- Daily - CERT.at

Tageszusammenfassung - 10.06.2022
by Daily end-of-shift report 10 Jun '22

10 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 09-06-2022 18:00 − Freitag 10-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cyber Europe 2022 – europaweite Cyber-Sicherheitsübung ∗∗∗ --------------------------------------------- Im Zuge der 2-tägigen Cyber-Sicherheitsübung „Cyber Europe“ arbeiteten Behörden und nationale Computer-Notfallteams in ganz Europa intensiv an Schutz und Abwehr der angegriffenen IT-Bereiche. Über 800 Teilnehmer:innen waren dazu EU-weit an der Übung beteiligt. In Österreich war für die Koordination das Bundeskanzleramt zuständig. Das Gesundheitsministerium, das Innenministerium, das Außenministerium, das Verteidigungsministerium und die zuständigen Computernotfallteams waren in die Übung eingebunden. --------------------------------------------- https://www.ots.at/presseaussendung/OTS_20220609_OTS0200/cyber-europe-2022-… ∗∗∗ Phishing Campaigns featuring Ursnif Trojan on the Rise ∗∗∗ --------------------------------------------- McAfee Labs have been observing a spike in phishing campaigns that utilize Microsoft office macro capabilities. These malicious documents reach victims via mass spam E-mail campaigns and generally invoke urgency, fear, or similar emotions, leading unsuspecting users to promptly open them. --------------------------------------------- https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-campaigns-fea… ∗∗∗ Neue Linux-Malware aufgespürt ∗∗∗ --------------------------------------------- Eine gemeinsame Forschungsarbeit hat zur Entdeckung von Symbiote geführt, einer neuen Form von Linux-Malware, die nur schwer zu erkennen ist. Hacker erhalten damit Rootkit-Zugriff. --------------------------------------------- https://www.zdnet.de/88401771/neue-linux-malware-aufgespuert/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-09 - 2022-06-10 ∗∗∗ --------------------------------------------- IBM TXSeries, IBM Connections, IBM Watson, IBM Spectrum, IBM SDK, IBM Cloud Pak, IBM Db2 Mirror for i and IBM StoredIQ. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Schwachstellen in Infiray IRAY-A8Z3 Wärmebildkamera ∗∗∗ --------------------------------------------- Die IRAY A8Z3 Wärmebildkamera für Industrieapplikationen von Infiray/IRay Technologies ist anfällig auf verschiedene Schwachstellen, welche sich aus unsicherer Programmierung, unsicherer Konfiguration sowie veralteten eingebetteten Softwarekomponenten ergeben. Mehrere Angriffsmöglichkeiten für Remote Code Execution (RCE) wurden gefunden. Der Hersteller hat sich im Zuge unserer Responsible Disclosure nicht mehr gemeldet, weshalb unklar ist, ob Patches verfügbar sind. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/schwachstellen-infira… ∗∗∗ PHP: Updates verhindern Einschleusen von Schadcode ∗∗∗ --------------------------------------------- Fehler in PHP-Modulen zur Verbindung mit SQL-Datenbanken erlauben die Ausführung beliebigen Codes. Admins von Shared-Hosting-Servern sollten schnell updaten. --------------------------------------------- https://heise.de/-7136766 ∗∗∗ Fortinet entfernt hartcodierten Schlüssel und verhindert unberechtigte Zugriffe ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für mehrere Produkte von Fortinet. Einige Lücken gelten als kritisch. --------------------------------------------- https://heise.de/-7136620 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (python-bottle), Fedora (grub2 and kernel), Mageia (python-pypdf2, python-ujson, and vim), and SUSE (fribidi, grub2, mozilla-nss, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/897518/ ∗∗∗ Vulnerabilities in HID Mercury Access Controllers Allow Hackers to Unlock Doors ∗∗∗ --------------------------------------------- https://www.securityweek.com/vulnerabilities-hid-mercury-access-controllers… ∗∗∗ Mitsubishi Electric Air Conditioning Systems ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-160-01 ∗∗∗ "Undocumented Functionality" (Backdoor) in Mitel Desk Phones (SYSS-2022-021) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/undocumented-functionality-backdoor-in-mit… ∗∗∗ Kritische Schwachstelle in Crypto USB Flash Drive Lepin EP-KP001 (SYSS-2022-024) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/kritische-schwachstelle-in-crypto-usb-flas… ∗∗∗ Chrome 102.0.5005.115 fixt Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/06/10/chrome-102-0-5005-115-fixt-schwach… ∗∗∗ Microsoft Edge: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0697 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.06.2022
by Daily end-of-shift report 09 Jun '22

09 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 08-06-2022 18:00 − Donnerstag 09-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New Emotet Variant Stealing Users Credit Card Information from Google Chrome ∗∗∗ --------------------------------------------- The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. --------------------------------------------- https://thehackernews.com/2022/06/new-emotet-variant-stealing-users.html ∗∗∗ MakeMoney malvertising campaign adds fake update template ∗∗∗ --------------------------------------------- We catch up with some old acquaintances that just arent ready to hang up the towel just yet. The post MakeMoney malvertising campaign adds fake update template appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/06/makemoney-malvert… ∗∗∗ ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat ∗∗∗ --------------------------------------------- A review of whats changed in malware in 2022, and what hasnt, based on Adam Kujawas talk at RSAC 2022. The post ASyncRat surpasses Dridex, TrickBot and Emotet to become dominant email threat appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/threat-analysis/2022/06/asyncrat-surpasses-dr… ∗∗∗ Nebenjob als Betrugshelfer:in – Vorsicht vor europost-eu.biz ∗∗∗ --------------------------------------------- Ein vielversprechender Nebenjob als Paketempfänger:in lockt mit Home-Office und guten Arbeitsbedingungen. Für 25 € pro Stunde müssen Sie Pakete empfangen und weiterversenden. Was nicht erwähnt wird: Nehmen Sie den Job an, beteiligen Sie sich möglicherweise an Bestellbetrug und machen sich strafbar! --------------------------------------------- https://www.watchlist-internet.at/news/nebenjob-als-betrugshelferin-vorsich… ∗∗∗ LockBit 2.0: How This RaaS Operates and How to Protect Against It ∗∗∗ --------------------------------------------- LockBit 2.0 has so far been this years most active ransomware gang on double-extortion leak sites. Learn about their tactics. --------------------------------------------- https://unit42.paloaltonetworks.com/lockbit-2-ransomware/ ∗∗∗ How to audit Node.js modules ∗∗∗ --------------------------------------------- Node.js is one of the best and most widely used Javascript runtimes used for building APIs. But, this popularity status has led to many hackers distributing insecure modules that exploit the Node.js application or provide a weak point for exploitation. --------------------------------------------- https://mattermost.com/blog/how-to-audit-nodejs-modules/ ∗∗∗ Follina-Schwachstelle (CVE-2022-30190): Neue Erkenntnisse, neue Risiken (9.6.2022) ∗∗∗ --------------------------------------------- Die seit Ende Mai 2022 bekannt gewordene Schwachstelle CVE-2022-30190 (Follina) in Windows entwickelt sich langsam zum Problembär. Die von Microsoft und hier im Blog beschriebenen Gegenmaßnahmen erscheinen nicht ausreichend. --------------------------------------------- https://www.borncity.com/blog/2022/06/09/follina-schwachstelle-cve-2022-301… ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in veralteten Zyxel-Firewalls: Neukauf als Fix ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Zyxel warnt vor Sicherheitslücken in älteren Firewalls, deren Support ausgelaufen ist. Abhilfe schaffe der Austausch mit neueren Geräten. --------------------------------------------- https://heise.de/-7135405 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mailman and python-bottle), Red Hat (java-1.7.1-ibm, java-1.8.0-ibm, subversion:1.14, and xz), Scientific Linux (python-twisted-web), Slackware (httpd), and Ubuntu (ca-certificates, ffmpeg, ghostscript, and varnish). --------------------------------------------- https://lwn.net/Articles/897372/ ∗∗∗ Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat ∗∗∗ --------------------------------------------- Symbiote is a new Linux malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines. --------------------------------------------- https://www.intezer.com/blog/research/new-linux-threat-symbiote/ ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (January 2022) affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Rational Software Architect RealTime Edition (RSA RT) is vulnerable to Apache Log4j2 – CVE-2021-44832 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-software-arc… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: Vulnerability in jackson-databind affects IBM Process Mining (Multiple CVEs) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-jackson-… ∗∗∗ K13559191: Linux kernel vulnerability CVE-2022-25636 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K13559191?utm_source=f5support&utm_mediu… ∗∗∗ Xen Security Advisory CVE-2022-26363, CVE-2022-26364 / XSA-402 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-402.html ∗∗∗ Xen Security Advisory CVE-2022-26362 / XSA-401 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-401.html ∗∗∗ Case opened: DIVD-2021-00037 - Critical vulnerabilities in ITarian MSP platform and on-premise solution ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2021-00037/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.06.2022
by Daily end-of-shift report 08 Jun '22

08 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 07-06-2022 18:00 − Mittwoch 08-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Linux version of Black Basta ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- Black Basta is the latest ransomware gang to add support for encrypting VMware ESXi virtual machines running on enterprise Linux servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/linux-version-of-black-basta… ∗∗∗ Poisoned CCleaner search results spread information-stealing malware ∗∗∗ --------------------------------------------- Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. --------------------------------------------- https://www.bleepingcomputer.com/news/security/poisoned-ccleaner-search-res… ∗∗∗ Cuba ransomware returns to extorting victims with updated encryptor ∗∗∗ --------------------------------------------- The Cuba ransomware operation has returned to regular operations with a new version of its malware found used in recent attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cuba-ransomware-returns-to-e… ∗∗∗ Targeted phishing past defender ∗∗∗ --------------------------------------------- Signature based detections has shortcomings that matter in real scenarios. Depending only on prevention through an EDR like Defender is not enough in a modern attack scenario. --------------------------------------------- https://www.derant.com/network%20monitoring/2022/06/07/Targetted-phishing-p… ∗∗∗ New Technique Used by Attackers in NPM to Avoid Detection ∗∗∗ --------------------------------------------- Checkmarx SCS team recently detected several malicious NPM packages using a new evasion technique, enhancing dependency confusion attacks to help malicious packages avoid detection. --------------------------------------------- https://checkmarx.com/blog/new-technique-used-by-attackers-in-npm-to-avoid-… ===================== = Vulnerabilities = ===================== ∗∗∗ Researchers Warn of Unpatched "DogWalk" Microsoft Windows Vulnerability ∗∗∗ --------------------------------------------- An unofficial security patch has been made available for a new Windows zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), even as the Follina flaw continues to be exploited in the wild. --------------------------------------------- https://thehackernews.com/2022/06/researchers-warn-of-unpatched-dogwalk.html ∗∗∗ Zero-Day-Lücke: Cybergangs missbrauchen MSDT-Leck für Qakbot-Infektionen ∗∗∗ --------------------------------------------- Die Cybergang hinter der Malware Quakbot missbraucht in Phishing-Kampagnen die MSDT-Zero-Day-Lücke. Infizierte Rechner verkauft sie meist an Ransomware-Banden. --------------------------------------------- https://heise.de/-7134949 ∗∗∗ Fehler in Linux-Kernel ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Ein Fehler im Firewall-Code des Linux-Kernels ermöglicht es Nutzern, Befehle als Root auszuführen. Administratoren können einen Workaround anwenden. --------------------------------------------- https://heise.de/-7134791 ∗∗∗ Kritische Schadcode-Lücke bedroht Universal Boot Loader U-Boot ∗∗∗ --------------------------------------------- Die Entwickler von U-Boot haben zwei gefährliche Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7134785 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (avahi), Fedora (firefox), Oracle (grub2, python-twisted-web, shim, shim-signed, and thunderbird), Red Hat (kernel and python-twisted-web), SUSE (gcc48, go1.17, go1.18, and mariadb), and Ubuntu (e2fsprogs, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-intel-5.13, linux-kvm, linux-oracle, linux-oracle-5.13, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-azure, linux-azure-5.4, [...] --------------------------------------------- https://lwn.net/Articles/897297/ ∗∗∗ Technical Details Released for Recently Patched Zyxel Firewall Vulnerabilities ∗∗∗ --------------------------------------------- Security researchers with HN Security have published technical details on two vulnerabilities affecting many Zyxel products. --------------------------------------------- https://www.securityweek.com/technical-details-released-recently-patched-zy… ∗∗∗ Owl Labs Patches Severe Vulnerability in Video Conferencing Devices ∗∗∗ --------------------------------------------- Video conferencing company Owl Labs has released patches for a severe vulnerability affecting its Meeting Owl Pro and Whiteboard Owl devices. --------------------------------------------- https://www.securityweek.com/owl-labs-patches-severe-vulnerability-video-co… ∗∗∗ Attackers Exploit MSDT Follina Bug to Drop RAT, Infostealer ∗∗∗ --------------------------------------------- Symantec has observed threat actors exploiting remote code execution flaw to drop AsyncRAT and information stealer. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/fo… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: IBM Cognos Command Center is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Spoofing (CVE-2022-22365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Spring Framework, OpenSSL and Apache HTTP Server shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affects some features of IBM® Db2® (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Cognos Command Center is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-command-center… ∗∗∗ FESTO: CECC-X-M1 - command injection vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-020/ ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0692 ∗∗∗ Mehrere Schwachstellen in "sicheren" mobilen Festplatten und Crypto-USB-Sticks von Verbatim (SYSS-2022-001/-017) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-sicheren-mobilen… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.06.2022
by Daily end-of-shift report 07 Jun '22

07 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 03-06-2022 18:00 − Dienstag 07-06-2022 18:15 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ WatchDog hacking group launches new Docker cryptojacking campaign ∗∗∗ --------------------------------------------- The WatchDog hacking group is conducting a new cryptojacking campaign with advanced techniques for intrusion, worm-like propagation, and evasion of security software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/watchdog-hacking-group-launc… ∗∗∗ QBot now pushes Black Basta ransomware in bot-powered attacks ∗∗∗ --------------------------------------------- The Black Basta ransomware gang has partnered with the QBot malware operation to gain spread laterally through hacked corporate environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/qbot-now-pushes-black-basta-… ∗∗∗ Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware ∗∗∗ --------------------------------------------- A new wave of phishing campaigns has been observed spreading a previously documented malware called SVCReady. --------------------------------------------- https://thehackernews.com/2022/06/researchers-warn-of-spam-campaign.html ∗∗∗ Neues Phishing-E-Mail der Erste Bank und Sparkasse ∗∗∗ --------------------------------------------- Aktuell kursiert ein neues Phishing-E-Mail im Namen der Erste Bank und Sparkasse. Im Schreiben werden Sie über eine angebliche Abbuchung von 1 259 Euro informiert. --------------------------------------------- https://www.watchlist-internet.at/news/neues-phishing-e-mail-der-erste-bank… ===================== = Vulnerabilities = ===================== ∗∗∗ Fortiguard June 2022 Vulnerability Advisories ∗∗∗ --------------------------------------------- FortiAP-U, FortiDDoS, FortiOS, FortiAnalyzer, FortiManager, FortiSandbox, FortiTokenMobile, FortiAuthenticator, Apache Airflow and FortiClient. --------------------------------------------- https://www.fortiguard.com/psirt-monthly-advisory/june-2022-vulnerability-a… ∗∗∗ Jetzt patchen! Lage um Attacken auf Atlassian Confluence spitzt sich zu ∗∗∗ --------------------------------------------- Aufgrund von öffentlich verfügbarem Exploit-Code steigen die Attacken auf Confluence-Instanzen. Patches sind jetzt verfügbar. --------------------------------------------- https://heise.de/-7132633 ∗∗∗ Patchday: Google schließt Kernel- und Software-Lücken in Android ∗∗∗ --------------------------------------------- Besitzer von Android-Hardware sollte ihre Geräte aus Sicherheitsgründen auf den aktuellen Stand bringen. --------------------------------------------- https://heise.de/-7133294 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (clamav, firefox-esr, pidgin, and thunderbird), Fedora (dotnet3.1, firefox, kernel, vim, and webkit2gtk3), Mageia (firefox/nss/nspr, gimp, logrotate, mariadb, thunderbird, trojita, webkit2, and webmin), Oracle (thunderbird), Red Hat (compat-openssl11, postgresql:10, postgresql:12, and thunderbird), Slackware (pidgin), and SUSE (openvpn). --------------------------------------------- https://lwn.net/Articles/897163/ ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (glib2.0, librecad, and php-horde-mime-viewer), Fedora (vim), and Ubuntu (freerdp2, ruby2.3, ruby2.5, ruby2.7, ruby3.0, and vim). --------------------------------------------- https://lwn.net/Articles/897226/ ∗∗∗ Critical U-Boot Vulnerability Allows Rooting of Embedded Systems ∗∗∗ --------------------------------------------- A critical vulnerability in the U-Boot boot loader could be exploited to write arbitrary data, which can allow an attacker to root Linux-based embedded systems, according to NCC Group. --------------------------------------------- https://www.securityweek.com/critical-u-boot-vulnerability-allows-rooting-e… ∗∗∗ Security Advisory -Input Verification Vulnerabilities Involved in Huawei Printer Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220608-… ∗∗∗ Security Bulletin: IBM Cognos Controller is affected but not vulnerable to arbitrary code execution and SQL injection due to Apache Log4j v1 vulnerabilities (CVE-2022-23305, CVE-2022-23302, CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-is-… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: Public disclosed vulnerability from OpenSSL affects IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-public-disclosed-vulnerab… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to SQL Injection (CVE-2022-31768) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Apache Commons as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2021-35515, CVE-2021-35516, CVE-2021-36090, CVE-2021-35517) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-as-used-by… ∗∗∗ Security Bulletin: CP4D Match 360 is vulnerable to remote attacker executing arbitrary code within IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cp4d-match-360-is-vulnera… ∗∗∗ Security Bulletin: Vulnerabilities have been identified in Apache Log4j and the application code shipped with the DS8000 Hardware Management Console (HMC) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-have-been… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/ MessageSight ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MaaS360 Mobile Enterprise Gateway uses Eclipse Jetty with multiple known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-mobile-enterp… ∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender Agent, Mobile Enterprise Gateway and VPN module have multiple vulnerabilities (CVE-2021-22060, CVE-2022-22950, CVE-2022-0547, CVE-2022-0778, CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service in NumPy. (CVE-2021-33430). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ K29421535: Intel processor vulnerability CVE-2021-33117 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K29421535 ∗∗∗ K95204515: Intel CPU vulnerability CVE-2022-21151 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K95204515 ∗∗∗ Grafana: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0690 ∗∗∗ Case update: DIVD-2022-00032 - Exchange backdoor ∗∗∗ --------------------------------------------- https://csirt.divd.nl/cases/DIVD-2022-00032/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.06.2022
by Daily end-of-shift report 03 Jun '22

03 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 02-06-2022 18:00 − Freitag 03-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Chinese LuoYu hackers deploy cyber-espionage malware via app updates ∗∗∗ --------------------------------------------- A Chinese-speaking hacking group known as LuoYu is infecting victims WinDealer information stealer malware deployed by switching legitimate app updates with malicious payloads in man-on-the-side attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/chinese-luoyu-hackers-deploy… ∗∗∗ Evil Corp switches to LockBit ransomware to evade sanctions ∗∗∗ --------------------------------------------- The Evil Corp cybercrime group has now switched to deploying LockBit ransomware on targets networks to evade sanctions imposed by the U.S. Treasury Departments Office of Foreign Assets Control (OFAC). --------------------------------------------- https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-lockbi… ∗∗∗ Analysis of the Massive NDSW/NDSX Malware Campaign ∗∗∗ --------------------------------------------- Recently, Avast’s researchers Pavel Novák and Jan Rubín posted a detailed writeup about the “Parrot TDS” campaign involving more than 16,500 infected websites. Such massive infections don’t go unnoticed by Sucuri and we immediately recognized that the infection in their writeup belonged to the campaign we internally refer to as “ndsw/ndsx” malware. --------------------------------------------- https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign… ∗∗∗ Reich mit Öl? Vorsicht vor der betrügerischen Investment-Plattform „Öl-Profit“! ∗∗∗ --------------------------------------------- Noch nie war der Online-Ölhandel so einfach wie heute. Jede Person könne hier reich werden – ohne etwas über Öl oder Wirtschaft zu wissen. So heißt es in einem angeblichen Artikel der deutschen Tageszeitung BILD. --------------------------------------------- https://www.watchlist-internet.at/news/reich-mit-oel-vorsicht-vor-der-betru… ∗∗∗ Popping Eagle: How We Leveraged Global Analytics to Discover a Sophisticated Threat Actor ∗∗∗ --------------------------------------------- We observed a specially crafted DLL hijacking attack used by a previously unknown piece of malware that we dubbed Popping Eagle. --------------------------------------------- https://unit42.paloaltonetworks.com/popping-eagle-malware/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angriffe auf Code-Execution-Lücke bedrohen Confluence-Installationen ∗∗∗ --------------------------------------------- Seit Anfang der Woche installieren Angreifer Backdoors über eine neue Lücke in Confluence. Admins sollten noch vor dem langen Wochenende Maßnahmen ergreifen. --------------------------------------------- https://heise.de/-7131081 ∗∗∗ GitLab Issues Security Patch for Critical Account Takeover Vulnerability ∗∗∗ --------------------------------------------- GitLab has moved to address a critical security flaw in its service that, if successfully exploited, could result in an account takeover. Tracked as CVE-2022-1680, the issue has a CVSS severity score of 9.9 and was discovered internally by the company. --------------------------------------------- https://thehackernews.com/2022/06/gitlab-issues-security-patch-for.html ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cifs-utils, debian-security-support, and pypdf2), Fedora (fapolicyd, mariadb, openssl, and qt5-qtbase), Oracle (firefox, maven:3.5, maven:3.6, postgresql:10, postgresql:12, and postgresql:13), Red Hat (.NET 6.0, firefox, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, pcs, rsync, subversion, thunderbird, and zlib), Scientific Linux (thunderbird), Slackware (mozilla), SUSE (firefox, hdf5, suse-hpc, kernel-firmware, libarchive, patch, php8, and redis), and Ubuntu (cifs-utils and vim). --------------------------------------------- https://lwn.net/Articles/897016/ ∗∗∗ Security Bulletin: IBM Edge Application Manager is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-edge-application-mana… ∗∗∗ Security Bulletin: IBM DataPower Gateway Virtual Edition uses out of date ICU libraries in open-vm-tools ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vir… ∗∗∗ Security Bulletin: IBM Telco Network Cloud Manager – Performance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832,CVE-2022-23302 and CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-telco-network-cloud-m… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to improper input validation in Spring Framework (CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in Kerberos ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by a vulnerability in glibc (CVE-2021-35942) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are vulnerable to unauthenticated attacker obtaining sensitive information and other attacks due to multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus may disclose sensitive information in virgo log file (CVE-2022-22396) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0682 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.06.2022
by Daily end-of-shift report 02 Jun '22

02 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 01-06-2022 18:00 − Donnerstag 02-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Conti ransomware targeted Intel firmware for stealthy attacks ∗∗∗ --------------------------------------------- Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-targeted-in… ∗∗∗ Researchers Demonstrate Ransomware for IoT Devices That Targets IT and OT Networks ∗∗∗ --------------------------------------------- As ransomware infections have evolved from purely encrypting data to schemes such as double and triple extortion, a new attack vector is likely to set the stage for future campaigns. --------------------------------------------- https://thehackernews.com/2022/06/researchers-demonstrate-ransomware-for.ht… ∗∗∗ Europol: FluBot-Infrastruktur unter Kontrolle von Strafverfolgern ∗∗∗ --------------------------------------------- Internationale Strafverfolger konnten die SMS-basierte Android-Spyware FluBot einbremsen. Dies gelang durch die Übernahme der FluBot-Infrastruktur. --------------------------------------------- https://heise.de/-7130270 ∗∗∗ Warnung vor Spoofing mit BSI-Rufnummer ∗∗∗ --------------------------------------------- Das BSI erhält derzeit Meldungen, dass vermehrte Anrufe mit der Rufnummer des BSI und einer zweistelligen Durchwahl erfolgen. Es handelt sich nicht um Anrufe des BSI. --------------------------------------------- https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldunge… ∗∗∗ Vorsicht Telefon-Betrug: Tonbandstimme lockt in die Falle! ∗∗∗ --------------------------------------------- Zahlreiche Meldungen berichten von Anrufen einer Tonbandstimme, die dazu auffordert auf die Taste 1 zu drücken. Folgen Sie den Anweisungen nicht! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-telefon-betrug-tonbandstimm… ===================== = Vulnerabilities = ===================== ∗∗∗ SearchNightmare: Windows 10 search-ms: URI Handler 0-day Exploit mit Office 2019 ∗∗∗ --------------------------------------------- Nach der Entdeckung des Missbrauchs der Follina-Schwachstelle (CVE-2022-30190) über das Windows ms-msdt-Protokolls wird diese Bastion "sturmreif" geschossen. Ein Hacker hat sich den search-ms: URI Handler in Windows 10 angesehen und einen ähnlichen Exploit wie Follina entwickelt. --------------------------------------------- https://www.borncity.com/blog/2022/06/02/searchnightmare-windows-10-search-… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (thunderbird and vim), Red Hat (firefox, postgresql:10, postgresql:12, and postgresql:13), Scientific Linux (firefox and rsyslog), SUSE (hdf5, hdf5, suse-hpc, postgresql14, rubygem-yajl-ruby, and udisks2), and Ubuntu (imagemagick and influxdb). --------------------------------------------- https://lwn.net/Articles/896896/ ∗∗∗ Millions of Budget Smartphones With UNISOC Chips Vulnerable to Remote DoS Attacks ∗∗∗ --------------------------------------------- Millions of budget smartphones that use UNISOC chipsets could have their communications remotely disrupted by hackers due to a critical vulnerability discovered recently by researchers at cybersecurity firm Check Point. --------------------------------------------- https://www.securityweek.com/millions-budget-smartphones-unisoc-chips-vulne… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with known vulnerabilities (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability CVE-2021-35550 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to directory traversal due to Moment.js (CVE-2022-24785) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Common Licensing is vulnerable by a remote code attack in Spring Framework (CVE-2021-22096,CVE-2021-22060,CVE-2022-22950,CVE-2022-22968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Java SE that could allow an unauthenticated attacker to obtain sensitive information affect IBM® Db2®. (CVE-2021-35603, CVE-2021-35550, CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in Nginx affects IBM Cloud Private and could allow a remote attacker to obtain sensitive information (177988) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-nginx-af… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Watson Machine Learning Accelerator is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-watson-machine-learning-a… ∗∗∗ Security Bulletin: CVE-2022-21299 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2022-21299-may-affect… ∗∗∗ Security Bulletin: HMC is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-hmc-is-affected-but-not-c… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to cross-site scripting due to Angular (220414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: Enterprise Content Management System Monitor is affected by a vulnerability in IBM® SDK Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-enterprise-content-manage… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to denial of service due to FasterXML jackson-databind ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Db2 Mirror for i is vulnerable to denial of service due to gson 217225 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-mirror-for-i-is-v… ∗∗∗ Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities – IBM JDK 8.0.7.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to cross tenant information exposure (CVE-2022-22506) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2021-35561 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35561-may-affect… ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2022/05/long-term-support-channel-upda… ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 101 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-23/ ∗∗∗ Autodesk AutoCAD: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Benutzerrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0677 ∗∗∗ Illumina Local Run Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-153-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.06.2022
by Daily end-of-shift report 01 Jun '22

01 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 31-05-2022 18:00 − Mittwoch 01-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Zero-Day-Lücke: Erste Cybergangs greifen MSDT-Sicherheitslücke an ∗∗∗ --------------------------------------------- Die Zero-Day-Lücke von Microsoft wird inzwischen von Cybergangs für Angriffe missbraucht. Der Hersteller ordnete das Problem erst falsch als irrelevant ein. --------------------------------------------- https://heise.de/-7128265 ∗∗∗ FluBot Android malware operation shutdown by law enforcement ∗∗∗ --------------------------------------------- Europol has announced the takedown of the FluBot operation, one of the largest and fastest-growing Android malware operations in existence. --------------------------------------------- https://www.bleepingcomputer.com/news/security/flubot-android-malware-opera… ∗∗∗ New XLoader Botnet Version Using Probability Theory to Hide its C&C Servers ∗∗∗ --------------------------------------------- An enhanced version of the XLoader malware has been spotted adopting a probability-based approach to camouflage its command-and-control (C&C) infrastructure, according to the latest research. --------------------------------------------- https://thehackernews.com/2022/06/new-xloader-botnet-version-using.html ∗∗∗ New Unpatched Horde Webmail Bug Lets Hackers Take Over Server by Sending Email ∗∗∗ --------------------------------------------- A new unpatched security vulnerability has been disclosed in the open-source Horde Webmail client that could be exploited to achieve remote code execution on the email server simply by sending a specially crafted email to a victim. --------------------------------------------- https://thehackernews.com/2022/06/new-unpatched-horde-webmail-bug-lets.html ∗∗∗ Watch out for phishing emails that inject spyware trio ∗∗∗ --------------------------------------------- You wait for one infection and then three come along at once. An emailed report seemingly about a payment will, when opened in Excel on a Windows system, attempt to inject three pieces of file-less malware that steal sensitive information. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/06/01/phishing-rat… ∗∗∗ Certificate Transparency data is used to compromise WordPress before installation ∗∗∗ --------------------------------------------- Recently in the community forums of WordPress and Lets Encrypt, reports have shown up about webshells on freshly installed WordPress blogs that were later used for DDoS attacks. --------------------------------------------- https://www.feistyduck.com/bulletproof-tls-newsletter/issue_89_certificate_… ∗∗∗ AA22-152A: Karakurt Data Extortion Group ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory (CSA) to provide information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-152a ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (libjpeg-turbo, webkit2gtk, and wpewebkit), Fedora (golang-github-opencontainers-runc, mingw-pcre2, python-jwt, python-ujson, and weechat), Oracle (nodejs:16 and rsyslog), Red Hat (container-tools:3.0, expat, fapolicyd, kernel, kernel-rt, kpatch-patch, mariadb:10.3, postgresql:12, rsyslog and rsyslog7, and zlib), Slackware (mozilla), SUSE (bind, dpdk, fribidi, hdf5, librelp, php74, postgresql12, and postgresql13), and Ubuntu (cups, linux-gcp-5.13, linux-oracle, linux-oracle-5.13, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-ibm-5.4, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/896803/ ∗∗∗ T&D Data Server and THERMO RECORDER DATA SERVER vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN28659051/ ∗∗∗ Security Advisory - Insufficient Input Verification Vulnerability In Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220601-… ∗∗∗ Security Bulletin: IBM® PureData System for Operational Analytics is vulnerable to arbitrary code execution, remote code execution and denial of service due to Apache Log4j (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-puredata-system-for-o… ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: Vulnerability in bind (CVE-2021-25214) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-cve… ∗∗∗ Security Bulletin: Publicly disclosed vulnerabilities from Kernel affect IBM Netezza Host Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner… ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Service Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring and IntegrationServer operands may be vulnerable to code injection due to CVE-2022-29078 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-data-synchroni… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Vulnerability in Apache HTTP (CVE-2022-22720) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-h… ∗∗∗ K43541501: Intel CPU vulnerabilities CVE-2022-21131 and CVE-2022-21136 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43541501 ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-22/ ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-151-01 ∗∗∗ BD Synapsys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-151-02 ∗∗∗ Fuji Electric Alpha7 PC Loader ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-151-01 ∗∗∗ SSRF-Schwachstelle in Canto Cumulus (SYSS-2022-023) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/ssrf-schwachstelle-in-canto-cumulus-syss-2… ∗∗∗ Microsoft Edge 102.0.1245.30 schließt Schwachstellen ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/06/01/microsoft-edge-102-0-1245-30-schli… ∗∗∗ Security Advisory: Multiple Vulnerabilities Impact 3CX Phone System ∗∗∗ --------------------------------------------- https://www.gosecure.net/blog/2022/05/31/security-advisory-multiple-vulnera… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 31.05.2022
by Daily end-of-shift report 31 May '22

31 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 30-05-2022 18:00 − Dienstag 31-05-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Meeting Owl Pro: Konferenzeule hat viele Sicherheitslücken ∗∗∗ --------------------------------------------- Das Konferenzsystem Meeting Owl Pro sieht putzig aus, hat aber viele Sicherheitslücken, die auch nach vier Monaten nicht geschlossen wurden. --------------------------------------------- https://www.golem.de/news/meeting-owl-pro-konferenzeule-hat-viele-sicherhei… ∗∗∗ GSM-Codes: Whatsapp-Konten per Anruf übernehmen ∗∗∗ --------------------------------------------- Mit einer neuen Masche können Betrüger Whatsapp-Konten übernehmen. Nutzer sollen zum Anrufen dubioser Telefonnummern verleitet werden. --------------------------------------------- https://www.golem.de/news/gsm-codes-whatsapp-konten-per-anruf-uebernehmen-2… ∗∗∗ Over 3.6 million exposed MySQL servers on IPv4 and IPv6 ∗∗∗ --------------------------------------------- We have recently began scanning for accessible MySQL server instances on port 3306/TCP. These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single AS). IPv4 and IPv6 scans together uncover 3.6M accessible MySQL servers worldwide. --------------------------------------------- https://www.shadowserver.org/news/over-3-6m-exposed-mysql-servers-on-ipv4-a… ∗∗∗ Buchen Sie Ihre Unterkunft nicht auf ferienhaeuser-porec.de ∗∗∗ --------------------------------------------- ferienhaeuser-porec.de ist eine betrügerische Buchungswebseite für „Exklusive Villen und Ferienhäuser“ in Porec, Kroatien. Auf den ersten Blick wirkt die Webseite professionell. Das Impressum sowie das Foto der deutschen Inhaber stiften Vertrauen. Aber: Wer dort bucht und bezahlt verliert sein Geld und hat keine Unterkunft. --------------------------------------------- https://www.watchlist-internet.at/news/buchen-sie-ihre-unterkunft-nicht-auf… ∗∗∗ Nächste Runde: FluBot-Banking-Malware (Mai 2022) ∗∗∗ --------------------------------------------- Kleines Update in Sachen Flubot. Die Cyberkriminellen hinter FluBot greifen Smartphone-Nutzer in Europa mit einer Neuauflage ihrer Smishing-Kampagne an, um die Malware zum Stehlen persönlicher Banking-Daten auf mobilen Telefonen in Europa zu verbreiten. --------------------------------------------- https://www.borncity.com/blog/2022/05/31/nchste-rund-flubot-banking-malware… ∗∗∗ CVE Farming through Software Center – A group effort to flush out zero-day privilege escalations ∗∗∗ --------------------------------------------- In this blogpost we discuss a zero-day topic for finding privilege escalation vulnerabilities discovered by Ahmad Mahfouz. It abuses applications like Software Center, which are typically used in large-scale environments for automated software deployment performed on demand by regular (i.e. unprivileged) users. --------------------------------------------- https://blog.nviso.eu/2022/05/31/cve-farming-through-software-center-a-grou… ===================== = Vulnerabilities = ===================== ∗∗∗ Zero-Day-Lücke in MS Office: Microsoft gibt Empfehlungen ∗∗∗ --------------------------------------------- Microsoft gibt Handlungsempfehlungen gegen die Zero-Day-Schwachstelle in Office. Angreifer könnten diese zum Einschleusen von Schadcode missbrauchen. --------------------------------------------- https://heise.de/-7126993 ∗∗∗ Content Management System: Sicherheitslücke in Drupal erlaubt Website-Übernahme ∗∗∗ --------------------------------------------- Die Sicherheitslücke findet sich nicht im eigentlichen Drupal-Code, sondern in der Drittherstellerbibliothek Guzzle. Darüber wickelt Drupal HTTP-Anfragen und -Antworten an externe Dienste ab. Das Guzzle-Projekt hat ein Update veröffentlicht, dass zwar nicht den Drupal-Core betreffe, jedoch Auswirkungen auf beigesteuerte Projekte oder individuell angepassten Code von Drupal-Seiten haben könnte. --------------------------------------------- https://heise.de/-7127268 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (haproxy, libdbi-perl, pjproject, spip, and trafficserver), Oracle (firefox, kernel, kernel-container, libvirt libvirt-python, and thunderbird), Red Hat (maven:3.5, maven:3.6, nodejs:16, postgresql, postgresql:10, and rsyslog), SUSE (gimp, helm-mirror, ImageMagick, mailman, openstack-neutron, pcmanfm, pcre2, postgresql10, and tiff), and Ubuntu (dpkg and freetype). --------------------------------------------- https://lwn.net/Articles/896721/ ∗∗∗ Siemens Healthineers SHSA-455016: Deserialization Vulnerability in Healthcare Products ∗∗∗ --------------------------------------------- https://www.siemens-healthineers.com/support-documentation/cybersecurity/sh… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in Spring Framework affect SPSS Collaboration and Deployment Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerabilities in Apache HTTP (CVE-2021-34798 and CVE-2021-39275) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache… ∗∗∗ Security Bulletin:IBM Common Licensing is affected but not classified as vulnerable by a remote code execution in Spring Framework (220575,CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletinibm-common-licensing-is-af… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK, Java Technology (CVE-2022-21341, CVE-2022-21294, CVE-2022-21293 and CVE-2022-21248) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2021-3712) affects Power HMC ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Vulnerabilities fixed in Firefox ESR 91.10 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-21/ ∗∗∗ Security Vulnerabilities fixed in Firefox 101 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-20/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.05.2022
by Daily end-of-shift report 30 May '22

30 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 27-05-2022 18:00 − Montag 30-05-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Clop ransomware gang is back, hits 21 victims in a single month ∗∗∗ --------------------------------------------- After effectively shutting down their entire operation for several months, between November and February, the Clop ransomware is now back according to NCC Group researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clop-ransomware-gang-is-back… ∗∗∗ New Windows Subsystem for Linux malware steals browser auth cookies ∗∗∗ --------------------------------------------- Hackers are showing an increased interest in the Windows Subsystem for Linux (WSL) as an attack surface as they build new malware, the more advanced samples being suitable for espionage and downloading additional malicious modules. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-windows-subsystem-for-li… ∗∗∗ New GoodWill Ransomware Forces Victims to Donate Money and Clothes to the Poor ∗∗∗ --------------------------------------------- Cybersecurity researchers have disclosed a new ransomware strain called GoodWill that compels victims into donating for social causes and provide financial assistance to people in need. --------------------------------------------- https://thehackernews.com/2022/05/new-goodwill-ransomware-forces-victims.ht… ∗∗∗ Understanding CVE-2022-22972 (VMWare Workspace One Access Auth Bypass) ∗∗∗ --------------------------------------------- We’ve got a copy of the vulnerable version of VMWare Workspace One Access, and we’ve gone through the extremely boring process of setting it up (oh the joys of vulnerability research). At this stage, we want to try and narrow down exactly where this vulnerability exists in code. --------------------------------------------- https://blog.assetnote.io/2022/05/27/understanding-cve-2022-22972-vmware-wo… ∗∗∗ Bösartige Browser-Erweiterung: ChromeLoader kommt als ISO getarnt ∗∗∗ --------------------------------------------- Eine bösartige Erweiterung kann allen Browserverkehr über unerwünschte Server leiten und so Daten abschöpfen. ChromeLoader geht dabei trickreich vor. --------------------------------------------- https://heise.de/-7126317 ∗∗∗ Probleme mit Ihrer Lebensversicherung? Vorsicht vor Beratungsleistungen von konsumentenschuetzer.com ∗∗∗ --------------------------------------------- Im Internet finden Sie die Beratungsagentur „Konsumentenschützer“, die Ihren Vertrag prüft und bei Bedarf eine Klage bei Ihrer Versicherung einbringt. Wir raten zur Vorsicht. --------------------------------------------- https://www.watchlist-internet.at/news/probleme-mit-ihrer-lebensversicherun… ∗∗∗ Microsoft findet Schwachstellen in Apps großer Mobilfunkprovider (Mai 2022) ∗∗∗ --------------------------------------------- Das Microsoft 365 Defender Research Team hat in einem mobilen Framework von mce Systems einige Schwachstellen gefunden. --------------------------------------------- https://www.borncity.com/blog/2022/05/30/microsoft-findet-schwachstellen-in… ∗∗∗ Detecting BCD Changes To Inhibit System Recovery ∗∗∗ --------------------------------------------- Earlier this year, we observed a rise in malware that inhibits system recovery. This tactic is mostly used by ransomware and wiper malware. One notable example of such malware is “Hermetic wiper”. To inhibit recovery an attacker has many possibilities, one of which is changing the Boot Configuration Database (BCD). --------------------------------------------- https://blog.nviso.eu/2022/05/30/detecting-bcd-changes-to-inhibit-system-re… ∗∗∗ Rapidly evolving IoT malware EnemyBot now targeting Content Management System servers and Android devices ∗∗∗ --------------------------------------------- Alien Labs has discovered that EnemyBot is expanding its capabilities, exploiting recently identified vulnerabilities (2022), and now targeting IoT devices, web servers, Android devices and content management system (CMS) servers. --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/rapidly-evolving-iot-malw… ∗∗∗ GitHub RepoJacking Weakness Exploited in the Wild by Attackers ∗∗∗ --------------------------------------------- A logical flaw in GitHub allows attackers to take control over thousands of repositories, enabling the poisoning of popular open-source packages. This flaw is yet to be fixed and the steps to exploit it were recently published. --------------------------------------------- https://checkmarx.com/blog/github-repojacking-weakness-exploited-in-the-wil… ===================== = Vulnerabilities = ===================== ∗∗∗ New Microsoft Office Attack Vector via "ms-msdt" Protocol Scheme, (Mon, May 30th) ∗∗∗ --------------------------------------------- It was a long weekend for many European countries and it’s an off-day in the US but we were aware of a new attack vector for Microsoft Office documents. --------------------------------------------- https://isc.sans.edu/diary/rss/28694 ∗∗∗ Zero-Day-Lücke in Microsoft Office ermöglicht Codeschmuggel ∗∗∗ --------------------------------------------- Sicherheitsforscher haben ein Word-Dokument entdeckt, das beim Öffnen Schadcode nachladen und ausführen kann. Aktuelle Software scheint davor zu schützen. --------------------------------------------- https://heise.de/-7125635 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (modsecurity-apache, pngcheck, rsyslog, and smarty3), Fedora (firefox, golang-github-opencontainers-runc, gron, kernel, kernel-headers, kernel-tools, logrotate, mingw-pcre2, and rubygem-git), Mageia (admesh, chromium-browser-stable, golang, kernel, kernel-linus, and pidgin), Red Hat (firefox, openvswitch2.13, openvswitch2.15, openvswitch2.16, rsyslog, and thunderbird), SUSE (bind, curl, opera, pcp, postgresql12, and postgresql14), [...] --------------------------------------------- https://lwn.net/Articles/896640/ ∗∗∗ Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-46669, CVE-2022-24048, MariaDB – 219814, MariaDB – 219815, CVE-2022-24050, CVE-2022-24052 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-installation-on-r… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a number of security vulnerabilities in Netty, which is used by Guardium (CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Standard ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: A vulnerability exists in golang x/crypto (CVE-2020-9283) which is consumed by IBM CICS TX Advanced ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-exists-in… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to remote attack due to Moment.js CVE-2022-24785 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-automation-assets-in-ibm-… ∗∗∗ Security Bulletin: Cross-Site Request Forgery vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2022-22361 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-request-forger… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0665 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.05.2022
by Daily end-of-shift report 27 May '22

27 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 25-05-2022 18:00 − Freitag 27-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New ChromeLoader malware surge threatens browsers worldwide ∗∗∗ --------------------------------------------- The ChromeLoader malware is seeing an uptick in detections this month, following a relatively stable operation volume since the start of the year, which means that the malvertiser is now becoming a widespread threat. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-chromeloader-malware-sur… ∗∗∗ New ‘Cheers’ Linux ransomware targets VMware ESXi servers ∗∗∗ --------------------------------------------- A new ransomware named Cheers has appeared in the cybercrime space and has started its operations by targeting vulnerable VMware ESXi servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-cheers-linux-ransomware-… ∗∗∗ New ERMAC 2.0 Android malware steals accounts, wallets from 467 apps ∗∗∗ --------------------------------------------- The ERMAC Android banking trojan has released version 2.0, increasing the number of applications targeted from 378 to 467, covering a much wider range of apps to steal account credentials and crypto wallets. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-ermac-20-android-malware… ∗∗∗ Microsoft shares mitigation for Windows KrbRelayUp LPE attacks ∗∗∗ --------------------------------------------- Microsoft has shared guidance to help admins defend their Windows enterprise environments against KrbRelayUp attacks that enable attackers to gain SYSTEM privileges on Windows systems with default configurations. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-shares-mitigation-… ∗∗∗ Windows 11 KB5014019 breaks Trend Micro ransomware protection ∗∗∗ --------------------------------------------- This weeks Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micros security products that breaks some of their capabilities, including the ransomware protection feature. --------------------------------------------- https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-… ∗∗∗ Warten auf abgesicherte Version: Anonymes Surfen unter Tails gefährdet ∗∗∗ --------------------------------------------- Wer mit dem Tor Browser des Tails-Systems surft, könnte Passwörter an Angreifer preisgeben. --------------------------------------------- https://heise.de/-7123771 ∗∗∗ Sie sollen Zollgebühren mit einer Paysafecard bezahlen? Achtung, Betrug! ∗∗∗ --------------------------------------------- Kriminelle versenden betrügerische E-Mails im Namen des Zolls und behaupten, dass Sie Zollgebühren bezahlen müssen, und zwar in Form einer Paysafecard. Nur so könne Ihr Paket zugestellt werden. Ignorieren Sie solche E-Mails, Kriminelle versuchen nur an Ihr Geld zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/sie-sollen-zollgebuehren-mit-einer-p… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-05-26 - 2022-05-27 ∗∗∗ --------------------------------------------- IBM MQ Internet Pass-Thru, IBM MQ Operator, IBM MQ Appliance, IBM MQ trace, IBM Semeru Runtime, IBM Sterling Control Center, IBM App Connect Enterprise, IBM Watson Discovery, IBM Spectrum Control, IBM Netezza Host Management, IBM Tivoli Netcool/OMNIbus Probe Integrations, IBM DataPower. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Angreifer könnten Netzwerk-Hardware von Citrix lahmlegen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitspatches für Citritx ADC und Citrix Gateway. Angreifer könnten die Netzwerk-Hardware lahmlegen. --------------------------------------------- https://heise.de/-7123795 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, dpkg, filezilla, irssi, puma, and python-django), Fedora (firefox, ignition, and pcre2), Mageia (cockpit, firefox/thunderbird, openldap, supertux, unrar, and vim), Oracle (firefox and thunderbird), Red Hat (rh-varnish6-varnish), SUSE (cups, fribidi, kernel-firmware, redis, and wpa_supplicant), and Ubuntu (dpkg, logrotate, and subversion). --------------------------------------------- https://lwn.net/Articles/896346/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (atftp, cups, neutron, and zipios++), Fedora (clash, moodle, python-jwt, and thunderbird), Red Hat (thunderbird), Slackware (cups), SUSE (go1.17, libredwg, opera, seamonkey, and varnish), and Ubuntu (libxv, ncurses, openssl, and subversion). --------------------------------------------- https://lwn.net/Articles/896465/ ∗∗∗ ABB Cyber Security Advisory: e-Design - Multiple vulnerabilities ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2%20CMT%200%200%206… ∗∗∗ K32760744: libxml2 vulnerability CVE-2022-23308 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K32760744 ∗∗∗ K54724312: Linux kernel vulnerability CVE-2022-0492 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K54724312 ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0661 ∗∗∗ Drupal CORE: Schwachstelle ermöglicht nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0662 ∗∗∗ Keysight N6854A Geolocation server and N6841A RF Sensor software ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-146-01 ∗∗∗ Horner Automation Cscape Csfont ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-146-02 ∗∗∗ Cross-Site Request Forgery Vulnerability in Proxy Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-18 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.05.2022
by Daily end-of-shift report 25 May '22

25 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 24-05-2022 18:00 − Mittwoch 25-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Vorsicht vor unseriösen Spendenaufrufen für krebskranke Kinder ∗∗∗ --------------------------------------------- Immer wieder stoßen Watchlist Internet Leser:innen auf betrügerische Spendenaufrufe für krebskranke Kinder. Insbesondere in Werbeeinschaltungen auf YouTube werden häufig derartige Kampagnen angezeigt. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-unserioesen-spendenaufr… ∗∗∗ Bablosoft; Lowering the Barrier of Entry for Malicious Actors ∗∗∗ --------------------------------------------- Summary Evidence suggests an increasing number of threat actor groups are making use of a free-to-use browser automation framework. The framework contains numerous features which we assess may be utilized in the enablement of malicious activities. --------------------------------------------- https://team-cymru.com/blog/2022/05/25/bablosoft-lowering-the-barrier-of-en… ∗∗∗ How the Saitama backdoor uses DNS tunnelling ∗∗∗ --------------------------------------------- A walkthrough of one of the stealthy communication techniques employed in a recent attack using APT34s Saitama backdoor. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/05/how-the-saitama-b… ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service ∗∗∗ --------------------------------------------- Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service. --------------------------------------------- http://blog.talosintelligence.com/2022/05/vuln-spotlight-open-automation-pl… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (lrzip and puma), Fedora (plantuml and plib), Oracle (kernel and kernel-container), Red Hat (firefox, kernel, kpatch-patch, subversion:1.14, and thunderbird), Scientific Linux (firefox and thunderbird), SUSE (kernel-firmware, libxml2, pcre2, and postgresql13), and Ubuntu (accountsservice, postgresql-10, postgresql-12, postgresql-13, postgresql-14, and rsyslog). --------------------------------------------- https://lwn.net/Articles/896216/ ∗∗∗ CISA Adds 34 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 34 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/25/cisa-adds-34-know… ∗∗∗ Chrome 102.0.5005.61/62/63 fixen kritische Schwachstellen ∗∗∗ --------------------------------------------- Google hat zum 24. Mai 2022 die Updates des 102.0.5005.61/62/63 Google Chrome Browsers für Windows und Mac auf dem Desktop im Stable Channel freigegeben (Chrome 102 wird auch im Stable Channel für Windows und Mac aufgenommen). --------------------------------------------- https://www.borncity.com/blog/2022/05/25/chrome-102-0-5005-61-62-63-fixen-s… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ Security Bulletin: Node.js as used by IBM Security QRadar Analyst Workflow App for IBM QRadar SIEM is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-node-js-as-used-by-ibm-se… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM QRadar Deployment Intelligence app for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-deployment-int… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ Security Bulletin: IBM Aspera Faspex is vulnerable to exposing data improperly (CVE-2022-22497) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-aspera-faspex-is-vuln… ∗∗∗ VMSA-2022-0015 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0015.html ∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27507 and CVE-2022-27508 ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX457048 ∗∗∗ Rockwell Automation Logix Controllers ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-144-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.05.2022
by Daily end-of-shift report 24 May '22

24 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 23-05-2022 18:00 − Dienstag 24-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Researchers to release exploit for new VMware auth bypass, patch now ∗∗∗ --------------------------------------------- Proof-of-concept exploit code is about to be published for a vulnerability that allows administrative access without authentication in several VMware products. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researchers-to-release-explo… ∗∗∗ Beneath the surface: Uncovering the shift in web skimming ∗∗∗ --------------------------------------------- Web skimming campaigns now employ various obfuscation techniques to deliver and hide the skimming scripts. It’s a shift from earlier tactics where attackers conspicuously injected the malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/23/beneath-the-surface-unco… ∗∗∗ Anatomy of a DDoS amplification attack ∗∗∗ --------------------------------------------- Amplification attacks are one of the most common distributed denial of service (DDoS) attack vectors. These attacks are typically categorized as flooding or volumetric attacks, where the attacker succeeds in generating more traffic than the target can process, resulting in exhausting its resources due to the amount of traffic it receives. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/23/anatomy-of-ddos-amplific… ∗∗∗ New Research Paper: Pre-hijacking Attacks on Web User Accounts ∗∗∗ --------------------------------------------- In 2020, MSRC awarded two Identity Project Research Grants to support external researchers working to further strengthen the security of identity protocols and systems. Today we are pleased to release the results of the first of these projects. --------------------------------------------- https://msrc-blog.microsoft.com/2022/05/23/pre-hijacking-attacks/ ∗∗∗ Cybersecurity Community Warned of Fake PoC Exploits Delivering Malware ∗∗∗ --------------------------------------------- Researchers have spotted fake proof-of-concept (PoC) exploits that appear to have been created by threat actors in an effort to deliver malware to members of the cybersecurity community. --------------------------------------------- https://www.securityweek.com/cybersecurity-community-warned-fake-poc-exploi… ∗∗∗ Die wichtigsten Einstellungen für ein sicheres Smartphone ∗∗∗ --------------------------------------------- Das Smartphone ist mittlerweile ein treuer Begleiter. Kontaktinformationen, Termine, Fotos, Bankdaten und Nachrichten befinden sich auf unseren Geräten. Kein Wunder, dass uns ein ungutes Gefühl überkommt, wenn das Smartphone nicht auffindbar und möglicherweise verloren gegangen ist. Am Smartphone sind viele persönliche Daten gespeichert und diese gilt es zu schützen. --------------------------------------------- https://www.watchlist-internet.at/news/die-wichtigsten-einstellungen-fuer-e… ∗∗∗ Breaking out of Windows Kiosks using only Microsoft Edge ∗∗∗ --------------------------------------------- I will take you through the steps that I performed to get code execution on a Windows kiosk host using ONLY Microsoft Edge. --------------------------------------------- https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-… ===================== = Vulnerabilities = ===================== ∗∗∗ Zyxel: Lücken in Access-Points, Access-Point-Controllern und Firewalls ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Zyxel warnt vor mehreren Sicherheitslücken in den Access-Points, Access-Point-Controllern sowie Firewalls. Updates sind verfügbar. --------------------------------------------- https://heise.de/-7108626 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openldap), Fedora (curl), Oracle (kernel and kernel-container), Red Hat (maven:3.5), SUSE (cacti, cacti-spine, firefox, go1.18, openldap2, python-requests, rsyslog, and slurm_20_11), and Ubuntu (firefox, htmldoc, libpng, libxfixes, libxrender, thunderbird, and vim). --------------------------------------------- https://lwn.net/Articles/896114/ ∗∗∗ CVE-2022-25237: Bonitasoft Authorization Bypass and RCE ∗∗∗ --------------------------------------------- https://rhinosecuritylabs.com/application-security/cve-2022-25237-bonitasof… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which is packaged in IBM ESS (CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM DataPower Gateway Operand affected by vulnerabilities in Go (CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-ope… ∗∗∗ Security Bulletin: IBM DataPower Gateway potentially vulnerable to DNS spoofing ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-pot… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where an unauthorized user can send arbitrary data to the CLI commands and daemon (CVE-2020-4926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2022-22309 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM ESS ( CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: Linux Kernel vulnerability may affect IBM Elastic Storage System (CVE-2021-4083) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-linux-kernel-vulnerabilit… ∗∗∗ Security Bulletin: A vulnerability in IBM JAVA JDK affects IBM Spectrum Scale packaged in IBM Elastic Storage System (CVE-2022-21291) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: A vulnerability in IBM WebSphere Application Server Liberty affects IBM Spectrum Scale packaged in IBM Elastic Storage System (CVE-2021-39031) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-we… ∗∗∗ Security Bulletin: This Power System update is being released to address CVE-2020-1968 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-… ∗∗∗ Security Bulletin: IBM Security Verify Adapters are vulnerable to denial of service and bypass security restrictions due to OpenSSL (CVE-2021-3449, CVE-2021-3450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-adapt… ∗∗∗ Security Bulletin: IBM Navigator for i is vulnerable to an SQL injection (CVE-2022-22495) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-navigator-for-i-is-vu… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by vulnerability in JRE ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale that could allow an attacker to decrypt highly sensitive information(CVE-2022-22368) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale which is packaged in IBM ESS (CVE-2020-4926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Operator may be vulnerable to denial of service due to CVE-2021-38561 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0646 ∗∗∗ Matrikon OPC Server ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-144-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.05.2022
by Daily end-of-shift report 23 May '22

23 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 20-05-2022 18:00 − Montag 23-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Malicious PyPI package opens backdoors on Windows, Linux, and Macs ∗∗∗ --------------------------------------------- Yet another malicious Python package has been spotted in the PyPI registry performing supply chain attacks to drop Cobalt Strike beacons and backdoors on Windows, Linux, and macOS systems. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-pypi-package-opens… ∗∗∗ How to find NPM dependencies vulnerable to account hijacking ∗∗∗ --------------------------------------------- Following the recent disclosure of a technique for hijacking certain NPM packages, security engineer Danish Tariq has proposed a defensive strategy for those looking to assess whether their web apps include dependencies tied to subvertable email domains. --------------------------------------------- https://www.theregister.com/2022/05/23/npm_dependencies_vulnerable/ ∗∗∗ Conti Ransomware Operation Shut Down After Brand Becomes Toxic ∗∗∗ --------------------------------------------- The Conti brand’s downfall appears to have started in late February, after Russia launched an invasion of Ukraine. --------------------------------------------- https://www.securityweek.com/conti-ransomware-operation-shut-down-after-bra… ∗∗∗ Wenn nach einer Bestellung auf Vinted ein Zalando-Paket ankommt… ∗∗∗ --------------------------------------------- Sie haben etwas auf Vinted gekauft aber ein Zalando-Paket erhalten? Dann sollten Sie rasch handeln. Dabei handelt es sich nämlich um eine Betrugsmasche. --------------------------------------------- https://www.watchlist-internet.at/news/wenn-nach-einer-bestellung-auf-vinte… ∗∗∗ Botnet bedroht Linux-Server ∗∗∗ --------------------------------------------- Schützen Sie Ihre Linux-Server vor XorDdoS, einem Botnet, das im Internet nach SSH-Servern mit schwachen Passwörtern sucht, warnt Microsoft. --------------------------------------------- https://www.zdnet.de/88401426/botnet-bedroht-linux-server/ ∗∗∗ Windows Defender Application Control: Empfohlene Blockierungsregeln (Mai 2022) ∗∗∗ --------------------------------------------- In Windows 10 und Windows 11 sind Windows Defender Application Control (WDAC) und AppLocker als Features in den Unternehmensvarianten (Windows 10/11 Enterprise) als Sicherheitsfunktionen verfügbar. Nun hat Microsoft Mitte Mai 2022 eine Liste der empfohlenen Blockierungsregeln veröffentlicht. --------------------------------------------- https://www.borncity.com/blog/2022/05/22/windows-defender-application-contr… ===================== = Vulnerabilities = ===================== ∗∗∗ PDF smuggles Microsoft Word doc to drop Snake Keylogger malware ∗∗∗ --------------------------------------------- Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-… ∗∗∗ Jetzt patchen! Angreifer attackieren Cisco 8000 Series Router ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat Sicherheitsupdates für verschiedene Netzwerk-Komponenten veröffentlicht. --------------------------------------------- https://heise.de/-7102828 ∗∗∗ Oracle warnt vor Sicherheitslücke in E-Business Suite ∗∗∗ --------------------------------------------- Oracle veröffentlicht Updates eigentlich quartalsweise zum Critical-Patch-Update-Termin. Ein Patch schließt bereits jetzt eine Lücke in der E-Business-Suite. --------------------------------------------- https://heise.de/-7102875 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (admesh, condor, firefox-esr, libpgjava, libxml2, rsyslog, and thunderbird), Fedora (dotnet6.0, libarchive, php-openpsa-universalfeedcreator, thunderbird, and vim), Mageia (ffmpeg, kernel, kernel-linus, microcode, netatalk, nvidia-current, nvidia390, opencontainers-runc, postgresql, and ruby-nokogiri), Slackware (mariadb and mozilla), and SUSE (curl, firefox, libarchive, librecad, libxls, openldap2, php7, and postgresql10). --------------------------------------------- https://lwn.net/Articles/896032/ ∗∗∗ Password policy guidance ∗∗∗ --------------------------------------------- Why do we need strong passwords? Passwords are stored by using a one-way hashing algorithm to generate a representation of the original password on a securely designed system. --------------------------------------------- https://www.pentestpartners.com/security-blog/password-policy-guidance/ ∗∗∗ Denial of Service Vulnerability in some Huawei Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220601-… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is vulnerable to remote code execution and denial of service due to multiple Expat CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to server-side request forgery due to Python (CVE-2021-29921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: TXSeries for Multiplatforms is vulnerable to arbitrary code execution due to IBM WebSphere Application Server Liberty (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-txseries-for-multiplatfor… ∗∗∗ Security Bulletin: Vulnerability in Curl affects IBM Cloud Private and could allow a remote attacker to bypass security restrictions (CVE-2021-22926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-curl-aff… ∗∗∗ Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-monitoring-is-… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ K08832573: DHCP vulnerability CVE-2021-25217 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08832573 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.05.2022
by Daily end-of-shift report 20 May '22

20 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 19-05-2022 18:00 − Freitag 20-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Rise in XorDdos: A deeper look at the stealthy DDoS malware targeting Linux devices ∗∗∗ --------------------------------------------- Observing a 254% increase in activity over the last six months from a versatile Linux trojan called XorDdos, the Microsoft 365 Defender research team provides in-depth analysis into this stealthy malwares capabilities and key infection signs. --------------------------------------------- https://www.microsoft.com/security/blog/2022/05/19/rise-in-xorddos-a-deeper… ∗∗∗ Hackers Trick Users with Fake Windows 11 Downloads to Distribute Vidar Malware ∗∗∗ --------------------------------------------- Fraudulent domains masquerading as Microsofts Windows 11 download portal are attempting to trick users into deploying trojanized installation files to infect systems with the Vidar information stealer malware. --------------------------------------------- https://thehackernews.com/2022/05/hackers-trick-users-with-fake-windows.html ∗∗∗ Cytroxs Predator Spyware Targeted Android Users with Zero-Day Exploits ∗∗∗ --------------------------------------------- Googles Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. --------------------------------------------- https://thehackernews.com/2022/05/cytroxs-predator-spyware-target-android.h… ∗∗∗ Metastealer – filling the Racoon void ∗∗∗ --------------------------------------------- MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year. --------------------------------------------- https://research.nccgroup.com/2022/05/20/metastealer-filling-the-racoon-voi… ∗∗∗ Emotet Being Distributed Using Various Files ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered the distribution of Emotet through link files (.lnk). The malware has been steadily distributed in the past, but starting from April, it was found that the Emotet downloader uses Excel files as well as link files (.lnk). --------------------------------------------- https://asec.ahnlab.com/en/34556/ ===================== = Vulnerabilities = ===================== ∗∗∗ Oracle Security Alert for CVE-2022-21500 - 19 May 2022 ∗∗∗ --------------------------------------------- This Security Alert addresses vulnerability CVE-2022-21500, which affects some deployments of Oracle E-Business Suite. --------------------------------------------- https://www.oracle.com/security-alerts/alert-cve-2022-21500.html ∗∗∗ Angreifer könnten mit DNS-Software BIND erstellte TLS-Sessions "zerstören" ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für BIND, welches Admins zeitnah installieren sollten. --------------------------------------------- https://heise.de/-7101032 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (kernel), Debian (ark, openldap, and thunderbird), Fedora (freetype and vim), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, container-tools:3.0, glibc, kernel, rsync, and subversion:1.10), Scientific Linux (kernel), SUSE (dcraw, firefox, glib2, ImageMagick, kernel-firmware, libxml2, libyajl, php7, ucode-intel, and unrar), and Ubuntu (openldap). --------------------------------------------- https://lwn.net/Articles/895862/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Process Designer in IBM Business Automation Workflow and IBM Business Process Manager ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-23450, CVE-1999-0001) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Spoofing (CVE-2022-22365) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Robotic Process Automation with Automation Anywhere is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-39038, CVE-1999-0002) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS) vulnerability (CVE-2021-39043) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Galleon NTS-6002-GPS Command Injection vulnerability (CVE-2022-27224) ∗∗∗ --------------------------------------------- https://www.pentestpartners.com/security-blog/galleon-nts-6002-gps-command-… ∗∗∗ Security Vulnerabilities fixed in Firefox 100.0.2, Firefox for Android 100.3.0, Firefox ESR 91.9.1, Thunderbird 91.9.1 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-19/ ∗∗∗ Grafana: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0639 ∗∗∗ Trend Micro Security Produkte: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0638 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.05.2022
by Daily end-of-shift report 19 May '22

19 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 18-05-2022 18:00 − Donnerstag 19-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Lazarus hackers target VMware servers with Log4Shell exploits ∗∗∗ --------------------------------------------- The North Korean hacking group known as Lazarus is exploiting the Log4J remote code execution vulnerability to inject backdoors that fetch information-stealing payloads on VMware Horizon servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lazarus-hackers-target-vmwar… ∗∗∗ iPhone aus, Funk bleibt an: Sicherheitsforscher sehen neue Angriffsfläche ∗∗∗ --------------------------------------------- Auf einem abgeschalteten iPhone kann Malware laufen, warnt ein Forschungsteam der TU Darmstadt. Apples Low-Power-Mode fehlen Schutzvorkehrungen. --------------------------------------------- https://heise.de/-7099330 ∗∗∗ Qnap warnt vor Ransomware-Angriffen auf Netzwerkspeicher ∗∗∗ --------------------------------------------- Der Hersteller Qnap warnt vor neuen Angriffen mit Ransomware auf die Netzwerkspeicher des Unternehmens. Admins sollen bereitstehende Updates zügig installieren. --------------------------------------------- https://heise.de/-7099676 ∗∗∗ „Domain ist abgelaufen“: Ignorieren Sie die E-Mail im Namen von domaintechnik.at ∗∗∗ --------------------------------------------- Sie besitzen eine Website? Dann sollten Sie sich vor betrügerischen Phishing-Mails in Acht nehmen, die derzeit im Namen von domaintechnik.at versendet werden. Darin behaupten Kriminelle, dass sie eine Bestellung nicht bearbeiten konnten und daher Ihre Domain sperren mussten. Um die Domain zu verlängern, werden Sie dazu aufgefordert auf einen Link zu klicken und Ihre Kreditkartendaten einzugeben. --------------------------------------------- https://www.watchlist-internet.at/news/domain-ist-abgelaufen-ignorieren-sie… ===================== = Vulnerabilities = ===================== ∗∗∗ Attacken auf VMware-Sicherheitslücken: Jetzt updaten! ∗∗∗ --------------------------------------------- Die US-amerikanische CISA warnt vor Angriffen auf mehrere Sicherheitslücken in VMware-Produkten. VMware dichtet zudem neu entdeckte Schwachstellen ab. --------------------------------------------- https://heise.de/-7099531 ∗∗∗ iTunes 12.12.4 for Windows ∗∗∗ --------------------------------------------- This document describes the security content of iTunes 12.12.4 for Windows. --------------------------------------------- https://support.apple.com/kb/HT213259 ∗∗∗ Cisco Security Advisories 2022-05-18 ∗∗∗ --------------------------------------------- Cisco published 5 Security Advisories (5 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Sicherheitsupdates: Admin-Lücke bedroht WordPress-Websites mit Jupiter Theme ∗∗∗ --------------------------------------------- Mit dem Theme-Builder Jupiter Theme oder Jupiter X Core Plugin erstellte WordPress-Websites sind verwundbar. --------------------------------------------- https://heise.de/-7099655 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (microcode_ctl, rubygem-nokogiri, and vim), Mageia (htmldoc, python-django, and python-oslo-utils), Red Hat (container-tools:2.0, kernel, kernel-rt, kpatch-patch, and pcs), SUSE (ardana-barbican, grafana, openstack-barbican, openstack-cinder, openstack-heat-gbp, openstack-horizon-plugin-gbp-ui, openstack-ironic, openstack-keystone, openstack-neutron-gbp, python-lxml, release-notes-suse-openstack-cloud, autotrace, curl, firefox, libslirp, php7, poppler, slurm_20_11, and ucode-intel), and Ubuntu (bind9, gnome-control-center, and libxrandr). --------------------------------------------- https://lwn.net/Articles/895771/ ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- CB-K22/0632: Zoom Video Communications Zoom Client: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen. Ein entfernter, anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in Zoom Video Communications Zoom Client ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0632 ∗∗∗ Wingsuit - Storybook for UI Patterns - Critical - Access bypass - SA-CONTRIB-2022-040 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-040 ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to Denial of Service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnarable to exposure of sensitive information (CVE-20204970) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to exposure of sensitive information (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: PowerVC installation on RHEL is vulnerable to MariaDB with CVE-2021-27928 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-powervc-installation-on-r… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ K18484125: Eclipse Jetty vulnerability CVE-2020-27216 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K18484125 ∗∗∗ K82896488: Cyrus SASL vulnerability CVE-2022-24407 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K82896488 ∗∗∗ K21548854: zlib vulnerability CVE-2018-25032 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K21548854 ∗∗∗ K83120834: Diffie-Hellman key agreement protocol vulnerability CVE-2002-20001 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K83120834 ∗∗∗ Mitsubishi Electric MELSEC iQ-F Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-139-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.05.2022
by Daily end-of-shift report 18 May '22

18 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 17-05-2022 18:00 − Mittwoch 18-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft warns of brute-force attacks targeting MSSQL servers ∗∗∗ --------------------------------------------- Microsoft warned of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords. --------------------------------------------- https://www.bleepingcomputer.com/news/security/microsoft-warns-of-brute-for… ∗∗∗ Researchers Expose Inner Workings of Billion-Dollar Wizard Spider Cybercrime Gang ∗∗∗ --------------------------------------------- The inner workings of a cybercriminal group known as the Wizard Spider have been exposed, shedding light on its organizational structure and motivations. --------------------------------------------- https://thehackernews.com/2022/05/researchers-expose-inner-working-of.html ∗∗∗ We Love Relaying Credentials: A Technical Guide to Relaying Credentials Everywhere ∗∗∗ --------------------------------------------- A guide to relaying credentials everywhere in 2022. --------------------------------------------- https://www.secureauth.com/blog/we-love-relaying-credentials-a-technical-gu… ∗∗∗ Gefährliche PayPal-Phishing-Nachricht in Umlauf ∗∗∗ --------------------------------------------- In einer gefährlichen PayPal-Phishing-Mail wird behauptet „Aktion fur Ihr PayPal-Konto erforderlich“. Die Nachricht ist im PayPal-Design gehalten und spielt vor, dass eine Transaktion für Glücksspiel aufgehalten und Ihr Konto deshalb eingeschränkt wurde. Schenken Sie dem keinen Glauben und geben Sie keine Daten bekannt! Man versucht Ihre PayPal-Login-Daten und Ihre Kreditkartendaten zu stehlen! --------------------------------------------- https://www.watchlist-internet.at/news/gefaehrliche-paypal-phishing-nachric… ∗∗∗ EntropyCapture: Simple Extraction of DPAPI Optional Entropy ∗∗∗ --------------------------------------------- During a short application assessment, enumeration and decryption of a third-party application’s Windows Data Protection API (DPAPI) blobs using SharpDPAPI produced non-readable data because optional entropy was being used. --------------------------------------------- https://posts.specterops.io/entropycapture-simple-extraction-of-dpapi-optio… ===================== = Vulnerabilities = ===================== ∗∗∗ BIND: Destroying a TLS session early causes assertion failure (CVE-2022-1183) ∗∗∗ --------------------------------------------- An assertion failure can be triggered if a TLS connection to a configured http TLS listener with a defined endpoint is destroyed too early. --------------------------------------------- https://kb.isc.org/docs/cve-2022-1183 ∗∗∗ VMSA-2022-0014 ∗∗∗ --------------------------------------------- VMware Workspace ONE Access, Identity Manager and vRealize Automation updates address multiple vulnerabilities. --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0014.html ∗∗∗ Sicherheitsupdates: Schadcode-Lücken in GPU-Treibern von Nvidia geschlossen ∗∗∗ --------------------------------------------- Berechnen Nvidia-Grafikkarten von Angreifern präparierte Shader, kann es zu Sicherheitsproblemen kommen. --------------------------------------------- https://heise.de/-7097875 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (elog, needrestart, openssl, and waitress), Fedora (curl, libxml2, slurm, and vim), Scientific Linux (zlib), SUSE (e2fsprogs, nodejs10, php72, and thunderbird), and Ubuntu (apport, clamav, needrestart, and pcre3). --------------------------------------------- https://lwn.net/Articles/895642/ ∗∗∗ Security Bulletin: OpenSSL publicly disclosed vulnerability affects IBM MobileFirst Platform Foundation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to HTTP header injection ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: IBM DataPower Gateway vulnerable to temporary DoS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-vul… ∗∗∗ Security Bulletin: Heap-Based Buffer Overflow in Mozilla Network Security Services (NSS) may affect IBM Spectrum Protect Plus (CVE-2021-43527) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-heap-based-buffer-overflo… ∗∗∗ Security Bulletin: Vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ht… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM Sterling Connect:Express for UNIX is vulnerable to denial of service due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectexpre… ∗∗∗ Security Bulletin: IBM DataPower Gateway: Update Redis to remediate two CVEs ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-upd… ∗∗∗ Synology-SA-22:07 Synology Calendar ∗∗∗ --------------------------------------------- https://www.synology.com/en-global/support/security/Synology_SA_22_07 ∗∗∗ GIMP: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0623 ∗∗∗ SMA100 post-authentication Remote Command Execution vulnerability ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0010 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.05.2022
by Daily end-of-shift report 17 May '22

17 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 16-05-2022 18:00 − Dienstag 17-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Hackers target Tatsu WordPress plugin in millions of attacks ∗∗∗ --------------------------------------------- All users of the Tatsu Builder plugin are strongly recommended to upgrade to version 3.3.13 to avoid attack risks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hackers-target-tatsu-wordpre… ∗∗∗ Over 380 000 open Kubernetes API servers ∗∗∗ --------------------------------------------- We have recently started scanning for accessible Kubernetes API instances that respond with a 200 OK HTTP response to our probes. Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. We find over 380 000 Kubernetes API daily that allow for some form of access, out of over 450 000 that we are able to identify. Data on these is shared daily in our Accessible Kubernetes API Server Report. --------------------------------------------- https://www.shadowserver.org/news/over-380-000-open-kubernetes-api-servers/ ∗∗∗ UpdateAgent Returns with New macOS Malware Dropper Written in Swift ∗∗∗ --------------------------------------------- A new variant of the macOS malware tracked as UpdateAgent has been spotted in the wild, indicating ongoing attempts on the part of its authors to upgrade its functionalities. --------------------------------------------- https://thehackernews.com/2022/05/updateagent-returns-with-new-macos.html ∗∗∗ Weak Security Controls and Practices Routinely Exploited for Initial Access ∗∗∗ --------------------------------------------- This joint Cybersecurity Advisory identifies commonly exploited controls and practices and includes best practices to mitigate the issues. --------------------------------------------- https://www.cisa.gov/uscert/ncas/alerts/aa22-137a ∗∗∗ Fahrräder im Internet kaufen: Vorsicht vor Fake-Shops ∗∗∗ --------------------------------------------- Im Internet gibt es zahlreiche Fake-Shops für Fahrräder und Zubehör. vandeyk-sport.com, motaza.shop oder nemino.net sind nur einige wenige Beispiele. Diese Fake-Shops bieten Fahrräder, die sonst schon überall ausverkauft sind – auch noch zu einem günstigeren Preis als andere Online-Shops! Außerdem können Sie nur vorab bezahlen. Finger weg: Sie erhalten keine Lieferung! --------------------------------------------- https://www.watchlist-internet.at/news/fahrraeder-im-internet-kaufen-vorsic… ===================== = Vulnerabilities = ===================== ∗∗∗ iOS und iPadOS 15.5 sind da: Bugfixes und kleinere Verbesserungen ∗∗∗ --------------------------------------------- Apple hat in der Nacht zum Dienstag iOS 15.5 und iPadOS 15.5 freigegeben. Es handelt sich um kleinere Aktualisierungen, die Fehler beheben und minimale Verbesserungen bringen. --------------------------------------------- https://heise.de/-7096570 ∗∗∗ macOS 12.4 und Sicherheitsupdates für Big Sur und Catalina erhältlich ∗∗∗ --------------------------------------------- Neben iOS 15.5 liefert Apple auch neue Betriebssysteme für Mac, Apple TV, Apple Watch, HomePod und das Studio Display. --------------------------------------------- https://heise.de/-7096585 ∗∗∗ Zugangskontrolle: Aruba schließt Sicherheitslücken in ClearPass Policy Manager ∗∗∗ --------------------------------------------- Mit Arubas ClearPass Policy Manager können Administratoren die Zugangskontrolle regeln. Sicherheitslücken darin ermöglichen Angreifern die komplette Übernahme. --------------------------------------------- https://heise.de/-7097151 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cifs-utils, ffmpeg, libxml2, and vim), Fedora (rsyslog), Mageia (chromium-browser-stable), SUSE (chromium, containerd, docker, e2fsprogs, gzip, jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core, kernel, nodejs8, openldap2, pidgin, podofo, slurm, and tiff), and Ubuntu (clamav, containerd, libxml2, and openldap). --------------------------------------------- https://lwn.net/Articles/895521/ ∗∗∗ Apache Releases Security Advisory for Tomcat ∗∗∗ --------------------------------------------- Original release date: May 16, 2022The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Tomcat. An attacker could exploit this vulnerability to obtain sensitive information. CISA encourages users and administrators to review Apache’s security advisory and apply the necessary updates. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/16/apache-releases-s… ∗∗∗ Nvidia Sicherheitsupdates für Kepler GTX 700/600 GPU WHQL-Treiber (473.47) freigegeben ∗∗∗ --------------------------------------------- Hersteller Nvidia hat zum 16. Mai 2022 ein Sicherheitsupdate für den Grafiktreiber der Kepler GeForce GPUs freigegeben. --------------------------------------------- https://www.borncity.com/blog/2022/05/17/nvidia-sicherheitsupdates-fr-keple… ∗∗∗ Vulnerability Spotlight: Multiple memory corruption vulnerabilities in NVIDIA GPU driver ∗∗∗ --------------------------------------------- Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw. Cisco Talos recently discovered four vulnerabilities in the NVIDIA D3D10 driver for graphics cards that could allow an attacker to corrupt memory and write arbitrary memory on the card. --------------------------------------------- http://blog.talosintelligence.com/2022/05/vuln-spotlight-nvidia-driver-memo… ∗∗∗ Spring Security 5.7.0, 5.6.4, 5.5.7 Released - Fixes CVE-2022-22975 & CVE-2022-22976 ∗∗∗ --------------------------------------------- Spring Security 5.7.0 (release notes), 5.6.4 (release notes), 5.5.7 (release notes) have been released which fix CVE-2022-22978, CVE-2022-22976. Please update as soon as possible. --------------------------------------------- https://spring.io/blog/2022/05/15/spring-security-5-7-0-5-6-4-5-5-7-release… ∗∗∗ Security Bulletin: IBM MQ Operator and IBM supplied MQ Advanced container images are vulnerable to multiple issues from Red Hat UBI packages and the IBM WebSphere Application Server Liberty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-ibm-s… ∗∗∗ Security Bulletin: Potential Denial of Service in IBM DataPower Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-denial-of-servi… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Sterling External Authentication Server is vulnerable to multiple vulnerabilities due to IBM Java Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-external-aut… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to cross-site scripting due to Select2 CVE-2016-10744 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: OpenSSL (Publicly disclosed vulnerability) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-publicly-disclose… ∗∗∗ Security Bulletin: IBM DataPower vulnerable to DoS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-vulnerable-… ∗∗∗ Security Bulletin: IBM DataPower Gateway API Gateway component potentially vulnerable to a Denial of Service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-api… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from expat, Golang Go, gcc, openssl and libxml. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: IBM Sterling External Authentication Server is vulnerable to improper validation of certificates ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-external-aut… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22475) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Sterling Secure Proxy is vulnerable to multiple vulnerabilities due to IBM Java Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-secure-proxy… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to DOS due to Eclipse Jetty CVE-2018-12545 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ Security Bulletin: IBM Sterling B2B Integrator is vulnerable to permission control vulnerability (CVE-2022-22482) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrat… ∗∗∗ Security Bulletin: IBM Sterling Secure Proxy is vulnerable to improper validation of certificates (CVE-2021-29726) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-secure-proxy… ∗∗∗ Security Bulletin: IBM Process Mining is vulnerable to phishing attacks due to URI.js. CVE-2022-0868 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-process-mining-is-vul… ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service und Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0618 ∗∗∗ Circutor COMPACT DC-S BASIC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-137-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.05.2022
by Daily end-of-shift report 16 May '22

16 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 13-05-2022 18:00 − Montag 16-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Microsoft warnt vor Sysrv-Botnet ∗∗∗ --------------------------------------------- Eine neue Variante des Sysrv-Botnets hat Microsoft beobachtet, die Windows- und Linux-Systeme befällt, um Kryptowährungen zu schürfen. --------------------------------------------- https://heise.de/-7095053 ∗∗∗ HTML attachments in phishing e-mails ∗∗∗ --------------------------------------------- In this article we review phishing HTML attachments, explaining common tricks the attackers use, and give statistics on HTML attachments detected by Kaspersky solutions. --------------------------------------------- https://securelist.com/html-attachments-in-phishing-e-mails/106481/ ∗∗∗ Fake Mobile Apps Steal Facebook Credentials, Cryptocurrency-Related Keys ∗∗∗ --------------------------------------------- We recently observed a number of apps on Google Play designed to perform malicious activities such as stealing user credentials and other sensitive user information, including private keys. Because of the number and popularity of these apps — some of them have been installed over a hundred thousand times — we decided to shed some light on what these apps actually do by focusing on some of the more notable examples. --------------------------------------------- https://www.trendmicro.com/en_us/research/22/e/fake-mobile-apps-steal-faceb… ∗∗∗ SIP Digest Leak: Angriff auf SIP-Konten ∗∗∗ --------------------------------------------- Im Fachartikel "SIP Digest Leak" beschreibt IT Security Consultant Moritz Abrell einen SIP-spezifischen Angriff auf VoIP-Systeme. --------------------------------------------- https://www.syss.de/pentest-blog/sip-digest-leak-angriff-auf-sip-konten ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in Sonicwall SMA 1000 und SSL-VPN erlauben unbefugten Zugriff ∗∗∗ --------------------------------------------- Sonicwall schließt mehrere Sicherheitslücken in Firmwares von SMA-1000-Geräten und in SSL-VPN NetExtender. Angreifer könnten sich etwa Zugriff verschaffen. --------------------------------------------- https://heise.de/-7092533 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (gzip, java-1.8.0-openjdk, java-11-openjdk, and zlib), Debian (adminer, htmldoc, imagemagick, libgoogle-gson-java, lrzip, openjdk-8, openssl, and ruby-nokogiri), Fedora (ecdsautils, et, libxml2, podman, and supertux), Mageia (cairo, clamav, curl, fish, freetype2, golang-github-prometheus-client, python-django-registration, python-nbxmpp, python-waitress, and xmlrpc-c), Red Hat (pcs), SUSE (curl, kernel, pidgin, and webkit2gtk3), and Ubuntu (tiff). --------------------------------------------- https://lwn.net/Articles/895392/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management may be vulnerable to arbitrary code execution due to Apache Log4j 1.2 (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Information Disclosure in IBM Spectrum Protect Operations Center Browser's History (CVE-2022-22484) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-information-disclosure-in… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by multiple vulnerabilities (CVE-2022-22950, XFID:217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to OpenSSL (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: IBM Security Identity Governance and Intelligence is vulnerable to sensitive information disclosure (CVE-2020-4957) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-identity-gov… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a potential issue in jackson-databind – fasterxml-jackson (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: IBM Case Manager is vulnerable to cross-site scripting – CVE-2020-4768 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-case-manager-is-vulne… ∗∗∗ Security Bulletin: Vulnerabilities with OpenSSL affect IBM Cloud Object Storage Systems (May 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-open… ∗∗∗ Security Bulletin: Multiple Vulnerabilities have been identified in IBM Cloud Pak System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks ∗∗∗ --------------------------------------------- https://research.nccgroup.com/2022/05/15/technical-advisory-ble-proximity-a… ∗∗∗ Pepperl+Fuchs: RSM-EX devices - Multiple Bluetooth vulnerabilities ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-021/ ∗∗∗ Webmin: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0609 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.05.2022
by Daily end-of-shift report 13 May '22

13 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 12-05-2022 18:00 − Freitag 13-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt patchen! Zyxel Firewalls als Schlupfloch in Firmen-Netzwerke ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt eine kritische Lücke in mehreren Firewall-Modellen von Zyxel. --------------------------------------------- https://heise.de/-7090269 ∗∗∗ Desktop-Firewall ZoneAlarm: Kritische Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- Eine Sicherheitslücke in der Desktop-Firewall ZoneAlarm könnte Angreifern ermöglichen, ihre Rechte im System auszuweiten und somit die Kontrolle zu übernehmen. --------------------------------------------- https://heise.de/-7090411 ∗∗∗ Crypto-Betrug: Vorsicht vor Yuan Pay Group ∗∗∗ --------------------------------------------- Investitionsplattformen für Crypto-Währungen gibt es wie Sand am Meer. Sie locken mit dem großen Geld bei nur 250€ Investment. Der Haken: Haben Sie einmal investiert, sehen Sie ihr Geld oft nie wieder. Hier finden Sie eine Anleitung wie Sie Crypto-Scams erkennen. --------------------------------------------- https://www.watchlist-internet.at/news/crypto-betrug-vorsicht-vor-yuan-pay-… ∗∗∗ BIOS-Updates fixen kritische Schwachstellen in HPs Business- und Consumer-Modellen sowie in Intel-CPUs (Mai 2022) ∗∗∗ --------------------------------------------- Der Hersteller Hewlett Packard (HP) hat die Tage einen Sicherheitshinweis (Security Advisory) veröffentlicht. Diese Warnung adressiert zwei Schwachstellen in der Firmware von über 200 HP-Modellen (Business- und Consumer-Varianten), die ein Überschreiben der Firmware ermöglichen. Die Schwachstellen wurden mit einem Sicherheits-Score von 8.8 eingestuft – Updates stehen zur Verfügung. Weiterhin hat Intel einen Sicherheitshinweis auf eine Schwachstelle im BIOS von Intel-Systemen hingewiesen, die ebenfalls mit dem Score von 8.2 versehen sind und eine Privilegien-Ausweitung ermöglichen. --------------------------------------------- https://www.borncity.com/blog/2022/05/13/bios-updates-fixen-kritische-schwa… ∗∗∗ Eternity malware kit offers stealer, miner, worm, ransomware tools ∗∗∗ --------------------------------------------- Threat actors have launched the Eternity Project, a new malware-as-a-service where threat actors can purchase a malware toolkit that can be customized with different modules depending on the attack being conducted. --------------------------------------------- https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-… ∗∗∗ Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla ∗∗∗ --------------------------------------------- We analyze a malicious compiled HTML help file delivering Agent Tesla, following the chain of attack through JavaScript and multiple stages of PowerShell. --------------------------------------------- https://unit42.paloaltonetworks.com/malicious-compiled-html-help-file-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ DSA-2022-068: Dell iDRAC9 Security Update for an Improper Authentication Vulnerability ∗∗∗ --------------------------------------------- Dell iDRAC9 versions 5.00.00.00 and later but before 5.10.10.00, contain an improper authentication vulnerability. A remote unauthenticated attacker may potentially exploit this vulnerability to gain access to the VNC Console. --------------------------------------------- https://www.dell.com/support/kbdoc/en-us/000199267/dsa-2022-068-dell-idrac9… ∗∗∗ CVE-2022-1552 Autovacuum, REINDEX, and others omit "security restricted operation" sandbox ∗∗∗ --------------------------------------------- Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck made incomplete efforts to operate safely when a privileged user is maintaining another users objects. Those commands activated relevant protections too late or not at all. An attacker having permission to create non-temp objects in at least one schema could execute arbitrary SQL functions under a superuser identity. --------------------------------------------- https://www.postgresql.org/support/security/CVE-2022-1552/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, postgresql-11, postgresql-13, and waitress), Fedora (curl, java-1.8.0-openjdk-aarch32, keylime, and pcre2), Oracle (gzip and zlib), Red Hat (subversion:1.10), SUSE (clamav, documentation-suse-openstack-cloud, kibana, openstack-keystone, openstack-monasca-notification, e2fsprogs, gzip, and kernel), and Ubuntu (libvorbis and rsyslog). --------------------------------------------- https://lwn.net/Articles/895202/ ∗∗∗ Vulnerability Spotlight: How an attacker could chain several vulnerabilities in an industrial wireless router to gain root access ∗∗∗ --------------------------------------------- Cisco Talos recently discovered several vulnerabilities in InHand Networks’ InRouter302 that could allow an attacker to escalate their privileges on the targeted device from a non-privileged user to a privileged one. There are also multiple vulnerabilities that could allow an adversary to reach unconstrained root privileges. The router has one privileged user and several non-privileged ones. --------------------------------------------- https://blog.talosintelligence.com/2022/05/blog-post-.html ∗∗∗ Delta Electronics CNCSoft ∗∗∗ --------------------------------------------- This advisory contains mitigations for Stack-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in the Delta Electronics CNCSoft software management platform. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-01 ∗∗∗ Mitsubishi Electric MELSOFT iQ AppPortal ∗∗∗ --------------------------------------------- This advisory contains mitigations for Missing Authorization, Out-of-bounds Write, NULL Pointer Dereference, Classic Buffer Overflow, HTTP Request Smuggling, and Infinite Loop vulnerabilities in Mitsubishi Electric MELSOFT iQ AppPortal products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-02 ∗∗∗ Cambium Networks cnMaestro ∗∗∗ --------------------------------------------- This advisory contains mitigations for OS Command Injection, SQL Injection, Path Traversal, and Use of Potentially Dangerous Function vulnerabilities in the Cambium Networks cnMaestro network management system. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-132-04 ∗∗∗ SonicWall SSLVPN SMA1000 series affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- SonicWall SSLVPN SMA1000 series appliances are affected by the below listed multiple vulnerabilities, organizations running previous versions of SSLVPN SMA1000 series firmware should upgrade to new firmware release versions. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0009 ∗∗∗ ZDI-CAN-15739 Trend Micro Maximum Security Link Following Arbitrary File Deletion Vulnerability ∗∗∗ --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-11017 ∗∗∗ K67090077: Apache HTTP Server vulnerability CVE-2022-22720 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K67090077 ∗∗∗ HP Computer: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0606 ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22316 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021and Jan 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2021-4160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: WebSphere MQ for HP NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-mq-for-hp-nonst… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by OpenSSL denial of service vulnerabilities (CVE-2021-23840, CVE-2021-23841) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to denial of service by Go CVE-2021-43565 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-samba-… ∗∗∗ Security Bulletin: Multiple Security vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to stack exhaustion by Go CVE-2022-24921 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to SQL Injection (CVE-2022-22413) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2022-0155 & CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22325 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hp-nonstop-ser… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22393) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2022-22950, CVE-2021-22096, CVE-2022-22968, CVE-2021-22060). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-spring… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.05.2022
by Daily end-of-shift report 12 May '22

12 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 11-05-2022 18:00 − Donnerstag 12-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Backdoor in public repository used new form of attack to target big firms ∗∗∗ --------------------------------------------- A backdoor that researchers found hiding inside open source code targeting four German companies was the work of a professional penetration tester. The tester was checking clients’ resilience against a new class of attacks that exploit public repositories used by millions of software projects worldwide. But it could have been bad. Very bad. --------------------------------------------- https://arstechnica.com/?p=1853739 ∗∗∗ "Ive Found Some Bad Domains—Now What?" ∗∗∗ --------------------------------------------- When we talk about investigating bad domains, the focus of the story is usually the starting clues, but what about after you’ve identified bad domains? This blog discusses the approaches to take once a bad domain has been identified. --------------------------------------------- https://www.domaintools.com/resources/blog/ive-found-some-bad-domains-now-w… ∗∗∗ Massive WordPress JavaScript Injection Campaign Redirects to Ads ∗∗∗ --------------------------------------------- As outlined in our latest hacked website report, we’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW, the April wave for this campaign was responsible for nearly 6,000 infected websites alone. --------------------------------------------- https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-camp… ∗∗∗ Everything We Learned From the LAPSUS$ Attacks ∗∗∗ --------------------------------------------- There are two major takeaways from the LAPSUS$ attacks that organizations must pay attention to. First, the LAPSUS$ attacks clearly illustrate that gangs of cybercriminals are no longer content to perform run-of-the-mill ransomware attacks. Rather than just encrypting data as has so often been done in the past, LAPSUS$ seems far more focused on cyber extortion. LAPSUS$ gains access to an organization's most valuable intellectual property and threatens to leak that information unless a ransom is paid. --------------------------------------------- https://thehackernews.com/2022/05/everything-we-learned-from-lapsus.html ∗∗∗ Spoofing SaaS Vanity URLs for Social Engineering Attacks ∗∗∗ --------------------------------------------- While vanity URLs provide a custom, easy-to-remember link, Varonis Threat Labs discovered that some applications do not validate the legitimacy of the vanity URL’s subdomain (e.g., yourcompany.example.com), but instead only validate the URI (e.g., /s/1234). As a result, threat actors can use their own SaaS accounts to generate links to malicious content (files, folders, landing pages, forms, etc.) that appears to be hosted by your company’s sanctioned SaaS account. --------------------------------------------- https://www.varonis.com/blog/url-spoofing ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-759: Trend Micro Password Manager Link Following Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Password Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-759/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (microcode_ctl, mingw-SDL2_ttf, seamonkey, and thunderbird), Mageia (cifs-utils, gerbv, golang, libcaca, libxml2, openssl, python-pillow, python-rencode, python-twisted, python-ujson, slurm, and sqlite3), Red Hat (gzip, kernel, kpatch-patch, podman, rsync, subversion:1.10, and zlib), Scientific Linux (gzip), Slackware (curl), SUSE (clamav), and Ubuntu (curl, firefox, linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oracle, linux-raspi, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-dell300x, linux-gcp, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gcp, linux-gcp-5.4, linux-gke, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-ibm-5.4, linux-kvm, linux-oracle, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, linux, linux-aws, linux-kvm, linux-lts-xenial, and linux-oem-5.14) --------------------------------------------- https://lwn.net/Articles/895063/ ∗∗∗ Sandbox Escape mit Root Access & Klartext-Passwörtern in zahlreichen Konica Minolta bizhub MFP Drucker Terminals ∗∗∗ --------------------------------------------- Zahlreiche Konica Minolta MFP bizhub Geräte, sowie Geräte anderer Hersteller mit derselben Firmware, sind anfällig für einen Sandbox Breakout über den internen Browser, der die Hilfe-Menüs anzeigt. Der Browser selbst ist mit root-Rechten gestartet, was einen Zugriff auf das komplette Dateisystem ermöglicht. In einer Datei des Dateisystems befand sich das Administratorpasswort für das Webinterface des Druckers im Klartext. --------------------------------------------- https://sec-consult.com/de/vulnerability-lab/advisory/sandbox-escape-with-r… ∗∗∗ CVE-2022-0024 PAN-OS: Improper Neutralization Vulnerability Leads to Unintended Program Execution During Configuration Commit (Severity: HIGH) ∗∗∗ --------------------------------------------- A vulnerability exists in Palo Alto Networks PAN-OS software that enables an authenticated network-based PAN-OS administrator to upload a specifically created configuration that disrupts system processes and potentially execute arbitrary code with root privileges when the configuration is committed on both hardware and virtual firewalls. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0024 ∗∗∗ CVE-2022-30525 (FIXED): Zyxel Firewall Unauthenticated Remote Command Injection ∗∗∗ --------------------------------------------- Rapid7 discovered and reported a vulnerability that affects Zyxel firewalls supporting Zero Touch Provisioning (ZTP), which includes the ATP series, VPN series, and the USG FLEX series (including USG20-VPN and USG20W-VPN). The vulnerability, identified as CVE-2022-30525, allows an unauthenticated and remote attacker to achieve arbitrary code execution as the nobody user on the affected device. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/12/cve-2022-30525-fixed-zyxel-fire… ∗∗∗ Intel: May 2022 Patchday ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/default.html ∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to arbitrary code execution due to Apache log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Vulnerability in IBM SDK Java affects IBM Cloud Pak System (CVE-2020-27221) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-sdk-… ∗∗∗ Security Bulletin: IBM Security Verify Password Synchronization Plug-in for Windows AD affected by multiple vulnerabilities (CVE-2021-20488, CVE-2021-20494, CVE-2021-20572, CVE-2021-20573, CVE-2021-20574) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-passw… ∗∗∗ Security Bulletin: Crypto Hardware Initialization and Maintenance is vulnerable to arbitrary code execution due to Apache Log4j (CVE 2021-4104, CVE 2022-23302, CVE 2022-23305, CVE 2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-crypto-hardware-initializ… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2018-10237, CVE-2020-8908) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Missing HTTP Strict-Transport-Security Header vulnerability (CVE-2021-39072) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-25649, X-Force ID 217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple issues in IBM® Runtime Environment Java™ Technology Edition, Version 8 and Version 7 (CVE-2021-35578, CVE-2021-35588, CVE-2021-41035) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to multiple Eclipse Jetty issues ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-m… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by path traversal and crypto vulnerabilities (CVE-2021-29425, CVE-2021-39076) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a jsoup vulnerability (CVE-2021-37714) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM MQ WebConsole and REST API are affected by CVE-2021-39031. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-webconsole-and-res… ∗∗∗ Check Point Zone Alarm: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0595 ∗∗∗ CVE-2022-0025 Cortex XDR Agent: An Uncontrolled Search Path Element Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0025 ∗∗∗ CVE-2022-0026 Cortex XDR Agent: Unintended Program Execution Leads to Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0026 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.05.2022
by Daily end-of-shift report 11 May '22

11 May '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 10-05-2022 18:00 − Mittwoch 11-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New IceApple exploit toolset deployed on Microsoft Exchange servers ∗∗∗ --------------------------------------------- Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-iceapple-exploit-toolset… ∗∗∗ New stealthy Nerbian RAT malware spotted in ongoing attacks ∗∗∗ --------------------------------------------- A new remote access trojan called Nerbian RAT has been discovered that includes a rich set of features, including the ability to evade detection and analysis by researchers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-stealthy-nerbian-rat-mal… ∗∗∗ TA578 using thread-hijacked emails to push ISO files for Bumblebee malware, (Wed, May 11th) ∗∗∗ --------------------------------------------- Identified by Proofpoint as the threat actor behind the Contact Forms campaign, TA578 also appears to be pushing ISO files for Bumblebee malware through thread-hijacked emails. --------------------------------------------- https://isc.sans.edu/diary/rss/28636 ∗∗∗ Vorsicht vor aktuellen BAWAG-Phishing-Mails! ∗∗∗ --------------------------------------------- Auch aktuell kursieren unzählige Phishing-Nachrichten und landen in den E-Mail-Postfächern potenzieller Opfer. Bei neuen Betrugs-Mails im Namen der BAWAG P.S.K. haben sich die Kriminellen wieder etwas Neues einfallen lassen. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-aktuellen-bawag-phishin… ∗∗∗ From Project File to Code Execution: Exploiting Vulnerabilities in XINJE PLC Program Tool ∗∗∗ --------------------------------------------- Team82 has uncovered two vulnerabilities in XINJE’s PLC Program Tool, an engineering workstation. --------------------------------------------- https://claroty.com/2022/05/11/blog-research-from-project-file-to-code-exec… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft May 2022 Patch Tuesday fixes 3 zero-days, 75 flaws ∗∗∗ --------------------------------------------- Today is Microsofts May 2022 Patch Tuesday, and with it comes fixes for three zero-day vulnerabilities, with one actively exploited, and a total of 75 flaws. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2022-patch-tu… ∗∗∗ HP fixes bug letting attackers overwrite firmware in over 200 models ∗∗∗ --------------------------------------------- HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which might allow arbitrary code execution. --------------------------------------------- https://www.bleepingcomputer.com/news/security/hp-fixes-bug-letting-attacke… ∗∗∗ Patchday Adobe: Schadcode-Lücken bedrohen ColdFusion, InDesign & Co. ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Anwendungen von Adobe. Den Großteil der Lücken stuft der Software-Hersteller als kritisch ein. --------------------------------------------- https://heise.de/-7081357 ∗∗∗ Patchday: SAP behebt acht neu entdeckte Sicherheitsprobleme ∗∗∗ --------------------------------------------- Zum Mai-Patchday meldet SAP acht neue Sicherheitslücken und aktualisiert Artikel zu vier Schwachstellen, die das Unternehmen bereits früher abgedichtet hat. --------------------------------------------- https://heise.de/-7081276 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mutt), Fedora (blender, freerdp, kernel, kernel-headers, kernel-tools, mingw-freetype, and vim), Oracle (kernel and kernel-container), Red Hat (aspell, bind, bluez, c-ares, cairo and pixman, cockpit, compat-exiv2-026, container-tools:3.0, container-tools:rhel8, cpio, dovecot, exiv2, fapolicyd, fetchmail, flatpak, gfbgraph, gnome-shell, go-toolset:rhel8, grafana, grub2, httpd:2.4, keepalived, kernel, kernel-rt, libpq, libreoffice, libsndfile, libssh, [...] --------------------------------------------- https://lwn.net/Articles/894802/ ∗∗∗ Intel: May 2022 Patchday ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/default.html ∗∗∗ Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Cross-site Scripting (XSS). (CVE-2021-39059) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-engineering-lifecycle… ∗∗∗ Security Bulletin: Vulnerability in remote support authentication affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-remote-s… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (XSS) (CVE-2022-22345) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 43 Vulnerabilities ∗∗∗ --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ PHOENIX CONTACT: Multiple vulnerabilities in RAD-ISM-900-EN-BD devices ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-018/ ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0567 ∗∗∗ Google Releases Security Updates for Chrome ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/05/11/google-releases-s… ∗∗∗ Intel Boot Guard and Intel TXT Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500488-INTEL-BOOT-GUARD-AND-IN… ∗∗∗ Intel SSD Firmware Advisory ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500487-INTEL-SSD-FIRMWARE-ADVI… ∗∗∗ Lenovo Smart Standby Driver Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500486-LENOVO-SMART-STANDBY-DR… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.05.2022
by Daily end-of-shift report 10 May '22

10 May '22

===================== = End-of-Day report = ===================== Timeframe: Montag 09-05-2022 18:00 − Dienstag 10-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Experts Detail Saintstealer and Prynt Stealer Info-Stealing Malware Families ∗∗∗ --------------------------------------------- Cybersecurity researchers have dissected the inner workings of an information-stealing malware called Saintstealer thats designed to siphon credentials and system information. --------------------------------------------- https://thehackernews.com/2022/05/experts-detail-saintstealer-and-prynt.html ∗∗∗ SEO Poisoning – A Gootloader Story ∗∗∗ --------------------------------------------- Gootloader was the name assigned to the multi-staged payload distribution by Sophos in March 2021. The threat actors utilize SEO (search engine optimization) poisoning tactics to move compromised websites hosting malware to the top of certain search requests such as “what is the difference between a grand agreement and a contract?” or “freddie mac shared driveway agreement?” --------------------------------------------- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ ∗∗∗ Hilfe, Kriminelle bestellen Produkte in meinem Namen! ∗∗∗ --------------------------------------------- Erhalten Sie Rechnungen, Mahnungen, ja vielleicht sogar Inkasso-Schreiben für Bestellungen, die Sie nie getätigt haben? Dann kann es sein, dass Verbrecher:innen Ihre Daten für Bestellbetrug missbrauchen. --------------------------------------------- https://www.watchlist-internet.at/news/hilfe-kriminelle-bestellen-produkte-… ===================== = Vulnerabilities = ===================== ∗∗∗ Hackers Actively Exploit F5 BIG-IP Bug ∗∗∗ --------------------------------------------- The bug has a severe rating of 9.8, public exploits are released. --------------------------------------------- https://threatpost.com/exploit-f5-big-ip-bug/179563/ ∗∗∗ Vulnerability mitigated in the third-party Data Connector used in Azure Synapse pipelines and Azure Data Factory (CVE-2022-29972) ∗∗∗ --------------------------------------------- Microsoft recently mitigated a vulnerability in Azure Data Factory and Azure Synapse pipelines. The vulnerability was specific to the third-party Open Database Connectivity (ODBC) driver used to connect to Amazon Redshift in Azure Synapse pipelines and Azure Data Factory Integration Runtime (IR) and did not impact Azure Synapse as a whole. --------------------------------------------- https://msrc-blog.microsoft.com/2022/05/09/vulnerability-mitigated-in-the-t… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kicad and qemu), Fedora (thunderbird), Oracle (expat), Red Hat (samba), Slackware (kernel), and SUSE (firefox, ldb, and rsyslog). --------------------------------------------- https://lwn.net/Articles/894499/ ∗∗∗ GENEREX RCCMD vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN60801132/ ∗∗∗ SSA-285795 V1.0: Denial of Service in OPC-UA in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-285795.txt ∗∗∗ SSA-321292 V1.0: Denial of Service in the OPC Foundation Local Discovery Server (LDS) in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-321292.txt ∗∗∗ SSA-363107 V1.0: An Improper Initialization Vulnerability Affects SIMATIC WinCC Kiosk Mode ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-363107.txt ∗∗∗ SSA-480937 V1.0: Denial of Service Vulnerability in CP 44x-1 RNA before V1.5.18 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-480937.txt ∗∗∗ SSA-553086 V1.0: Multiple File Parsing Vulnerabilities in JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-553086.txt ∗∗∗ SSA-626968 V1.0: Multiple Webserver Vulnerabilities in Desigo PXC and DXR Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-626968.txt ∗∗∗ SSA-662649 V1.0: Denial of Service Vulnerability in Desigo DXR and PXC Controllers ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-662649.txt ∗∗∗ SSA-732250 V1.0: Libcurl Vulnerabilities in Industrial Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-732250.txt ∗∗∗ SSA-736385 V1.0: Memory Corruption Vulnerability in OpenV2G ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-736385.txt ∗∗∗ SSA-789162 V1.0: Vulnerabilities in Teamcenter ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-789162.txt ∗∗∗ SSA-165073: Multiple Vulnerabilities in the Webinterface of SICAM P850 and SICAM P855 Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-165073.txt ∗∗∗ SSA-162616: File Parsing Vulnerabilities in Simcenter Femap before V2022.2 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-162616.txt ∗∗∗ [CA8268] Local privilege escalation vulnerabilities in installers for ESET products for Windows fixed ∗∗∗ --------------------------------------------- https://support.eset.com/en/ca8268-local-privilege-escalation-vulnerabiliti… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to string injection vulnerability due to Node.js (CVE-2021-44532, CVE-2021-44532 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: Cúram Social Program Management is vulnerable to arbitrary code execution and SQL injection issues due to Apache Log4j (CVE-2022-23302, CVE-2022-23305, CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23806 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to OS command injection (CVE-2022-22454) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in VMware ESXi affect IBM Cloud Pak System (CVE-2021-21994, CVE-2021-21995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39024 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Adminer in Industrial Products ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-01 ∗∗∗ Eaton Intelligent Power Protector ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-02 ∗∗∗ Eaton Intelligent Power Manager Infrastructure ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-03 ∗∗∗ Eaton Intelligent Power Manager ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-04 ∗∗∗ AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-05 ∗∗∗ Mitsubishi Electric MELSOFT GT OPC UA ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-130-06 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.05.2022
by Daily end-of-shift report 09 May '22

09 May '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 06-05-2022 18:00 − Montag 09-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Hilfestellung für die Analyse schadbringender Dokumente ∗∗∗ --------------------------------------------- Das SANS-Institut veröffentlicht einen neuen "Spickzettel", der bei der Malware-Analyse verschiedener Dokumenttypen helfen soll. --------------------------------------------- https://heise.de/-7079601 ∗∗∗ Utimaco, der Krypto-Miner und ein Disclosure-Desaster ∗∗∗ --------------------------------------------- Auch Anbieter von Hochsicherheitslösungen sind vor Securityproblemen nicht gefeit. Man sollte sich vorbereiten, bevor man davon erfährt, sagt Jürgen Schmidt. --------------------------------------------- https://heise.de/-7079962 ∗∗∗ Jetzt patchen! Attacken auf F5 BIG-IP-Systeme könnten bevorstehen ∗∗∗ --------------------------------------------- Sicherheitsforscher habe in vergleichsweise kurzer Zeit Exploit-Code entwickelt. Das könnten Angreifer auch. Admins sollten BIP-IP-Produkte aktualisieren. --------------------------------------------- https://heise.de/-7079049 ∗∗∗ Kaufen Sie keine Schuhe vom Instagram-Account „wesleyroberts375“ ∗∗∗ --------------------------------------------- Auf der Instagram-Seite „wesleyroberts375“ finden sich zahlreiche Fotos von Nike-Schuhen, meist Modelle, die sonst überall ausverkauft sind. Wer einen Schuh kaufen oder den Preis erfahren möchte, muss dem Instagram-Nutzer eine private Nachricht senden. Achtung: Hinter dem Profil von „wesleyroberts375“ steckt kein echter Online-Shop. Sie werden betrogen. Schicken Sie kein Geld oder Gutscheincodes! --------------------------------------------- https://www.watchlist-internet.at/news/kaufen-sie-keine-schuhe-vom-instagra… ∗∗∗ Bedrohungen in der Cloud ∗∗∗ --------------------------------------------- Die größten Sicherheitsrisiken bei der Cloud-Nutzung und wie Hacker zu mehr Sicherheit beitragen, schildert Laurie Mercer, Security Engineer bei HackerOne, in einem Gastbeitrag. --------------------------------------------- https://www.zdnet.de/88401108/bedrohungen-in-der-cloud/ ∗∗∗ Gehärteter Online-Banking-Browser S-Protect, ein Totalausfall ∗∗∗ --------------------------------------------- Es klingt gut, was der Deutsche Sparkassen- und Giroverband da angestoßen hat. Mit S-Protect legt man einen "gehärteten" Browser vor, der Online-Banking-Kunden vor den Risiken bei Bankgeschäften auf Windows PCs oder Macs besser schützen soll. Der Haken an der Geschichte: [...] --------------------------------------------- https://www.borncity.com/blog/2022/05/09/gehrteter-online-banking-browser-s… ∗∗∗ Caramel credit card stealing service is growing in popularity ∗∗∗ --------------------------------------------- A credit card stealing service is growing in popularity, allowing any low-skilled threat actors an easy and automated way to get started in the world of financial fraud. --------------------------------------------- https://www.bleepingcomputer.com/news/security/caramel-credit-card-stealing… ∗∗∗ Constrained environment breakout. .NET Assembly exfiltration via Internet Options ∗∗∗ --------------------------------------------- It’s not uncommon for developers to find that they need to help their end users. For starter, the business requirements for software can be highly convoluted and technical. Working with [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/constrained-environment-break… ∗∗∗ Beware: This cheap and homemade malware is surprisingly effective ∗∗∗ --------------------------------------------- DCRat malware targets Windows devices. And its cheap and popular, which makes it a problem. --------------------------------------------- https://www.zdnet.com/article/beware-this-cheap-and-homemade-malware-is-sur… ∗∗∗ Introducing pyCobaltHound – Let Cobalt Strike unleash the Hound ∗∗∗ --------------------------------------------- During our engagements, red team operators often find themselves operating within complex Active Directory environments. The question then becomes finding the needle in the haystack that allows the red team to further escalate and/or reach their objectives. Luckily, the security community has already come up with ways to assist operators in answering these questions, [...] --------------------------------------------- https://blog.nviso.eu/2022/05/09/introducing-pycobalthound/ ∗∗∗ Backdoor (*.chm) Disguised as Document Editing Software and Messenger Application ∗∗∗ --------------------------------------------- The ASEC analysis team confirmed that a backdoor malware disguised as document editing software and messenger application used by many Korean users is being distributed in Korea through malicious CHM files. The team recently introduced malicious CHM files distributed in various forms twice in the ASEC blog in March. The malicious files discussed in this post execute additional malicious files via a process that is different from the previous cases. --------------------------------------------- https://asec.ahnlab.com/en/34010/ ∗∗∗ BPFDoor - an active Chinese global surveillance tool ∗∗∗ --------------------------------------------- Recently, PwC Threat Intelligence documented the existence of BPFDoor, a passive network implant for Linux they attribute to [...] --------------------------------------------- https://doublepulsar.com/bpfdoor-an-active-chinese-global-surveillance-tool… ∗∗∗ [Infographic] Cloud Misconfigurations: Dont Become a Breach Statistic ∗∗∗ --------------------------------------------- Our latest infographic highlights some key commonalities uncovered in our 2022 Cloud Misconfigurations Report. --------------------------------------------- https://www.rapid7.com/blog/post/2022/05/09/infographic-cloud-misconfigurat… ===================== = Vulnerabilities = ===================== ∗∗∗ Advisory: New installations fail with HTTP Error 403 from https://sus.sophosupd.com/ in Sophos Intercept X for Windows ∗∗∗ --------------------------------------------- Overview: New installation and/or device updates fail with HTTP Error 403 from https://sus.sophosupd.com/. This error is seen in C:\ProramData\Sophos\AutoUpdate\SophosUpdate.log. --------------------------------------------- https://support.sophos.com/support/s/article/KB-000043980?language=en_US ∗∗∗ Patchday: Fortinet schützt IP-Telefone vor Schadcode-Attacken ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für unter anderem FortiClient, FortiFone und FortiOS. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-7079563 ∗∗∗ Freifunk: Einschleusen schädlicher Firmware durch kritische Lücke möglich ∗∗∗ --------------------------------------------- Freifunk aktualisiert seine Router-Firmware und schließt eine kritische Sicherheitslücke, durch die Angreifer eigene Firmware auf die Geräte aufspielen könnten. --------------------------------------------- https://heise.de/-7079644 ∗∗∗ Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777) ∗∗∗ --------------------------------------------- Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable against XSS because their current protection does not restrict properly the set of characters allowed in [...] --------------------------------------------- https://research.nccgroup.com/2022/05/06/technical-advisory-ruby-on-rails-p… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (firefox and thunderbird), Debian (ecdsautils and libz-mingw-w64), Fedora (cifs-utils, firefox, galera, git, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, mariadb, maven-shared-utils, mingw-freetype, redis, and seamonkey), Mageia (dcraw, firefox, lighttpd, rsyslog, ruby-nokogiri, and thunderbird), Scientific Linux (thunderbird), SUSE (giflib, kernel, and libwmf), and Ubuntu (dbus and rsyslog). --------------------------------------------- https://lwn.net/Articles/894353/ ∗∗∗ RubyGems Fixes Critical Gem Takeover Vulnerability ∗∗∗ --------------------------------------------- RubyGems has addressed a critical vulnerability that could have allowed any RubyGems.org user to remove and replace certain Ruby gems. A package hosting service for the Ruby programming language, RubyGems.org hosts more than 170,000 gems. RubyGems also functions as a package manager. --------------------------------------------- https://www.securityweek.com/rubygems-fixes-critical-gem-takeover-vulnerabi… ∗∗∗ SonicWall SSL-VPN NetExtender Windows Client Buffer Overflow Vulnerability ∗∗∗ --------------------------------------------- A buffer overflow vulnerability in the SonicWall SSL-VPN NetExtender Windows Client (32 and 64 bit) in 10.2.322 and earlier versions, allows an attacker to potentially execute arbitrary code in the host windows operating system. CVE: CVE-2022-22281 --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0008 ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ K12492858: Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities CVE-2021-23337, CVE-2020-28500, and CVE-2016-7103 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K12492858 ∗∗∗ Foxit Reader: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0549 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.05.2022
by Daily end-of-shift report 06 May '22

06 May '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 05-05-2022 18:00 − Freitag 06-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New Raspberry Robin worm uses Windows Installer to drop malware ∗∗∗ --------------------------------------------- Red Canary intelligence analysts have discovered a new Windows malware with worm capabilities that spreads using external USB drives. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-raspberry-robin-worm-use… ∗∗∗ Tipps zur Passwortsicherheit am World Password Day ∗∗∗ --------------------------------------------- Heute jährt sich der Welt-Passwort-Tag. Was können Sie tun, um sich online bestmöglich zu schützen? Hier finden Sie Tipps und Tricks für den sicheren Umgang mit Ihren Daten! --------------------------------------------- https://www.watchlist-internet.at/news/tipps-zur-passwortsicherheit-am-worl… ===================== = Vulnerabilities = ===================== ∗∗∗ ClamAV 0.105.0, 0.104.3, 0.103.6 released ∗∗∗ --------------------------------------------- Today, were also publishing the 0.104.3 and 0.103.6 security patch versions, including several CVE fixes. --------------------------------------------- https://blog.clamav.net/2022/05/clamav-01050-01043-01036-released.html ∗∗∗ Schadcode-Attacken auf Videoüberwachungssystem und NAS von Qnap möglich ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen mehreren Lücken in Netzwerkprodukten von Qnap. --------------------------------------------- https://heise.de/-7077449 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (dpdk, mruby, openjdk-11, and smarty3), Oracle (thunderbird), Red Hat (thunderbird), SUSE (chromium, libvirt, python-Twisted, and tar), and Ubuntu (cron and jbig2dec). --------------------------------------------- https://lwn.net/Articles/894141/ ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities (CVE-2018-25031, CVE-2021-46708) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2022-23772 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: TS3000 (TSSC/IMC) is vulnerable to privilege escalation vulnerability due to polkit ( CVE-2021-4034 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ts3000-tssc-imc-is-vulner… ∗∗∗ Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-assistant-for-… ∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to arbitrary code execution with IBM WebSphere Application Server (CVE-2021-23450). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2021-44716 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: Rational Asset Analyzer is affected by a WebSphere Application Server vulnerability (CVE-2022-22310). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-asset-analyzer-i… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ may affect Rational Asset Analyzer (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: Vulnerability CVE-2021-39023 in IBM Guardium Data Encryption (GDE) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-cve-2021-39… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote attack due to Go CVE-2021-44717 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to missing data encoding issue (CVE-2021-39027) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A vulnerability in IBM® SDK, Java™ affects Rational Asset Analyzer (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sd… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to attack under error due to Go CVE-2022-23773 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: API Connect V10 is vulnerable to a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-v10-is-vulner… ∗∗∗ K52379673: Linux kernel vulnerability for CVE-2021-4083 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K52379673 ∗∗∗ K50899356: file vulnerability CVE-2018-10360 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K50899356 ∗∗∗ poppler: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0545 ∗∗∗ Foxit Reader: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0544 ∗∗∗ Johnson Controls Metasys ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-125-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.05.2022
by Daily end-of-shift report 05 May '22

05 May '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 04-05-2022 18:00 − Donnerstag 05-05-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ New NetDooka malware spreads via poisoned search results ∗∗∗ --------------------------------------------- A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-netdooka-malware-spreads… ∗∗∗ The strange link between a destructive malware and a ransomware-gang linked custom loader: IsaacWiper vs Vatet ∗∗∗ --------------------------------------------- Cluster25 researchers, during a comparative analysis performed at the beginning of March 2022, found evidence that suggests a possible relationships between a piece of malware belonging to the Sprite Spider arsenal (or some elements that are or were part of it) and Vavet Loader. --------------------------------------------- https://cluster25.io/2022/05/03/a-strange-link-between-a-destructive-malwar… ∗∗∗ The curious case of mavinject.exe ∗∗∗ --------------------------------------------- Mavinject is a LOLBIN currently employed by the infamous adversary group Lazarus successfully evades detection by various security products because the execution is masked under a legitimate process. --------------------------------------------- https://fourcore.io/blogs/mavinject-curious-process-injection ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco Security Advisories 2022-05-04 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 8 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ Angreifer könnten die volle Kontrolle über F5 BIG-IP-Systeme erlangen ∗∗∗ --------------------------------------------- Wichtige Sicherheitsupdates schließen unter anderem eine kritische Lücke in BIG-IP-Systemen. Admins sollten jetzt handeln. --------------------------------------------- https://heise.de/-7075530 ∗∗∗ Sicherheitsupdates: Cisco schließt VM-Ausbruch-Lücken mit Root-Zugriff ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Cisco hat unter anderem in Enterprise NFV Infrastrucutre Software eine kritische Lücke geschlossen. --------------------------------------------- https://heise.de/-7075725 ∗∗∗ Sicherheitsupdate schützt IBMs Datenbanksystem Informix Dynamic Server ∗∗∗ --------------------------------------------- Ein wichtiger Sicherheitspatch schließt eine Schwachstelle in IBMs Informix Dynamic Server. --------------------------------------------- https://heise.de/-7076231 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr), Fedora (firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, recutils, suricata, and zchunk), Oracle (firefox and kernel), Red Hat (firefox), Scientific Linux (firefox), Slackware (mozilla, openssl, and seamonkey), SUSE (apache2-mod_auth_mellon, libvirt, and pgadmin4), and Ubuntu (dpdk, mysql-5.7, networkd-dispatcher, openssl, openssl1.0, sqlite3, and twisted). --------------------------------------------- https://lwn.net/Articles/894036/ ∗∗∗ 10 Jahre alte Schwachstellen in Avast und AVG gefährden Millionen Nutzer ∗∗∗ --------------------------------------------- Sicherheitsforscher von Sentinel One haben in den Sicherheitsprodukten von Avast und AVG zwei seit 10 Jahren bestehende, schwerwiegende Schwachstellen entdeckt, die Millionen von Nutzern gefährden. --------------------------------------------- https://www.borncity.com/blog/2022/05/05/10-jahre-alte-schwachstellen-in-av… ∗∗∗ Image Field Caption - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-036 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-036 ∗∗∗ Doubleclick for Publishers (DFP) - Moderately critical - Cross site scripting - SA-CONTRIB-2022-035 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-035 ∗∗∗ Link - Moderately critical - Cross site scripting - SA-CONTRIB-2022-034 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-034 ∗∗∗ Duo Two-Factor Authentication - Critical - Unsupported - SA-CONTRIB-2022-039 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-039 ∗∗∗ Quick Node Clone - Moderately critical - Access bypass - SA-CONTRIB-2022-038 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-038 ∗∗∗ Security Bulletin: Cross-site scripting vulnerabilities in jQuery may affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation could allow a user with physical access to create an API request modified to create additional objects (CVE-2022-22434) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to an issue where an API could be used to perform a DNS lookup via a third party provider. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Cross Site Scripting vulnerabilities in jQuery might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-7656, CVE-2020-11022, CVE-2020-11023 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may allow regular users to view some admin pages. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: Multiple Vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium Data Encryption has vulnerability ( CVE-2021-39020) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-dat… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.9 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-18/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily