- Daily - CERT.at

Tageszusammenfassung - 12.09.2022
by Daily end-of-shift report 12 Sep '22

12 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 09-09-2022 18:00 − Montag 12-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Krypto-Malware Shikitega überlistet den herkömmlichen Linux-Schutz ∗∗∗ --------------------------------------------- AT&T Alien Labs hat eine Analyse zur neuen Linux-Malware Shikitega veröffentlicht. Der Schädling verschafft sich Root-Zugriff, seine Entdeckung ist schwierig. --------------------------------------------- https://heise.de/-7260803 ∗∗∗ Bericht: Um nicht erwischt zu werden, verschlüsselt Ransomware Daten partiell ∗∗∗ --------------------------------------------- Sicherheitsforscher beobachten bei Erpressungstrojanern einen Trend zur schnelleren Verschlüsselung. --------------------------------------------- https://heise.de/-7261001 ∗∗∗ SMS von der Post? Klicken Sie nicht auf den Link! ∗∗∗ --------------------------------------------- „Die Zustellung Ihres letzten Pakets hat sich aufgrund zusätzlicher Zollgebühren verzögert“ lautet eine SMS-Benachrichtigung von der Post. Im SMS ist ein Link, den Sie anklicken sollten, um das Problem zu lösen. Wir raten zur Vorsicht: Diese Nachricht ist nicht von der Post. Wer auf den Link klickt, tappt in eine Internetfalle! --------------------------------------------- https://www.watchlist-internet.at/news/sms-von-der-post-klicken-sie-nicht-a… ∗∗∗ SharkBot-Trojaner im Play Store – Risiko "Antivirus-Apps" ∗∗∗ --------------------------------------------- Im Google Play Store ist erneut der Banking-Trojaner SharkBot aufgetaucht und hat sich als Antiviren- und Cleaner-App getarnt. Sicherheitsforscher von CyberNews schreiben: Android-Nutzer sollten es sich zweimal überlegen, bevor sie kostenlose Apps zur Reinigung ihres Mobiltelefons und zum "Schutz" vor Viren herunterladen - denn viele von ihnen enthalten Daten-Tracker und einige scheinen sogar Links zu potenziell bösartigen Domains zu beinhalten. --------------------------------------------- https://www.borncity.com/blog/2022/09/12/sharkbot-trojaner-im-play-store-ri… ∗∗∗ Maldoc With Decoy BASE64, (Fri, Sep 9th) ∗∗∗ --------------------------------------------- There is also a video for this analysis: "Maldoc Analysis: Rehearsed vs. Unrehearsed". I analysed this maldoc. It contains an old exploit for the equation editor. Nothing special. And it's easy to analyze. But there is one more thing: it contains a very long BASE64 string, 800,000+ characters, and it turns out to be a decoy. --------------------------------------------- https://isc.sans.edu/diary/rss/29032 ∗∗∗ WMI Internals Part 3 ∗∗∗ --------------------------------------------- In a previous blog post of mine — WMI Internals Part 2: Reversing a WMI Provider I walked through how the WMI architecture is foundationally built upon COM and in turn how WMI classes can end up invoking COM methods to perform actions. I used the PS_ScheduledTask WMI class as an example and how when an instance of this class is created the COM method ITaskServices:NewTask is invoked. This blog will take this process a step further and look at what happens after the COM method ITaskServices:NewTask. --------------------------------------------- https://posts.specterops.io/wmi-internals-part-3-38e5dad016be?source=rss---… ∗∗∗ Dead or Alive? An Emotet Story ∗∗∗ --------------------------------------------- In this intrusion from May 2022, we observed a domain-wide compromise that started from a malware ridden Excel document containing the never-dying malware, Emotet. The post-exploitation started very soon after [...] --------------------------------------------- https://thedfirreport.com/2022/09/12/dead-or-alive-an-emotet-story/ ∗∗∗ Ransomware attacks on retail increase, average retail payment grows to more than $200K ∗∗∗ --------------------------------------------- More than 300 organizations in the retail industry said they were hit with ransomware attacks in 2021, according to a survey conducted by security company Sophos. Sophos researchers spoke to 422 IT workers at mid-sized organizations in the retail sector across 31 countries, finding startling increases in the number of respondents who said their organizations [...] --------------------------------------------- https://therecord.media/ransomware-attacks-on-retail-increase-average-retai… ∗∗∗ Security Breaks: TeamTNT’s DockerHub Credentials Leak ∗∗∗ --------------------------------------------- One of our honeypots based on exposed Docker REST APIs showed cybercriminal group TeamTNT’s potential attack scenario and leak of container registry credentials for docker-abuse malware. The full version of this research will be presented at the c0c0n XV Hacking and Cyber Security Conference in September 2022. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/security-breaks-teamtnts-doc… ===================== = Vulnerabilities = ===================== ∗∗∗ Firmware bugs in many HP computer models left unfixed for over a year ∗∗∗ --------------------------------------------- A set of six high-severity firmware vulnerabilities impacting a broad range of HP devices used in enterprise environments are still waiting to be patched, although some of them were publicly disclosed since July 2021. --------------------------------------------- https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-com… ∗∗∗ Patchday: Ansatzpunkte für Angreifer in Android 10, 11 und 12 geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten sich auf Android-Geräten weitreichende Nutzerrechte erschleichen. In Googles Pixel-Serie wurden kritische Lücken ausgebessert. --------------------------------------------- https://heise.de/-7260572 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gdk-pixbuf, libxslt, linux-5.10, paramiko, and zlib), Fedora (webkit2gtk3), Mageia (gstreamer1.0-plugins-good, jupyter-notebook, kernel, and rpm), Slackware (vim), SUSE (bluez, clamav, freetype2, frr, gdk-pixbuf, keepalived, libyang, nodejs16, python-PyYAML, qpdf, samba, and vim), and Ubuntu (linux-azure-fde and tiff). --------------------------------------------- https://lwn.net/Articles/907770/ ∗∗∗ Critical KEPServerEX Flaws Can Put Attackers in Powerful Position in OT Networks ∗∗∗ --------------------------------------------- Critical KEPServerEX vulnerabilities that impact the products of several major industrial automation vendors can put attackers in a powerful position in OT networks.read more --------------------------------------------- https://www.securityweek.com/critical-kepserverex-flaws-can-put-attackers-p… ∗∗∗ Octopus Deploy: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Octopus Deploy ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1376 ∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1375 ∗∗∗ Jenkins: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Jenkins ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1373 ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities in WebSphere Liberty affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: qs (QueryString) package in the Service Portal of IBM Control Desk is vulnerable (CVE-2014-7191 and CVE-2017-1000048) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-qs-querystring-package-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.09.2022
by Daily end-of-shift report 09 Sep '22

09 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 08-09-2022 18:00 − Freitag 09-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Bumblebee malware adds post-exploitation tool for stealthy infections ∗∗∗ --------------------------------------------- A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. --------------------------------------------- https://www.bleepingcomputer.com/news/security/bumblebee-malware-adds-post-… ∗∗∗ GIFShell attack creates reverse shell using Microsoft Teams GIFs ∗∗∗ --------------------------------------------- A new attack technique called GIFShell allows threat actors to abuse Microsoft Teams for novel phishing attacks and covertly executing commands to steal data using ... GIFs. --------------------------------------------- https://www.bleepingcomputer.com/news/security/gifshell-attack-creates-reve… ∗∗∗ What Is Clickjacking and How Do I Prevent It? ∗∗∗ --------------------------------------------- There are a plethora of techniques that attackers use to redirect site visitors and harvest sensitive information on compromised websites. But when most webmasters think about securing their website, they often don’t think about how attackers can inject clicks on it from another site. --------------------------------------------- https://blog.sucuri.net/2022/09/what-is-clickjacking-and-how-do-i-prevent-i… ∗∗∗ Credential Gathering From Third-Party Software ∗∗∗ --------------------------------------------- Users often store passwords in third-party software for convenience – but credential gathering techniques can target this behavior. --------------------------------------------- https://unit42.paloaltonetworks.com/credential-gathering-third-party-softwa… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Exploit Zero-Day in WordPress BackupBuddy Plugin in ~5 Million Attempts ∗∗∗ --------------------------------------------- A zero-day flaw in a WordPress plugin called BackupBuddy is being actively exploited, WordPress security company Wordfence has disclosed. "This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it said. --------------------------------------------- https://thehackernews.com/2022/09/hackers-exploit-zero-day-in-wordpress.html ∗∗∗ Sicherheitslücke in vorinstalliertem Tool HP Support Assistant geschlossen ∗∗∗ --------------------------------------------- HP Support Assistant ist standardmäßig auf HP-Computern installiert. Eine Schwachstelle gefährdet nun Systeme. --------------------------------------------- https://heise.de/-7258790 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mediawiki), SUSE (libEMF, libnl-1_1, libnl3, mariadb, nodejs16, php8-pear, postgresql12, and rubygem-rake), and Ubuntu (linux-raspi, linux-raspi-5.4, and tiff). --------------------------------------------- https://lwn.net/Articles/907573/ ∗∗∗ CISA Adds Twelve Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added twelve new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/09/08/cisa-adds-twelve-… ∗∗∗ Security Bulletin: Multiple vulnerabilities have been identified in Oracle April 2022 CPU for Java 8 shipped with IBM® Intelligent Operations Center(CVE-2022-21496, CVE-2022-21434, CVE-2022-21443) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability foud in IBM Installation Manager which is shipped with IBM® Intelligent Operations Center(CVE-2021-36374) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-foud-in-i… ∗∗∗ Security Bulletin: A vulnerability have been identified in Java 8 shipped with IBM® Intelligent Operations Center (CVE-2021-35561) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulneraqbility in Zlib affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-zlib-… ∗∗∗ Security Bulletin: A vulnerability foud in IBM Installation Manager which is shipped with IBM® Intelligent Operations Center(CVE-2021-36373) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-foud-in-i… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for i5/OS is vulnerable to denial of service due to Zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities found in IBM DB2 which is shipped with IBM® Intelligent Operations Center(CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability found in Apache HttpClient which is shipped with IBM® Intelligent Operations Center (CVE-2020-13956) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-found-in-… ∗∗∗ Security Bulletin: XML vulnerability found in IBM Java 8.0 which is shipped with IBM® Intelligent Operations Center (CVE-2022-21299) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xml-vulnerability-found-i… ∗∗∗ Security Bulletin: A vulnerability found in XMLBeans which hipped with IBM® Intelligent Operations Center (CVE-2021-23926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-found-in-… ∗∗∗ Security Bulletin: Multiple vulnerabilities found in IBM MQ and Java 8 which is shipped with IBM® Intelligent Operations Center(CVE-2021-2388, CVE-2021-2369, CVE-2021-2432) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability have been identified in IBM Java 8 shipped with IBM® Intelligent Operations Center (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-have-been… ∗∗∗ Security Bulletin: A vulneraqbility in Zlib affects IBM Tivoli Composite Application Manager for Transactions Response Time agents (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-zlib-… ∗∗∗ Security Bulletin: A vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM® Intelligent Operations Center (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerabilities-have-be… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.09.2022
by Daily end-of-shift report 08 Sep '22

08 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 07-09-2022 18:00 − Donnerstag 08-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ RAID-Manager von Hitachi könnte Ansatzpunkt für Schadcode-Attacken sein ∗∗∗ --------------------------------------------- Für einige Versionen von Hitachi RAID Manager SRA sind Sicherheitsupdates erschienen. Für einige Ausgaben gibt es jedoch keinen Support mehr. --------------------------------------------- https://heise.de/-7257664 ∗∗∗ Threat landscape for industrial automation systems for H1 2022 ∗∗∗ --------------------------------------------- This report is based on an analysis of statistical data collected through the Kaspersky Security Network (KSN), a distributed antivirus network. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-f… ∗∗∗ Profiling DEV-0270: PHOSPHORUS’ ransomware operations ∗∗∗ --------------------------------------------- Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. --------------------------------------------- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosp… ∗∗∗ Analyzing Obfuscated VBS with CyberChef, (Thu, Sep 8th) ∗∗∗ --------------------------------------------- I took a closer look at this sample on MalwareBazaar, because it had no tags (now it has a VBS tag). --------------------------------------------- https://isc.sans.edu/diary/rss/29028 ∗∗∗ HTTPS-Zertifikate: Die Rückkehr der Sperrlisten ∗∗∗ --------------------------------------------- Zukünftig soll es endlich wieder möglich sein, kompromittierte Zertifikate einfach zu sperren. Apple und Mozilla preschen vor und Lets Encrypt zieht mit. --------------------------------------------- https://heise.de/-7257554 ∗∗∗ Tensel-markt.de ist Fake! ∗∗∗ --------------------------------------------- Vorsicht vor Fake-Elektronik und Technik-Shops! Tensel-markt.de, gohlke-shop.de und Techno-max.de locken mit ihrem professionellen Design zahlreiche Konsument:innen in die Falle. Bestellen Sie nicht bei diesen Shops, Sie verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/tensel-marktde-ist-fake/ ∗∗∗ Lazarus and the tale of three RATs ∗∗∗ --------------------------------------------- Cisco Talos has been tracking a new campaign operated by the Lazarus APT group, attributed to North Korea by the United States government. This campaign involved the exploitation of vulnerabilities in VMWare Horizon to gain an initial foothold into targeted organizations. --------------------------------------------- http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html ∗∗∗ How Malicious Actors Abuse Native Linux Tools in Attacks ∗∗∗ --------------------------------------------- Through our honeypots and telemetry, we were able to observe instances in which malicious actors abused native Linux tools to launch attacks on Linux environments. In this blog entry, we discuss how these utilities were used and provide recommendations on how to minimize their impact. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-n… ===================== = Vulnerabilities = ===================== ∗∗∗ HP fixes severe bug in pre-installed Support Assistant tool ∗∗∗ --------------------------------------------- HP issued a security advisory alerting users about a newly discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP laptops and desktop computers, including the Omen sub-brand. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-i… ∗∗∗ Cisco Security Advisories 2022-09-07 ∗∗∗ --------------------------------------------- Cisco published 4 security advisories (2 high, 2 medium severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ VPN-Lücke in älteren Cisco-Routern wird nicht mehr geschlossen ∗∗∗ --------------------------------------------- Für einige Cisco-Router ist der Support ausgelaufen. Es gibt wichtige Sicherheitsupdates für unter anderem Webex. --------------------------------------------- https://heise.de/-7257206 ∗∗∗ IBM Security Bulletins 2022-09-07 ∗∗∗ --------------------------------------------- IBM Java 8, IBM Aspera Faspex, IBM WebSphere Application Server, IBM WebSphere Application Server Liberty, Enterprise Content Management System Monitor, IBM DB2, IBM Semeru Runtime, IBM Robotic Process Automation for Cloud Pak, IBM Intelligent Operations Center --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libgoogle-gson-java), Fedora (autotrace, insight, and open-vm-tools), Oracle (open-vm-tools), Red Hat (open-vm-tools, openvswitch2.13, openvswitch2.15, openvswitch2.16, openvswitch2.17, ovirt-host, and rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon), Scientific Linux (open-vm-tools), Slackware (python3), SUSE (clamav, gdk-pixbuf, gpg2, icu, ImageMagick, java-1_8_0-ibm, libyajl, mariadb, udisks2, webkit2gtk3, and yast2-samba-provision), and Ubuntu (dnsmasq). --------------------------------------------- https://lwn.net/Articles/907508/ ∗∗∗ Nagios Enterprises Nagios XI: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Nagios Enterprises Nagios XI ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Daten zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1338 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1335 ∗∗∗ Drupal: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Drupal ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1341 ∗∗∗ Aruba ClearPass Policy Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Aruba ClearPass Policy Manager ausnutzen, um Daten zu manipulieren oder offenzulegen, seine Rechte zu erweitern, Code auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1340 ∗∗∗ MZ Automation libIEC61850 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-251-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.09.2022
by Daily end-of-shift report 07 Sep '22

07 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 06-09-2022 18:00 − Mittwoch 07-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ So schützen Sie sich vor Schadsoftware! ∗∗∗ --------------------------------------------- Auf dubiosen Websites, in betrügerischen E-Mails, in scheinbar harmlosen Chat-Nachrichten oder durch Sicherheitslücken in nicht aktualisierten Programmen: Schadsoftware kann auf unterschiedlichen Wegen auf Ihren Computer gelangen, um dort beispielsweise sensible Daten auszulesen und zu stehlen oder gar ganze Systeme lahmzulegen. --------------------------------------------- https://www.watchlist-internet.at/news/so-schuetzen-sie-sich-vor-schadsoftw… ∗∗∗ Worok: The big picture ∗∗∗ --------------------------------------------- Focused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files. --------------------------------------------- https://www.welivesecurity.com/2022/09/06/worok-big-picture/ ∗∗∗ Wie Cyberkriminelle USB missbrauchen ∗∗∗ --------------------------------------------- Den Fluch des Universal Serial Bus (USB) und die Attraktion für Cyberkriminelle untersucht Andrew Rose, Resident CISO, EMEA bei Proofpoint, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88403293/wie-cyberkriminelle-usb-missbrauchen/?utm_sou… ∗∗∗ AA22-249A: #StopRansomware: Vice Society ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-249a ∗∗∗ Multiple ransomware data leak sites experience DDoS attacks, facing intermittent outages and connectivity issues ∗∗∗ --------------------------------------------- Since Aug. 20, 2022, Cisco Talos has been monitoring suspected distributed denial-of-service (DDoS) attacks resulting in intermittent downtime and outages affecting several ransomware-as-a-service (RaaS) data leak sites. --------------------------------------------- http://blog.talosintelligence.com/2022/09/ransomware-leaksite-ddos.html ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-09-06 ∗∗∗ --------------------------------------------- IBM Elastic Storage System, IBM Planning Analytics Workspace, IBM Rational Asset analyzer, IBM App Connect Enterprise, IBM Integration Bus, IBM WebSphere Application Server Liberty, IBM Sterling Connect, IBM Spectrum Scale, IBM SPSS Analytic Server, IBM Business Automation Workflow. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Auf NAS-Systeme von Zyxel könnte Schadcode gelangen ∗∗∗ --------------------------------------------- Aktualisierte Firmware-Versionen schließen eine kritische Sicherheitslücke in mehreren NAS-Modellen des Herstellers Zyxel. --------------------------------------------- https://heise.de/-7255585 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (curl, protobuf-c, and vim) and SUSE (gimp, java-1_8_0-openj9, libostree, openvswitch, python-bottle, python-Flask-Security-Too, and zabbix). --------------------------------------------- https://lwn.net/Articles/907382/ ∗∗∗ K12055286: Intel CPU vulnerability CVE-2021-33060 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12055286 ∗∗∗ Helmholz: Multiple vulnerabilites in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-039/ ∗∗∗ Helmholz: Unauthenticated user enumeration in myREX24 and myREX24.virtual ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-017/ ∗∗∗ MB connect line: Unauthenticated user enumeration in mbCONNECT24 and mymbCONNECT24 ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-011/ ∗∗∗ [R1] Stand-alone Security Patch Available for Tenable.sc versions 5.19.0 to 5.21.0: Patch SC-202209.1 ∗∗∗ --------------------------------------------- https://www.tenable.com/security/tns-2022-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.09.2022
by Daily end-of-shift report 06 Sep '22

06 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Montag 05-09-2022 18:00 − Dienstag 06-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New EvilProxy service lets all hackers use advanced phishing tactics ∗∗∗ --------------------------------------------- A reverse-proxy Phishing-as-a-Service (PaaS) platform called EvilProxy has emerged, promising to steal authentication tokens to bypass multi-factor authentication (MFA) on Apple, Google, Facebook, Microsoft, Twitter, GitHub, GoDaddy, and even PyPI. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-evilproxy-service-lets-a… ∗∗∗ Mythic Case Study: Assessing Common Offensive Security Tools ∗∗∗ --------------------------------------------- Having covered the Sliver C2 framework in a previous post (May 2022), this blog will continue our examination of Cobalt Strike “alternatives”, focusing on the Mythic C2 framework. --------------------------------------------- https://team-cymru.com/blog/2022/09/06/mythic-case-study-assessing-common-o… ∗∗∗ Analysis of an Encoded Cobalt Strike Beacon, (Tue, Sep 6th) ∗∗∗ --------------------------------------------- Someone reached out to me for the analysis of a Cobalt Strike beacon. This is the sample. --------------------------------------------- https://isc.sans.edu/diary/rss/29014 ∗∗∗ TA505 Groups TeslaGun In-Depth Analysis ∗∗∗ --------------------------------------------- TA505 is a financially motivated threat group that has been active since 2014. The group frequently changes its malware attack strategies in response to global cybercrime trends. It opportunistically adopts new technologies in order to gain leverage over victims before the wider cybersecurity industry catches on. --------------------------------------------- https://www.prodaft.com/resource/detail/ta505-ta505-groups-tesla-gun-depth-… ∗∗∗ Vorsicht vor gefälschten PayPal-Nachrichten ∗∗∗ --------------------------------------------- Gefälschte PayPal-Nachrichten befinden sich momentan vermehrt im Umlauf. Sie haben eine angebliche Rechnung von PayPal erhalten, über ein Produkt, das Sie nicht bestellt haben? Oder es wird eine Vorabzahlung für eine angebliche Transaktion gefordert? Ignorieren Sie diese Nachrichten, sie sind Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-paypal-nac… ∗∗∗ Mirai Variant MooBot Targeting D-Link Devices ∗∗∗ --------------------------------------------- Attackers are leveraging known vulnerabilities in D-Link devices to deliver MooBot, a Mirai variant, potentially leading to further DDoS attacks. --------------------------------------------- https://unit42.paloaltonetworks.com/moobot-d-link-devices/ ∗∗∗ Shikitega - New stealthy malware targeting Linux ∗∗∗ --------------------------------------------- Alien Labs has discovered a new malware targeting endpoints and IoT devices that are running Linux operating systems. Shikitega is delivered in a multistage infection chain where each module responds to a part of the payload and downloads and executes the next one. An attacker can gain full control of the system, in addition to the cryptocurrency miner that will be executed and set to persist. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/shikitega-new-stealthy-ma… ∗∗∗ Over Half of Global Firms Supply Chains Compromised by Ransomware ∗∗∗ --------------------------------------------- Cybersecurity leader Trend Micro announced new research today that reveals global organizations are increasingly at risk of ransomware compromise via their extensive supply chains. --------------------------------------------- https://newsroom.trendmicro.com/2022-09-06-Over-Half-of-Global-Firms-Supply… ∗∗∗ Play Ransomwares Attack Playbook Similar to that of Hive, Nokoyawa ∗∗∗ --------------------------------------------- Play is a new ransomware that takes a page out of Hive and Nokoyawas playbook. The many similarities among them indicate that Play, like Nokoyawa, are operated by the same people. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-pla… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortinet Security Advisories 2022-09-06 ∗∗∗ --------------------------------------------- On Sep 06, 2022, Fortinet has released 12 advisories for issues resolved in Fortinet products. (Severity: Low (2), Medium (9), High (1)) --------------------------------------------- https://fortiguard.fortinet.com/psirt?date=09-2022 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Red Hat (pcs), SUSE (389-ds and firefox), and Ubuntu (linux-hwe-5.4 and linux-oracle). --------------------------------------------- https://lwn.net/Articles/907275/ ∗∗∗ Hitachi Storage: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein Angreifer kann mehrere Schwachstellen in Hitachi Storage ausnutzen, um Informationen offenzulegen und beliebigen Code zur Ausführung zu bringen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1292 ∗∗∗ Hitachi Energy TXpert Hub CoreTec 4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-04 ∗∗∗ Triangle Microworks Libraries ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-01 ∗∗∗ AVEVA Edge 2020 R2 SP1 and all prior versions ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-02 ∗∗∗ Cognex 3D-A1000 Dimensioning System ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-249-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.09.2022
by Daily end-of-shift report 05 Sep '22

05 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 02-09-2022 18:00 − Montag 05-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware dev open-sources CodeRAT after being exposed ∗∗∗ --------------------------------------------- The source code of a remote access trojan (RAT) dubbed CodeRAT has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-cod… ∗∗∗ Quickie: Grep & Tail -f With Notepad++, (Mon, Sep 5th) ∗∗∗ --------------------------------------------- Notepad++ is a free and open source text editor for Windows. You can simulate grep-like functionality with Notepad++ in 2 steps. --------------------------------------------- https://isc.sans.edu/diary/rss/29018 ∗∗∗ Prynt Stealer Contains a Backdoor to Steal Victims Data Stolen by Other Cybercriminals ∗∗∗ --------------------------------------------- Researchers discovered a private Telegram channel-based backdoor in the information stealing malware, dubbed Prynt Stealer, which its developer added with the intention of secretly stealing a copy of victims exfiltrated data when used by other cybercriminals. --------------------------------------------- https://thehackernews.com/2022/09/prynt-stealer-contains-backdoor-to.html ∗∗∗ Win32/Hive.ZY: Update stoppt Fehlalarmserie von Microsoft Defender unter Windows ∗∗∗ --------------------------------------------- Die Windows-Virenabwehr Defender hat fälschlicherweise Chrome, Edge & Co. als Trojaner eingestuft. --------------------------------------------- https://heise.de/-7253919 ∗∗∗ Ransomware: Der Trend geht zum Angriff auf Linux-Server ∗∗∗ --------------------------------------------- Trend Micro sieht im ersten Halbjahr 2022 ein Wachstum bei Ransomware-Angriffen. Linux-Umgebungen sind 75 Prozent häufiger ein Ziel als im Vorjahreszeitraum. --------------------------------------------- https://heise.de/-7254059 ∗∗∗ There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities ∗∗∗ --------------------------------------------- As part of this research, NCC Group focused on the secure boot chain implemented by UNISOC processors used in Android phones and tablets. Several vulnerabilities in the Boot ROM were discovered which could persistently undermine secure boot. --------------------------------------------- https://research.nccgroup.com/2022/09/02/theres-another-hole-in-your-soc-un… ∗∗∗ Was tun, wenn mein Gerät mit Schadsoftware infiziert wurde? ∗∗∗ --------------------------------------------- Schadsoftware (auch Malware) kann viele Formen annehmen und mit unterschiedlichen Bedrohungen für Sie und Ihr Gerät einhergehen. Schäden, die dabei entstehen können, bewegen sich vom Datendiebstahl, über das Zuspammen mit Werbung bis hin zu Lösegeldforderungen. --------------------------------------------- https://www.watchlist-internet.at/news/was-tun-wenn-mein-geraet-mit-schadso… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Google warnt vor möglichen Attacken auf Chrome ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt eine Lücke im Webbrowser Chrome. --------------------------------------------- https://heise.de/-7253510 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (flac, ghostscript, libmodbus, qemu, rails, ruby-rack, and thunderbird), Fedora (kernel, kernel-headers, kernel-tools, libtar, qt5-qtwebengine, subscription-manager-cockpit, tcpreplay, and vim), Mageia (chromium-browser-stable, webkit2, and ytnef), SUSE (curl, firefox, freerdp, gdk-pixbuf, ImageMagick, json-c, libgda, php-composer2, and python-pyxdg), and Ubuntu (libzstd, linux-aws, linux-aws-5.4, linux-azure-5.4, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/907201/ ∗∗∗ DeadBolt Ransomware ∗∗∗ --------------------------------------------- QNAP detected a new DeadBolt ransomware campaign on the morning of September 3rd, 2022 (GMT+8). --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-24 ∗∗∗ Security Bulletin: DataStage on Cloud Pak for Data Is Vulnerable to Sensitive Information Disclosure Error (CVE-2022-38714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datastage-on-cloud-pak-fo… ∗∗∗ Security Bulletin: Information Disclosure and Denial of Service Vulnerabilities in the IBM Spectrum Protect Backup-Archive Client may affect IBM Spectrum Protect for Space Management (CVE-2022-22478, CVE-2022-22474) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-an… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for August 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Prototype pollution vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – [CVE-2021-23450] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-prototype-pollution-vulne… ∗∗∗ Security Bulletin: Persistent Cross-Site scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-35644 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-persistent-cross-site-scr… ∗∗∗ OTRS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1286 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.09.2022
by Daily end-of-shift report 02 Sep '22

02 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 01-09-2022 18:00 − Freitag 02-09-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft will disable Exchange Online basic auth next month ∗∗∗ --------------------------------------------- Microsoft warned customers today that it will finally disable basic authentication in random tenants worldwide to improve Exchange Online security starting October 1, 2022. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-exch… ∗∗∗ Sharkbot is back in Google Play ∗∗∗ --------------------------------------------- This new dropper doesn’t rely Accessibility permissions to automatically perform the installation of the dropper Sharkbot malware. Instead, this new version ask the victim to install the malware as a fake update for the antivirus to stay protected against threats. --------------------------------------------- https://blog.fox-it.com/2022/09/02/sharkbot-is-back-in-google-play/ ∗∗∗ NSA gibt Sicherheitstipps gegen Supply-Chain-Attacken ∗∗∗ --------------------------------------------- Die Cybersecurity and Infrastructure Agency (CISA), die National Security Agency (NSA) und das Office of the Director of National Intelligence (ODNI) haben wichtige Tipps zum Entwickeln von sicherer Software veröffentlicht. --------------------------------------------- https://heise.de/-7251765 ∗∗∗ Unverschlüsselte Access Tokens: Sicherheitslücke in tausenden Apps ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen vor unverschlüsselten Access Tokens in Apps. Oft holen sich Entwickler Probleme ungewollt ins Haus. Besonders betroffen: iOS-Apps. --------------------------------------------- https://heise.de/-7252134 ∗∗∗ When disclosure goes wrong. People ∗∗∗ --------------------------------------------- My experience of vulnerability disclosure is that it is rarely as easy or simple as it could be. I had hoped that bug bounty programmes and vulnerability disclosure programmes (VDPs) would help matters. Broadly that doesn’t seem to be the case, often for unexpected reasons. --------------------------------------------- https://www.pentestpartners.com/security-blog/when-disclosure-goes-wrong-pe… ∗∗∗ Ransomware auf IoT: Anderer Sicherheitsansatz bei IoT-Geräten erforderlich ∗∗∗ --------------------------------------------- Wir haben uns vermutlich an die täglichen Ransomware-Angriffe auf IT-Systeme gewöhnt. Aber mit der Zunahme von IoT-Geräten droht eine wachsende Gefahr für solche Sicherheitsvorfälle. CheckPoint meint, dass IoT-Geräte einen anderen Sicherheitsansatz brauchen, um dieser Gefahr (z.B. Infektionen durch Ransomware) zu begegnen. --------------------------------------------- https://www.borncity.com/blog/2022/09/02/ransomware-auf-iot-anderer-sicherh… ∗∗∗ Architecting for Extortion: Acting on the IST’s Blueprint for Ransomware Defense ∗∗∗ --------------------------------------------- Last month, the Institute for Security and Technology’s Ransomware Task Force launched the Blueprint for Ransomware Defense. --------------------------------------------- https://www.rapid7.com/blog/post/2022/09/02/architecting-for-extortion-acti… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox, rsync, systemd, and thunderbird), Debian (chromium, dpdk, and sofia-sip), Fedora (kernel, thunderbird, and zlib), Red Hat (pcs and rh-mariadb103-galera and rh-mariadb103-mariadb), Slackware (poppler), SUSE (cifs-utils, curl, dwarves and elfutils, firefox, flatpak, gnutls, gpg2, harfbuzz, ignition, kernel, ldb, samba, libslirp, libsolv, libzypp, zypper, libtirpc, logrotate, mozilla-nss, ncurses, open-vm-tools, openssl-1_1, p11-kit, pcre, pcre2, podman, postgresql12, postgresql13, postgresql14, python-M2Crypto, python3, rsync, salt, spice, systemd-presets-common-SUSE, tiff, ucode-intel, xen, and zlib), and Ubuntu (curl, linux, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-gkeop, linux-ibm, linux-kvm, linux-lowlatency, linux, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-snapdragon, linux-aws, linux-azure, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, and linux-aws-hwe). --------------------------------------------- https://lwn.net/Articles/906973/ ∗∗∗ NetApp ActiveIQ Unified Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in NetApp ActiveIQ Unified Manager ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Sicherheitsvorkehrungen zu umgehen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1263 ∗∗∗ Security Bulletin: Vulnerability in IBM® Java SDK affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty due to July 2022 CPU plus deferred CVE-2021-2163 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, GnuTLS affect IBM Cloud Object Storage Systems (August 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.09.2022
by Daily end-of-shift report 01 Sep '22

01 Sep '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 31-08-2022 18:00 − Donnerstag 01-09-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Apple backports fix for actively exploited iOS zero-day to older iPhones ∗∗∗ --------------------------------------------- Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices. --------------------------------------------- https://www.bleepingcomputer.com/news/apple/apple-backports-fix-for-activel… ∗∗∗ Underscores and DNS: The Privacy Story, (Wed, Aug 31st) ∗∗∗ --------------------------------------------- The use of underscores in DNS records can easily trigger DNS purists into a rage. Since the beginning of (DNS) time, only the letters a-z, numbers, and dashes are allowed in DNS labels (RFC 1035 section 2.3.1). After all, we want to remain compatible with ARPANET. --------------------------------------------- https://isc.sans.edu/diary/rss/29002 ∗∗∗ Jolokia Scans: Possible Hunt for Vulnerable Apache Geode Servers (CVE-2022-37021), (Thu, Sep 1st) ∗∗∗ --------------------------------------------- On Tuesday, the Apache project released an update for Geode. The update patches a typical deserialization issue we often see in Java software like Geode (CVE-2022-37021). [...] But the vulnerability has a few dependencies: [...] JMX and RMI are used for the attack. [...] And here comes Jolokia. "JMX on Capsaicin," as it calls itself. It provides a simple HTTP to JMX gateway. So it is somewhat interesting that I also saw some scans for Jol[o]kia starting yesterday. --------------------------------------------- https://isc.sans.edu/diary/rss/29006 ∗∗∗ Authority-Scam: Neue Welle von Fake-Mails der Polizei ∗∗∗ --------------------------------------------- Kriminelle geben dem Authority-Scam einen neuen Anstrich: Momentan befinden sich wieder viele gefälschte E-Mails der Polizei im Umlauf. Die Empfänger:innen werden beschuldigt eine Straftat begangen zu haben. Die Anschuldigungen umfassen Pädophilie, Cyberpornographie und Exhibitionismus. Antworten Sie nicht und ignorieren Sie das Schreiben, es ist Fake! --------------------------------------------- https://www.watchlist-internet.at/news/authority-scam-neue-welle-von-fake-m… ∗∗∗ Over 900K Kubernetes clusters are misconfigured! Is your cluster a target? ∗∗∗ --------------------------------------------- Kubernetes is an amazing platform for managing containers at scale. However, a recent study found that over 900,000 Kubernetes clusters are vulnerable to attack because they are misconfigured! This means that your Kubernetes cluster could be a target for malicious actors if it is not properly secured. In this blog post, we will discuss how to secure your Kubernetes cluster and protect it from attack. --------------------------------------------- https://grahamcluley.com/feed-sponsor-teleport-4/ ∗∗∗ Android TikTok-App: Microsoft findet 1-Klick-Schwachstelle, die Kontenübernahme erlaubte ∗∗∗ --------------------------------------------- Microsoft hat eine gefährliche Sicherheitslücke in der TikTok-App für Android entdeckt, die es ermöglichte, Benutzerkonten mit einem einzigen Klick zu kompromittieren. Inzwischen wurde diese Schwachstelle in der TikTok-App für Android geschlossen. --------------------------------------------- https://www.borncity.com/blog/2022/09/01/android-tiktok-app-microsoft-finde… ∗∗∗ RAT Tool Disguised as Solution File (*.sln) Being Distributed on Github ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of a RAT Tool disguised as a solution file (*.sln) on GitHub. As shown in Figure 1, the malware distributor is sharing a source code on GitHub titled “Jpg Png Exploit Downloader Fud Cryter Malware Builder Cve 2022”. The file composition looks normal, but the solution file (*.sln) is actually a RAT tool. It is through methods like this that the malware distributor lures users to run the RAT tool by disguising it as a solution file (*.sln). Generally, programmers who receive the code that includes the solution file run the file in order to open the project. Users should take caution against social engineering techniques that take advantage of such a thought process. --------------------------------------------- https://asec.ahnlab.com/en/38150/ ∗∗∗ Azure Synapse: Local Privilege Escalation Vulnerability in Spark ∗∗∗ --------------------------------------------- The story of a simple race condition leading to a Local Privilege Escalation, and how we discovered, in retrospect, that we crossed paths with another researcher and a previous Microsoft case. --------------------------------------------- https://orca.security/resources/blog/synapse-local-privilege-escalation-vul… ===================== = Vulnerabilities = ===================== ∗∗∗ Kritische Lücke in zlib-Bibliothek ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- In der weit verbreiteten Kompressionsbibliothek zlib könnten Angreifer unter Umständen Schadcode einschleusen und ausführen. Erste Patches sind verfügbar. --------------------------------------------- https://heise.de/-7250044 ∗∗∗ Sicherheitsupdate: Präparierte Mails könnten Thunderbird gefährlich werden ∗∗∗ --------------------------------------------- Es ist ein wichtiges Sicherheitsupdate für den Mailclient Thunderbird erschienen. Damit haben die Entwickler vier Lücken geschlossen. --------------------------------------------- https://heise.de/-7250566 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (pdns-recursor, thunderbird, and vim), Gentoo (firefox, thunderbird-bin, virtualbox, and webkit-gtk), Red Hat (convert2rhel), SUSE (gstreamer-plugins-good, open-vm-tools, postgresql12, rsync, and ucode-intel), and Ubuntu (linux-azure, linux-gcp, linux-hwe). --------------------------------------------- https://lwn.net/Articles/906778/ ∗∗∗ libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in libTIFF ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1250 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in D-LINK Router ausnutzen, um Code auszuführen oder einen Denial of Service zu verursachen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1253 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Xerox FreeFlow Print Server ausnutzen, um die Vertraulichkeit, Verfügbarkeit und Integrität des Systems zu gefährden. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1251 ∗∗∗ Security Advisory - Out-of-bounds Read and Write Vulnerability in Some Huawei Headset Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220826-… ∗∗∗ Security Bulletin:IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl, pcre2 and Golang Go ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-mq-operator-and-queue-… ∗∗∗ Security Bulletin: CVE-2021-2163 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-2163-may-affect-… ∗∗∗ Security Bulletin: Netcool Operations Insight v1.6.5 contains fixes for multiple security vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to spoofing due to Eclipse Paho (CVE-2019-11777) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-… ∗∗∗ Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-has-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8, affect IBM Workload Scheduler. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Delta Electronics DOPSoft ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-244-01 ∗∗∗ Contec Health CMS8000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-244-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.08.2022
by Daily end-of-shift report 31 Aug '22

31 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 30-08-2022 18:00 − Mittwoch 31-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Hackers hide malware in James Webb telescope images ∗∗∗ --------------------------------------------- Threat analysts have spotted a new malware campaign dubbed GO#WEBBFUSCATOR that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-hide-malware-in-jame… ∗∗∗ Watering Hole Attacks Push ScanBox Keylogger ∗∗∗ --------------------------------------------- Researchers uncover a watering hole attack likely carried out by APT TA423, which attempts to plant the ScanBox JavaScript-based reconnaissance tool. --------------------------------------------- https://threatpost.com/watering-hole-attacks-push-scanbox-keylogger/180490/ ∗∗∗ Infoblox Threat Intelligence: IOCs related to the Russia-Ukraine conflict ∗∗∗ --------------------------------------------- This folder contains IOCs related to the Russian invasion of Ukraine. The majority of the content is based on Infoblox internal analytics and validation analysis, though some OSINT is also included. --------------------------------------------- https://github.com/infobloxopen/threat-intelligence/tree/main/ukraine ∗∗∗ Webinar: Betrugsfallen im Internet erkennen ∗∗∗ --------------------------------------------- Am Dienstag, den 06.09.2022 von 18:30 – 20:00 Uhr findet das kostenlose Webinar zum Thema „Betrugsfallen im Internet erkennen" statt. Melden Sie sich jetzt an! --------------------------------------------- https://www.watchlist-internet.at/news/webinar-betrugsfallen-im-internet-er… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-08-30 ∗∗∗ --------------------------------------------- IBM TRIRIGA Application Platform, IBM b-type SAN directors and switches, IBM Integration Bus, IBM App Connect Enterprise, IBM Watson Assistant for IBM Cloud Pak for Data, IBM Engineering Lifecycle Engineering, IBM Cloud Transformation Advisor, IBM Cloud Object Storage Systems. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdate: Angreifer könnten WordPress-Websites attackieren ∗∗∗ --------------------------------------------- Die WordPress-Entwickler haben drei Lücken im Content-Management-System geschlossen. --------------------------------------------- https://heise.de/-7249431 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, net-snmp, php-horde-mime-viewer, php-horde-turba, and webkit2gtk), Fedora (rsync), Oracle (openssl and systemd), Red Hat (booth, kernel, kernel-rt, and openssl), Slackware (vim), SUSE (bluez, java-1_8_0-ibm, postgresql10, and zlib), and Ubuntu (kernel, linux, linux-raspi, linux-aws, and linux-oem-5.14). --------------------------------------------- https://lwn.net/Articles/906579/ ∗∗∗ Security Advisory - Traffic Hijacking Vulnerability in Huawei Routers ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220831-… ∗∗∗ Grafana: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1221 ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1239 ∗∗∗ ArubaOS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1238 ∗∗∗ GNU libc: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1234 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1230 ∗∗∗ Xerox FreeFlow Print Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1228 ∗∗∗ Chrome 105.0.5195.5x fixt 24 Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/08/31/chrome-105-0-5195-5x-fixt-24-schwa… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.08.2022
by Daily end-of-shift report 30 Aug '22

30 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 29-08-2022 18:00 − Dienstag 30-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Windows malware delays coinminer install by a month to evade detection ∗∗∗ --------------------------------------------- A new malware campaign disguised as Google Translate or MP3 downloader programs was found distributing cryptocurrency mining malware across 11 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-malware-delays-coinm… ∗∗∗ Two things that will never die: bash scripts and IRC!, (Tue, Aug 30th) ∗∗∗ --------------------------------------------- Last week, Brock Perry, one of our SANS.edu undergraduate students, came across a neat bash script uploaded to the honeypot as part of an attack. I am sure this isn't new, but I never quite saw something like this before myself. --------------------------------------------- https://isc.sans.edu/diary/rss/28998 ∗∗∗ Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users ∗∗∗ --------------------------------------------- A few months ago, we blogged about malicious extensions redirecting users to phishing sites and inserting affiliate IDs into cookies of eCommerce sites. Since that time, we have investigated several other malicious extensions and discovered 5 extensions with a total install base of over 1,400,000. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-cookie-stuff… ∗∗∗ Keine „Testzahlungen“ auf Kleinanzeigen-Plattformen durchführen! ∗∗∗ --------------------------------------------- Auf Kleinanzeigen-Plattformen wie Willhaben, Vinted, eBay Kleinanzeigen und Co finden Sie tolle Schnäppchen oder können Gebrauchtes zu Geld machen. Doch Vorsicht: Auch Kriminelle, die Ihnen das Geld aus der Tasche ziehen wollen, tummeln sich dort zuhauf. Bei einer aktuellen Masche fälschen diese die Zahlungsseiten der Plattformen und fordern zu Testzahlungen auf. Brechen Sie sofort den Kontakt ab. Man will Sie betrügen! --------------------------------------------- https://www.watchlist-internet.at/news/keine-testzahlungen-auf-kleinanzeige… ∗∗∗ ModernLoader delivers multiple stealers, cryptominers and RATs ∗∗∗ --------------------------------------------- Cisco Talos recently observed three separate, but related, campaigns between March and June 2022 delivering a variety of threats, including the ModernLoader bot, RedLine information-stealer and cryptocurrency-mining malware to victims. --------------------------------------------- http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-st… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in Foxit PDF Editor und Reader ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Angreifer könnten etwa mit manipulierten Dokumenten in Foxit PDF Editor und Reader Schadcode einschleusen. Aktualisierte Software schließt die Sicherheitslücke. --------------------------------------------- https://heise.de/-7247760 ∗∗∗ Sicherheitslücke: Zwischenablage in Chromium-basierten Browsern frei zugreifbar ∗∗∗ --------------------------------------------- Webseiten können derzeit in aktuellen Chromium-basierten Webbrowsern beliebig auf die Zwischenablage zugreifen. Das ermöglicht etwa Angriffe auf Nutzer. --------------------------------------------- https://heise.de/-7248070 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (ctk, dcmtk, OpenImageIO, and varnish-modules), Red Hat (systemd), SUSE (libslirp, open-vm-tools, and opera), and Ubuntu (jupyter-notebook, libsdl1.2, and systemd). --------------------------------------------- https://lwn.net/Articles/906461/ ∗∗∗ [20220801] - Core - Multiple Full Path Disclosures because of missing _JEXEC or die check ∗∗∗ --------------------------------------------- https://developer.joomla.org:443/security-centre/884-20220801-core-multiple… ∗∗∗ Security Bulletin: Tririga is vulnerable to remote hacker due to dom4j open source ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-tririga-is-vulnerable-to-… ∗∗∗ Security Bulletin: A security vulnerability has been fixed in IBM Security Identity Manager (CVE-2021-29864) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-3999) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Linux Kernel vulnerability may affect IBM Elastic Storage System (CVE-2021-4203) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: Due to use of OpenSSL, IBM Virtualization Engine TS7700 is vulnerable to denial of service (CVE-2022-0778) and privilege escalation (CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-openssl-ibm… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring Agent (CVE-2021-45346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: There are multiple vulnerabilities in the Linux Kernel used in IBM Elastic Storage System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ K00994461: GSON vulnerability CVE-2022-25647 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K00994461 ∗∗∗ poppler: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1214 ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1212 ∗∗∗ Hitachi Energy FACTS Control Platform (FCP) Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-01 ∗∗∗ Hitachi Energy Gateway Station (GWS) Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-02 ∗∗∗ Hitachi Energy MSM Product ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-03 ∗∗∗ Hitachi Energy RTU500 series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-04 ∗∗∗ Fuji Electric D300win ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-05 ∗∗∗ Honeywell ControlEdge ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-06 ∗∗∗ Honeywell Experion LX ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-07 ∗∗∗ Honeywell Trend Controls Inter-Controller Protocol ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-08 ∗∗∗ Omron CX-Programmer ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-09 ∗∗∗ PTC Kepware KEPServerEX ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-242-10 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.08.2022
by Daily end-of-shift report 29 Aug '22

29 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 26-08-2022 18:00 − Montag 29-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Fake Cthulhu World P2E project used to push info-stealing malware ∗∗∗ --------------------------------------------- Hackers have created a fake Cthulhu World play-to-earn community, including websites, Discord groups, social accounts, and a Medium developer site, to distribute the Raccoon Stealer, AsyncRAT, and RedLine password-stealing malware infections on unsuspecting victims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-cthulhu-world-p2e-proje… ∗∗∗ HTTP/2 Packet Analysis with Wireshark, (Fri, Aug 26th) ∗∗∗ --------------------------------------------- I have been getting these queries in my honeypot logs since end of December 2021 and decided to a diary on some of these packets using some basic analysis with Wireshark. --------------------------------------------- https://isc.sans.edu/diary/rss/28986 ∗∗∗ Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01, (Sun, Aug 28th) ∗∗∗ --------------------------------------------- Both Sysinternals utilities (Sysmon and ZoomIt) received updates that significantly extends their scope: Sysmon can now also block actions, and ZoomIt can record videos. --------------------------------------------- https://isc.sans.edu/diary/rss/28988 ∗∗∗ Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons, (Sun, Aug 28th) ∗∗∗ --------------------------------------------- I updated my Cobalt Strike beacon analysis tool 1768.py to deal with false positives in Windows system's memory dumps. --------------------------------------------- https://isc.sans.edu/diary/rss/28990 ∗∗∗ Aggressive Adware: PDF-Reader für Android mit Millionen Downloads ∗∗∗ --------------------------------------------- Ein PDF-Reader im Google Play-Store kommt auf über eine Million Downloads. Es handelt sich jedoch um Adware, die sogar ungenutzt Vollbild-Werbung einblendet. --------------------------------------------- https://heise.de/-7246842 ∗∗∗ Fake Wohnungsinserate auf eBay und Co.! ∗∗∗ --------------------------------------------- Fake-Inserate finden Sie auf allen gängigen Portalen zur Wohnungssuche. Kriminelle kontaktieren Sie auch direkt, wenn Sie eine „Gesucht-Anzeige“ veröffentlicht haben. Gefälschte Wohnungsinserate erkennen Sie an zwei Merkmalen: Die gebotenen Wohnungen sind sehr günstig und Sie müssen noch vor der Besichtigung die Kaution und erste Monatsmiete bezahlen. --------------------------------------------- https://www.watchlist-internet.at/news/fake-wohnungsinserate-auf-ebay-und-c… ∗∗∗ Tor 101: How Tor Works and its Risks to the Enterprise ∗∗∗ --------------------------------------------- The Tor project provides one of the most well-known tools that users can leverage to stay anonymous on the internet. People use Tor for many different reasons, both benign and malicious. However, allowing Tor traffic on enterprise networks opens the door to a variety of potential abuses and security risks. --------------------------------------------- https://unit42.paloaltonetworks.com/tor-traffic-enterprise-networks/ ∗∗∗ Lookout: Wie man sich vor SMS-Phishing und ähnlichen Angriffen schützt ∗∗∗ --------------------------------------------- Momentan gibt fast jede Woche ein anderes bekanntes Unternehmen bekannt, dass es Opfer eines Hacks geworden ist, bei dem Daten abgeflossen sind. Für Administratoren in Unternehmen stellt sich die Frage, wie man die internen Systeme vor SMS-Phishing und ähnlichen Angriffen, die auf Mitarbeiter zielen, schützen kann. --------------------------------------------- https://www.borncity.com/blog/2022/08/28/lookout-wie-man-sich-vor-sms-phish… ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Bitbucket Server vulnerable to critical RCE vulnerability ∗∗∗ --------------------------------------------- Atlassian has published a security advisory warning Bitbucket Server and Data Center users of a critical security flaw that attackers could leverage to execute arbitrary code on vulnerable instances. --------------------------------------------- https://www.bleepingcomputer.com/news/security/atlassian-bitbucket-server-v… ∗∗∗ Lexmark: Angreifer können sich durch Firmware-Lücke einnisten ∗∗∗ --------------------------------------------- In über 100 Drucker-Modellen von Lexmark steckt eine kritische Lücke in der Firmware. Angreifer könnten sich nach einem Einbruch in den Geräten einnisten. --------------------------------------------- https://heise.de/-7247068 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (curl, exim4, maven-shared-utils, ndpi, puma, webkit2gtk, and wpewebkit), Fedora (dotnet3.1, firefox, and webkit2gtk3), Mageia (clamav, mariadb, net-snmp, postgresql, python-ldap, and thunderbird), SUSE (freeciv, gnutls, keepalived, libyang, nim, python-Django, and varnish), and Ubuntu (schroot). --------------------------------------------- https://lwn.net/Articles/906355/ ∗∗∗ Security Bulletin: Custom "Execution States" names on IBM Engineering Test Management TCER pages are vulnerable to XSS ( CVE-2021-38934 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-custom-execution-states-n… ∗∗∗ D-LINK Router: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1203 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 26.08.2022
by Daily end-of-shift report 26 Aug '22

26 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 25-08-2022 18:00 − Freitag 26-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Living off the land, AD CS style ∗∗∗ --------------------------------------------- Unless you have been living under a rock for the last year or so, Active Directory Certificate Services (AD CS) abuse continues to be a hot topic in offensive security, ever since the excellent research released by Will Schroeder (@harmj0y) and Lee Christensen (@tifkin_). --------------------------------------------- https://www.pentestpartners.com/security-blog/living-off-the-land-ad-cs-sty… ∗∗∗ Threat Assessment: Black Basta Ransomware ∗∗∗ --------------------------------------------- Black Basta is ransomware as a service (RaaS) that first emerged in April 2022. However, evidence suggests that it has been in development since February. The Black Basta operator(s) use the double extortion technique, meaning that in addition to encrypting files on the systems of targeted organizations and demanding ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay ransom. --------------------------------------------- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomwar… ∗∗∗ Automatic Execution of Code Upon Package Download on Python Package Manager ∗∗∗ --------------------------------------------- Automatic code execution is triggered upon downloading approximately one third of the packages on PyPi. A worrying feature in pip/PyPi allows code to automatically run when developers are merely downloading a package. --------------------------------------------- https://checkmarx.com/blog/automatic-execution-of-code-upon-package-downloa… ===================== = Vulnerabilities = ===================== ∗∗∗ Lücken in Ciscos FXOS und NX-OS ermöglichen Übernahme der Kontrolle ∗∗∗ --------------------------------------------- In Ciscos Router- und Firewall-Betriebssystemen FXOS und NX-OS hätten Angreifer beliebigen Code mit root-Rechten ausführen können. Updates stehen bereit. --------------------------------------------- https://heise.de/-7244032 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (zlib), Fedora (dotnet3.1, firefox, java-1.8.0-openjdk-aarch32, thunderbird, and zlib), Mageia (canna, chromium-browser-stable, dovecot, firefox/nss, freeciv, freetype2, gnutls, kernel, kernel-linus, kicad, ldb/samba/sssd, libgsasl, microcode, nodejs, rsync, thunderbird, and unbound), Oracle (php:7.4 and systemd), Scientific Linux (firefox, rsync, systemd, and thunderbird), Slackware (vim), and SUSE (bluez, gstreamer-plugins-good, java-1_7_1-ibm, java-1_8_0-ibm, kernel, libcroco, postgresql10, postgresql13, python-lxml, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/906232/ ∗∗∗ CISA Adds Ten Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added ten new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisa-adds-ten-kno… ∗∗∗ [R1] Nessus Agent Version 8.3.4 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Custom audit files bring tremendous power and flexibility when assessing the configuration of your assets. Two separate vulnerabilities that utilize this custom Audit functionality were identified, reported and fixed. With the release of Nessus Agent 8.3.4, Tenable has mitigated the reported issues by enabling the ability to sign and verify custom audit files. --------------------------------------------- https://www.tenable.com/security/tns-2022-17 ∗∗∗ ABB Security Advisory: ARM600 Cyber Security Notification: UEFI vulnerability ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001477&Language… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime(CVE-2021-35603) affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to issues with libcurl (CVE-2022-27780, CVE-2022-30115) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-i… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to CSRF attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-35714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Directory Integrator as shipped with IBM Security Directory Suite is affected by Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-in… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in Java SE related to the JSSE component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ F5: K42795243: Apache Xalan Java Library vulnerability CVE-2022-34169 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K42795243 ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0008 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0008.html ∗∗∗ vBulletin Connect: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1190 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.08.2022
by Daily end-of-shift report 25 Aug '22

25 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 24-08-2022 18:00 − Donnerstag 25-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ PyPI packages hijacked after developers fall for phishing emails ∗∗∗ --------------------------------------------- A phishing campaign caught yesterday was seen targeting maintainers of Python packages published to the PyPI registry. Python packages exotel and spam are among hundreds seen laced with malware after attackers successfully compromised accounts of maintainers who fell for the phishing email. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after… ∗∗∗ More hackers adopt Sliver toolkit as a Cobalt Strike alternative ∗∗∗ --------------------------------------------- Threat actors are dumping the Cobalt Strike penetration testing suite in favor of similar frameworks that are less known. After Brute Ratel, the open-source, cross-platform kit called Sliver is becoming an attractive alternative. --------------------------------------------- https://www.bleepingcomputer.com/news/security/more-hackers-adopt-sliver-to… ∗∗∗ Twilio hackers hit over 130 orgs in massive Okta phishing attack ∗∗∗ --------------------------------------------- Threat analysts have discovered the phishing kit responsible for thousands of attacks against 136 high-profile organizations that have compromised 9,931 accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/twilio-hackers-hit-over-130-… ∗∗∗ MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone ∗∗∗ --------------------------------------------- Microsoft security researchers have discovered a post-compromise capability we’re calling MagicWeb, which is used by a threat actor we track as NOBELIUM to maintain persistent access to compromised environments. --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-… ∗∗∗ whids - Open Source EDR for Windows ∗∗∗ --------------------------------------------- EDR with artifact collection driven by detection. The detection engine is built on top of a previous project Gene specially designed to match Windows events against user defined rules. --------------------------------------------- https://github.com/0xrawsec/whids ∗∗∗ EDR: Nachfolger der Antiviren-Software kämpfen mit altbekannten Problemen ∗∗∗ --------------------------------------------- Die Security-Industrie preist Endpoint Detection & Response als das bessere Antivirus an. Tests zeigen, dass es oft an den gleichen Problemen scheitert. --------------------------------------------- https://heise.de/-7241955 ∗∗∗ Firefox ESR, Thunderbird: Angreifer könnten Nutzereingaben abfangen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für den Mailclient Thunderbird und den Webbrowser Firefox ESR. --------------------------------------------- https://heise.de/-7242897 ∗∗∗ Doxing – was ist das und wie schützt man sich davor? ∗∗∗ --------------------------------------------- Doxing kann jeden treffen - hier erfahren Sie, wie Sie die Wahrscheinlichkeit verringern können, dass Ihre persönlichen Daten als Waffe gegen Sie eingesetzt werden. --------------------------------------------- https://www.welivesecurity.com/deutsch/2022/08/25/doxing-was-ist-das-und-wi… ∗∗∗ Vorsicht vor Coin-Fallen auf Dating-Portalen ∗∗∗ --------------------------------------------- Sie wollen herausfinden, ob es Ihrer Internetbekanntschaft wirklich ernst ist? Haben Sie Geld für Coins oder Guthaben investiert, um mit Ihrer Bekanntschaft zu chatten, es kommt aber nie zu einem persönlichen Treffen? Hier erfahren Sie alles über die Maschen von moderierten Dating-Portalen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-coin-fallen-auf-dating-… ∗∗∗ Preparing Critical Infrastructure for Post-Quantum Cryptography ∗∗∗ --------------------------------------------- CISA has released CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography, which outlines the actions that critical infrastructure stakeholders should take now to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/24/preparing-critica… ∗∗∗ Palo Alto warns of firewall vulnerability used in DDoS attack on service provider ∗∗∗ --------------------------------------------- Palo Alto Networks is urging customers to patch a line of firewall products after finding that the vulnerability was used in a distributed denial-of-service (DDoS) attack. On August 19, the company made all patches available for CVE-2022-0028 – which affects the PA-Series, VM-Series and CN-Series of the PAN-OS firewall software. --------------------------------------------- https://therecord.media/palo-alto-warns-of-firewall-vulnerability-used-in-d… ∗∗∗ New Golang Ransomware Agenda Customizes Attacks ∗∗∗ --------------------------------------------- A new piece of ransomware written in the Go language has been targeting healthcare and education enterprises in Asia and Africa. This ransomware is called Agenda and is customized per victim. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda… ===================== = Vulnerabilities = ===================== ∗∗∗ VU#309662: Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass ∗∗∗ --------------------------------------------- The following vendor-specific bootloaders were found vulnerable: Inherently vulnerable bootloader to bypass Secure Boot New Horizon Datasys Inc (CVE-2022-34302) UEFI Shell execution to bypass Secure Boot CryptoPro Secure Disk (CVE-2022-34301) Eurosoft (UK) Ltd (CVE-2022-34303) Microsoft has provided details with their KB5012170 article released on August 9th 2022. Note, these updates can be delivered from your OEM vendor or the OS vendor to install an updated Secure Boot Forbidden Signature Database (DBX). --------------------------------------------- https://kb.cert.org/vuls/id/309662 ∗∗∗ Movable Type XMLRPC API vulnerable to command injection ∗∗∗ --------------------------------------------- Movable Type XMLRPC API provided by Six Apart Ltd. contains a command injection vulnerability. --------------------------------------------- https://jvn.jp/en/jp/JVN57728859/ ∗∗∗ Commerce Elavon - Moderately critical - Access bypass - SA-CONTRIB-2022-053 ∗∗∗ --------------------------------------------- Project: Commerce Elavon Security risk: Moderately critical Vulnerability: Access bypass Description: This module enables you to accept payments from the Elavon payment provider. [..] This vulnerability is mitigated by the fact that an attacker must be able to spoof the Elavon DNS received by your site. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-053 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, libxslt, and open-vm-tools), Fedora (dotnet6.0 and firefox), Oracle (curl, firefox, rsync, and thunderbird), Red Hat (curl, firefox, php:7.4, rsync, systemd, and thunderbird), SUSE (bluez, chromium, freerdp, glibc, gnutls, kernel, postgresql10, raptor, rubygem-rails-html-sanitizer, and spice), and Ubuntu (firefox, linux, linux-kvm, linux-lts-xenial, linux-aws, linux-azure-fde, open-vm-tools, and varnish). --------------------------------------------- https://lwn.net/Articles/906055/ ∗∗∗ Atlassian Bitbucket: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Atlassian Bitbucket ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1185 ∗∗∗ HCL Notes und Domino: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in HCL Notes und HCL Domino ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1180 ∗∗∗ Mattermost security updates 7.1.3 (ESR), 7.0.2, 6.3.10 (ESR) released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses a medium-level severity vulnerability. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 7.1.3 (Extended Support Release), 7.0.2, and 6.3.10 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-7-1-3-esr-7-0-2-6-3… ∗∗∗ Cisco Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Cisco has released security updates for vulnerabilities affecting ACI Multi-Site Orchestrator, FXOS, and NX-OS software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/25/cisco-releases-se… ∗∗∗ SMA100 Exposure of Sensitive Information to an Unauthorized Actor ∗∗∗ --------------------------------------------- A vulnerability in the SonicWall SMA100 appliance could potentially expose sensitive information i.e., third-party packages and library versions used in the appliance firmware to a pre-authenticated actor.IMPORTANT: SMA 1000 series products are not affected by this vulnerability. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0020 ∗∗∗ SonicWall SMA100 Post-Auth Heap-based Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A Heap-based Buffer Overflow vulnerability in the SonicWall SMA100 appliance allows a remote authenticated attacker to cause Denial of Service (DoS) on the appliance or potentially lead to code execution. This vulnerability impacts 10.2.1.5-34sv and earlier versions.IMPORTANT: SMA 1000 series products are not affected by this vulnerability. CVE: CVE-2022-2915 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0019 ∗∗∗ Security Bulletin: IBM Connect:Direct Web Services vulnerable to remote security bypass due to PostgreSQL (CVE-2022-1552) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-connectdirect-web-ser… ∗∗∗ Security Bulletin: IBM MQ Appliance is vulnerable to a denial of service due to Linux Kernel (CVE-2020-35513) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-vulne… ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-237-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.08.2022
by Daily end-of-shift report 24 Aug '22

24 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 23-08-2022 18:00 − Mittwoch 24-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake Chrome extension Internet Download Manager has 200,000 installs ∗∗∗ --------------------------------------------- Google Chrome extension Internet Download Manager installed by more than 200,000 users is adware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-chrome-extension-intern… ∗∗∗ Hackers use AiTM attack to monitor Microsoft 365 accounts for BEC scams ∗∗∗ --------------------------------------------- A new business email compromise (BEC) campaign has been discovered combining sophisticated spear-phishing with Adversary-in-The-Middle (AiTM) tactics to hack corporate executives Microsoft 365 accounts, even those protected by MFA. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-use-aitm-attack-to-m… ∗∗∗ Ransomware updates & 1-day exploits ∗∗∗ --------------------------------------------- In this report, we discuss the new multi-platform ransomware RedAlert (aka N13V) and Monster, as well as private 1-day exploits for the CVE-2022-24521 vulnerability. --------------------------------------------- https://securelist.com/ransomware-updates-1-day-exploits/107291/ ∗∗∗ Monster Libra (TA551/Shathak) --> IcedID (Bokbot) --> Cobalt Strike & DarkVNC, (Wed, Aug 24th) ∗∗∗ --------------------------------------------- On Monday, 2022-08-22, I generated an IcedID (Bokbot) infection based on Monster Libra (also known as TA551 or Shathak). --------------------------------------------- https://isc.sans.edu/diary/rss/28974 ∗∗∗ Bomber is an application that scans SBoMs for security vulnerabilities. ∗∗∗ --------------------------------------------- So youve asked a vendor for an Software Bill of Materials (SBOM) for one of their products, and they provided one to you in a JSON file... now what? --------------------------------------------- https://github.com/devops-kung-fu/bomber ∗∗∗ Cyber-Angriff: Griechischer Gasnetzbetreiber Desfa Opfer von Ransomware-Gang ∗∗∗ --------------------------------------------- Die Ransomware-Gang hinter Ragnar Locker ist in die Netze des Betreibers des griechischen Erdgas-Netzes Desfa eingebrochen. Die Versorgung bleibt gesichert. --------------------------------------------- https://heise.de/-7241322 ∗∗∗ Einbruch bei Plex: Daten abgezogen, Passwortänderung nötig ∗∗∗ --------------------------------------------- Bösartige Akteure sind offenbar in die Datenbanken des Streaming-Dienstes und Medienservers Plex eingebrochen. Dort konnten sie persönliche Daten stehlen. --------------------------------------------- https://heise.de/-7241975 ∗∗∗ Ethernet LEDs Can Be Used to Exfiltrate Data From Air-Gapped Systems ∗∗∗ --------------------------------------------- A researcher from the Ben-Gurion University of the Negev in Israel has published a paper describing a method that can be used to silently exfiltrate data from air-gapped systems using the LEDs of various types of networked devices. --------------------------------------------- https://www.securityweek.com/ethernet-leds-can-be-used-exfiltrate-data-air-… ∗∗∗ Old, Inconspicuous Vulnerabilities Commonly Targeted in OT Scanning Activity ∗∗∗ --------------------------------------------- Data collected by IBM shows that old and inconspicuous vulnerabilities affecting industrial products are commonly targeted in scanning activity seen by organizations that use operational technology (OT). --------------------------------------------- https://www.securityweek.com/old-inconspicuous-vulnerabilities-commonly-tar… ∗∗∗ HavanaCrypt Ransomware tarnt sich als Google Update ∗∗∗ --------------------------------------------- Die neu entdeckte HavanaCrypt Ransomware nutzt ausgefeilte Techniken und verkleidet sich als Google Update. Lösegeldforderungen gab es bisher nicht. --------------------------------------------- https://www.zdnet.de/88403049/havanacrypt-ransomware-tarnt-sich-als-google-… ∗∗∗ But You Told Me You Were Safe: Attacking the Mozilla Firefox Sandbox (Part 2) ∗∗∗ --------------------------------------------- In this blog post, we discuss a second prototype pollution vulnerability that allowed the execution of attacker-controlled JavaScript in the privileged parent process, escaping the sandbox. --------------------------------------------- https://www.thezdi.com/blog/2022/8/23/but-you-told-me-you-were-safe-attacki… ∗∗∗ BitRAT and XMRig CoinMiner Being Distributed via Windows License Verification Tool ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of BitRAT and XMRig CoinMiner disguised as a Windows license verification tool. --------------------------------------------- https://asec.ahnlab.com/en/37939/ ∗∗∗ AsyncRAT Being Distributed in Fileless Form ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered that malicious AsyncRAT codes are being distributed in fileless form. --------------------------------------------- https://asec.ahnlab.com/en/37954/ ===================== = Vulnerabilities = ===================== ∗∗∗ Gefährliche Lücken bedrohen Sicherheit von kritischen Infrastrukturen ∗∗∗ --------------------------------------------- Angreifer könnten Industrie-Steuerungssysteme attackieren und im schlimmsten Fall die volle Kontrolle erlangen. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-7241733 ∗∗∗ Updates für GitLab schließen kritische Sicherheitslücke ∗∗∗ --------------------------------------------- Für die GitLab Community- und Enterprise-Edition haben die Entwickler aktualisierte Versionen veröffentlicht, die eine kritische Sicherheitslücke schließen. --------------------------------------------- https://heise.de/-7241481 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (vim), SUSE (cosign, dpdk, freeciv, gfbgraph, kernel, nim, p11-kit, perl-HTTP-Daemon, python-lxml, and python-treq), and Ubuntu (linux-oem-5.14, open-vm-tools, and twisted). --------------------------------------------- https://lwn.net/Articles/905853/ ∗∗∗ Oracle SBC: Multiple Security Vulnerabilities Leading to Unauthorized Access and Denial of Service ∗∗∗ --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/oracle-sbc-… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information exposure (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: A security vulnerability has been identified in in IBM Java SDK shipped with IBM Tivoli Business Service Manager (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to identity spoofing due to IBM WebSphere Application Server Liberty (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-includes-… ∗∗∗ VMSA-2022-0024 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0024.html ∗∗∗ vim: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1157 ∗∗∗ Jenkins Plugins: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1166 ∗∗∗ F-Secure Produkte: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1165 ∗∗∗ tribe29 checkmk: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1160 ∗∗∗ Mozilla Releases Security Updates for Firefox, Firefox ESR, and Thunderbird ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/23/mozilla-releases-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.08.2022
by Daily end-of-shift report 23 Aug '22

23 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 22-08-2022 18:00 − Dienstag 23-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Internet-Kernprotokoll: Das Transmission Control Protocol erhält Update ∗∗∗ --------------------------------------------- TCP ist der Motor des Internet. Mit einem gerade aktualisierten RFC bekommt er eine Generalüberholung. Aber kann er sich gegen neue Konkurrenz behaupten? --------------------------------------------- https://heise.de/-7239713 ∗∗∗ Cyber-Attacken: CISA warnt vor Angriffen auf neu entdeckte Sicherheitslücken ∗∗∗ --------------------------------------------- Die US-Cybersicherheitsbehörde CISA warnt vor einigen erst seit Kurzem bekannten Sicherheitslücken. Cyberkriminelle greifen diese bereits aktiv an. --------------------------------------------- https://heise.de/-7240372 ∗∗∗ Whos Looking at Your security.txt File? ∗∗∗ --------------------------------------------- In April 2022, the RFC related to the small file “security.txt” was released. It was already popular for a while, but an RFC is always a good way to “promote” some best practices! If you're unaware of this file, it helps to communicate security contacts (email addresses, phone, ...) to people who would like to contact you to report an issue with your website or your organization. --------------------------------------------- https://isc.sans.edu/diary/rss/28972 ∗∗∗ Researchers Find Counterfeit Phones with Backdoor to Hack WhatsApp Accounts ∗∗∗ --------------------------------------------- Budget Android device models that are counterfeit versions associated with popular smartphone brands are harboring multiple trojans designed to target WhatsApp and WhatsApp Business messaging apps. --------------------------------------------- https://thehackernews.com/2022/08/researchers-find-counterfeit-phones.html ∗∗∗ New Air-Gap Attack Uses MEMS Gyroscope Ultrasonic Covert Channel to Leak Data ∗∗∗ --------------------------------------------- A novel data exfiltration technique has been found to leverage a covert ultrasonic channel to leak sensitive information from isolated, air-gapped computers to a nearby smartphone that doesn't even require a microphone to pick up the sound waves. --------------------------------------------- https://thehackernews.com/2022/08/new-air-gap-attack-uses-mems-gyroscope.ht… ∗∗∗ If you havent patched Zimbra holes by now, assume youre toast ∗∗∗ --------------------------------------------- Heres how to detect an intrusion via vulnerable email systems Organizations that didnt immediately patch their Zimbra email systems should assume miscreants have already found and exploited the bugs, and should start hunting for malicious activity across IT networks, according to Uncle Sam. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/08/23/cisa_zimbra_… ∗∗∗ Ransomware Gang Leaks Data Allegedly Stolen From Greek Gas Supplier ∗∗∗ --------------------------------------------- The cybergang behind the Ragnar Locker ransomware has published more than 360 gigabytes of data allegedly stolen from Greece’s largest natural gas supplier Desfa.Established in 2007 as a subsidiary of Depa (Public Gas Corporation of Greece), Desfa operates both the country’s natural gas transmission system and its gas distribution networks. --------------------------------------------- https://www.securityweek.com/ransomware-gang-leaks-data-allegedly-stolen-gr… ∗∗∗ Online-Marktplatz: Vorsicht, wenn Käufer:innen Links zu Kurierdiensten und Zahlungsplattformen schicken ∗∗∗ --------------------------------------------- Sie verkaufen über willhaben, laendleanzeiger.at, shpock und Co? Nehmen Sie sich vor betrügerischen Käufer:innen in Acht. --------------------------------------------- https://www.watchlist-internet.at/news/online-marktplatz-vorsicht-wenn-kaeu… ∗∗∗ The Rise of Data Exfiltration and Why It Is a Greater Risk Than Ransomware ∗∗∗ --------------------------------------------- Threat actors have been searching for another opportunity – and found one. It's called data exfiltration, or exfil, a type of espionage causing headaches at organizations worldwide. Let's take a look. --------------------------------------------- https://thehackernews.com/2022/08/the-rise-of-data-exfiltration-and-why.html ===================== = Vulnerabilities = ===================== ∗∗∗ GitLab Critical Security Release: 15.3.1, 15.2.3, 15.1.5 ∗∗∗ --------------------------------------------- Today we are releasing versions 15.3.1, 15.2.3, 15.1.5 for GitLab Community Edition (CE) and Enterprise Edition (EE). These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version. --------------------------------------------- https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitl… ∗∗∗ SECURITY BULLETIN AVEVA-2022-005 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in AVEVA Edge (formerly known as InduSoft Web Studio). Rating: High --------------------------------------------- https://www.aveva.com/content/dam/aveva/documents/support/cyber-security-up… ∗∗∗ [CVE-2020-2733] JD Edwards EnterpriseOne Tools admin password not adequately protected ∗∗∗ --------------------------------------------- JD Edwards EnterpriseOne Tools 9.2 or lower versions allow unauthenticated attackers to bypass the authentication and get Administrator rights on the system. --------------------------------------------- https://redrays.io/cve-2020-2733-jd-edwards/ ∗∗∗ Einbruchsgefahr: Über 80.000 Hikvision-Kameras verwundbar ∗∗∗ --------------------------------------------- Hikvision hat zwar Updates für die Kameras veröffentlicht, mehr als 2300 Firmen ignorieren diese jedoch. Angreifer könnten dadurch in deren Netze einbrechen. --------------------------------------------- https://heise.de/-7239986 ∗∗∗ Firefox 104: Verbesserungen am PDF-Viewer und Stromverbrauch-Profiler ∗∗∗ --------------------------------------------- Die neue Version von Firefox bringt neben sechs gefixten Sicherheitslücken auch Re-Snapping sowie die Möglichkeit, im PDF-Viewer zu unterschreiben. --------------------------------------------- https://heise.de/-7240408 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Oracle (kernel and kernel-container), SUSE (bluez, gimp, rubygem-rails-html-sanitizer, systemd-presets-common-SUSE, and u-boot), and Ubuntu (libxslt). --------------------------------------------- https://lwn.net/Articles/905730/ ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in dojo library shipped with IBM Security Guardium Key Lifecycle Manager (SKLM/GKLM) (CVE-2019-10785, CVE-2020-5259, CVE-2020-4051, CVE-2018-15494, CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2021-22931) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM has announced a release for IBM Security Verify Governance in response to a security vulnerability (CVE-2022-21824) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-has-announced-a-relea… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to issues with libcurl (CVE-2022-27780, CVE-2022-30115) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-i… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to denial of service due to Google Gson (CVE-2022-25647) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Apache Commons Compress ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1151 ∗∗∗ Trellix Data Loss Prevention: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1149 ∗∗∗ xpdf: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1144 ∗∗∗ PowerDNS: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1152 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.08.2022
by Daily end-of-shift report 22 Aug '22

22 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 19-08-2022 18:00 − Montag 22-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 241 npm and PyPI packages caught dropping Linux cryptominers ∗∗∗ --------------------------------------------- More than 200 malicious packages were discovered infiltrating the PyPI and npm open source registries this week. These packages are largely typosquats of widely used libraries and each one of them downloads a Bash script on Linux systems that run cryptominers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/241-npm-and-pypi-packages-ca… ∗∗∗ New tool checks if in-app mobile browsers inject risky code on sites ∗∗∗ --------------------------------------------- A new online tool named InAppBrowser lets you analyze the behavior of in-app browsers embedded within mobile apps and determine if they inject privacy-threatening JavaScript into websites you visit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-tool-checks-if-in-app-mo… ∗∗∗ LockBit claims ransomware attack on security giant Entrust, leaks data ∗∗∗ --------------------------------------------- The LockBit ransomware gang has claimed responsibility for the June cyberattack on digital security giant Entrust. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-claims-ransomware-at… ∗∗∗ Multi-Faktor-Authentisierung umgehen: Malware klaut automatisiert Cookies ∗∗∗ --------------------------------------------- Um Multi-Faktor-Authentisierung umgehen zu können, klauen Kriminelle vermehrt Browser-Cookies mittels Malware. --------------------------------------------- https://www.golem.de/news/multi-faktor-authentisierung-umgehen-malware-klau… ∗∗∗ Meet Borat RAT, a New Unique Triple Threat ∗∗∗ --------------------------------------------- Atlanta-based cyber risk intelligence company, Cyble discovered a new Remote Access Trojan (RAT) malware. What makes this particular RAT malware distinct enough to be named after the comic creation of Sacha Baron Cohen? --------------------------------------------- https://thehackernews.com/2022/08/meet-borat-rat-new-unique-triple-threat.h… ∗∗∗ Sicherer im Internet surfen: Obacht vor gefälschten DDoS-Check-Websites ∗∗∗ --------------------------------------------- Wer im Internet ohne Nachzudenken klickt, kann sich schnell einen Trojaner einfangen. Nun warnen Sicherheitsforscher vor einer weiteren Malware-Masche. --------------------------------------------- https://heise.de/-7238985 ∗∗∗ Bösartige Apps im Google Play Store: Mehr als zwei Millionen Downloads ∗∗∗ --------------------------------------------- Bitdefender hat 35 bösartige Apps in Googles Play Store entdeckt. Sie kommen zusammen auf mehr als zwei Millionen Downloads. --------------------------------------------- https://heise.de/-7239109 ∗∗∗ Kriminelle kapern Facebook-Konten und bewerben Fake-Investment-Plattformen ∗∗∗ --------------------------------------------- Tom und zahlreiche andere Personen wurden von Claudia auf Facebook bei einem Beitrag markiert. Der Beitrag ist ein Link zu einem Artikel, wie man mit einer Investment-Plattform in kurzer Zeit viel Geld verdienen kann. Vorsicht: Dabei handelt es sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/kriminelle-kapern-facebook-konten-un… ∗∗∗ Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More ∗∗∗ --------------------------------------------- Recent exploits observed in the wild are highlighted based on the availability of proofs of concept, the severity of the vulnerabilities the exploits are based on and the ease of exploitation. --------------------------------------------- https://unit42.paloaltonetworks.com/recent-exploits-network-security-trends/ ∗∗∗ Hackers are using this sneaky exploit to bypass Microsofts multi-factor authentication ∗∗∗ --------------------------------------------- Attackers guessed the password of a dormant account and were able to apply their own MFA to it - providing access to the victims network. --------------------------------------------- https://www.zdnet.com/article/hackers-are-using-this-sneaky-trick-to-exploi… ∗∗∗ Sicherheitslücken - jetzt auch in deiner Appliance ∗∗∗ --------------------------------------------- Die Entwickler des quelloffenen Frameworks YARA haben vor knapp zwei Wochen fast schon heimlich still und leise eine neue Version veröffentlicht, v4.2.3, welche in der medialen Berichterstattung beinahe untergegangen ist. --------------------------------------------- https://cert.at/de/blog/2022/8/sicherheitslucken-jetzt-auch-in-deiner-appli… ∗∗∗ CISA Adds One Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added a new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/22/cisa-adds-one-kno… ∗∗∗ Sicherheit: Wenn plötzlich ein (Fake-)"Office 365-Paket" per Post kommt ∗∗∗ --------------------------------------------- Kleine Warnung, die sich vor allem an unerfahrene Leser dieses Blogs bzw. Nutzer richtet. Kriminelle verschicken wohl Päckchen an (vorwiegend ältere Leute), in denen vorgeblich ein Microsoft Office enthalten ist. --------------------------------------------- https://www.borncity.com/blog/2022/08/21/sicherheit-wenn-pltzlich-ein-offic… ===================== = Vulnerabilities = ===================== ∗∗∗ Uncovering a ChromeOS remote memory corruption vulnerability ∗∗∗ --------------------------------------------- Microsoft discovered a memory corruption vulnerability in a ChromeOS component that could have been triggered remotely, allowing attackers to perform either a denial-of-service (DoS) or, in extreme cases, remote code execution (RCE). --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/19/uncovering-a-chromeos-re… ∗∗∗ "As Nasty as Dirty Pipe" — 8 Year Old Linux Kernel Vulnerability Uncovered ∗∗∗ --------------------------------------------- Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is "as nasty as Dirty Pipe." Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level. --------------------------------------------- https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.h… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (jetty9 and kicad), Fedora (community-mysql and trafficserver), Gentoo (chromium, gettext, tomcat, and vim), Mageia (apache-mod_wsgi, libitrpc, libxml2, teeworlds, wavpack, and webkit2), Red Hat (podman), Slackware (vim), SUSE (java-1_8_0-openjdk, nodejs10, open-iscsi, rsync, and trivy), and Ubuntu (exim4). --------------------------------------------- https://lwn.net/Articles/905590/ ∗∗∗ YARA 4.2.3 Released, (Sat, Aug 20th) ∗∗∗ --------------------------------------------- https://isc.sans.edu/diary/rss/28964 ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-29891 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2019-16649 and CVE-2019-16650 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: Vulnerabilities with OpenJDK affect IBM Cloud Object Storage Systems (August 2022v1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-open… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulneraqbility in SQLite affects IBM Cloud Application Performance Managment R esponse Time Monitoring RRT Agent (CVE-2021-45346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulneraqbility-in-sqlit… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple Security Vulnerabilities may affect IBM Robotic Process Automation for Cloud Pak ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.08.2022
by Daily end-of-shift report 19 Aug '22

19 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 18-08-2022 18:00 − Freitag 19-08-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Honeypot Attack Summaries with Python ∗∗∗ --------------------------------------------- We are lucky to have a variety of tools available to enrich existing honeypot data, but also automate that enrichment. I put together a script to try and help myself achieve a simple goal. --------------------------------------------- https://isc.sans.edu/diary/rss/28956 ∗∗∗ Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads ∗∗∗ --------------------------------------------- Under normal circumstances, DDoS pages usually don’t affect users much — they simply perform a check or request a skill testing question in order to proceed to the desired webpage. However, a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware. --------------------------------------------- https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-… ∗∗∗ But You Told Me You Were Safe: Attacking the Mozilla Firefox Renderer (Part 1) ∗∗∗ --------------------------------------------- At Pwn2Own Vancouver 2022, Manfred Paul compromised the Mozilla Firefox browser using a full chain exploit that broke the mold. Although his exploit used some memory corruptions, the vulnerable code was written in a memory-safe programming language: JavaScript! --------------------------------------------- https://www.zerodayinitiative.com/blog/2022/8/17/but-you-told-me-you-were-s… ∗∗∗ Auch TikTok-App soll mit internem iPhone-Browser spionieren können ∗∗∗ --------------------------------------------- Nachdem das Problem bereits bei Facebook und Instagram aufgedeckt worden war, hat sich ein Sicherheitsforscher nun auch den chinesischen Videodienst angesehen. --------------------------------------------- https://heise.de/-7235891 ∗∗∗ Aktive Angriffe auf iPhones, iPads und Macs: Was Nutzer jetzt tun sollten ∗∗∗ --------------------------------------------- Erneut warnt Apple vor schweren Sicherheitslücken, die wohl aktiv ausgenutzt werden. Es gibt Patches, aber nicht für alle Systeme und Bugs. Ein Überblick. --------------------------------------------- https://heise.de/-7237518 ∗∗∗ Back in Black: Unlocking a LockBit 3.0 Ransomware Attack ∗∗∗ --------------------------------------------- This post explores some of the TTPs employed by a threat actor who were observed deploying LockBit 3.0 ransomware during an incident response engagement. --------------------------------------------- https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-… ∗∗∗ SAP Vulnerability Exploited in Attacks After Details Disclosed at Hacker Conferences ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP vulnerability to its Known Exploited Vulnerabilities Catalog less than one week after its details were disclosed at the Black Hat and Def Con hacker conferences. --------------------------------------------- https://www.securityweek.com/sap-vulnerability-exploited-attacks-after-deta… ∗∗∗ Fake-Shop-Alarm: getvoltplug.com hilft Ihnen nicht beim Stromsparen ∗∗∗ --------------------------------------------- In Zeiten der Energiekrise wirbt getvoltplug.com mit einem attraktiven Angebot: Ein Gerät soll Ihnen helfen bis zu 90% Ihrer Stromrechnung zu sparen. Aber Achtung! Dieses Gerät existiert gar nicht, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-getvoltplugcom-hilft… ∗∗∗ Wissen: Webseite als kompromittiert gemeldet? Wie geht man vor? ∗∗∗ --------------------------------------------- Wer eine Webseite betreibt, wird möglicherweise gelegentlich mit dem Problem konfrontiert, dass diese von Sicherheitsportalen oder Benutzern als "riskant" gemeldet wird. Dann stellt sich die Frage, wie man vorgehen könnte, um herauszufinden, ob dies ein Fehlalarm ist oder die Webseite kompromittiert wurde. --------------------------------------------- https://www.borncity.com/blog/2022/08/19/wissen-webseite-als-kompromittiert… ∗∗∗ Ukraine war spotlights agriculture sectors vulnerability to cyber attack ∗∗∗ --------------------------------------------- The agriculture sector is highly vulnerable to cyber-attacks given its low downtime tolerance, insufficient cyber defenses, and far-reaching ripple effects of disruption. We assess those future threats to the agriculture section will mainly include financially motivated ransomware actors and disruptive attacks carried out by state-sponsored APTs. --------------------------------------------- http://blog.talosintelligence.com/2022/08/ukraine-and-fragility-of-agricult… ∗∗∗ Business Email Compromise Attack Tactics ∗∗∗ --------------------------------------------- Is BEC more damaging than ransomware? What tactics are BEC actors using? How can organizations bolster their defenses? --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/h/business-email-compromise-bec-at… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-1076: PDF-XChange Editor submitForm Out-Of-Bounds Read Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-1076/ ∗∗∗ DSA-2022-241: Dell EMC PowerFlex Rack Security Update for Multiple Third-Party Component Vulnerabilities ∗∗∗ --------------------------------------------- Dell EMC PowerFlex Rack remediation is available for multiple security vulnerabilities that could be exploited by malicious users to compromise the affected system. --------------------------------------------- https://www.dell.com/support/kbdoc/de-at/000202540/dsa-2022-241-dell-emc-po… ∗∗∗ Virenscanner: Schwachstelle von McAfee erleichtert Angreifern das Einnisten ∗∗∗ --------------------------------------------- Angreifer hätten aufgrund einer Sicherheitslücke im Virenschutz McAfee Security Scan Plus ihre Rechte erhöhen können. Das erleichterte das Einnisten im System. --------------------------------------------- https://heise.de/-7235809 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ruby-tzinfo), Mageia (nvidia-current and nvidia390), SUSE (python-PyYAML, ucode-intel, and zlib), and Ubuntu (linux-aws, postgresql-10, postgresql-12, postgresql-14, and rsync). --------------------------------------------- https://lwn.net/Articles/905265/ ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1076 ∗∗∗ Security Advisory - JAD-AL50: Permission Bypass Vulnerability in Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220819-… ∗∗∗ Security Bulletin: IBM MQ Explorer is vulnerable to an XML External Entity Injection (XXE) attack (CVE-2022-22489) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-explorer-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-35948 and CVE-2022-35949 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Spectrum Discover is vulnerable to Docker CLI (CVE-2021-41092) and Apache Log4j (CVE-2021-4104, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) weaknesses ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-discover-is-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM WebSphere Application Server Liberty and OpenSSL (CVE-2022-2068, CVE-2022-2097, CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in ICU [CVE-2017-14952 and CVE-2020-10531] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-sannav-s… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining . CVE-2022-2048 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.08.2022
by Daily end-of-shift report 18 Aug '22

18 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 17-08-2022 18:00 − Donnerstag 18-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ BlackByte ransomware gang is back with new extortion tactics ∗∗∗ --------------------------------------------- The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit. --------------------------------------------- https://www.bleepingcomputer.com/news/security/blackbyte-ransomware-gang-is… ∗∗∗ Microsoft Sysmon can now block malicious EXEs from being created ∗∗∗ --------------------------------------------- Microsoft has released Sysmon 14 with a new FileBlockExecutable option that lets you block the creation of malicious executables, such as EXE, DLL, and SYS files, for better protection against malware. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-can-now-bl… ∗∗∗ Schwere Lücken: Vorsicht bei VPN-Nutzung auf Apple-Geräten ∗∗∗ --------------------------------------------- Wer über Apples iOS einen VPN-Dienst nutzt, ist nicht so sicher unterwegs, wie man es eigentlich vermuten würde. --------------------------------------------- https://futurezone.at/produkte/schwere-luecken-vorsicht-vpn-apple-iphone-ip… ∗∗∗ Clop: Ransomwaregruppe erpresst wohl falsches Wasserwerk ∗∗∗ --------------------------------------------- Eine Ransomwaregruppe hat sich nach einem Hack eines Wasserversorgungsunternehmens in Großbritannien offenbar vertan und ein anderes Werk erpresst. --------------------------------------------- https://www.golem.de/news/clop-ransomwaregruppe-erpresst-scheinbar-falsches… ∗∗∗ Hacking: Der Bad-USB-Stick Rubber Ducky wird noch gefährlicher ∗∗∗ --------------------------------------------- Mit einer neuen Version des Bad-USB-Sticks Rubber Ducky lassen sich Rechner noch leichter angreifen und neuerdings auch heimlich Daten ausleiten. --------------------------------------------- https://www.golem.de/news/hacking-der-bad-usb-stick-rubber-ducky-wird-noch-… ∗∗∗ Hackers Using Bumblebee Loader to Compromise Active Directory Services ∗∗∗ --------------------------------------------- The malware loader known as Bumblebee is being increasingly co-opted by threat actors associated with BazarLoader, TrickBot, and IcedID in their campaigns to breach target networks for post-exploitation activities. --------------------------------------------- https://thehackernews.com/2022/08/hackers-using-bumblebee-loader-to.html ∗∗∗ Deluge of of entries to Spamhaus blocklists includes various household names ∗∗∗ --------------------------------------------- Nastymail tracking service blames sloppy sending practices for swelling lists of dangerous mailers Spam-tracking service Spamhaus reported Tuesday that some of the worlds biggest brands are getting loose with their email practices, causing its spam blocklists (SBL) to swell significantly. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/08/18/deluge_of_en… ∗∗∗ Real-Time Behavior-Based Detection on Android Reveals Dozens of Malicious Apps on Google Play Store ∗∗∗ --------------------------------------------- Cybersecurity researchers identify 35 apps, many downloaded over 100,000 times, that have been serving up malware to millions of Android users. --------------------------------------------- https://www.bitdefender.com/blog/labs/real-time-behavior-based-detection-on… ∗∗∗ PayPal Phishing Scam Uses Invoices Sent Via PayPal ∗∗∗ --------------------------------------------- Scammers are using invoices sent through PayPal.com to trick recipients into calling a number to dispute a pending charge. --------------------------------------------- https://krebsonsecurity.com/2022/08/paypal-phishing-scam-uses-invoices-sent… ∗∗∗ ASEC Weekly Malware Statistics (August 8th, 2022 – August 14th, 2022) ∗∗∗ --------------------------------------------- This post will list weekly statistics collected from August 8th, 2022 (Monday) to August 14th, 2022 (Sunday). --------------------------------------------- https://asec.ahnlab.com/en/37837/ ∗∗∗ Analyzing the Hidden Danger of Environment Variables for Keeping Secrets ∗∗∗ --------------------------------------------- While DevOps practitioners use environment variables to regularly keep secrets in applications, these could be conveniently abused by cybercriminals for their malicious activities, as our analysis shows. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/h/analyzing-hidden-danger-of-e… ===================== = Vulnerabilities = ===================== ∗∗∗ Aktive Exploits: macOS 12.5.1, iOS 15.6.1 und iPadOS 15.6.1 verfügbar ∗∗∗ --------------------------------------------- Apple legt nochmals Aktualisierungen für seine 2021er Betriebssysteme vor. Grund sind wichtige Sicherheitsfixes. Für die Apple Watch kommt ein Extra-Update. --------------------------------------------- https://heise.de/-7223549 ∗∗∗ Cisco Secure Web Appliance Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- A vulnerability in the web management interface of Cisco AsyncOS for Cisco Secure Web Appliance, formerly Cisco Web Security Appliance (WSA), could allow an authenticated, remote attacker to perform a command injection and elevate privileges to root. --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Webkonferenzen: Teils kritische Lücken in Zoom ∗∗∗ --------------------------------------------- In mehreren Zoom-Varianten stecken teilweise kritische Sicherheitslücken. Updates sollen sie abdichten. Mac-Nutzer müssen erneut aktualisieren. --------------------------------------------- https://heise.de/-7223873 ∗∗∗ TP-Link: Schadcode-Schmuggel durch Sicherheitslücke in Routern ∗∗∗ --------------------------------------------- Sicherheitsforscher aus Vietnam haben im WLAN-Router TL-WR841N von TP-Link einen kritischen Fehler festgestellt, der Code-Ausführung auf dem Gerät ermöglicht. --------------------------------------------- https://heise.de/-7224392 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, epiphany-browser, freecad, and schroot), Fedora (freeciv, microcode_ctl, qemu, and rsync), Oracle (httpd), SUSE (aws-efs-utils, python-ansi2html, python-py, python-pytest-html, python-pytest-metadata, python-pytest-rerunfailures, python-coverage, python-oniconfig, python-unittest-mixins, bluez, curl, gnutls, kernel, ntfs-3g_ntfsprogs, podman, and ucode-intel), and Ubuntu (zlib). --------------------------------------------- https://lwn.net/Articles/905072/ ∗∗∗ Apache ActiveMQ Artemis: Schwachstelle ermöglicht Darstellen falscher Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache ActiveMQ Artemis ausnutzen, um falsche Informationen darzustellen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1069 ∗∗∗ TypeORM 0.3.7 Information Disclosure ∗∗∗ --------------------------------------------- TypeORM 0.3.7 Information Disclosure Risk: I found what I think is a vulnerability in the latest typeorm 0.3.7. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022080057 ∗∗∗ DSA-2022-238: Dell Client BIOS Security Update for Multiple Tianocore EDK2 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.dell.com/support/kbdoc/de-at/000202475/dsa-2022-238-dell-client… ∗∗∗ Security Bulletin: Vulnerability in Moment affects IBM Process Mining . CVE-2022-31129 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-moment-a… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Apr 2022 – Includes Oracle April 2022 CPU (minus CVE-2022-21426)affects IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in FasterXML jackson-databind affects IBM Process Mining . CVE-2020-36518 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-fasterxm… ∗∗∗ Security Bulletin: AIX is vulnerable to arbitrary command execution (CVE-2022-1292 and CVE-2022-2068) or an attacker may obtain sensitive information (CVE-2022-2097) due to OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-arbi… ∗∗∗ Security Bulletin: Multiple vulnerabilities due to OpenSSL and Node js which affect IBM App Connect Enterprise and IBM Integration Bus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-eclipse-jetty-vulnerab… ∗∗∗ Security Bulletin: Samba for IBM i is vulnerable to attacker obtaining sensitive information due to a memory leak with SMB1 requests (CVE-2022-32742) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-samba-for-ibm-i-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Eclipse Jetty affects IBM Process Mining . CVE-2020-36518 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-eclipse-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.08.2022
by Daily end-of-shift report 17 Aug '22

17 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 16-08-2022 18:00 − Mittwoch 17-08-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Malware devs already bypassed Android 13s new security feature ∗∗∗ --------------------------------------------- Android malware developers are already adjusting their tactics to bypass a new Restricted settings security feature introduced by Google in the newly released Android 13. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-devs-already-bypasse… ∗∗∗ SocGholish: 5+ Years of Massive Website Infections ∗∗∗ --------------------------------------------- Earlier this June, we shared information about the ongoing NDSW/NDSX malware campaign which has been one of the most common website infections detected and cleaned by our remediation team in the last few years.This NDSW/NDSX malware — also referred to as FakeUpdates or SocGholish by other research groups — is responsible for redirecting site visitors to malicious pages designed to trick victims into loading and installing fake browser updates. --------------------------------------------- https://blog.sucuri.net/2022/08/socgholish-5-years-of-massive-website-infec… ∗∗∗ RubyGems now requires multi-factor auth for top package maintainers ∗∗∗ --------------------------------------------- Sign-on you crazy diamond: RubyGems.org, the Ruby programming communitys software package registry, now requires maintainers of popular "gems" to secure their accounts using multi-factor authentication (MFA). --------------------------------------------- https://www.theregister.com/2022/08/16/rubygems_package_registry_mfa/ ∗∗∗ Phishing Site used to Spread Typhon Stealer ∗∗∗ --------------------------------------------- During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post wherein researchers mentioned a URL that hosts a Windows executable payload with the name systemupdate.exe. --------------------------------------------- https://blog.cyble.com/2022/08/16/phishing-site-used-to-spread-typhon-steal… ∗∗∗ Cisco-ASA-Firewalls hacken per Metasploit und Open-Source-Tools ∗∗∗ --------------------------------------------- Ein Forscher hat zahlreiche Tools und Metasploit-Module zum Hacken von Cisco-Firewalls veröffentlicht. Ein aktuelles Update hilft nicht gegen eines der Tools. --------------------------------------------- https://heise.de/-7222976 ∗∗∗ Achtung: Disney+ Phishing-Mails im Umlauf! ∗∗∗ --------------------------------------------- Besitzen Sie ein Disney+ Konto? Dann nehmen Sie sich vor betrügerischen Phishing-Nachrichten in Acht. Kriminelle versenden massenhaft E-Mails, in denen behauptet wird, Sie müssten Ihre Zahlungsinformationen aktualisieren, da Ihr Abonnement abgelaufen sei. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-disney-phishing-mails-im-uml… ∗∗∗ How a spoofed email passed the SPF check and landed in my inbox ∗∗∗ --------------------------------------------- The Sender Policy Framework can’t help prevent spam and phishing if you allow billions of IP addresses to send as your domain. --------------------------------------------- https://www.welivesecurity.com/2022/08/16/spoofed-email-passed-spf-check-in… ∗∗∗ Los VMware, noch einmal! ∗∗∗ --------------------------------------------- In den Monaten April und Mai dieses Jahres veröffentlichte VMware zwei Security Advisories (VMSA-2022-0011 & VMSA-2022-0014) zu schwerwiegenden Sicherheitslücken in mehreren Produkten, zu denen teilweise bereits Patches zur Verfügung standen. Besagte Sicherheitsaktualisierungen wurden daraufhin von verschiedenen Bedrohungsakteuren untersucht und dienten als Basis für erste Exploits, welche wiederum bereits binnen 48 Stunden nach dem Erscheinen der Advisories genutzt wurden um großflächig Systeme zu kompromittieren. --------------------------------------------- https://cert.at/de/blog/2022/8/los-vmware-machs-nochmal ∗∗∗ GCP, therefore IAM ∗∗∗ --------------------------------------------- Managing access authorization for your cloud assets is a challenging task. Certainly, when dealing with multiple public/private resources, environments, services, providers, and users. --------------------------------------------- https://blog.checkpoint.com/2022/08/17/gcp-therefore-iam/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in WWBN AVideo web app could lead to command injection, authentication bypass ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the WWBN AVideo web application that could allow an attacker to carry out a wide range of malicious actions, including command injection and authentication bypass. --------------------------------------------- http://blog.talosintelligence.com/2022/08/vuln-spotlight-wwbn-avideo-stream… ∗∗∗ Top Five Patch Management & Process Best Practices ∗∗∗ --------------------------------------------- Explore the top patch management best practices to mitigate the growing threat of vulnerability exploits in your organization. --------------------------------------------- https://www.trendmicro.com/en_us/ciso/22/h/patch-management-process-best-pr… ===================== = Vulnerabilities = ===================== ∗∗∗ RTLS systems vulnerable to MiTM attacks, location manipulation ∗∗∗ --------------------------------------------- Security researchers have uncovered multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems), enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data. --------------------------------------------- https://www.bleepingcomputer.com/news/security/rtls-systems-vulnerable-to-m… ∗∗∗ IBM Security Bulletins 2022-08-16 ∗∗∗ --------------------------------------------- IBM Cloud Pak System, BM Security Verify Governance, IBM Sterling Connect:Direct for Microsoft Windows, IBM InfoSphere Identity Insight, PowerVC. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Google Chrome-Update: Exploit im Umlauf ∗∗∗ --------------------------------------------- Google hat in Chrome mehrere Sicherheitslücken gestopft. Mindestens eine davon gilt dem Hersteller als kritisch. Für eine weitere kursiert bereits ein Exploit. --------------------------------------------- https://heise.de/-7222389 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (epiphany-browser, net-snmp, webkit2gtk, and wpewebkit), Fedora (python-yara and yara), Red Hat (kernel and kpatch-patch), SUSE (ceph, compat-openssl098, java-1_8_0-openjdk, kernel, python-Twisted, rsync, and webkit2gtk3), and Ubuntu (pyjwt and unbound). --------------------------------------------- https://lwn.net/Articles/904955/ ∗∗∗ Quarterly Security Patches Released for Splunk Enterprise ∗∗∗ --------------------------------------------- Splunk this week announced the release of a new set of quarterly patches, to address multiple vulnerabilities in Splunk Enterprise. --------------------------------------------- https://www.securityweek.com/quarterly-security-patches-released-splunk-ent… ∗∗∗ WAGO: Multiple Products Series affected by multiple CODESYS vulnerabilities ∗∗∗ --------------------------------------------- VDE-2022-031Vendor(s)WAGO GmbH & Co. KGProduct(s) Article No° Product Name Affected Version(s) 752-8303/8000-0002EC300 750-8100/xxx-xxxPFC 100 750-8102/xxx-xxxPFC 100 750-8101/xxx-xxxPFC 100 750-8217/xxx-xxxPFC 200 750-8216/xxx-xxxPFC 200 750-8215/xxx-xxxPFC 200 750-8214/xxx-xxxPFC 200 750-8213/xxx-xxxPFC 200 750-8212/xxx-xxxPFC 200 750-8211/xxx-xxxPFC 200 750-8210/xxx-xxxPFC 200 750-8207/xxx-xxxPFC 200 750-8206/xxx-xxxPFC 200 750-8204/xxx-xxxPFC 200 750-8203/xxx-xxxPFC 200 --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-031/ ∗∗∗ WAGO: Multiple product series affected by multiple CODESYS vulnerabilities ∗∗∗ --------------------------------------------- VDE-2022-035Vendor(s)WAGO GmbH & Co. KGProduct(s) Article No° Product Name Affected Version(s) 751-9301CC100 752-8303/8000-0002EC300 750-8100/xxx-xxxPFC 100 750-8102/xxx-xxxPFC 100 750-8101/xxx-xxxPFC 100 750-8216/xxx-xxxPFC 200 750-8215/xxx-xxxPFC 200 750-8214/xxx-xxxPFC 200 750-8213/xxx-xxxPFC 200 750-8212/xxx-xxxPFC 200 750-8211/xxx-xxxPFC 200 750-8210/xxx-xxxPFC 200 750-8207/xxx-xxxPFC 200 750-8206/xxx-xxxPFC 200 750-8204/xxx-xxxPFC 200 750-8203/xxx-xxxPFC 200 750-8202/xxx-xxxPFC --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-035/ ∗∗∗ Microsoft Windows Defender: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1053 ∗∗∗ Ansible Automation Platform: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1058 ∗∗∗ Delta Industrial Automation DRAS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.08.2022
by Daily end-of-shift report 16 Aug '22

16 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 12-08-2022 18:00 − Dienstag 16-08-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ SOVA malware adds ransomware feature to encrypt Android devices ∗∗∗ --------------------------------------------- The SOVA Android banking trojan continues to evolve with new features, code improvements, and the addition of a new ransomware feature that encrypts files on mobile devices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/sova-malware-adds-ransomware… ∗∗∗ John Deere: Hacker präsentiert Jailbreak für Traktoren ∗∗∗ --------------------------------------------- Nicht nur Telefonhersteller vernageln ihre Geräte. Der Hacker Sick Codes zeigt, wie Root-Zugriff auf die Systeme der Traktoren zu erlangen ist. --------------------------------------------- https://www.golem.de/news/john-deere-ein-hacker-praesentiert-ein-jailbreak-… ∗∗∗ Threat in your browser: what dangers innocent-looking extensions hold for users ∗∗∗ --------------------------------------------- In this research, we observed various types of threats that mimic useful web browser extensions, and the number of users attacked by them. --------------------------------------------- https://securelist.com/threat-in-your-browser-extensions/107181/ ∗∗∗ Two more malicious Python packages in the PyPI ∗∗∗ --------------------------------------------- We used our internal automated system for monitoring open-source repositories and discovered two other malicious Python packages in the PyPI. --------------------------------------------- https://securelist.com/two-more-malicious-python-packages-in-the-pypi/10721… ∗∗∗ Disrupting SEABORGIUM’s ongoing phishing operations ∗∗∗ --------------------------------------------- The Microsoft Threat Intelligence Center (MSTIC) has observed and taken actions to disrupt campaigns launched by SEABORGIUM in campaigns involve persistent phishing and credential theft campaigns leading to intrusions and data theft. --------------------------------------------- https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-o… ∗∗∗ Realtek SDK SIP ALG Vulnerability: A Big Deal, but not much you can do about it. CVE 2022-27255, (Sun, Aug 14th) ∗∗∗ --------------------------------------------- On Friday, Octavio Gianatiempo & Octavio Galland released details about a vulnerability in Realtek's eCos SDK. --------------------------------------------- https://isc.sans.edu/diary/rss/28940 ∗∗∗ Finanzsanierungen nicht mit Krediten verwechseln! ∗∗∗ --------------------------------------------- Kreditsuchende stoßen bei ihren Recherchen immer wieder auf Werbeanzeigen für Finanzsanierungsangebote. Achtung: Bei Finanzsanierungsangeboten handelt es sich um keine Kredite, sondern um eine sogenannte Schuldenregulierung. Diese ist in Österreich kostenlos erhältlich, weshalb bei kostenpflichtigen Angeboten zu Abstand zu raten ist! --------------------------------------------- https://www.watchlist-internet.at/news/finanzsanierungen-nicht-mit-krediten… ∗∗∗ Typosquatting Campaign Targeting Python’s Top Packages, Dropping GitHub Hosted Malware with DGA Capabilities ∗∗∗ --------------------------------------------- On Saturday, August 13th, Checkmarx’s Software Supply Chain Security Typosquatting engine detected a large-scale attack on the Python ecosystem with multi-stage persistent malware. --------------------------------------------- https://checkmarx.com/blog/typosquatting-campaign-targeting-pythons-top-pac… ∗∗∗ What Exposed OPA Servers Can Tell You About Your Applications ∗∗∗ --------------------------------------------- This blog entry discusses what an OPA is and what it’s for, what we’ve discovered after identifying 389 exposed OPA servers via Shodan, and how exposed OPAs can negatively impact your applications’ overall security. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/h/what-exposed-opa-servers-can… ===================== = Vulnerabilities = ===================== ∗∗∗ Evil PLC Attack: Using a Controller as Predator Rather than Prey ∗∗∗ --------------------------------------------- Team82 has developed a novel attack that weaponizes programmable logic controllers (PLCs) in order to exploit engineering workstations and further invade OT and enterprise networks. --------------------------------------------- https://claroty.com/team82/blog/evil-plc-attack-using-a-controller-as-preda… ∗∗∗ Process injection: breaking all macOS security layers with a single vulnerability ∗∗∗ --------------------------------------------- In this post, we will first describe what process injection is, then the details of this vulnerability and finally how we abused it. --------------------------------------------- https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-ma… ∗∗∗ Database Integrity Vulnerabilities in Boeing’s Onboard Performance Tool ∗∗∗ --------------------------------------------- Security gaps in older, unprotected Windows desktop versions of Boeing’s Onboard Performance Tool (OPT) could make certain Electronic Flight Bags (EFB) more susceptible to attack. --------------------------------------------- https://www.pentestpartners.com/security-blog/database-integrity-vulnerabil… ∗∗∗ IBM Security Bulletins 2022-08-15 ∗∗∗ --------------------------------------------- IBM Sterling B2B Integrator, IBM SPSS Modeler, IBM Cloud Pak System, IBM Sterling File Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Zoom für macOS: Update-Funktion reißt Sicherheitslücke ∗∗∗ --------------------------------------------- Die populäre Videokonferenz-App hat auf dem Mac einmal mehr ein Security-Problem. Nutzer sollten dringend aktualisieren. Perfekt ist der Fix noch nicht. --------------------------------------------- https://heise.de/-7219942 ∗∗∗ DefCon 30: Unsicherheiten durch Microsoft in UEFI Secure Boot ∗∗∗ --------------------------------------------- Microsofts ausschweifende Signier-Praxis produziert Schwachstellen der Secure-Boot-Umgebung. Das kritisierten Sicherheitsforscher auf der DefCon 30. --------------------------------------------- https://heise.de/-7221728 ∗∗∗ Fernwartung: Kritische Sicherheitslücken in HPE Integrated Lights-Out (iLO) ∗∗∗ --------------------------------------------- Die Fernverwaltung HPE Integrated Lights-Out ermöglichte Angreifern das Einschmuggeln von Schadcode. Aktualisierte Software behebt die Fehler. --------------------------------------------- https://heise.de/-7219923 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (trafficserver), Fedora (freeciv, gnutls, kernel, libldb, mingw-gdk-pixbuf, owncloud-client, rust-ffsend, samba, thunderbird, and zlib), Gentoo (apache, binutils, chromium, glibc, gstreamer, libarchive, libebml, nokogiri, puma, qemu, xen, and xterm), Mageia (golang, libtiff, poppler, python-django, and ruby-sinatra), Red Hat (.NET 6.0 and .NET Core 3.1), SUSE (chromium, cifs-utils, kernel, open-iscsi, and trousers), and Ubuntu (webkit2gtk). --------------------------------------------- https://lwn.net/Articles/904741/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (kernel), Fedora (webkit2gtk3), Oracle (.NET 6.0, .NET Core 3.1, kernel, and kernel-container), Slackware (rsync), and SUSE (canna, ceph, chromium, curl, kernel, opera, python-Twisted, and seamonkey). --------------------------------------------- https://lwn.net/Articles/904842/ ∗∗∗ Vulnerability Spotlight: Three vulnerabilities in HDF5 file format could lead to remote code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered three vulnerabilities in a library that works with the HDF5 file format that could allow an attacker to execute remote code on a targeted device. --------------------------------------------- http://blog.talosintelligence.com/2022/08/vuln-spotlight-hdf5-library.html ∗∗∗ TRUMPF: Products prone to Unified Automation vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-034/ ∗∗∗ Google Android: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1042 ∗∗∗ CoreDNS: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1047 ∗∗∗ ESRI ArcGIS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1046 ∗∗∗ npm: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1049 ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1048 ∗∗∗ Yokogawa CENTUM Controller FCS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-01 ∗∗∗ LS ELECTRIC PLC and XG5000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-02 ∗∗∗ Softing Secure Integration Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-04 ∗∗∗ B&R Industrial Automation Automation Studio 4 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-05 ∗∗∗ Emerson Proficy Machine Edition ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-06 ∗∗∗ Sequi PortBloque S ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-228-07 ∗∗∗ Two DoS vulnerabilities eliminated from Mitsubishi industrial controllers ∗∗∗ --------------------------------------------- https://www.ptsecurity.com/ww-en/about/news/two-dos-vulnerabilities-elimina… ∗∗∗ Multiple Vulnerabilities in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-22 ∗∗∗ Multiple Vulnerabilities in Apache HTTP Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-23 ∗∗∗ Remote Support Authentication Vulnerability in IBM Spectrum Virtualize and Lenovo Storage V Series ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500514-REMOTE-SUPPORT-AUTHENTI… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.08.2022
by Daily end-of-shift report 12 Aug '22

12 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 11-08-2022 18:00 − Freitag 12-08-2022 18:00 Handler: Stephan Richter Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ I’m a security reporter and got fooled by a blatant phish ∗∗∗ --------------------------------------------- Think youre too smart to be fooled by a phisher? Think again. --------------------------------------------- https://arstechnica.com/?p=1873356 ∗∗∗ The Importance of Website Logs ∗∗∗ --------------------------------------------- In this post, we’ll explain why logs are so important and help you understand how to use website logs to level up your security and maintain compliance. --------------------------------------------- https://blog.sucuri.net/2022/08/importance-of-website-logs-for-security.html ∗∗∗ Conti Cybercrime Cartel Using BazarCall Phishing Attacks as Initial Attack Vector ∗∗∗ --------------------------------------------- A trio of offshoots from the notorious Conti cybercrime cartel have resorted to the technique of call-back phishing as an initial access vector to breach targeted networks. --------------------------------------------- https://thehackernews.com/2022/08/conti-cybercrime-cartel-using-bazarcall.h… ∗∗∗ Sloppy Software Patches Are a ‘Disturbing Trend’ ∗∗∗ --------------------------------------------- The Zero Day Initiative has found a concerning uptick in security updates that fail to fix vulnerabilities. --------------------------------------------- https://www.wired.com/story/software-patch-flaw-uptick-zdi/ ∗∗∗ Monster Libra (TA551/Shathak) pushes IcedID (Bokbot) with Dark VNC and Cobalt Strike ∗∗∗ --------------------------------------------- Since 2019, threat actor Monster Libra (also known as TA551 or Shathak) has pushed different families of malware. --------------------------------------------- https://isc.sans.edu/diary/rss/28934 ∗∗∗ Details zum Einbruch bei Cisco – Einfallstor persönliches Google-Konto ∗∗∗ --------------------------------------------- Cisco wurde Opfer eines Cyber-Angriffs, bei dem Kriminelle Zugriff auf das interne Netz erlangten. Jetzt veröffentlicht das Unternehmen Details dazu. --------------------------------------------- https://heise.de/-7218236 ∗∗∗ Input-Device-Monitoring bei Windows: Finde die Wanze! ∗∗∗ --------------------------------------------- Für moderne Malware, die im Userland agiert, sind forensische Aufspürmethoden für Abhörversuche quasi nicht existent. Ein Forscherteam will Abhilfe schaffen. --------------------------------------------- https://heise.de/-7218864 ∗∗∗ O’Neill-Kleidung online kaufen? Nicht auf backmanboats.com! ∗∗∗ --------------------------------------------- Wir erhalten immer wieder Meldungen zu Online-Shops, die entweder gar keine Ware verschicken oder etwas, das nichts mit der Produktbeschreibung zu tun hat. Haben Sie ein teures Marken T-Shirt bestellt, aber eine billige Kopie erhalten? Solche Online-Shops nennt man Markenfälscher, da sie angeben, bekannte Marken wie O'Neill zu verkaufen. --------------------------------------------- https://www.watchlist-internet.at/news/oneill-kleidung-online-kaufen-nicht-… ∗∗∗ CISA Adds Two Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/08/11/cisa-adds-two-kno… ∗∗∗ Windows Sicherheitsupdate KB5012170 für Secure Boot DBX (9. August 2022) ∗∗∗ --------------------------------------------- Noch ein kurzer Nachtrag vom Patchday, 9. August 2022. Dort wurde auch ein Sicherheitsupdate für das Secure Boot Modul durch Microsoft bereitgestellt. --------------------------------------------- https://www.borncity.com/blog/2022/08/12/windows-sicherheitsupdate-kb501217… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers Find Vulnerability in Software Underlying Discord, Microsoft Teams, and Other Apps ∗∗∗ --------------------------------------------- The popular apps used by millions of users all run the same software, called Electron. --------------------------------------------- https://www.vice.com/en/article/m7gb7y/researchers-find-vulnerability-in-so… ∗∗∗ Groupware Zimbra "trivial angreifbar" – Admins sollten schnell updaten ∗∗∗ --------------------------------------------- Mit der Verkettung zweier Security-Bugs in der Groupware haben Angreifer seit Ende Juni tausende Zimbra-Installationen übernommen. --------------------------------------------- https://heise.de/-7218354 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28, libtirpc, postgresql-11, and samba), Fedora (microcode_ctl, wpebackend-fdo, and xen), Oracle (.NET 6.0, galera, mariadb, and mysql-selinux, and kernel), SUSE (dbus-1 and python-numpy), and Ubuntu (booth). --------------------------------------------- https://lwn.net/Articles/904549/ ∗∗∗ OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities ∗∗∗ --------------------------------------------- OT and IoT cybersecurity company SCADAfence has discovered potentially serious vulnerabilities in a widely used building management system made by Alerton, a brand of industrial giant Honeywell. --------------------------------------------- https://www.securityweek.com/ot-security-firm-warns-safety-risks-posed-aler… ∗∗∗ Realtek SDK Vulnerability Exposes Routers From Many Vendors to Remote Attacks ∗∗∗ --------------------------------------------- A serious vulnerability affecting the eCos SDK made by Taiwanese semiconductor company Realtek could expose the networking devices of many vendors to remote attacks. --------------------------------------------- https://www.securityweek.com/realtek-sdk-vulnerability-exposes-routers-many… ∗∗∗ Bitdefender: Schwachstelle in Device42 ∗∗∗ --------------------------------------------- Wegen einer mittlerweile behobenen Schwachstelle in Device42 gibt Bitdefender eine Empfehlung zum Update auf die Version 18.01.00 von Device42. --------------------------------------------- https://www.zdnet.de/88402845/bitdefender-schwachstelle-in-device42/ ∗∗∗ Vulnerabilities on Xiaomi’s mobile payment mechanism which could allow forged transactions : A Check Point Research analysis ∗∗∗ --------------------------------------------- Check Point Research (CPR) analyzed the payment system built into Xiaomi smartphones powered by MediaTek chips CPR found vulnerabilities that could allow forging of payment and disabling the payment system directly. --------------------------------------------- https://blog.checkpoint.com/2022/08/12/vulnerabilities-on-xiaomis-mobile-pa… ∗∗∗ VU#309662: Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/309662 ∗∗∗ Security Bulletin: Watson Knowledge Catalog InstaScan is vulnerable to an XML External Entity (XXE) Injection vulnerability due to IBM WebSphere Application Server Liberty ( CVE-2021-20492 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-knowledge-catalog-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to remote code execution due to Apache Commons Configuration (CVE-2022-33980) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for July 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to remote connection exploit by Go CVE-2022-30629 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote code execution due to ejs [CVE-2022-29078] ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote authenticated attacker due to Node.js (CVE-2022-29244, CVE-2022-33987) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker to cause a denial of service or low integrity impact due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ PostgreSQL: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-1013 ∗∗∗ Emerson ROC800, ROC800L and DL8000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-223-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.08.2022
by Daily end-of-shift report 11 Aug '22

11 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 10-08-2022 18:00 − Donnerstag 11-08-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ OpenTIP, command line edition ∗∗∗ --------------------------------------------- We released Python-based command line tools for our OpenTIP service that also implement a client class that you can reuse in your own tools. --------------------------------------------- https://securelist.com/opentip-command-line-edition/107109/ ∗∗∗ InfoStealer Script Based on Curl and NSudo, (Thu, Aug 11th) ∗∗∗ --------------------------------------------- If sudo is a well known tool used daily by most UNIX system administrators, NSudo remains less below the radar. This is a tool running on Microsoft Windows which allows you to execute processes with different access tokens and privileges like System, TrustedInstaller and CurrentUser. --------------------------------------------- https://isc.sans.edu/diary/rss/28932 ∗∗∗ capa v4: casting a wider .NET ∗∗∗ --------------------------------------------- We are excited to announce version 4.0 of capa with support for analyzing .NET executables. This open-source tool automatically identifies capabilities in programs using an extensible rule set. The tool supports both malware triage and deep dive reverse engineering. --------------------------------------------- https://www.mandiant.com/resources/capa-v4-casting-wider-net ∗∗∗ Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study ∗∗∗ --------------------------------------------- A recently uncovered malware sample dubbed ‘Saitama’ was uncovered by security firm Malwarebytes in a weaponized document, possibly targeted towards the Jordan government. This Saitama implant uses DNS as its sole Command and Control channel and utilizes long sleep times and (sub)domain randomization to evade detection. --------------------------------------------- https://research.nccgroup.com/2022/08/11/detecting-dns-implants-old-kitten-… ∗∗∗ Palo Alto Networks Firewalls Targeted for Reflected, Amplified DDoS Attacks ∗∗∗ --------------------------------------------- Palo Alto Networks is working on fixes for a reflected amplification denial-of-service (DoS) vulnerability that impacts PAN-OS, the platform powering its next-gen firewalls. --------------------------------------------- https://www.securityweek.com/palo-alto-networks-firewalls-targeted-reflecte… ∗∗∗ Years after claiming DogWalk wasn’t a vulnerability, Microsoft confirms flaw is being exploited and issues patch ∗∗∗ --------------------------------------------- This week Microsoft finally released a patch for a zero-day security flaw being exploited by hackers, that the company had claimed since 2019 was not actually a vulnerability. --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/years-after-claiming-dogwal… ∗∗∗ BlueSky Ransomware: Fast Encryption via Multithreading ∗∗∗ --------------------------------------------- BlueSky ransomware is an emerging family that has adopted modern techniques to evade security defenses. --------------------------------------------- https://unit42.paloaltonetworks.com/bluesky-ransomware/ ∗∗∗ AA22-223A: #StopRansomware: Zeppelin Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known Zeppelin ransomware IOCs and TTPs associated with ransomware variants identified through FBI investigations as recently as 21 June 2022. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-223a ∗∗∗ Cisco Talos shares insights related to recent cyber attack on Cisco ∗∗∗ --------------------------------------------- On May 24, 2022, Cisco became aware of a potential compromise. Since that point, Cisco Security Incident Response (CSIRT) and Cisco Talos have been working to remediate. --------------------------------------------- http://blog.talosintelligence.com/2022/08/recent-cyber-attack.html ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Flaws Disclosed in Device42 IT Asset Management Software ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed multiple severe security vulnerabilities asset management platform Device42 that, if successfully exploited, could enable a malicious actor to seize control of affected systems. --------------------------------------------- https://thehackernews.com/2022/08/critical-flaws-disclosed-in-device42-it.h… ∗∗∗ [R1] Nessus Version 8.15.6 Fixes Multiple Vulnerabilities ∗∗∗ --------------------------------------------- Two separate vulnerabilities that utilize the Audit functionality in Nessus were discovered, reported and fixed. --------------------------------------------- https://www.tenable.com/security/tns-2022-16 ∗∗∗ Cisco: Angreifer könnten an private RSA-Schlüssel in ASA und Firepower gelangen ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco schließt mit aktualisierter Software eine Sicherheitslücke in ASA und Firepower. Angreifer könnten private RSA-Keys auslesen. --------------------------------------------- https://heise.de/-7216863 ∗∗∗ Kritische Sicherheitslücke in Zoho ManageEngine OpManager ∗∗∗ --------------------------------------------- Zoho hat Updates veröffentlicht, die eine kritische und weitere Sicherheitslücken in ManageEngine OpManager schließen. Angreifer könnten unbefugt zugreifen. --------------------------------------------- https://heise.de/-7217521 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Gentoo (aiohttp, faac, isync, motion, and nextcloud), Red Hat (.NET 6.0), SUSE (libnbd, oracleasm, python-codecov, rubygem-tzinfo, sssd, and thunderbird), and Ubuntu (http-parser, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, linux-aws, linux-aws-5.15, linux-azure, linux-azure-5.15, linux-gcp, linux-gcp-5.15, linux-gke, linux-gke-5.15, linux-ibm, linux-kvm, linux-oracle, linux-raspi, linux-intel-iotg, linux-oem-5.14, linux-oem-5.17, and node-moment). --------------------------------------------- https://lwn.net/Articles/904457/ ∗∗∗ Organizations Warned of Critical Vulnerabilities in NetModule Routers ∗∗∗ --------------------------------------------- Flashpoint is warning organizations of two newly identified critical vulnerabilities in NetModule Router Software (NRSW) that could be exploited in attacks. --------------------------------------------- https://www.securityweek.com/organizations-warned-critical-vulnerabilities-… ∗∗∗ BOSCH-SA-463993: SafeLogic Designer vulnerabilities ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-463993.html ∗∗∗ Drupal: jQuery UI Checkboxradio - Moderately critical - Cross site scripting - SA-CONTRIB-2022-052 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-052 ∗∗∗ Security Bulletin: Vulnerability in the Node.js got module affects IBM Event Streams (CVE-2022-33987) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-node… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to denial of service due to CVE-2022-31129 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote access due to Go CVE-2022-29526 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to information disclosure CVE-2022-30629 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.08.2022
by Daily end-of-shift report 10 Aug '22

10 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 09-08-2022 18:00 − Mittwoch 10-08-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ BSI warnt vor dem Einsatz unsicherer Funk-Türschlösser der Marke ABUS ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt nach §7 BSI-Gesetz vor dem Einsatz des digitalen Türschlosses "HomeTec Pro CFA3000" des Herstellers ABUS und empfiehlt, das Produkt zu ersetzen. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse202… ∗∗∗ Achtung: Fake-Shops! Kaufen Sie nichts bei diesen Garten-Online-Shops ∗∗∗ --------------------------------------------- Online finden Sie viele Shops zu jedem Bereich. Auch Garten-Shops bilden da keine Ausnahme. Die Online-Shops gartenland-paradies.de, home-garten-shop.de und rasengarten.com sind allesamt Fake-Shops und versuchen, Sie zu betrügen. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-fake-shops-kaufen-sie-nichts… ∗∗∗ Microsoft veröffentlicht Bedrohungsmatrix zu Azure für Sicherheits-Evaluierungen ∗∗∗ --------------------------------------------- Analog zum in Sicherheitskreisen vielgenutzten MITRE ATT&CK Framework hat Microsoft für Azure und Azure AD Informationen zu potenziellen Angriffen aufbereitet. --------------------------------------------- https://heise.de/-7216398 ∗∗∗ UnRAR Vulnerability Exploited in the Wild, Likely Against Zimbra Servers ∗∗∗ --------------------------------------------- The US Cybersecurity and Infrastructure Security Agency (CISA) revealed on Tuesday that a recently patched vulnerability affecting the UnRAR archive extraction tool is being exploited in the wild. --------------------------------------------- https://www.securityweek.com/unrar-vulnerability-exploited-wild-likely-agai… ∗∗∗ Novel News on Cuba Ransomware aka Greetings From Tropical Scorpius ∗∗∗ --------------------------------------------- Beginning in early May 2022, Unit 42 observed a threat actor deploying Cuba Ransomware using novel tools and techniques. Using our naming schema, Unit 42 tracks the threat actor as Tropical Scorpius. --------------------------------------------- https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/ ∗∗∗ 10 malicious PyPI packages found stealing developers credentials ∗∗∗ --------------------------------------------- Threat analysts have discovered ten malicious Python packages on the PyPI repository, used to infect developers systems with password-stealing malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/10-malicious-pypi-packages-f… ∗∗∗ VileRAT: DeathStalker’s continuous strike at foreign and cryptocurrency exchanges ∗∗∗ --------------------------------------------- VileRAT is a Python implant, part of an evasive and highly intricate attack campaign against foreign exchange and cryptocurrency trading companies. --------------------------------------------- https://securelist.com/vilerat-deathstalkers-continuous-strike/107075/ ∗∗∗ Security Update Guide Notification System News: Create your profile now ∗∗∗ --------------------------------------------- Sharing information through the Security Update Guide (SUG) is an important part of our ongoing effort to help customers manage security risks and keep systems protected. --------------------------------------------- https://msrc-blog.microsoft.com/2022/08/09/security-update-guide-notificati… ∗∗∗ Attacking and Remediating Excessive Network Share Permissions in Active Directory Environments ∗∗∗ --------------------------------------------- In this blog, I’ll explain how to quickly inventory, exploit, and remediate network shares configured with excessive permissions at scale in Active Directory environments. Excessive share permissions represent a risk that can lead to data exposure, privilege escalation, and ransomware attacks within enterprise environments. --------------------------------------------- https://www.netspi.com/blog/technical/network-penetration-testing/network-s… ∗∗∗ Discovering Domains via a Timing Attack on Certificate Transparency ∗∗∗ --------------------------------------------- There is a flaw in a way that deployment of TLS certificates might be set up. It allows anyone to discover all domain names used by the same server. Sometimes, even when there is no HTTPS there! --------------------------------------------- https://swarm.ptsecurity.com/discovering-domains-via-timing-attack/ ∗∗∗ The Security Pros and Cons of Using Email Aliases ∗∗∗ --------------------------------------------- One way to tame your email inbox is to get in the habit of using unique email aliases when signing up for new accounts online. Adding a "+" character after the username portion of your email address -- followed by a notation specific to the site youre signing up at -- lets you create an infinite number of unique email addresses tied to the same account. --------------------------------------------- https://krebsonsecurity.com/2022/08/the-security-pros-and-cons-of-using-ema… ===================== = Vulnerabilities = ===================== ∗∗∗ Neue Sicherheitslücken in AMD- und Intel-Prozessoren: AEPIC & SQUIP ∗∗∗ --------------------------------------------- Internationale Expertenteams weisen Schwachstellen in zahlreichen aktuellen CPU-Typen von AMD und Intel nach, die auch künftige ARM-Chips treffen könnten. --------------------------------------------- https://heise.de/-7211904 ∗∗∗ Intel Patches Severe Vulnerabilities in Firmware, Management Software ∗∗∗ --------------------------------------------- Intel on Tuesday published 27 security advisories detailing roughly 60 vulnerabilities across firmware, software libraries, and endpoint and data center management products. --------------------------------------------- https://www.securityweek.com/intel-patches-severe-vulnerabilities-firmware-… ∗∗∗ Microsoft Security Update Summary (9. August 2022) ∗∗∗ --------------------------------------------- Am 9. August 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen zudem 118 Schwachstellen, davon 17 kritisch und zwei 0-day-Schwachstellen. --------------------------------------------- https://www.borncity.com/blog/2022/08/10/microsoft-security-update-summary-… ∗∗∗ Exchange Server Sicherheitsupdates (9. August 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 9. August Sicherheitsupdates für Exchange Server 2013, Exchange Server 2016 und Exchange Server 2019 veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/08/10/exchange-server-sicherheitsupdates… ∗∗∗ Patchday: Adobe schließt kritische Lücken in Commerce und Kreativprogrammen ∗∗∗ --------------------------------------------- Adobe schließt zum August-Patchday mehrere, teils kritische Sicherheitslücken. Betroffen sind Adobe Commerce und Magento sowie PDF- und Kreativ-Software. --------------------------------------------- https://heise.de/-7215839 ∗∗∗ Jetzt handeln! Exploit-Code für VMware-Lücke aufgetaucht, neue Updates verfügbar ∗∗∗ --------------------------------------------- VMware hat für neu entdeckte Sicherheitslücken Updates bereitgestellt. Für eine ältere Schwachstelle ist jetzt Exploit-Code aufgetaucht, warnt der Hersteller. --------------------------------------------- https://heise.de/-7216296 ∗∗∗ IBM Security Bulletins 2022-08-09 ∗∗∗ --------------------------------------------- IBM Netezza, IBM Sterling Connect, IBM MQ Operator, IBM Queue manager, IBM Cloud Pak, IBM Sterling B2B Integrator, IBM Event Streams, IBM InfoSphere Information Server, IBM Process Mining. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lenovo Product Security Advisories and Announcements 2022-08-09 ∗∗∗ --------------------------------------------- Lenovo published 9 security advisories. --------------------------------------------- https://support.lenovo.com/de/de/product_security/home ∗∗∗ Dell Security Advisories and Notices ∗∗∗ --------------------------------------------- Dell published 1 security advisory. --------------------------------------------- https://www.dell.com/support/security/en-us/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gst-plugins-good1.0), Fedora (firefox and ghostscript), Gentoo (consul, firefox, libass, libraw, lxml, mdbtools, pam_u2f, spice, and thunderbird), Oracle (kernel, kernel-container, and vim), Red Hat (galera, mariadb, and mysql-selinux, kernel, and kernel-rt), Scientific Linux (kernel), SUSE (bind, java-11-openjdk, kernel, mokutil, ncurses, and u-boot), and Ubuntu (epiphany-browser, libcdio, linux, linux-aws, linux-azure-4.15, linux-dell300x, linux-gcp-4.15, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-oracle). --------------------------------------------- https://lwn.net/Articles/904374/ ∗∗∗ PaloAlto Networks PAN-OS: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in PaloAlto Networks PAN-OS ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, Code zur Ausführung zu bringen, einen Denial of Service Angriff durchzuführen oder vertrauliche Daten einzusehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0952 ∗∗∗ FreeBSD: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in FreeBSD ausnutzen, um einen Denial of Service Angriff durchzuführen, Informationen offenzulegen oder Code auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0995 ∗∗∗ F5: K21600298: OpenSSL vulnerability CVE-2022-1292 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21600298 ∗∗∗ Red Hat Ceph Storage: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0979 ∗∗∗ Apache Traffic Server: Mehrere Schwachstellen ermöglichen Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0992 ∗∗∗ Atlassian Jira Software: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0989 ∗∗∗ Citrix Hypervisor Security Bulletin for CVE-2022-33745 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX463455/citrix-hypervisor-security-bul… ∗∗∗ SonicWall SMA1000 CVE-2021-33909 and CVE-2022-0847 ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0015 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.08.2022
by Daily end-of-shift report 09 Aug '22

09 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Montag 08-08-2022 18:00 − Dienstag 09-08-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Kollaborationssoftware: Slack schließt jahrelanges Datenleck ∗∗∗ --------------------------------------------- Slack hat etliche Nutzer aufgefordert, ihr Passwort zu ändern. Über eine Sicherheitslücke wurden über Jahre Hashes der Passwörter versendet. --------------------------------------------- https://www.golem.de/news/kollaborationssoftware-slack-schliesst-jahrelange… ∗∗∗ The Truth About False Positives in Security ∗∗∗ --------------------------------------------- As weird as it might sound, seeing a few false positives reported by a security scanner is probably a good sign and certainly better than seeing none. Lets explain why. --------------------------------------------- https://thehackernews.com/2022/08/the-truth-about-false-positives-in.html ∗∗∗ Cyberangriffe auf Medizingeräte: Risikobewusstsein hoch, aber wenig Prävention ∗∗∗ --------------------------------------------- Seit 2020 fahren Cyberkriminelle ihre Angriffe verstärkt auf Gesundheitsinfrastrukturen. Schlecht gesicherte IoMT/IoT-Geräte erleichtern ihnen die Arbeit. --------------------------------------------- https://heise.de/-7206153 ∗∗∗ IT-Sicherheit: meistverbreitete Malware-Stämme im Jahr 2021 ∗∗∗ --------------------------------------------- Die US-IT-Sicherheitsbehörde CISA und das australische Cyber Security Center haben zusammengetragen, welche Malware-Stämme 2021 am häufigsten beobachtet wurden. --------------------------------------------- https://heise.de/-7206775 ∗∗∗ Twilio: Konten von Mitarbeitern und Kunden kompromittiert ∗∗∗ --------------------------------------------- Angestellte des Diensteanbieters Twilio sind Opfer von Phishing-Angriffen geworden. Die Angreifer konnten unbefugt auf Informationen zugreifen. --------------------------------------------- https://heise.de/-7207070 ∗∗∗ Open Redirect Flaws in American Express and Snapchat Exploited in Phishing Attacks ∗∗∗ --------------------------------------------- Open redirect vulnerabilities affecting American Express and Snapchat websites were exploited earlier this year as part of phishing campaigns targeting Microsoft 365 users, email security firm Inky reports. --------------------------------------------- https://www.securityweek.com/open-redirect-flaws-american-express-and-snapc… ∗∗∗ Günstiges Brennholz: Vorsicht vor Fake-Angeboten im Facebook Marketplace ∗∗∗ --------------------------------------------- Sie haben auf Facebook ein günstiges Angebot für Brennholz gefunden? Vorsicht: Möglicherweise handelt es sich um ein betrügerisches Inserat. Überprüfen Sie das Angebot und Verkäufer:innen sehr genau und zahlen Sie nicht vorab! --------------------------------------------- https://www.watchlist-internet.at/news/guenstiges-brennholz-vorsicht-vor-fa… ∗∗∗ Shodan Verified Vulns 2022-08-01 ∗∗∗ --------------------------------------------- Im Vergleich zum Juli gab es praktisch keine Veränderung. Die Schwachstellen FREAK (CVE-2015-0204) und Logjam (CVE-2015-4000) sind in den Daten für diesen Monat nicht enthalten (bzw. wird die Anzahl für beide mit 0 angegeben). Dabei handelt es sich aber offensichtlich um einen Fehler, auch bei den Shodan Trends ist für beide Schwachstellen ein plötzlicher Abfall zu sehen. Ob das seitens Shodan beabsichtig ist, da vielleicht nicht mehr nach diesen CVEs gescannt wird, wissen wir derzeit nicht; sachdienliche Hinweise dazu nehmen wir aber dankend entgegen. --------------------------------------------- https://cert.at/de/aktuelles/2022/8/shodan-verified-vulns-2022-08-01 ∗∗∗ SmarterTrack Full disclosure ∗∗∗ --------------------------------------------- On 27 October 2021 Wietse Boonstra found several vulnerabilities in the latest version of SmarterTrack. There were two XSS, an unauthenticated download and an upload / overwrite vulnerability. The researcher Wietse Boonstra and Finn van der Knaap, examined the vulnerability and made the proof of concept. --------------------------------------------- https://csirt.divd.nl/2022/08/09/Smartertrak-Full-Disclosure/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- Platform Navigator and Automation Assets in IBM Cloud Pak for Integration, IBM Netezza for Cloud Pak for Data, node.js, IBM® SDK Java Technology Edition (Version 8), IBM Security SiteProtector System, Spring Framework, IBM Workload Scheduler, Liberty for Java for IBM Cloud. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Siemens Security Advisories ∗∗∗ --------------------------------------------- 4 new, 38 updated --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-08#Sec… ∗∗∗ Schneider Electric Security Advisories ∗∗∗ --------------------------------------------- Schneider Electric released 11 security advisories. --------------------------------------------- https://www.se.com/ww/en/work/support/cybersecurity/security-notifications.… ∗∗∗ AUMA: Multiple Vulnerabilities in Automation Runtime NTP Service ∗∗∗ --------------------------------------------- The SIMA² Master Station features an NTP service based on ntpd, a reference implementation of the Network Time Protocol (NTP). --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-032/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnutls28 and unzip), Fedora (dovecot and net-snmp), Red Hat (kernel-rt and vim), and Ubuntu (gst-plugins-good1.0). --------------------------------------------- https://lwn.net/Articles/904271/ ∗∗∗ SAP Patchday August 2022 ∗∗∗ --------------------------------------------- Ein Angreifer aus dem angrenzenden Netzwerk oder ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in SAP Software ausnutzen, um Sicherheitsvorkehrungen zu umgehen und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0949 ∗∗∗ Keycloak: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0948 ∗∗∗ ImageMagick: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0946 ∗∗∗ NetApp StorageGRID: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0945 ∗∗∗ Red Hat OpenShift Service Mesh: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0944 ∗∗∗ Mitsubishi Electric GT SoftGOT2000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-221-01 ∗∗∗ Emerson ControlWave ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-221-02 ∗∗∗ Emerson OpenBSI ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-221-03 ∗∗∗ Open Source Varnish Cache Denial of Service ∗∗∗ --------------------------------------------- https://docs.varnish-software.com/security/VSV00009/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.08.2022
by Daily end-of-shift report 08 Aug '22

08 Aug '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 05-08-2022 18:00 − Montag 08-08-2022 18:00 Handler: Stephan Richter Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New GwisinLocker ransomware encrypts Windows and Linux ESXi servers ∗∗∗ --------------------------------------------- A new ransomware family called GwisinLocker targets South Korean healthcare, industrial, and pharmaceutical companies with Windows and Linux encryptors, including support for encrypting VMware ESXi servers and virtual machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-gwisinlocker-ransomware-… ∗∗∗ Microsoft Office to publish symbols starting August 2022 ∗∗∗ --------------------------------------------- We are excited to announce that Microsoft Office will begin publishing Office symbols for Windows via the Microsoft Public Symbol Server on August 9th 2022. The publication of Office symbols is a part of our continuing investment to improve security and performance for customers and partners. --------------------------------------------- https://msrc-blog.microsoft.com/2022/08/08/microsoft-office-to-publish-symb… ∗∗∗ BumbleBee Roasts Its Way to Domain Admin ∗∗∗ --------------------------------------------- In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google Threat Analysis Group in March 2022. Google TAG attributes this malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group FIN12/WIZARD SPIDER/DEV-0193. --------------------------------------------- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-adm… ∗∗∗ "Command&Control as a Service" – Cybercrime auf dem Weg in die Cloud ∗∗∗ --------------------------------------------- Ein neues As-a-Service-Angebot hat im Cybercrime-Untergrund innerhalb weniger Monate bereits tausende Kunden gewonnen. --------------------------------------------- https://heise.de/-7204112 ∗∗∗ Security-Informationen: Neues Ampel-Protokoll soll Vertraulichkeit vereinfachen ∗∗∗ --------------------------------------------- Das Trafic Light Protocol hat sich für die Kennzeichnung vertraulicher Informationen etabliert. TLP Version 2.0 soll die Absicht des Autors klarer machen. --------------------------------------------- https://heise.de/-7205920 ∗∗∗ Fake-Gewinnspiel für JBL-Lautsprecher auf Instagram ∗∗∗ --------------------------------------------- Zahlreiche Instagram-Nutzer:innen werden momentan von Fake-JBL-Profilen auf Beiträgen markiert: „Wenn du markiert wurdest, hast du einen tragbaren Lautsprecher von JBL gewonnen“ lautet der Beitrag. --------------------------------------------- https://www.watchlist-internet.at/news/fake-gewinnspiel-fuer-jbl-lautsprech… ∗∗∗ Ransomware-Attacken zurück im Geschäft ∗∗∗ --------------------------------------------- Doch keine Sommerpause: Nach einem leichten Rückgang zu Beginn des Jahres hat die Zahl der Ransomware-Angriffe im zweiten Quartal 2022 erneut zugelegt. --------------------------------------------- https://www.zdnet.de/88402769/ransomware-attacken-zurueck-im-geschaeft/ ∗∗∗ Google-Report von VirusTotal über Trends bei Malware ∗∗∗ --------------------------------------------- Auf seinem Dienst VirusTotal erhält Google täglich zahlreiche Einreichungen von Dateien zur Überprüfung, ob es sich um Malware handelt. In einem neuen Bericht "Deception at scale: Wie Malware Vertrauen missbraucht" hat ein Team von Google die Erkenntnisse zu verschiedene Techniken zusammengetragen, die Malware einsetzt, um Abwehrmechanismen zu umgehen und Social-Engineering-Angriffe effektiver zu gestalten. --------------------------------------------- https://www.borncity.com/blog/2022/08/07/google-report-von-virustotal-ber-t… ∗∗∗ Small-time cybercrime is about to explode — We arent ready ∗∗∗ --------------------------------------------- The cybersecurity industry tends to focus on extremely large-scale or sophisticated, state-sponsored attacks. Rightfully so, as it can be the most interesting, technically speaking. When most people think of cybercrime they think of large-scale breaches because thats what dominates the headlines. However, the problem is much bigger. --------------------------------------------- http://blog.talosintelligence.com/2022/08/smalltime-cybercrime.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cross-Site Request Forgery Vulnerability Patched in Ecwid Ecommerce Shopping Cart Plugin ∗∗∗ --------------------------------------------- On June 24, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a Cross-Site Request Forgery vulnerability we discovered in Ecwid Ecommerce Shopping Cart, a WordPress plugin installed on over 30,000 sites. This vulnerability made it possible for attackers to modify some of the plugin’s more advanced settings via a forged request. --------------------------------------------- https://www.wordfence.com/blog/2022/08/cross-site-request-forgery-vulnerabi… ∗∗∗ Webbrowser: Google Chrome und Microsoft Edge 104 schließen Sicherheitslücken ∗∗∗ --------------------------------------------- Die Version 104 der Webbrowser Chrome und Edge dichten zahlreiche Sicherheitslecks ab. Einige Features von Chrome haben zudem eine Politur erfahren. --------------------------------------------- https://heise.de/-7205970 ∗∗∗ Übernahme möglich: DrayTek-Router mit kritischer Sicherheitslücke ∗∗∗ --------------------------------------------- Eine Schwachstelle in den Routern von DrayTek ermöglicht Angreifern aus dem Netz die Kompromittierung der Geräte. Nicht einmal eine Anmeldung ist dafür nötig. --------------------------------------------- https://heise.de/-7206059 ∗∗∗ Patchday: F5 dichtet Schwachstellen in BIG IP und Nginx ab ∗∗∗ --------------------------------------------- Zum Schließen von 21 Sicherheitslücken liefert F5 Software-Updates aus. Die meisten Fehler mit hohem Risiko betreffen die BIG-IP-Systeme des Anbieters. --------------------------------------------- https://heise.de/-7205758 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, libtirpc, and xorg-server), Fedora (giflib, mingw-giflib, and teeworlds), Mageia (chromium-browser-stable, kernel, kernel-linus, mingw-giflib, osmo, python-m2crypto, and sqlite3), Oracle (httpd, php, vim, virt:ol and virt-devel:ol, and xorg-x11-server), SUSE (caddy, crash, dpkg, fwupd, python-M2Crypto, and trivy), and Ubuntu (gdk-pixbuf, libjpeg-turbo, and phpliteadmin). --------------------------------------------- https://lwn.net/Articles/904191/ ∗∗∗ Security Bulletin: Apache log4j vulnerabilities in Spark and Zookeeper affect QRadar User Behavior Analytics(CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Jquery-Ui, highcharts, and datatables are affecting QRadar User Behavior Analytics (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, CVE-2021-23445, CVE-2021-29489) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Nextcloud Talk: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0935 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily