=====================
= End-of-Day report =
=====================
Timeframe: Thursday 04-08-2022 18:00 − Friday 05-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ ENISA Threat Landscape for Ransomware Attacks ∗∗∗
---------------------------------------------
This report aims to bring new insights into the reality of ransomware incidents through mapping and studying ransomware incidents from May 2021 to June 2022.
---------------------------------------------
https://www.enisa.europa.eu/publications/enisa-threat-landscape-for-ransomw…
∗∗∗ Copying with rsync vulnerable to attacks ∗∗∗
---------------------------------------------
The announced new rsync version is intended to prevent a server from deliberately overwriting files on the client and thereby compromising it.
---------------------------------------------
https://heise.de/-7202888
∗∗∗ VMware updates: acting quickly is "extremely important" ∗∗∗
---------------------------------------------
Admin access without a password is only one of the ten vulnerabilities for which VMware is issuing urgent updates.
---------------------------------------------
https://heise.de/-7204524
∗∗∗ Beware of fake police calls! ∗∗∗
---------------------------------------------
Are you being called from an inconspicuous number by someone claiming to be the police and accusing you of having committed a crime? Are you receiving many calls, messages or voicemail messages from strangers referring to a phone conversation you never had? This is all part of a scam.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-vor-falschen-polizeianrufen/
∗∗∗ New Linux malware brute-forces SSH servers to breach networks ∗∗∗
---------------------------------------------
A new botnet called RapperBot has emerged in the wild since mid-June 2022, focusing on brute-forcing its way into Linux SSH servers and then establishing persistence.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-linux-malware-brute-forc…
∗∗∗ Facebook finds new Android malware used by APT hackers ∗∗∗
---------------------------------------------
Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as Bitter APT and APT36 (aka Transparent Tribe) using new Android malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/facebook-finds-new-android-m…
∗∗∗ Finding hooks with windbg ∗∗∗
---------------------------------------------
In this blogpost we are going to look into hooks, how to find them, and how to restore the original functions.
---------------------------------------------
https://blog.nviso.eu/2022/08/05/finding-hooks-with-windbg/
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical vulnerabilities in Cisco's SMB routers ∗∗∗
---------------------------------------------
The web interface of Cisco's RV-series routers allows various unauthenticated actions; updates fix this.
---------------------------------------------
https://heise.de/-7203891
∗∗∗ VU#495801: muhttpd versions 1.1.5 and earlier are vulnerable to path traversal ∗∗∗
---------------------------------------------
Versions 1.1.5 and earlier of the mu HTTP daemon (muhttpd) are vulnerable to path traversal via a crafted HTTP request from an unauthenticated user. This vulnerability can allow unauthenticated users to download arbitrary files and collect private information on the target device.
---------------------------------------------
https://kb.cert.org/vuls/id/495801
∗∗∗ IBM Security Bulletins 2022-08-04 ∗∗∗
---------------------------------------------
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Security Identity Manager Virtual Appliance, IBM Robotic Process Automation, IBM Spectrum Scale Data Access Services, IBM Sterling Connect:Direct for UNIX Certified Container
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security update available in Foxit Reader for Linux 2.4.5 ∗∗∗
---------------------------------------------
Addressed a potential issue where the application could be exposed to Use-After-Free vulnerability. This occurs as the application executes the destructor under png_safe_execute. (CVE-2019-7317)
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, thunderbird, and xorg-x11-server), Debian (xorg-server), Gentoo (Babel, go, icingaweb2, lib3mf, and libmcpp), Oracle (389-ds:1.4, go-toolset:ol8, httpd, mariadb:10.5, microcode_ctl, and ruby:2.5), Red Hat (xorg-x11-server), Scientific Linux (xorg-x11-server), SUSE (buildah, go1.17, go1.18, harfbuzz, python-ujson, qpdf, u-boot, and wavpack), and Ubuntu (gnutls28, libxml2, mod-wsgi, openjdk-8, openjdk-8, openjdk-lts, openjdk-17, openjdk-18, [...]
---------------------------------------------
https://lwn.net/Articles/903997/
∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 04 August 2022 ∗∗∗
---------------------------------------------
Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ ZDI-22-1064: OPC Foundation UA .NET Standard BrowseRequest Missing Authentication Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-1064/
∗∗∗ F-Secure Linux Security and Internet GateKeeper: vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0928
∗∗∗ vim: vulnerability allows code execution ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0926
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 03-08-2022 18:00 − Thursday 04-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ TLP 2.0 is here ∗∗∗
---------------------------------------------
Earlier this week, the global Forum of Incident Response and Security Teams – or FIRST, as it is commonly known – published a new version of its Traffic Light Protocol standard. The Traffic Light Protocol (TLP) is commonly used in the incident response community, as well as in the wider security space, to quickly and in a standardized way indicate any limitations on further sharing of any transferred information.
---------------------------------------------
https://isc.sans.edu/diary/rss/28914
∗∗∗ PersistenceSniper ∗∗∗
---------------------------------------------
PersistenceSniper is a Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines.
---------------------------------------------
https://github.com/last-byte/PersistenceSniper
∗∗∗ Woody RAT: A new feature-rich malware spotted in the wild ∗∗∗
---------------------------------------------
The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.
---------------------------------------------
https://blog.malwarebytes.com/threat-intelligence/2022/08/woody-rat-a-new-f…
∗∗∗ Triangulation fraud when selling gaming accounts via classified ads ∗∗∗
---------------------------------------------
Be careful when buying and selling gaming accounts. Apart from the fact that buying and selling is often prohibited by the game developers, triangulation fraud occurs again and again. Sellers lose their gaming account and receive no money, or buyers receive no account and charge the money back.
---------------------------------------------
https://www.watchlist-internet.at/news/dreiecksbetrug-beim-verkauf-von-gami…
∗∗∗ Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware ∗∗∗
---------------------------------------------
This blog presents a case study from recent Bumblebee malware activity distributed through Projector Libra that led to Cobalt Strike. Information presented here should provide a clearer picture of the group’s tactics and help security professionals better defend their organizations against this threat.
---------------------------------------------
https://unit42.paloaltonetworks.com/bumblebee-malware-projector-libra/
∗∗∗ Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns ∗∗∗
---------------------------------------------
In early 2022, a new C2 platform called "Dark Utilities" was established, offering a variety of services such as remote system access, DDoS capabilities and cryptocurrency mining. The operators of the service also established Discord and Telegram communities where they provide technical support and assistance for customers on the platform.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/dark-utilities.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco fixes critical remote code execution bug in VPN routers ∗∗∗
---------------------------------------------
Cisco has fixed critical security vulnerabilities affecting Small Business VPN routers and enabling unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service (DoS) conditions on vulnerable devices.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-remote-…
∗∗∗ Critical RCE Bug in DrayTek Routers Opens SMBs to Zero-Click Attacks ∗∗∗
---------------------------------------------
A critical, pre-authenticated remote code execution (RCE) vulnerability has cropped up in the widely used line of DrayTek Vigor routers for smaller businesses. If it's exploited, researchers warn that it could allow complete device takeover, along with access to the broader network.
---------------------------------------------
https://www.darkreading.com/endpoint/critical-rce-bug-draytek-routers-smbs-…
∗∗∗ IBM Security Bulletins 2022-08-03 ∗∗∗
---------------------------------------------
IBM Watson Discovery for IBM Cloud Pak for Data, IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data, IBM Db2, IBM Sterling File Gateway, IBM Sterling B2B Integrator, IBM Data Risk Manager, IBM Tivoli Application Dependency Discovery Manager, IBM Java SDK Technology Edition.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security Advisory - The input verification vulnerability of a Huawei Device product is involved. ∗∗∗
---------------------------------------------
A Huawei device has an input verification vulnerability. Successful exploitation of this vulnerability may lead to DoS attacks. (Vulnerability ID: HWPSIRT-2022-49379) Affected Product: CV81-WDM FW
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220810-…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (lua), Oracle (kernel), Red Hat (389-ds:1.4, django, firefox, go-toolset and golang, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, java-1.8.0-ibm, java-17-openjdk, kernel, kernel-rt, kpatch-patch, mariadb:10.5, openssl, pcre2, php, rh-mariadb105-galera and rh-mariadb105-mariadb, ruby:2.5, thunderbird, vim, and virt:rhel and virt-devel:rhel), Scientific Linux (firefox and thunderbird), SUSE (drbd, java-17-openjdk, java-1_8_0-ibm, keylime, ldb, samba, mokutil, oracleasm, pcre2, permissions, postgresql-jdbc, python-numpy, samba, tiff, u-boot, and xscreensaver), and Ubuntu (nvidia-graphics-drivers-390, nvidia-graphics-drivers-450-server, nvidia-graphics-drivers-470, nvidia-graphics-drivers-470-server, nvidia-graphics-drivers-510, nvidia-graphics-drivers-510-server, nvidia-graphics-drivers-515, nvidia-graphics-drivers-515-server).
---------------------------------------------
https://lwn.net/Articles/903816/
∗∗∗ genua genugate: vulnerability allows unspecified attack ∗∗∗
---------------------------------------------
An attacker can exploit a vulnerability in genua genugate to carry out an attack that is not further specified.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0906
∗∗∗ D-LINK Router: multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code or cause a denial of service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0907
∗∗∗ PostgreSQL: vulnerability allows SQL injection ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit a vulnerability in PostgreSQL to perform an SQL injection.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0910
∗∗∗ Nextcloud Server and Nextcloud Mail: multiple vulnerabilities ∗∗∗
---------------------------------------------
An attacker from the adjacent network, or a remote anonymous or authenticated attacker, can exploit multiple vulnerabilities in Nextcloud to disclose information, bypass security measures and cause a denial-of-service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0912
∗∗∗ Cisco Security Advisories 2022-08-03 ∗∗∗
---------------------------------------------
Cisco published 5 security advisories (1 critical, 4 medium severity).
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur…
∗∗∗ Red Hat JBoss Enterprise Application Platform: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0901
∗∗∗ Digi ConnectPort X2D ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-216-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 02-08-2022 18:00 − Wednesday 03-08-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Wolf in sheep’s clothing: how malware tricks users and antivirus ∗∗∗
---------------------------------------------
One of the primary methods used by malware distributors to infect devices is by deceiving people into downloading and running malicious files, and to achieve this deception, malware authors are using a variety of tricks.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wolf-in-sheep-s-clothing-how…
∗∗∗ Open source: well-disguised malware campaign in thousands of GitHub repos ∗∗∗
---------------------------------------------
A security researcher has discovered a large-scale malware campaign that attempts to sneak itself in through simple pull requests.
---------------------------------------------
https://www.golem.de/news/open-source-gut-getarnte-malware-kampagne-in-taus…
∗∗∗ Creating Processes Using System Calls ∗∗∗
---------------------------------------------
When we think about EDR or AV evasion, one of the most widespread methods adopted by offensive teams is the use of system calls (syscalls) to carry out specific actions.
---------------------------------------------
https://www.coresecurity.com/core-labs/articles/creating-processes-using-sy…
∗∗∗ EMBA v1.1.0: The security analyzer for embedded device firmware ∗∗∗
---------------------------------------------
EMBA is designed as the central firmware analysis tool for penetration testers. It supports the complete security analysis process starting with the firmware extraction process, doing static analysis and dynamic analysis via emulation and finally generating a report.
---------------------------------------------
https://github.com/e-m-b-a/emba/releases
∗∗∗ PART 3: How I Met Your Beacon – Brute Ratel ∗∗∗
---------------------------------------------
In part three of this series, we will analyse Brute Ratel, a command and control framework developed by Dark Vortex.
---------------------------------------------
https://www.mdsec.co.uk/2022/08/part-3-how-i-met-your-beacon-brute-ratel/
∗∗∗ Ransomware in the Python package manager PyPI: the return of the script kiddies ∗∗∗
---------------------------------------------
A series of packages relied on typosquatting and distributed code that encrypts files on Windows. The motives are obscure.
---------------------------------------------
https://heise.de/-7200335
∗∗∗ Beware of fake emails from bank99 ∗∗∗
---------------------------------------------
Criminals pose as bank99 and want you to download the "Okay99 App". Do not click "Aktivierung starten" (start activation), otherwise your data will end up in the criminals' hands.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-mails-der-bank99/
∗∗∗ Detection Rules for Lightning Framework (and How to Make Them With Osquery) ∗∗∗
---------------------------------------------
On 21 July, 2022, we released a blog post about a new malware called Lightning Framework. Lightning is a modular malware framework targeting Linux. At the time of the publication, the Core module had one suspicious detection and the Downloader module was not detected by any scanning engines on VirusTotal.
---------------------------------------------
https://www.intezer.com/blog/threat-hunting/lightning-framework-linux-detec…
=====================
= Vulnerabilities =
=====================
∗∗∗ Forti Security Advisories 2022-08-02 ∗∗∗
---------------------------------------------
Forti published 3 Security Advisories (1 High, 2 Medium Severity).
---------------------------------------------
https://fortiguard.fortinet.com/psirt?date=08-2022
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (389-ds-base, firefox, java-1.8.0-openjdk, java-11-openjdk, kernel, postgresql, python, python-twisted-web, python-virtualenv, squid, thunderbird, and xz), Fedora (ceph, firefox, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, java-latest-openjdk, and kubernetes), Oracle (firefox, go-toolset and golang, libvirt libvirt-python, openssl, pcre2, qemu, and thunderbird), SUSE (connman, drbd, kernel, python-jupyterlab, samba, and seamonkey), [...]
---------------------------------------------
https://lwn.net/Articles/903676/
∗∗∗ Android Patchday August 2022 ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Google Android to escalate privileges, disclose confidential information, cause a denial-of-service condition and execute arbitrary code.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0887
∗∗∗ Chrome 104.0.5112.x fixes vulnerabilities ∗∗∗
---------------------------------------------
On 2 August 2022, Google released the Google Chrome 104.0.5112.79 update for Linux and macOS, and 104.0.5112.79/80/81 for Windows, to the desktop Stable Channel. The security update closes numerous vulnerabilities.
---------------------------------------------
https://www.borncity.com/blog/2022/08/03/chrome-104-0-5112-x-fixt-schwachst…
∗∗∗ Security Bulletin: IBM Security SOAR is using a component with multiple known vulnerabilities – IBM JDK 8.0.7.6 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-is-usin…
∗∗∗ K14649763: Overview of F5 vulnerabilities (August 2022) ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K14649763
∗∗∗ High Severity Vulnerability Patched in Download Manager Plugin ∗∗∗
---------------------------------------------
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-…
∗∗∗ Synology-SA-22:14 USB Copy ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_14
∗∗∗ Synology-SA-22:13 SSO Server ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_13
∗∗∗ Synology-SA-22:12 Synology Note Station Client ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_12
∗∗∗ Synology-SA-22:11 Storage Analyzer ∗∗∗
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_11
∗∗∗ Ipswitch WS_FTP Server: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0895
∗∗∗ Nvidia GPU driver and NVIDIA vGPU software: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0894
∗∗∗ Rsync: vulnerability allows manipulation of files ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0891
∗∗∗ 2022-13 Denial of Service Vulnerability in EagleSDV ∗∗∗
---------------------------------------------
https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14662&mediaformat…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 01-08-2022 18:00 − Tuesday 02-08-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft announces new solutions for threat intelligence and attack surface management ∗∗∗
---------------------------------------------
Defenders are up against the most sophisticated threat landscape we’ve ever seen. Today, we’re proud to execute our threat intelligence vision behind that acquisition and announce several new solutions to help security teams get ahead of adversaries and catch what others miss.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/08/02/microsoft-announces-new-…
∗∗∗ Raccoon Stealer v2: The Latest Generation of the Raccoon Family ∗∗∗
---------------------------------------------
In this blog, ThreatLabz will analyze Raccoon Stealer v2 in the exe format, and highlight key differences from its predecessors.
---------------------------------------------
https://www.zscaler.com/blogs/security-research/raccoon-stealer-v2-latest-g…
∗∗∗ Analyzing Attack Data and Trends Targeting Log4J ∗∗∗
---------------------------------------------
The Log4j vulnerability, initially reported in November 2021, has affected millions of devices and applications around the world.
---------------------------------------------
https://www.wordfence.com/blog/2022/08/analyzing-attack-data-and-trends-tar…
∗∗∗ Watchlist Internet is now on Instagram ∗∗∗
---------------------------------------------
From now on we also provide you with warnings about internet fraud on Instagram. In posts and stories we show you how to protect yourself from internet fraud, recognise traps quickly and surf the internet safely.
---------------------------------------------
https://www.watchlist-internet.at/news/die-watchlist-internet-ist-jetzt-auf…
∗∗∗ giesler-drogerie.com is fake ∗∗∗
---------------------------------------------
At giesler-drogerie.com you will find cheap perfumes, styling products and cosmetics. The complete legal notice (Impressum) and the listed contact options give a reputable impression. The details are fake, however. If you shop there, you lose your money and receive no delivery.
---------------------------------------------
https://www.watchlist-internet.at/news/giesler-drogeriecom-ist-fake/
∗∗∗ Vulnerability Spotlight: How misusing properly serialized data opened TCL LinkHub Mesh Wi-Fi system to 17 vulnerabilities ∗∗∗
---------------------------------------------
The TCL LinkHub Mesh Wi-Fi system is a multi-device Wi-Fi system that allows users to expand access to their network over a large physical area.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misus…
∗∗∗ Manjusaka: A Chinese sibling of Sliver and Cobalt Strike ∗∗∗
---------------------------------------------
Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild that has the potential to become prevalent across the threat landscape. This framework is advertised as an imitation of the Cobalt Strike framework.
---------------------------------------------
http://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html
=====================
= Vulnerabilities =
=====================
∗∗∗ VMware urges admins to patch critical auth bypass bug immediately ∗∗∗
---------------------------------------------
VMware has warned admins today to patch a critical authentication bypass security flaw affecting local domain users in multiple products and enabling unauthenticated attackers to gain admin privileges.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/vmware-urges-admins-to-patch…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (curl and jetty9), Fedora (dovecot), Gentoo (vault), Scientific Linux (java-1.8.0-openjdk, java-11-openjdk, and squid), SUSE (booth, dovecot22, dwarves and elfutils, firefox, gimp, java-11-openjdk, kernel, and oracleasm), and Ubuntu (linux, linux-hwe-5.15, linux-lowlatency, linux-lowlatency-hwe-5.15, net-snmp, and samba).
---------------------------------------------
https://lwn.net/Articles/903555/
∗∗∗ Go-Based Apps Vulnerable to Attacks Due to URL Parsing Issue ∗∗∗
---------------------------------------------
Israeli cloud-native application security testing firm Oxeye discovered that the way URL parsing is implemented in some Go-based applications creates vulnerabilities that could allow threat actors to conduct unauthorized actions.
---------------------------------------------
https://www.securityweek.com/go-based-apps-vulnerable-attacks-due-url-parsi…
∗∗∗ GnuTLS patches memory mismanagement bug – update now! ∗∗∗
---------------------------------------------
https://nakedsecurity.sophos.com/2022/08/01/gnutls-patches-memory-mismanage…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by arbitrary code execution due to GNU cpio (CVE-2021-38185) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ VMSA-2022-0021 ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0021.html
∗∗∗ vim: multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0880
∗∗∗ FastStone ImageViewer: vulnerability allows execution of arbitrary program code with user privileges ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0883
=====================
= End-of-Day report =
=====================
Timeframe: Friday 29-07-2022 18:00 − Monday 01-08-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Security vulnerabilities in Nuki Smart Lock discovered and closed ∗∗∗
---------------------------------------------
Attackers could exploit numerous vulnerabilities in various Nuki Smart Lock smart door locks. The Nuki Bridge WLAN bridge is also affected.
---------------------------------------------
https://heise.de/-7194709
∗∗∗ Adware apps from Google Play disguise themselves as shapeshifters on Android devices ∗∗∗
---------------------------------------------
Facebook advertising for fake Android system optimisation apps leads to around 7 million installations. Victims are pestered with advertisements.
---------------------------------------------
https://heise.de/-7194655
∗∗∗ Post-quantum cryptography: encryption with isogenies is insecure ∗∗∗
---------------------------------------------
An attack on the SIDH key exchange shows once again how risky experimental cryptographic algorithms can be.
---------------------------------------------
https://www.golem.de/news/post-quanten-kryptographie-verschluesselung-mit-i…
∗∗∗ BlackCat ransomware claims attack on European gas pipeline ∗∗∗
---------------------------------------------
The ransomware group known as ALPHV (aka BlackCat) has assumed over the weekend responsibility for the cyberattack that hit Creos Luxembourg last week, a natural gas pipeline and electricity network operator in the central European country.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/blackcat-ransomware-claims-a…
∗∗∗ A Detailed Analysis of the RedLine Stealer ∗∗∗
---------------------------------------------
RedLine is a stealer distributed as cracked games, applications, and services. The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc.
---------------------------------------------
https://securityscorecard.com/research/detailed-analysis-redline-stealer
∗∗∗ Researchers Discover Nearly 3,200 Mobile Apps Leaking Twitter API Keys ∗∗∗
---------------------------------------------
Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News.
---------------------------------------------
https://thehackernews.com/2022/08/researchers-discover-nearly-3200-mobile.h…
∗∗∗ A Little DDoS In the Morning, (Mon, Aug 1st) ∗∗∗
---------------------------------------------
Friday morning (at least it wasn't Friday afternoon), we got an alert that our database and web servers exceeded the expected load. Sometimes, this "happens." Often it is just some user innocently flooding our API with requests. We do use quite a bit of caching and such for requests, but it can happen that things pile up at the wrong time. So I took a look at the logs. In these cases, I first look at the top IPs sending requests to our API.
---------------------------------------------
https://isc.sans.edu/diary/rss/28900
∗∗∗ Month of PowerShell - PowerShell Remoting, Part 2 ∗∗∗
---------------------------------------------
In this article we finish up our look at PowerShell remoting by examining several options to run PowerShell commands on multiple remote systems.
---------------------------------------------
https://www.sans.org/blog/powershell-remoting-part-2/
∗∗∗ Month of PowerShell - Offensive PowerShell with Metasploit Meterpreter ∗∗∗
---------------------------------------------
In this article we look at how Metasploit Meterpreter can integrate PowerShell for extensible attacks in a red team or pen test engagement.
---------------------------------------------
https://www.sans.org/blog/offensive-powershell-metasploit-meterpreter/
∗∗∗ Month of PowerShell - Keyboard Shortcuts Like a Boss ∗∗∗
---------------------------------------------
In this article we look at several keyboard shortcuts to speed up your PowerShell sessions.
---------------------------------------------
https://www.sans.org/blog/keyboard-shortcuts-boss/
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Vulnerabilities & Patch Roundup — July 2022 ∗∗∗
---------------------------------------------
Vulnerability reports and responsible disclosures are essential for website security awareness and education. Automated attacks targeting known software vulnerabilities are one of the leading causes of website compromises. To help educate website owners on emerging threats to their environments, we’ve compiled a list of important security updates and vulnerability patches for the WordPress ecosystem this past month.
---------------------------------------------
https://blog.sucuri.net/2022/07/wordpress-vulnerabilities-patch-roundup-jul…
∗∗∗ Arris / Arris-variant DSL/Fiber router critical vulnerability exposure ∗∗∗
---------------------------------------------
Multiple vulnerabilities exist in the MIT-licensed muhttpd web server. This web server is widely used in ISP customer premise equipment (CPE), most notably in Arris firmware used in router models NVG443, NVG599, NVG589 and NVG510 (at least these; possibly others), as well as ISP-customized variants such as BGW210 and BGW320 (Arris has declined to confirm affected models).
---------------------------------------------
https://derekabdine.com/blog/2022-arris-advisory
∗∗∗ IBM Security Bulletins 2022-07-29 ∗∗∗
---------------------------------------------
IBM CICS TX Advanced, IBM CICS TX Standard, IBM PowerVM Novalink, IBM Sterling Secure Proxy, IBM DataPower Gateway, Rational Performance Tester, Rational Service Tester, Urbancode Deploy, IBM Robotic Process Automation, Cloud Pak System, IBM PowerVM Novalink, IBM Secure External Authentication Server.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates: Malicious code attacks on Thunderbird conceivable ∗∗∗
---------------------------------------------
Mozilla's developers have closed several security vulnerabilities in the Thunderbird e-mail client.
---------------------------------------------
https://heise.de/-7194671
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (booth, libpgjava, and thunderbird), Fedora (3mux, act, age, antlr4-project, apache-cloudstack-cloudmonkey, apptainer, aquatone, aron, asnip, assetfinder, astral, bettercap, buildah, butane, caddy, cadvisor, cheat, chisel, clash, clipman, commit-stream, containerd, cri-o, darkman, deepin-gir-generator, direnv, dnscrypt-proxy, dnsx, docker-distribution, doctl, douceur, duf, ffuf, fzf, geoipupdate, git-lfs, git-octopus, git-time-metric, glide, gmailctl, [...]
---------------------------------------------
https://lwn.net/Articles/903455/
∗∗∗ HPE ProLiant and HP Integrated Lights-Out: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker or an attacker from the adjacent network can exploit multiple vulnerabilities in HPE ProLiant and HPE Integrated Lights-Out to execute arbitrary code, manipulate data, disclose confidential information and cause a denial-of-service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0870
∗∗∗ D-LINK Router: Multiple vulnerabilities allow execution of arbitrary code with administrator privileges ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in D-LINK routers to execute arbitrary code with administrator privileges.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0867
∗∗∗ HCL Commerce: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
A local attacker can exploit a vulnerability in HCL Commerce to disclose information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0866
∗∗∗ Multiple Vulnerabilities in BF-OS ∗∗∗
---------------------------------------------
BOSCH-SA-013924-BT: Multiple vulnerabilities were identified in BF-OS version 3.x up to and including 3.83 used by Bigfish V3 and PR21 (Energy Platform) devices and Bigfish VM image, which are part of the data collection infrastructure of the Energy Platform solution. The most critical vulnerability may allow an unauthenticated remote attacker to gain administrative privileges to the device by brute-forcing a weak password.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-013924-bt.html
∗∗∗ K21192332: Apache HTTP Server vulnerability CVE-2022-31813 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K21192332
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 28-07-2022 18:00 − Friday 29-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Web portals: Six years of free help for ransomware victims ∗∗∗
---------------------------------------------
With a bit of luck, the ID Ransomware and No More Ransom websites provide information on free decryption tools for some ransomware trojans.
---------------------------------------------
https://heise.de/-7193953
∗∗∗ Patch now! Attacks on Atlassian Confluence ∗∗∗
---------------------------------------------
After a default password surfaced on social media platforms, attackers are targeting Confluence. But not all instances are vulnerable.
---------------------------------------------
https://heise.de/-7193458
∗∗∗ LockBit operator abuses Windows Defender to load Cobalt Strike ∗∗∗
---------------------------------------------
Security analysts have observed an affiliate of the LockBit 3.0 ransomware operation abusing a Windows Defender command line tool to decrypt and load Cobalt Strike beacons on the target systems.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/lockbit-operator-abuses-wind…
∗∗∗ Month of PowerShell - Renaming Groups of Files ∗∗∗
---------------------------------------------
In this article we look at how to automate a massive file-rename task using PowerShell.
---------------------------------------------
https://www.sans.org/blog/renaming-groups-files?msc=rss
∗∗∗ Researchers Warn of Increase in Phishing Attacks Using Decentralized IPFS Network ∗∗∗
---------------------------------------------
The decentralized file system solution known as IPFS is becoming the new "hotbed" for hosting phishing sites, researchers have warned. Cybersecurity firm Trustwave SpiderLabs, which disclosed specifics of the attack campaigns, said it identified no less than 3,000 emails containing IPFS phishing URLs as an attack vector in the last three months.
---------------------------------------------
https://thehackernews.com/2022/07/researchers-warns-of-increase-in.html
∗∗∗ ENISA: Telecom Security Incidents 2021 ∗∗∗
---------------------------------------------
This report provides anonymised and aggregated information about major telecom security incidents in 2021. The 2021 annual summary contains reports of 168 incidents submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.
---------------------------------------------
https://www.enisa.europa.eu/publications/telecom-security-incidents-2021
∗∗∗ UEFI rootkits and UEFI secure boot ∗∗∗
---------------------------------------------
Kaspersky describes a UEFI implant used to attack Windows systems. Based on it appearing to require patching of the system firmware image, they hypothesise that it's propagated by manually dumping the contents of the system flash, modifying it, and then reflashing it back to the board. [..] But let's think about why this is in the firmware at all.
---------------------------------------------
https://mjg59.dreamwidth.org/60654.html
∗∗∗ Microsoft has blocked hackers' favourite trick. So now they are looking for a new route of attack ∗∗∗
---------------------------------------------
Microsoft's default block on Office macro malware is working, which means hackers need to find a new way to carry out their attacks.
---------------------------------------------
https://www.zdnet.com/article/microsoft-has-blocked-hackers-favourite-trick…
∗∗∗ Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products ∗∗∗
---------------------------------------------
Recently, I was performing some research on a wireless router and noticed the following piece of code: This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check for the performed operations and the function assumes that after a ‘%’ there are always two bytes. So, what would happen if after ‘%’, only one character existed?
---------------------------------------------
https://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code…
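The missing size check described above, as an added example (not the code from the Talos post or the router firmware): a URL-unescape routine of the shape the post describes, shown for contrast only, next to a bounds-checked replacement that rejects a '%' with fewer than two bytes after it. Function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the Talos post. Function names are hypothetical. */

/* Returns the value of a hex digit, or -1 if c is not a hex digit. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* The pattern the post describes: after a '%' the code consumes two more
 * bytes without checking that they exist. An input ending in "%4" makes it
 * read past the terminator and emit a byte derived from out-of-bounds memory.
 * Shown for contrast only; never called here. */
void naive_unescape(const char *in, char *out)
{
    while (*in) {
        if (*in == '%') {
            *out++ = (char)(hex_val(in[1]) * 16 + hex_val(in[2])); /* no length check */
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
}

/* Hardened version: every read stays within [in, in + in_len) and every write
 * within [out, out + out_len). Returns the decoded length, or -1 if the input
 * is malformed (a '%' not followed by two hex digits) or out is too small. */
long safe_unescape(const char *in, size_t in_len, char *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; ) {
        if (o + 1 >= out_len)          /* keep room for the terminating NUL */
            return -1;
        if (in[i] == '%') {
            if (i + 2 >= in_len)       /* fewer than two bytes after '%' */
                return -1;
            int hi = hex_val(in[i + 1]);
            int lo = hex_val(in[i + 2]);
            if (hi < 0 || lo < 0)      /* not hex digits */
                return -1;
            out[o++] = (char)(hi * 16 + lo);
            i += 3;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Convenience wrappers: 1 if in decodes exactly to expected / is rejected. */
int decodes_to(const char *in, const char *expected)
{
    char buf[64];
    long n = safe_unescape(in, strlen(in), buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int rejects(const char *in)
{
    char buf[64];
    return safe_unescape(in, strlen(in), buf, sizeof buf) == -1;
}

int main(void)
{
    /* Constructed sample inputs, including the truncated case from the post. */
    const char *samples[] = { "a%20b", "%41%42", "abc%4", "%zz", "%" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        char buf[64];
        long n = safe_unescape(samples[k], strlen(samples[k]), buf, sizeof buf);
        if (n < 0)
            printf("%-8s -> rejected\n", samples[k]);
        else
            printf("%-8s -> \"%s\" (%ld bytes)\n", samples[k], buf, n);
    }
    return 0;
}
```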
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-1031: OPC Labs QuickOPC Connectivity Explorer Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of OPC Labs QuickOPC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
https://www.zerodayinitiative.com/advisories/ZDI-22-1031/
∗∗∗ ABB Cyber Security Advisory: ABB Ability TM Operations Data Management Zenon Log Server file access control ∗∗∗
---------------------------------------------
These vulnerabilities affect the ABB Ability™ Operations Data Management Zenon. Subsequently, a successful exploit could allow attackers to log additional messages and access files from the Zenon system. While the passwords in the INI files are not stored in clear text, they can be subjected to further attacks against the hash algorithm.
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=2NGA001479&Language…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (xorg-x11-server and xorg-x11-server-Xwayland), SUSE (aws-iam-authenticator, ldb, samba, libguestfs, samba, and u-boot), and Ubuntu (firefox, intel-microcode, libtirpc, linux, linux-aws, linux-kvm, linux-lts-xenial, linux-azure, linux-bluefield, linux-gcp-5.4, linux-gke-5.4, mysql-5.7, and mysql-5.7, mysql-8.0).
---------------------------------------------
https://lwn.net/Articles/902913/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0007 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. [...] Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0007.html
∗∗∗ Synology-SA-22:10 Samba ∗∗∗
---------------------------------------------
CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service. CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraints and conduct denial-of-service attacks via a susceptible version of Synology Directory Server. None of Synology's products are affected by CVE-2022-32745 as [...]
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_10
∗∗∗ JetBrains IntelliJ IDEA: Multiple vulnerabilities allow code execution ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in JetBrains IntelliJ IDEA to execute arbitrary code or bypass security measures.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0860
∗∗∗ Foxit Reader and Foxit PDF Editor: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Foxit Reader and Foxit PDF Editor to execute arbitrary code, disclose confidential information and cause a denial-of-service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0862
∗∗∗ GitLab: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in GitLab to bypass security measures, conduct a cross-site scripting attack and disclose confidential information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0861
∗∗∗ Rockwell Products Impacted by Chromium Type Confusion ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-209-01
∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module (CVE-2021-44906) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM PowerVM VIOS could allow a remote attacker to tamper with system configuration or cause a denial of service (CVE-2022-35643) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-vios-could-al…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in IBM Engineering Systems Design Rhapsody (Rhapsody) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-cve-2021-442…
∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for IBM i is vulnerable to bypass security restrictions and obtain sensitive information due to multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b…
∗∗∗ Security Bulletin: AIX is affected by multiple vulnerabilities in Python ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-affected-by-multip…
∗∗∗ Security Bulletin: Denial of service vulnerability in OpenSSL as shipped with IBM Security Verify Bridge Docker image (CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera…
∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Engineering Lifecycle Optimization – Publishing ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi…
∗∗∗ Security Bulletin: AIX is vulnerable to cache poisoning due to ISC BIND (CVE-2021-25220) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-cach…
∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel…
∗∗∗ Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Tivoli Netcool Impact (CVE-2018-25031, CVE-2021-46708) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 27-07-2022 18:00 − Thursday 28-07-2022 18:00
Handler: Stephan Richter
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ LofyLife: malicious npm packages steal Discord tokens and bank card data ∗∗∗
---------------------------------------------
This week, we identified four suspicious packages in the Node Package Manager (npm) repository. All these packages contained highly obfuscated malicious Python and JavaScript code. We dubbed this malicious campaign “LofyLife”.
---------------------------------------------
https://securelist.com/lofylife-malicious-npm-packages/107014/
∗∗∗ Month of PowerShell - PowerShell Remoting, Part 1 ∗∗∗
---------------------------------------------
In this article, we discuss perhaps the most immediately-valuable feature in PowerShell for Windows administrators, the ability to run PowerShell commands on remote systems.
---------------------------------------------
https://www.sans.org/blog/powershell-remoting-part-1?msc=rss
∗∗∗ Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack ∗∗∗
---------------------------------------------
In this blog post, we explore another remotely reachable attack surface: ESXi’s TCP/IP stack implemented as a VMkernel module. The most interesting outcome of this analysis is that ESXi’s TCP/IP stack is based on FreeBSD 8.2 and does not include security patches for the vulnerabilities disclosed over the years since that release of FreeBSD.
This result also prompted us to analyze the nature of vulnerabilities disclosed in other open-source components used by VMware, such as OpenSLP and ISC-DHCP.
---------------------------------------------
https://www.zerodayinitiative.com/blog/2022/7/25/looking-at-patch-gap-vulne…
∗∗∗ Beware of fake last-minute offers on Mallorca and Ibiza! ∗∗∗
---------------------------------------------
The heat is on and spontaneous travellers are looking for the last available holiday homes to spend a few days by the sea. But beware: criminals are trying to lure you into a trap with attractive offers! If an advance payment for a holiday home is demanded, break off contact, otherwise your money is lost!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-last-minute-angebo…
∗∗∗ MFA helps against ransomware ∗∗∗
---------------------------------------------
Multi-factor authentication (MFA) works. The European police agency Europol explains how ransomware gangs abandoned their attacks when they ran into MFA security.
---------------------------------------------
https://www.zdnet.de/88402613/mfa-hilft-gegen-ransomware/
∗∗∗ IIS attacks on Exchange Server ∗∗∗
---------------------------------------------
Microsoft warns of stealthy backdoor attacks on Exchange Server using malicious IIS extensions.
---------------------------------------------
https://www.zdnet.de/88402615/iis-attacken-auf-exchange-server/
∗∗∗ CISA Releases Log4Shell-Related MAR ∗∗∗
---------------------------------------------
From May through June 2022, CISA responded to an organization that was compromised by an exploitation of an unpatched and unmitigated Log4Shell vulnerability in a VMware Horizon server. CISA analyzed five malware samples obtained from the organization’s network and released a Malware Analysis Report of the findings.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/07/28/cisa-releases-log…
∗∗∗ SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT” ∗∗∗
---------------------------------------------
One frequently encountered threat actor, which often results in forensics investigations on compromised systems, is tracked by Volexity as SharpTongue. [..] Volexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the United States, Europe and South Korea ...
---------------------------------------------
https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-st…
=====================
= Vulnerabilities =
=====================
∗∗∗ "JustSystems JUST Online Update for J-License" starts a program with an unquoted file path ∗∗∗
---------------------------------------------
"JustSystems JUST Online Update for J-License" bundled with multiple JustSystems products for corporate users starts another program with an unquoted file path.
---------------------------------------------
https://jvn.jp/en/jp/JVN57073973/
∗∗∗ Tagify - Moderately critical - Access bypass - SA-CONTRIB-2022-051 ∗∗∗
---------------------------------------------
Project: Tagify
Security risk: Moderately critical
Description: This module provides a widget to transform entity reference fields into a more user-friendly tags input component with great performance. The module doesn't sufficiently check access for the add operation.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-051
∗∗∗ PDF generator API - Moderately critical - Remote Code Execution - SA-CONTRIB-2022-050 ∗∗∗
---------------------------------------------
Project: PDF generator API
Security risk: Moderately critical
Description: This module enables you to generate PDF versions of content. Some installations of the module make use of the dompdf/dompdf third-party dependency. Security vulnerabilities exist for versions of dompdf/dompdf before 2.0.0 as described in the 2.0.0 release notes.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-050
∗∗∗ Context - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-049 ∗∗∗
---------------------------------------------
Project: Context
Security risk: Moderately critical
Description: This module enables you to conditionally display blocks in particular theme regions. The module doesn't sufficiently sanitize the title of a block as displayed in the admin UI when a site administrator edits a context block reaction.
This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer blocks".
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-049
∗∗∗ Security updates: Attackers could attack Veritas NetBackup in many ways ∗∗∗
---------------------------------------------
The developers have closed, among others, critical vulnerabilities in current versions of the Veritas NetBackup backup solution.
---------------------------------------------
https://heise.de/-7192562
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr), Fedora (chromium, gnupg1, java-17-openjdk, osmo, and podman), Oracle (grafana and java-17-openjdk), Red Hat (389-ds:1.4, container-tools:rhel8, grafana, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, kernel-rt, kpatch-patch, pandoc, squid, and squid:4), Slackware (samba), and SUSE (crash, mariadb, pcre2, python-M2Crypto, virtualbox, and xen).
---------------------------------------------
https://lwn.net/Articles/902795/
∗∗∗ Trend Micro products: Vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
A local attacker can exploit a vulnerability in Trend Micro Apex One and Trend Micro Worry-Free Business Security to elevate their privileges.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0850
∗∗∗ Atlassian Jira Software: Vulnerability allows disclosure of information ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit a vulnerability in Atlassian Jira Software to disclose information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0849
∗∗∗ McAfee Agent: Vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
A local attacker can exploit a vulnerability in McAfee Agent to elevate their privileges and execute arbitrary code with administrator privileges.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0848
∗∗∗ Jenkins: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Jenkins to conduct a cross-site scripting or CSRF attack, bypass security measures, disclose information or manipulate data.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0852
∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to arbitrary command execution (CVE-2022-2068) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln…
∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-…
∗∗∗ Security Bulletin: Vulnerability in Golang Go affects IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift (CVE-2022-29526) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-golang-g…
∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 26-07-2022 18:00 − Wednesday 27-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ 15 minutes after a vulnerability becomes known, scans for vulnerable PCs begin ∗∗∗
---------------------------------------------
According to a current report on IT security incidents, the cat-and-mouse game between admins and cybercriminals is intensifying.
---------------------------------------------
https://heise.de/-7191301
∗∗∗ Cybercrime: Less ransomware, but more malware again ∗∗∗
---------------------------------------------
In 2022 the malware volume rose again for the first time, with fewer ransomware attacks at the same time - at least globally, since in Europe the opposite trend applies.
---------------------------------------------
https://heise.de/-7191680
∗∗∗ Students beware: akademischeslektorat.com is dubious! ∗∗∗
---------------------------------------------
If you are looking for proofreading, a plagiarism check or translation work for academic papers, you may come across akademischeslektorat.com in your search. We advise keeping away from its offers, because according to user reports the services are delivered poorly or not at all, and former employees as well as the review site Trustpilot also warn against the offer.
---------------------------------------------
https://www.watchlist-internet.at/news/studentinnen-aufgepasst-akademisches…
∗∗∗ Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits ∗∗∗
---------------------------------------------
MSTIC and MSRC disclose technical details of a private-sector offensive actor (PSOA) tracked as KNOTWEED using multiple Windows and Adobe 0-day exploits, including one for the recently patched CVE-2022-22047, in limited and targeted attacks against European and Central American customers.
---------------------------------------------
https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-euro…
∗∗∗ Month of PowerShell: Fileless Malware with Get-Clipboard ∗∗∗
---------------------------------------------
In this article we look at using PowerShell maliciously while evading detection.
---------------------------------------------
https://www.sans.org/blog/fileless-malware-get-clipboard/
∗∗∗ DHL Phishing Page Uses Telegram Bot for Exfiltration ∗∗∗
---------------------------------------------
One of the quickest ways for an attacker to harvest financial data, credentials, and sensitive personal information is through phishing. These social engineering attacks can typically be found masquerading as a trusted or recognizable service, intent on tricking unsuspecting users into submitting sensitive information on the attacker’s customized web page.
---------------------------------------------
https://blog.sucuri.net/2022/07/dhl-phishing-page-uses-telegram-bot-for-exf…
∗∗∗ Inside Matanbuchus: A Quirky Loader ∗∗∗
---------------------------------------------
This blog post will shed light on Matanbuchus’ main stage, the second stage of the loader. From our point of view, the second stage is the more interesting component of the loader, as it involves many payload loading techniques. By dissecting the loader’s features and capabilities, we will attempt to answer whether Matanbuchus is a loader malware, as it markets itself, or if it is more like a bot service.
---------------------------------------------
https://www.cyberark.com/resources/threat-research-blog/inside-matanbuchus-…
∗∗∗ Top 10 Awesome Open-Source Adversary Simulation Tools ∗∗∗
---------------------------------------------
Cyberattack simulation, aka Threat Simulation, is an emerging IT security technology that can help discover gaps, vulnerabilities, and misconfigurations in your security infrastructure. We will take a look at the need for adversary simulation and the top ten open-source adversary simulation tools.
---------------------------------------------
https://fourcore.io/blogs/top-10-open-source-adversary-emulation-tools
∗∗∗ Looking at Patch Gap Vulnerabilities in the VMware ESXi TCP/IP Stack ∗∗∗
---------------------------------------------
Over the last few years, multiple VMware ESXi remote, unauthenticated code execution vulnerabilities have been publicly disclosed. Some were also found to be exploited in the wild. Since these bugs were found in ESXi’s implementation of the SLP service, VMware provided workarounds to turn off the service. VMware also disabled the service by default starting with ESX 7.0 Update 2c. In this blog post, we explore another remotely reachable attack surface: ESXi’s TCP/IP stack
---------------------------------------------
https://www.thezdi.com/blog/2022/7/25/looking-at-patch-gap-vulnerabilities-…
∗∗∗ What Talos Incident Response learned from a recent Qakbot attack hijacking old email threads ∗∗∗
---------------------------------------------
In a recent malspam campaign delivering the Qakbot banking trojan, Cisco Talos Incident Response (CTIR) observed the adversary using aggregated, old email threads from multiple organizations that we assess were likely harvested during the 2021 ProxyLogon-related compromises targeting vulnerable Microsoft Exchange servers. This campaign relies on external thread hijacking, whereby the adversary is likely using a bulk aggregation of multiple organizations’ harvested emails to launch focused phishing campaigns against previously uncompromised organizations. This differs from the more common approach to thread hijacking, in which attackers use a single compromised organization’s emails to deliver their threat.
---------------------------------------------
http://blog.talosintelligence.com/2022/07/what-talos-incident-response-lear…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (kernel and openjdk-17), Fedora (ceph, lua, and moodle), Oracle (java-1.8.0-openjdk), Red Hat (grafana), SUSE (git, kernel, libxml2, nodejs16, and squid), and Ubuntu (imagemagick, protobuf-c, and vim).
---------------------------------------------
https://lwn.net/Articles/902642/
∗∗∗ Samba: Multiple Vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in Samba to bypass security measures, disclose information, cause a denial-of-service condition, or escalate privileges.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0842
∗∗∗ MOXA NPort 5110 ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Out-of-bounds Write vulnerability in MOXA NPort 5110, a device server.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-207-04
∗∗∗ Honeywell Saia Burgess PG5 PCD ∗∗∗
---------------------------------------------
This advisory contains mitigations for Authentication Bypass and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Honeywell Saia Burgess PG5 PCD, a PLC.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-207-03
∗∗∗ Honeywell Safety Manager ∗∗∗
---------------------------------------------
This advisory contains mitigations for Insufficient Verification of Data Authenticity, Missing Authentication for Critical Function, and Use of Hard-coded Credentials vulnerabilities in Honeywell Safety Manager, a safety solution of the Experion Process Knowledge System.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-207-02
∗∗∗ Inductive Automation Ignition ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Restriction of XML External Entity Reference vulnerability in versions of Inductive Automation Ignition software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-207-01
∗∗∗ CVE-2022-35629..35632 Velociraptor Multiple Vulnerabilities (FIXED) ∗∗∗
---------------------------------------------
This advisory covers a number of issues identified in Velociraptor and fixed as of Version 0.6.5-2, released July 26, 2022.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/07/26/cve-2022-35629-35632-velocirapt…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest (CVE-2021-35561, CVE-2022-21299, CVE-2022-21496) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to local privilege escalation (CVE-2021-39088) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Vulnerabilities in OpenSSL affect IBM Rational ClearQuest (CVE-2022-0778, CVE-2022-1292) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-openss…
∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to denial of service (CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearQuest ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM QRadar SIEM Application Framework Base Image is vulnerable to using components with Known Vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-applicati…
∗∗∗ Security Bulletin: Apache Commons Email as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2017-9801, CVE-2018-1294) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-commons-email-as-u…
∗∗∗ Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise are vulnerable to a denial of service due to jackson-databind (CVE-2020-36518) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-and-i…
∗∗∗ Security Bulletin: IBM Maximo Asset Management, IBM Maximo Manage in IBM Maximo Application Suite and IBM Maximo Manage in IBM Maximo Application Suite as a Service may be affected by XML External Entity (XXE) attacks (CVE-2021-33813) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Engineering Test Management product due to XStream ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-a…
∗∗∗ Security Bulletin: Apache Derby security vulnerabilities in IBM System Dashboard for Enterprise Content Manager (affected, not vulnerable) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-derby-security-vul…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Monday 25-07-2022 18:00 − Tuesday 26-07-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Scams on Willhaben on the rise: consumer advocates warn ∗∗∗
---------------------------------------------
Anyone active on trading platforms such as Willhaben should handle their personal data with care.
---------------------------------------------
https://futurezone.at/digital-life/phishing-willhaben-betrug-opfer-sicherhe…
∗∗∗ Security: Researchers attack smartphones via the charging port ∗∗∗
---------------------------------------------
Ghost touches are forced touches on the touchscreens of smartphones and tablets; researchers were able to trigger them via a charging cable.
---------------------------------------------
https://www.golem.de/news/sicherheit-forscher-greifen-smartphones-ueber-lad…
∗∗∗ How is Your macOS Security Posture?, (Tue, Jul 26th) ∗∗∗
---------------------------------------------
Many people who use Apple devices daily often have a false sense of security. A few years ago, Apple devices were spared many of the security issues that Windows users had faced for a long time. Also, being based on a BSD layer, the OS wasn't a juicy target for attackers. Today, the landscape has changed: Apple devices, especially Macbooks, are used not only by "creators" (musicians, designers, ...) and geeks but by many interesting profiles like managers and security researchers.
---------------------------------------------
https://isc.sans.edu/diary/rss/28882
∗∗∗ Month of PowerShell - PowerShell Version of Keeper (Save Useful Command Lines) ∗∗∗
---------------------------------------------
In this article we build a useful PowerShell function to save useful commands for later reference: Save-Keeper!
---------------------------------------------
https://www.sans.org/blog/powershell-version-keeper?msc=rss
∗∗∗ How to analyze Linux malware – A case study of Symbiote ∗∗∗
---------------------------------------------
Symbiote is a Linux threat that hooks libc and libpcap functions to hide the malicious activity. The malware hides processes and files that are used during the activity by implementing two functions called hidden_proc and hidden_file. It can also hide network connections based on a list of ports and by hijacking any injected packet filtering bytecode. The malware’s purpose is to steal credentials from the SSH and SCP processes by hooking the libc read function.
---------------------------------------------
https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbio…
∗∗∗ CVE-2022-31813: Forwarding addresses is hard ∗∗∗
---------------------------------------------
A few weeks ago, version 2.4.54 of Apache HTTPD server was released. It includes a fix for CVE-2022-31813, a vulnerability we identified in mod_proxy that could affect unsuspecting applications served by an Apache reverse proxy. Let's see why it is rated as low in the software changelog and why it still matters.
TL;DR: when in doubt, patch!
---------------------------------------------
https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-…
∗∗∗ Firewood, pellets, photovoltaics & co.: Beware of fake shops ∗∗∗
---------------------------------------------
After numerous fake shops selling firewood, criminals are now following up with photovoltaics shops such as solanex.de and solarnetz.at. The current energy crisis is evidently to be exploited to the maximum. Inverters, solar systems and battery storage, precisely the products that are currently hard to obtain on the market, are not only in stock at solanex.de and solarnetz.at but in some cases available far below market price. Do not buy anything here, because advance payments are lost!
---------------------------------------------
https://www.watchlist-internet.at/news/brennholz-pellets-photovoltaik-co-vo…
∗∗∗ Ransomware: 1.5 million people have got their files back without paying the gangs. Here's how ∗∗∗
---------------------------------------------
No More Ransom project now offers free tools for decrypting 165 families of ransomware as the fight against extortion groups continues.
---------------------------------------------
https://www.zdnet.com/article/ransomware-1-5-million-people-have-got-their-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Hackers Exploit PrestaShop Zero-Day to Steal Payment Data from Online Stores ∗∗∗
---------------------------------------------
The issue in question is an SQL injection vulnerability affecting versions 1.6.0.10 or greater, and is being tracked as CVE-2022-36408.
...
The PrestaShop maintainers also said they found a zero-day flaw in its service that they said has been addressed in version 1.7.8.7, although they cautioned that "we cannot be sure that it's the only way for them to perform the attack."
---------------------------------------------
https://thehackernews.com/2022/07/hackers-exploit-prestashop-zero-day-to.ht…
∗∗∗ Critical FileWave MDM Flaws Open Organization-Managed Devices to Remote Hackers ∗∗∗
---------------------------------------------
FileWave's mobile device management (MDM) system has been found vulnerable to two critical security flaws that could be leveraged to carry out remote attacks and seize control of a fleet of devices connected to it. "The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty security researcher Noam Moshe said in a Monday report.
---------------------------------------------
https://thehackernews.com/2022/07/critical-filewave-mdm-flaws-open.html
∗∗∗ Xen XSA-408 - insufficient TLB flush for x86 PV guests in shadow mode ∗∗∗
---------------------------------------------
For migration as well as to work around kernels unaware of L1TF (see XSA-273), PV guests may be run in shadow paging mode. To address XSA-401, code was moved inside a function in Xen. This code movement missed a variable changing meaning / value between the old and new code positions. The resulting incorrect use of the variable led to a wrong TLB flush condition, omitting flushes where they are necessary.
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-408.html
∗∗∗ Further vulnerabilities in Meeting Owl video conferencing hardware closed ∗∗∗
---------------------------------------------
Owl Labs has secured its devices against possible attacks with additional security updates.
---------------------------------------------
https://heise.de/-7189904
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (spip), Mageia (libtiff and logrotate), Oracle (java-1.8.0-openjdk and java-11-openjdk), SUSE (gpg2, logrotate, and phpPgAdmin), and Ubuntu (python-bottle).
---------------------------------------------
https://lwn.net/Articles/902547/
∗∗∗ LibreOffice: Multiple Vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous or local attacker can exploit multiple vulnerabilities in LibreOffice to bypass security measures and disclose confidential information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0821
∗∗∗ Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27509 ∗∗∗
---------------------------------------------
A vulnerability has been discovered in Citrix ADC and Citrix Gateway which enables an attacker to create a specially crafted URL that redirects to a malicious website.
Pre-conditions:
- Appliance must be configured as a VPN (Gateway) or AAA virtual server
- A victim user must use an attacker-crafted link
---------------------------------------------
https://support.citrix.com/article/CTX457836/citrix-adc-and-citrix-gateway-…
∗∗∗ Security Bulletin: Vulnerabilities in libcURL affect IBM Rational ClearCase ( CVE-2022-27778, CVE-2022-27779, CVE-2022-27780, CVE-2022-27782, CVE-2022-30115, CVE-2022-27774 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-libcurl-…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue web UI is vulnerable to cross-site request forgery (CVE-2022-35286) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM Common Licensing is vulnerable to a remote code attack in Spring Framework and Apache Commons (CVE-2022-22970, CVE-2022-22971, CVE-2022-33980) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-common-licensing-is-v…
∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom…
∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2021-45960, CVE-2021-46143 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-23852, CVE-2022-23990, CVE-2022-25235, CVE-2022-25315 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: WebSphere network security vulnerability in IBM Content Foundation on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-network-securit…
∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to Slowloris HTTP DOS attack (CVE-2022-35639) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-partner-enga…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Expat component shipped with IBM Rational ClearCase ( CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Rational ClearCase (CVE-2022-1292, CVE-2022-0778) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Security is vulnerable to Using Components with Known Vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-securit…
∗∗∗ Security Bulletin: Java SE as used by IBM Cloud Pak For Security is vulnerable to information disclosure and denial of service. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-java-se-as-used-by-ibm-cl…
∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to arbitrary code execution due to async (CVE-2021-43138) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom…
∗∗∗ Security Bulletin: A security vulnerability in GO affects IBM Cloud Automation Manager ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Sterling Control Center vulnerable to arbitrary file upload and sensitive information exposure due to IBM Cognos Analytics (CVE-2021-38945, CVE-2021-29768) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent…
∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Process Mining and could allow a local attacker to execute arbitrary code on the system (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f…
∗∗∗ Security Bulletin: Multiple vulnerabilities in the IBM Java Runtime affect IBM Rational ClearCase ( CVE-2021-35578, CVE-2021-35603, CVE-2021-35550, CVE-2021-35561, CVE-2022-21299 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 22-07-2022 18:00 − Monday 25-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Windows security: Microsoft hardens RDP, MS Office and protected processes ∗∗∗
---------------------------------------------
Automatic login lockouts, protection against macros and password theft: a lot is happening behind the scenes. Microsoft is struggling with communication, however.
---------------------------------------------
https://heise.de/-7189313
∗∗∗ Beware of fake Post and DHL emails ∗∗∗
---------------------------------------------
Criminals pose as Post or DHL and send out fraudulent emails indiscriminately. The emails, with subjects such as "Your parcel is awaiting delivery" or "Your parcel has just arrived at the local post office", claim that a parcel has arrived but cannot be delivered because customs or delivery fees are still outstanding. You are asked to click on a link. Ignore such emails. They are fake!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-gefaelschten-post-und-d…
∗∗∗ CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit ∗∗∗
---------------------------------------------
In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor.
---------------------------------------------
https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
∗∗∗ Month of PowerShell: Process Threat Hunting, Part 1 ∗∗∗
---------------------------------------------
PowerShell is a powerful tool for threat hunting. Here we look at PowerShell threat hunting steps by assessing processes on Windows.
---------------------------------------------
https://www.sans.org/blog/process-threat-hunting-part-1/
∗∗∗ Month of PowerShell - The Curious Case of AD User Properties ∗∗∗
---------------------------------------------
Where are all of the user properties for Active Directory users for Get-ADUser?
---------------------------------------------
https://www.sans.org/blog/curious-case-ad-user-properties/
∗∗∗ Month of PowerShell: Process Threat Hunting, Part 2 ∗∗∗
---------------------------------------------
We continue our look at PowerShell threat hunting through process analysis, identifying Command & Control/C2 threats on a Windows system.
---------------------------------------------
https://www.sans.org/blog/process-threat-hunting-part-2/
∗∗∗ Defeating Javascript Obfuscation ∗∗∗
---------------------------------------------
To make a long story short, I’m releasing a Javascript deobfuscation tool called REstringer. To make a short story long - I want to share my incentive for creating the tool, some design decisions, and the process through which I’m adding new capabilities to it - so you can join in on the fun!
---------------------------------------------
https://www.perimeterx.com/tech-blog/2022/defeating-javascript-obfuscation/
∗∗∗ A repository of Windows persistence mechanisms ∗∗∗
---------------------------------------------
The repository tries to gather information about Windows persistence mechanisms to make protection and detection more efficient. Most of the information has been well known for years and is actively used in various scenarios.
---------------------------------------------
https://persistence-info.github.io/
∗∗∗ IAM-Deescalate: An Open Source Tool to Help Users Reduce the Risk of Privilege Escalation ∗∗∗
---------------------------------------------
We developed an open source tool, IAM-Deescalate, to help mitigate the privilege escalation risks of overly permissive identities in AWS.
---------------------------------------------
https://unit42.paloaltonetworks.com/iam-deescalate/
∗∗∗ Case closed: DIVD-2022-00009 - SolarMan backend administrator account/password ∗∗∗
---------------------------------------------
DIVD researcher Jelle Ursem found the password of the super user of the web backend for all SolarMan / Solis / Omnik / Ginlong inverters, loggers, and batteries. The password has been changed now, and the repository containing the password has been deleted.
---------------------------------------------
https://csirt.divd.nl/cases/DIVD-2022-00009/
∗∗∗ Cases of Attacks Targeting Vulnerable Atlassian Confluence Servers ∗∗∗
---------------------------------------------
The ASEC analysis team has been monitoring attacks that are targeting vulnerable systems. This post will discuss cases of attacks targeting vulnerable Atlassian Confluence Servers that are not patched.
---------------------------------------------
https://asec.ahnlab.com/en/36820/
=====================
= Vulnerabilities =
=====================
∗∗∗ Google Chrome: Update closes high-risk security holes ∗∗∗
---------------------------------------------
Google releases an update for Chrome that closes eleven potential security vulnerabilities; five of them are rated High Risk.
---------------------------------------------
https://www.golem.de/news/google-chrome-update-schliesst-hochrisiko-sicherh…
∗∗∗ Attackers could crash the scan engine of F-Secure and WithSecure ∗∗∗
---------------------------------------------
Patches close several vulnerabilities in security products from WithSecure, formerly F-Secure.
---------------------------------------------
https://heise.de/-7189082
∗∗∗ Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505) ∗∗∗
---------------------------------------------
The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven vulnerabilities were discovered.
---------------------------------------------
https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulner…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, djangorestframework, gsasl, and openjdk-11), Fedora (giflib, openssl, python-ujson, and xen), Mageia (virtualbox), SUSE (git, gpg2, java-1_7_1-ibm, java-1_8_0-ibm, java-1_8_0-openjdk, mozilla-nspr, mozilla-nss, mozilla-nss, python-M2Crypto, and s390-tools), and Ubuntu (php8.1).
---------------------------------------------
https://lwn.net/Articles/902400/
∗∗∗ WordPress Plugin "Newsletter" vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN77850327/
∗∗∗ Multiple vulnerabilities in untangle ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN30454777/
∗∗∗ K08152433: Intel processors MMIO stale data vulnerability CVE-2022-21166 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08152433/
∗∗∗ Unify OpenScape Branch: Vulnerability allows code execution ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0814
∗∗∗ Security Bulletin: A failed attempt to regenerate an IBM Security Verify Information Queue API token reveals sensitive data (CVE-2022-35288) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-failed-attempt-to-regen…
∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Vulnerabilities from log4j affect IBM Operations Analytics – Log Analysis (CVE-2019-17571, CVE-2020-9488) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4…
∗∗∗ Security Bulletin: Multiple Security Vulnerabilities in Apache Struts Affect IBM Sterling File Gateway (CVE-2019-0233, CVE-2019-0230) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue distributes configuration files with hard-coded credentials (CVE-2022-35287) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23307). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: Vulnerabilities from log4j-core-2.16.0.jar affect IBM Operations Analytics – Log Analysis (CVE-2021-44832, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-from-log4…
∗∗∗ Security Bulletin: Multiple vulnerabilities in log4j-1.2.16.jar used by IBM Operations Analytics – Log Analysis ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Audit events query facility in IBM Security Verify Information Queue is vulnerable to SQL injection (CVE-2022-35285) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-audit-events-query-facili…
∗∗∗ Security Bulletin: Session cookie used by IBM Security Verify Information Queue is not properly secured (CVE-2022-35284) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-session-cookie-used-by-ib…
∗∗∗ Security Bulletin: A security vulnerability in Node.js node-forge affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 21-07-2022 18:00 − Friday 22-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ SATAn attack: repurposed SATA cable transmits secret information over the air ∗∗∗
---------------------------------------------
Security researchers who specialise in attacks on isolated air-gapped systems have presented a new method.
---------------------------------------------
https://heise.de/-7186463
∗∗∗ Confluence Security Advisory 2022-07-20 ∗∗∗
---------------------------------------------
On 20 July 2022 Confluence published Security Advisory 2022-07-20 and updated it today. The advisory concerns Confluence accounts with hard-coded credentials created by Questions for Confluence. This affects the Confluence app for Confluence Server and Confluence Data Center.
---------------------------------------------
https://www.borncity.com/blog/2022/07/21/confluence-security-advisory-2022-…
∗∗∗ Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too ∗∗∗
---------------------------------------------
After laying low, exploit seller Candiru rears its ugly head once more.
---------------------------------------------
https://arstechnica.com/?p=1868594
∗∗∗ Maldoc: non-ASCII VBA Identifiers, (Thu, Jul 21st) ∗∗∗
---------------------------------------------
I found a malicious Office document with VBA code where most of the identifiers (variables, function names, ...) consist solely of characters that are not ASCII (e.g., these characters have values between 128 and 255).
---------------------------------------------
https://isc.sans.edu/diary/rss/28866
∗∗∗ An Analysis of a Discerning Phishing Website, (Fri, Jul 22nd) ∗∗∗
---------------------------------------------
Cybercriminals and adversaries have long used phishing websites to obtain credentials and access systems they usually would not have access to. Indeed, it could be more cost-effective than other methods, such as buying zero-day vulnerabilities and weaponizing them. I was alerted to a phishing attempt and requested further details. After doing some analysis, I observed several differences and technological improvements that the adversaries had made as compared to the usual phishing attempts.
---------------------------------------------
https://isc.sans.edu/diary/rss/28870
∗∗∗ Month of PowerShell - Recording Your Session with Start-Transcript ∗∗∗
---------------------------------------------
PowerShell allows us to create a transaction file of all commands entered and output received, perfect for pentests, incident response, and more!
---------------------------------------------
https://www.sans.org/blog/recording-your-session-with-start-transcript
∗∗∗ Cryptominers & WebAssembly in Website Malware ∗∗∗
---------------------------------------------
WebAssembly (also referred to as Wasm) is a binary instruction format that runs in the browser to enable high-performance applications on web pages and can be executed much faster than traditional JavaScript. WebAssembly can be executed in a variety of environments, including servers, IoT devices, and mobile or desktop apps — but was originally designed to run on the web.
---------------------------------------------
https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware…
∗∗∗ An Easier Way to Keep Old Python Code Healthy and Secure ∗∗∗
---------------------------------------------
Python has its pros and cons, but it's nonetheless used extensively. For example, Python is frequently used in data crunching tasks even when there are more appropriate languages to choose from. Why? Well, Python is relatively easy to learn. Someone with a science background can pick up Python much more quickly than, say, C. However, Python's inherent approachability also creates a couple of problems.
---------------------------------------------
https://thehackernews.com/2022/07/an-easier-way-to-keep-old-python-code.html
∗∗∗ Sh*Load Exploits (Episode V: Return of the Error) ∗∗∗
---------------------------------------------
Our first post in the Firmware Developers Need To Know blog series, Episode I: The Last Error, pointed out the benefits of adopting clean error codes. And then two weeks later, TLStorm, bam. Armis’ research engineers announced the discovery of three vulnerabilities in APC devices – the key problem: ignoring error codes! Unfortunately, little attention or thought is paid to error codes within firmware code (and many critical open source projects).
---------------------------------------------
https://dellfer.com/shload-exploits-episode-v-return-of-the-error/
∗∗∗ PART 1: How I Met Your Beacon – Overview ∗∗∗
---------------------------------------------
During this research we will outline a number of effective strategies for hunting for beacons, supported by our BeaconHunter tool that we developed to execute these strategies and which we intend to open source in due course.
---------------------------------------------
https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/
∗∗∗ Cloud Threat Detection: To Agent or Not to Agent? ∗∗∗
---------------------------------------------
Should you be using agents to secure cloud applications, or not? The answer depends on what exactly you're trying to secure.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/07/22/cloud-threat-detection-to-agent…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-07-21 ∗∗∗
---------------------------------------------
IBM Cloud App Management, IBM Cloud Pak for Multicloud Management Monitoring, IBM Rational Build Forge, IBM Rational Build Forge, IBM Cloud App Management, IBM Tivoli Netcool Manager.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (gnupg2, oci-seccomp-bpf-hook, suricata, and vim), Oracle (java-11-openjdk), Slackware (net), and SUSE (kernel, nodejs16, rubygem-rack, and webkit2gtk3).
---------------------------------------------
https://lwn.net/Articles/902184/
∗∗∗ Moodle: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in Moodle to execute arbitrary code, manipulate files, disclose information, or carry out a cross-site scripting attack.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0797
∗∗∗ Veritas NetBackup: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in Veritas NetBackup to execute arbitrary code or escalate privileges.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0801
∗∗∗ Veritas NetBackup: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous, authenticated or local attacker can exploit a vulnerability in Veritas NetBackup to execute arbitrary code, disclose confidential information, cause a denial-of-service condition, escalate privileges, and manipulate directories.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0802
∗∗∗ F-Secure Linux Security: Multiple vulnerabilities enable denial of service ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in F-Secure Linux Security and F-Secure Internet Gatekeeper to carry out a denial-of-service attack.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0803
∗∗∗ AutomationDirect Stride Field I/O ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-05
∗∗∗ ICONICS Suite and Mitsubishi Electric MC Works64 Products ∗∗∗
---------------------------------------------
This advisory contains mitigations for Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere, and Out-of-Bounds Read vulnerabilities in the SCADA products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04
∗∗∗ Rockwell Automation ISaGRAF Workbench ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the ISaGRAF Workbench.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-03
∗∗∗ Johnson Controls Metasys ADS, ADX, OAS ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the Metasys ADS, ADX, OAS.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-02
∗∗∗ ABB Drive Composer, Automation Builder, Mint Workbench ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Privilege Management vulnerabilities in the ABB products.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-202-01
∗∗∗ Unauthenticated SQL Injection in SonicWall GMS and Analytics ∗∗∗
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0007
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 20-07-2022 18:00 − Thursday 21-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Apple Patches Everything Day, (Wed, Jul 20th) ∗∗∗
---------------------------------------------
Apple today released its usual "surprise patch day" in updating all of its operating systems. There may still be specific Safari updates, but for currently supported operating systems, the operating system upgrades should include respective Safari/WebKit fixes.
---------------------------------------------
https://isc.sans.edu/diary/rss/28862
∗∗∗ New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems ∗∗∗
---------------------------------------------
A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems.
---------------------------------------------
https://thehackernews.com/2022/07/new-linux-malware-framework-let.html
∗∗∗ Outlook email users alerted to suspicious activity from Microsoft-owned IP address ∗∗∗
---------------------------------------------
People turn amateur sleuths to discover that the source of all those sign-ins seems to be in Redmond. Strange things are afoot in the world of Microsoft email, with multiple users reporting unusual sign-in notifications for their Outlook accounts.
---------------------------------------------
https://www.theregister.com/2022/07/21/outlook_sign_ins/
∗∗∗ [CVE-2022-34918] A crack in the Linux firewall ∗∗∗
---------------------------------------------
In our previous article Yet another bug into Netfilter, I presented a vulnerability found within the netfilter subsystem of the Linux kernel. During my investigation, I found a weird comparison that does not fully protect a copy within a buffer. It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22.04.
---------------------------------------------
https://www.randorisec.fr/crack-linux-firewall/
∗∗∗ Gitlab Project Import RCE Analysis (CVE-2022-2185) ∗∗∗
---------------------------------------------
At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly, in the advisory there was a mention of a post-auth RCE bug with CVSS 9.9. The bug exists in GitLab’s Project Imports feature, which was found by @vakzz. Incidentally, when I rummaged in the author’s h1 profile, I discovered that four months ago he also found a bug in the import project feature.
---------------------------------------------
https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-202…
∗∗∗ Cybercrime: Industrial control systems in the crosshairs ∗∗∗
---------------------------------------------
A password cracker with a trojan on board delivers passwords for programmable industrial control systems free of charge, and thereby raises an important question.
---------------------------------------------
https://heise.de/-7185890
∗∗∗ Beware of shops with subscription traps ∗∗∗
---------------------------------------------
You are looking for a product online – be it make-up, sportswear or pet food. Suddenly you come across a good offer, and the product is even 60 % cheaper if you become a VIP member. But the fine print says: with this purchase you are taking out an automatic club membership and an expensive subscription. Beware of these dubious subscription traps!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-shops-mit-abo-fallen/
∗∗∗ Shodan Verified Vulns 2022-07-01 ∗∗∗
---------------------------------------------
As of 2022-07-01, Shodan sees the following vulnerabilities in Austria: Compared with June 2022, a slight downward trend is visible across the board (in total from 9355 to 8987 verified vulnerabilities). The front runners are still CVE-2015-0204 (SSL FREAK, 4090) and CVE-2015-4000 (Logjam, 3193). Already relatively rare before (35), but conspicuously down, is CVE-2021-43798 (Grafana Path Traversal Vulnerability, -80%). There are no upward outliers or new entries.
---------------------------------------------
https://cert.at/de/aktuelles/2022/7/shodan-verified-vulns-2022-07-01
=====================
= Vulnerabilities =
=====================
∗∗∗ Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability ∗∗∗
---------------------------------------------
Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "disabledsystemuser."
---------------------------------------------
https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html
∗∗∗ Malicious code attacks with root privileges possible on Cisco Nexus Dashboard ∗∗∗
---------------------------------------------
There are important security updates for hardware and software from network equipment vendor Cisco.
---------------------------------------------
https://heise.de/-7185582
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Mageia (kernel and kernel-linus), SUSE (dovecot23), and Ubuntu (freetype, libxml-security-java, and linux-oem-5.17).
---------------------------------------------
https://lwn.net/Articles/902011/
∗∗∗ Request Tracker: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in Request Tracker to carry out a cross-site scripting attack or bypass security measures.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0788
∗∗∗ Security Bulletin: IBM Tivoli Network Manager is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-1757) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-network-manage…
∗∗∗ Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager appliance (CVE-2022-24407, CVE-2020-25709, CVE-2020-25710) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses an Oracle JDBC jar with multiple vulnerabilities (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Security Verify Information Queue connect image (CVE-2020-9493, CVE-2022-23307) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Wire Schema jar with multiple vulnerabilities (CVE-2020-27853, CVE-2021-41093) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Google gRPC framework with multiple vulnerabilities (CVE-2017-7860, CVE-2017-7861, CVE-2017-9431) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-38936) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Multiple security vulnerabilities found in open source code that is shipped with IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: OpenSSL vulnerabilities in the IBM Security Verify Information Queue web server (CVE-2021-3711, CVE-2021-3712) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-i…
∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op…
∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ CVE-2022-0778: Security vulnerabilities with denial-of-service potential in OpenSSL ∗∗∗
---------------------------------------------
https://www.sprecher-automation.com/it-sicherheit/security-alerts
∗∗∗ Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2022-015
∗∗∗ Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2022-014
∗∗∗ Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2022-013
∗∗∗ Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-core-2022-012
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 19-07-2022 18:00 − Wednesday 20-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Security vulnerabilities in MiCODUS GPS trackers could endanger human lives ∗∗∗
---------------------------------------------
Security researchers warn that attackers could, among other things, remotely stop government cars. There are no security patches so far.
---------------------------------------------
https://heise.de/-7184324
∗∗∗ Ignore phishing e-mail about "unauthorised activities"! ∗∗∗
---------------------------------------------
A phishing message in the name of Raiffeisen Bank is currently circulating that demands authentication. Allegedly a payment of 1259.00 EUR was made and then blocked. Attention: this is merely a fabricated pretext with which criminals want to get you to click on a phishing page. Simply delete the message!
---------------------------------------------
https://www.watchlist-internet.at/news/phishing-mail-zu-unbefugten-aktivita…
∗∗∗ Breaking down CIS's new software supply chain security guidance ∗∗∗
---------------------------------------------
Securing the software supply chain continues to be one of the most discussed topics currently among IT and cybersecurity leaders. A study by In-Q-Tel researchers shows a rapid rise in software supply chain attacks starting around 2016, going from almost none in 2015 to about 1,500 in 2020. The Cloud Native Computing Foundation’s (CNCF’s) catalog of software supply chain attacks also supports a rise in this attack vector.
---------------------------------------------
https://www.csoonline.com/article/3666742/breaking-down-ciss-new-software-s…
∗∗∗ Luna and Black Basta — new ransomware for Windows, Linux and ESXi ∗∗∗
---------------------------------------------
This report discusses new ransomware that targets Windows, Linux and ESXi systems: Luna, written in Rust, and Black Basta.
---------------------------------------------
https://securelist.com/luna-black-basta-ransomware/106950/
∗∗∗ PrestaShop Skimmer Concealed in One Page Checkout Module ∗∗∗
---------------------------------------------
PrestaShop is a popular freemium open source e-commerce platform used by hundreds of thousands of webmasters to sell products and services to website visitors. While PrestaShop’s CMS market share is only 0.8%, it should still come as no surprise that attackers have been crafting malware to specifically target environments that use this software.
---------------------------------------------
https://blog.sucuri.net/2022/07/prestashop-skimmer-concealed-in-one-page-ch…
∗∗∗ LockBit: Ransomware Puts Servers in the Crosshairs ∗∗∗
---------------------------------------------
LockBit affiliates are using servers to spread ransomware throughout networks.
---------------------------------------------
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo…
∗∗∗ Analysis of a trojanized jQuery script: GootLoader unleashed ∗∗∗
---------------------------------------------
In this blog post, we will perform a deep analysis into GootLoader, malware which is known to deliver several types of payloads, such as Kronos trojan, REvil, IcedID, GootKit payloads and in this case Cobalt Strike.
---------------------------------------------
https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-goo…
∗∗∗ 4 Strategies for Achieving Greater Visibility in the Cloud ∗∗∗
---------------------------------------------
Here are four ways to put visibility at the center of your cloud security approach and better understand what's going on in your environment.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/07/20/4-strategies-for-achieving-grea…
=====================
= Vulnerabilities =
=====================
∗∗∗ Patch now! Oracle secures its products with 349 updates ∗∗∗
---------------------------------------------
Important security patches close, among others, critical vulnerabilities in Oracle applications.
---------------------------------------------
https://heise.de/-7184179
∗∗∗ Security updates: Root vulnerability threatens Zyxel firewalls ∗∗∗
---------------------------------------------
Several Zyxel firewall models can be attacked via security vulnerabilities.
---------------------------------------------
https://heise.de/-7184526
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (golang-github-gosexy-gettext, golang-github-hub, oci-seccomp-bpf-hook, and popub), Oracle (kernel and kernel-container), SUSE (python2-numpy), and Ubuntu (check-mk and pyjwt).
---------------------------------------------
https://lwn.net/Articles/901879/
∗∗∗ Chrome 103 Update Patches High-Severity Vulnerabilities ∗∗∗
---------------------------------------------
Google this week announced a Chrome update that resolves a total of 11 vulnerabilities in the browser, including six reported by external researchers. Of these, five are use-after-free issues, including four that are considered “high severity.”
---------------------------------------------
https://www.securityweek.com/chrome-103-update-patches-high-severity-vulner…
∗∗∗ HCL BigFix: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in HCL BigFix to bypass security measures or disclose information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0733
∗∗∗ OpenJDK: Multiple vulnerabilities enable code execution ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in OpenJDK to execute arbitrary code, bypass security measures, or manipulate files.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0746
∗∗∗ Arista EOS: Vulnerability enables bypassing of security measures ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in Arista EOS to bypass security measures.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0761
∗∗∗ Red Hat OpenShift (Logging Subsystem): Vulnerability enables denial of service ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in Red Hat OpenShift (Logging Subsystem) to carry out a denial-of-service attack.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0707
∗∗∗ Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-co…
∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is affected by a cross-site scripting vulnerability in jQuery-UI(CVE-2021-41184) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities in JQuery affect IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip…
∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – CVE-2021-45105 (affecting v2.16) and CVE-2021-45046 (affecting v2.15) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vul…
∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities in Expact library. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi…
∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Cross-site Scripting (CVE-2022-22477) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to improper certificate validation (CVE-2021-29755) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure due to incorrect file permissions (CVE-2022-22424) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-38936) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: Vulnerability in Java SE related to the JSSE component affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-…
∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi…
=====================
= End-of-Day report =
=====================
Timeframe: Monday 18-07-2022 18:00 − Tuesday 19-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Authentication Risks Discovered in Okta Platform ∗∗∗
---------------------------------------------
Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction.
---------------------------------------------
https://threatpost.com/risks-okta-sso/180249/
∗∗∗ Requests For beacon.http-get. Help Us Figure Out What They Are Looking For, (Tue, Jul 19th) ∗∗∗
---------------------------------------------
Based on our First Seen URLs page, we started seeing more requests for 'beacon.http-get' these last few days. The requests are going back a while now but have been increasing.
---------------------------------------------
https://isc.sans.edu/diary/rss/28856
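As an added example (not part of the ISC diary or of this digest), the following Python snippet shows one way to hunt for these requests in your own web server logs: it parses lines in the Apache/nginx "combined" format, matches the request path (query string stripped, case-insensitive) against the string 'beacon.http-get', and counts hits per source IP and per user agent so you can see who is probing. The log lines are constructed for the demo; the field layout is an assumption about your log format.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Jul/2022:08:01:12 +0000] "GET /beacon.http-get HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Jul/2022:08:02:40 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.81.0"
203.0.113.7 - - [19/Jul/2022:08:03:05 +0000] "GET /beacon.http-get?id=1 HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Jul/2022:08:04:17 +0000] "GET /BEACON.HTTP-GET HTTP/1.1" 404 196 "-" "python-requests/2.28"
198.51.100.23 - - [19/Jul/2022:08:05:00 +0000] "POST /api/login HTTP/1.1" 401 0 "-" "curl/7.81.0"
"""

# One combined-format line: ip ident user [ts] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_beacon_requests(log_text, needle="beacon.http-get"):
    """Return parsed records whose request path contains `needle` (case-insensitive)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count and report these
        path = rec["path"].split("?", 1)[0]  # match on the path only, ignore the query string
        if needle in path.lower():
            hits.append(rec)
    return hits

def summarize(hits):
    """Count hits per source IP and per user agent, to see who is scanning."""
    by_ip = Counter(h["ip"] for h in hits)
    by_ua = Counter(h["ua"] for h in hits)
    return by_ip, by_ua

if __name__ == "__main__":
    hits = find_beacon_requests(SAMPLE_LOG)
    by_ip, by_ua = summarize(hits)
    for ip, n in by_ip.most_common():
        print(f"{ip}\t{n}")
    for ua, n in by_ua.most_common():
        print(f"{ua}\t{n}")
```

Run it against a real access log by reading the file into `find_beacon_requests`; the per-IP counter is the list of sources worth submitting to the ISC, and the status column tells you whether anything on your host actually answered.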
∗∗∗ Security of Office for Mac: Microsoft urges system update ∗∗∗
---------------------------------------------
Only the latest versions of Monterey and Big Sur can prevent attacks via macro exploits, according to the company.
---------------------------------------------
https://heise.de/-7182296
∗∗∗ WhatsApp message about a Covid-19 grant from UNICEF is fake ∗∗∗
---------------------------------------------
You have received a WhatsApp message from UNICEF? Someone wants to transfer a Covid-19 grant of 50,000 euros to you? Beware: this is fraud. Criminals pose as UNICEF and fake donations or prizes. In reality they want to steal your money! Do not reply and block the number!
---------------------------------------------
https://www.watchlist-internet.at/news/whatsapp-nachricht-ueber-einen-covid…
∗∗∗ I see what you did there: A look at the CloudMensis macOS spyware ∗∗∗
---------------------------------------------
Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs
---------------------------------------------
https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-clo…
∗∗∗ Riding the InfoRail to Exploit Ivanti Avalanche ∗∗∗
---------------------------------------------
I was able to quickly identify a chain of three vulnerabilities in the Ivanti Avalanche Web Application:
[...]
Even though this chain is powerful, its first part heavily depends on factors that are not within the attacker’s control. We can do better, right?
---------------------------------------------
https://www.thezdi.com/blog/2022/7/19/riding-the-inforail-to-exploit-ivanti…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-07-18 ∗∗∗
---------------------------------------------
IBM UrbanCode Build, IBM UrbanCode Release, IBM Sterling Partner Engagement Manager, IBM MQ, App Connect professional, IBM WebSphere Application Server Liberty, IBM Tivoli Netcool Configuration Manager.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates: attackers could attack Juniper software with malicious code ∗∗∗
---------------------------------------------
Network equipment vendor Juniper has closed critical security holes, among others in Contrail Networking.
---------------------------------------------
https://heise.de/-7183158
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (buildah), SUSE (dovecot23 and nodejs12), and Ubuntu (harfbuzz, libhttp-daemon-perl, tiff, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/901787/
∗∗∗ EMC Avamar: Multiple vulnerabilities allow privilege escalation ∗∗∗
---------------------------------------------
A remote, anonymous, authenticated or local attacker can exploit multiple vulnerabilities in EMC Avamar and EMC NetWorker to escalate privileges, execute arbitrary code, bypass security measures, disclose confidential information and cause a denial-of-service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0715
∗∗∗ QEMU: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
A local attacker can exploit a vulnerability in QEMU to carry out a denial of service attack.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0713
∗∗∗ Apache CloudStack: Vulnerability allows file manipulation ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in Apache CloudStack to disclose confidential information, cause a denial-of-service condition and manipulate server data.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0711
∗∗∗ Redis: Vulnerability allows code execution ∗∗∗
---------------------------------------------
A remote attacker can exploit a vulnerability in Redis to execute arbitrary code.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0709
∗∗∗ jQuery: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit a vulnerability in jQuery to carry out a cross-site scripting attack.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0708
∗∗∗ CVE-2022-30526 (Fixed): Zyxel Firewall Local Privilege Escalation ∗∗∗
---------------------------------------------
Rapid7 discovered a local privilege escalation vulnerability affecting Zyxel firewalls. The vulnerability allows a low privileged user, such as `nobody`, to escalate to `root` on affected firewalls.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/07/19/cve-2022-30526-fixed-zyxel-fire…
=====================
= End-of-Day report =
=====================
Timeframe: Freitag 15-07-2022 18:00 − Montag 18-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Cybercrime and Trickbot leaks: "We pay sick pay and a 13th-month salary" ∗∗∗
---------------------------------------------
Cybercrime goes business: a job interview in the cybercrime underground shows impressively how far organized crime has already been "normalized".
---------------------------------------------
https://heise.de/-7182800
∗∗∗ Fake shop for pellets and firewood contacts customers on WhatsApp ∗∗∗
---------------------------------------------
Fake shops for firewood, pellets, photovoltaic systems and stoves are currently booming. The fraudulent shop wibois.com goes to particular lengths to steal your money. In addition to professionally designed ads on Facebook and Instagram, the criminals send you order confirmations and payment requests on WhatsApp. This builds trust and conveys a feeling of reachability. Do not pay and block the number!
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-fuer-pellets-und-brennholz…
∗∗∗ Password-cracking tool for industrial controllers/control systems distributed infected with Sality malware ∗∗∗
---------------------------------------------
Cybercriminals are apparently advertising on social networks a tool that can be used to crack passwords in industrial controllers (ICS, PLCs).
---------------------------------------------
https://www.borncity.com/blog/2022/07/16/mit-sality-malware-infiziertes-pas…
∗∗∗ Supply Chain Attack Technique Spoofs GitHub Commit Metadata ∗∗∗
---------------------------------------------
Security researchers at Checkmarx are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories.
---------------------------------------------
https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-co…
∗∗∗ Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability ∗∗∗
---------------------------------------------
Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022.
---------------------------------------------
https://msrc-blog.microsoft.com/2022/07/18/mitigation-for-azure-storage-sdk…
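To show what a padding oracle actually hands an attacker, here is an added, self-contained Python demonstration; it is not code from the Azure Storage SDK, from Microsoft or from Google, and it does not reproduce the specific CVE-2022-30187 bug. A toy 16-byte Feistel block cipher (constructed here, a stand-in for AES) is used in CBC mode with PKCS#7 padding and no integrity check, and the only thing the "server" leaks is whether padding was valid. From that one bit per query the attack recovers the full plaintext without the key, including the usual false-positive edge case on the last byte (valid 0x02 0x02 padding mistaken for 0x01). Key, IV and message are constructed for the demo.

```python
import hashlib

BLOCK = 16
ROUNDS = 4

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round_fn(key, half, rnd):
    # Toy round function: 8 bytes of SHA-256 over key, round number and half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    """Constructed 4-round Feistel permutation standing in for AES (NOT a real cipher)."""
    L, R = block[:8], block[8:]
    for r in range(ROUNDS):
        L, R = R, _xor(L, _round_fn(key, R, r))
    return L + R

def block_decrypt(key, block):
    L, R = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        L, R = _xor(R, _round_fn(key, L, r)), L
    return L + R

def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)

def padding_oracle(key, iv, ct):
    """The leak: the receiver reveals only whether padding was valid (CBC with no MAC)."""
    try:
        pkcs7_unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False

def recover_block(oracle, prev, target):
    """Recover one plaintext block using only the oracle; `prev` is the preceding ciphertext block (or IV)."""
    inter = bytearray(BLOCK)  # will hold block_decrypt(key, target), learned byte by byte
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padval   # force already-known bytes to decrypt to padval
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # Edge case: a "valid" answer here may be 0x02 0x02 (or longer) rather than 0x01.
                # Disturb the byte before it; only genuine 0x01 padding survives that.
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), target):
                    continue
            inter[pos] = guess ^ padval
            break
        else:
            raise RuntimeError("no guess accepted; not a padding oracle?")
    return _xor(inter, prev)

def padding_oracle_attack(oracle, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    pt = b"".join(recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(pt)

def demo():
    key = b"constructed-demo-key"          # constructed for the demo, not a real secret
    iv = bytes(range(BLOCK))
    msg = b"attack at dawn; padding oracles leak plaintext"
    ct = cbc_encrypt(key, iv, pkcs7_pad(msg))
    oracle = lambda iv_, blk: padding_oracle(key, iv_, blk)   # the attacker never sees `key`
    return padding_oracle_attack(oracle, iv, ct)

if __name__ == "__main__":
    print(demo())
```

The attacker needs at most 256 queries per byte and never touches the key; the oracle can be an explicit error, a timing difference, or a different HTTP status. The standard fix is an authenticated mode or encrypt-then-MAC, so that a modified ciphertext is rejected before any padding is examined, which in this model means the oracle refuses to answer.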
∗∗∗ Month of PowerShell - Working with the Event Log, Part 3 - Accessing Message Elements ∗∗∗
---------------------------------------------
In part 3 of Working with the Event Log we look at using a third-party function to make accessing event log data much easier.
---------------------------------------------
https://www.sans.org/blog/working-with-the-event-log-part-3-accessing-messa…
∗∗∗ Month of PowerShell - Working with the Event Log, Part 4 - Tweaking Event Log Settings ∗∗∗
---------------------------------------------
In this final part of this series on working with the event log in PowerShell, we look at tips and commands for tweaking event log settings.
---------------------------------------------
https://www.sans.org/blog/working-with-the-event-log-part-4-tweaking-event-…
∗∗∗ Genesis - The Birth of a Windows Process (Part 2) ∗∗∗
---------------------------------------------
In this second and final part of the series, we will go through the exact flow CreateProcess carries out to launch a process on Windows using the APIs and Data Structure we discussed in Part 1.
---------------------------------------------
https://fourcore.io/blogs/how-a-windows-process-is-created-part-2
=====================
= Vulnerabilities =
=====================
∗∗∗ New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain ∗∗∗
---------------------------------------------
Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," [...]
---------------------------------------------
https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, [...]
---------------------------------------------
https://lwn.net/Articles/901699/
∗∗∗ Log4j vulnerability: German SMEs asleep, DHS sees a problem for years ∗∗∗
---------------------------------------------
The Log4Shell vulnerability in the Log4j library, exploitable in Java, is presumably present in many systems and software packages. Experts estimate that the problem will affect us for years to come, and German SMEs have not yet taken this on board. The Department of Homeland Security also [...]
---------------------------------------------
https://www.borncity.com/blog/2022/07/17/log4j-schwachstelle-mittelstand-sc…
∗∗∗ SonicWall Switch Post-Authenticated Remote Code Execution ∗∗∗
---------------------------------------------
A vulnerability in SonicWall Switch 1.1.1.0-2s and earlier allows an authenticated malicious user to perform remote code execution in the host system.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0013
∗∗∗ Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-027/
∗∗∗ Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-022/
∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-…
∗∗∗ Security Bulletin: The CVE-2022-34305 vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-cve-2022-34305-vulner…
∗∗∗ Security Bulletin: There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner…
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities due to its use of IBM JAVA (CVE-2021-35560, CVE-2021-35578, CVE-2021-35565, CVE-2021-35603) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-an-attacker-that-gains-se…
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial of service due to its use of Apache Xerces2 (CVE-2022-23437) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects PowerVM ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: The vulnerability CVE-2022-21299 in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-the-vulnerability-cve-202…
∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS (CVE-2021-22918, CVE-2021-22960, CVE-2021-22959) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op…
∗∗∗ Security Bulletin: Vulnerability in the jackson-databind component affects IBM Event Streams ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-jack…
=====================
= End-of-Day report =
=====================
Timeframe: Donnerstag 14-07-2022 18:00 − Freitag 15-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Callback phishing: urgent callback requested ∗∗∗
---------------------------------------------
Attackers pose as security companies in e-mails and ask for a callback. But instead of a check, the computer gets hacked.
---------------------------------------------
https://www.golem.de/news/callback-phishing-dringender-rueckruf-erbeten-220…
∗∗∗ Android malware with 3 million installations removed from Google Play ∗∗∗
---------------------------------------------
The Android malware Autolycos reached a total of three million installations. After its discovery, Google removed the affected apps.
---------------------------------------------
https://heise.de/-7180469
∗∗∗ Windows Autopatch now generally available ∗∗∗
---------------------------------------------
With Autopatch, Microsoft promises automatically secured updates for Windows; administrators face significantly less manual work.
---------------------------------------------
https://heise.de/-7180876
∗∗∗ What can I do about problems with Klarna? ∗∗∗
---------------------------------------------
"The product hasn't even arrived, yet Klarna wants me to pay." "Klarna keeps sending reminders despite the return." "I received junk, but Klarna demands payment." Consumers repeatedly report problems with Klarna to us and are at a loss. We show you what you can do about unjustified payment requests and reminders from Klarna.
---------------------------------------------
https://www.watchlist-internet.at/news/was-kann-ich-bei-problemen-mit-klarn…
∗∗∗ YouTuber-Cash: beware of the rip-off ∗∗∗
---------------------------------------------
Watch YouTube videos and earn money doing it? Offers like the one from youtuber.ltd sound tempting, but instead of a payout, rip-off schemes await you. Do not trust online promises of making a lot of money quickly! The criminals behind these offers are only after your data or your money.
---------------------------------------------
https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/
∗∗∗ WordPress: vulnerability in Kaswara Modern WPBakery Page Builder under attack ∗∗∗
---------------------------------------------
WordPress users who have the Kaswara Modern WPBakery Page Builder in use should act quickly. Older versions contain the vulnerability CVE-2021-24284, which allows takeover of the WordPress installation.
---------------------------------------------
https://www.borncity.com/blog/2022/07/15/wordpress-schwachstelle-in-kaswara…
∗∗∗ New Phishing Kit Hijacks WordPress Sites for PayPal Scam ∗∗∗
---------------------------------------------
Attackers use scam security checks to steal victims government documents, photos, banking information, and email passwords, researchers warn.
---------------------------------------------
https://www.darkreading.com/attacks-breaches/new-phishing-kit-hijacks-wordp…
∗∗∗ The real reason why malware detection is hard—and underestimated ∗∗∗
---------------------------------------------
Researchers develop an AI with a 98% malware detection rate and 5% false positive rate. If you think this is a splendid technology for antivirus software, this article might change your mind.
---------------------------------------------
https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard
∗∗∗ Month of PowerShell: Working with Log Files ∗∗∗
---------------------------------------------
In this article we look at how we can leverage PowerShell's object-passing pipeline to parse and retrieve data from an IIS web server log file.
---------------------------------------------
https://www.sans.org/blog/powershell-working-with-log-files
∗∗∗ Software Vendors Start Patching Retbleed CPU Vulnerabilities ∗∗∗
---------------------------------------------
Vendors have started rolling out software updates to address the recently disclosed Retbleed speculative execution attack targeting Intel and AMD processors.
---------------------------------------------
https://www.securityweek.com/software-vendors-start-patching-retbleed-cpu-v…
∗∗∗ Powerful Mantis DDoS Botnet Hits 1,000 Organizations in One Month ∗∗∗
---------------------------------------------
Web protection firm Cloudflare warns that a small but powerful botnet has launched distributed denial-of-service (DDoS) attacks on roughly 1,000 organizations over the past month alone.
---------------------------------------------
https://www.securityweek.com/powerful-mantis-ddos-botnet-hits-1000-organiza…
∗∗∗ Digium Phones Under Attack: Insight Into the Web Shell Implant ∗∗∗
---------------------------------------------
We witnessed more than 500,000 unique samples of malicious traffic targeting Digium Asterisk software for VoIP phone devices.
---------------------------------------------
https://unit42.paloaltonetworks.com/digium-phones-web-shell/
∗∗∗ CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Quintin Crist of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows operating system, originally discovered and reported by Yuki Chen. The bug is found in the implementation of Network File System (NFS) and is due to improper handling of NFSv4 requests. An unauthenticated attacker could exploit this bug to execute arbitrary code in the context of SYSTEM.
---------------------------------------------
https://www.thezdi.com/blog/2022/7/13/cve-2022-30136-microsoft-windows-netw…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security Update Available for Adobe InDesign APSB22-30 ∗∗∗
---------------------------------------------
Adobe has released a security update for Adobe InDesign. This update addresses multiple critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak.
---------------------------------------------
https://helpx.adobe.com/security/products/indesign/apsb22-30.html
∗∗∗ Security Update Available for Adobe InCopy APSB22-29 ∗∗∗
---------------------------------------------
Adobe has released a security update for Adobe InCopy. This update addresses multiple critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak.
---------------------------------------------
https://helpx.adobe.com/security/products/incopy/apsb22-29.html
∗∗∗ ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access ∗∗∗
---------------------------------------------
ABB is aware of private reports of a vulnerability in the flow computer and remote controller product versions listed above. A flash update is available that resolves the vulnerability in the product versions listed above. Mitigation can be accomplished by proper network segmentation [...]
---------------------------------------------
https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&Lan…
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (curl, kernel, openssl1.1, php, subversion, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (grub2), SUSE (gnutls, kernel, logrotate, oracleasm, p11-kit, and python-PyJWT), and Ubuntu (libhttp-daemon-perl and python2.7, python3.10, python3.4, python3.5, python3.6, python3.8, python3.9).
---------------------------------------------
https://lwn.net/Articles/901412/
∗∗∗ Grafana: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in Grafana to carry out a cross-site scripting attack and bypass security measures.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0696
∗∗∗ SonicWall Hosted Email Security Capture ATP Bypass ∗∗∗
---------------------------------------------
Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance.
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0014
∗∗∗ OpenSSL c_rehash script allows command injection CVE-2022-1292 ∗∗∗
---------------------------------------------
A critical vulnerability (CVE-2022-1292) was found in the OpenSSL c_rehash script. This is due to shell metacharacters not being properly sanitized, resulting in command injection. An attacker could execute arbitrary commands with the privileges of the script. After review, it has been determined that the vulnerability tracked as CVE-2022-1292 is not applicable to the SonicWall product suite. However, SonicWall has decided to update the impacted OpenSSL package to the fixed version (OpenSSL 1.1.1o) [...]
---------------------------------------------
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011
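As an added illustration of the bug class (not the c_rehash script itself, which is Perl, and not SonicWall's code), the Python snippet below contrasts three ways an untrusted file name can reach a child command. `printf` is a stand-in for the openssl invocation so the example runs anywhere; the hostile file name is constructed. A name containing `;` runs a second command in the first version and is treated as plain data in the other two.

```python
import shlex
import subprocess

# `printf` stands in for the `openssl x509 -hash -noout -in <file>` call a rehash script
# would make; the point is how the file name reaches the command, not what the command does.

def hash_via_shell(fname):
    """VULNERABLE pattern: the untrusted file name is spliced into a shell command string."""
    cmd = "printf '%s\\n' " + fname
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def hash_via_quoted_shell(fname):
    """Fix 1: still a shell, but the name is shell-quoted so metacharacters are inert."""
    cmd = "printf '%s\\n' " + shlex.quote(fname)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def hash_via_argv(fname):
    """Fix 2 (preferred): no shell at all; the name is one argv element, whatever it contains."""
    return subprocess.run(["printf", "%s\n", fname], capture_output=True, text=True).stdout

if __name__ == "__main__":
    hostile = "cert.pem; echo INJECTED"   # constructed attacker-controlled file name
    for fn in (hash_via_shell, hash_via_quoted_shell, hash_via_argv):
        print(fn.__name__, repr(fn(hostile)))
```

The first function prints a second line, `INJECTED`, because the shell split the string at `;`; the other two print the name back verbatim. When the script runs as root over a directory writable by others (the c_rehash scenario), the difference is arbitrary command execution as root.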
∗∗∗ SolarWinds Dameware: Vulnerability allows user access ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0697
∗∗∗ Mattermost: Multiple vulnerabilities allow unspecified attack ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0695
∗∗∗ Autodesk AutoCAD: Vulnerability allows code execution ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0694
∗∗∗ Security Bulletin: Denial of Service vulnerability affects IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-35618 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-36518) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2022-0391) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed…
∗∗∗ Security Bulletin: Vulnerability in Json-schema library affects Tivoli Netcool/OMNIbus WebGUI (CVE-2021-3918) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json-sch…
∗∗∗ Security Bulletin: Vulnerability in Axios affects IBM Process Mining (CVE-2022-1214) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-axios-af…
∗∗∗ Security Bulletin: IBM MQ Appliance is affected by follow-redirects vulnerabilities (CVE-2022-0155 and CVE-2022-0536) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec…
=====================
= End-of-Day report =
=====================
Timeframe: Mittwoch 13-07-2022 18:00 − Donnerstag 14-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Month of PowerShell - Working with the Event Log, Part 2 - Threat Hunting with Event Logs ∗∗∗
---------------------------------------------
We continue our look at working with the Windows event log using PowerShell with 10 threat hunting techniques.
---------------------------------------------
https://www.sans.org/blog/working-with-event-log-part-2-threat-hunting-with…
∗∗∗ Introducing Decompiler Explorer ∗∗∗
---------------------------------------------
Today, we’re releasing a little side project a few of our developers have been working with the community on: the Decompiler Explorer! This new (free, open source) web service lets you compare the output of different decompilers on small executables. In other words: It’s basically the same thing as Matt Godbolt’s awesome Compiler Explorer, but in reverse.
---------------------------------------------
https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html
∗∗∗ CVE-2022-29885 - Don't Open That Port - A Denial Of Service vulnerability in the Apache Tomcat Cluster Service Listener ∗∗∗
---------------------------------------------
While performing the analysis I discovered that this was part of research done by 4ra1n, who reported the issue to the Apache Tomcat Security Team on 17 April 2022; it was assigned CVE-2022-29885. Nonetheless, I had no luck finding a suitable PoC for the vulnerability.
---------------------------------------------
https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/
∗∗∗ Genesis - The Birth of a Windows Process (Part 1) ∗∗∗
---------------------------------------------
This is the first part of a two-part series. In this post, I cover how Windows spawns a process, the various APIs and data structures involved and the different types of processes available on Windows. The Windows API provides several functions for creating a process. We will go through some of the important APIs and structures Win32 offers before diving into the process creation procedure.
---------------------------------------------
https://fourcore.io/blogs/how-a-windows-process-is-created-part-1
∗∗∗ Exploiting Arbitrary Object Instantiations in PHP without Custom Classes ∗∗∗
---------------------------------------------
PHP’s Arbitrary Object Instantiation is a flaw in which an attacker can create arbitrary objects. This flaw can come in all shapes and sizes.
---------------------------------------------
https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/
∗∗∗ “RedAlert,” LILITH and 0mega leading a wave of Ransomware Campaigns ∗∗∗
---------------------------------------------
Multiple new ransomware groups have surfaced recently, highlighting the adoption of ransomware attacks by TAs for monetary gains.
---------------------------------------------
https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/
∗∗∗ Office users targeted: phishing campaign bypasses multi-factor authentication ∗∗∗
---------------------------------------------
Microsoft's security researchers have uncovered a large phishing campaign. In it, attackers steal session cookies to bypass MFA protections.
---------------------------------------------
https://heise.de/-7179750
∗∗∗ PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability ∗∗∗
---------------------------------------------
The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin.
---------------------------------------------
https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-buil…
∗∗∗ YouTuber-Cash: beware of the rip-off ∗∗∗
---------------------------------------------
Watch YouTube videos and earn money doing it? Offers like the one from youtuber.ltd sound tempting, but instead of a payout, rip-off schemes await you. Do not trust online promises of making a lot of money quickly!
---------------------------------------------
https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/
=====================
= Vulnerabilities =
=====================
∗∗∗ X.org servers update closes 2 security holes, adds neat component tweaks ∗∗∗
---------------------------------------------
Arbitrary code execution flaws in the X Keyboard Extension were bad news. X.org has released a bunch of updates, which includes closing two security holes and, yes, this affects Wayland users too.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/07/13/xorg_servers…
∗∗∗ Tableau Server Leaks Sensitive Information From Reflected XSS ∗∗∗
---------------------------------------------
GoSecure Titan Labs has identified a vulnerability within the Tableau Server that could allow malicious actors to extract sensitive data from the application. Tableau Server is an analytics platform owned by Salesforce used to see and understand data.
---------------------------------------------
https://www.gosecure.net/blog/2022/07/13/tableau-server-leaks-sensitive-inf…
∗∗∗ IBM Security Bulletins 2022-07-13 ∗∗∗
---------------------------------------------
IBM Db2, IBM MQ Appliance, IBM i, IBM WebSphere Application Server, IBM Engineering Lifecycle Optimization, IBM Cloud Pak, IBM Netezza Platform, IBM Security Verify Information Queue, IBM Security Verify Governance.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Vulnerability in VMware vCenter Server and Cloud Foundation partially patched ∗∗∗
---------------------------------------------
VMware's vCenter Server and Cloud Foundation contain a security vulnerability in Integrated Windows Authentication. A software update is now available.
---------------------------------------------
https://heise.de/-7179181
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (request-tracker4), Fedora (kernel and vim), Mageia (gerbv, gnupg2, pgadmin4, and python-coookiecutter), Slackware (xorg), SUSE (cifs-utils, gmp, gnutls, libnettle, kernel, libsolv, libzypp, zypper, logrotate, openssl-1_1, opera, squid, and virglrenderer), and Ubuntu (ca-certificates, git, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-kvm, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-aws, linux-oem-5.14, and vim).
---------------------------------------------
https://lwn.net/Articles/901190/
∗∗∗ UEFI firmware bug endangers over 70 Lenovo notebooks (July 2022) ∗∗∗
---------------------------------------------
Note for blog readers who use notebooks from Lenovo (and IBM). Security researchers at ESET have found serious vulnerabilities in the UEFI firmware of Lenovo notebooks that allow the operating system to be taken over in the early boot phase.
---------------------------------------------
https://www.borncity.com/blog/2022/07/14/uefi-firmware-bug-gefhrdet-ber-70-…
∗∗∗ Internet Explorer 11: Update KB5015805 (12 July 2022) ∗∗∗
---------------------------------------------
On 12 July 2022 Microsoft released a security update (KB5015805) for Internet Explorer. It is, however, only available separately as a cumulative update for selected Windows versions. Here is an overview of this patch, which is intended to close vulnerabilities in the browser.
---------------------------------------------
https://www.borncity.com/blog/2022/07/14/internet-explorer-11-update-kb5015…
∗∗∗ Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048 ∗∗∗
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-048
∗∗∗ K14335949: Intel processors vulnerability CVE-2022-24436 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K14335949
∗∗∗ K43357358: AMD processors vulnerability CVE-2022-23823 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K43357358
∗∗∗ Juniper JUNOS (EX, MX, PTX, QFX Series): Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0684
∗∗∗ Juniper JUNOS (various platforms): Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0683
∗∗∗ Lenovo XClarity: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0687
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 12-07-2022 18:00 − Wednesday 13-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud ∗∗∗
---------------------------------------------
A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA).
---------------------------------------------
https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec…
∗∗∗ Using Referers to Detect Phishing Attacks, (Wed, Jul 13th) ∗∗∗
---------------------------------------------
Referers are useful information for webmasters and system administrators that would like to have a better overview of the visitors browsing their websites. The referer is an HTTP header that identifies the address of the web page from which the resource has been requested.
---------------------------------------------
https://isc.sans.edu/diary/rss/28836
∗∗∗ Infected WordPress Site Reveals Malicious C&C Script ∗∗∗
---------------------------------------------
Cryptomining infections accounted for less than 4% of total detections last year. Despite the fact that CoinHive – one of the most popular JavaScript based miners – shut down its operations in 2019, we still find occasional infections on compromised environments during remote and server-side scans.
---------------------------------------------
https://blog.sucuri.net/2022/07/infected-wordpress-site-reveals-malicious-c…
∗∗∗ Researchers Uncover New Attempts by Qakbot Malware to Evade Detection ∗∗∗
---------------------------------------------
The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection.
---------------------------------------------
https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html
∗∗∗ Open-source tool from Microsoft creates "Software Bill of Materials" ∗∗∗
---------------------------------------------
The SBOM tool Salus lists all components and dependencies of projects in order to detect potential vulnerabilities in the software supply chain.
---------------------------------------------
https://heise.de/-7177889
∗∗∗ Beware of fake shops in the energy sector! ∗∗∗
---------------------------------------------
After numerous fake shops selling firewood, criminals are now following up with photovoltaic shops such as solanex.de and solarnetz.at. The current energy crisis is evidently to be exploited to the maximum.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-am-energiese…
∗∗∗ Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption ∗∗∗
---------------------------------------------
We show how metadata encryption and decryption contributes to making Cobalt Strike an effective emulator that is difficult to defend against.
---------------------------------------------
https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decry…
=====================
= Vulnerabilities =
=====================
∗∗∗ AMD processors: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in AMD processors to execute arbitrary code or disclose information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0665
∗∗∗ Intel processors: Multiple vulnerabilities allow disclosure of information ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in Intel processors to disclose information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0650
∗∗∗ Microsoft Security Update Summary (12 July 2022) ∗∗∗
---------------------------------------------
On 12 July 2022 Microsoft released security updates for Windows clients and servers, for Office etc., as well as for further products. The security updates also fix 84 vulnerabilities, including one 0-day.
---------------------------------------------
https://www.borncity.com/blog/2022/07/12/microsoft-security-update-summary-…
∗∗∗ Adobe patches vulnerabilities, some of them critical ∗∗∗
---------------------------------------------
The vendor closes security vulnerabilities in Adobe Acrobat and Reader, Photoshop, RoboHelp and Character Animator. Some of them are critical.
---------------------------------------------
https://heise.de/-7177696
∗∗∗ IBM Security Bulletins 2022-07-12 ∗∗∗
---------------------------------------------
IBM Answer Retrieval for Watson Discovery, IBM Event Streams, IBM QRadar Network Security, IBM Cloud, Content Manager OnDemand, IBM Rational Build Forge, IBM App Connect Enterprise, IBM Sterling Connect, Digital Certificate Manager, Enterprise Content Management System Monitor.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, and xorg-server, xorg-server-hwe-18.04, xwayland).
---------------------------------------------
https://lwn.net/Articles/901029/
∗∗∗ Ruby on Rails: Vulnerability allows code execution ∗∗∗
---------------------------------------------
A remote attacker can exploit a vulnerability in Ruby on Rails to execute arbitrary code.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0662
∗∗∗ ZDI-22-968: BMC Track-It! HTTP Module Improper Access Control Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-968/
∗∗∗ ZDI-22-967: BMC Track-It! GetPopupSubQueryDetails SQL Injection Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-967/
∗∗∗ VMSA-2022-0020 - VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0020.html
∗∗∗ VMSA-2022-0019 - VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0019.html
∗∗∗ VMSA-2022-0018 - VMware vCenter Server updates address a server-side request forgery vulnerability ∗∗∗
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0018.html
∗∗∗ Dahua ASI7213X-T1 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-193-01
=====================
= End-of-Day report =
=====================
Timeframe: Monday 11-07-2022 18:00 − Tuesday 12-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ IBM middleware: Vulnerability in MQ can lead to privilege escalation ∗∗∗
---------------------------------------------
Multiple security vulnerabilities in IBM MQ allow attackers to escalate their privileges on affected systems or to bring them down. Updates are available.
---------------------------------------------
https://heise.de/-7169603
∗∗∗ Worm infection: Raspberry Robin malware campaign infects Windows and QNAP NAS ∗∗∗
---------------------------------------------
IT researchers at Cybereason have discovered a network worm that spreads on Windows and QNAP devices. They call the campaign Raspberry Robin.
---------------------------------------------
https://heise.de/-7170350
∗∗∗ Month of PowerShell: Threat Hunting with PowerShell Differential Analysis ∗∗∗
---------------------------------------------
One of the most powerful techniques for threat hunting on Windows: differential analysis.
---------------------------------------------
https://www.sans.org/blog/threat-hunting-with-powershell-differential-analy…
∗∗∗ CVE-2022-29593 - Authentication Bypass by Capture Replay (Dingtian-DT-R002) ∗∗∗
---------------------------------------------
This blog post describes an authentication bypass in one such device that allows an attacker with access to the IP network to capture and subsequently replay discrete device commands, which makes it possible to switch the physical relays on the device on and off.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-29…
∗∗∗ Exploiting Authentication in AWS IAM Authenticator for Kubernetes ∗∗∗
---------------------------------------------
During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities.
---------------------------------------------
https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aw…
∗∗∗ Scanning for security.txt files ∗∗∗
---------------------------------------------
RFC 9116 was written by E. Foudil and Y. Shafranovich and left draft status in April 2022. This RFC formally defines the security.txt file, which has been an unofficial standard for many years, initially created back in 2017 and documented at https://securitytxt.org/.
---------------------------------------------
https://www.pentestpartners.com/security-blog/scanning-for-security-txt-fil…
∗∗∗ ChromeLoader: New Stubborn Malware Campaign ∗∗∗
---------------------------------------------
A malicious browser extension is the payload of the ChromeLoader malware family, serving as adware and an infostealer, leaking users’ search queries.
---------------------------------------------
https://unit42.paloaltonetworks.com/chromeloader-malware/
∗∗∗ Is exploiting a null pointer deref for LPE just a pipe dream? ∗∗∗
---------------------------------------------
A lot of blog posts I have read go over interesting vulnerabilities and exploits but do not typically share the process behind discovery. I want to show how sometimes just manually poking around can quickly uncover vulnerabilities you might miss with other approaches to vulnerability discovery.
---------------------------------------------
https://www.thezdi.com/blog/2022/6/1/is-exploiting-a-null-pointer-deref-for…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-962: Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-962/
∗∗∗ Siemens ProductCERT published 19 and updated 15 advisories/bulletins ∗∗∗
---------------------------------------------
Opcenter Quality, SINAMICS PERFECT HARMONY GH180 Drives, EN100 Ethernet Module, RUGGEDCOM ROS, SIMATIC WinCC, Teamcenter Visualization, JT2Go, Industrial Products, TIA Administrator, Mendix Excel Importer Module, RUGGEDCOM ROX, SIMATIC eaSie Core Package, SCALANCE X Switches, SIMATIC CP Devices, Mendix Applications, SICAM A8000 Devices, Simcenter Femap, PROFINET Stack, PADS Standard/Plus Viewer, SIMATIC S7-1500, Mendix, SIMATIC MV500 Devices, OPC Foundation Local Discovery Server, OPC-UA, Parasolid, SICAM GridEdge.
---------------------------------------------
https://new.siemens.com/global/en/products/services/cert.html?d=2022-07#Sec…
∗∗∗ SAP Patch Day: 20 new security vulnerabilities patched in July ∗∗∗
---------------------------------------------
With the July Patch Day updates, SAP closes 20 new security vulnerabilities. The vendor also updates three older security bulletins.
---------------------------------------------
https://heise.de/-7170698
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap).
---------------------------------------------
https://lwn.net/Articles/900855/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ TYPO3-EXT-SA-2022-014: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-014
∗∗∗ MariaDB: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0641
∗∗∗ Symantec Advanced Secure Gateway: Vulnerability allows manipulation and disclosure of information ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0638
∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-24921) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go…
∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover…
∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner…
∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to Node.js ejs module (CVE-2022-29078) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu…
∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se…
∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses Apache LDAP API with a known vulnerability (CVE-2018-1337) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor…
∗∗∗ Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-modernization-engin…
∗∗∗ Security Bulletin: A security vulnerability has been identified in Postgresql shipped with IBM Tivoli Netcool Impact (CVE-2022-26520, CVE-2022-21724, WS-2022-0080) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-…
∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-29526) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go…
∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 08-07-2022 18:00 − Monday 11-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ New 0mega ransomware targets businesses in double-extortion attacks ∗∗∗
---------------------------------------------
A new ransomware operation named 0mega targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets…
∗∗∗ Hackers Exploiting Follina Bug to Deploy Rozena Backdoor ∗∗∗
---------------------------------------------
A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems.
---------------------------------------------
https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html
∗∗∗ Raspberry Robin Windows Worm Abuses QNAP Devices ∗∗∗
---------------------------------------------
A recently discovered Windows worm is abusing compromised QNAP network-attached storage (NAS) devices as stagers to spread to new systems, according to Cybereason. Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives.
---------------------------------------------
https://www.securityweek.com/raspberry-robin-windows-worm-abuses-qnap-devic…
∗∗∗ The History and Evolution of Zero Trust ∗∗∗
---------------------------------------------
“The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning”.
---------------------------------------------
https://www.securityweek.com/history-and-evolution-zero-trust
∗∗∗ WhatsApp: Criminals pose as your child ∗∗∗
---------------------------------------------
"Hi Dad. My phone is broken. This is my new number." Caution: this message could come from criminals. If you are asked for a bank transfer, it is clearly fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/whatsapp-kriminelle-geben-sich-als-i…
∗∗∗ SELECT XMRig FROM SQLServer ∗∗∗
---------------------------------------------
Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month.
---------------------------------------------
https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security vulnerabilities in node.js patched ∗∗∗
---------------------------------------------
New versions of the node.js runtime fix high-risk security bugs. Attackers could use them to foist malicious code on victims.
---------------------------------------------
https://heise.de/-7167912
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python).
---------------------------------------------
https://lwn.net/Articles/900670/
∗∗∗ vim: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in vim to carry out a denial of service attack, execute arbitrary code, modify memory and disclose confidential information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0630
∗∗∗ ZDI-22-959: (0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-959/
∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: CVE-2021-23337 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23337/
∗∗∗ Security Bulletin: CVE-2020-28500 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-28500/
∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203-2/
∗∗∗ Security Bulletin: IBM Content Manager Enterprise Edition is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-enter…
∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v…
∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue…
∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue…
∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203/
∗∗∗ Security Bulletin: CVE-2021-23369 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23369/
∗∗∗ Security Bulletin: CVE-2020-7774 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-7774/
∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v…
∗∗∗ K40582331: Apache HTTP server vulnerability CVE-2022-28615 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K40582331
∗∗∗ K08006936: Apache Commons Configuration vulnerability CVE-2022-33980 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08006936
∗∗∗ K74251611: Linux kernel vulnerability CVE-2021-38166 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74251611
∗∗∗ K36462841: Linux kernel vulnerability CVE-2018-18281 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K36462841
∗∗∗ ILIAS: Vulnerability allows obtaining user privileges ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0629
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 07-07-2022 18:00 − Friday 08-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Healthcare facilities targeted by North Korean cybercriminals ∗∗∗
---------------------------------------------
US security agencies warn of the Maui ransomware. North Korean cyber gangs use it to attack healthcare organizations.
---------------------------------------------
https://heise.de/-7166692
∗∗∗ Free decryptor released for AstraLocker, Yashma ransomware victims ∗∗∗
---------------------------------------------
New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-…
∗∗∗ SiteCheck Malware Trends Report – Q2 2022 ∗∗∗
---------------------------------------------
Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote scanners may not provide as comprehensive of a scan as server-side scanners, they allow users to instantly identify malicious code and detect security issues on their website without installing any software or applications.
---------------------------------------------
https://blog.sucuri.net/2022/07/sitecheck-malware-trends-report-q2-2022.html
∗∗∗ Over 1,200 NPM Packages Found Involved in "CuteBoi" Cryptomining Campaign ∗∗∗
---------------------------------------------
Researchers have disclosed what they say could be an attempt to kick off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts.
---------------------------------------------
https://thehackernews.com/2022/07/over-1200-npm-packages-found-involved.html
∗∗∗ Koh: The Token Stealer ∗∗∗
---------------------------------------------
In this post I will introduce a toolkit called Koh that can indefinitely (..) harvest and reuse tokens for accounts that connect to a machine you have administrative rights on. I’ll go over the motivation for this approach, the technical background of why it’s possible and what changed in 2016, and briefly show what Koh can do.
---------------------------------------------
https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6
∗∗∗ New HavanaCrypt Ransomware Distributed as Fake Google Software Update ∗∗∗
---------------------------------------------
Security researchers at Trend Micro have identified a new ransomware family that is being delivered as a fake Google Software Update application.
---------------------------------------------
https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-go…
=====================
= Vulnerabilities =
=====================
∗∗∗ IBM Security Bulletins 2022-07-07 ∗∗∗
---------------------------------------------
IBM QRadar Network Security, IBM Engineering Lifecycle Management, IBM Rational Build Forge, IBM Tivoli Netcool/Omnibus, IBM Tivoli Network Manager, IBM Engineering Lifecycle Management, IBM CICS TX Standard, IBM CICS TX Advanced, IBM WebSphere Application Server Liberty, IBM Security Verify Information Queue, IBM Event Streams.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Security updates: Root vulnerability in Dell EMC software closed ∗∗∗
---------------------------------------------
Attackers could attack systems running Dell PowerProtect Cyber Recovery or Cloud Mobility for Dell EMC Storage. An update is now available to address this.
---------------------------------------------
https://heise.de/-7166118
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Fedora (direnv, golang-github-mattn-colorable, matrix-synapse, pypy3.7, pypy3.8, and pypy3.9), Oracle (squid), SUSE (curl, openssl-1_1, pcre, python-ipython, resource-agents, and rsyslog), and Ubuntu (nss, php7.2, and vim).
---------------------------------------------
https://lwn.net/Articles/900443/
∗∗∗ NetApp ActiveIQ Unified Manager: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in NetApp ActiveIQ Unified Manager to disclose information, manipulate or alter data, and trigger a denial-of-service condition.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0608
∗∗∗ Red Hat FUSE: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote anonymous, authenticated or local attacker can exploit multiple vulnerabilities in Red Hat FUSE to disclose confidential information, execute arbitrary code, cause a denial-of-service condition, bypass security measures, manipulate data and information, and escalate privileges.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0607
∗∗∗ July 7th 2022 Security Releases ∗∗∗
---------------------------------------------
Updates are now available for the v18.x, v16.x, and v14.x Node.js release [...]
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
∗∗∗ Exploitation of Mitel MiVoice Connect SA CVE-2022-29499 ∗∗∗
---------------------------------------------
Mitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible. Appliances should not be exposed to the open internet.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-c…
∗∗∗ ZDI-22-955: Sante PACS Server SQL Injection Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-955/
∗∗∗ K06524534: Linux kernel vulnerability CVE-2021-22555 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K06524534
∗∗∗ K49622415: Apache Tomcat vulnerability CVE-2022-25762 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K49622415
∗∗∗ 10 Vulnerabilities Found in Widely Used Robustel Industrial Routers ∗∗∗
---------------------------------------------
https://www.securityweek.com/10-vulnerabilities-found-widely-used-robustel-…
∗∗∗ Eclipse Jetty: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0614
∗∗∗ Foxit PDF Editor: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0613
∗∗∗ tribe29 checkmk: Multiple vulnerabilities allow unspecified attack ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0622
∗∗∗ Rockwell Automation MicroLogix ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-188-01
∗∗∗ Bently Nevada ADAPT 3701/4X Series and 60M100 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-188-02
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 06-07-2022 18:00 − Thursday 07-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Ransomware, hacking groups move from Cobalt Strike to Brute Ratel ∗∗∗
---------------------------------------------
Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-mo…
∗∗∗ Online programming IDEs can be used to launch remote cyberattacks ∗∗∗
---------------------------------------------
Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/online-programming-ides-can-…
∗∗∗ Automating binary vulnerability discovery with Ghidra and Semgrep ∗∗∗
---------------------------------------------
Semgrep is a static analysis tool that works on source code, but thanks to Haruspex we can leverage its power also against closed source binaries.
---------------------------------------------
https://security.humanativaspa.it/automating-binary-vulnerability-discovery…
∗∗∗ List of fraudulent investment platforms ∗∗∗
---------------------------------------------
Fraudulent investment platforms promise high returns, risk-free and without any financial knowledge. Trading is automated or comes with personal advice. Supposedly, even small investments yield high returns. It sounds very tempting, but it is fraud!
---------------------------------------------
https://www.watchlist-internet.at/news/liste-betruegerischer-investitionspl…
∗∗∗ AsyncRAT Being Distributed to Vulnerable MySQL Servers ∗∗∗
---------------------------------------------
The ShadowServer foundation has recently released a report showing that there are about 3.6 million MySQL servers exposed to the outside.
---------------------------------------------
https://asec.ahnlab.com/en/36315/
=====================
= Vulnerabilities =
=====================
∗∗∗ Update now! Code smuggling possible through OpenSSL vulnerability ∗∗∗
---------------------------------------------
The more serious vulnerability affects OpenSSL 3.0.4, released on 21 June. According to the developers' own description, it introduced a serious bug in the RSA implementation on processors that support the AVX-512 IFMA instruction set extension. The implementation for 2048-bit private keys is incorrect, and a memory error occurs during the computation. As a consequence, an attacker could inject and execute code from the internet (CVE-2022-2274, no CVSS score yet, risk "high").
---------------------------------------------
https://www.heise.de/news/Jetzt-aktualisieren-Codeschmuggel-durch-Luecke-in…
∗∗∗ Cisco Security Advisories 2022-07-06 ∗∗∗
---------------------------------------------
Cisco published 9 Security Advisories (1 Critical, 1 High, 7 Medium Severity)
---------------------------------------------
https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first…
∗∗∗ IBM Security Bulletins 2022-07-06 ∗∗∗
---------------------------------------------
IBM CICS TX Standard, IBM Tivoli Netcool Impact, IBM Security Verify Access Product, App Connect professional, IBM Engineering Lifecycle Management, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Security Verify Access Appliance, IBM Tivoli Application Dependency Discovery Manager.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Android patch day: System vulnerability lets malicious code through ∗∗∗
---------------------------------------------
Important security updates are available for Android smartphones and tablets. Some of the vulnerabilities are rated critical.
---------------------------------------------
https://heise.de/-7164810
∗∗∗ Vulnerabilities in OpenVPN Access Server closed ∗∗∗
---------------------------------------------
Version 2.11.0 of OpenVPN Access Server closes several security vulnerabilities. Attackers could have abused the servers, for instance, for DDoS amplification attacks.
---------------------------------------------
https://heise.de/-7165442
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (intel-microcode), Fedora (dotnet3.1 and gnupg2), Oracle (grub2, kernel, php:7.4, php:8.0, and qemu-kvm), SUSE (389-ds, apache2, crash, curl, expat, firefox, fwupd, fwupdate, ImageMagick, ldb, samba, liblouis, librttopo, openssl, openssl-1_0_0, openssl-1_1, openssl-3, oracleasm, php7, php8, python-Twisted, python310, rsyslog, s390-tools, salt, thunderbird, and xen), and Ubuntu (linux-lts-xenial, linux-kvm and openssl).
---------------------------------------------
https://lwn.net/Articles/900286/
∗∗∗ Apache Commons: Vulnerability allows code execution ∗∗∗
---------------------------------------------
A remote attacker can exploit a vulnerability in Apache Commons to execute arbitrary code.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0590
∗∗∗ ZDI-22-949: (0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-949/
∗∗∗ Dovecot: Vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0589
∗∗∗ Nextcloud Mail: Vulnerability allows bypassing security measures ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0594
∗∗∗ HCL BigFix: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0606
∗∗∗ XSS vulnerability in Jira app (SYSS-2022-039) ∗∗∗
---------------------------------------------
https://www.syss.de/pentest-blog/xss-schwachstelle-in-jira-app-syss-2022-039
∗∗∗ QNAP: Checkmate Ransomware via SMB Services Exposed to the Internet ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-22-21
∗∗∗ Microsoft Edge 103.0.1264.49 (6 July 2022) ∗∗∗
---------------------------------------------
https://www.borncity.com/blog/2022/07/07/microsoft-edge-103-0-1264-49-6-jul…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 05-07-2022 18:00 − Wednesday 06-07-2022 18:00
Handler: Robert Waldner
Co-Handler: Michael Schlagenhaufer
=====================
= News =
=====================
∗∗∗ Microsoft quietly fixes ShadowCoerce Windows NTLM Relay bug ∗∗∗
---------------------------------------------
Microsoft has confirmed it fixed a previously disclosed ShadowCoerce vulnerability as part of the June 2022 updates that enabled attackers to target Windows servers in NTLM relay attacks.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-sha…
∗∗∗ NPM supply-chain attack impacts hundreds of websites and apps ∗∗∗
---------------------------------------------
An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/npm-supply-chain-attack-impa…
∗∗∗ Cryptography: NIST announces post-quantum algorithms ∗∗∗
---------------------------------------------
Following a competition, the US agency has selected encryption and signature algorithms that are intended to be secure against quantum computers.
---------------------------------------------
https://www.golem.de/news/kryptographie-nist-gibt-post-quanten-algorithmen-…
∗∗∗ Top 5 Most Common WordPress Malware Infections: An Anatomy Lesson ∗∗∗
---------------------------------------------
WordPress security is serious business – and an essential consideration for anyone using the world’s most popular CMS (Content Management System). While the WordPress team quickly addresses known security issues in WordPress’ core to protect the millions of website owners who rely and depend on the software, the reality is that the same cannot be said for all plugin and theme developers.
---------------------------------------------
https://blog.sucuri.net/2022/07/top-5-most-common-wordpress-malware-infecti…
∗∗∗ Fake shop alert: Beware when buying firewood online! ∗∗∗
---------------------------------------------
The current energy crisis is driving up firewood prices. The feared gas shortage is leading to wood being hoarded and thus becoming scarcer. A perfect starting point for criminals: they exploit the situation and set up fake shops offering cheap firewood.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online…
∗∗∗ Electric Vehicle Charging: a Survey on the Security Issues and Challenges of the Open Charge Point Protocol (OCPP) ∗∗∗
---------------------------------------------
The increased use of smart Electric Vehicles (EVs) and Plug-in Electric Vehicles (PEV) opened a new area of research and development. The number of EV charging sites has considerably increased in residential as well as in public areas. Within these EV charging sites, various entities need to communicate in a secure and efficient way.
---------------------------------------------
http://arxiv.org/abs/2207.01950
∗∗∗ OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow ∗∗∗
---------------------------------------------
Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat actors’ interest and we see a continued growth and innovation of malware that targets Linux, such as the recent Symbiote malware that was discovered by our research team.
---------------------------------------------
https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-t…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ldap-account-manager), Fedora (openssl1.1, thunderbird, and yubihsm-connector), Mageia (curl, cyrus-imapd, firefox, ruby-git, ruby-rack, squid, and thunderbird), Oracle (firefox, kernel, and thunderbird), Slackware (openssl), SUSE (dpdk, haproxy, and php7), and Ubuntu (gnupg2 and openssl).
---------------------------------------------
https://lwn.net/Articles/900172/
∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache Tomcat version used in it. (CVE-2021-42340) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact…
∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to the Fabric8 Kubernetes client (CVE-2021-4178) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-32210 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM QRadar Network Packet Capture includes multiple vulnerable components. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet…
∗∗∗ K58003591: Apache HTTP server vulnerability CVE-2022-28614 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K58003591
∗∗∗ vim: Vulnerability allows memory manipulation ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0583
∗∗∗ tribe29 checkmk: Multiple vulnerabilities allow unspecified attack ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0581
=====================
= End-of-Day report =
=====================
Timeframe: Monday 04-07-2022 18:00 − Tuesday 05-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Update now! Zero-day vulnerability in Google Chrome closed ∗∗∗
---------------------------------------------
The vendor has closed several security vulnerabilities in the Google Chrome web browser. Attackers are already exploiting one of them in the wild.
---------------------------------------------
https://heise.de/-7162462
∗∗∗ AstraLocker ransomware is history, decryption tools available ∗∗∗
---------------------------------------------
The operators behind the AstraLocker ransomware want to move to a different branch of cybercrime and have published tools through which victims can access their data.
---------------------------------------------
https://heise.de/-7163123
∗∗∗ Memory Sanitizer: New kernel tool finds 300 memory errors ∗∗∗
---------------------------------------------
Despite compiler warnings and tooling, new memory errors keep appearing in the Linux kernel. A memory sanitizer is intended to prevent some of them.
---------------------------------------------
https://www.golem.de/news/memory-sanitizer-neues-kernel-werkzeug-findet-300…
∗∗∗ Subscription trap on lebenslaufschreiben.com ∗∗∗
---------------------------------------------
Are you writing a CV and searching the internet for templates? You may end up at lebenslaufschreiben.com, a CV generator. All the information can be typed in online and a very professional-looking CV put together. But beware: you are being lured into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/abo-falle-auf-lebenslaufschreibencom/
∗∗∗ EternalBlue 5 years after WannaCry and NotPetya, (Tue, Jul 5th) ∗∗∗
---------------------------------------------
We are about two months past the 5-year anniversary of WannaCry outbreak[1] and about a week past the 5-year anniversary of NotPetya outbreak[2]. Since both WannaCry and NotPetya used the EternalBlue[3] exploit in order to spread, I thought that it might be interesting to take a look at how many internet-facing systems still remain vulnerable to it.
---------------------------------------------
https://isc.sans.edu/diary/rss/28816
∗∗∗ When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors ∗∗∗
---------------------------------------------
Penetration testing and adversary emulation tool Brute Ratel C4 is effective at defeating modern detection capabilities – and malicious actors have begun to adopt it.
---------------------------------------------
https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/
=====================
= Vulnerabilities =
=====================
∗∗∗ Security update for the Django web framework ∗∗∗
---------------------------------------------
A security vulnerability in the Django web framework allowed attackers to inject SQL commands. Updated software fixes the vulnerability.
---------------------------------------------
https://heise.de/-7163246
∗∗∗ IBM Security Bulletins 2022-07-04 ∗∗∗
---------------------------------------------
IBM Tivoli Network Manager, IBM App Connect Enterprise, IBM Integration Bus, IBM Engineering Test Management, IBM WebSphere Cast Iron Solution, IBM App Connect Professional, IBM Cloud Pak, IBM Tivoli Netcool, IBM Netezza, IBM Operations Analytics, App Connect professional.
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Fortinet Security Advisories 2022-07-05 ∗∗∗
---------------------------------------------
On Jul 05, 2022, Fortinet released 11 advisories for issues resolved in Fortinet products. (Severity: Low (1), Medium (6), High (4))
---------------------------------------------
https://fortiguard.fortinet.com/psirt
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (blender and thunderbird), SUSE (ImageMagick, qemu, and sysstat), and Ubuntu (php7.0).
---------------------------------------------
https://lwn.net/Articles/900064/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-22662. Versions affected: WebKitGTK and WPE WebKit before 2.36.0.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0006.html
∗∗∗ OpenSSL: Vulnerability allows information disclosure ∗∗∗
---------------------------------------------
An attacker can exploit a vulnerability in OpenSSL to disclose information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0561
∗∗∗ JFrog Artifactory: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, anonymous attacker can exploit multiple vulnerabilities in JFrog Artifactory to carry out cross-site scripting and cross-site request forgery attacks and to disclose information.
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0562
∗∗∗ July 5th 2022 Security Releases ∗∗∗
---------------------------------------------
The Node.js project will release new versions of the 14.x, 16.x, and 18.x release lines on or shortly after Tuesday, July 5th, 2022 in order to address three medium severity issues and two high severity issues.
---------------------------------------------
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases
∗∗∗ LiteCart vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN32625020/
∗∗∗ Xen Security Advisory CVE-2022-33743 / XSA-405 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-405.html
∗∗∗ Xen Security Advisory CVE-2022-33744 / XSA-406 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-406.html
∗∗∗ Xen Security Advisory CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742 / XSA-403 ∗∗∗
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-403.html
∗∗∗ Nextcloud: Vulnerability allows command injection ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0558
=====================
= End-of-Day report =
=====================
Timeframe: Friday 01-07-2022 18:00 − Monday 04-07-2022 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Raspberry Robin: Microsoft warns of mysterious worm ∗∗∗
---------------------------------------------
The malware spreads via USB sticks. It remains unclear who its authors are and what goal they are pursuing.
---------------------------------------------
https://futurezone.at/digital-life/raspberry-robin-wurm-windows-microsoft-w…
∗∗∗ Warning of hacker attacks on politicians ∗∗∗
---------------------------------------------
The BSI and the Verfassungsschutz (Germany's domestic intelligence service) warn of hackers who could gain access to the chats of high-ranking politicians through a simple trick.
---------------------------------------------
https://www.tagesschau.de/investigativ/ndr-wdr/hacker-angriffe-verfassungss…
∗∗∗ Fake ÖBB prize draw on WhatsApp ∗∗∗
---------------------------------------------
Many WhatsApp users are unknowingly spreading a fake ÖBB prize draw among their contacts. The message reads „ÖBB 100 Jahre Staatliche Verkehrsförderung! Jeder Bürger kann sich über…“ ("ÖBB 100 years of state transport funding! Every citizen can …"). Below it is a link, which leads to a fake prize draw. Do not click on the link, you will be ripped off. Ignore the message and report it to WhatsApp.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschtes-oebb-gewinnspiel-auf-wh…
∗∗∗ CISA urges US agencies to patch CVE-2022-26925 in AD environments ∗∗∗
---------------------------------------------
As of 1 July 2022, the US Cybersecurity & Infrastructure Security Agency (CISA) has again added the patch for vulnerability CVE-2022-26925 (Active Directory) to its list of vulnerabilities that must be remediated (to be closed by 22 July 2022).
---------------------------------------------
https://www.borncity.com/blog/2022/07/04/cisa-fordert-us-einrichtungen-zum-…
∗∗∗ Cloud OSINT. Finding Interesting Resources ∗∗∗
---------------------------------------------
Locating sensitive information, personally identifiable information (PII) and questionable assets in the cloud. TL;DR I had a curiosity driven excursion into the public clouds of AWS and Azure to [...]
---------------------------------------------
https://www.pentestpartners.com/security-blog/cloud-osint-finding-interesti…
=====================
= Vulnerabilities =
=====================
∗∗∗ Django fixes SQL Injection vulnerability in new releases ∗∗∗
---------------------------------------------
Django, an open source Python-based web framework, has patched a high severity vulnerability in its latest releases. Tracked as CVE-2022-34265, the potential SQL Injection vulnerability impacts Django's main branch, and versions 4.1 (currently in beta), 4.0, and 3.2, with patches and new releases issued fixing the vulnerability.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-v…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (gnupg2 and kernel), Fedora (golang-github-apache-beam-2, golang-github-etcd-io-gofail, golang-github-intel-goresctrl, golang-github-spf13-cobra, golang-k8s-pod-security-admission, and vim), Oracle (.NET 6.0, compat-openssl10, compat-openssl11, cups, curl, expat, firefox, go-toolset:ol8, grub2, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libarchive, libgcrypt, libinput, libxml2, pcre2, postgresql, python, rsync, rsyslog, [...]
---------------------------------------------
https://lwn.net/Articles/899963/
∗∗∗ libTIFF: Multiple vulnerabilities allow denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0544
∗∗∗ xpdf: Vulnerability allows denial of service ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0543
∗∗∗ HPE FlexNetwork and FlexFabric switches: Vulnerability allows cross-site scripting ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0542
∗∗∗ Kyocera printers: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0551
∗∗∗ Trend Micro Maximum Security: Vulnerability allows privilege escalation ∗∗∗
---------------------------------------------
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0550
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Remote code execution vulnerability affects IBM Business Automation Workflow – CVE-2021-43138 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-remote-code-execution-vul…
∗∗∗ Security Bulletin: junrar Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-junrar-denial-of-service-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: junrar v7.4.0 and prior Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-junrar-v7-4-0-and-prior-d…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
