗∗ WordPress plugin vulnerability puts two million websites at risk ∗∗∗ --------------------------------------------- Millions of WordPress-powered websites are using the Advanced Custom Fields and Advanced Custom Fields Pro plugins, which security researchers say have been vulnerable to cross-site scripting (XSS) attacks. --------------------------------------------- https://grahamcluley.com/wordpress-plugin-vulnerability-puts-two-million-we… ∗∗∗ Cisco SPA112 2-Port Telefonadapter unsicher, es bleibt nur noch entsorgen ∗∗∗ --------------------------------------------- Die US-Anbieter Cisco warnt in eine Meldung vor einer kritischen Schwachstelle in einem seiner Telefonadapter. Diese Schwachstelle ermöglicht einem Angreifer die Kontrolle über das Gerät zu übernehmen. Leider bleibt betroffenen Nutzern nur, diesen Telefonadapter zu entsorgen [...] --------------------------------------------- https://www.borncity.com/blog/2023/05/06/cisco-spa112-2-port-telefonadapter… ===================== = Vulnerabilities = ===================== ∗∗∗ ads-tec: Multiple Vulnerabilities in IRF1000, IRF2000 and IRF3000 ∗∗∗ --------------------------------------------- Vendor: ads-tec Industrial IT GmbH Product name: IRF1000, IRF3000, IRF3000 CVE Numbers: CVE-2014-3669, CVE-2014-8142, CVE-2014-9425, CVE-2015-0231, CVE-2015-2348, CVE-2015-2787, CVE-2015-3414, CVE-2015-3415, CVE-2015-4602, CVE-2015-6835, CVE-2015-8876, CVE-2016-10161, CVE-2016-7124, CVE-2016-7411, CVE-2016-9138, CVE-2017-11142, CVE-2017-12933, CVE-2017-8923 CVSS Score: up to 9.8 --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-009/ ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (rust-cargo-c, rust-coreos-installer, rust-fedora-update-feedback, rust-git-delta, rust-gst-plugin-reqwest, rust-pore, rust-rpm-sequoia, rust-sequoia-octopus-librnp, rust-sequoia-policy-config, rust-sequoia-sq, rust-sevctl, rust-tealdeer, and rust-ybaas), Mageia (avahi, git, imagemagick, libfastjson, libxml2, parcellite, and virtualbox), SUSE (containerd, dnsmasq, ffmpeg, git, indent, installation-images, java-17-openjdk, maven and recommended update for antlr3, minlog, sbt, xmvn, ncurses, netty, netty-tcnative, openssl-1_0_0, python-Django1, redis, shim, terraform-provider-helm, and zstd), and Ubuntu (erlang, mysql-5.7, mysql-8.0, ruby2.3, ruby2.5, ruby2.7, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/931259/ ∗∗∗ 3 Schwachstellen in MS Azure API-Management entdeckt ∗∗∗ --------------------------------------------- Sicherheitsforscher des israelischen Sicherheitsanbieters Ermetic haben drei Schwachstellen in Microsofts Azure API-Management entdeckt. Zwei SSRF-Schwachstellen (Server-Side Request Forgery) und ein Problem beim uneingeschränkten Datei-Upload schaffen Risiken für die Microsoft Cloud-Umgebung. Die Schwachstellen können von böswilligen Akteuren missbraucht werden [...] --------------------------------------------- https://www.borncity.com/blog/2023/05/06/3-schwachstellen-in-ms-azure-api-m… ∗∗∗ Multiple vulnerabilities in IBM Java SDK (January 2023) affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988347 ∗∗∗ Security Vulnerabilities in IBM WebSphere Liberty and xml2js affect IBM Voice Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988603 ∗∗∗ Vulnerability in Jettison affects IBM Process Mining . CVE-2023-1436 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988673 ∗∗∗ Vulnerabilities have been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24966, CVE-2022-39161) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988885 ∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable dom4j-1.6.1.jar ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988889 ∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988899 ∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable poi-ooxml-3.9.jar ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988895 ∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable org.apache.xerces_2.9.0.v201101211617-4.8.0.jar ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988893 ∗∗∗ Atlas eDiscovery Process Management is affected by a vulnerable xmlbeans-2.3.0.jar ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988897 ∗∗∗ Vulnerability in paramiko affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-24302] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988909 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2023
by Daily end-of-shift report 05 May '23

05 May '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 04-05-2023 18:00 − Freitag 05-05-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ What is XML-RPC? Security Risks & How to Disable ∗∗∗ --------------------------------------------- In this article, we will discuss what xmlrpc.php is, why disabling it can improve your website’s security, and how to determine if it’s currently active on your WordPress site. --------------------------------------------- https://blog.sucuri.net/2023/05/what-is-xml-rpc-security-risks-how-to-disab… ∗∗∗ Fleckpe Android Malware Sneaks onto Google Play Store with Over 620,000 Downloads ∗∗∗ --------------------------------------------- The list of the offending apps is as follows: - Beauty Camera Plus - Beauty Photo Camera - Beauty Slimming Photo Editor - Fingertip Graffiti - GIF Camera Editor - HD 4K Wallpaper - Impressionism Pro Camera - Microclip Video Editor - Night Mode Camera Pro - Photo Camera Editor - Photo Effect Editor --------------------------------------------- https://thehackernews.com/2023/05/fleckpe-android-malware-sneaks-onto.html ∗∗∗ Packagist Repository Hacked: Over a Dozen PHP Packages with 500 Million Compromised ∗∗∗ --------------------------------------------- PHP software package repository Packagist revealed that an "attacker" gained access to four inactive accounts on the platform to hijack over a dozen packages with over 500 million installs to date. "The attacker forked each of the packages and replaced the package description in composer.json with their own message but did not otherwise make any malicious changes," [..] --------------------------------------------- https://thehackernews.com/2023/05/packagist-repository-hacked-over-dozen.ht… ∗∗∗ An overview of the OSI model and its security threats ∗∗∗ --------------------------------------------- The OSI model is a representation of how communications between devices occur. The conceptual model makes it easier to understand how data is transmitted. In its complex process, threat actors have found ways to exploit and compromise systems. It is very important to identify the kind of attacks and vulnerabilities available on each layer and implement proper defense strategies to protect a network. --------------------------------------------- https://www.tripwire.com/state-of-security/overview-osi-model-and-its-secur… ∗∗∗ „Login mit neuem Gerät“: Kriminelle versenden personalisierte E-Mail im Namen der BAWAG ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit betrügerische Nachrichten im Namen der BAWAG. Die E-Mails sind personalisiert und daher besonders glaubwürdig. Sie werden zwar nicht mit Ihrem Namen, allerdings mit ihrer E-Mail-Adresse angesprochen. In der Nachricht behaupten die Kriminellen, dass mit einem neuen Gerät auf Ihr Konto zugegriffen wurde. --------------------------------------------- https://www.watchlist-internet.at/news/login-mit-neuem-geraet-kriminelle-ve… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-23-547: (0Day) Linux Kernel IPv6 RPL Protocol Reachable Assertion Denial-of-Service Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-547/ ∗∗∗ Sante DICOM Viewer Vulnerabilites ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-523/ https://www.zerodayinitiative.com/advisories/ZDI-23-524/ https://www.zerodayinitiative.com/advisories/ZDI-23-525/ https://www.zerodayinitiative.com/advisories/ZDI-23-526/ https://www.zerodayinitiative.com/advisories/ZDI-23-527/ --------------------------------------------- https://www.zerodayinitiative.com/advisories/published/ ∗∗∗ Synology-SA-23:04 VPN Plus Server ∗∗∗ --------------------------------------------- A vulnerability allows remote attackers to inject SQL commands via a susceptible version of Synology VPN Plus Server. Affected Products: VPN Plus Server for SRM 1.3, VPN Plus Server for SRM 1.2 --------------------------------------------- https://www.synology.com/en-global/security/advisory/Synology_SA_23_04 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM Elastic Storage System, IBM Spectrum Scale, IBM Maximo Application Suite, IBM Cognos Command Center, AIX, IBMid, IBM SAN Volume Controller, IBM CICS TX, IBM PowerVM Novalink, IBM Process Mining, IBM Cognos Analytics, IBM Planning Analytics. --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, evolution, and odoo), Fedora (java-11-openjdk), Oracle (samba), Red Hat (libreswan and samba), Slackware (libssh), SUSE (amazon-ssm-agent, apache2-mod_auth_openidc, cmark, containerd, editorconfig-core-c, ffmpeg, go1.20, harfbuzz, helm, java-11-openjdk, java-1_8_0-ibm, liblouis, podman, and vim), and Ubuntu (linux-aws, linux-aws-hwe, linux-intel-iotg, and linux-oem-6.1). --------------------------------------------- https://lwn.net/Articles/931050/ ∗∗∗ K000134469 : MySQL vulnerability CVE-2023-21963 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000134469 ∗∗∗ Spring Cloud Data Flow 2.10.3 Released ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/05/05/spring-cloud-data-flow-2-10-3-released -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.05.2023
by Daily end-of-shift report 04 May '23

04 May '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 03-05-2023 18:00 − Donnerstag 04-05-2023 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Windows admins can now sign up for ‘known issue’ email alerts ∗∗∗ --------------------------------------------- Microsoft announced today that Windows admins can now choose to be emailed when new known issues are added to the Windows release health section of the Microsoft 365 admin center. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/windows-admins-can-now-sign… ∗∗∗ Infostealer Embedded in a Word Document, (Thu, May 4th) ∗∗∗ --------------------------------------------- hen attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the “yellow ribbon” on top of the document. Yesterday I found a malicious document that implements another approach. --------------------------------------------- https://isc.sans.edu/diary/rss/29810 ∗∗∗ How to Analyze Java Malware – A Case Study of STRRAT ∗∗∗ --------------------------------------------- STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The JAR file was obfuscated using the Allatori obfuscator. It establishes persistence on the host by copying to the Startup folder and creating a scheduled task and a Run registry entry. The functionalities of the implemented commands include: reboot the machine, uninstall the malware and delete all its traces, download and execute files [..] --------------------------------------------- https://resources.securityscorecard.com/cybersecurity/analyze-java-malware-… ===================== = Vulnerabilities = ===================== ∗∗∗ S3 File System - Moderately critical - Access bypass - SA-CONTRIB-2023-014 ∗∗∗ --------------------------------------------- S3 File System (s3fs) provides an additional file system to your Drupal site, which stores files in Amazon's Simple Storage Service (S3) or any other S3-compatible storage service. This module may fail to validate that a file being requested to be moved to storage was uploaded during the same web request, possibly allowing an attacker to move files that should normally be inaccessible to them. --------------------------------------------- https://www.drupal.org/sa-contrib-2023-014 ∗∗∗ Cisco SPA112 2-Port Phone Adapters Remote Command Execution Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web-based management interface of Cisco SPA112 2-Port Phone Adapters could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to a missing authentication process within the firmware upgrade function. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Patchday Fortinet: Angreifer könnten eigene Befehle ausführen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für verschiedene Produkte von Fortinet. Keine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-8986618 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (python-sentry-sdk) and Ubuntu (python-django and ruby2.3, ruby2.5, ruby2.7). --------------------------------------------- https://lwn.net/Articles/930903/ ∗∗∗ Malicious IKEv1 packet by unauthenticated peer can cause libreswan to restart ∗∗∗ --------------------------------------------- The Libreswan Project was notified by github user "XU-huai" of an issue with receiving a malformed IKEv1 Aggressive Mode packet that would cause a crash and restart of the libreswan pluto daemon. When sent continuously, this could lead to a denial of service attack. --------------------------------------------- https://libreswan.org/security/CVE-2023-30570/CVE-2023-30570.txt ∗∗∗ Apple: Beats Firmware Update 5B66 ∗∗∗ --------------------------------------------- http://support.apple.com/kb/HT213752 ∗∗∗ Apple: AirPods Firmware Update 5E133 ∗∗∗ --------------------------------------------- http://support.apple.com/kb/HT213752 ∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression security vulnerability CVE-2023-20861 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988109 ∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) cfx-core security vulnerabilities CVE-2022-46363, CVE-2022-46364 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988115 ∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) woodstox\/XStream security vulnerability CVE-2022-40152 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988117 ∗∗∗ IBM InfoSphere Information Server is affected but not classified as vulnerable to a denial of service vulnerability in NumPy (CVE-2021-34141) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988125 ∗∗∗ A vulnerability has been identified in IBM HTTP Server used by IBM Rational ClearQuest (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988293 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988295 ∗∗∗ IBM Virtualization Engine TS7700 is vulnerable to a privilege escalation threat (CVE-2023-24958) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980845 ∗∗∗ IBM ECM Content Management Interoperability Services (CMIS) spring-expression\/spring-core security vulnerability [CVE-2023-20863] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988341 ∗∗∗ IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6988351 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.05.2023
by Daily end-of-shift report 03 May '23

03 May '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 02-05-2023 18:00 − Mittwoch 03-05-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Firmware-TPM: faulTPM knackt AMD-CPUs nach drei Stunden lokalem Zugriff ∗∗∗ --------------------------------------------- TPMs sollen Geheimnisse wie kryptographische Schlüssel schützen. IT-Forscher haben jetzt mit "faulTPM" unbefugten Zugriff auf AMDs Firmware-TPM erlangt. --------------------------------------------- https://heise.de/-8985704 ∗∗∗ OpenCore: Apples erste Sicherheitsmaßnahme macht gepatchten Macs Probleme ∗∗∗ --------------------------------------------- Mit OpenCore auf macOS Ventura aktualisierte Macs starten nach der Installation von Apples jüngstem Update unter Umständen nicht mehr. Es gibt einen Workaround. --------------------------------------------- https://heise.de/-8986252 ∗∗∗ Exploitation of BGP Implementation Vulnerabilities Can Lead to Disruptions ∗∗∗ --------------------------------------------- Open source BGP implementation FRRouting is affected by three vulnerabilities that can be exploited to cause disruption via DoS attacks. --------------------------------------------- https://www.securityweek.com/exploitation-of-bgp-implementation-vulnerabili… ∗∗∗ Betrügerische Werbung auf Microsoft Edge Startseite! ∗∗∗ --------------------------------------------- Wer Microsoft Windows nützt, bekommt automatisch auch den Edge Browser fürs Surfen im Internet mitgeliefert. Die Startseite bietet neben der Suche per Bing auch eine Auflistung zahlreicher Newsartikel, unter die sich auch Werbeanzeigen mischen. Ein genauer Blick auf die Werbungen zeigt: Fast alle Werbeschaltungen führen zu Trading-Betrug oder anderen dubiosen Seiten. Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-werbung-auf-microsoft… ∗∗∗ CVE-2023-28231: RCE in the Microsoft Windows DHCPv6 Service ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Lucas Miller of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows DHCPv6 Service. This bug was originally discovered by YanZiShuang@BigCJTeam of cyberkl. The vulnerability results from the improper processing of DHCPv6 Relay-forward messages. A network-adjacent attacker can leverage this vulnerability to execute code [...] --------------------------------------------- https://www.thezdi.com/blog/2023/5/1/cve-2023-28231-rce-in-the-microsoft-wi… ===================== = Vulnerabilities = ===================== ∗∗∗ Google Chrome 113: Sicherheitsupdate für den Webbrowser ∗∗∗ --------------------------------------------- Die Entwickler haben in Google Chrome 113 insgesamt 15 Schwachstellen ausgebessert. Für die Zukunft kündigen sie an, dass das Schlosssymbol ausgetauscht wird. --------------------------------------------- https://heise.de/-8985368 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (avahi, kernel, linux-5.10, nodejs, webkit2gtk, and wpewebkit), Gentoo (chromium, google-chrome, microsoft-edge, dbus, dbus-broker, dhcp, firefox, firejail-lts, libapreq2, libsdl, libsdl2, lua, proftpd, python, PyPy3, sudo, syslog-ng, systemd, tor, uptimed, vim, and xfce4-settings), Oracle (emacs and libwebp), Red Hat (libwebp), Scientific Linux (libwebp), and SUSE (ceph, ffmpeg-4, git, pdns-recursor, and shim). --------------------------------------------- https://lwn.net/Articles/930775/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ K000132719 : BIG-IQ iControl REST vulnerability CVE-2023-29240 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000132719 ∗∗∗ K000133417 : NGINX Management Suite vulnerability CVE-2023-28656 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133417 ∗∗∗ K000132522 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-22372 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000132522 ∗∗∗ K000133132 : BIG-IP TMM SSL vulnerability CVE-2023-24594 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133132 ∗∗∗ K000132768 : BIG-IP Configuration utility vulnerability CVE-2023-28406 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000132768 ∗∗∗ K000132972 : BIG-IP iQuery mesh vulnerability CVE-2023-28742 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000132972 ∗∗∗ K000132726 : BIG-IP Configuration utility XSS vulnerability CVE-2023-27378 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000132726 ∗∗∗ K000133233 : NGINX Management Suite vulnerability CVE-2023-28724 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133233 ∗∗∗ K000132539 : BIG-IP Edge Client for Windows and macOS vulnerability CVE-2023-24461 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000132539 ∗∗∗ K20145107 : BIG-IP UDP profile vulnerability CVE-2023-29163 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K20145107? -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.05.2023
by Daily end-of-shift report 02 May '23

02 May '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 28-04-2023 18:00 − Dienstag 02-05-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers target vulnerable Veeam backup servers exposed online ∗∗∗ --------------------------------------------- Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-target-vulnerable-ve… ∗∗∗ New LOBSHOT malware gives hackers hidden VNC access to Windows devices ∗∗∗ --------------------------------------------- A new malware known as LOBSHOT distributed using Google ads allows threat actors to stealthily take over infected Windows devices using hVNC. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-lobshot-malware-gives-ha… ∗∗∗ Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software ∗∗∗ --------------------------------------------- Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. --------------------------------------------- https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html ∗∗∗ trawler: Dredging Windows for Persistence ∗∗∗ --------------------------------------------- Trawler is a PowerShell script designed to help Incident Responders discover potential indicators of compromise on Windows hosts, primarily focused on persistence mechanisms including Scheduled Tasks, Services, Registry Modifications, Startup Items, Binary Modifications and more. --------------------------------------------- https://github.com/joeavanzato/Trawler ∗∗∗ Angriffe auf Lücken in TP-Link Archer, Apache Log4j2 und Oracle Weblogic ∗∗∗ --------------------------------------------- Angreifer nutzen Sicherheitslücken in TP-Link Archer, Apache Log4j2 und Oracle Weblogic aus, um Zugriff auf Netzwerke von Opfern zu erlangen. --------------------------------------------- https://heise.de/-8984237 ∗∗∗ Medizin-Geräte: Warnung vor kritischer Sicherheitslücke in Illumina-Software ∗∗∗ --------------------------------------------- Die US-IT-Sicherheitsbehörde CISA warnt vor kritischen Sicherheitslücken in den medizinischen Geräten von Illumina. Angreifer könnten die Kontrolle übernehmen. --------------------------------------------- https://heise.de/-8983960 ∗∗∗ Exploitation of 5-Year-Old TBK DVR Vulnerability Spikes ∗∗∗ --------------------------------------------- Fortinet warns of a massive spike in malicious attacks targeting a five-year-old authentication bypass vulnerability in TBK DVR devices. --------------------------------------------- https://www.securityweek.com/exploitation-of-5-year-old-tbk-dvr-vulnerabili… ∗∗∗ Critical Infrastructure Organizations Urged to Identify Risky Communications Equipment ∗∗∗ --------------------------------------------- CISA urges organizations to review FCC’s Covered List of risky communications equipment and incorporate it in their supply chain risk management efforts. --------------------------------------------- https://www.securityweek.com/critical-infrastructure-organizations-urged-to… ∗∗∗ Webinar: Recherchetools im Internet richtig nutzen ∗∗∗ --------------------------------------------- Wie kann ich Google, aber auch andere Suchmaschinen richtig nutzen? Welche Recherchetools und Suchmethoden gibt es noch? In diesem Webinar zeigen wir Ihnen, wie eine gute und effiziente Onlinerecherche aussehen kann. Nehmen Sie kostenlos teil: Dienstag 09. Mai 2023, 18:30 - 20:00 Uhr via zoom. --------------------------------------------- https://www.watchlist-internet.at/news/webinar-recherchetools-im-internet-r… ∗∗∗ Online-Shopping: Bezahlen Sie nicht mit der PayPal-Funktion „Geld an einen Freund senden“ ∗∗∗ --------------------------------------------- Neuerdings missbrauchen Fake-Shops die PayPal-Funktion „Geld an Freunde und Familie senden“. Die Kriminellen hinter den Fake-Shops erstellen PayPal.Me-Zahlungslinks. Durch kleine Anpassungen der Kriminellen ist der Kaufbetrag dort hinterlegt und die Zahlungsart „Geld an einen Freund senden“ voreingestellt. Wenn Sie mit dieser Zahlungsart bezahlen, entfällt der Käuferschutz. Ihr Geld ist dann weg und kann nicht zurückgeholt werden. --------------------------------------------- https://www.watchlist-internet.at/news/online-shopping-bezahlen-sie-nicht-m… ∗∗∗ Apple veröffentlicht „schnelle Sicherheitsmaßnahme“ für iOS, iPadOS und macOS ∗∗∗ --------------------------------------------- Die neue Updatemethode verkürzt den Installationsvorgang deutlich. Apple will mit schnellen Sicherheitsmaßnahmen künftig beispielsweise Bedrohungen wie Zero-Day-Lücken schneller beseitigen. --------------------------------------------- https://www.zdnet.de/88408872/apple-veroeffentlicht-schnelle-sicherheitsmas… ∗∗∗ Enforce Zero Trust in Microsoft 365 – Part 1: Setting the basics ∗∗∗ --------------------------------------------- This first blog post is part of a series of blog posts related to the implementation of Zero Trust approach in Microsoft 365. This series will first cover the basics and then deep dive into the different features such as Azure Active Directory (Azure AD) Conditional Access policies, Microsoft Defender for Cloud Apps policies, Information Protection and Microsoft Endpoint Manager, to only cite a few. --------------------------------------------- https://blog.nviso.eu/2023/05/02/enforce-zero-trust-in-microsoft-365-part-1… ∗∗∗ CoinMiner (KONO DIO DA) Distributed to Linux SSH Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered XMRig CoinMiner being installed on poorly managed Linux SSH servers. --------------------------------------------- https://asec.ahnlab.com/en/51908/ ∗∗∗ A LNK Between Browsers: Hunting Methodologies and Extension Abusing Actors ∗∗∗ --------------------------------------------- Two pillars in sleight of hand magic are User Initiated Action, where the target needs to believe their actions are their own, and Hidden Action, the trick needs to be concealed behind something ordinary and nonthreatening. Mandiant became aware of a chain of adversary methodologies that leverage these two pillars to achieve persistence. --------------------------------------------- https://www.mandiant.com/resources/blog/lnk-between-browsers ===================== = Vulnerabilities = ===================== ∗∗∗ Wireshark 4.0.5 Released, (Sat, Apr 29th) ∗∗∗ --------------------------------------------- Wireshark version 4.0.5 was released with 11 bugs and 3 vulnerabilities fixed. --------------------------------------------- https://isc.sans.edu/diary/rss/29790 ∗∗∗ Azure DevOps CICD Pipelines - Command Injection with Parameters, Variables and a discussion on Runner hijacking ∗∗∗ --------------------------------------------- This article discusses a vulnerability with Azure DevOps that can be exploited by users able to run pipelines with user-controlled variables. The vulnerability allows malicious users with access to edit runtime parameter values to inject shell commands that execute on the pipeline runner. This can compromise the runner and allow access to sensitive information such as secrets used for deployments and Azure service principal credentials. --------------------------------------------- https://pulsesecurity.co.nz/advisories/Azure-Devops-Command-Injection ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (distro-info-data, ffmpeg, jackson-databind, jruby, libapache2-mod-auth-openidc, libxml2, openvswitch, sniproxy, and wireshark), Fedora (git, libsignal-protocol-c, php-nyholm-psr7, python-setuptools, rust-askama, rust-askama_shared, rust-comrak, thunderbird, and webkitgtk), SUSE (git, glib2, shadow, thunderbird, and webkit2gtk3), and Ubuntu (Apache Commons Net, git, linux-azure-5.15, linux-azure-fde, linux-kvm, linux-ibm-5.4, linux-snapdragon, netty, and ZenLib). --------------------------------------------- https://lwn.net/Articles/930588/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libdatetime-timezone-perl and tzdata), Fedora (chromium), Red Hat (emacs and libwebp), Slackware (netatalk), and Ubuntu (php7.0). --------------------------------------------- https://lwn.net/Articles/930649/ ∗∗∗ IBM Security Bulletins 2023-04-28 - 2023-05-02 ∗∗∗ --------------------------------------------- IBM Engineering Test Management, IBM Spectrum Scale, IBM DataPower Gateway, IBM i, Rational ClearQuest, IBM Business Automation Workflow, IBM Business Automation Workflow Enterprise Service Bus, IBM Case Manager, BladeCenter, PureFlex System and Flex System, System x, IBM Maximo, IBM Control Desk, Db2 for Linux, UNIX and Windows, IBM Robotic Process Automation, Tivoli Business Service Manager, Content Manager Client, IBM Sterling Secure Proxy, IBM App Connect Enterprise, IBM Security Key Lifecycle Manager, IBM MQ, IBM MQ Appliance, Tivoli Application Dependency Discovery Manager, IBM Cloud Pak, IBM InfoSphere Information, WebSphere Remote Server, IBM Workload Scheduler. --------------------------------------------- ∗∗∗ ZDI-23-503: (Pwn2Own) NETGEAR RAX30 logCtrl Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-503/ ∗∗∗ ZDI-23-502: (Pwn2Own) NETGEAR RAX30 SOAP Request SQL Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-502/ ∗∗∗ ZDI-23-501: (Pwn2Own) NETGEAR RAX30 Device Configuration Cleartext Storage Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-501/ ∗∗∗ ZDI-23-496: NETGEAR RAX30 lighttpd Misconfiguration Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-496/ ∗∗∗ ZDI-23-495: NETGEAR RAX30 rex_cgi JSON Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-495/ ∗∗∗ Android-Sicherheitsbulletin – Mai 2023 ∗∗∗ --------------------------------------------- https://source.android.com/docs/security/bulletin/2023-05-01?hl=de ∗∗∗ F5: K000133706 : OpenSSL vulnerability CVE-2023-0464 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133706 ∗∗∗ F5: K000133615 : device-mapper-multipath vulnerability CVE-2022-41974 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133615 ∗∗∗ F5: K000133753 : PHP vulnerability CVE-2023-0662 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133753 ∗∗∗ Securing Databricks cluster init scripts ∗∗∗ --------------------------------------------- https://sec-consult.com/blog/detail/securing-databricks-cluster-init-script… ∗∗∗ Vulnerabilities in the Autodesk® 3ds Max® USD plugin ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0008 ∗∗∗ Mitsubishi Electric Factory Automation Products ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-122-01 ∗∗∗ Zyxel security advisory for post-authentication command injection vulnerability in NBG6604 home router ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… ∗∗∗ Zyxel security advisory for multiple vulnerabilities in NBG-418N v2 home router ∗∗∗ --------------------------------------------- https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.04.2023
by Daily end-of-shift report 28 Apr '23

28 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 27-04-2023 18:00 − Freitag 28-04-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ CISA warns of critical bugs in Illumina DNA sequencing systems ∗∗∗ --------------------------------------------- The U.S. Cybersecurity Infrastructure Security Agency (CISA) and the FDA have issued an urgent alert about two vulnerabilities that impact Illuminas Universal Copy Service (UCS), used for DNA sequencing in medical facilities and labs worldwide. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-bugs-… ∗∗∗ Quick IOC Scan With Docker, (Fri, Apr 28th) ∗∗∗ --------------------------------------------- When investigating an incident, you must perform initial tasks quickly. There is one tool in my arsenal that I'm using to quickly scan for interesting IOCs ("Indicators of Compromise"). This tool is called Loki[1], the free version of the Thor scanner. I like this tool because you can scan for a computer (processes & files) or a specific directory (only files) for suspicious content. --------------------------------------------- https://isc.sans.edu/diary/rss/29788 ∗∗∗ WordPress Vulnerability & Patch Roundup April 2023 ∗∗∗ --------------------------------------------- Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month. --------------------------------------------- https://blog.sucuri.net/2023/04/wordpress-vulnerability-patch-roundup-april… ∗∗∗ Attention Online Shoppers: Dont Be Fooled by Their Sleek, Modern Looks — Its Magecart! ∗∗∗ --------------------------------------------- An ongoing Magecart campaign has attracted the attention of cybersecurity researchers for leveraging realistic-looking fake payment screens to capture sensitive data entered by unsuspecting users. --------------------------------------------- https://thehackernews.com/2023/04/attention-online-shoppers-dont-be.html ∗∗∗ New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets ∗∗∗ --------------------------------------------- Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victims machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and [...] --------------------------------------------- https://thehackernews.com/2023/04/new-atomic-macos-stealer-can-steal-your.h… ∗∗∗ Microsoft Exchange Powershell Remoting Deserialization leading to RCE (CVE-2023-21707) ∗∗∗ --------------------------------------------- While analyzing CVE-2022-41082, also known as ProxyNotShell, we discovered this vulnerability which we have detailed in this blog. However, for a comprehensive understanding, we highly recommend reading the thorough analysis written by team ZDI. --------------------------------------------- https://starlabs.sg/blog/2023/04-microsoft-exchange-powershell-remoting-des… ∗∗∗ Many Public Salesforce Sites are Leaking Private Data ∗∗∗ --------------------------------------------- A shocking number of organizations -- including banks and healthcare providers -- are leaking private and sensitive information from their public Salesforce Community websites, KrebsOnSecurity has learned. The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in. --------------------------------------------- https://krebsonsecurity.com/2023/04/many-public-salesforce-sites-are-leakin… ∗∗∗ Rapture, a Ransomware Family With Similarities to Paradise ∗∗∗ --------------------------------------------- In March and April 2023, we observed a type of ransomware targeting its victims via a minimalistic approach with tools that leave only a minimal footprint behind. Our findings revealed many of the preparations made by the perpetrators and how quickly they managed to carry out the ransomware attack. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/d/rapture-a-ransomware-family-… ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco IP Phone 7800 and 8800 Series Cisco Discovery Protocol Stack Overflow Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware could allow an unauthenticated, adjacent attacker to cause a stack overflow on an affected device. This vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets. An attacker could exploit this vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Grafana: Update schließt hochriskante Schwachstelle im Datenvisualisierungs-Tool ∗∗∗ --------------------------------------------- Grafana hat Updates für zahlreiche Versionszweige veröffentlicht. Sie schließen unter anderem eine Denial-of-Service-Lücke, die als hochriskant gilt. --------------------------------------------- https://heise.de/-8981605 ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- LTS-108 is being updated in the LTS channel to 108.0.5359.230 (Platform Version: 15183.93.0) for most ChromeOS devices. [...] This update contains multiple Security fixes [...] --------------------------------------------- https://chromereleases.googleblog.com/2023/04/long-term-support-channel-upd… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (git, libpcap, php-laminas-diactoros2, php-nyholm-psr7, tcpdump, and xen), Oracle (cloud-init), Scientific Linux (kernel), SUSE (conmon, docker, glib2, glibc, libmicrohttpd, libX11, liferea, python3, qemu, rubygem-actionview-5_1, s390-tools, stellarium, vim, and xen), and Ubuntu (linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-4.15, linux-azure-5.4, linux-gcp, linux-gcp-4.15, linux-gcp-5.4, linux-gke, linux-gkeop, linux-hwe, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4 and openssl-ibmca). --------------------------------------------- https://lwn.net/Articles/930462/ ∗∗∗ Use of Telnet in the interface module SLC-0-GPNT00300 ∗∗∗ --------------------------------------------- BOSCH-SA-387640: The SLC-0-GPNT00300 from Bosch Rexroth contains technology from SICK AG. The manufacturer has published a security bulletin [1] regarding the availability of a Telnet interface for debugging.The SLC-0-GPNT00300 provides a Telnet interface for debugging, which is enabled by factory default. No password is set in the default configuration. If the password is not set by the customer, a remote unauthorized adversary could connect via Telnet. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-387640.html ∗∗∗ SonicOS SSLVPN: Schwachstelle CVE-2023-1101 bei MFA – neue Firmware für Gen6-Firewalls (6.5.4.12-101n) ∗∗∗ --------------------------------------------- Kleine Erinnerung für Administratoren, die Produkte von Sonic Wall verwenden. In SonicOS SSLVPN gibt es eine kritische Schwachstelle, die einem authentifizierten Angreifer ermöglicht, exzessive MFA-Codes zu verwenden. Die Schwachstelle CVE-2023-1101 hat von SonicWall [...] --------------------------------------------- https://www.borncity.com/blog/2023/04/27/sonicos-sslvpn-schwachstelle-cve-2… ∗∗∗ Illumina Universal Copy Service ∗∗∗ --------------------------------------------- [...] Successful exploitation of these vulnerabilities could allow an attacker to take any action at the operating system level. A threat actor could impact settings, configurations, software, or data on the affected product; [...] --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-117-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.04.2023
by Daily end-of-shift report 27 Apr '23

27 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 26-04-2023 18:00 − Donnerstag 27-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Google disrupts the CryptBot info-stealing malware operation ∗∗∗ --------------------------------------------- Google is taking down malware infrastructure linked to the Cryptbot info stealer after suing those using it to infect Google Chrome users and steal their data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-disrupts-the-cryptbot… ∗∗∗ Cisco discloses XSS zero-day flaw in server management tool ∗∗∗ --------------------------------------------- Cisco disclosed today a zero-day vulnerability in the companys Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisco-discloses-xss-zero-day… ∗∗∗ LimeRAT Malware Analysis: Extracting the Config ∗∗∗ --------------------------------------------- ANY.RUN researchers have recently conducted an in-depth analysis of a LimeRAT sample and successfully extracted its configuration. In this article, we'll provide a brief overview of that analysis. --------------------------------------------- https://thehackernews.com/2023/04/limerat-malware-analysis-extracting.html ∗∗∗ Healthy security habits to fight credential breaches: Cyberattack Series ∗∗∗ --------------------------------------------- This is the second in an ongoing series exploring some of the most notable cases of the Microsoft Incident Response Team. In this story, we’ll explore how organizations can adopt a defense-in-depth security posture to help protect against credential breaches and ransomware attacks. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/04/26/healthy-security-h… ∗∗∗ Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware ∗∗∗ --------------------------------------------- Microsoft has confirmed that the active exploitation of PaperCut servers is linked to attacks designed to deliver Cl0p and LockBit ransomware families. The tech giant's threat intelligence team is attributing a subset of the intrusions to a financially motivated actor it tracks under the name Lace Tempest (formerly DEV-0950), which overlaps with other hacking groups like FIN11, TA505, and Evil Corp. --------------------------------------------- https://thehackernews.com/2023/04/microsoft-confirms-papercut-servers.html ∗∗∗ RTM Lockers First Linux Ransomware Strain Targeting NAS and ESXi Hosts ∗∗∗ --------------------------------------------- The threat actors behind RTM Locker have developed a ransomware strain thats capable of targeting Linux machines, marking the groups first foray into the open source operating system. --------------------------------------------- https://thehackernews.com/2023/04/rtm-lockers-first-linux-ransomware.html ∗∗∗ LUKS: Alte verschlüsselte Container unsicher? Ein Ratgeber für Updates ∗∗∗ --------------------------------------------- Angeblich konnte die französische Polizei einen LUKS-Container knacken. Kein Grund zur Panik, aber ein Anlass, Passwörter und LUKS-Parameter zu hinterfragen. --------------------------------------------- https://heise.de/-8981054 ∗∗∗ State of DNS Rebinding in 2023 ∗∗∗ --------------------------------------------- This update documents the state of DNS rebinding for April 2023. We describe Local Network Access, a new draft W3C specification currently implemented in some browsers that aims to prevent DNS rebinding, and show two potential ways to bypass these restrictions. --------------------------------------------- https://research.nccgroup.com/2023/04/27/state-of-dns-rebinding-in-2023/ ∗∗∗ Bringing IT & OT Security Together: Part 1 ∗∗∗ --------------------------------------------- Learn about the evolution of converged IT/OT environments and the impact on security control validation in this new blog series. --------------------------------------------- https://www.safebreach.com/resources/blog/bringing-it-and-ot-security-toget… ===================== = Vulnerabilities = ===================== ∗∗∗ Onlineshop-System PrestaShop: Angreifer könnten Datenbank manipulieren ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke bedroht mit PrestaShop erstellte Onlineshops. Abgesicherte Versionen sind verfügbar. --------------------------------------------- https://heise.de/-8980645 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, perl-Alien-ProtoBuf, and redis), Oracle (kernel), SUSE (dmidecode, fwupd, libtpms, libxml2, openssl-ibmca, and webkit2gtk3), and Ubuntu (cloud-init, ghostscript, linux, linux-aws, linux-aws-5.15, linux-azure, linux-gke, linux-gke-5.15, linux-gkeop, linux-hwe-5.15, linux-ibm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and linux, linux-aws, linux-kvm, linux-lts-xenial). --------------------------------------------- https://lwn.net/Articles/930367/ ∗∗∗ Apache Superset: Schwachstelle CVE-2023-27524 ermöglicht Remote Code Execution (RCE) ∗∗∗ --------------------------------------------- Kurzer Hinweis für Nutzer, die Apache Superset in ihrem Umfeld einsetzen. Es gibt in der Standardkonfiguration das Problem, dass die Software per Remote Code Execution-Schwachstelle angegriffen werden kann. Das wird zum Problem, wenn der Server per Internet erreichbar ist. --------------------------------------------- https://www.borncity.com/blog/2023/04/27/apache-superset-schwachstelle-cve-… ∗∗∗ F5: K000133673 : Bootstrap vulnerability CVE-2016-10735 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133673 ∗∗∗ F5: K000133652 : Python vulnerability CVE-2018-18074 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133652 ∗∗∗ F5: K000133448 : Python urllib3 vulnerability CVE-2019-11324 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133448 ∗∗∗ F5: K000133668 : Python urllib3 vulnerability CVE-2018-20060 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133668 ∗∗∗ IBM WebSphere Application Server, which is bundled with IBM Cloud Pak for Applications, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986343 ∗∗∗ IBM WebSphere Application Server, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to cross-site scripting in the Admin Console (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986341 ∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986361 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986365 ∗∗∗ IBM Planning Analytics Workspace is affected by vulnerabilities in Node,js (CVE-2022-43548, CVE-2020-7676, CVE-2021-42550, CVE-2021-38561, CVE-2022-32149) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985675 ∗∗∗ IBM Integration Designer is vulnerable to a denial of service due to commons-fileupload-1.4.jar (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986509 ∗∗∗ Vulnerability in libXpm (CVE-2022-4883, CVE-2022-44617 and CVE-2022-46285) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986543 ∗∗∗ Vulnerability in libtasn1 (CVE-2021-46848) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986547 ∗∗∗ Multiple publicly disclosed Libcurl vulnerabilities affect IBM Safer Payments ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986573 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to arbitrary code execution due to [CVE-2022-37601] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986575 ∗∗∗ Multiple Vulnerabilities in CloudPak for Watson AIOPs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986577 ∗∗∗ IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986323 ∗∗∗ Multiple vulnerabilities in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2023-20860, CVE-2023-20861). ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986585 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24966) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986619 ∗∗∗ Vulnerability in IBM\u00ae Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to CVE-2023-30441 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986617 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29017] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986625 ∗∗∗ IBM App Connect Enterprise Certified Container IntegrationServer and Integration Runtime operands that run Designer flows containing a Box node may be vulnerable to arbitrary code execution due to [CVE-2023-29199] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986629 ∗∗∗ IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6986627 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.04.2023
by Daily end-of-shift report 26 Apr '23

26 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 25-04-2023 18:00 − Mittwoch 26-04-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Never Connect to RDP Servers Over Untrusted Networks ∗∗∗ --------------------------------------------- In this article, we will demonstrate why connecting using the Remote Desktop Protocol (RDP) must be avoided on untrusted networks like in hotels, conferences, or public Wi-Fi. Protecting the connection with a VPN or a Remote Desktop Gateway is the only safe alternative. --------------------------------------------- https://www.gosecure.net/blog/2023/04/26/never-connect-to-rdp-servers-over-… ∗∗∗ So you think you can block Macros? ∗∗∗ --------------------------------------------- For the purpose of securing Microsoft Office installs we see many of our customers moving to a macro signing strategy. Furthermore, Microsoft is trying to battle macro malware by enforcing Mark-of-the-Web (MotW) control on macro-enabled documents. In this blog we will dive into some of the quirks of Microsoft Office macro security, various commonly used configuration options and their bypasses. --------------------------------------------- https://outflank.nl/blog/2023/04/25/so-you-think-you-can-block-macros/ ∗∗∗ Google Authenticator: Warnung - Backup der geheimen "Saat" im Klartext ∗∗∗ --------------------------------------------- Google spendierte dem Authenticator ein Backup der Geheimnisse, die zur Erstellung der Einmalpasswörter nötig sind. Google bekommt diese Daten aber im Klartext. --------------------------------------------- https://heise.de/-8979932 ∗∗∗ VMware Workstation und Fusion: Hersteller stopft kritische Zero-Day-Lücke ∗∗∗ --------------------------------------------- VMware stopft teils kritische Sicherheitslücken in Workstation und Fusion. Da sie auf der Pwn2Own-Konferenz vorgeführt wurden, handelt es sich um Zero-Days. --------------------------------------------- https://heise.de/-8979106 ∗∗∗ GuLoader returns with a rotten shipment ∗∗∗ --------------------------------------------- We take a look at a GuLoader campaign which comes bundled with an Italian language fake shipment email. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/04/guloader-returns-with-a-rott… ∗∗∗ So bleiben Sie mit der Watchlist Internet am Laufenden! ∗∗∗ --------------------------------------------- Das Angebot der Watchlist Internet wächst stetig: Wir geben Ihnen einen Überblick, wie Sie mit uns in puncto Internetbetrug up to date bleiben, welche Angebote Sie wo finden und auf welchen Kanälen wir vertreten sind. --------------------------------------------- https://www.watchlist-internet.at/news/so-bleiben-sie-mit-der-watchlist-int… ∗∗∗ Hacker greifen kritische Sicherheitslücke in Druckersoftware PaperCut an ∗∗∗ --------------------------------------------- Sie können die Kontrolle über einen PaperCut-Server übernehmen. Zudem steht nun auch Beispielcode für einen Exploit öffentlich zur Verfügung. --------------------------------------------- https://www.zdnet.de/88408703/hacker-greifen-kritische-sicherheitsluecke-in… ∗∗∗ Attackers Use Containers for Profit via TrafficStealer ∗∗∗ --------------------------------------------- We found TrafficStealer abusing open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/d/attackers-use-containers-for… ===================== = Vulnerabilities = ===================== ∗∗∗ VMSA-2023-0008 ∗∗∗ --------------------------------------------- VMware Workstation and Fusion updates address multiple security vulnerabilities (CVE-2023-20869, CVE-2023-20870, CVE-2023-20871, CVE-2023-20872) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0008.html ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, lilypond, and lilypond-doc), Oracle (java-1.8.0-openjdk), Red Hat (emacs, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, pesign, and virt:rhel, virt-devel:rhel), Scientific Linux (java-1.8.0-openjdk and java-11-openjdk), Slackware (git), SUSE (fwupd, git, helm, and runc), and Ubuntu (firefox, golang-1.18, linux-hwe-5.15, and openssl, openssl1.0). --------------------------------------------- https://lwn.net/Articles/930258/ ∗∗∗ Insecure authentication in B420 legacy communication module ∗∗∗ --------------------------------------------- BOSCH-SA-341298-BT: An authentication vulnerability was found in the B420 Ethernet communication module from Bosch Security Systems. This is a legacy product which is currently obsolete and was announced to reach End on Life (EoL) on 2013. The B420 was last sold in July 2013 and was replaced by the B426. An EoL notice was provided to customers. --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-341298-bt.html ∗∗∗ Scada-LTS Third Party Component ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow loss of sensitive information and execution of arbitrary code. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-02 ∗∗∗ Keysight N8844A Data Analytics Web Service ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could lead to remote code execution. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-115-01 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-… ∗∗∗ Security Advisory - Identity Authentication Bypass Vulnerability in Huawei HiLink AI Life Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-iabvihha… ∗∗∗ Security Advisory - Misinterpretation of Input Vulnerability in Huawei Printer ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-moivihp-… ∗∗∗ Security Advisory - System Command Injection Vulnerability in a Huawei Printer Product ∗∗∗ --------------------------------------------- https://www.huawei.com/en/psirt/security-advisories/2023/huawei-sa-sciviahp… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.04.2023
by Daily end-of-shift report 25 Apr '23

25 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Montag 24-04-2023 18:00 − Dienstag 25-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Intel CPUs vulnerable to new transient execution side-channel attack ∗∗∗ --------------------------------------------- A new side-channel attack impacting multiple generations of Intel CPUs has been discovered, allowing data to be leaked through the EFLAGS register. --------------------------------------------- https://www.bleepingcomputer.com/news/security/intel-cpus-vulnerable-to-new… ∗∗∗ New .NET Malware “WhiteSnake” Targets Python Developers, Uses Tor for C&C Communication ∗∗∗ --------------------------------------------- The JFrog Security Research team recently discovered a new malware payload in the PyPI repository, written in C#. This is uncommon since PyPI is primarily a repository for Python packages, and its codebase consists mostly of Python code, or natively compiled libraries used by Python programs. This finding raised our concerns about the potential for cross-language malware attacks. Our team identified 22 malicious packages, containing the same payload, targeting both Windows and Linux systems[...] --------------------------------------------- https://jfrog.com/blog/new-malware-targets-python-developers-uses-tor-for-c… ∗∗∗ Release of a Technical Report into Intel Trust Domain Extensions ∗∗∗ --------------------------------------------- Today, members of Google Project Zero and Google Cloud are releasing a report on a security review of Intels Trust Domain Extensions (TDX). [...] The result of the review was the discovery of 10 confirmed security vulnerabilities which were fixed before the final release of products with the TDX feature. The final report highlights the most interesting of these issues and provides an overview of the features architecture. 5 additional areas were identified for defense-in-depth changes [...] --------------------------------------------- https://googleprojectzero.blogspot.com/2023/04/technical-report-into-intel-… ∗∗∗ New high-severity vulnerability (CVE-2023-29552) discovered in the Service Location Protocol (SLP) ∗∗∗ --------------------------------------------- Researchers from Bitsight and Curesec have jointly discovered a high-severity vulnerability — tracked as CVE-2023-29552 — in the Service Location Protocol (SLP), a legacy Internet protocol. Attackers exploiting this vulnerability could leverage vulnerable instances to launch massive Denial-of-Service (DoS) amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported. --------------------------------------------- https://www.bitsight.com/blog/new-high-severity-vulnerability-cve-2023-2955… ∗∗∗ PoC for Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) Published ∗∗∗ --------------------------------------------- The cybersecurity community is buzzing with the recent publication of a Proof-of-Concept (PoC) for CVE-2023-1671, a critical code execution vulnerability in Sophos Web Appliance with a CVSS score of 9.8. This high-risk vulnerability, caused by a pre-auth command injection flaw in the warn-proceed handler, poses significant risks to users. --------------------------------------------- https://securityonline.info/poc-for-pre-auth-rce-in-sophos-web-appliance-cv… ∗∗∗ Attackers are logging in instead of breaking in ∗∗∗ --------------------------------------------- Cyberattackers leveraged more than 500 unique tools and tactics in 2022, according to Sophos. The data, analyzed from more than 150 Sophos Incident Response (IR) cases, identified more than 500 unique tools and techniques, including 118 “Living off the Land” binaries (LOLBins). Unlike malware, LOLBins are executables naturally found on operating systems, making them much more difficult for defenders to block when attackers exploit them for malicious activity. --------------------------------------------- https://www.helpnetsecurity.com/2023/04/25/attacks-dwell-time/ ∗∗∗ Gefälschte Facebook-Seite vom Tiergarten Schönbrunn verbreitet Fake-Gewinnspiel ∗∗∗ --------------------------------------------- Die gefälschte Facebook-Seite „ZooPark Wien“ verbreitet ein betrügerisches Gewinnspiel. Im Posting werden 4 Eintrittskarten verlost. Teilnehmer:innen müssen den Beitrag nur mit „Alles Gute zum Geburtstag“ kommentieren. Mit diesem Gewinnspiel versuchen Kriminelle aber an Ihre Kreditkartendaten zu kommen und Sie in eine Abo-Falle zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-facebook-seite-vom-tierg… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2023-27524: Insecure Default Configuration in Apache Superset Leads to Remote Code Execution ∗∗∗ --------------------------------------------- Apache Superset is an open source data visualization and exploration tool. [...] there are more than 3000 instances of it exposed to the Internet. [...] at least 2000 (two-thirds of all servers) – are running with a dangerous default configuration. As a result, many of these servers are effectively open to the public. Any attacker can “log in” to these servers with administrative privileges, access and modify data connected to these servers, harvest credentials, and execute remote code. --------------------------------------------- https://www.horizon3.ai/cve-2023-27524-insecure-default-configuration-in-ap… ∗∗∗ Xen Security Advisory CVE-2022-42335 / XSA-430 - x86 shadow paging arbitrary pointer dereference ∗∗∗ --------------------------------------------- Guests running in shadow mode and having a PCI device passed through may be able to cause Denial of Service and other problems, escalation of privilege cannot be ruled out. --------------------------------------------- https://xenbits.xen.org/xsa/advisory-430.html ∗∗∗ Zyxel schließt teils kritische Sicherheitslücken in Firewalls und Access Points ∗∗∗ --------------------------------------------- Zyxel hat Warnungen vor Sicherheitslücken in Firewalls und Access Points herausgegeben. Firmware-Updates zum Abdichten der Lecks stehen bereit. --------------------------------------------- https://heise.de/-8977831 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, java-11-openjdk, and thunderbird), Debian (apache2), Fedora (kernel), Oracle (emacs), Red Hat (emacs, haproxy, java-1.8.0-openjdk, kernel, kernel-rt, kpatch-patch, pcs, pki-core:10.6, and qatzip), and SUSE (avahi, cdi-apiserver-container, cdi-cloner-container, cdi- controller-container, cdi-importer-container, cdi-operator-container, cdi- uploadproxy-container, cdi-uploadserver-container, cont, giflib, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-libguestfs-tools- container, virt-operator-container, ovmf, and protobuf-c). --------------------------------------------- https://lwn.net/Articles/930128/ ∗∗∗ WordPress Plugin "Appointment and Event Booking Calendar for WordPress - Amelia" vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN00971105/ ∗∗∗ ZDI-23-458: SolarWinds Network Performance Monitor TFTP Link Following Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-458/ ∗∗∗ ZDI-23-457: SolarWinds Network Performance Monitor ExecuteExternalProgram Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-457/ ∗∗∗ F5: K000133630 : Intel processor vulnerability CVE-2022-26343 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133630 ∗∗∗ F5: K000133633 : Intel BIOS firmware vulnerability CVE-2022-32231 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133633 ∗∗∗ Multiple Vulnerabilities Patched in Shield Security ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-… ∗∗∗ Belden: 2022-26 Multiple libexpat vulnerabilities in HiOS, Classic, HiSecOS, Wireless BAT-C2, Lite Managed, Edge ∗∗∗ --------------------------------------------- https://assets.belden.com/m/6f2d4e1f6bbaeb54/original/BSECV-2022-26.pdf ∗∗∗ Belden: 2022-29 strongSwan: integer overflow when replacing certificates in cache ∗∗∗ --------------------------------------------- https://assets.belden.com/m/25e4130e915c61a1/original/Belden_Security_Bulle… ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.22.0, 5.23.1, and 6.0.0: SC-202304.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2023-18 ∗∗∗ Nextcloud: Missing brute force protection for passwords of password protected share links ∗∗∗ --------------------------------------------- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-r… ∗∗∗ Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985649 ∗∗∗ IBM Tivoli Composite Application Manager for Application Diagnostics Installed WebSphere Application Server is vulnerable to cross-site scripting in the Admin Console (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985651 ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service as the server may crash when using a specially crafted subquery. (CVE-2023-27559)) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985667 ∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when an Out of Memory occurs. (CVE-2023-26022) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985669 ∗∗∗ IBM® Db2® is vulnerable to a denial of service. Under rare conditions, setting a special register may cause the Db2 server to terminate abnormally. (CVE-2023-25930) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985677 ∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when compiling a specially crafted SQL query using a LIMIT clause. (CVE-2023-26021) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985681 ∗∗∗ IBM® Db2® is vulnerable to a denial of service as the server may crash when when attempting to use ACR client affinity for unfenced DRDA federation wrappers. (CVE-2023-27555) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985683 ∗∗∗ IBM® Db2® is vulnerable to a denial of service as as it may trap when compiling a variation of an anonymous block. (CVE-2023-29255) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985687 ∗∗∗ IBM® Db2® is vulnerable to remote code execution as a database administrator of one database may execute code or read\/write files from another database within the same instance. (CVE-2023-29257) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985691 ∗∗∗ IBM Maximo Asset Management is vulnerable to cross-site scripting (CVE-2023-27860) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985679 ∗∗∗ Multiple vulnerabilities affect IBM Db2\u00ae Graph ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985689 ∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to IBM HTTP Server (CVE-2023-26281) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985851 ∗∗∗ Docker based datastores for IBM Instana do not currently require authentication ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6959969 ∗∗∗ IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixed in 9.7.2.7 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984347 ∗∗∗ IBM Safer Payments is vulnerable to OpenSSL Denial of Sevice Attack (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985865 ∗∗∗ TADDM is vulnerable to a denial of service due to vulnerabilities in Apache HttpClient ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985905 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.04.2023
by Daily end-of-shift report 24 Apr '23

24 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 21-04-2023 18:00 − Montag 24-04-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Decoy Dog malware toolkit found after analyzing 70 billion DNS queries ∗∗∗ --------------------------------------------- A new enterprise-targeting malware toolkit called Decoy Dog has been discovered after inspecting anomalous DNS traffic that is distinctive from regular internet activity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/decoy-dog-malware-toolkit-fo… ∗∗∗ Open Source: Gelöschte Curl-Instanz zerschießt Windows-Updates ∗∗∗ --------------------------------------------- Auch wenn Security-Scanner vor ungepatchter Software warnen, sollten Windows-Systemkomponenten wie Curl nicht manipuliert werden. --------------------------------------------- https://www.golem.de/news/open-source-geloeschte-curl-instanz-zerschiesst-w… ∗∗∗ New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web ∗∗∗ --------------------------------------------- A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. --------------------------------------------- https://thehackernews.com/2023/04/new-all-in-one-evilextractor-stealer.html ∗∗∗ XWorm RAT: Avira-Sicherheitsexperten warnen vor Malware ∗∗∗ --------------------------------------------- Sicherheitsexperten von Avira warnen vor der Malware XWorm RAT --------------------------------------------- https://heise.de/-8976282 ∗∗∗ "Notstart" über CAN-Bus-Hack: Altes Nokia-Handy erlaubt Auto-Diebstahl per Klick ∗∗∗ --------------------------------------------- Der jüngst aufgezeigte CAN-Injection-Angriff auf das Bussystem Controller Area Network zieht weitere Kreise. Es tauchen immer mehr Kits zum "Notstarten" auf. --------------------------------------------- https://heise.de/-8976444 ∗∗∗ Bumblebee-Malware: Opfersuche mit Malvertising für trojanisierte Installer ∗∗∗ --------------------------------------------- IT-Forscher haben trojanisierte Installer für professionelle Software entdeckt. Sie würden mit Malvertising beworben und enthielten den Schädling Bumblebee. --------------------------------------------- https://heise.de/-8977016 ∗∗∗ Fake-Shops für Autoreifen boomen ∗∗∗ --------------------------------------------- Sie suchen im Internet nach günstigen Autoreifen? Nehmen Sie den Online-Shop genau unter die Lupe, es kursieren unzählige Fake-Shops! Die betrügerischen Shops wirken sehr professionell, haben ein Impressum und unschlagbare Preise. Wir zeigen Ihnen, wie Sie Shops überprüfen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shops-fuer-autoreifen-boomen/ ∗∗∗ TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal ∗∗∗ --------------------------------------------- Last week, the Zero Day Initiative (ZDI) threat-hunting team observed new exploit attempts coming from our telemetry system in Eastern Europe indicating that the Mirai botnet has updated its arsenal to include CVE-2023-1389, also known as ZDI-CAN-19557/ZDI-23-451. --------------------------------------------- https://www.thezdi.com/blog/2023/4/21/tp-link-wan-side-vulnerability-cve-20… ∗∗∗ Updates and Timeline for 3CX and X_Trader Hacks ∗∗∗ --------------------------------------------- Mandiant revealed this week that the hack of 3CX was actually a double supply-chain hack that first involved hacking and compromising another companys software. Heres a timeline of the events. --------------------------------------------- https://zetter.substack.com/p/updates-and-timeline-for-3cx-and ∗∗∗ Knapp zwei Drittel der XIoT-Schwachstellen remote ausnutzbar ∗∗∗ --------------------------------------------- Sicherheitstechnisch droht uns wohl ein Desaster - ich habe den State of XIoT Security Report: 2H 2022 von Claroty bereits einige Tage vorliegen. Dieser zeigt zwar die positiven Auswirkungen verstärkter Schwachstellen-Forschung und höheren Investitionen der Anbieter im Hinblick auf die XIoT-Sicherheit. Aber die Botschaft ist auch, dass Zahl der entdeckten Schwachstellen in diesem Bereit um 80 % zugenommen hat. Viele XIoT-Schwachstellen sind zudem remote ausnutzbar. --------------------------------------------- https://www.borncity.com/blog/2023/04/23/knapp-zwei-drittel-der-xiot-schwac… ∗∗∗ ViperSoftX Updates Encryption, Steals Data ∗∗∗ --------------------------------------------- We observed cryptocurrency and information stealer ViperSoftX evading initial loader detection and making its lure more believable by making the initial package loader via cracks, keygens, activators, and packers non-malicious. We also noted more sophisticated encryption and basic anti-analysis techniques, such as byte remapping and web browser communication blocking. --------------------------------------------- https://www.trendmicro.com/en_us/research/23/d/vipersoftx-updates-encryptio… ∗∗∗ Fortune 500 at Risk: 250M Artifacts Exposed via Misconfigured Registries ∗∗∗ --------------------------------------------- What if you were told that you had a misconfigured registry with hundreds of millions of software artifacts containing highly confidential and sensitive proprietary code and secrets exposed in your environment right now? This would be what you’d call a really bad day for security. Recently, the Aqua Nautilus research team found just that in some of the world’s largest organizations, including five Fortune 500 companies. --------------------------------------------- https://blog.aquasec.com/250m-artifacts-exposed-via-misconfigured-registries ===================== = Vulnerabilities = ===================== ∗∗∗ Vulnerability Spotlight: Vulnerabilities in IBM AIX could lead to command injection with elevated privileges ∗∗∗ --------------------------------------------- The issue could then allow the malicious actor to generate arbitrary logs which can trigger malicious commands to be run with elevated privileges. --------------------------------------------- https://blog.talosintelligence.com/vuln-spotlight-ibm-aix-privilege-escalat… ∗∗∗ APC warns of critical unauthenticated RCE flaws in UPS software ∗∗∗ --------------------------------------------- APCs Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether. --------------------------------------------- https://www.bleepingcomputer.com/news/security/apc-warns-of-critical-unauth… ∗∗∗ Jetzt patchen! Angreifer attackieren Druck-Management-Lösung Papercut MF/NG ∗∗∗ --------------------------------------------- Eine kritische Sicherheitslücke gefährdet Systeme, auf denen Papercut läuft. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-8976755 ∗∗∗ Solarwinds-Update dichtet zwei hochriskante Sicherheitslücken ab ∗∗∗ --------------------------------------------- Solarwinds stopft mit Software-Updates mehrere Sicherheitslücken, zwei davon gelten als hochriskant. IT-Verantwortliche sollten zügig aktualisieren. --------------------------------------------- https://heise.de/-8976832 ∗∗∗ Sicherheitspatches: Angreifer könnten Nvidia Cuda, DGX-1 & Co. attackieren ∗∗∗ --------------------------------------------- Nvidia hat wichtige Sicherheitsupdates für verschiedene Produkte veröffentlicht. Admins sollten schnell handeln. --------------------------------------------- https://heise.de/-8976961 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (389-ds-base, chromium, connman, curl, redis, and thunderbird), Fedora (ceph, doctl, dr_libs, ffmpeg, freeimage, golang-github-digitalocean-godo, insight, libreswan, mingw-binutils, mingw-freeimage, mingw-freetype, openvswitch, rnp, suricata, webkitgtk, and wireshark), Mageia (dnsmasq, emacs, openimageio, php-smarty, redis, squirrel/supertux, and tcpdump), Red Hat (emacs), and SUSE (avahi, chromium, dmidecode, indent, jettison, openssl, openstack-cinder, openstack-nova, python-oslo.utils, and ovmf). --------------------------------------------- https://lwn.net/Articles/930052/ ∗∗∗ Multiple Vulnerabilities in Autodesk® InfraWorks® Software ∗∗∗ --------------------------------------------- Autodesk® InfraWorks® has been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Hotfixes are available in the Autodesk Desktop App or the Accounts Portal to help resolve these vulnerabilities. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0007 ∗∗∗ ZDI-23-451: (Pwn2Own) TP-Link Archer AX21 merge_country_config Command Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-451/ ∗∗∗ ZDI-23-452: (Pwn2Own) TP-Link AX1800 hotplugd Firewall Rule Race Condition Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-23-452/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.04.2023
by Daily end-of-shift report 21 Apr '23

21 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 20-04-2023 18:00 − Freitag 21-04-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ GhostToken Flaw Could Let Attackers Hide Malicious Apps in Google Cloud Platform ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed details of a now-patched zero-day flaw in Google Cloud Platform (GCP) that could have enabled threat actors to conceal an unremovable, malicious application inside a victims Google account. --------------------------------------------- https://thehackernews.com/2023/04/ghosttoken-flaw-could-let-attackers.html ∗∗∗ Kubernetes RBAC Exploited in Large-Scale Campaign for Cryptocurrency Mining ∗∗∗ --------------------------------------------- A large-scale attack campaign discovered in the wild has been exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) to create backdoors and run cryptocurrency miners. "The attackers also deployed DaemonSets to take over and hijack resources of the K8s clusters they attack," cloud security firm Aqua said in a report shared with The Hacker News. --------------------------------------------- https://thehackernews.com/2023/04/kubernetes-rbac-exploited-in-large.html ∗∗∗ VoIP-Anbieter 3CX: Die doppelte Supply-Chain-Attacke ∗∗∗ --------------------------------------------- Eine Analyse zeigt, dass die Verteilung des kompromittierten VoIP-Clients von 3CX auf einen vorausgehenden Lieferketten-Angriff zurückgeht. --------------------------------------------- https://heise.de/-8974948 ∗∗∗ CVE-2022-29844: A Classic Buffer Overflow on the Western Digital My Cloud Pro Series PR4100 ∗∗∗ --------------------------------------------- This post covers an exploit chain demonstrated by Luca Moro (@johncool__) during Pwn2Own Toronto 2022. At the contest, he used a classic buffer overflow to gain code execution on the My Cloud Pro Series PR4100 Network Attached Storage (NAS) device. He also displayed a nifty message on the device. --------------------------------------------- https://www.zerodayinitiative.com/blog/2023/4/19/cve-2022-29844-a-classic-b… ∗∗∗ GitHub Announces New Security Improvements ∗∗∗ --------------------------------------------- GitHub this week introduced NPM package provenance and deployment protection rules and announced general availability of private vulnerability reporting. --------------------------------------------- https://www.securityweek.com/github-announces-new-security-improvements/ ∗∗∗ Abandoned WordPress Plugin Abused for Backdoor Deployment ∗∗∗ --------------------------------------------- Attackers are installing the abandoned Eval PHP plugin on compromised WordPress sites to inject PHP code into web pages. --------------------------------------------- https://www.securityweek.com/abandoned-wordpress-plugin-abused-for-backdoor… ∗∗∗ Online-Händler:innen aufgepasst: Kriminelle machen Fake-Bestellungen und holen sich per SEPA-Lastschrift das Geld zurück ∗∗∗ --------------------------------------------- Mit vermeintlichen Bestellungen versuchen Kriminelle derzeit an das Geld von Online-Händler:innen zu kommen: Kriminellen bestellen „unabsichtlich“ zu viel, verlangen anschließend den bereits bezahlten Betrag von den Händler:innen zurück. Gleichzeitig nutzen die Betrüger:innen die Funktion der SEPA-Lastschrift, bei der Zahlungsanfechtungen in einem bestimmten Zeitraum automatisch anerkannt werden. --------------------------------------------- https://www.watchlist-internet.at/news/online-haendlerinnen-aufgepasst-krim… ===================== = Vulnerabilities = ===================== ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2023-0003 ∗∗∗ --------------------------------------------- CVE identifiers: CVE-2023-25358, CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, CVE-2023-28205. Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. --------------------------------------------- https://webkitgtk.org/security/WSA-2023-0003.html ∗∗∗ VMSA-2023-0007 ∗∗∗ --------------------------------------------- VMware Aria Operations for Logs contains a deserialization vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2023-0007.html ∗∗∗ OpenSSL: Input buffer over-read in AES-XTS implementation on 64 bit ARM (CVE-2023-1255) ∗∗∗ --------------------------------------------- Severity: Low Issue summary: The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash. --------------------------------------------- https://www.openssl.org/news/secadv/20230420.txt ∗∗∗ Kritische Lücken bedrohen Cisco Industrial Network Director und Modeling Labs ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für mehrere Cisco-Produkte. Zwei Schwachstellen gelten als kritisch. --------------------------------------------- https://heise.de/-8975027 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (golang-1.11 and libxml2), Fedora (chromium, dr_libs, frr, ruby, and runc), Oracle (java-11-openjdk and java-17-openjdk), Red Hat (emacs, httpd and mod_http2, kpatch-patch, and webkit2gtk3), SUSE (libmicrohttpd, nodejs16, ovmf, and wireshark), and Ubuntu (kauth and patchelf). --------------------------------------------- https://lwn.net/Articles/929828/ ∗∗∗ CISA Adds Three Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-ex… ∗∗∗ IBM InfoSphere DataStage Flow Designer is vulnerable to Server-Side Request Forgery ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6509084 ∗∗∗ Python is vulnerable to CVE-2022-26488 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985049 ∗∗∗ iText.jar in Tom Sawyer Perspective is vulnerable to XML External Entity ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985225 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.04.2023
by Daily end-of-shift report 20 Apr '23

20 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 19-04-2023 18:00 − Donnerstag 20-04-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Schwachstelle ermöglicht es Dieben, iPhones zu übernehmen ∗∗∗ --------------------------------------------- Über eine Sicherheitslücke verschaffen sich Kriminelle Zugang zu den Apple-IDs ihrer Opfer. --------------------------------------------- https://futurezone.at/produkte/schwachstelle-diebstahl-iphones-uebernehmen-… ∗∗∗ Goldoson Android Malware Infects Over 100 Million Google Play Store Downloads ∗∗∗ --------------------------------------------- hA new Android malware strain named Goldoson has been detected in the official Google Play Store spanning more than 60 legitimate apps that collectively have over 100 million downloads. [..] Following responsible disclosure to Google, 36 of the 63 offending apps have been pulled from the Google Play Store. The remaining 27 apps have been updated to remove the malicious library. --------------------------------------------- https://thehackernews.com/2023/04/goldoson-android-malware-infects-over.html ∗∗∗ The Huge 3CX Breach Was Actually 2 Linked Supply Chain Attacks ∗∗∗ --------------------------------------------- The mass compromise of the VoIP firms customers is the first confirmed incident where one software supply chain attack enabled another, researchers say. --------------------------------------------- https://www.wired.com/story/3cx-supply-chain-attack-times-two/ ∗∗∗ ‘AuKill’ EDR killer malware abuses Process Explorer driver ∗∗∗ --------------------------------------------- The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system. --------------------------------------------- https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-p… ∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗ --------------------------------------------- In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog post, we will show the other vulnerable functions we were able to exploit. --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/breaking-docker-nam… ∗∗∗ Vermehrte Angriffe auf Cisco Router und Switche mit Cisco IOS und IOS-XE ∗∗∗ --------------------------------------------- Mehrere Sicherheitsbehörden und Cisco selbst warnen vor der gehäuften Ausnutzung alter Schwachstellen in Cisco IOS und IOS-XE. --------------------------------------------- https://heise.de/-8973626 ∗∗∗ Wordfence Intelligence Weekly WordPress Vulnerability Report (Apr 10, 2023 to Apr 16, 2023) ∗∗∗ --------------------------------------------- Last week, there were 69 vulnerabilities disclosed in 60 WordPress plugins and 4 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 32 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected. --------------------------------------------- https://www.wordfence.com/blog/2023/04/wordfence-intelligence-weekly-wordpr… ∗∗∗ LockBit-Ransomware bereitet Angriffe auf Apple vor ∗∗∗ --------------------------------------------- Hacker haben ihre Malware offenbar weiterentwickelt und eine neue Variante in Umlauf gebracht, die es auf Apple-Computer abgesehen hat. --------------------------------------------- https://www.zdnet.de/88408574/lockbit-ransomware-bereitet-angriffe-auf-appl… ∗∗∗ CISA and Partners Release Cybersecurity Best Practices for Smart Cities ∗∗∗ --------------------------------------------- Today, CISA, NSA, FBI, NCSC-UK, ACSC, CCCS and NCSC-NZ released a joint guide: Cybersecurity Best Practices for Smart Cities. Smart cities may create safer, more efficient, resilient communities through technological innovation and data-driven decision making. However, this opportunity also introduces potential vulnerabilities and weaknesses that—if exploited—could impact national security, economic security, public health and safety, and critical infrastructure operations. --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/04/19/cisa-and-partners-releas… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Access bypass - SA-CORE-2023-005 ∗∗∗ --------------------------------------------- Security risk: Moderately critical The file download facility doesnt sufficiently sanitize file paths in certain situations. This may result in users gaining access to private files that they should not have access to.Some sites may require configuration changes following this security release. --------------------------------------------- https://www.drupal.org/sa-core-2023-005 ∗∗∗ Cisco Security Advisories Published on April 19, 2023 - 2 Critical, 2 High, 2 Medium ∗∗∗ --------------------------------------------- * StarOS Software Key-Based SSH Authentication Privilege Escalation Vulnerability * SD-WAN vManage Software Arbitrary File Deletion Vulnerability * TelePresence Collaboration Endpoint and RoomOS Arbitrary File Write Vulnerabilities * Industrial Network Director Vulnerabilities * Modeling Labs External Authentication Bypass Vulnerability * BroadWorks Network Server TCP Denial of Service Vulnerability --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Mehrere Schadcode-Lücken in Foxit PDF geschlossen ∗∗∗ --------------------------------------------- Wer Foxit PDF Reader oder PDF Editor unter Windows nutzt, ist angreifbar. --------------------------------------------- https://heise.de/-8974063 ∗∗∗ Stable Channel Update for Desktop ∗∗∗ --------------------------------------------- The Stable and extended stable channel has been updated to 112.0.5615.137/138 for Windows and 112.0.5615.137 for Mac and 112.0.5615.165 for Linux which will roll out over the coming days/weeks. [..] Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. --------------------------------------------- http://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desk… ∗∗∗ Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin ∗∗∗ --------------------------------------------- On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites. --------------------------------------------- https://www.wordfence.com/blog/2023/04/blubrry-addresses-authenticated-stor… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (golang-1.11), Fedora (chromium, golang-github-cenkalti-backoff, golang-github-cli-crypto, golang-github-cli-gh, golang-github-cli-oauth, golang-github-gabriel-vasile-mimetype, libpcap, lldpd, parcellite, tcpdump, thunderbird, and zchunk), Red Hat (java-11-openjdk, java-17-openjdk, and kernel), SUSE (chromium, dnsmasq, ImageMagick, nodejs16, openssl-1_0_0, openssl1, ovmf, and python-Flask), and Ubuntu (dnsmasq, libxml2, linux, linux-aws, linux-aws-5.4, linux-azure, linu linux-raspi-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15 linux-oracle, linux-raspi2, linux-oem-5.17, linux-oem-6.0, linux-oem-6.1, and linux-snapdragon). --------------------------------------------- https://lwn.net/Articles/929671/ ∗∗∗ Chromium: CVE-2023-2136 Integer overflow in Skia ∗∗∗ --------------------------------------------- This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information. Google is aware that an exploit for CVE-2023-2136 exists in the wild. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-2136 ∗∗∗ Spring Boot 2.7.11 available now fixing CVE-2023-20873 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/04/20/spring-boot-2-7-11-available-now-fixing-c… ∗∗∗ Spring Boot 3.0.6 available now fixing CVE-2023-20873 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/04/20/spring-boot-3-0-6-available-now-fixing-cv… ∗∗∗ Security Vulnerabilities have been identifed in the IBM WebSphere Liberty product as shipped with the IBM Security Verify Access products. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953617 ∗∗∗ Unprivileged GPU access vulnerability - CVE-2013-5987 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/864038 ∗∗∗ Multiple vulnerabilities found in third party libraries used by IBM\u00ae MobileFirst Platform ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984763 ∗∗∗ Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server used by IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984785 ∗∗∗ IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to Node.js npm module information disclosure (CVE-2022-29244) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984799 ∗∗∗ IBM WebSphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On is vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984945 ∗∗∗ Unprivileged GPU access vulnerability - CVE-2013-5987 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/864038 ∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984957 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service and security bypass (CVE-2018-10237, CVE-2020-8908) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984959 ∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service (CVE-2022-42004, CVE-2022-42003) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984967 ∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure and denial of service (CVE-2021-31403, CVE-2021-33609) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984971 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service (CVE-2022-24839) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984973 ∗∗∗ IBM Security Verify Governance is vulnerable to arbitrary code execution (CVE-2020-10650) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984963 ∗∗∗ IBM Security Verify Governance is vulnerable to denial of service ( CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984969 ∗∗∗ Security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984965 ∗∗∗ IBM Rational Build Forge is vulnerable and could allow an unauthenticated attacker to obtain sensitive information due to the use of JSSE component (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984975 ∗∗∗ IBM App Connect Enterprise is vulnerable to a denial of service due to the ua-parser-js module (CVE-2022-25927) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984987 ∗∗∗ Multiple vulnerabilities may affect IBM\u00ae SDK, Java\u2122 Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6839127 ∗∗∗ Multiple vulnerabilities may affect IBM\u00ae SDK, Java\u2122 Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6967213 ∗∗∗ CVE-2022-3676 may affect IBM\u00ae SDK, Java\u2122 Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6839777 ∗∗∗ IBM Rational Build Forge is vulnerable and could allow attacker to obtain sensitive information due to the use of JSSE component(CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985007 ∗∗∗ CVE-2023-30441 affects IBM\u00ae SDK, Java\u2122 Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6985011 ∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983236 ∗∗∗ INEA ME RTU ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-110-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.04.2023
by Daily end-of-shift report 19 Apr '23

19 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 18-04-2023 18:00 − Mittwoch 19-04-2023 18:00 Handler: Stephan Richter Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Critical Patch Update: Oracle kümmert sich um 433 Sicherheitslücken ∗∗∗ --------------------------------------------- Der Softwarehersteller Oracle hat für seine Anwendungen zahlreiche Sicherheitsupdates veröffentlicht. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-8971485 ∗∗∗ Sicherheitsupdates: Dell sichert seit 2022 verwundbare Laptops erst jetzt ab ∗∗∗ --------------------------------------------- BIOS-Updates für unter anderem Dell-Modelle der Alienware- und Inspiron-Serien schließen zwei Sicherheitslücken. --------------------------------------------- https://heise.de/-8971821 ∗∗∗ Wenn alte Router Firmengeheimnisse preisgeben ∗∗∗ --------------------------------------------- Bei der Stilllegung ihrer alten Hardware schütten viele Unternehmen das Kind mit dem Bade aus. --------------------------------------------- https://www.welivesecurity.com/deutsch/2023/04/18/wenn-alte-router-firmenge… ∗∗∗ Hackers actively exploit critical RCE bug in PaperCut servers ∗∗∗ --------------------------------------------- Print management software developer PaperCut is warning customers to update their software immediately, as hackers are actively exploiting flaws to gain access to vulnerable servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-actively-exploit-cri… ∗∗∗ Zaraza Bot Targets Google Chrome to Extract Login Credentials ∗∗∗ --------------------------------------------- The data-stealing malware threatens the cyber safety of individual and organizational privacy by infecting a range of Web browsers. --------------------------------------------- https://www.darkreading.com/remote-workforce/zaraza-bot-targets-google-chro… ∗∗∗ SecurePwn Part 1: Bypassing SecurePoint UTM’s Authentication (CVE-2023-22620) ∗∗∗ --------------------------------------------- While working on a recent customer penetration test, I discovered two fascinating and somewhat weird bugs in SecurePoint’s UTM firewall solution. The first one, aka CVE-2023-22620, is rated critical for an attacker to bypass the entire authentication and gain access to the firewall’s administrative panel. [...] The second one, aka CVE-2023-22897 is a heartbleed-like bug that allows the leaking of remote memory contents and is discussed in a second blog post. --------------------------------------------- https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-… ∗∗∗ SecurePwn Part 2: Leaking Remote Memory Contents (CVE-2023-22897) ∗∗∗ --------------------------------------------- While my last finding affecting SecurePoint’s UTM was quite interesting already, I was hit by a really hard OpenSSL Heartbleed flashback with this one. [...] I’ve responsibly coordinated both vulnerabilities with the vendor SecurePoint and notified them about both issues on 5th January 2023. They did an amazing job acknowledging the vulnerability and providing a fix within a single business day. I barely see (hardware) vendors reacting so fast. Well done! --------------------------------------------- https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-… ∗∗∗ Threat Actors Rapidly Adopt Web3 IPFS Technology ∗∗∗ --------------------------------------------- Web3 technologies are seeing widespread adoption — including by TAs. We discuss Web3 technology InterPlanetary File System (IPFS), and malicious use of it. --------------------------------------------- https://unit42.paloaltonetworks.com/ipfs-used-maliciously/ ∗∗∗ Play Ransomware Group Using New Custom Data-Gathering Tools ∗∗∗ --------------------------------------------- Tools allow attackers to harvest data typically locked by the operating system. --------------------------------------------- https://symantec-enterprise-blogs.security.com/threat-intelligence/play-ran… ∗∗∗ Raspberry Robin: Anti-Evasion How-To & Exploit Analysis ∗∗∗ --------------------------------------------- During the last year, Raspberry Robin has evolved to be one of the most distributed malware currently active. During this time, it is likely to be used by many actors to distribute their own malware such as IcedID, Clop ransomware and more. --------------------------------------------- https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-ex… ∗∗∗ Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 2 ∗∗∗ --------------------------------------------- In the previous blog post, we described how the Docker research started and showed how we could gain a full privilege escalation through a vulnerability in Docker Desktop. In this follow-up blog [...] --------------------------------------------- https://www.cyberark.com/resources/threat-research-blog/breaking-docker-nam… ∗∗∗ DDosia Project: How NoName057(16) is trying to improve the efficiency of DDoS attacks ∗∗∗ --------------------------------------------- NoName057(16) is still conducting DDoS attacks on the websites of institutions and companies in European countries. The new Go variant of bots implemented an authentication mechanism to communicate with C2 servers and their proxies. Moreover, the mechanism also provides IP address blocklisting, presumably to hinder the tracking of the project. --------------------------------------------- https://decoded.avast.io/martinchlumecky/ddosia-project-how-noname05716-is-… ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: Neue Zero-Day-Lücke in Google Chrome ∗∗∗ --------------------------------------------- Im Webbrowser Chrome greifen Cyberkriminelle eine neue Zero-Day-Lücke in freier Wildbahn an. Google verteilt Software-Updates, um die Lücke zu schließen. --------------------------------------------- https://heise.de/-8971427 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (asterisk), Fedora (lldpd and openssh), Red Hat (curl, kernel, and openvswitch2.13), SUSE (compat-openssl098, glib2, grafana, helm, libgit2, openssl, and openssl-1_1), and Ubuntu (linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-azure-fde, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-oracle, linux-oracle-5.15, linux-raspi, linux, linux-aws, linux-azure, linux-gcp, linux-hwe-5.19, linux-kvm, linux-lowlatency, linux-oracle, linux-raspi, and vim). --------------------------------------------- https://lwn.net/Articles/929533/ ∗∗∗ Research by Positive Technologies helps to fix vulnerabilities in Nokia NetAct network management system ∗∗∗ --------------------------------------------- Nokia has fixed five vulnerabilities in Nokia NetAct found by Positive Technologies experts Vladimir Razov and Alexander Ustinov. Nokia NetAct is used by more than 500 communications service providers to monitor and control telecommunication networks, base stations, and other systems. The vendor was notified of the threat as part of standard responsible disclosure and has fixed the vulnerabilities in new versions of the software. --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/research-by-positive-technologi… ∗∗∗ WordPress plugin "LIQUID SPEECH BALLOON” vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN99657911/ ∗∗∗ Oracle Critical Patch Update Advisory - April 2023 ∗∗∗ --------------------------------------------- https://www.oracle.com/security-alerts/cpuapr2023.html ∗∗∗ K000133390 : Apache Tomcat vulnerability CVE-2022-45143 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133390 ∗∗∗ K000133547 : Python urllib3 vulnerability CVE-2020-26137 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133547 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.04.2023
by Daily end-of-shift report 18 Apr '23

18 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Montag 17-04-2023 18:00 − Dienstag 18-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Recycled Core Routers Exposed Sensitive Corporate Network Info ∗∗∗ --------------------------------------------- Researchers warn about a dangerous wave of unwiped, secondhand core-routers found containing corporate network configurations, credentials, and application and customer data. --------------------------------------------- https://www.darkreading.com/vulnerabilities-threats/recycled-core-routers-e… ∗∗∗ YouTube Videos Distributing Aurora Stealer Malware via Highly Evasive Loader ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the inner workings of a highly evasive loader named "in2al5d p3in4er" (read: invalid printer) thats used to deliver the Aurora information stealer malware. --------------------------------------------- https://thehackernews.com/2023/04/youtube-videos-distributing-aurora.html ∗∗∗ Memory corruption in JCRE: An unpatchable HSM may swallow your private key ∗∗∗ --------------------------------------------- The key has always been a core target of security protection. Due to the limitation of key slots, most cryptocurrency hardware wallets use MCU chips (such as STM32F205RE) to implement. However, people who have higher security requirements to safeguarding the private keys are often interested in Java cards [...] --------------------------------------------- https://hardenedvault.net/blog/2023-04-18-java-card-runtime-memory-corrupti… ∗∗∗ Living Off the Land (LOTL) attacks: Detecting ransomware gangs hiding in plain sight ∗∗∗ --------------------------------------------- [...] In order to truly protect ourselves from RaaS gangs, we have to ‘peel back the onion’, so to speak, and get a closer look at how, exactly, they behave. If we know how RaaS gangs evade detection once in a network, for example, we may be able to kick them out before they can do any damage. One of the most concerning behaviors we’ve observed from RaaS gangs is their use of Living off the Land (LOTL) attacks, where attackers leverage legitimate tools to evade detection, steal data, and more. --------------------------------------------- https://www.malwarebytes.com/blog/business/2023/04/living-off-the-land-lotl… ∗∗∗ New Captcha Protected Phishing Attack Targets Access to Payroll Files ∗∗∗ --------------------------------------------- We have discovered a new phishing attack that specifically targets individuals who need access to payroll files through Microsoft Teams. --------------------------------------------- https://cyberwarzone.com/new-captcha-protected-phishing-attack-targets-acce… ∗∗∗ Sicherheitsupdates: Trend Micro Security macht Windows-PCs verwundbar ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Update für die Anti-Viren-Anwendung Trend Micro Security für Windows. --------------------------------------------- https://heise.de/-8969449 ∗∗∗ US-Behörde: Schwachstelle in altem macOS wird für Angriffe ausgenutzt ∗∗∗ --------------------------------------------- Nach Informationen der Cyber-Sicherheitsbehörde gibt es Hinweise auf aktiv durchgeführte Angriffe. Für sehr alte Macs liegen keine Patches vor. --------------------------------------------- https://heise.de/-8970903 ∗∗∗ Kleinanzeigenbetrug: Vorsicht, wenn jemand per Scheck bezahlen möchte ∗∗∗ --------------------------------------------- Sie verkaufen ein Fahrrad auf Ländleanzeiger.at. Ein Interessent meldet sich und möchte es kaufen. Weil der Interessent gerade keinen Zugriff auf sein Bankkonto hat, möchte er es per Scheck bezahlen. Nach einigen Tagen kommt tatsächlich ein Scheck an – aber mit einem viel zu hohen Betrag. Vorsicht: Der Scheck ist Fake. Brechen Sie den Kontakt ab, Sie werden betrogen. --------------------------------------------- https://www.watchlist-internet.at/news/kleinanzeigenbetrug-vorsicht-wenn-je… ∗∗∗ Shodan Verified Vulns 2023-04-01 ∗∗∗ --------------------------------------------- Mit Stand 2023-04-01 sieht Shodan in Österreich die folgenden Schwachstellen: Dieses Monat stechen keine wirklich nennenswerten Veränderungen ins Auge. --------------------------------------------- https://cert.at/de/aktuelles/2023/4/shodan-verified-vulns-2023-04-01 ∗∗∗ APT28 Exploits Known Vulnerability to Carry Out Reconnaissance and Deploy Malware on Cisco Routers ∗∗∗ --------------------------------------------- APT28 accesses poorly maintained Cisco routers and deploys malware on unpatched devices using CVE-2017-6742. --------------------------------------------- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-108 ∗∗∗ Windows 10/11: Microsoft veröffentlicht Fix für OOBE-Bitlocker-Ausfall-Bug ∗∗∗ --------------------------------------------- Microsoft propagiert zwar Bitlocker zur Verschlüsselung von Laufwerken unter Windows. Aber es gibt immer wieder Bugs, die die Verschlüsselung verhindern oder Dritten unbefugten Zugriff auf verschlüsselte Laufwerke ermöglichen. Ein Microsoft Supporter hat jetzt einen Fall enthüllt, bei dem Bitlocker in der Out-of-the-Box (OOBE) Phase der Windows-Installation nicht aktiviert wird. --------------------------------------------- https://www.borncity.com/blog/2023/04/18/windows-10-11-microsoft-verffentli… ∗∗∗ Automating Qakbot Detection at Scale With Velociraptor ∗∗∗ --------------------------------------------- This blog offers a practical methodology to extract configuration data from recent Qakbot samples. --------------------------------------------- https://www.rapid7.com/blog/post/2023/04/18/automating-qakbot-detection-at-… ===================== = Vulnerabilities = ===================== ∗∗∗ Garrett: PSA: upgrade your LUKS key derivation function ∗∗∗ --------------------------------------------- [...] the LUKS1 header format, and the only KDF supported in this format is PBKDF2. This is not a memory expensive KDF, and so is vulnerable to GPU-based attacks. But even so, systems using the LUKS2 header format used to default to argon2i, again not a memory expensive KDF. New versions default to argon2id, which is. You want to be using argon2id. --------------------------------------------- https://lwn.net/Articles/929343/ ∗∗∗ New sandbox escape PoC exploit available for VM2 library, patch now ∗∗∗ --------------------------------------------- Security researchers have released yet another sandbox escape proof of concept (PoC) exploit that makes it possible to execute unsafe code on the host running the VM2 sandbox. [...] --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-sandbox-escape-poc-explo… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (protobuf), Fedora (libpcap, libxml2, openssh, and tcpdump), Mageia (kernel and kernel-linus), Oracle (firefox, kernel, kernel-container, and thunderbird), Red Hat (thunderbird), Scientific Linux (thunderbird), SUSE (gradle, kernel, nodejs10, nodejs12, nodejs14, openssl-3, pgadmin4, rubygem-rack, and wayland), and Ubuntu (firefox). --------------------------------------------- https://lwn.net/Articles/929389/ ∗∗∗ Multiple critical vulnerabilities in Strapi versions <=4.7.1 ∗∗∗ --------------------------------------------- Strapi had multiple critical vulnerabilities that could be chained together to gain unauthenticated remote code execution. This is my public disclosure of the vulnerabilities i found in strapi, how they were patched and some nonsensical ramblings. --------------------------------------------- https://www.ghostccamm.com/blog/multi_strapi_vulns/ ∗∗∗ Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products ∗∗∗ --------------------------------------------- https://www.wordfence.com/blog/2023/04/hiding-in-plain-sight-cross-site-scr… ∗∗∗ Omron CS/CJ Series ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-108-01 ∗∗∗ Spring Security 6.1.0-RC1, 6.0.3, 5.8.3 and 5.7.8 released, fix CVE-2023-20862 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/04/17/spring-security-6-1-0-rc1-6-0-3-5-8-3-and… ∗∗∗ Kubernetes kube-apiserver vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982927 ∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/search?q=IBM%20Sterling%20Order%… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984199 ∗∗∗ IBM InfoSphere Information Server is affected by a vulnerability in libcurl (CVE-2022-32221) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984203 ∗∗∗ Vulnerabilities in IBM Java included with IBM Tivoli Monitoring. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6854647 ∗∗∗ Security Bulletin: A security vulnerability has been identified in WebSphere Application Server and Websphere Liberty shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2023-24998)) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984345 ∗∗∗ Security Bulletin: The IBM® Engineering Requirements Management DOORS/DWA vulnerabilities fixes for 9.7.2.6 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984347 ∗∗∗ Vulnerabilities in Apache Shiro (CVE-2022-40664) and Apache Commons FileUpload (CVE-2023-24998) affect IBM WebSphere Service Registry and Repository. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962169 ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Db2® REST ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984413 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.04.2023
by Daily end-of-shift report 17 Apr '23

17 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 14-04-2023 18:00 − Montag 17-04-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Juice Jacking: FBI warnt ohne Anlass vor öffentlichen USB-Ladestationen ∗∗∗ --------------------------------------------- Angreifer könnten USB-Ladestationen an Flughäfen & Co. kompromittieren, um so Malware auf Smartphones zu schieben. Das ist jedoch nicht wirklich aktuell. --------------------------------------------- https://heise.de/-8966067 ∗∗∗ Zero-Day: Pinduoduo konnte Daten stehlen und Malware installieren ∗∗∗ --------------------------------------------- Die chinesische Android-App Pinduoduo konnte eine Zero-Day-Lücke in Android missbrauchen. Die CISA mahnt zum Anwenden des Android-Updates. --------------------------------------------- https://heise.de/-8968204 ∗∗∗ Sonderupdate: Google Chrome 112.0.5615.121 und Edge 112.0.1722.48 ∗∗∗ --------------------------------------------- Google hat zum 14. April 2023 außerplanmäßig Updates des Google Chrome Browsers 112 im Extended und Stable Channel für Mac, Linux und Windows freigegeben. Microsoft hat gleichzeitig den Edge Version 112 aktualisiert. Es sind Sicherheitsupdates, welche die als hoch eingestufte Schwachstelle CVE-2023-2033 schließen. --------------------------------------------- https://www.borncity.com/blog/2023/04/16/google-chrome-112-0-5615-121-sonde… ∗∗∗ Dating: Auf live-treffen.com & royacca.com chatten Sie kostenpflichtig mit Fake-Profilen ∗∗∗ --------------------------------------------- Auf den Dating-Plattformen live-treffen.com & royacca.com finden Sie schnell interessante Menschen. Ob es sich dabei um echte Personen handelt, ist unklar, denn die Plattformen nutzen „professionelle Animateure“, die mit Ihnen chatten. Das Problem dabei: Jede Nachricht kostet und Sie wissen nicht, ob Sie mit echten oder fiktiven Profilen schreiben. --------------------------------------------- https://www.watchlist-internet.at/news/dating-auf-live-treffencom-royaccaco… ∗∗∗ Android malware infiltrates 60 Google Play apps with 100M installs ∗∗∗ --------------------------------------------- A new Android malware named Goldoson has infiltrated the platforms official app store, Google Play, through 60 apps that collectively have 100 million downloads. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-infiltrates-… ∗∗∗ Hackers start abusing Action1 RMM in ransomware attacks ∗∗∗ --------------------------------------------- Security researchers are warning that cybercriminals are increasingly using the Action1 remote access software for persistence on compromised networks and to execute commands, scripts, and binaries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-start-abusing-action… ∗∗∗ QBot banker delivered through business correspondence ∗∗∗ --------------------------------------------- In early April, we detected a significant increase in attacks that use banking Trojans of the QBot family (aka QakBot, QuackBot, and Pinkslipbot). The malware would be delivered through e-mails that were based on real business letters the attackers had gotten access to. --------------------------------------------- https://securelist.com/qbot-banker-business-correspondence/109535/ ∗∗∗ FIN7 and Ex-Conti Cybercrime Gangs Join Forces in Domino Malware Attacks ∗∗∗ --------------------------------------------- A new strain of malware developed by threat actors likely affiliated with the FIN7 cybercrime group has been put to use by the members of the now-defunct Conti ransomware gang, indicating collaboration between the two crews. The malware, dubbed Domino, is primarily designed to facilitate follow-on exploitation on compromised systems, including delivering a lesser-known information stealer [...] --------------------------------------------- https://thehackernews.com/2023/04/fin7-and-ex-conti-cybercrime-gangs-join.h… ∗∗∗ Bypassing Windows Defender (10 Ways) ∗∗∗ --------------------------------------------- In this article I will be explaining 10 ways/techniques to bypass a fully updated Windows system with up-to-date Windows Defender intel in order to execute unrestricted code (other than permissions/ACLs, that is). --------------------------------------------- https://www.fo-sec.com/articles/10-defender-bypass-methods ∗∗∗ LockBit Ransomware Group Developing Malware to Encrypt Files on macOS ∗∗∗ --------------------------------------------- The LockBit ransomware gang is developing malware designed to encrypt files on macOS systems and researchers have analyzed if it poses a real threat. --------------------------------------------- https://www.securityweek.com/lockbit-ransomware-group-developing-malware-to… ∗∗∗ Trigona Ransomware Attacking MS-SQL Servers ∗∗∗ --------------------------------------------- AhnLab Security Emergency response Center (ASEC) has recently discovered the Trigona ransomware being installed on poorly managed MS-SQL servers. Trigona is a relatively recent ransomware that was first discovered in October 2022, and Unit 42 has recently published a report based on the similarity between Trigona and the CryLock ransomware. --------------------------------------------- https://asec.ahnlab.com/en/51343/ ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, rails, and ruby-rack), Fedora (firefox, ghostscript, libldb, samba, and tigervnc), Mageia (ceph, davmail, firefox, golang, jpegoptim, libheif, python-certifi, python-flask-restx, thunderbird, and tomcat), Oracle (firefox), Red Hat (firefox), Scientific Linux (firefox), SUSE (apache2-mod_auth_openidc, aws-nitro-enclaves-cli, container-suseconnect, firefox, golang-github-prometheus-prometheus, harfbuzz, java-1_8_0-ibm, kernel, liblouis, php7, tftpboot-installation images, tomcat, and wayland), and Ubuntu (chromium-browser, imagemagick, kamailio, and libreoffice). --------------------------------------------- https://lwn.net/Articles/929303/ ∗∗∗ K000133522 : Apache mod_proxy_wstunnel vulnerability CVE-2019-17567 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133522?utm_source=f5support&utm_medi… ∗∗∗ Microsoft Defender Security Feature Bypass Vulnerability ∗∗∗ --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24934 ∗∗∗ Vulnerabilities in Samba shipped with IBM OS Image for Red Hat Enterprise Linux System (CVE-2022-32742) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983851 ∗∗∗ IBM Workload Scheduler potentially affected by a vulnerability found in Json-smart library (CVE-2023-1370) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984157 ∗∗∗ There is a security vulnerability in Node.js http-cache-semantics module used by IBM Maximo for Civil Infrastructure in Maximo Application Suite (CVE-2022-25881) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984165 ∗∗∗ IBM Cloud Pak for Network Automation 2.4.5 addresses multiple security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984171 ∗∗∗ IBM Db2\u00ae Graph is vulnerable to remote execution of arbitrary commands due to Node.js CVE-2022-43548 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6984185 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.04.2023
by Daily end-of-shift report 14 Apr '23

14 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 13-04-2023 18:00 − Freitag 14-04-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ VoIP-Software von 3CX: Erste Analyse-Ergebnisse ∗∗∗ --------------------------------------------- 3CX hat erste Ergebnisse der IT-Sicherheitsspezialisten von Mandiant bezüglich des Einbruchs und Lieferkettenangriffs auf die VoIP-Software herausgegeben. --------------------------------------------- https://heise.de/-8962595 ∗∗∗ Netzwerkausrüster Juniper verteilt viele Sicherheits-Aktualisierungen ∗∗∗ --------------------------------------------- In diversen Produkten des Netzwerkausrüsters Juniper klaffen Sicherheitslücken, die der Hersteller mit Updates schließt. Sie sollten zügig installiert werden. --------------------------------------------- https://heise.de/-8951334 ∗∗∗ Jetzt patchen! QueueJumper-Lücke gefährdet hunderttausende Windows-Systeme ∗∗∗ --------------------------------------------- Sicherheitsforscher haben nach weltweiten Scans über 400.000 potenziell angreifbare Windows-Systeme entdeckt. Sicherheitspatches sind verfügbar. --------------------------------------------- https://heise.de/-8961420 ∗∗∗ Passwortschutz umgehbar: Drupal-Modul Protected Pages verwundbar ∗∗∗ --------------------------------------------- Angreifer könnten auf eigentlich durch Passwörter abgeschottete Drupal-Websites zugreifen. Ein Sicherheitsupdate ist verfügbar. --------------------------------------------- https://heise.de/-8959518 ∗∗∗ Cloudflare: Botnetzwerke setzen auf gehackte VPS statt auf IoT ∗∗∗ --------------------------------------------- Laut Cloudflare setzen Botnetze auf gehackte Virtual Private Server (VPS), beispielsweise von Start-ups, die deutlich mehr Leistung für DDoS-Angriffe bieten. --------------------------------------------- https://www.golem.de/news/cloudflare-botnetzwerke-setzen-auf-gehackte-vps-s… ∗∗∗ HTTP: Whats Left of it and the OCSP Problem, (Thu, Apr 13th) ∗∗∗ --------------------------------------------- It has been well documented that most "web" traffic these days uses TLS, either as traditional HTTPS or the more modern QUIC protocol. So it is always interesting to see what traffic remains as HTTP. --------------------------------------------- https://isc.sans.edu/diary/rss/29744 ∗∗∗ How to Set Up a Content Security Policy (CSP) in 3 Steps ∗∗∗ --------------------------------------------- What is a Content Security Policy (CSP)? A Content Security Policy (CSP) is a security feature used to help protect websites and web apps from clickjacking, cross-site scripting (XSS), and other malicious code injection attacks. At the most basic level, a CSP is a set of rules that restricts or green lights what content loads onto your website. It is a widely-supported security standard recommended to anyone who operates a website. --------------------------------------------- https://blog.sucuri.net/2023/04/how-to-set-up-a-content-security-policy-csp… ∗∗∗ RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the tactics of a "rising" cybercriminal gang called "Read The Manual" (RTM) Locker that functions as a private ransomware-as-a-service (RaaS) provider and carries out opportunistic attacks to generate illicit profit. --------------------------------------------- https://thehackernews.com/2023/04/rtm-locker-emerging-cybercrime-group.html ∗∗∗ Google, CISA Warn of Android Flaw After Reports of Chinese App Zero-Day Exploitation ∗∗∗ --------------------------------------------- The Android vulnerability CVE-2023-20963, reportedly exploited as a zero-day by a Chinese app against millions of devices, was added to CISA’s KEV catalog. --------------------------------------------- https://www.securityweek.com/google-cisa-warn-of-android-flaw-after-reports… ∗∗∗ Automating Qakbot decode at scale ∗∗∗ --------------------------------------------- This is a technical post covering methodology to extract configuration data from recent Qakbot samples. I will provide background on Qakbot, walk through decode themes in an easy to visualize manner. I will then share a Velociraptor artifact to detect and automate the decode process at scale. --------------------------------------------- https://www.rapid7.com/blog/post/2023/04/14/automating-qakbot-decode/ ===================== = Vulnerabilities = ===================== ∗∗∗ CISA Releases Sixteen Industrial Control Systems Advisories ∗∗∗ --------------------------------------------- CISA released sixteen Industrial Control Systems (ICS) advisories on April 13, 2023. * B. Braun Battery Pack SP with Wi-Fi * 13x Siemens * Datakit CrossCAD-WARE * Mitsubishi Electric GOC35 Series --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/04/13/cisa-releases-sixteen-in… ∗∗∗ Advisory SA23P002: Several Issues in B&R VC4 Visualization ∗∗∗ --------------------------------------------- An unauthenticated network-based attacker who successfully exploits these vulnerabilities could bypass the authentication mechanism of the VC4 visualization, read stack memory or execute code on an affected device. --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16810468… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy and openvswitch), Fedora (bzip3, libyang, mingw-glib2, thunderbird, xorg-x11-server, and xorg-x11-server-Xwayland), and Ubuntu (apport, ghostscript, linux-bluefield, node-thenify, and python-flask-cors). --------------------------------------------- https://lwn.net/Articles/929107/ ∗∗∗ Cross-Site Scripting in Timesheet Tracking for Jira (SYSS-2022-050) ∗∗∗ --------------------------------------------- Über Cross-Site Scripting-Schwachstellen im Plug-in "Timesheet Tracking for Jira" kann Schadcode eingebaut werden, der von allen Besuchern ausgeführt wird. --------------------------------------------- https://www.syss.de/pentest-blog/cross-site-scripting-in-timesheet-tracking… ∗∗∗ CPE2023-001 – Regarding vulnerabilities for Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers – 14 April 2023 ∗∗∗ --------------------------------------------- Several vulnerabilities have been identified for certain Office/Small Office Multifunction Printers, Laser Printers and Inkjet Printers. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.04.2023
by Daily end-of-shift report 13 Apr '23

13 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 12-04-2023 18:00 − Donnerstag 13-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ (Gepatchte aber dennoch) üble Sicherheitslücke in (einer optionalen Komponente von) Microsoft Windows ∗∗∗ --------------------------------------------- Es entbehrt nicht einer gewissen Ironie, dass die meisten Blogeinträge, welche sich in den letzten Monaten mit Sicherheitslücken in Produkten von Microsoft beschäftigt haben, von dem Mitarbeiter des CERT stammen, dessen Kenntnisse rund um Windows, Office und den ganzen Rest wohl mit Abstand am schwächsten sind - und damit herzlich willkommen zu einem weiteren Beitrag, welcher diese Kriterien vollständig erfüllt. --------------------------------------------- https://cert.at/de/blog/2023/4/gepatchte-aber-dennoch-uble-sicherheitslucke… ∗∗∗ NTP-Schwachstelle: Offenbar weniger bedrohlich als zunächst vermutet ∗∗∗ --------------------------------------------- Entwarnung: Nach der BSI-Warnung vor einer kritischen Lücke in NTP kommen IT-Experten bei der Analyse auf eine geringere Bedrohung. NTP will Patches liefern. --------------------------------------------- https://heise.de/-8949340 ∗∗∗ Uncommon infection methods—part 2 ∗∗∗ --------------------------------------------- Kaspersky researchers discuss infection methods used by Mirai-based RapperBot, Rhadamantys stealer, and CUEMiner: smart brute forcing, malvertising, and distribution through BitTorrent and OneDrive. --------------------------------------------- https://securelist.com/crimeware-report-uncommon-infection-methods-2/109522/ ∗∗∗ New Python-Based "Legion" Hacking Tool Emerges on Telegram ∗∗∗ --------------------------------------------- An emerging Python-based credential harvester and a hacking tool named Legion is being marketed via Telegram as a way for threat actors to break into various online services for further exploitation. --------------------------------------------- https://thehackernews.com/2023/04/new-python-based-legion-hacking-tool.html ∗∗∗ Indirect Prompt Injection Threats ∗∗∗ --------------------------------------------- If allowed by the user, Bing Chat can see currently open websites. We show that an attacker can plant an injection in a website the user is visiting, which silently turns Bing Chat into a Social Engineer who seeks out and exfiltrates personal information. The user doesnt have to ask about the website or do anything except interact with Bing Chat while the website is opened in the browser. --------------------------------------------- https://greshake.github.io/ ∗∗∗ Malware Disguised as Document from Ukraines Energoatom Delivers Havoc Demon Backdoor ∗∗∗ --------------------------------------------- [...] FortiGuard Labs has encountered a malicious spoofed document pretending to be from the Ukrainian company, Energoatom, a state-owned enterprise that operates Ukraine’s nuclear power plants. [...] Aside from highlighting the technical details of this latest multi-staged attack [...] this article also discusses some strange artifacts that make us think this could be a work-in-progress or part of a red-team exercise. --------------------------------------------- https://www.fortinet.com/blog/threat-research/malware-disguised-as-document… ∗∗∗ BSI-Studie: Gängige Mikrocontroller sind für Hardware-Angriffe anfällig ∗∗∗ --------------------------------------------- Bei Hardware-Sicherheitstoken und Krypto-Wallets, smarten Schlössern und Kassensystemen haben Hacker leichtes Spiel, warnen Fraunhofer-Forscher im BSI-Auftrag. --------------------------------------------- https://heise.de/-8949244 ∗∗∗ Vorsicht vor Fake Urlaubsangeboten! ∗∗∗ --------------------------------------------- Die Urlaubszeit rückt langsam aber sicher näher, das treibt auch Kriminelle auf den Plan. Betrügerische Anbieter wie Kofi Vermittlung (kofireisen.com) versuchen Sie mit angeblich günstigen Angeboten abzuzocken! Achten Sie bei der Urlaubsbuchung auf folgende Warnsignale für entspannte Ferien statt einer Kostenfalle! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-urlaubsangeboten/ ∗∗∗ Vice Society: A Tale of Victim Data Exfiltration via PowerShell, aka Stealing off the Land ∗∗∗ --------------------------------------------- The Vice Society ransomware gang exfiltrated victim network data using a custom Microsoft PowerShell script. We dissect how each function of it works. --------------------------------------------- https://unit42.paloaltonetworks.com/vice-society-ransomware-powershell/ ===================== = Vulnerabilities = ===================== ∗∗∗ Softwareentwicklung: Jenkins-Plug-ins verwundbar, viele Updates stehen noch aus ∗∗∗ --------------------------------------------- Software-Entwicklungsumgebungen mit Jenkins sind attackierbar. Bislang sind nur wenige betroffene Plug-ins abgesichert. --------------------------------------------- https://heise.de/-8949204 ∗∗∗ Sicherheitsupdates: Netzwerkanalysetool Wireshark anfällig für DoS-Attacken ∗∗∗ --------------------------------------------- Die Wireshark-Entwickler haben zwei neue Versionen des Tools veröffentlicht. Darin haben sie unter anderem drei Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-8949661 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firefox-esr, lldpd, and zabbix), Fedora (ffmpeg, firefox, pdns-recursor, polkit, and thunderbird), Oracle (kernel and nodejs:14), Red Hat (nodejs:14, openvswitch2.17, openvswitch3.1, and pki-core:10.6), Slackware (mozilla), SUSE (nextcloud-desktop), and Ubuntu (exo, linux, linux-kvm, linux-lts-xenial, linux-aws, smarty3, and thunderbird). --------------------------------------------- https://lwn.net/Articles/928976/ ∗∗∗ Windows 7/Server 2008 R2; Server 2012 R2: Updates (11. April 2023) ∗∗∗ --------------------------------------------- Zum 11. April 2023 wurden diverse Sicherheitsupdates für Windows Server 2008 R2 (im 4. ESU Jahr) sowie für Windows Server 2012/R2 veröffentlicht (die Updates lassen sich ggf. auch noch unter Windows 7 SP1). --------------------------------------------- https://www.borncity.com/blog/2023/04/13/windows-7-server-2008-r2-server-20… ∗∗∗ Patchday: Microsoft Office Updates (11. April 2023) ∗∗∗ --------------------------------------------- Am 11. April 2023 (zweiter Dienstag im Monat, Microsoft Patchday) hat Microsoft mehrere sicherheitsrelevante Updates für noch unterstützte Microsoft Office Versionen und andere Produkte veröffentlicht. Mit dem April 2023-Patchday endet der Support für Office 2013. --------------------------------------------- https://www.borncity.com/blog/2023/04/13/patchday-microsoft-office-updates-… ∗∗∗ Drupal: Protected Pages - Critical - Access bypass - SA-CONTRIB-2023-013 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2023-013 ∗∗∗ Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data ∗∗∗ --------------------------------------------- https://www.securityweek.com/critical-vulnerability-in-hikvision-storage-so… ∗∗∗ Mattermost security updates 7.9.2 / 7.8.3 (ESR) / 7.7.4 / 7.1.8 (ESR) released ∗∗∗ --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-9-2-7-8-3-esr-7-7… ∗∗∗ Multiple Vulnerabilities in the Autodesk® AutoCAD® Desktop Software ∗∗∗ --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0005 ∗∗∗ MISP 2.4.170 released with new features, workflow improvements and bugs fixed ∗∗∗ --------------------------------------------- https://github.com/MISP/MISP/releases/tag/v2.4.170 ∗∗∗ CVE-2023-0004 PAN-OS: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0004 ∗∗∗ CVE-2023-0005 PAN-OS: Exposure of Sensitive Information Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0005 ∗∗∗ CVE-2023-0006 GlobalProtect App: Local File Deletion Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2023-0006 ∗∗∗ Spring Framework 6.0.8, 5.3.27 and 5.2.24.RELEASE fix cve-2023-20863 ∗∗∗ --------------------------------------------- https://spring.io/blog/2023/04/13/spring-framework-6-0-8-5-3-27-and-5-2-24-… ∗∗∗ B. Braun Battery Pack SP with Wi-Fi ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-medical-advisories/icsma-23-103-01 ∗∗∗ DataPower Operations Dashboard vulnerable to multiple CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983234 ∗∗∗ AIX is vulnerable to arbitrary command execution due to invscout (CVE-2023-28528) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983232 ∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983236 ∗∗∗ Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983270 ∗∗∗ A CVE-2021-28165 vulnerability in Eclipse Jetty affects IBM Process Designer 8.5.7 shipped with IBM Business Automation Workflow ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983272 ∗∗∗ Multiple security vulnerabilities has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI - January 2023 CPU plus deferred CVE-2022-21426 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983454 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool\/OMNIbus WebGUI (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983456 ∗∗∗ IBM Maximo Asset Management is vulnerable to HTML injection (CVE-2023-27864) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983460 ∗∗∗ IBM Security Verify Governance is vulnerable to remote attacks to execute arbitrary code on the system [CVE-2013-4521, CVE-2013-2165 and CVE-2018-14667] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983480 ∗∗∗ IBM Security Verify Governance is vulnerable to a denial of service caused by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983482 ∗∗∗ IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to denial of service due to [CVE-2022-37603] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983484 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server and IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983486 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server Liberty profile shipped with IBM Business Automation Workflow (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983490 ∗∗∗ A vulnerability has been identified in IBM WebSphere Application Server traditional and Liberty profile shipped with IBM Business Automation Workflow (IBM\u00ae Java SDK CPU January 2023) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983492 ∗∗∗ AIX is vulnerable to arbitrary command execution (CVE-2023-26286) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6983236 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.04.2023
by Daily end-of-shift report 12 Apr '23

12 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 11-04-2023 18:00 − Mittwoch 12-04-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Patchday: Angreifer infizieren Windows mit Nokoyawa-Ransomware ∗∗∗ --------------------------------------------- Microsoft hat wichtige Sicherheitsupdates für etwa Azure, Dynamics 365 und Windows veröffentlicht. --------------------------------------------- https://heise.de/-8935888 ∗∗∗ BSI warnt vor kritischen Zero-Day-Lücken im NTP-Server ∗∗∗ --------------------------------------------- Ein IT-Forscher hat fünf Sicherheitslücken im Zeitserver NTP gemeldet. Das BSI stuft die Lücken als kritisch ein. Ein Update steht bislang noch nicht bereit. --------------------------------------------- https://heise.de/-8948528 ∗∗∗ Warten auf Sicherheitspatches: BIOS-Lücken gefährden Lenovo-Laptops ∗∗∗ --------------------------------------------- Angreifer könnten Lenovo-Laptops attackieren und im schlimmsten Fall Schadcode ausführen. Updates sind noch nicht verfügbar. --------------------------------------------- https://heise.de/-8948481 ∗∗∗ Phishing-Alarm: „New Fax Document(s) has been received” ∗∗∗ --------------------------------------------- Derzeit werden willkürlich E-Mails an Unternehmen versendet, in denen behauptet wird, dass die Empfänger:innen ein neues Fax-Dokument erhalten hätten. Um das Dokument anzusehen, muss ein Link angeklickt werden. Achtung: Kriminelle versuchen das Microsoft-Konto der betroffenen Mitarbeiter:innen zu kapern. --------------------------------------------- https://www.watchlist-internet.at/news/phishing-alarm-new-fax-documents-has… ∗∗∗ Abo-Falle statt Kaffeemaschinen-Gewinnspiel im Namen von MediaMarkt ∗∗∗ --------------------------------------------- Auf Facebook wird ein betrügerisches Gewinnspiel im Namen von MediaMarkt durch Kriminelle beworben. Versprochen werden Kaffeemaschinen von DeLonghi für nur 1,95 Euro wegen einer angeblichen Vertragsauflösung zwischen dem Hersteller und MediaMarkt. Tatsächlich landen Sie hier aber in einer teuren Abo-Falle. Die Kaffeemaschinen gibt es nicht. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-statt-kaffeemaschinen-gewi… ∗∗∗ Remote Code Execution (RCE) in Hashicorp Vault ∗∗∗ --------------------------------------------- Hashicorp's Vault is a secure, open-source secrets management tool that stores and provides access to sensitive information like API keys, passwords, and certificates. This vulnerability, in certain conditions, allows attackers to execute code remotely on the target system through a SQL injection attack. --------------------------------------------- https://www.oxeye.io/blog/rce-through-sql-injection-vulnerability-in-hashic… ∗∗∗ Hacked sites caught spreading malware via fake Chrome updates ∗∗∗ --------------------------------------------- Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unaware visitors. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hacked-sites-caught-spreadin… ∗∗∗ Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign ∗∗∗ --------------------------------------------- This guide provides steps that organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2022-21894 via a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. --------------------------------------------- https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-inves… ∗∗∗ The Service Accounts Challenge: Cant See or Secure Them Until Its Too Late ∗∗∗ --------------------------------------------- Heres a hard question to answer: How many service accounts do you have in your environment?. A harder one is: Do you know what these accounts are doing?. And the hardest is probably: If any of your service account was compromised and used to access resources would you be able to detect and stop that in real-time? --------------------------------------------- https://thehackernews.com/2023/04/the-service-accounts-challenge-cant-see.h… ∗∗∗ Another zero-click Apple spyware maker just popped up on the radar again ∗∗∗ --------------------------------------------- Malware reportedly developed by a little-known Israeli commercial spyware maker has been found on devices of journalists, politicians, and an NGO worker in multiple countries, say researchers. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/04/12/quadream_spy… ∗∗∗ Recent IcedID (Bokbot) activity ∗∗∗ --------------------------------------------- This week, weve seen IcedID (Bokbot) distributed through thread-hijacked emails with PDF attachments. The PDF files have links that redirect to Google Firebase Storage URLs hosting password-protected zip archives. The password for the downloaded zip archive is shown in the PDF file. The downloaded zip archives contain EXE files that are digitally-signed using a certificate issued by SSL.com. --------------------------------------------- https://isc.sans.edu/diary/rss/29740 ∗∗∗ BumbleBee hunting with a Velociraptor ∗∗∗ --------------------------------------------- The various detection opportunities described in the report can be useful for organizations to detect an infection in its first stages and, therefore, prevent further malicious activity starting from BumbleBee. The detection opportunities rely on open-source tools (e.g., Velociraptor) and rules (e.g., Yara, Sigma) so they can be used by any company or the wider community. --------------------------------------------- https://sec-consult.com/blog/detail/bumblebee-hunting-with-a-velociraptor/ ∗∗∗ Cryptocurrency Stealer Malware Distributed via 13 NuGet Packages ∗∗∗ --------------------------------------------- Cybersecurity researchers have detailed the inner workings of the cryptocurrency stealer malware that was distributed via 13 malicious NuGet packages as part of a supply chain attack targeting .NET developers. The sophisticated typosquatting campaign, which was uncovered by JFrog late last month, impersonated legitimate packages to execute PowerShell code designed to retrieve a follow-on binary from a hard-coded server. --------------------------------------------- https://thehackernews.com/2023/04/cryptocurrency-stealer-malware.html ∗∗∗ Update Now! Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts ∗∗∗ --------------------------------------------- On January 26, 2023, the Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts. --------------------------------------------- https://www.wordfence.com/blog/2023/04/update-now-severe-vulnerability-impa… ∗∗∗ On self-healing code and the obvious issue ∗∗∗ --------------------------------------------- While browsing the news in the morning Ive found an article on Ars Technica titles "Developer creates “self-healing” programs that fix themselves thanks to AI". Its about Wolverine, which is an automated extension of what was demoed during the GPT-4 reveal, i.e. the perceived ability of GPT-4 to understand error messages and suggest fixes. --------------------------------------------- https://gynvael.coldwind.pl/?id=766 ===================== = Vulnerabilities = ===================== ∗∗∗ Patchday: Fortinet schließt kritische und hochriskante Lücken ∗∗∗ --------------------------------------------- Am April-Patchday liefert Fortinet für zahlreiche Produkte Sicherheitsupdates aus. Eine der damit geschlossenen Lücken stuft der Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-8939457 ∗∗∗ Patchday: Kritische Schadcode-Lücken in Adobe-Anwendungen geschlossen ∗∗∗ --------------------------------------------- Wer Anwendungen von Adobe nutzt, sollte diese aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-8935948 ∗∗∗ Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin ∗∗∗ --------------------------------------------- On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, [...] --------------------------------------------- https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-p… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (chromium, ghostscript, glusterfs, netatalk, php-Smarty, and skopeo), Mageia (ghostscript, imgagmagick, ipmitool, openssl, sudo, thunderbird, tigervnc/x11-server, and vim), Oracle (curl, haproxy, and postgresql), Red Hat (curl, haproxy, httpd:2.4, kernel, kernel-rt, kpatch-patch, and postgresql), Slackware (mozilla), SUSE (firefox), and Ubuntu (dotnet6, dotnet7, firefox, json-smart, linux-gcp, linux-intel-iotg, and sudo). --------------------------------------------- https://lwn.net/Articles/928870/ ∗∗∗ Patchday: Windows 11/Server 2022-Updates (11. April 2023) ∗∗∗ --------------------------------------------- Am 11. April 2023 (zweiter Dienstag im Monat, Patchday bei Microsoft) hat Microsoft auch kumulative Updates für Windows 11 22H1 und 22H2 veröffentlicht. Zudem erhielt Windows Server 2022 ein Update. Hier einige Details zu diesen Updates, die Schwachstellen sowie Probleme [...] --------------------------------------------- https://www.borncity.com/blog/2023/04/12/patchday-windows-11-server-2022-up… ∗∗∗ FANUC ROBOGUIDE-HandlingPRO ∗∗∗ --------------------------------------------- Successful exploitation of this vulnerability could allow an attacker to read and/or overwrite files on the system running the affected software. --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-101-01 ∗∗∗ NVIDIA Display Driver Advisory - March 2023 ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500558-NVIDIA-DISPLAY-DRIVER-A… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.04.2023
by Daily end-of-shift report 11 Apr '23

11 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 07-04-2023 18:00 − Dienstag 11-04-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ YouTube warnt vor täuschend echter Betrugsmasche ∗∗∗ --------------------------------------------- Derzeit werden Phishing-E-Mails im Namen von YouTube versandt, die eine glaubwürdige Mailadresse verwenden. --------------------------------------------- https://futurezone.at/digital-life/youtube-warnt-vor-taeuschend-echter-betr… ∗∗∗ Hijacking Arch Linux Packages by Repo Jacking GitHub Repositories ∗∗∗ --------------------------------------------- Repo jacking is an attack on GitHub repositories, where attackers are able to hijack GitHub repositories by reregistering previously used usernames. In this blog post, we discuss how many AUR packages (use GitHub packages that) are vulnerable to repo jacking attacks. --------------------------------------------- https://blog.nietaanraken.nl/posts/aur-packages-github-repo-jacking/ ∗∗∗ Stepping Insyde System Management Mode ∗∗∗ --------------------------------------------- In October of 2022, Intel’s Alder Lake BIOS source code was leaked online. [..] I obtained a copy of the leaked code and began to hunt for vulnerabilities. [..] All these vulnerabilities share a common root cause (insufficient input validation) and a common impact (SMRAM corruption). Their details are summarized in the following table [..] --------------------------------------------- https://research.nccgroup.com/2023/04/11/stepping-insyde-system-management-… ∗∗∗ Jetzt patchen! ALPHV-Ransomware schlüpft durch Veritas-Backup-Lücken ∗∗∗ --------------------------------------------- Angreifer nehmen derzeit drei Sicherheitslücken in Veritas Backup Exec ins Visier. Patches sind verfügbar. --------------------------------------------- https://heise.de/-8875233 ∗∗∗ MSI-Hack: Hardware-Hersteller warnt vor Fake-BIOS-Updates ∗∗∗ --------------------------------------------- Bei MSI ist es zu einem IT-Sicherheitsvorfall gekommen. Die Angreifer sollen Zugriff auf interne Daten gehabt haben. --------------------------------------------- https://heise.de/-8875303 ∗∗∗ Studie: Kriminelle schmuggeln Trojaner-Apps ab 2000 US-Dollar in Google Play ∗∗∗ --------------------------------------------- Für die Abzocke von Android-Nutzern bieten Kriminelle in Untergrundforen All-in-one-Trojaner-Pakete zum Verkauf an. --------------------------------------------- https://heise.de/-8927162 ∗∗∗ Microsoft Azure Users Warned of Potential Shared Key Authorization Abuse ∗∗∗ --------------------------------------------- An exploitation path involving Azure shared key authorization could allow full access to accounts and business data and ultimately lead to remote code execution (RCE), cloud security company Orca warns. --------------------------------------------- https://www.securityweek.com/microsoft-azure-users-warned-of-potential-shar… ∗∗∗ Webinar: Sicher unterwegs in Sozialen Netzwerken ∗∗∗ --------------------------------------------- Soziale Netzwerke sind längst unsere täglichen Begleiter geworden. Doch worauf muss ich eigentlich achten, wenn ich Plattformen wie Facebook oder Instagram sicher nutzen will? Das Webinar gibt Tipps zum verantwortungsvollen Umgang mit Sozialen Netzwerken. Nehmen Sie kostenlos teil: Dienstag 18. April 2023, 18:30 - 20:00 Uhr via zoom --------------------------------------------- https://www.watchlist-internet.at/news/webinar-sicher-unterwegs-in-sozialen… ∗∗∗ Amazon ruft an? Legen Sie auf! ∗∗∗ --------------------------------------------- Am Telefon stellen sich Kriminelle als Amazon-Mitarbeiter:innen vor und behaupten, dass Ihr Amazon-Konto gehackt wurde. Sie hätten verdächtige Bestellungen entdeckt. Die „Amazon-Mitarbeiter:innen“ bieten Ihnen an, die Bestellung zu stornieren und Ihr Konto zu schützen. Dabei handelt es sich aber um Betrug! Kriminelle versuchen Ihnen Geld, Ausweiskopien und Amazon-Zugangsdaten zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/amazon-ruft-an-legen-sie-auf/ ∗∗∗ AlienFox: Toolkit zur Kompromittierung von E-Mail- und Webhosting-Diensten in der Cloud ∗∗∗ --------------------------------------------- [English]AlienFox ist ein Toolkit zur Kompromittierung von E-Mail- und Webhosting-Diensten. Dieses Toolkit ist hochgradig modular, liegt in mehreren Versionen vor und versucht Fehlkonfigurationen in der Cloud auszunutzen, um die Anmeldedaten für Dienste wie AWS, Microsoft 365, Google Workspace, 1und1 etc. abzugreifen. --------------------------------------------- https://www.borncity.com/blog/2023/04/11/alienfox-toolkit-zur-kompromittier… ∗∗∗ WinVerifyTrust Signature Validation Vulnerability ∗∗∗ --------------------------------------------- Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update the Security Updates table and to inform customers that the EnableCertPaddingCheck is available in all currently supported versions of Windows 10 and Windows 11. While the format is different from the original CVE published in 2013, the information herein remains unchanged from the original text published on December 10, 2013. --------------------------------------------- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2013-3900 ===================== = Vulnerabilities = ===================== ∗∗∗ Security Vulnerabilities fixed in Firefox 112, Firefox for Android 112, Focus for Android 112 ∗∗∗ --------------------------------------------- CVE-2023-29531, CVE-2023-29532, CVE-2023-29533, CVE-2023-29534, CVE-2023-29535, CVE-2023-29536, CVE-2023-29537, CVE-2023-29538, CVE-2023-29539, CVE-2023-29540, CVE-2023-29541, CVE-2023-29542, CVE-2023-29543, CVE-2023-29544, CVE-2023-29545, CVE-2023-29546, CVE-2023-29547, CVE-2023-29548, CVE-2023-29549, CVE-2023-29550, CVE-2023-29551 Davon 11x "Severity: high". --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2023-13/ ∗∗∗ Exploit-Code: Schadcode könnte aus JavaScript-Sandbox vm2 ausbrechen ∗∗∗ --------------------------------------------- Die populäre vm2-Sandbox hat eine kritische Sicherheitslücke und Exploit-Code ist bereits im Umlauf. --------------------------------------------- https://heise.de/-8875269 ∗∗∗ Patchday: SAP meldet 19 teils kritische Sicherheitslücken ∗∗∗ --------------------------------------------- Im April hat SAP 19 Schwachstellen in den eigenen Produkten mit Sicherheitsmeldungen bedacht. Davon stuft der Hersteller zwei als kritisch ein. --------------------------------------------- https://heise.de/-8931365 ∗∗∗ iOS 15, macOS 11 und 12: Apple schiebt Notfallfix nach ∗∗∗ --------------------------------------------- Nachdem iOS 16 und macOS 13 bereits voll gepatcht worden waren, legt Apple auch einen Fix für eine bereits ausgenutzte Lücke für ältere Betriebssysteme nach. --------------------------------------------- https://heise.de/-8922448 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openimageio and udisks2), Fedora (chromium, curl, kernel, mediawiki, and seamonkey), Oracle (httpd:2.4), Red Hat (httpd and mod_http2 and tigervnc), SUSE (ghostscript and kernel), and Ubuntu (irssi). --------------------------------------------- https://lwn.net/Articles/928667/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (keepalived and lldpd), Oracle (kernel), and SUSE (kernel, podman, seamonkey, and upx). --------------------------------------------- https://lwn.net/Articles/928736/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Dozens of Vulnerabilities ∗∗∗ --------------------------------------------- Siemens and Schneider Electric’s Patch Tuesday advisories for April 2023 address a total of 38 vulnerabilities found in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ PHOENIX CONTACT: Directory Traversal Vulnerability in ENERGY AXC PU Web service ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2023-004/ ∗∗∗ Insyde BIOS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500557 ∗∗∗ Lenovo XClarity Controller (XCC) Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500556-LENOVO-XCLARITY-CONTROL… ∗∗∗ Lenovo Smart Clock Essential Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500555-LENOVO-SMART-CLOCK-ESSE… ∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM Cloud Pak for Applications, are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982187 ∗∗∗ IBM i components are affected by CVE-2021-4104 (log4j version 1.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6539162 ∗∗∗ IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Lucene ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982359 ∗∗∗ IBM Watson Explorer affected by vulnerability in Apache Commons. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964808 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM WebSphere Remote Server (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982539 ∗∗∗ Vulnerabilities in OpenSSL affect QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module for IBM BladeCenter and QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/888295 ∗∗∗ Vulnerabilities in cURL affect QLogic Virtual Fabric Extension Module for IBM BladeCenter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/888299 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982833 ∗∗∗ Netcool Operations Insight v1.6.8 addresses multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982841 ∗∗∗ The IBM\u00ae Engineering Lifecycle Engineering product using IBM Java - Eclipse OpenJ9 is vulnerable to CVE-2022-3676 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982847 ∗∗∗ Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to Webpack (CVE-2023-28154) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982851 ∗∗∗ IBM Engineering Requirements Management DOORS Next is vulnerable to XML external entity (XXE) attacks due to a vulnerability in XML processing in Apache Jena, in versions up to 4.1.0 (CVE-2021-39239) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981111 ∗∗∗ IBM Operational Decision Manager March 2023 - CVE-2014-0114, CVE-2019-10086, CVE-2023-24998 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982881 ∗∗∗ IBM WebSphere Application Server Liberty is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982895 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications, is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982903 ∗∗∗ IBM WebSphere Application Server Liberty, which is bundled with IBM WebSphere Hybrid Edition, is vulnerable to a privilege escalation due to RESTEasy (CVE-2023-0482) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982905 ∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982047 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.04.2023
by Daily end-of-shift report 07 Apr '23

07 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 06-04-2023 18:00 − Freitag 07-04-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Security baseline for Microsoft Edge v112 ∗∗∗ --------------------------------------------- Microsoft is pleased to announce the release of the security baseline for Microsoft Edge, version 112! We have reviewed the settings in Microsoft Edge version 112 and updated our guidance with the removal of three obsolete settings. A new Microsoft Edge security baseline package was just released to the Download Center. --------------------------------------------- https://techcommunity.microsoft.com/t5/microsoft-security-baselines/securit… ∗∗∗ Security headers you should add into your application to increase cyber risk protection, (Thu, Apr 6th) ∗∗∗ --------------------------------------------- Web applications are a wide world that is currently the object of numerous cyberattacks, mostly seeking to compromise the information directly in the clients that use them. --------------------------------------------- https://isc.sans.edu/diary/rss/29720 ∗∗∗ Detecting Suspicious API Usage with YARA Rules, (Fri, Apr 7th) ∗∗∗ --------------------------------------------- YARA is a beautiful tool for malware researchers and incident responders. No need to present it again. It became a standard tool to add to your arsenal. While teaching FOR610 (Malware Analysis & Reverse Engineering), a student asked me how to detect specific API calls with dangerous parameters during the triage phase. This phase will help you quickly assess the malware sample and help you decide how to perform the following steps. --------------------------------------------- https://isc.sans.edu/diary/rss/29724 ∗∗∗ Balada Injector: Synopsis of a Massive Ongoing WordPress Malware Campaign ∗∗∗ --------------------------------------------- Our team at Sucuri has been tracking a massive WordPress infection campaign since 2017 — but up until recently never bothered to give it a proper name. Typically, we refer to it as an ongoing long lasting massive WordPress infection campaign that leverages all known and recently discovered theme and plugin vulnerabilities. --------------------------------------------- https://blog.sucuri.net/2023/04/balada-injector-synopsis-of-a-massive-ongoi… ∗∗∗ With ICMP magic, you can snoop on vulnerable HiSilicon, Qualcomm-powered Wi-Fi ∗∗∗ --------------------------------------------- WPA stands for will-provide-access, if you can successfully exploit a targets setup. A vulnerability identified in at least 55 Wi-Fi router models can be exploited by miscreants to spy on victims data as its sent over a wireless network. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/04/07/wifi_access_… ∗∗∗ Pwning Pixel 6 with a leftover patch ∗∗∗ --------------------------------------------- In this post, I’ll look at a security-related change in version r40p0 of the Arm Mali driver that was AWOL in the January update of the Pixel bulletin, where other patches from r40p0 was applied, and how these two lines of changes can be exploited to gain arbitrary kernel code execution and root from a malicious app. This highlights how treacherous it can be when backporting security changes. --------------------------------------------- https://github.blog/2023-04-06-pwning-pixel-6-with-a-leftover-patch/ ∗∗∗ Umfrage: Softwarebedingte Schwachstellen sind das größte Sicherheitsproblem ∗∗∗ --------------------------------------------- Hacker setzen vermehrt auf bekannte Sicherheitslücken. Ransomware ist der Umfrage zufolge nur die viertgrößte Bedrohung. Ein weiteres Problem: viele Unternehmen weisen Mitarbeiter an, meldepflichtige Vorfälle zu verschweigen. --------------------------------------------- https://www.zdnet.de/88408311/umfrage-softwarebedingte-schwachstellen-sind-… ===================== = Vulnerabilities = ===================== ∗∗∗ Release notes for Microsoft Edge Security Updates (CVE-2023-28284, CVE-2023-24935, CVE-2023-28301) ∗∗∗ --------------------------------------------- April 6, 2023: Microsoft has released the latest Microsoft Edge Stable Channel (Version 112.0.1722.34) which incorporates the latest Security Updates of the Chromium project. --------------------------------------------- https://learn.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-securi… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (ldb/samba, libapreq2, opencontainers-runc, peazip, python-cairosvg, stellarium, and zstd), Oracle (httpd and mod_http2, kernel, and nss), SUSE (conmon, go1.19, go1.20, libgit2, openssl-1_1, and openvswitch), and Ubuntu (emacs24). --------------------------------------------- https://lwn.net/Articles/928559/ ∗∗∗ F5: K000133432 : Intel CPU vulnerability CVE-2022-21216 ∗∗∗ --------------------------------------------- https://my.f5.com/manage/s/article/K000133432 ∗∗∗ CISA Adds Five Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/alerts/2023/04/07/cisa-adds-five-known-exp… ∗∗∗ IBM Informix Dynamic Server is affected when a specific function in the Spatial Datablade is called with an out-of-range parameter ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6343587 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in GnuPG Libksba [CVE-2022-3515] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981855 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary code execution in libexpat [CVE-2022-40674] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981859 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in SQlite [CVE-2020-35527] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981851 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an arbitrary commands execution in Python (CVE-2015-20107) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981849 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a security restrictions bypass in GNU Libtasn1 [CVE-2021-46848] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981853 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-23521] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981857 ∗∗∗ IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution in Git [CVE-2022-41903] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981861 ∗∗∗ Privilege Escalation vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981911 ∗∗∗ Improper Error Handling ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981917 ∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982047 ∗∗∗ Vulnerabilities in OpenSSL affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/286971 ∗∗∗ IBM WebSphere Application Server and IBM WebSphere Application Server Liberty, which are bundled with IBM WebSphere Hybrid Edition, are vulnerable to a denial of service due to Apache Commons FileUpload (CVE-2023-24998) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6982141 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.04.2023
by Daily end-of-shift report 06 Apr '23

06 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 05-04-2023 18:00 − Donnerstag 06-04-2023 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Telegram now the go-to place for selling phishing tools and services ∗∗∗ --------------------------------------------- Telegram has become the working ground for the creators of phishing bots and kits looking to market their products to a larger audience or to recruit unpaid helpers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/telegram-now-the-go-to-place… ∗∗∗ CAN do attitude: How thieves steal cars using network bus ∗∗∗ --------------------------------------------- It starts with a headlamp and fake smart speaker, and ends in an injection attack and a vanished motor. Automotive security experts say they have uncovered a method of car theft relying on direct access to the vehicles system bus via a smart headlamps wiring. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2023/04/06/can_injectio… ∗∗∗ Technical analysis of the Genesis Market ∗∗∗ --------------------------------------------- [...] In case you are unfamiliar with this market, it was used to sell stolen login credentials, browser cookies and online fingerprints (in order to prevent ‘risky sign-in’ detections), by some referred to as IMPaas, or Impersonation-as-a-Service. [...] its activities have resulted in approximately two million victims. If you want to know more about this operation, you can read our other blog post. You can also check if your data has been compromised [...] --------------------------------------------- https://sector7.computest.nl/post/2023-04-technical-analysis-genesis-market/ ∗∗∗ CyberGhostVPN - the story of finding MITM, RCE, LPE in the Linux client ∗∗∗ --------------------------------------------- This article discloses the vulnerabilities that were present in the CyberGhostVPN Linux 1.3.5 client (and versions below). The latest version of the CyberGhostVPN Linux client is now free from these vulnerabilities. --------------------------------------------- https://mmmds.pl/cyberghostvpn-mitm-rce-lpe/ ∗∗∗ Cisco: Teils hochriskante Lücken in mehreren Produkten abgedichtet ∗∗∗ --------------------------------------------- Cisco-Administratoren bekommen über die Ostertage Arbeit: Der Hersteller hat in diversen Produkten Sicherheitslücken entdeckt. Updates sollen sie schließen. --------------------------------------------- https://heise.de/-8644498 ∗∗∗ Nexx Garagentorsteuerung: Schwachstelle erlaubt Zugriff für Hacker ∗∗∗ --------------------------------------------- Wer eine Home-Automatisierung von Nexx besitzt und diese per Fernsteuerung seiner Garagentore benutzt, hat nun ein fettes Problem. Eine Schwachstelle in der Nexx-Fernsteuerung ermöglicht Hackern den nicht autorisierten Zugriff auf die Garagentore. --------------------------------------------- https://www.borncity.com/blog/2023/04/06/nexx-garagentorsteuerung-schwachst… ∗∗∗ Beware of new YouTube phishing scam using authentic email address ∗∗∗ --------------------------------------------- Watch out for a new YouTube phishing scam and ignore any email from YouTube that claims to provide details about "Changes in YouTube rules and policies | Check the Description. --------------------------------------------- https://www.hackread.com/youtube-phishing-scam-authentic-email-address/ ===================== = Vulnerabilities = ===================== *** Cisco Security Advisories 2023-04-05 *** --------------------------------------------- Cisco has released 13 security advisories: (3x High, 9x Medium, 1x Informational) --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/Search.x?publicationTypeIDs… ∗∗∗ Trellix-Agent ermöglicht Rechteausweitung am System ∗∗∗ --------------------------------------------- Der Agent von Trellix – dem Zusammenschluss von McAfee und FireEye – ermöglicht Angreifern, ihre Rechte im System auszuweiten. Ein Update schließt die Lücke. --------------------------------------------- https://heise.de/-8645652 ∗∗∗ Datenleck: Mastodon-Lücke erlaubt Informationsabfluss ∗∗∗ --------------------------------------------- Aktualisierte Mastodon-Pakete dichten ein Datenleck in der LDAP-Authentifizierung ab. Administratorinnen und Administratoren sollten die Updates zügig anwenden. --------------------------------------------- https://heise.de/-8645580 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cairosvg, ghostscript, grunt, tomcat9, and trafficserver), Fedora (golang, podman, xen, and zchunk), Red Hat (kpatch-patch), SUSE (systemd), and Ubuntu (apache-log4j1.2, liblouis, linux-aws, and linux-bluefield). --------------------------------------------- https://lwn.net/Articles/928476/ ∗∗∗ Celery as used by IBM QRadar Advisor With Watson App is vulnerable to arbitrary command execution (CVE-2021-23727) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981595 ∗∗∗ Node.js passport is vulnerable to CVE-2022-25896 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6966086 ∗∗∗ IBM TRIRIGA Application Platform discloses XML external entities injection (CVE-2023-27876) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981115 ∗∗∗ IBM TRIRIGA Application Platform discloses Stored Cross Site Scripting (CVE-2022-43914) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981597 ∗∗∗ AIX is vulnerable to denial of service due to ISC BIND (CVE-2022-38178, CVE-2022-3080, CVE-2022-38177, CVE-2022-2795) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6851445 ∗∗∗ decode-uri-component is vulnerable to CVE-2022-38900 used in IBM Maximo Application Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981607 ∗∗∗ AIX is vulnerable to arbitrary code execution due to libxml2 (CVE-2022-40303 and CVE-2022-40304) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6953825 ∗∗∗ AIX is vulnerable to denial of service vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6847947 ∗∗∗ Vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981763 ∗∗∗ IBM Security Verify Governance is vulnerable to cross-site scripting, caused by improper validation of user-supplied input related to the HtmlResponseWriter (CVE-2013-5855) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6981781 ∗∗∗ IBM Watson Explorer affected by vulnerability in OpenSSL. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963622 ∗∗∗ IBM Watson Explorer affected by vulnerability in Apache Commons. ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6964808 ∗∗∗ Korenix Jetwave ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-04 ∗∗∗ mySCADA myPRO ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06 ∗∗∗ JTEKT ELECTRONICS Kostac PLC Programming Software ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-03 ∗∗∗ Hitachi Energy MicroSCADA System Data Manager SDM600 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-05 ∗∗∗ JTEKT ELECTRONICS Screen Creator Advance 2 ∗∗∗ --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.04.2023
by Daily end-of-shift report 05 Apr '23

05 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Dienstag 04-04-2023 18:00 − Mittwoch 05-04-2023 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Open garage doors anywhere in the world by exploiting this “smart” device ∗∗∗ --------------------------------------------- A universal password. Unencrypted user data and commands. What could go wrong? A market-leading garage door controller is so riddled with severe security and privacy vulnerabilities that the researcher who discovered them, Sam Sabetan, is advising anyone using one to immediately disconnect it until they are fixed. Each $80 device, used to open and close garage doors and control home security alarms and smart power plugs, employs the same easy-to-find universal password to communicate with Nexx servers. The controllers also broadcast the unencrypted email address, device ID, first name, and last initial corresponding to each one, along with the message required to open or shut a door or turn on or off a smart plug or schedule such a command for a later time. Immediately unplug all Nexx devices --------------------------------------------- https://arstechnica.com/?p=1929120 ∗∗∗ Exploration of DShield Cowrie Data with jq, (Wed, Apr 5th) ∗∗∗ --------------------------------------------- There have been other diaries [1][2] showing how to explore JSON data with jq [3]. We'll review some options to understand unfamiliar JSON data and ways to filter that information. Using tools like Security Information and Event Management (SIEM) systems can help aggregate data and make it more easily searched and visualized. There are still times where being able to quickly search JSON data can be useful, especially if a SIEM option is not immediately available. --------------------------------------------- https://isc.sans.edu/diary/rss/29714 ∗∗∗ ALPHV/BlackCat ransomware affiliate targets Veritas Backup solution bugs ∗∗∗ --------------------------------------------- An ALPHV/BlackCat ransomware affiliate was spotted exploiting vulnerabilities in the Veritas Backup solution. An affiliate of the ALPHV/BlackCat ransomware gang, tracked as UNC4466, was observed exploiting three vulnerabilities in the Veritas Backup solution to gain initial access to the target network. Unlike other ALPHV affiliates, UNC4466 doesn’t rely on stolen credentials for initial access to victim environments. Mandiant [...] --------------------------------------------- https://securityaffairs.com/144438/cyber-crime/alphv-blackcat-ransomware-ve… ∗∗∗ Deobfuscating the Recent Emotet Epoch 4 Macro ∗∗∗ --------------------------------------------- This analysis is intended to help the cybersecurity community better understand the wider obfuscation and padding tricks Emotet is using. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/deobfuscati… ∗∗∗ Cyber-Betrüger: Zahlungsaufforderung für Lösegeld – jedoch ohne Ransomware ∗∗∗ --------------------------------------------- Auf die aktuell häufigen Cyber-Attacken stürzen sich weitere Betrüger. Sie verschicken Mails mit Zahlungsaufforderungen, ohne Ransomware eingeschleust zu haben. --------------------------------------------- https://heise.de/-8587724 ∗∗∗ Pre-ransomware notifications are paying off right from the bat ∗∗∗ --------------------------------------------- CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023. Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred. --------------------------------------------- https://www.malwarebytes.com/blog/news/2023/04/pre-ransomware-notifications… ∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗ --------------------------------------------- NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community. --------------------------------------------- https://research.nccgroup.com/2023/04/05/detecting-karakurt-an-extortion-fo… ∗∗∗ Markenfälschungen im Online-Handel – So schützen Sie sich! ∗∗∗ --------------------------------------------- Wer im Internet nach Markenkleidung, Uhren, Accessoires oder aber Medikamenten sucht, stößt häufig auf unseriöse Angebote. In einigen Fällen führt eine Bestellung günstiger Markenprodukte zum Erhalt eines gefälschten Produkts, manchmal erhält man gar nichts und insbesondere bei Medikamenten kann das Produkt sogar gefährlich sein. Worauf man in Online-Shops und auf Plattformen wie Amazon achten kann, um sich zu schützen [...] --------------------------------------------- https://www.watchlist-internet.at/news/markenfaelschungen-im-online-handel-… ∗∗∗ How we’re protecting users from government-backed attacks from North Korea ∗∗∗ --------------------------------------------- Googles Threat Analysis Group shares information on ARCHIPELAGO as well as the work to stop government-backed attackers. --------------------------------------------- https://blog.google/threat-analysis-group/how-were-protecting-users-from-go… ∗∗∗ MS OneNote soll künftig 120 gefährliche Filetypen blockieren ∗∗∗ --------------------------------------------- Microsoft reagiert wohl auf den Umstand, dass OneNote inzwischen als Malware-Schleuder für Systeme missbraucht wird. Die Anwendung soll zukünftig 120 gefährliche Filetypen blockieren, so dass diese durch Downloads aus dem Internet nicht mehr für Malware-Angriffe missbraucht werden können. --------------------------------------------- https://www.borncity.com/blog/2023/04/05/ms-onenote-soll-knftig-120-gefhrli… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple Vulnerabilities in Autodesk® InfoWorks® software ∗∗∗ --------------------------------------------- Autodesk® InfoWorks® WS Pro and InfoWorks® ICM have been affected by multiple vulnerabilities detailed below. Exploitation of these vulnerabilities may lead to remote code execution and/or denial-of-service to the software and user devices. Patch releases are available in Autodesk Access or the Accounts Portal or the Innovyze Web Portal to help resolve these vulnerabilities. The patch versions are listed below. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0001 ∗∗∗ Chrome 112: 16 Sicherheitslücken gestopft ∗∗∗ --------------------------------------------- Google hat den Webbrowser Chrome in Version 112 freigegeben. Die Entwickler dichten 16 Schwachstellen ab. Chromium-basierte Browser dürften bald nachziehen. --------------------------------------------- https://heise.de/-8572482 ∗∗∗ Technical Advisory – play-pac4j Authentication rule bypass ∗∗∗ --------------------------------------------- Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the full URI provided in a user’s HTTP request. If a requested URI matches one of these expressions, the associated authentication rule will be applied. These rules are only intended to validate the path and query string section of a URL. --------------------------------------------- https://research.nccgroup.com/2023/04/05/technical-advisory-play-pac4j-auth… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ghostscript and openimageio), Fedora (kernel, rubygem-actioncable, rubygem-actionmailbox, rubygem-actionmailer, rubygem-actionpack, rubygem-actiontext, rubygem-actionview, rubygem-activejob, rubygem-activemodel, rubygem-activerecord, rubygem-activestorage, rubygem-activesupport, rubygem-rails, and rubygem-railties), Oracle (gnutls, httpd, kernel, nodejs:16, nodejs:18, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Red Hat (gnutls, httpd, httpd:2.4, kernel, kpatch-patch, pcs, pesign, postgresql:13, tigervnc, and tigervnc, xorg-x11-server), Scientific Linux (httpd and tigervnc, xorg-x11-server), SUSE (aws-efs-utils.11048, libheif, liblouis, openssl, python-cryptography, python-Werkzeug, skopeo, tomcat, and wireshark), and Ubuntu (imagemagick, ipmitool, and node-trim-newlines). --------------------------------------------- https://lwn.net/Articles/928408/ ∗∗∗ Kritische Schwachstelle CVE-2023-1707 in HP-Drucker-Firmware, kein Patch verfügbar ∗∗∗ --------------------------------------------- Die Firmware von verschiedenen Laser-Drucker ist gegenüber der Schwachstelle CVE-2023-1707 anfällig. Bestimmte HP Enterprise LaserJet und HP LaserJet sind in verwalteten Umgebungen potenziell anfällig für die Offenlegung von Informationen, wenn IPsec mit FutureSmart Version 5.6 aktiviert ist. --------------------------------------------- https://www.borncity.com/blog/2023/04/05/kritische-schwachstelle-cve-2023-1… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.04.2023
by Daily end-of-shift report 04 Apr '23

04 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Montag 03-04-2023 18:00 − Dienstag 04-04-2023 18:00 Handler: Robert Waldner Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WinRAR SFX archives can run PowerShell without being detected ∗∗∗ --------------------------------------------- Hackers are adding malicious functionality to WinRAR self-extracting archives that contain harmless decoy files, allowing them to plant backdoors without triggering the security agent on the target system. --------------------------------------------- https://www.bleepingcomputer.com/news/security/winrar-sfx-archives-can-run-… ∗∗∗ Analyzing the efile.com Malware "efail", (Tue, Apr 4th) ∗∗∗ --------------------------------------------- Yesterday, I wrote about efile.com serving malicious ake "Browser Updates" to some of its users. This morning, efile.com finally removed the malicious code from its site. The attacker reacted a bit faster and removed some of the additional malware. But luckily, I was able to retrieve some of the malware last evening before it was removed. --------------------------------------------- https://isc.sans.edu/diary/rss/29712 ∗∗∗ Rilide: A New Malicious Browser Extension for Stealing Cryptocurrencies ∗∗∗ --------------------------------------------- Trustwave SpiderLabs uncovered a new strain of malware that it dubbed Rilide, which targets Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-ne… ∗∗∗ Microsoft Tightens OneNote Security by Auto-Blocking 120 Risky File Extensions ∗∗∗ --------------------------------------------- Microsoft has announced plans to automatically block embedded files with "dangerous extensions" in OneNote following reports that the note-taking service is being increasingly abused for malware delivery. Up until now, users were shown a dialog warning them that opening such attachments could harm their computer and data, but it was possible to dismiss the prompt and open the files That's going to change going forward. --------------------------------------------- https://thehackernews.com/2023/04/microsoft-tightens-onenote-security-by.ht… ∗∗∗ A fresh look at user enumeration in Microsoft Teams ∗∗∗ --------------------------------------------- The technique to enumerate user details and presence information via Microsoft Teams is not new and was described in a blog post by immunit.ch and their tool "TeamsUserEnum". This blog post adds more information related to user enumeration via Teams and covers different endpoints used by different account types. --------------------------------------------- https://www.securesystems.de/blog/a-fresh-look-at-user-enumeration-in-micro… ∗∗∗ Internationaler Monat zur Betrugsbekämpfung: Vorsicht vor Dark Patterns ∗∗∗ --------------------------------------------- Im März 2023 jährt sich der internationale Monat zur Betrugsbekämpfung („ICPEN Fraud Prevention Month"). Das diesjährige Schwerpunktthema sind Dark Patterns. Dark Patterns sind irreführende Designelemente und Webseiten-Gestaltungen, mit denen versucht wird, User:innen zu Entscheidungen zu verleiten, die nicht in ihrem besten Interesse liegen. Was Dark Patterns genau sind, wie Sie diese erkennen und sich am besten schützen, erfahren Sie hier! --------------------------------------------- https://www.watchlist-internet.at/news/fraud-prevention-month-vorsicht-vor-… ∗∗∗ Lebenslauf-Editor auf zety.de führt in Abo-Falle ∗∗∗ --------------------------------------------- Auf zety.de können Sie angeblich professionelle Lebensläufe und Bewerbungen erstellen. Per Klick wählen Sie eine gewünschte Vorlage und befüllen sie mit Ihren Daten – scheinbar kostenlos. Erst wenn Sie Ihr Dokument herunterladen möchten, erfahren Sie, dass der Dienst doch nicht gratis ist. Wenn Sie überweisen, schließen Sie ein Abo ab! --------------------------------------------- https://www.watchlist-internet.at/news/lebenslauf-editor-auf-zetyde-fuehrt-… ∗∗∗ Weitere Informationen zu Angriffen gegen 3CX Desktop App ∗∗∗ --------------------------------------------- Seit der Veröffentlichung unserer letzten Meldung zu den Angriffen gegen die bzw. durch Missbrauch der 3CX Desktop App sind inzwischen weitere Details und neue Informationen bekannt geworden. Die wichtigsten Details in dieser Hinsicht sind: [...] --------------------------------------------- https://cert.at/de/aktuelles/2023/4/weitere-informationen-zu-angriffen-gege… ∗∗∗ Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities ∗∗∗ --------------------------------------------- The developer of the Typhon Reborn information stealer released version 2 (V2) in January, which included significant updates to its codebase and improved capabilities. Most notably, the new version features additional anti-analysis and anti-virtual machine (VM) capabilities to evade detection and make analysis more difficult. --------------------------------------------- https://blog.talosintelligence.com/typhon-reborn-v2-features-enhanced-anti-… ∗∗∗ Rorschach – A New Sophisticated and Fast Ransomware ∗∗∗ --------------------------------------------- Rorschach ransomware appears to be unique, sharing no overlaps that could easily attribute it to any known ransomware strain. In addition, it does not bear any kind of branding which is a common practice among ransomware groups. The ransomware is partly autonomous, carrying out tasks that are usually manually performed during enterprise-wide ransomware deployment, such as creating a domain group policy (GPO). --------------------------------------------- https://research.checkpoint.com/2023/rorschach-a-new-sophisticated-and-fast… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#473698: uClibc, uClibc-ng libraries have monotonically increasing DNS transaction ID ∗∗∗ --------------------------------------------- The uClibc and uClibc-ng libraries, prior to uClibc-ng 1.0.41, are vulnerable to DNS cache poisoning due to the use of predicatble DNS transaction IDs when making DNS requests. This vulnerability can allow an attacker to perform DNS cache poisoning attacks against a vulnerable environment.[..] The uClibc library has not been updated since May of 2012. --------------------------------------------- https://kb.cert.org/vuls/id/473698 ∗∗∗ Pentah0wnage: Pre-Auth RCE in Pentaho Business Analytics Server (CVE-2022-43769, CVE-2022-43939, CVE-2022-43773, CVE-2022-43938) ∗∗∗ --------------------------------------------- A few months ago I was working on an engagement where Pentaho was used to collect data and generate reports. [..] I found a total of eight vulnerabilties, three of which enable command execution on the residing host. [..] 31 March 2023: Vendor released patches, but no public CVE disclosure. --------------------------------------------- https://research.aurainfosec.io/pentest/pentah0wnage/ ∗∗∗ Nexx Smart Home Device ∗∗∗ --------------------------------------------- AFFECTED PRODUCTS - Nexx Garage Door Controller (NXG-100B, NXG-200): Version nxg200v-p3-4-1 and prior - Nexx Smart Plug (NXPG-100W): Version nxpg100cv4-0-0 and prior - Nexx Smart Alarm (NXAL-100): Version nxal100v-p1-9-1and prior --------------------------------------------- https://www.cisa.gov/news-events/ics-advisories/icsa-23-094-01 ∗∗∗ Patchday: Android-Lücken mit kritischem Risiko gestopft ∗∗∗ --------------------------------------------- Zum April-Patchday hat Google Sicherheitslücken im Android-Betriebssystem geschlossen, die die Entwickler teils als kritisch einstufen. --------------------------------------------- https://heise.de/-8522365 ∗∗∗ Sophos: Kritische Sicherheitslücke in Web-Appliance ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Sophos hat in der Web Appliance (SWA) Sicherheitslücken geschlossen, die Angreifern etwa das Ausführen beliebigen Codes ermöglichen. --------------------------------------------- https://heise.de/-8525279 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (openbgpd and seamonkey), Red Hat (httpd:2.4, kernel, kernel-rt, and pesign), SUSE (compat-openssl098, dpdk, drbd, ImageMagick, nextcloud, openssl, openssl-1_1, openssl-3, openssl1, oracleasm, pgadmin4, terraform-provider-helm, and yaml-cpp), and Ubuntu (haproxy, ldb, samba, and vim). --------------------------------------------- https://lwn.net/Articles/928294/ ∗∗∗ Netty Vulnerabilites 4.0.37 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980407 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980411 ∗∗∗ IBM Sterling Order Management Golang Go Vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980457 ∗∗∗ Vulnerabilities with kernel, MariaDB, Gnu GnuTLS, OpenJDK, commons-fileupload affect IBM Cloud Object Storage Systems (Mar 2023v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6962855 ∗∗∗ IBM Aspera Faspex 5.0.5 has addressed CVE-2022-4304 ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980501 ∗∗∗ IBM Security Verify Access Appliance includes components with known vulnerabilities (CVE-2022-29154, CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980521 ∗∗∗ A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2023-23477) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980519 ∗∗∗ Vulnerability in py library affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2022-42969] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980723 ∗∗∗ Vulnerability in cryptography affects IBM Cloud Pak for Data System 1.0(CPDS 1.0) [CVE-2023-0286] ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980351 ∗∗∗ A security vulnerability has been identified in WebSphere\u00ae Application Server shipped with IBM\u00ae Intelligent Operations Center (CVE-2023-26283) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980725 ∗∗∗ IBM Event Streams is affected by vulnerabilities in the jsonwebtoken package (CVE-2022-23529, CVE-2022-23539, CVE-2022-23540, CVE-2022-23541) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980727 ∗∗∗ IBM Event Streams is affected by vulnerabilities in Node.js (CVE-2022-25927 and CVE-2022-25881) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980735 ∗∗∗ IBM Event Streams is affected by a vulnerability in Apache Kafka (CVE-2023-25194) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980743 ∗∗∗ IBM Event Streams is vulnerable to a denial of service due to Redis (CVE-2023-25155) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980747 ∗∗∗ Multiple vulnerabilities have been identified in IBM HTTP Server used by IBM Rational ClearQuest ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980737 ∗∗∗ IBM Security Verify Governance is vulnerable to sensitive information exposure (CVE-2021-31403) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6956289 ∗∗∗ CVE-2022-41721 may affect IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980755 ∗∗∗ IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963075 ∗∗∗ IBM Security Guardium is affected by an AWS SDK vulnerability (CVE-2022-31159) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960215 ∗∗∗ IBM HTTP Server is vulnerable to HTTP request splitting due to the included Apache HTTP Server (CVE-2023-25690) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963650 ∗∗∗ IBM Security Guardium is affected by a denial of service vulnerability (CVE-2022-3171, CVE-2022-3510, CVE-2022-3509) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6963077 ∗∗∗ IBM Security Guardium is affected by remote code execution and sensitive information vulnerabilities (CVE-2022-31684, CVE-2022-41853) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6960211 ∗∗∗ There are several vulnerabilities in Bootstrap used by IBM Maximo Asset Management ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6980757 ∗∗∗ IBM Security Guardium is affected by a kernel vulnerability (CVE-2021-3715) ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/node/6828569 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.04.2023
by Daily end-of-shift report 03 Apr '23

03 Apr '23

===================== = End-of-Day report = ===================== Timeframe: Freitag 31-03-2023 18:00 − Montag 03-04-2023 18:00 Handler: Robert Waldner Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ New Money Message ransomware demands million dollar ransoms ∗∗∗ --------------------------------------------- A new ransomware gang named Money Message has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-money-message-ransomware… ∗∗∗ Hacken ist für alle: Die Austria Cyber Security Challenge startet ∗∗∗ --------------------------------------------- Der Hackerwettbewerb will heuer verstärkt Frauen für die IT-Security begeistern. --------------------------------------------- https://futurezone.at/digital-life/austria-cyber-security-challenge-acsc-be… ∗∗∗ With KEYPLUG, China’s RedGolf Spies On, Steals From Wide Field of Targets ∗∗∗ --------------------------------------------- The group remains highly active within a wide range of geographies and industry verticals, targeting aviation, automotive, education, government, media, information technology, and religious organizations. [..] Insikt Group has identified a wider cluster of KEYPLUG samples and infrastructure used by RedGolf from at least 2021 to 2023. (Anm.: das Paper enthält etliche beobachtenswerte IOCs). --------------------------------------------- https://go.recordedfuture.com/hubfs/reports/cta-2023-0330.pdf ∗∗∗ Angriffe auf hochriskante Sicherheitslücke in Wordpress-Plug-in Elementor Pro ∗∗∗ --------------------------------------------- Angreifer missbrauchen eine Sicherheitslücke im Wordpress-Plug-in Elementor Pro zum Einbrechen in Webseiten. Admins sollten die Updates umgehend installieren. --------------------------------------------- https://heise.de/-8384344 ∗∗∗ IT-Forscher: Mehr als 15 Millionen verwundbare Systeme offen im Netz ∗∗∗ --------------------------------------------- IT-Forscher haben den Known-Exploited-Vulnerabilities-Catalog der CISA mit der Datenbank Sh0dan abgeglichen und Millionen verwundbarer Systeme gefunden. --------------------------------------------- https://heise.de/-8511852 ∗∗∗ Jetzt updaten: Kritische Schwachstelle in Nextcloud ∗∗∗ --------------------------------------------- Eine als kritisch eingestufte Sicherheitslücke in der Kollaborationssoftware Nextcloud könnte Angreifern das Ausführen von Schadcode ermöglichen. --------------------------------------------- https://heise.de/-8515005 ∗∗∗ Microsoft OneNote Starts Blocking Dangerous File Extensions ∗∗∗ --------------------------------------------- Microsoft is boosting the security of OneNote users by blocking embedded files with extensions that are considered dangerous. --------------------------------------------- https://www.securityweek.com/microsoft-onenote-starts-blocking-dangerous-fi… ∗∗∗ Money Mule: Geldwäsche-Jobs über WhatsApp ∗∗∗ --------------------------------------------- Nehmen Sie sich vor betrügerischen Job-Angeboten auf WhatsApp in Acht. Kriminelle kontaktieren teils wahllos, teils gezielt Menschen auf Job-Suche über die bekannte Chat-Plattform. Ein Tageslohn von 50 bis 300 Euro täglich bei Arbeit aus dem Home-Office mag verlockend klingen. Doch Vorsicht: Sie werden hier zum Money Mule, helfen Kriminellen bei der Geldwäsche und machen sich womöglich selbst strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/money-mule-geldwaesche-jobs-ueber-wh… ∗∗∗ Malicious ISO File Leads to Domain Wide Ransomware ∗∗∗ --------------------------------------------- IcedID continues to deliver malspam emails to facilitate a compromise. This case covers the activity from a campaign in late September of 2022. --------------------------------------------- https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wid… ∗∗∗ Bi(n)gBang: Microsoft Azure-Schwachstelle ermöglicht Bing Search Hijacking und Office 365-Datenklau ∗∗∗ --------------------------------------------- Unschöne Geschichte, auf die alle gewartet haben, und die die Gefahren der Cloud aufzeigt. Microsoftsd Azure-Cloud-Dienste ermöglichten eine Fehlkonfigurierung, die dann eine Sicherheitslücke schuf. In der Folge konnten Angreifer potentiell Schadcode in die Suchergebnisseiten von Bing einschleusen, um diese zu [...] --------------------------------------------- https://www.borncity.com/blog/2023/03/30/bigbang-microsoft-azure-schwachste… ∗∗∗ Design-Schwäche im WiFi-Protokoll ermöglicht Angreifern das Abfangen des Netzwerkverkehrs ∗∗∗ --------------------------------------------- Noch ein kleiner Nachtrag von Ende März 2023. Sicherheitsforscher sind auf eine gravierende Design-Schwäche im IEEE 802.11 WiFi-Protokollstandards gestoßen. Diese Schwäche könnte es Angreifern ermöglichen, WLAN-Zugangspunkte abzuhören und Netzwerk-Frames im Klartext zu übermitteln. --------------------------------------------- https://www.borncity.com/blog/2023/04/02/design-schwche-im-wifi-protokoll-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in Aten PE8108 power distribution unit (CVE-2023-25413, CVE-2023-25415, CVE-2023-25407, CVE-2023-25409, CVE-2023-25414, CVE-2023-25411) ∗∗∗ --------------------------------------------- Pentagrid identified several vulnerabilities in the PE8108 rack power distribution unit (PDU) manufactured by Aten. [..] At the time of publication, the most recent firmware is version v2.4.232 from 2022-11-22 and there is no new firmware available via Atens website. --------------------------------------------- https://www.pentagrid.ch/en/blog/multiple-vulnerabilities-in-aten-PE8108-po… ∗∗∗ Nvidia schließt Sicherheitslücken in Treibern und Verwaltungssoftware ∗∗∗ --------------------------------------------- Nvidia hat zum Monatswechsel aktualisierte Treiber und Verwaltungssoftware veröffentlicht. Damit schließt der Hersteller teils hochriskante Sicherheitslecks. --------------------------------------------- https://heise.de/-8511759 ∗∗∗ Geräteverwaltung HCL Bigfix dichtet DoS-Lücke ab ∗∗∗ --------------------------------------------- Die Geräteverwaltungssoftware HCL Bigfix enthält eine Schwachstelle, die Angreifern das Lahmlegen der Software auf Endpoints ermöglicht. --------------------------------------------- https://heise.de/-8514805 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (duktape, firmware-nonfree, intel-microcode, svgpp, and systemd), Fedora (amanda, dino, flatpak, golang, libldb, netconsd, samba, tigervnc, and vim), Red Hat (nodejs:14), Slackware (ruby and seamonkey), SUSE (drbd, flatpak, glibc, grub2, ImageMagick, kernel, runc, thunderbird, and xwayland), and Ubuntu (amanda). --------------------------------------------- https://lwn.net/Articles/928204/ ∗∗∗ Multiple Vulnerabilities in the Autodesk® FBX® SDK software ∗∗∗ --------------------------------------------- Applications and services utilizing the Autodesk® FBX® SDK software have been affected by an Out-Of-Bounds Write and Stack Buffer Overflow vulnerabilities. Exploitation of these vulnerabilities may lead to information disclosure, code execution and/or denial-of-service. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0004 ∗∗∗ Vulnerabilities for Autodesk® Maya® USD plugin ∗∗∗ --------------------------------------------- USD (Universal Scene Description) plugin for Autodesk® Maya® has been affected by a file uninitialized variable, out-of-bounds read, and out-of-bounds write vulnerabilities. --------------------------------------------- https://www.autodesk.com/trust/security-advisories/adsk-sa-2023-0003 ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerability in ADMesh library ∗∗∗ --------------------------------------------- https://blog.talosintelligence.com/vulnerability-spotlight-buffer-overflow-… ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/support/pages/bulletin/ ∗∗∗ HAProxy vulnerable to HTTP request/response smuggling ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN38170084/ ∗∗∗ Multiple vulnerabilities in Seiko Solutions SkyBridge MB-A100/A110/A200/A130 SkySpider MB-R210 ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN40604023/ ∗∗∗ Cisco Identity Services Engine Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Identity Services Engine Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ Cisco Secure Web Appliance Content Encoding Filter Bypass Vulnerabilities ∗∗∗ --------------------------------------------- https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdviso… ∗∗∗ ZDI-23-348: Bentley View SKP File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-348/ ∗∗∗ ZDI-23-347: Bentley View SKP File Parsing Use-After-Free Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-347/ ∗∗∗ ZDI-23-346: Bentley View SKP File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-346/ ∗∗∗ ZDI-23-345: Bentley View FBX File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-345/ ∗∗∗ ZDI-23-344: Bentley View FBX File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://www.zerodayinitiative.com/advisories/ZDI-23-344/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily