=====================
= End-of-Day report =
=====================
Timeframe: Monday 21-02-2022 18:00 − Tuesday 22-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Revamped CryptBot malware spread by pirated software sites ∗∗∗
---------------------------------------------
A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-sp…
∗∗∗ VU#229438: Mobile device monitoring services do not authenticate API requests ∗∗∗
---------------------------------------------
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. [..] We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability.
For advice on detecting and removing stalkerware apps, see "Your Android phone could have stalkerware, here's how to remove it."
---------------------------------------------
https://kb.cert.org/vuls/id/229438
∗∗∗ Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike ∗∗∗
---------------------------------------------
Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts.
---------------------------------------------
https://thehackernews.com/2022/02/hackers-backdoor-unpatched-microsoft.html
∗∗∗ Horde Webmail 5.2.22 - Account Takeover via Email ∗∗∗
---------------------------------------------
We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment. [..] Although we reported this vulnerability almost 6 months ago, there is currently no official patch available. Hence, we provide recommendations on how to mitigate this code vulnerability at the end of this blog post.
---------------------------------------------
https://blog.sonarsource.com/horde-webmail-account-takeover-via-email
∗∗∗ Recommendations: Making computers more secure with free IT security tools ∗∗∗
---------------------------------------------
Admins take note: IT security is complex, but there are plenty of useful and, above all, free services and tools that can help. A list.
---------------------------------------------
https://heise.de/-6515891
∗∗∗ Warning: E-mail from DNS Österreich is fake ∗∗∗
---------------------------------------------
Numerous website operators are currently receiving an e-mail from DNS Österreich. The supposed company claims in it that it has received a "registration request" for a domain that is very similar to your own domain. You are offered the chance to buy the domain in advance for € 297.50. Do not transfer any money; you will lose it.
---------------------------------------------
https://www.watchlist-internet.at/news/achtung-e-mail-von-dns-oesterreich-i…
∗∗∗ Asustor NAS owners hit by DeadBolt ransomware attack ∗∗∗
---------------------------------------------
While Asustor investigates what is clearly a serious problem, it says it has disabled functionality which can allow remote access to its NAS drives: ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to. In addition, the company has published the following recommendations for customers to protect themselves from the DeadBolt ransomware
---------------------------------------------
https://www.bitdefender.com/blog/hotforsecurity/asustor-nas-owners-hit-by-d…
∗∗∗ Ransomware victims are paying up. But then the gangs are coming back for more ∗∗∗
---------------------------------------------
Cybersecurity experts warn against paying ransoms - this is why.
---------------------------------------------
https://www.zdnet.com/article/ransomware-victims-are-paying-up-but-the-croo…
∗∗∗ Integer overflow: How does it occur and how can it be prevented? ∗∗∗
---------------------------------------------
Make no mistake, counting on a computer is not as easy as it may seem. Here’s what happens when a number gets “too big”.
---------------------------------------------
https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can…
∗∗∗ Kernel Karnage – Part 9 (Finishing Touches) ∗∗∗
---------------------------------------------
I also incorporated dynamic function imports using hashed function names and CIG to protect the spawned suspended process against injection of non-Microsoft-signed binaries. The Beacon payload is stored as an AES256 encrypted PE resource and decrypted in memory before being injected into the remote process.
---------------------------------------------
https://blog.nviso.eu/2022/02/22/kernel-karnage-part-9-finishing-touches/
=====================
= Vulnerabilities =
=====================
∗∗∗ NAS: Vulnerability in Synology DSM allows execution of arbitrary commands ∗∗∗
---------------------------------------------
Attackers could execute arbitrary commands on Synology NAS devices. The vendor is working on updates to fix the flaws. The first ones are available.
---------------------------------------------
https://heise.de/-6515542
∗∗∗ TYPO3-PSA-2022-001: Sanitization bypass in SVG Sanitizer ∗∗∗
---------------------------------------------
Third-party package enshrined/svg-sanitize, used by TYPO3 core packages, was susceptible to bypassing the sanitization strategy.
---------------------------------------------
https://typo3.org/security/advisory/typo3-psa-2022-001
∗∗∗ Reflected XSS in Header Footer Code Manager ∗∗∗
---------------------------------------------
On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations.
The plugin publisher quickly acknowledged our initial contact and we sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, was implemented a few days later and made available on February 18, 2022.
---------------------------------------------
https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-…
∗∗∗ Webmin: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A remote, authenticated attacker can exploit multiple vulnerabilities in Webmin to bypass security measures or execute code.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0217
∗∗∗ EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67108459/
∗∗∗ EC-CUBE improperly handles HTTP Host header values ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN53871926/
∗∗∗ ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD ∗∗∗
---------------------------------------------
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php
∗∗∗ Security Bulletin: App Connect Professional is affected by Quick Emulator vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-…
∗∗∗ Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl , Ghostscript. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-websphere-cast-iron-and-a…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU (minus CVE-2021-35550/35561/35603) plus CVE-2021-41035 affects IBM Tivoli Composite Application Manager for ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e…
∗∗∗ GE Proficy CIMPLICITY-IPM ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-053-01
∗∗∗ GE Proficy CIMPLICITY-Cleartext ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-053-02
∗∗∗ WIN-911 2021 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-053-03
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 18-02-2022 18:00 − Monday 21-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Attempted financial fraud after Exchange break-in ∗∗∗
---------------------------------------------
After the Exchange vulnerabilities were closed, attacks continued. Spear phishing was used to pressure victims into making bank transfers.
---------------------------------------------
https://heise.de/-6509718
∗∗∗ Unusual crypto heist nets millions ∗∗∗
---------------------------------------------
The Klayswap attack, by contrast, targeted infrastructure that in principle all Internet services rely on: routing, certificates and open-source libraries. Ultimately, the attackers replaced a dynamically loaded JavaScript file with a trojanized version that redirected transactions to their own account. What is interesting, however, is how they accomplished this.
---------------------------------------------
https://heise.de/-6496145
∗∗∗ European Cybersecurity Agencies Issue Resilience Guidance for Decision Makers ∗∗∗
---------------------------------------------
The European Union Agency for Cybersecurity (ENISA) and the European Union’s Computer Emergency Response Team (CERT-EU) last week published a set of best practices to help organizations boost their cyber resilience.
The joint guidance is meant for public and private organizations in the EU, specifically CISOs and other decision makers. The document is also recommended for entities that support organizational risk management.
---------------------------------------------
https://www.securityweek.com/european-cybersecurity-agencies-issue-resilien…
∗∗∗ Do not send Steam gift card codes to your online acquaintance ∗∗∗
---------------------------------------------
Social networks such as Facebook and Instagram are popular channels for making new acquaintances. When communicating with strangers over the Internet, however, there is always the danger that the person is pretending to be someone else. If this person asks you for money or gift cards, you should break off contact!
---------------------------------------------
https://www.watchlist-internet.at/news/schicken-sie-ihrer-internet-bekannts…
∗∗∗ Ransomware hits Europe's industrial control systems and operational technology as often as IT systems ∗∗∗
---------------------------------------------
Interesting findings from a survey of 1,100 security specialists, conducted as part of a study on the security of industrial plants and critical infrastructure in Europe. The study's finding was that industrial control systems and operational technology in Europe were hit by ransomware almost as often as IT systems.
---------------------------------------------
https://www.borncity.com/blog/2022/02/19/ransomware-trifft-europas-industri…
∗∗∗ Vulnerability discovered in various zebNet products (Feb. 2022) ∗∗∗
---------------------------------------------
Following this discovery, zebNet provided fixed versions for all affected products still under support on 19.02.2022 (i.e. within 24 hours). The vendor points out that these updates should be installed immediately by all customers who use an affected product.
---------------------------------------------
https://www.borncity.com/blog/2022/02/20/sicherheitslcke-in-diversen-zebnet…
∗∗∗ Chasing the Silver Petit Potam to Domain Admin ∗∗∗
---------------------------------------------
Exploiting Petit Potam in a different way to force some downgrade and protocol attacks.
---------------------------------------------
https://blog.zsec.uk/chasing-the-silver-petit-potam/
∗∗∗ Mobile malware evolution 2021 ∗∗∗
---------------------------------------------
In 2021, we observed a downward trend in the number of attacks on mobile users. But it is too early to celebrate: attacks are becoming more sophisticated in terms of both malware functionality and vectors.
---------------------------------------------
https://securelist.com/mobile-malware-evolution-2021/105876/
∗∗∗ New Android Banking Trojan Spreading via Google Play Store Targets Europeans ∗∗∗
---------------------------------------------
"Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS."
---------------------------------------------
https://thehackernews.com/2022/02/xenomorph-android-banking.html
=====================
= Vulnerabilities =
=====================
∗∗∗ Irony alert! PHP fixes security flaw in input validation code ∗∗∗
---------------------------------------------
If you’re using PHP in your network, check that you’re using the latest version, currently 8.1.3.
Released yesterday [2022-02-17], this version fixes various memory mismanagement bugs, including CVE-2021-21708, which is a use-after-free blunder in a function called php_filter_float().
(Versions 8.0 and 7.4 are still supported, and are vulnerable too; if you aren’t using the latest 8.1 flavour of PHP then you need 8.0.16 and 7.4.28 respectively.)
---------------------------------------------
https://nakedsecurity.sophos.com/2022/02/18/irony-alert-php-fixes-security-…
∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: Cloud Pak for Security vulnerable to information exposure (CVE-2021-35567) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-vu…
∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM FileNet Content Manager component in IBM Business Automation Workflow -CVE-2021-31811, CVE-2021-31812, CVE-2021-23926, CVE-2021-38965 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Polkit as used by IBM® QRadar SIEM is vulnerable to privilege escalation (CVE-2021-4034) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-polkit-as-used-by-ibm-qra…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-3712) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2021-2341 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo…
∗∗∗ Security Bulletin: IBM Cloud Pak for Network Automation is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-network…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an…
∗∗∗ Security Bulletin: A vulnerability in Kubernetes affects IBM InfoSphere Information Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-kubern…
∗∗∗ K28409053: Apache Tomcat vulnerability CVE-2022-23181 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28409053?utm_source=f5support&utm_mediu…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 17-02-2022 18:00 − Friday 18-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Conti ransomware gang takes over TrickBot malware operation ∗∗∗
---------------------------------------------
After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-…
∗∗∗ Remcos RAT Delivered Through Double Compressed Archive, (Fri, Feb 18th) ∗∗∗
---------------------------------------------
One of our readers shared an interesting sample received via email.
---------------------------------------------
https://isc.sans.edu/diary/rss/28354
∗∗∗ Microsoft Warns of Ice Phishing Threat on Web3 and Decentralized Networks ∗∗∗
---------------------------------------------
Microsoft has warned of emerging threats in the Web3 landscape, including "ice phishing" campaigns, as a surge in adoption of blockchain and DeFi technologies emphasizes the need to build security into the decentralized web while it's still in its early stages.
---------------------------------------------
https://thehackernews.com/2022/02/microsoft-warns-of-ice-phishing-threat.ht…
∗∗∗ Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2) ∗∗∗
---------------------------------------------
This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group.
---------------------------------------------
https://research.nccgroup.com/2022/02/18/analyzing-a-pjl-directory-traversa…
∗∗∗ Microsoft Teams Abused for Malware Distribution in Recent Attacks ∗∗∗
---------------------------------------------
A recently identified malicious campaign has been abusing Microsoft Teams for the distribution of malware, enterprise email security firm Avanan reports.
---------------------------------------------
https://www.securityweek.com/microsoft-teams-abused-malware-distribution-re…
∗∗∗ Caution when job hunting: Ignore job offers from skovgaardtransit.com! ∗∗∗
---------------------------------------------
Readers of Watchlist Internet are currently reporting a fraudulent job offer from a supposedly global logistics company called Skovgaard Logistics Services LTD. The dubious company promises a job with "high pay"; no prior knowledge is required.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-bei-der-jobsuche-ignorieren…
∗∗∗ NSA Best Practices for Selecting Cisco Password Types ∗∗∗
---------------------------------------------
The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance on securing network infrastructure devices and credentials.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/17/nsa-best-practice…
∗∗∗ CISA Compiles Free Cybersecurity Services and Tools for Network Defenders ∗∗∗
---------------------------------------------
CISA has compiled and published a list of free cybersecurity services and tools to help organizations reduce cybersecurity risk and strengthen resiliency. This non-exhaustive living repository includes services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/18/cisa-compiles-fre…
∗∗∗ Academics publish method for recovering data encrypted by the Hive ransomware ∗∗∗
---------------------------------------------
A team of South Korean researchers has published an academic paper on Thursday detailing a method to recover files encrypted by the Hive ransomware without paying the attackers for the decryption key.
---------------------------------------------
https://therecord.media/academics-publish-method-for-recovering-data-encryp…
∗∗∗ Distribution of Magniber Ransomware Stops (Since February 5th) ∗∗∗
---------------------------------------------
The ASEC analysis team constantly monitors ‘malvertising’ which is a term for the distribution of malware via browser online advertisement links. The team has recently discovered that Magniber ransomware, a typical malware distributed via malvertising has stopped its distribution.
---------------------------------------------
https://asec.ahnlab.com/en/31690/
∗∗∗ Log4Shell 2 Months Later: Security Strategies for the Internet's New Normal ∗∗∗
---------------------------------------------
On Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/02/17/log4shell-2-months-later-securi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Online shops: Another critical vulnerability discovered in Adobe Commerce and Magento ∗∗∗
---------------------------------------------
Because of a further vulnerability, Adobe has revised an emergency patch. There are already attacks on online shops.
---------------------------------------------
https://heise.de/-6495424
∗∗∗ Root privileges through vulnerability in software distribution system Snap ∗∗∗
---------------------------------------------
Vulnerabilities in the Snap software deployment system allow attackers, among other things, to escalate their privileges on the system. Updates fix the flaws.
---------------------------------------------
https://heise.de/-6495740
∗∗∗ Vulnerability found in WordPress plugin with over 3 million installations ∗∗∗
---------------------------------------------
UpdraftPlus patched the vulnerability on Thursday in version 1.22.3.
---------------------------------------------
https://www.zdnet.com/article/vulnerability-found-in-wordpress-plugin-with-…
∗∗∗ Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-ke…
∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 2.0. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a…
∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-…
∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme…
∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav…
∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39026 ) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: CVE-2021-42771 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-42771/
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-3733) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0003.html
∗∗∗ Bitdefender Antivirus: Vulnerability allows manipulation of product settings ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0207
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 16-02-2022 18:00 − Thursday 17-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ New wave of spam e-mails: "Your package is waiting!" ∗∗∗
---------------------------------------------
The e-mails contain a payment request and state that a package is ready for pickup.
---------------------------------------------
https://futurezone.at/digital-life/spam-e-mail-phishing-betrug-post-lieferu…
∗∗∗ Researchers Warn of a New Golang-based Botnet Under Continuous Development ∗∗∗
---------------------------------------------
Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken that's under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts.
---------------------------------------------
https://thehackernews.com/2022/02/researchers-warn-of-new-golang-based.html
∗∗∗ Tutorial: Kubernetes Vulnerability Scanning & Testing With Open Source ∗∗∗
---------------------------------------------
Kubernetes containers have several security risks, including runtime threats, vulnerabilities, exposures, and failed compliance audits. These insecurities motivated CyberArk to develop two open source tools: Kubesploit and KubiScan. These tools benefit the Kubernetes community by performing deep security operations while simultaneously mimicking a real attack. They allow us to test our resiliency.
---------------------------------------------
https://www.conjur.org/blog/tutorial-kubernetes-vulnerability-scanning-test…
∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗
---------------------------------------------
NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community.
---------------------------------------------
https://research.nccgroup.com/2022/02/17/detecting-karakurt-an-extortion-fo…
∗∗∗ Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1) ∗∗∗
---------------------------------------------
Lexmark encrypts the firmware update packages provided to consumers, making the binary analysis more difficult. With little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, firmware which we (correctly) assumed would be stored unencrypted. This allowed us to bypass the firmware update package encryption. With the firmware extracted, the binaries could be reverse-engineered to find vulnerabilities that would allow remote code execution.
---------------------------------------------
https://research.nccgroup.com/2022/02/17/bypassing-software-update-package-…
∗∗∗ Danger of data leaks: pay attention to password security! ∗∗∗
---------------------------------------------
To protect yourself from dangers online, it makes sense to inform yourself regularly about internet fraud and to know the criminals' tricks. Unfortunately, you can still become a victim even if you do everything right and do not let yourself be lured into internet traps. This is the case, for example, when your data is published in a so-called data leak.
---------------------------------------------
https://www.watchlist-internet.at/news/gefahr-datenleaks-achten-sie-auf-pas…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Information disclosure
CVE IDs: CVE-2022-25270
Description: The Quick Edit module does not properly check entity access in some circumstances.
---------------------------------------------
https://www.drupal.org/sa-core-2022-004
∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Improper input validation
CVE IDs: CVE-2022-25271
Description: Drupal core's form API has a vulnerability where certain contributed or custom modules' forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data.
---------------------------------------------
https://www.drupal.org/sa-core-2022-003
∗∗∗ Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025 ∗∗∗
---------------------------------------------
Project: Quick Edit
Security risk: Moderately critical
Vulnerability: Information Disclosure
Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-025
∗∗∗ Security update: Crafted emails can trip up Thunderbird ∗∗∗
---------------------------------------------
A version of the Thunderbird mail client that is hardened against possible malicious-code attacks has been released.
---------------------------------------------
https://heise.de/-6484606
∗∗∗ VMSA-2022-0005 - VMware NSX Data Center for vSphere (NSX-V) VMware Cloud Foundation (Cloud Foundation) ∗∗∗
---------------------------------------------
CVSSv3 Range: 8.8
CVE(s): CVE-2022-22945
Synopsis: VMware NSX Data Center for vSphere update addresses CLI shell injection vulnerability (CVE-2022-22945)
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0005.html
∗∗∗ Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin ∗∗∗
---------------------------------------------
On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. [..] We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022.
---------------------------------------------
https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulne…
∗∗∗ PostgreSQL JDBC 42.3.3 Released ∗∗∗
---------------------------------------------
A security advisory has been created for the PostgreSQL JDBC Driver. The URL connection string loggerFile property could be misused to create an arbitrary file on the system where the driver is loaded. Additionally, anything in the connection string will be logged and subsequently written into that file. In an insecure system it would be possible to execute this file through a webserver.
---------------------------------------------
https://www.postgresql.org/about/news/postgresql-jdbc-4233-released-2410/
∗∗∗ SSA-949188: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-949188.txt
∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt…
∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a…
∗∗∗ Security Bulletin: IBM OpenPages for Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-for-cloud-p…
∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy…
∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-…
∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec…
∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to arbitrary code execution due to Apache Log4j CVE-2021-4104 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy…
∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-…
∗∗∗ Security Bulletin: Financial Transaction Manager is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man…
∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a…
∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue within the channel process.(CVE-2021-39034) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a…
∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 15-02-2022 18:00 − Wednesday 16-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Researcher fully recovers text from pixels: how to reverse redaction ∗∗∗
---------------------------------------------
A researcher has demonstrated how he was able to successfully recover text that had been redacted using the pixelation technique.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/researcher-fully-recovers-te…
∗∗∗ Trickbot Malware Targeted Customers of 60 High-Profile Companies Since 2020 ∗∗∗
---------------------------------------------
The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features.
---------------------------------------------
https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.ht…
∗∗∗ 25 years on, Microsoft makes another stab at stopping macro malware ∗∗∗
---------------------------------------------
Microsoft has announced that from April 2022 it is changing the default behavior of Office applications so that they block macros in files from the internet. What’s more, it won’t give users a simple one-click way to allow the macros to run, foiling much of the social engineering tricks commonly used by cybercriminals.
---------------------------------------------
https://grahamcluley.com/microsoft-stab-macro-viruses/
∗∗∗ OpSec. Hunting wireless ∗∗∗
---------------------------------------------
Continuing my series on OSINT techniques you can use for reviewing your own corporate OpSec, one of the most common services available in a modern corporate office is of course wireless.
---------------------------------------------
https://www.pentestpartners.com/security-blog/opsec-hunting-wireless/
∗∗∗ Characterising Cybercriminals: A Review. (arXiv:2202.07419v1 [cs.CY]) ∗∗∗
---------------------------------------------
This review provides an overview of current research on the known characteristics and motivations of offenders engaging in cyber-dependent crimes.
---------------------------------------------
http://arxiv.org/abs/2202.07419
=====================
= Vulnerabilities =
=====================
∗∗∗ High-Severity RCE Security Bug Reported in Apache Cassandra Database Software ∗∗∗
---------------------------------------------
Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations.
---------------------------------------------
https://thehackernews.com/2022/02/high-severity-rce-security-bug-reported.h…
∗∗∗ VMware security updates: Attackers could push malicious code into host systems ∗∗∗
---------------------------------------------
The VMware developers have closed security vulnerabilities in several applications. They rate the risk as "critical".
---------------------------------------------
https://heise.de/-6478188
∗∗∗ Atlassian Confluence and Jira vulnerable to multiple attacks ∗∗∗
---------------------------------------------
Admins should secure their Confluence and Jira servers against possible attacks. Security updates are available.
---------------------------------------------
https://heise.de/-6478758
∗∗∗ ZDI-22-368: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-368/
∗∗∗ ZDI-22-367: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-367/
∗∗∗ ZDI-22-366: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-366/
∗∗∗ ZDI-22-365: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-365/
∗∗∗ ZDI-22-364: MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-364/
∗∗∗ ZDI-22-363: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-363/
∗∗∗ Cisco Email Security Appliance DNS Verification Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software TCP Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy…
∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli…
∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-…
∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli…
∗∗∗ Security Bulletin: IBM Maximo Anywhere Discloses Sensitive Information in Local Storage ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-discl…
∗∗∗ Security Bulletin: App Connect Professional is affected by polkit's pkexec vulnerability ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ SECURITY BULLETIN: February 2022 Security Bulletin for Trend Micro Apex One ∗∗∗
---------------------------------------------
https://success.trendmicro.com/solution/000290464
=====================
= End-of-Day report =
=====================
Timeframe: Monday 14-02-2022 18:00 − Tuesday 15-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Domain hijacking: Thousands of NPM accounts could be taken over ∗∗∗
---------------------------------------------
According to a study, orphaned NPM packages can easily be taken over. In addition, some maintainers may be overworked. [..] NPM owner GitHub has also recognized this and is therefore slowly introducing mandatory use of two-factor authentication.
---------------------------------------------
https://www.golem.de/news/domain-hijacking-tausende-npm-accounts-koennten-s…
∗∗∗ Who Are Those Bots?, (Tue, Feb 15th) ∗∗∗
---------------------------------------------
I'm operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on a list of email addresses that have been crawled. [..] I extracted the list of IP addresses that generated authentication failures for the last 30 days and got a list of 11K addresses. They are part of botnets used to launch these attacks. But who are those bots? What kind of host are we facing?
---------------------------------------------
https://isc.sans.edu/diary/rss/28342
∗∗∗ New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin ∗∗∗
---------------------------------------------
A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency. MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems.
---------------------------------------------
https://thehackernews.com/2022/02/new-mylobot-malware-variant-sends.html
∗∗∗ Dropping Files on a Domain Controller Using CVE-2021-43893 ∗∗∗
---------------------------------------------
On December 14, 2021, during the Log4Shell chaos, Microsoft published CVE-2021-43893, a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS). The vulnerability was credited to James Forshaw of Google Project Zero, but perhaps owing to the Log4Shell atmosphere, the vulnerability gained little to no attention.
---------------------------------------------
https://www.rapid7.com/blog/post/2022/02/14/dropping-files-on-a-domain-cont…
∗∗∗ macOS: Security updates for older versions ∗∗∗
---------------------------------------------
Big Sur and Catalina each receive a patch package, but unfortunately Apple reveals nothing about its contents.
---------------------------------------------
https://heise.de/-6457597
∗∗∗ Qnap revives security update support for some NAS models ∗∗∗
---------------------------------------------
Anyone who owns an older network-attached storage (NAS) device from Qnap could now receive security patches again.
---------------------------------------------
https://heise.de/-6474074
∗∗∗ How to recognize fraudulent apartment listings ∗∗∗
---------------------------------------------
On platforms such as immobilienscout24.at, willhaben.at or Facebook Marketplace, fake listings for rental and owner-occupied apartments are published again and again. However, fake listings can be exposed quickly by a few characteristics: on the one hand the low price, on the other the communication with the owners.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-wohnungsinserate-erke…
∗∗∗ New Emotet Infection Method ∗∗∗
---------------------------------------------
As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. [..] The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload.
---------------------------------------------
https://unit42.paloaltonetworks.com/new-emotet-infection-method/
∗∗∗ Warning over mysterious hackers that have been targeting aerospace and defence industries for years ∗∗∗
---------------------------------------------
Cybersecurity researchers detail a hacking operation that has been conducting phishing campaigns and malware attacks since 2017, despite barely changing its tactics.
---------------------------------------------
https://www.zdnet.com/article/these-prolific-hackers-have-been-targeting-th…
∗∗∗ Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud ∗∗∗
---------------------------------------------
Unpatched servers have been used to twist corporate email threads and conduct financial theft.
---------------------------------------------
https://www.zdnet.com/article/squirrelwaffle-loader-leverages-microsoft-exc…
∗∗∗ FBI and USSS Release Advisory on BlackByte Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/15/fbi-and-usss-rele…
∗∗∗ Security warning from Tuxedo Computer: change your password urgently ∗∗∗
---------------------------------------------
TUXEDO Computers is a computer vendor based in Augsburg. [..] This vendor has had a security vulnerability, so the vendor is asking customers to change the passwords for their online accounts.
---------------------------------------------
https://www.borncity.com/blog/2022/02/15/sicherheitswarnung-von-tuxedo-comp…
∗∗∗ Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users ∗∗∗
---------------------------------------------
Multi-factor Authentication or MFA (sometimes referred to as 2FA) is an excellent way to protect your Office 365 accounts from attackers trying to gain access to them. [..] In this case, we are examining MFA Fatigue by focusing on a current attack vector—Push Notification Spamming. We’ll describe what MFA fatigue is, how it is carried out and detail the steps for IT professionals to detect and mitigate it within their organizations.
---------------------------------------------
https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaig…
=====================
= Vulnerabilities =
=====================
∗∗∗ Google announces zero-day in Chrome browser – update now! ∗∗∗
---------------------------------------------
Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"
---------------------------------------------
https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-ch…
∗∗∗ Security Bulletin: Trend Micro Antivirus for Mac Link Following Privilege Escalation Vulnerability (CVE-2022-24671) ∗∗∗
---------------------------------------------
The update resolves a vulnerability in the product that allows a local attacker to modify a file during the update process and escalate their privileges. Please note that an attacker must at least have low-level privileges on the system to attempt to exploit this vulnerability.
---------------------------------------------
https://helpcenter.trendmicro.com/en-us/article/TMKA-10937
∗∗∗ Insecure baby monitors from Nooie: Strangers could gain full access ∗∗∗
---------------------------------------------
While analyzing two Nooie baby monitors, Bitdefender discovered security vulnerabilities through which attackers could, for example, tap into the video stream.
---------------------------------------------
https://heise.de/-6475088
∗∗∗ Multiple Critical Vulnerabilities in multiple Zyxel devices ∗∗∗
---------------------------------------------
Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration. One of the worst vulnerabilities is the unauthenticated buffer overflow in the "zhttpd" webserver, which is developed by Zyxel. By bypassing ASLR, the buffer overflow can be turned into an unauthenticated remote code execution. Besides, vulnerabilities like unauthenticated file disclosure, authenticated command injection and processing of symbolic links in the FTP daemon were found in the firmware.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner…
∗∗∗ VMSA-2022-0004 ∗∗∗
---------------------------------------------
CVSSv3 Range: 5.3-8.4
CVE(s): CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050
Synopsis: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0004.html
∗∗∗ Symlink Directory Traversal in Linksys WLAN Router (SYSS-2021-046) ∗∗∗
---------------------------------------------
The Linksys WLAN router contains a vulnerability that allows attackers to gain access to the router's entire internal file system.
---------------------------------------------
https://www.syss.de/pentest-blog/symlink-directory-traversal-in-linksys-wla…
∗∗∗ Insufficient protection for media content in AVM's FRITZ!Box (SYSS-2021-050) ∗∗∗
---------------------------------------------
AVM's FRITZ!Box home routers allow attackers to access media data such as images or videos in home networks.
---------------------------------------------
https://www.syss.de/pentest-blog/unzureichender-schutz-fuer-medieninhalte-b…
∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 15 February 2022 ∗∗∗
---------------------------------------------
Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ ZDI-22-349: (Pwn2Own) Western Digital My Cloud Pro Series PR4100 ConnectivityService Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-349/
∗∗∗ ZDI-22-348: (Pwn2Own) Western Digital MyCloud PR4100 cgi_api Server-Side Request Forgery Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-348/
∗∗∗ ZDI-22-347: (Pwn2Own) Western Digital MyCloud PR4100 nasAdmin Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-347/
∗∗∗ ZDI-22-346: (Pwn2Own) Western Digital MyCloud PR4100 samba Configuration Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-346/
∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220216-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy…
∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a…
∗∗∗ TYPO3-EXT-SA-2022-004: File Content Injection in extension "Hardcoded text to Locallang" (mqk_locallangtools) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-004
∗∗∗ TYPO3-EXT-SA-2022-003: Insecure direct object reference in extension "Varnishcache" (varnishcache) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-003
∗∗∗ TYPO3-EXT-SA-2022-002: Cross-Site Scripting in extension "Bookdatabase" (extbookdatabase) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-002
∗∗∗ TYPO3-EXT-SA-2022-001: Server-side request forgery in extension "Kitodo.Presentation" (dlf) ∗∗∗
---------------------------------------------
https://typo3.org/security/advisory/typo3-ext-sa-2022-001
∗∗∗ Schneider Electric IGSS ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01
=====================
= End-of-Day report =
=====================
Timeframe: Friday 11-02-2022 18:00 − Monday 14-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Google Project Zero: Vendors are now quicker at fixing zero-days ∗∗∗
---------------------------------------------
Google's Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/google-project-zero-vendors-…
∗∗∗ Microsoft is making it harder to steal Windows passwords from memory ∗∗∗
---------------------------------------------
Microsoft is enabling an Attack Surface Reduction security feature rule by default to block hackers' attempts to steal Windows credentials from the LSASS process.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-is-making-it-hard…
∗∗∗ Allcome clipbanker is a newcomer in underground forums ∗∗∗
---------------------------------------------
The malware underground market might seem astoundingly professional in marketing and support. Let's take a look under the covers of one particular malware-as-a-service—the clipboard banker Allcome.
---------------------------------------------
https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-ne…
∗∗∗ DHL Spear Phishing to Capture Username/Password, (Sun, Feb 13th) ∗∗∗
---------------------------------------------
This week I got this run-of-the-mill DHL phishing in my ISC inbox.
---------------------------------------------
https://isc.sans.edu/diary/rss/28332
∗∗∗ Reminder: Decoding TLS Client Hellos to non TLS servers, (Mon, Feb 14th) ∗∗∗
---------------------------------------------
If you still run a non-TLS web server, you may occasionally find requests like the following in your weblogs.
---------------------------------------------
https://isc.sans.edu/diary/rss/28338
∗∗∗ Vulnerabilities that aren’t. Unquoted Spaces ∗∗∗
---------------------------------------------
I’ve covered a couple of web vulnerabilities that (mostly) aren’t, and now it’s time for a Windows specific one.
---------------------------------------------
https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-un…
∗∗∗ Email from the Federal Criminal Police Office with the subject “BUNDESKRIMINALAMT VORLADUNG” is fake ∗∗∗
---------------------------------------------
“Hello, we are informing you that you have committed a criminal offence” reads the text of an email, allegedly from the Federal Criminal Police Office (Bundeskriminalamt). In an attached PDF document, the Federal Criminal Police Office, the police and Europol inform you that proceedings have been initiated against you for a sexual offence. Warning: this email is fake.
---------------------------------------------
https://www.watchlist-internet.at/news/e-mail-vom-bundeskriminalamt-mit-bet…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability listed in the table below.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/11/cisa-adds-one-kno…
=====================
= Vulnerabilities =
=====================
∗∗∗ Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa ∗∗∗
---------------------------------------------
A collection of five security vulnerabilities with a collective CVSS score of 10 out of 10 threaten critical infrastructure environments that use Moxa MXview.
---------------------------------------------
https://threatpost.com/critical-mqtt-bugs-industrial-rce-moxa/178399/
∗∗∗ Update now! Attacks on the Adobe Commerce and Magento shop systems ∗∗∗
---------------------------------------------
Adobe reports attacks on the Commerce and Magento shop systems. Updates are available that are intended to close the exploited critical vulnerability.
---------------------------------------------
https://heise.de/-6455225
∗∗∗ ZDI-22-318: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-318/
∗∗∗ Security Bulletin: IBM Cognos Analytics Mobile is affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-mobi…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec…
∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres (Standard and Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf…
∗∗∗ Security Bulletin: DS8000 Hardware Management Console is vulnerable to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to arbitrary code execution in Log4j CVE-2021-44832 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v…
∗∗∗ Security Bulletin: DS8000 Hardware Management Console uses Apache Log4j which is subject to a vulnerability alert CVE-2021-44228. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 10-02-2022 18:00 − Friday 11-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Microsoft starts killing off WMIC in Windows, will thwart attacks ∗∗∗
---------------------------------------------
Microsoft is moving forward with removing the Windows Management Instrumentation Command-line (WMIC) tool, wmic.exe, starting with the latest Windows 11 preview builds in the Dev channel.
---------------------------------------------
https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-killing-of…
∗∗∗ Zyxel Network Storage Devices Hunted By Mirai Variant, (Thu, Feb 10th) ∗∗∗
---------------------------------------------
I have been talking a lot about various network storage devices and how you never ever want to expose them to the Internet. The brands that usually come up are Synology and QNAP, which have a significant market share. But they are not alone.
---------------------------------------------
https://isc.sans.edu/diary/rss/28324
∗∗∗ CinaRAT Delivered Through HTML ID Attributes, (Fri, Feb 11th) ∗∗∗
---------------------------------------------
I found another sample that again drops a malicious ISO file but this time, it is much more obfuscated and the VT score is 0! Yes, not detected by any antivirus solution!
---------------------------------------------
https://isc.sans.edu/diary/rss/28330
∗∗∗ Use Zoom on a Mac? You might want to check your microphone settings ∗∗∗
---------------------------------------------
Big Brother Zoomer is listening to us, complain users. Apple Mac users running the Zoom meetings app are reporting that it's keeping their computer's microphone on when they aren't using it.
---------------------------------------------
https://go.theregister.com/feed/www.theregister.com/2022/02/10/zoom_mac_mic…
∗∗∗ Vulnerability in Microsoft Defender antivirus silently fixed ∗∗∗
---------------------------------------------
Overly lax permissions would have allowed attackers to access the Microsoft Defender exclusions. The company fixed the flaw without any announcement.
---------------------------------------------
https://heise.de/-6444399
∗∗∗ Hot air: warning about ghost touches on touchscreens ∗∗∗
---------------------------------------------
TU Darmstadt warns that targeted attacks on touchscreens are possible. However, the "GhostTouch" attack it describes is not practical.
---------------------------------------------
https://heise.de/-6445488
∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗
---------------------------------------------
CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-know…
∗∗∗ Malicious Chrome Browser Extension Exposed: ChromeBack Leverages Silent Extension Loading ∗∗∗
---------------------------------------------
GoSecure Titan Labs received a malicious Chrome extension sample that we are calling ChromeBack from GoSecure's Titan Managed Detection and Response (MDR) team.
---------------------------------------------
https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension…
=====================
= Vulnerabilities =
=====================
∗∗∗ Microsoft: SMB vulnerability in Windows is being actively exploited ∗∗∗
---------------------------------------------
A critical Windows vulnerability that is almost two years old is currently being actively exploited. Exploits also exist for a seven-year-old Windows vulnerability.
---------------------------------------------
https://www.golem.de/news/microsoft-smb-luecke-in-windows-wird-aktiv-ausgen…
∗∗∗ Emergency patch for iPhones, iPads and Macs: iOS 15.3.1 and macOS 12.2.1 available ∗∗∗
---------------------------------------------
Apple closes a vulnerability that is apparently being actively exploited in attacks. The vendor also fixes bugs, including Bluetooth problems on Intel Macs.
---------------------------------------------
https://heise.de/-6440372
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (cryptsetup), Fedora (firefox, java-1.8.0-openjdk, microcode_ctl, python-django, rlwrap, and vim), openSUSE (kernel), and SUSE (kernel and ldb, samba).
---------------------------------------------
https://lwn.net/Articles/884516/
∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Xpat vulnerability affect IBM Cloud Object Storage Systems (Feb 2022 V1-a) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-xpat-vulnerability-affect…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-24750) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: EDB Postgres Advanced Server with IBM and IBM Data Management Platform for EDB Postgres (Standard or Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-edb-postgres-advanced-ser…
∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-…
∗∗∗ QNAP NAS: Vulnerability allows code execution ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0178
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 09-02-2022 18:00 − Thursday 10-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: Robert Waldner
=====================
= News =
=====================
∗∗∗ Wave of MageCart attacks target hundreds of outdated Magento sites ∗∗∗
---------------------------------------------
Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. [...] The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/wave-of-magecart-attacks-tar…
∗∗∗ FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems ∗∗∗
---------------------------------------------
Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain. The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-h…
∗∗∗ Linux Malware on the Rise ∗∗∗
---------------------------------------------
Ransomware, cryptojacking, and a cracked version of the penetration-testing tool Cobalt Strike have increasingly targeted Linux in multicloud infrastructure, report states.
---------------------------------------------
https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illic…
∗∗∗ Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware ∗∗∗
---------------------------------------------
The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot.
---------------------------------------------
https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/1783…
∗∗∗ SAP to Give Threat Briefing on Uber-Severe ‘ICMAD’ Bugs ∗∗∗
---------------------------------------------
SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. [..] Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download [..]
---------------------------------------------
https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/
∗∗∗ Beware of fraudulent Fortnite shops! ∗∗∗
---------------------------------------------
Fraudulent Fortnite online shops such as premiumskins.net offer popular outfits, so-called "Fortnite skins", for sale. But beware: the skins are often not delivered after payment! Buy skins only through the official store within the game and do not trust external vendors.
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-fortnit…
∗∗∗ Ransomware tracker: the latest figures [February 2022] ∗∗∗
---------------------------------------------
Over the last two years, The Record and our parent company Recorded Future have updated this ransomware tracker using data collected from government agencies, news reports, hacking forums, and other sources. The trend is clear: despite bold efforts from governments around the world, ransomware isn’t going anywhere.
Here are some of our most critical findings
---------------------------------------------
https://therecord.media/ransomware-tracker-the-latest-figures/
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-290: BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Authentication is not required to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-290/
∗∗∗ WordPress takeover through critical vulnerabilities in PHP Everywhere ∗∗∗
---------------------------------------------
A critical security vulnerability in PHP Everywhere would have allowed attackers to execute arbitrary code in WordPress instances. An update is available.
---------------------------------------------
https://heise.de/-6369318
∗∗∗ Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin ∗∗∗
---------------------------------------------
On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query.
---------------------------------------------
https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulner…
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex).
---------------------------------------------
https://lwn.net/Articles/884381/
∗∗∗ Dell Computer: Multiple vulnerabilities ∗∗∗
---------------------------------------------
A local attacker can exploit multiple vulnerabilities in Dell Computer to execute arbitrary program code or to install modified BIOS firmware.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0174
∗∗∗ Drupal: Multiple vulnerabilities [in plugins] ∗∗∗
---------------------------------------------
Numerous extensions allow the functionality of the core installation to be extended individually.
A remote, anonymous or authenticated attacker can exploit multiple vulnerabilities in Drupal [plugins] to bypass security measures and carry out a cross-site scripting attack.
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0173
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30640 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-41079 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-33037 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh…
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ CVE-2022-0016 GlobalProtect App: Privilege Escalation Vulnerability When Using Connect Before Logon (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0016
∗∗∗ CVE-2022-0017 GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation (Severity: HIGH) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0017
∗∗∗ CVE-2022-0018 GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0018
∗∗∗ CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0011
∗∗∗ CVE-2022-0021 GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon (Severity: LOW) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0021
∗∗∗ CVE-2022-0020 Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0020
∗∗∗ CVE-2022-0019 GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux (Severity: MEDIUM) ∗∗∗
---------------------------------------------
https://security.paloaltonetworks.com/CVE-2022-0019
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 08-02-2022 18:00 − Wednesday 09-02-2022 18:00
Handler: Thomas Pribitzer
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Kimsuki hackers use commodity RATs with custom Gold Dragon malware ∗∗∗
---------------------------------------------
South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodit…
∗∗∗ Fake Windows 11 upgrade installers infect you with RedLine malware ∗∗∗
---------------------------------------------
Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-inst…
∗∗∗ Ransomware dev releases Egregor, Maze master decryption keys ∗∗∗
---------------------------------------------
The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egre…
∗∗∗ BIOS, UEFI, Wi-Fi: Intel closes numerous firmware security vulnerabilities ∗∗∗
---------------------------------------------
On a large-scale patch day, Intel is providing updates for security vulnerabilities. These can be used to escalate privileges.
---------------------------------------------
https://www.golem.de/news/bios-uefi-wlan-intel-schliesst-zahlreiche-firmwar…
∗∗∗ Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th) ∗∗∗
---------------------------------------------
Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08.
---------------------------------------------
https://isc.sans.edu/diary/rss/28318
∗∗∗ SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022-22718) ∗∗∗
---------------------------------------------
In this blog post, we’ll look at a Windows Print Spooler local privilege escalation vulnerability that I found and reported in November 2021. The vulnerability got patched as part of Microsoft’s Patch Tuesday in February 2022.
---------------------------------------------
https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalati…
∗∗∗ CISA and SAP warn about major vulnerability ∗∗∗
---------------------------------------------
SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products.
---------------------------------------------
https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/
∗∗∗ AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware ∗∗∗
---------------------------------------------
Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.
---------------------------------------------
https://us-cert.cisa.gov/ncas/alerts/aa22-040a
=====================
= Vulnerabilities =
=====================
∗∗∗ Execution of malicious code conceivable: security updates for Firefox and Thunderbird ∗∗∗
---------------------------------------------
The Mozilla developers close many security vulnerabilities in updated versions of Firefox and Thunderbird. They rate some of them as high risk.
---------------------------------------------
https://heise.de/-6360477
∗∗∗ Microsoft Patch Day: Attackers could exploit a kernel vulnerability in Windows ∗∗∗
---------------------------------------------
There are important security updates for Azure, Office, Windows & Co. This is rare: none of the closed vulnerabilities is rated critical.
---------------------------------------------
https://heise.de/-6360267
∗∗∗ Patch Day: Adobe closes malicious-code vulnerabilities in Illustrator ∗∗∗
---------------------------------------------
The Adobe developers have secured their software portfolio against possible attacks.
---------------------------------------------
https://heise.de/-6360575
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (aide), Debian (connman), Fedora (perl-App-cpanminus and rust-afterburn), Mageia (glibc), Red Hat (.NET 5.0, .NET 6.0, aide, log4j, ovirt-engine, and samba), SUSE (elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh,[...]
---------------------------------------------
https://lwn.net/Articles/884242/
∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities ∗∗∗
---------------------------------------------
Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products.
---------------------------------------------
https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a…
∗∗∗ HPE Agentless Management registers unquoted service paths ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN12969207/
∗∗∗ Security Advisory for Citrix Hypervisor (CVE-2022-23034, CVE-2022-23035, CVE-2021-0145) ∗∗∗
---------------------------------------------
https://support.citrix.com/article/CTX337526
∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff…
∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Apache Log4j affects Netcool Operation Insight (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera…
∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go (CVE CVE-2021-41771 & CVE-2021-41772) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au…
∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – October 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – July 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera…
∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30639 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af…
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002 ∗∗∗
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0002.html
∗∗∗ Zoom Video Communications Zoom Client: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0158
∗∗∗ QEMU: Vulnerability allows execution of arbitrary program code with administrator privileges ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0156
∗∗∗ Grafana: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0159
∗∗∗ QNAP: Multiple Vulnerabilities in Samba ∗∗∗
---------------------------------------------
https://www.qnap.com/en-us/security-advisory/QSA-22-03
=====================
= End-of-Day report =
=====================
Timeframe: Monday 07-02-2022 18:00 − Tuesday 08-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Thomas Pribitzer
=====================
= News =
=====================
∗∗∗ Internet security: How to protect yourself against account hijacking and the like ∗∗∗
---------------------------------------------
We explain what you should look out for in order to stay safe on the Internet.
---------------------------------------------
https://heise.de/-6355600
∗∗∗ Microsoft Office to block VBA macros by default ∗∗∗
---------------------------------------------
Macros are a gateway for malware. Disabling VBA macros by default is long overdue.
---------------------------------------------
https://heise.de/-6353429
∗∗∗ Patch Day: Vulnerabilities in SAP products allow code injection ∗∗∗
---------------------------------------------
On the February patch day, SAP closes several critical security vulnerabilities through which attackers could have injected malicious code into affected systems.
---------------------------------------------
https://heise.de/-6356776
∗∗∗ Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages ∗∗∗
---------------------------------------------
Specifically, in this paper, we study [..] security releases over a dataset of 4,377 security advisories across seven package ecosystems (Composer, Go, Maven, npm, NuGet, pip, and RubyGems). [..] Based on our findings, we make four recommendations for the package maintainers and the ecosystem administrators, such as using private fork for security fixes and standardizing the practice for announcing security releases.
---------------------------------------------
https://arxiv.org/pdf/2112.06804.pdf
∗∗∗ “We absolutely do not care about you”: Sugar ransomware targets individuals ∗∗∗
---------------------------------------------
They call it Sugar ransomware, but it's not sweet in any way.
---------------------------------------------
https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-…
∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗
---------------------------------------------
[UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022.
---------------------------------------------
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress IP2Location Country Blocker 2.26.7 Cross Site Scripting ∗∗∗
---------------------------------------------
An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022020031
∗∗∗ CVE-2021-38130 Voltage SecureMail 7.3 Mail Relay Information Leakage Vuln. ∗∗∗
---------------------------------------------
An information leakage vulnerability with a CVSS of 4.1 was discovered in SecureMail Server for versions prior to 7.3.0.1. The vulnerability can be exploited to send sensitive information to an unauthorized user. A resolution of this vulnerability is available in the Voltage SecureMail version 7.3.0.1 patch release.
---------------------------------------------
https://portal.microfocus.com/s/article/KM000003667?language=en_US
∗∗∗ Patchday: Critical system vulnerability lets attackers access Android devices ∗∗∗
---------------------------------------------
There are important security updates for Android 10, 11, 12 and various components of the system.
---------------------------------------------
https://heise.de/-6355256
∗∗∗ Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution ∗∗∗
---------------------------------------------
On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin [...]
---------------------------------------------
https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-ever…
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (log4j), Debian (chromium, xterm, and zabbix), Fedora (kate, lua, and podman), Oracle (aide and log4j), and SUSE (xen).
---------------------------------------------
https://lwn.net/Articles/884082/
∗∗∗ K33484369: Linux kernel vulnerability CVE-2021-20194 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K33484369?utm_source=f5support&utm_mediu…
∗∗∗ K01217337: Linux kernel vulnerability CVE-2021-22543 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K01217337?utm_source=f5support&utm_mediu…
∗∗∗ Mitsubishi Electric FA Engineering Software Products (Update D) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02
∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update F) ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04
∗∗∗ SSA-914168: Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-914168.txt
∗∗∗ SSA-669737: Improper Access Control Vulnerability in SICAM TOOLBOX II ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-669737.txt
∗∗∗ SSA-654775: Open Redirect Vulnerability in SINEMA Remote Connect Server ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-654775.txt
∗∗∗ SSA-609880: File Parsing Vulnerabilities in Simcenter Femap before V2022.1 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-609880.txt
∗∗∗ SSA-539476: Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-539476.txt
∗∗∗ SSA-301589: Multiple File Parsing Vulnerabilities in Solid Edge, JT2Go and Teamcenter Visualization ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-301589.txt
∗∗∗ SSA-244969: OpenSSL Vulnerability in Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-244969.txt
∗∗∗ SSA-838121: Multiple Denial of Service Vulnerabilities in Industrial Products ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-838121.txt
∗∗∗ SSA-831168: Cross-Site Scripting Vulnerability in Spectrum Power 4 ∗∗∗
---------------------------------------------
https://cert-portal.siemens.com/productcert/txt/ssa-831168.txt
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-35728) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2021-20190) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln…
∗∗∗ Security Bulletin: Log4Shell Vulnerability affects IBM SPSS Statistics (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-a…
--
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily
=====================
= End-of-Day report =
=====================
Timeframe: Friday 04-02-2022 18:00 − Monday 07-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Medusa malware ramps up Android SMS phishing attacks ∗∗∗
---------------------------------------------
The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/medusa-malware-ramps-up-andr…
∗∗∗ An Insidious Mac Malware Is Growing More Sophisticated ∗∗∗
---------------------------------------------
When UpdateAgent emerged in late 2020, it utilized basic infiltration techniques. Its developers have since expanded it in dangerous ways.
---------------------------------------------
https://www.wired.com/story/mac-malware-growing-more-sophisticated
∗∗∗ Shadow Credentials ∗∗∗
---------------------------------------------
During Black Hat Europe 2019 Michael Grafnetter discussed several attacks towards Windows Hello for Business including a domain persistence technique which involves the modification of the msDS-KeyCredentialLink attribute of a target computer or user account. [..] The following diagram visualizes the steps of the technique Shadow Credentials in practice.
---------------------------------------------
https://pentestlab.blog/2022/02/07/shadow-credentials/
∗∗∗ web3 phishing via self-customizing landing pages ∗∗∗
---------------------------------------------
You may not quite understand what "web3" is all about (I do not claim to do so), but it appears phishers may already use it. [..] the JavaScript used to implement the phishing page is interesting. Not only does it customize the login dialog with the company logo, but it also replaces the entire page with a screenshot of the domain homepage.
---------------------------------------------
https://isc.sans.edu/diary/rss/28312
∗∗∗ Sextortion: When a harmless flirt ends in blackmail ∗∗∗
---------------------------------------------
Sextortion is a scam in which mostly male victims are asked by online acquaintances to send sexual images and videos of themselves or to show themselves naked in front of the webcam. The victims are then blackmailed with these images and videos: pay, or the material will be published on the internet!
---------------------------------------------
https://www.watchlist-internet.at/news/sextortion-wenn-ein-harmloser-flirt-…
∗∗∗ FBI Releases Indicators of Compromise Associated with LockBit 2.0 Ransomware ∗∗∗
---------------------------------------------
The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with attacks, using LockBit 2.0, a Ransomware-as-a-Service that employs a wide variety of tactics, techniques, and procedures, creating significant challenges for defense and mitigation. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000162-MW and apply the recommended mitigations.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/07/fbi-releases-indi…
∗∗∗ Microsoft disables MSIX ms-appinstaller protocol handler in Windows because of Emotet & Co. (Feb. 2022) ∗∗∗
---------------------------------------------
After ransomware such as Emotet or BazarLoader abused the MSIX ms-appinstaller protocol handler, Microsoft has now reacted again. The entire MSIX ms-appinstaller protocol handler has been disabled in Windows for the time being, effectively as protection against Emotet, BazarLoader or similar malware.
---------------------------------------------
https://www.borncity.com/blog/2022/02/05/microsoft-deaktiviert-msix-ms-appi…
∗∗∗ Caution: audacity.de and keepass.de are spreading malware (Feb. 2022) ∗∗∗
---------------------------------------------
A short note to people who like to download software from the internet. It looks as if the domains audacity.de and keepass.de have fallen into the hands of people who are misusing them. Instead of an audio tool or a password manager, the sites in question distribute malware.
---------------------------------------------
https://www.borncity.com/blog/2022/02/07/vorsicht-audacity-de-und-keepass-d…
=====================
= Vulnerabilities =
=====================
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the audit log of Cisco DNA Center could allow an authenticated, local attacker to view sensitive information in clear text. This vulnerability is due to the unsecured logging of sensitive information on an affected system. An attacker with administrative privileges could exploit this vulnerability by accessing the audit logs through the CLI. A successful exploit could allow the attacker to retrieve sensitive information that includes user credentials.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ldns and libphp-adodb), Fedora (kernel, kernel-headers, kernel-tools, mingw-binutils, mingw-openexr, mingw-python3, mingw-qt5-qtsvg, scap-security-guide, stratisd, util-linux, and webkit2gtk3), Mageia (lrzsz, qtwebengine5, and xterm), openSUSE (chromium), and Ubuntu (python-django).
---------------------------------------------
https://lwn.net/Articles/884015/
∗∗∗ OTRS: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0143
∗∗∗ Multiple ESET products for macOS vulnerable to improper server certificate verification ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN95898697/
∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt…
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Liberty for Java for IBM Cloud is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-liberty-for-java-for-ibm-…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 03-02-2022 18:00 − Friday 04-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Vulnerability in GitOps tool: Argo CD vulnerable to path traversal ∗∗∗
---------------------------------------------
Attacks using manipulated Helm charts allow access to arbitrary directories in the repository of the continuous delivery tool for Kubernetes.
---------------------------------------------
https://heise.de/-6349810
∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗
---------------------------------------------
- Volexity discovers XSS zero-day vulnerability against Zimbra
- Targeted sectors include European government and media
- Successful exploitation results in theft of email data from users
---------------------------------------------
https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi…
∗∗∗ Cybersecurity for Industrial Control Systems: Part 1 ∗∗∗
---------------------------------------------
In this two-part series, we look into various cybersecurity threats that affected industrial control systems endpoints. We also discuss several insights and recommendations to mitigate such threats.
---------------------------------------------
https://www.iiot-world.com/ics-security/cybersecurity/cybersecurity-for-ind…
∗∗∗ Vulnerabilities that aren’t. ETag headers ∗∗∗
---------------------------------------------
This time we’re looking at the ETag (Entity Tag) header. I take some of the blame for this one as I first added a dissector of the header to Nikto’s headers plugin back in 2008, then other scanners added it.
---------------------------------------------
https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-et…
∗∗∗ Target open-sources its web skimmer detector ∗∗∗
---------------------------------------------
Target's cybersecurity team has open-sourced the code of Merry Maker, the company's internal application that it has used since 2018 to detect if any of its own websites have been compromised with malicious code that can steal payment card details from buyers.
---------------------------------------------
https://therecord.media/target-open-sources-its-web-skimmer-detector/
∗∗∗ An ALPHV (BlackCat) representative discusses the group’s plans for a ransomware ‘meta-universe’ ∗∗∗
---------------------------------------------
Late last year, cybersecurity researchers began to notice a ransomware strain called ALPHV that stood out for being particularly sophisticated and coded in the Rust programming language—a first for ransomware used in real-world attacks.
---------------------------------------------
https://therecord.media/an-alphv-blackcat-representative-discusses-the-grou…
∗∗∗ Special Report: The pitfalls of Active Directory Certificate Services (AD CS) ∗∗∗
---------------------------------------------
Active Directory Certificate Services (ADCS) is prone to misconfigurations that make a complete compromise of the network trivially possible. The problem was published in summer 2021; this method is now being used in APT attacks. Check your setup with the tools provided. Use the preventive measures listed to establish greater visibility. Use the tools presented to check whether a misconfiguration has already been exploited.
---------------------------------------------
https://cert.at/de/spezielles/2022/2/special-report-die-tucken-von-active-d…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apng2gif, ruby2.5, ruby2.7, and strongswan), Fedora (389-ds-base, glibc, java-latest-openjdk, keylime, mingw-python-pillow, perl-Image-ExifTool, python-pillow, rust-afterburn, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-skim, rust-thread_local, rust-tokei, strongswan, vim, xen, and zola), Mageia (cryptsetup and expat), openSUSE (containerd, docker, glibc, [...]
---------------------------------------------
https://lwn.net/Articles/883828/
∗∗∗ Mattermost security updates 6.3.3, 6.2.3, 6.1.3, 5.37.8 released ∗∗∗
---------------------------------------------
We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.3.3 (Extended Support Release), 6.2.3, 6.1.3, 5.37.8 (Extended Support Release) for both Team Edition and Enterprise Edition.
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-6-3-3-6-2-3-6-1-3-5…
∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗
---------------------------------------------
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/04/cisa-adds-one-kno…
∗∗∗ CSV+ vulnerable to cross-site scripting ∗∗∗
---------------------------------------------
https://jvn.jp/en/jp/JVN67396225/
∗∗∗ K40508224: Perl vulnerability CVE-2020-10878 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K40508224
∗∗∗ K05295469: Expat vulnerability CVE-2019-15903 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K05295469
∗∗∗ Security Bulletin: Log4j Vulnerability ( CVE-2021-44228 ) in IBM Informix Dynamic Server in Cloud Pak for Data ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Tivoli Monitoring installed WebSphere Application Server (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo…
∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an…
∗∗∗ Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-informix-dynamic-serv…
∗∗∗ Security Bulletin: Multiple vulnerabilities in Apache Log4j affect IBM Tivoli Netcool Impact (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK (October 2021) affects IBM InfoSphere Information Server (CVE-2021-35578 CVE-2021-35564) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 02-02-2022 18:00 − Thursday 03-02-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Spam calls from a Vienna number: “This is the police” ∗∗∗
---------------------------------------------
The general rule for such calls is to hang up immediately. If you are unsure whether the call was genuine (in the case of an English-language recording it certainly is not), you can call the police (133) yourself. The police warn that you should never call back a "police" phone number when such calls ask you to.
If you have already spoken to the person and given out data, you should file a report with the police immediately.
---------------------------------------------
https://futurezone.at/digital-life/spam-anrufe-wiener-nummer-federal-police…
∗∗∗ WooCommerce Skimmer Uses Fake Fonts and Favicon to Steal CC Details ∗∗∗
---------------------------------------------
Today’s investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time right around the end of December. What first seemed to be a routine case of credit card theft turned out to be a much more interesting infection that leveraged both font, favicon and other less-commonly used files to pilfer credit card details.
---------------------------------------------
https://blog.sucuri.net/2022/02/woocommerce-skimmer-uses-fake-fonts-and-fav…
∗∗∗ A comprehensive guide on [NTLM] relaying anno 2022 ∗∗∗
---------------------------------------------
For years now, Internal Penetration Testing teams have been successful in obtaining a foothold or even compromising entire domains through a technique called NTLM relaying. [..] This blog post aims to be a comprehensive resource that will walk through the attack primitives that continue to work today. While most will be well known techniques, some techniques involving Active Directory Certificate Services might be lesser known.
---------------------------------------------
https://www.trustedsec.com/blog/a-comprehensive-guide-on-relaying-anno-2022/
∗∗∗ Tattoo giveaways on Instagram lead to a subscription trap ∗∗∗
---------------------------------------------
Criminals send messages from fake accounts claiming that Instagram users have won a prize draw. But the supposed prize leads not to a new tattoo but into a well-disguised subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/tattoo-giveaways-auf-instagram-fuehr…
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple Vulnerabilities in Sante DICOM Viewer Pro ∗∗∗
---------------------------------------------
* J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
* DCM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
* DCM File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
* DCM File Parsing Use-After-Free Information Disclosure Vulnerability
* JP2 File Parsing Use-After-Free Remote Code Execution Vulnerability
* JP2 File Parsing Memory Corruption Remote Code Execution Vulnerability
* J2K File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
---------------------------------------------
https://www.zerodayinitiative.com/advisories/
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (librecad), Fedora (flatpak, flatpak-builder, and glibc), Mageia (chromium-browser-stable, connman, libtiff, and rust), openSUSE (lighttpd), Oracle (cryptsetup, nodejs:14, and rpm), Red Hat (varnish:6), SUSE (kernel and unbound), and Ubuntu (linux, linux-aws, linux-aws-5.11, linux-aws-5.13, linux-gcp, linux-gcp-5.11, linux-hwe-5.13, linux-kvm, linux-oem-5.13, linux-oracle, linux-oracle-5.11, linux-raspi, linux, linux-aws, linux-aws-5.4, linux-bluefield, linux-gcp, linux-gcp-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oracle, linux-oracle-5.4, linux, linux-aws, linux-aws-hwe, linux-azure, linux-dell300x, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux-gke, linux-gke-5.4, mysql-5.7, mysql-8.0, python-django, samba).
---------------------------------------------
https://lwn.net/Articles/883676/
∗∗∗ Sensormatic PowerManage ∗∗∗
---------------------------------------------
This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01
∗∗∗ Airspan Networks Mimosa ∗∗∗
---------------------------------------------
This advisory contains mitigations for Improper Authorization, Incorrect Authorization, Server-side Request Forgery, SQL Injection, Deserialization of Untrusted Data, OS Command Injection, and Use of a Broken or Risky Cryptographic Algorithm vulnerabilities in Airspan Networks Mimosa network management software.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-034-02
∗∗∗ Two vulnerabilities in AudioCodes Session Border Controller (SYSS-2021-068/-075) ∗∗∗
---------------------------------------------
Telephone fraud can be committed in AudioCodes Session Border Controller (SBC). A privilege escalation was also found in the web management console.
---------------------------------------------
https://www.syss.de/pentest-blog/multiple-schwachstellen-im-coins-construct…
∗∗∗ InsydeH2O UEFI System Management Mode (SMM) Vulnerabilities ∗∗∗
---------------------------------------------
Mitigation Strategy for Customers (what you should do to protect yourself): Update system firmware to the version (or newer) indicated for your model in the Product Impact section.
---------------------------------------------
http://support.lenovo.com/product_security/PS500463-INSYDEH2O-UEFI-SYSTEM-M…
∗∗∗ Cisco Content Security Management Appliance and Cisco Web Security Appliance Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by JWT-Go vulnerability (CVE-2020-26160) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Standard is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf…
∗∗∗ Security Bulletin: This Power System update is being released to address CVE 2021-38960 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-this-power-system-update-…
∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres Enterprise is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf…
∗∗∗ K67416037: Linux kernel vulnerability CVE-2021-23133 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K67416037?utm_source=f5support&utm_mediu…
∗∗∗ Weidmueller: Remote I/O fieldbus couplers (IP20) affected by INFRA:HALT vulnerabilities ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-042/
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 01-02-2022 18:00 − Wednesday 02-02-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ VU#796611: InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM ∗∗∗
---------------------------------------------
The InsydeH2O Hardware-2-Operating System (H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM). UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a highly privileged processor execution mode called System Management Mode (SMM) for handling system-wide functions like power management, system hardware control, or proprietary OEM-designed code.
---------------------------------------------
https://kb.cert.org/vuls/id/796611
∗∗∗ CISA Releases Securing Industrial Control Systems: A Unified Initiative ∗∗∗
---------------------------------------------
The Cybersecurity and Infrastructure Security Agency (CISA) has released its five-year industrial control systems (ICS) strategy: Securing Industrial Control Systems: A Unified Initiative. The strategy—developed in collaboration with industry and government partners—lays out CISA's plan to improve, unify, and focus the effort to secure ICS and protect critical infrastructure.
---------------------------------------------
https://us-cert.cisa.gov/ics/cisa-releases-securing-industrial-control-syst…
∗∗∗ Kasper: a tool for finding speculative-execution vulnerabilities ∗∗∗
---------------------------------------------
The Systems and Network Security Group at Vrije Universiteit Amsterdam has announced a tool called Kasper that is able to scan the kernel source and locate speculative-execution vulnerabilities: Namely, it models an attacker capable of controlling data (e.g., via memory massaging or value injection a la LVI), accessing secrets (e.g., via out-of-bounds or use-after-free accesses), and leaking these secrets (e.g., via cache-based, MDS-based, or port contention-based covert channels).
---------------------------------------------
https://lwn.net/Articles/883448/
∗∗∗ Post e-mail "Your package is waiting!" is fake! ∗∗∗
---------------------------------------------
Criminals are increasingly sending e-mails in the name of the Post with the subject "Dein Paket wartet !" ("Your package is waiting!"). A delivery fee of 1.69 euros is supposedly outstanding. Caution: the e-mails are entirely made up. The criminals use spoofing to make the e-mail address look genuine and link to a replica of the Post website.
---------------------------------------------
https://www.watchlist-internet.at/news/post-e-mail-dein-paket-wartet-ist-fa…
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (samba), Debian (apache2 and python-django), Fedora (kernel and phpMyAdmin), Mageia (kernel and kernel-linus), openSUSE (samba), Oracle (nginx:1.20 and samba), Red Hat (cryptsetup, java-1.8.0-ibm, kernel, nodejs:14, rpm, and vim), SUSE (kernel, python-Django, python-Django1, and samba), and Ubuntu (cron).
---------------------------------------------
https://lwn.net/Articles/883541/
∗∗∗ Google Releases Security Updates for Chrome ∗∗∗
---------------------------------------------
Google has released Chrome versions 98.0.4758.80/81/82 for Windows and 98.0.4758.80 for Mac and Linux. These versions address vulnerabilities that an attacker could exploit to take control of an affected system.
---------------------------------------------
https://us-cert.cisa.gov/ncas/current-activity/2022/02/02/google-releases-s…
∗∗∗ Vulnerability Spotlight: Multiple vulnerabilities in Sealevel SeaConnect ∗∗∗
---------------------------------------------
Cisco Talos recently discovered several vulnerabilities in Sealevel Systems Inc.’s SeaConnect internet-of-things edge device — many of which could allow an attacker to conduct a man-in-the-middle attack or execute remote code on the targeted device.
The SeaConnect 370W is a WiFi-connected edge device commonly used in industrial control system (ICS) environments that allow users to remotely monitor and control the status of real-world I/O processes. This device offers remote control via MQTT, Modbus TCP and a manufacturer-specific interface referred to as the "SeaMAX API."
---------------------------------------------
http://blog.talosintelligence.com/2022/02/vuln-spotlight-sea-level-connect.…
∗∗∗ Cisco Prime Service Catalog Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Umbrella Secure Web Gateway File Inspection Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Small Business RV Series Routers Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco DNA Center Information Disclosure Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ FortiAuthenticator - Improper access control in HA service ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-20-217
∗∗∗ FortiMail - reflected cross-site scripting vulnerability in FortiGuard URI protection ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-185
∗∗∗ FortiExtender - Arbitrary command execution because of missing CLI input sanitization ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-148
∗∗∗ FortiWeb - OS command injection due to unsafe input validation function ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-166
∗∗∗ FortiWeb - Stack-based buffer overflow in command line interpreter ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-132
∗∗∗ FortiWeb - OS command injection due to direct input interpolation in API controllers ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-180
∗∗∗ FortiWeb - arbitrary file/directory deletion ∗∗∗
---------------------------------------------
https://fortiguard.fortinet.com/psirt/FG-IR-21-158
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to leaking sensitive information due to CVE-2021-3712 in OpenSSL ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ K74013101: Binutils vulnerability CVE-2021-42574 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K74013101?utm_source=f5support&utm_mediu…
∗∗∗ K28622040: Python vulnerability CVE-2019-9948 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28622040?utm_source=f5support&utm_mediu…
∗∗∗ Advantech ADAM-3600 ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-032-02
=====================
= End-of-Day report =
=====================
Timeframe: Monday 31-01-2022 18:00 − Tuesday 01-02-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ BSI IT-Grundschutz Compendium 2022: new modules, leaner structure ∗∗∗
---------------------------------------------
The 2022 edition of the IT-Grundschutz Compendium comes with some new modules, but also with structural changes.
---------------------------------------------
https://heise.de/-6344956
∗∗∗ SMS from "Bawag" saying "Your account has been locked!" is fake ∗∗∗
---------------------------------------------
Caution: a fraudulent SMS, supposedly from Bawag, is currently circulating. The message informs you that your account has been locked. You are asked to click on a link. Do not do so under any circumstances. The link leads to a fake BAWAG login page.
---------------------------------------------
https://www.watchlist-internet.at/news/sms-der-bawag-mit-ihr-konto-wurde-ge…
∗∗∗ Domain Escalation – Machine Accounts ∗∗∗
---------------------------------------------
The pass the hash technique is not new and it was usually used for lateral movement on the network in scenarios where the administrator password hash could not be cracked due to complexity or assessment time constraints. However, performing pass the hash with machine accounts instead of local administrator accounts is not very common even though it has been described in an article by Adam Chester years ago and could be used in scenarios where the host is part of an elevated group such as the domain admins.
---------------------------------------------
https://pentestlab.blog/2022/02/01/machine-accounts/
∗∗∗ Updates released for multiple vulnerabilities found in 42 Gears SureMDM products ∗∗∗
---------------------------------------------
42 Gears released an initial set of updates in November and more earlier this month.
---------------------------------------------
https://www.zdnet.com/article/multiple-vulnerabilities-found-in-42-gears-su…
=====================
= Vulnerabilities =
=====================
∗∗∗ ZDI-22-146: Esri ArcReader PMF File Parsing Use-After-Free Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Esri ArcReader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-146/
∗∗∗ ZDI-22-148: ESET Endpoint Antivirus Unnecessary Privileges Local Privilege Escalation Vulnerability ∗∗∗
---------------------------------------------
This vulnerability allows local attackers to escalate privileges on affected installations of ESET Endpoint Antivirus. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
---------------------------------------------
http://www.zerodayinitiative.com/advisories/ZDI-22-148/
∗∗∗ Rate - Critical - Unsupported - SA-CONTRIB-2022-010 ∗∗∗
---------------------------------------------
2022-01-31 a new maintainer has stepped forward and this module has been updated. The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. If you would like to maintain this project, please read: [...]
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-010
∗∗∗ WordPress plug-in Essential Addons for Elementor as a conduit for malicious code ∗∗∗
---------------------------------------------
In the current version of Essential Addons for Elementor, the developers have closed a security vulnerability.
---------------------------------------------
https://heise.de/-6344583
∗∗∗ VMSA-2022-0003 ∗∗∗
---------------------------------------------
VMware Cloud Foundation contains an information disclosure vulnerability due to the logging of plaintext credentials within some log files.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2022-0003.html
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (ipython), Fedora (kernel and usbview), Gentoo (webkit-gtk), Oracle (java-1.8.0-openjdk), Red Hat (kpatch-patch and samba), Scientific Linux (samba), Slackware (kernel), SUSE (kernel and samba), and Ubuntu (samba).
---------------------------------------------
https://lwn.net/Articles/883423/
∗∗∗ Ricon Mobile Industrial Cellular Router ∗∗∗
---------------------------------------------
This advisory contains mitigations for an OS Command Injection vulnerability in the Ricon Mobile Industrial Cellular Router mobile network router.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-032-01
∗∗∗ Advantech ADAM-3600 ∗∗∗
---------------------------------------------
This advisory contains mitigations for a Use of Hard-coded Cryptographic Key vulnerability in Advantech ADAM-3600 remote terminal units.
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-21-032-02
∗∗∗ January 31, 2022 TNS-2022-04 [R1] Nessus 10.1.0 Fixes One Third-Party Vulnerability ∗∗∗
---------------------------------------------
http://www.tenable.com/security/tns-2022-04
∗∗∗ K59563964: Apache Log4j Remote Code Execution vulnerability CVE-2022-23302 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K59563964
∗∗∗ K97120268: Apache Log4j SQL injection vulnerability CVE-2022-23305 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K97120268
∗∗∗ K00322972: Apache Log4j Chainsaw vulnerability CVE-2022-23307 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K00322972
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security Bulletin: Publicly disclosed vulnerability (CVE-2021-4034) in Polkit affects IBM Netezza PDA OS Security ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-publicly-disclosed-vulner…
∗∗∗ Security Bulletin: Vulnerabilities in PostgreSQL, Node.js, and Data Tables from Spry Media may affect IBM Spectrum Protect Plus ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-postgr…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerabilities in Golang Go, MinIO, and Python may affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and OpenShift ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-golang…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerablity-in-apache-lo…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may impact IBM Spectrum Protect Plus (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Designer Authoring operands and Integration Server operands that use the JDBC connector may be vulnerable to remote code execution due to CVE-2021-44228 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046) and denial of service due to Apache Log4j (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris…
∗∗∗ Security Bulletin: IBM Security Verify Access fixed a security vulnerability in the product. ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-acces…
∗∗∗ Security Bulletin: IBM TRIRIGA Indoor Maps, a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to arbitrary code execution due to Apache Log4j library vulnerability (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-indoor-maps-a…
∗∗∗ Security Bulletin: Cross-site scripting and session fixation vulnerability in IBM Financial Transaction Manager for SWIFT Services ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 28-01-2022 18:00 − Monday 31-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Log4Shell: Taking stock ∗∗∗
---------------------------------------------
After the panic over the biggest security vulnerability of all time, the big bang failed to materialize. Is it still to come, or have we got through the worst?
---------------------------------------------
https://heise.de/-6342536
∗∗∗ Dubious moving companies: beware of offers that are too cheap ∗∗∗
---------------------------------------------
Are you in the middle of moving and looking for a moving company? Our tip: do not be fooled by cheap offers! Fixed-price offers of "25 euros per hour for 2 men including truck" are completely unrealistic. This is a bait offer. If you hire them, you will ultimately be charged 3 to 4 times the price!
---------------------------------------------
https://www.watchlist-internet.at/news/unserioese-umzugsfirmen-vorsicht-bei…
∗∗∗ 277,000 routers exposed to Eternal Silence attacks via UPnP ∗∗∗
---------------------------------------------
A malicious campaign known as Eternal Silence is abusing Universal Plug and Play (UPnP) to turn your router into a proxy server used to launch malicious attacks while hiding the location of the threat actors.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/277-000-routers-exposed-to-e…
∗∗∗ Be careful with RPMSG files, (Mon, Jan 31st) ∗∗∗
---------------------------------------------
Not many people are aware of ".rpmsg" files. The file extension means "restricted-permission message". They are used to deliver email messages between people and implement some controls applied at the recipient side. Such permissions are, for example, the right to forward or copy the original email.
---------------------------------------------
https://isc.sans.edu/diary/rss/28292
∗∗∗ Rip Raw - A tool to analyse the memory of compromised Linux systems ∗∗∗
---------------------------------------------
It is similar in purpose to Bulk Extractor, but particularly focused on extracting system Logs from memory dumps from Linux systems. This enables you to analyse systems without needing to generate a profile. This is not a replacement for tools such as Rekall and Volatility which use a profile to perform a more structured analysis of memory.
---------------------------------------------
https://github.com/cado-security/rip_raw
∗∗∗ TrendNET AC2600 RCE via WAN ∗∗∗
---------------------------------------------
This blog provides a walkthrough of how to gain RCE on the TrendNET AC2600 (model TEW-827DRU specifically) consumer router via the WAN interface. There is currently no publicly available patch for these issues; therefore only a subset of issues disclosed in TRA-2021–54 will be discussed in this post.
---------------------------------------------
https://medium.com/tenable-techblog/trendnet-ac2600-rce-via-wan-8926b29908a4
∗∗∗ On our own behalf: CERT.at is hiring (Junior IT Security Analyst, IT Security Analyst, Python Developer) ∗∗∗
---------------------------------------------
We are currently looking for:
- A career starter or career changer with a strong interest in IT security to support the daily routine tasks
- An IT/OT security generalist, or a specialist in Windows security, with practical experience
- A Python developer to further develop existing open-source projects, in particular IntelMQ and Tuency
Details can be found on our jobs page.
---------------------------------------------
https://cert.at/de/blog/2022/1/in-eigener-sache-certat-sucht-verstarkung-ju…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#119678: Samba vfs_fruit module insecurely handles extended file attributes ∗∗∗
---------------------------------------------
The Samba vfs_fruit module allows out-of-bounds heap read and write via extended file attributes (CVE-2021-44142). This vulnerability allows a remote attacker to execute arbitrary code with root privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/119678
∗∗∗ ABB: SECURITY - OPC Server for AC 800M - Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
ABB is aware that OPC Server for AC 800M contains a Remote Code Execution vulnerability. An authenticated remote user with low privileges who successfully exploited this vulnerability could insert and execute arbitrary code in the node running the AC800M OPC Server.
---------------------------------------------
https://www02.abb.com/GLOBAL/GAD/GAD01626.NSF/0/B0A9E56BA54C9C3AC12587DB002…
∗∗∗ Lenovo Security Advisory: LEN-78122 - Intel Graphics Drivers Advisory ∗∗∗
---------------------------------------------
Intel reported potential security vulnerabilities in some Intel Graphics Drivers that may allow escalation of privilege or denial of service.
---------------------------------------------
https://support.lenovo.com/at/en/product_security/ps500462-intel-graphics-d…
∗∗∗ OpenSSL Security Advisory [28 January 2022] - BN_mod_exp may produce incorrect results on MIPS (CVE-2021-4160) ∗∗∗
---------------------------------------------
There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.
---------------------------------------------
https://openssl.org/news/secadv/20220128.txt
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (apache-log4j1.2, expat, libraw, prosody, and python-nbxmpp), Fedora (chromium, hiredis, java-11-openjdk, java-latest-openjdk, lua, rust-afterburn, rust-ammonia, rust-askalono-cli, rust-below, rust-cargo-c, rust-cargo-insta, rust-fd-find, rust-insta, rust-lsd, rust-oxipng, rust-python-launcher, rust-ripgrep, rust-ron, rust-ron0.6, rust-similar, rust-similar-asserts, rust-skim, rust-thread_local, rust-tokei, vim, wpa_supplicant, and zola), Gentoo [...]
---------------------------------------------
https://lwn.net/Articles/883322/
∗∗∗ SBA-ADV-20220127-01: Shibboleth Identity Provider OIDC OP Plugin Server-Side Request Forgery ∗∗∗
---------------------------------------------
Shibboleth Identity Provider OIDC OP plugin 3.0.3 or below is prone to a server-side request forgery (SSRF) vulnerability due to an insufficient restriction of the `request_uri` parameter. This allows unauthenticated attackers to interact with arbitrary third-party HTTP services.
---------------------------------------------
https://github.com/sbaresearch/advisories/commit/65856734acca54052de34b5206…
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
∗∗∗ Multiple Critical Vulnerabilities in Korenix Technology JetWave products ∗∗∗
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner…
∗∗∗ K54450124: NSS vulnerability CVE-2021-43527 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54450124
∗∗∗ K46015513: Polkit pkexec vulnerability CVE-2021-4034 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K46015513
∗∗∗ WAGO: Vulnerable WIBU-SYSTEMS Codemeter installed through e!COCKPIT and WAGO-I/O-Pro ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-002/
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 27-01-2022 18:00 − Friday 28-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Let's Encrypt: what admins need to do today ∗∗∗
---------------------------------------------
Today at 17:00, Let's Encrypt will revoke certificates. We describe how admins can check whether they are affected. A guide by Hanno Böck
---------------------------------------------
https://www.golem.de/news/let-s-encrypt-was-admins-heute-tun-muessen-2201-1…
∗∗∗ Fake prize draw leads into subscription trap: fraudsters pose as Ö-Ticket! ∗∗∗
---------------------------------------------
On Facebook, criminals using the page "Oeticket Österreich" pose as Ö-Ticket and advertise the "prize draw of the year". The prize is 2 tickets for an Ed Sheeran concert. But beware: with this scam the criminals try to get hold of your credit card details and lure you into a subscription trap.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-gewinnspiel-fuehrt-in-abo-falle…
∗∗∗ QNAP tries forced update after 3,600 DeadBolt ransomware infections ∗∗∗
---------------------------------------------
QNAP users are apparently currently falling victim to the DeadBolt ransomware; I did not cover it in the blog, but within a week there were apparently more than 3,600 victims. The NAS manufacturer is now resorting to drastic measures and is trying to forcibly update the firmware of affected devices.
---------------------------------------------
https://www.borncity.com/blog/2022/01/28/qnap-probt-zwangsupdate-nach-3-600…
∗∗∗ EU to create pan-European cyber incident coordination framework ∗∗∗
---------------------------------------------
The European Systemic Risk Board (ESRB) proposed a new systemic cyber incident coordination framework that would allow EU relevant authorities to better coordinate when having to respond to major cross-border cyber incidents impacting the Union's financial sector.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/eu-to-create-pan-european-cy…
∗∗∗ Doctor Web’s December 2021 review of virus activity on mobile devices ∗∗∗
---------------------------------------------
According to detection statistics from Dr.Web for Android anti-virus products, adware trojans remained the most active Android threat in December. Another common threat detected on protected devices was malware that downloaded other apps. At the same time, more threats have been found on Google Play, like fake apps from the Android.FakeApp malware family. These are used in various fraudulent schemes.
---------------------------------------------
https://news.drweb.com/show/?i=14408&lng=en&c=9
∗∗∗ Doctor Web’s December 2021 virus activity review ∗∗∗
---------------------------------------------
Our December analysis of Dr.Web’s statistics revealed a 34% increase in the total number of threats compared to the previous month. The number of unique threats decreased by 15%. Nonetheless, adware still made up the majority of detected threats. These threats manifested with different types of malware. A variety of malware, including backdoors, was most often distributed in mail traffic.
---------------------------------------------
https://news.drweb.com/show/?i=14410&lng=en&c=9
∗∗∗ Why are WordPress Websites Targeted by Hackers? ∗∗∗
---------------------------------------------
If you are wondering why your WordPress site keeps getting hacked, or why you’re being targeted by hackers, we’ve compiled some of the top reasons for you. WordPress is one of the most commonly used Content Management Systems across the modern web. Currently over 445 million websites are utilizing WordPress. With a make up of over 40% of sites on the web utilizing WordPress to some extent, it’s only expected for bad actors to take advantage of its popularity.
---------------------------------------------
https://blog.sucuri.net/2022/01/why-are-wordpress-sites-targeted-by-hackers…
∗∗∗ Hackers Using Device Registration Trick to Attack Enterprises with Lateral Phishing ∗∗∗
---------------------------------------------
Microsoft has disclosed details of a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices on a victim's network to further propagate spam emails and widen the infection pool. The tech giant said the attacks manifested through accounts that were not secured using multi-factor authentication (MFA), thereby making it possible for the adversary to take advantage of the target's bring-your-own-device (BYOD) policy and introduce their own rogue devices using the pilfered credentials.
---------------------------------------------
https://thehackernews.com/2022/01/hackers-using-device-registration-trick.h…
∗∗∗ How to avoid an open source security nightmare ∗∗∗
---------------------------------------------
Just as it would be a mistake to say that all closed source projects are bug-free, it's a mistake to say that all open source projects are security risks. Different projects have different focuses; some of them are much more concerned with the security of their releases.
---------------------------------------------
https://www.zdnet.com/article/how-to-avoid-an-open-source-security-nightmar…
∗∗∗ Weekly Threat Report 28th January 2022 ∗∗∗
---------------------------------------------
Read about the Mirai-based malware exploiting poor security, CISA updates and New Scanning Made Easy trial service from the NCSC
---------------------------------------------
https://www.ncsc.gov.uk/report/weekly-threat-report-28th-january-2022
=====================
= Vulnerabilities =
=====================
∗∗∗ Security updates available in Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1 ∗∗∗
---------------------------------------------
Foxit has released Foxit PDF Reader 11.2.1 and Foxit PDF Editor 11.2.1, which address potential security and stability issues. CVE-2018-1285, CVE-2021-40420, CVE-2021-44708, CVE-2021-44709, CVE-2021-44740, CVE-2021-44741, CVE-2022-22150
---------------------------------------------
https://www.foxit.com/support/security-bulletins.html
∗∗∗ VMSA-2021-0028 - VMware Response to Apache Log4j Remote Code Execution Vulnerabilities (CVE-2021-44228, CVE-2021-45046) ∗∗∗
---------------------------------------------
2022-01-27: VMSA-2022-0028.10 - Revised advisory with updates to multiple products, including vCenter Server.
---------------------------------------------
https://www.vmware.com/security/advisories/VMSA-2021-0028.html
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (java-1.8.0-openjdk), Debian (graphicsmagick), Fedora (grafana), Mageia (aom and roundcubemail), openSUSE (log4j and qemu), Oracle (parfait:0.5), Red Hat (java-1.7.1-ibm and java-1.8.0-openjdk), Slackware (expat), SUSE (containerd, docker, log4j, and strongswan), and Ubuntu (cpio, shadow, and webkit2gtk).
---------------------------------------------
https://lwn.net/Articles/883047/
∗∗∗ Denial of Service in Rexroth ActiveMover using Profinet protocol ∗∗∗
---------------------------------------------
BOSCH-SA-637429: The ActiveMover with Profinet communication module (Rexroth no. 3842 559 445) sold by Bosch Rexroth contains communication technology from Hilscher (PROFINET IO Device V3) in which a vulnerability with high severity has been discovered. A Denial of Service vulnerability may lead to unexpected loss of cyclic communication or interruption of acyclic communication.
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-637429.html
∗∗∗ IBM Security Bulletins ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 26-01-2022 18:00 − Thursday 27-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ CVE-2020-0696 - Microsoft Outlook Security Feature Bypass Vulnerability ∗∗∗
---------------------------------------------
How are the email security systems bypassed with vulnerability on "Microsoft Outlook for Mac"? Improper hyperlink translation in "Microsoft Outlook for Mac" leads to the complete bypassing of email security systems and sending the malicious link to the victim as clickable. [..] The below investigation was performed with trial accounts provided by multiple vendors and reported responsibly to Microsoft, which has taken action to remedy the problem.
---------------------------------------------
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2020-06…
∗∗∗ Round of updates: macOS 12.2, watchOS 8.4 and tvOS 15.3 fix bugs ∗∗∗
---------------------------------------------
Alongside iOS and iPadOS 15.3, Apple has also updated all of its other operating systems. There is also a HomePod OS update.
---------------------------------------------
https://heise.de/-6340079
∗∗∗ Hackers Using New Evasive Technique to Deliver AsyncRAT Malware ∗∗∗
---------------------------------------------
[..] Opening the decoy file redirects the message recipient to a web page prompting the user to save an ISO file. But unlike other attacks that route the victim to a phishing domain set up explicitly for downloading the next-stage malware, the latest RAT campaign cleverly uses JavaScript to locally create the ISO file from a Base64-encoded string and mimic the download process.
---------------------------------------------
https://thehackernews.com/2022/01/hackers-using-new-evasive-technique-to.ht…
∗∗∗ Configuring Linux auditd for Threat Detection ∗∗∗
---------------------------------------------
The topics I look to cover in this article are
- Quick intro to the Linux Audit System
- Tips when writing audit rules
- Designing a configuration for security monitoring
- What to record with auditd
- Tips on managing noise
---------------------------------------------
https://izyknows.medium.com/linux-auditd-for-threat-detection-d06c8b941505
∗∗∗ Financially Motivated Mobile Scamware Exceeds 100M Installations ∗∗∗
---------------------------------------------
In the pursuit of identifying and taking down similar financially motivated scams, zLabs researchers have discovered another premium service abuse campaign with upwards of 105 million victims globally, which we have named Dark Herring. [..] At the time of publishing, the scam services and phishing sites are no longer active, and Google has removed all the malicious applications from Google Play.
---------------------------------------------
https://blog.zimperium.com/dark-herring-android-scamware-exceeds-100m-insta…
∗∗∗ Act now! DeadBolt ransomware is targeting Qnap NAS devices ∗∗∗
---------------------------------------------
Qnap, the maker of network-attached storage (NAS) devices, is once again warning of ransomware attacks and gives important hardening tips.
---------------------------------------------
https://heise.de/-6340174
∗∗∗ Fraud using imitation buyer protection on ebay-kleinanzeigen.de ∗∗∗
---------------------------------------------
eBay-kleinanzeigen.de is a popular classified-ads platform. As on some other well-known marketplaces, a secure payment method is offered directly on the platform here too. Criminals exploit this by moving the communication away from the official website and app, for example to WhatsApp. Later they point to imitation websites and divert payments straight into their own pockets!
---------------------------------------------
https://www.watchlist-internet.at/news/betrug-mit-nachgebautem-kaeuferschut…
∗∗∗ The January 2022 Security Update Review ∗∗∗
---------------------------------------------
The first patch Tuesday of the year is here, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.
---------------------------------------------
https://www.thezdi.com/blog/2022/1/11/the-january-2022-security-update-revi…
=====================
= Vulnerabilities =
=====================
∗∗∗ Private Taxonomy Terms - Critical - Access bypass, Information Disclosure, Multiple vulnerabilities - SA-CONTRIB-2022-014 ∗∗∗
---------------------------------------------
Project: Private Taxonomy Terms
Security risk: Critical
Description: This module enables users to create private vocabularies. The module doesn't sufficiently check user access permissions when attempting to view, edit, or add terms to vocabularies, including vocabularies not managed by the module.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-014
∗∗∗ Navbar - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-011 ∗∗∗
---------------------------------------------
Project: Navbar
Security risk: Moderately critical
Description: This module provides a very simple, mobile-friendly navigation toolbar. The module doesn't sufficiently check for user-provided input.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-011
∗∗∗ Xerox Versalink Denial Of Service ∗∗∗
---------------------------------------------
A specifically crafted TIFF payload may be submitted to the printer's job queue (in person or over the network) by unauthenticated/unprivileged users or network or internet attackers by means of a JavaScript payload. The device will panic upon attempting to read the submitted file and a physical reboot will be required. Upon reboot, the device will attempt to resume the last-printed job, triggering the panic once more. The process repeats ad infinitum.
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022010119
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (polkit), Debian (uriparser), Fedora (cryptsetup, flatpak, flatpak-builder, and polkit), Gentoo (polkit), Mageia (virtualbox), Red Hat (httpd24-httpd, httpd:2.4, and parfait:0.5), SUSE (clamav, log4j, python-numpy, and strongswan), and Ubuntu (vim).
---------------------------------------------
https://lwn.net/Articles/882882/
∗∗∗ Synology-SA-22:02 Samba ∗∗∗
---------------------------------------------
A vulnerability allows remote authenticated users to execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM).
---------------------------------------------
https://www.synology.com/en-global/support/security/Synology_SA_22_02
∗∗∗ Drupal: Bugs in unsupported sub-projects ∗∗∗
---------------------------------------------
The security team is marking this project unsupported. There is a known security issue with the project that has not been fixed by the maintainer. [..] If you use this project, you should uninstall it.
- Printer, email and PDF versions - Critical - Unsupported - SA-CONTRIB-2022-022 https://www.drupal.org/sa-contrib-2022-022
- Image Media Export Import - Critical - Unsupported - SA-CONTRIB-2022-021 https://www.drupal.org/sa-contrib-2022-021
- Remote Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-020 https://www.drupal.org/sa-contrib-2022-020
- Vendor Stream Wrapper - Critical - Unsupported - SA-CONTRIB-2022-019 https://www.drupal.org/sa-contrib-2022-019
- Cog - Critical - Unsupported - SA-CONTRIB-2022-018 https://www.drupal.org/sa-contrib-2022-018
- Media Entity Flickr - Critical - Unsupported - SA-CONTRIB-2022-017 https://www.drupal.org/sa-contrib-2022-017
- Vocabulary Permissions Per Role - Critical - Unsupported - SA-CONTRIB-2022-016 https://www.drupal.org/sa-contrib-2022-016
- Exif - Critical - Unsupported - SA-CONTRIB-2022-015 https://www.drupal.org/sa-contrib-2022-015
- Business Responsive Theme - Critical - Unsupported - SA-CONTRIB-2022-013 https://www.drupal.org/sa-contrib-2022-013
- Swiftype integration - Critical - Unsupported - SA-CONTRIB-2022-012 https://www.drupal.org/sa-contrib-2022-012
- Rate - Critical - Unsupported - SA-CONTRIB-2022-010 https://www.drupal.org/sa-contrib-2022-010
- Expire reset password link - Critical - Unsupported - SA-CONTRIB-2022-009 https://www.drupal.org/sa-contrib-2022-009
- Admin Toolbar Search - Critical - Unsupported - SA-CONTRIB-2022-008 https://www.drupal.org/sa-contrib-2022-008
- Colorbox - Critical - Unsupported - SA-CONTRIB-2022-007 https://www.drupal.org/sa-contrib-2022-007
- Prevent anonymous users to access Drupal pages - Critical - Unsupported - SA-CONTRIB-2022-005 https://www.drupal.org/sa-contrib-2022-005
- Taxonomy Access Control Lite - Critical - Unsupported - SA-CONTRIB-2022-006 https://www.drupal.org/sa-contrib-2022-006
---------------------------------------------
https://www.drupal.org/security/contrib
∗∗∗ Security Bulletin: IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletinibm-db2-on-openshift-and-i…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Vulnerabilities in Node.js affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-22960, CVE-2021-22959 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-node-j…
∗∗∗ Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-speech-service…
∗∗∗ Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in Log4j (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-megaraid-storage-mana…
∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli…
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 25-01-2022 18:00 − Wednesday 26-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ ALPN: One percent of Let's Encrypt certificates are being revoked ∗∗∗
---------------------------------------------
Let's Encrypt reports that there were problems with the ALPN validation method and that certificates issued with it are being revoked.
---------------------------------------------
https://www.golem.de/news/alpn-ein-prozent-der-let-s-encrypt-zertifikate-wi…
∗∗∗ Over 20 thousand servers have their iLO interfaces exposed to the internet, many with outdated and vulnerable versions of FW, (Wed, Jan 26th) ∗∗∗
---------------------------------------------
Integrated Lights-Out (iLO) is a low-level server management system intended for out-of-band configuration, which is embedded by Hewlett-Packard Enterprise on some of their servers. Besides its use for maintenance, it is often used by administrators for an emergency access to the server when everything "above it" (hypervisor or OS) fails and/or is unreachable. Since these kinds of platforms/interfaces are quite sensitive from the security standpoint, access to them should always be limited to relevant administrator groups only and their firmware should always be kept up to date.
---------------------------------------------
https://isc.sans.edu/diary/rss/28276
∗∗∗ German govt warns of APT27 hackers backdooring business networks ∗∗∗
---------------------------------------------
"It cannot be ruled out that the actors, in addition to stealing business secrets and intellectual property, also try to infiltrate the networks of (corporate) customers or service providers (supply chain attack)." The BfV also published indicators of compromise (IOCs) and YARA rules to help targeted German organizations to check for HyperBro infections and connections to APT27 command-and-control (C2) servers.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/german-govt-warns-of-apt27-h…
∗∗∗ Sysdig report: Most container deployments contain vulnerabilities ∗∗∗
---------------------------------------------
Sysdig observes a continuing shift left in container security, but many vulnerabilities remain unpatched and permission configurations remain inadequate.
---------------------------------------------
https://heise.de/-6336816
∗∗∗ Root access on Linux through Polkit flaw ∗∗∗
---------------------------------------------
Security researchers have discovered a vulnerability in Polkit that allows privilege escalation. Patches are already available for many distributions.
---------------------------------------------
https://heise.de/-6338569
∗∗∗ Fake shops pose as shops for department store liquidations ∗∗∗
---------------------------------------------
We are currently coming across a growing number of fake shops that claim to specialise in department store liquidations or to sell surplus stock from Amazon or from department stores. That is also how they justify their low prices for branded products such as KitchenAid, Weber or DeLonghi. But anyone who looks closely will recognise that these are fake shops.
---------------------------------------------
https://www.watchlist-internet.at/news/fake-shops-geben-sich-als-shops-fuer…
∗∗∗ Vidar Exploiting Social Media Platform (Mastodon) ∗∗∗
---------------------------------------------
The ASEC analysis team has recently discovered that Vidar is exploiting a social media platform named Mastodon to create C&C server addresses. Vidar is an info-stealer malware installed through spam emails and PUP, sometimes being disguised as a KMSAuto authenticator tool. It has been consistently distributed since the past, and there was a recent case of it being installed through other types of malware such as Stop ransomware.
---------------------------------------------
https://asec.ahnlab.com/en/30875/
=====================
= Vulnerabilities =
=====================
∗∗∗ Multiple vulnerabilities in TransmitMail ∗∗∗
---------------------------------------------
TransmitMail is a PHP based mail form system. TransmitMail contains multiple vulnerabilities listed below.
- Directory traversal vulnerability due to the improper validation of external input values (CWE-22) - CVE-2022-22146
- Cross-site scripting (CWE-79) - CVE-2022-21193
---------------------------------------------
https://jvn.jp/en/jp/JVN70100915/
∗∗∗ Security Update - Fix available for a privilege escalation vulnerability ∗∗∗
---------------------------------------------
This notification is in regard to an elevation of privilege vulnerability (CVE-2022-23863) that was recently identified and fixed in Desktop Central and Desktop Central MSP. [...] A privilege escalation vulnerability that may allow an authenticated user to change passwords of a more privileged account.
---------------------------------------------
https://pitstop.manageengine.com/portal/en/community/topic/security-update-…
∗∗∗ Denial of service & User Enumeration in WAGO 750-8xxx PLC ∗∗∗
---------------------------------------------
The Wago PLC models 750-8xxx are prone to multiple security vulnerabilities. These include a Denial-of-Service (DoS) of the connection to the Codesys service and the enumeration of usernames via a timing sidechannel. By exploiting these vulnerabilities, the remote usage of the Codesys services can be prevented and existing usernames on the device can be identified. [..] WAGO's customers should upgrade the firmware to the latest version available.
---------------------------------------------
https://sec-consult.com/vulnerability-lab/advisory/denial-of-service-user-e…
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (httpd), Debian (libxfont, lrzsz, nss, openjdk-17, policykit-1, webkit2gtk, and wpewebkit), Mageia (polkit), openSUSE (expat, json-c, kernel, polkit, qemu, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), Oracle (httpd:2.4, java-11-openjdk, and polkit), Red Hat (httpd:2.4, OpenShift Container Platform 3.11.570, polkit, and Red Hat OpenStack Platform 16.1 (etcd)), Scientific Linux (polkit), Slackware (polkit), SUSE (aide, expat, firefox, json-c, kernel, polkit, qemu, rust, rust1.55, rust1.57, thunderbird, unbound, and webkit2gtk3), and Ubuntu (policykit-1 and xorg-server).
---------------------------------------------
https://lwn.net/Articles/882724/
∗∗∗ Security Advisory - Laser Command Injection Vulnerability on Huawei Terminals ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220126-…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-24122 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-41079 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30639 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Jan 2022 V1) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Automation is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-automat…
∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi…
∗∗∗ Security Bulletin: IBM Observability by Instana and IBM Observability with Instana – Server and Agents are vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-observability-by-inst…
∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Db2 Web Query for i is vulnerable to arbitrary code execution (CVE-2021-4104, CVE-2022-23302, and CVE-2022-23307) and SQL injection (CVE-2022-23305) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4…
∗∗∗ Security Bulletin: Tivoli Network Manager IP Edition is vulnerable to a denial of service vulnerability (CVE-2021-30468) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-tivoli-network-manager-ip…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-17527 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2020-13935 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-30640 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-33037 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-…
∗∗∗ GE Gas Power ToolBoxST ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-025-01
∗∗∗ Injection of arbitrary HTML code in Bosch Video Security Android App ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-844050-bt.html
=====================
= End-of-Day report =
=====================
Timeframe: Monday 24-01-2022 18:00 − Tuesday 25-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Responsible Disclosure: On finding and reporting security vulnerabilities ∗∗∗
---------------------------------------------
On behalf of an ISP, I found several security vulnerabilities in a Cisco router. Here I explain how I went about it. A field report by Marco Wiorek
---------------------------------------------
https://www.golem.de/news/responsible-disclosure-vom-finden-und-melden-von-…
∗∗∗ Analysis: Linux and ESXi variants of the LockBit ransomware ∗∗∗
---------------------------------------------
Researchers at Trend Micro Research have taken up the topic of LockBit ransomware in an analysis, because this ransomware now threatens more than just Windows systems. There are already samples that can also infect Linux and VMware ESXi instances.
---------------------------------------------
https://www.borncity.com/blog/2022/01/25/analyse-linux-und-esxi-varianten-d…
∗∗∗ Full access through backdoor in WordPress extensions ∗∗∗
---------------------------------------------
During a server break-in, backdoor code ended up in plugins and themes from AccessPress. Attackers could use it to take over WordPress instances.
---------------------------------------------
https://heise.de/-6337344
∗∗∗ Patch now! Attacks on Sonicwall's SMA 100 remote access solution ∗∗∗
---------------------------------------------
Security researchers warn that attackers are currently targeting Sonicwall Secure Mobile Access. Something can be done about it.
---------------------------------------------
https://heise.de/-6337222
∗∗∗ Selling on willhaben, ebay & Co: Do not handle payment and shipping via "Kurierdienst Post" or "ebay Selling" ∗∗∗
---------------------------------------------
Fraudulent buyers are currently increasingly active on ebay, willhaben, Shpock and the like. They can be exposed quickly, though: fraudulent buyers want to handle the payment and shipping of your product via special services. These are supposed courier services from the postal service or ebay. But they are fake!
---------------------------------------------
https://www.watchlist-internet.at/news/verkaufen-auf-willhaben-ebay-co-zahl…
∗∗∗ BRATA Android Trojan Updated with ‘Kill Switch’ that Wipes Devices ∗∗∗
---------------------------------------------
Researchers identify three new versions of the banking trojan that include various new features, including GPS tracking and novel obfuscation techniques.
---------------------------------------------
https://threatpost.com/brata-android-trojan-kill-switch-wipes/177921/
∗∗∗ TrickBot Malware Using New Techniques to Evade Web Injection Attacks ∗∗∗
---------------------------------------------
The cybercrime operators behind the notorious TrickBot malware have once again upped the ante by fine-tuning its techniques by adding multiple layers of defense to slip past antimalware products.
---------------------------------------------
https://thehackernews.com/2022/01/trickbot-malware-using-new-techniques.html
∗∗∗ Hackers Infect macOS with New DazzleSpy Backdoor in Watering-Hole Attacks ∗∗∗
---------------------------------------------
A previously undocumented cyber-espionage malware aimed at Apple's macOS operating system leveraged a Safari web browser exploit as part of a watering hole attack targeting politically active, pro-democracy individuals in Hong Kong. Slovak cybersecurity firm ESET attributed the intrusion to an actor with "strong technical capabilities," [...]
---------------------------------------------
https://thehackernews.com/2022/01/hackers-infect-macos-with-new-dazzlespy.h…
∗∗∗ Weaponization of Excel Add-Ins Part 1: Malicious XLL Files and Agent Tesla Case Studies ∗∗∗
---------------------------------------------
We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent Tesla.
---------------------------------------------
https://unit42.paloaltonetworks.com/excel-add-ins-malicious-xll-files-agent…
∗∗∗ Microsoft warns about this phishing attack that wants to read your emails ∗∗∗
---------------------------------------------
Attackers have targeted hundreds of organisations, says Microsoft security.
---------------------------------------------
https://www.zdnet.com/article/microsoft-warns-about-this-phishing-attack-th…
∗∗∗ Introducing Scanning Made Easy ∗∗∗
---------------------------------------------
A joint effort between the i100 and the NCSC, Scanning Made Easy (SME) will be a collection of NMAP Scripting Engine scripts, designed to help system owners and administrators find systems with specific vulnerabilities. In this blog post I want to give you an idea of the motivation behind the project, and its capabilities.
---------------------------------------------
https://www.ncsc.gov.uk/blog-post/introducing-scanning-made-easy
=====================
= Vulnerabilities =
=====================
∗∗∗ PHOENIX CONTACT: FL SWITCH 2xxx series incorrect privilege assignment ∗∗∗
---------------------------------------------
CVE ID: CVE-2022-22509; CVSS 3.1: 8.8
In Phoenix Contact FL SWITCH Series 2xxx an incorrect privilege assignment allows an unprivileged user to enable full access to the device configuration.
Solution: Upgrade to firmware 3.10 or higher
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2022-001/
∗∗∗ Critical security vulnerability in Unisys Messaging Integration Services ∗∗∗
---------------------------------------------
Due to faulty password checks in Unisys' Messaging Integration Services (NTSI), unauthorized users could gain access to servers.
---------------------------------------------
https://heise.de/-6337226
∗∗∗ Security updates for Tuesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (java-11-openjdk), Debian (aide, apr, ipython, openjdk-11, qt4-x11, and strongswan), Fedora (binaryen and rust), Mageia (expat, htmldoc, libreswan, mysql-connector-c++, phpmyadmin, python-celery, python-numpy, and webkit2), openSUSE (kernel and virtualbox), Red Hat (etcd, libreswan, nodejs:14, OpenJDK 11.0.14, OpenJDK 17.0.2, and rpm), Slackware (expat), SUSE (java-1_7_1-ibm, kernel, and zxing-cpp), and Ubuntu (strongswan).
---------------------------------------------
https://lwn.net/Articles/882552/
∗∗∗ PrinterLogic Patches Code Execution Flaws in Printer Management Suite ∗∗∗
---------------------------------------------
PrinterLogic has released security updates to address a total of nine vulnerabilities in Web Stack and Virtual Appliance, including three security defects that carry "high severity" ratings.
---------------------------------------------
https://www.securityweek.com/printerlogic-patches-code-execution-flaws-prin…
∗∗∗ Trend Micro Worry Free Business Security Critical Patch 2380 and free disk space ∗∗∗
---------------------------------------------
Security vendor Trend Micro has released critical update 2380 for its Worry Free Business Security (WFBS). The patch is meant to fix a security problem in a component that makes the antivirus solution vulnerable. What is not disclosed, however: to install this critical patch, at least 13 gigabytes of disk space must be available on the system drive.
---------------------------------------------
https://www.borncity.com/blog/2022/01/25/trend-micro-worry-free-business-se…
∗∗∗ XSA-395 ∗∗∗
---------------------------------------------
Insufficient cleanup of passed-through device IRQs
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-395.html
∗∗∗ XSA-394 ∗∗∗
---------------------------------------------
A PV guest could DoS Xen while unmapping a grant
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-394.html
∗∗∗ XSA-393 ∗∗∗
---------------------------------------------
arm: guest_physmap_remove_page not removing the p2m mappings
---------------------------------------------
https://xenbits.xen.org/xsa/advisory-393.html
∗∗∗ GNU libc: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0097
∗∗∗ Foxit Reader: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0096
∗∗∗ Node.js: Multiple vulnerabilities ∗∗∗
---------------------------------------------
http://www.cert-bund.de/advisoryshort/CB-K22-0094
∗∗∗ Mattermost security updates 6.3.1, 6.2.2, 6.1.2, 5.37.7 released ∗∗∗
---------------------------------------------
https://mattermost.com/blog/mattermost-security-updates-6-3-1-6-2-2-6-1-2-5…
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to LDAP Injection (CVE-2021-39031) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect Liberty for Java for IBM Cloud October 2021 CPU ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Data Studio Client (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics – Log Analysis (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-remote-code-executi…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Copy Data Management (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-4104) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson…
∗∗∗ Security Bulletin: IBM Security Guardium Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins…
=====================
= End-of-Day report =
=====================
Timeframe: Friday 21-01-2022 18:00 − Monday 24-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ Successful attack on user accounts at Thalia ∗∗∗
---------------------------------------------
To protect customers from harm, Thalia changed the passwords of the affected accounts. The customers concerned were informed by e-mail. In the e-mail, the bookseller also urges them to change their Thalia password at other services if it is used with the same user name at other providers.
---------------------------------------------
https://www.golem.de/news/sicherheit-erfolgreicher-angriff-auf-nutzerkonten…
∗∗∗ Backup software: Dell EMC AppSync can be compromised ∗∗∗
---------------------------------------------
Multiple security vulnerabilities in Dell's EMC AppSync backup software could have allowed attackers to break into affected systems and manipulate them.
---------------------------------------------
https://heise.de/-6334745
∗∗∗ SonicWall explains why firewalls were caught in reboot loops ∗∗∗
---------------------------------------------
In a weekend update, SonicWall said the widespread reboot loops that impacted next-gen firewalls worldwide were caused by signature updates published on Thursday evening not being correctly processed.
---------------------------------------------
https://www.bleepingcomputer.com/news/technology/sonicwall-explains-why-fir…
∗∗∗ Mixed VBA & Excel4 Macro In a Targeted Excel Sheet, (Sat, Jan 22nd) ∗∗∗
---------------------------------------------
Yesterday, Nick, one of our readers, shared with us a very interesting Excel sheet and asked us to check if it was malicious. Guess what? Of course, it was and he accepted to be mentioned in a diary. Thanks to him! This time, we also have the context and how the file was used. It was delivered to the victim and this person was called beforehand to make it more confident with the file. A perfect example of social engineering attack.
---------------------------------------------
https://isc.sans.edu/diary/rss/28264
∗∗∗ Microsoft is now disabling Excel 4.0 macros by default ∗∗∗
---------------------------------------------
Microsoft says that all Excel 4.0 (XLM) macros will now be disabled by default. [...] Sometimes good news in the security world comes later than expected. After three decades of macro viruses, and three decades of trying to convince every single Excel user individually to disable macros, Microsoft is making it the default.
---------------------------------------------
https://blog.malwarebytes.com/reports/2022/01/microsoft-is-now-disabling-ex…
∗∗∗ Emotet Now Using Unconventional IP Address Formats to Evade Detection ∗∗∗
---------------------------------------------
Social engineering campaigns involving the deployment of the Emotet malware botnet have been observed using "unconventional" IP address formats for the first time in a bid to sidestep detection by security solutions. This involves the use of hexadecimal and octal representations of the IP address that, when processed by the underlying operating systems, get automatically converted "to the dotted decimal quad representation to initiate the request from the remote servers, [...]
---------------------------------------------
https://thehackernews.com/2022/01/emotet-now-using-unconventional-ip.html
∗∗∗ GoWard A robust and rapidly-deployable Red Team proxy ∗∗∗
---------------------------------------------
Generally, Red Teams and adversaries redirect their traffic through proxies to protect their backend infrastructure. GoWard proxies HTTP C2 traffic to specified Red Team servers based on the HTTP header of the traffic. GoWard's intent is to help obfuscate Red Team traffic and provide some level of resiliency against Blue Team investigation and mitigation.
---------------------------------------------
https://github.com/chdav/GoWard
∗∗∗ Crime Shop Sells Hacked Logins to Other Crime Shops ∗∗∗
---------------------------------------------
Up for the "Most Meta Cybercrime Offering" award this year is Accountz Club, a new cybercrime store that sells access to purloined accounts at services built for cybercriminals, including shops peddling stolen payment cards and identities, spamming tools, email and phone bombing services, and those selling authentication cookies for a slew of popular websites.
---------------------------------------------
https://krebsonsecurity.com/2022/01/crime-shop-sells-hacked-logins-to-other…
∗∗∗ Dark Souls servers taken offline over hacking fears ∗∗∗
---------------------------------------------
We look at trouble in Dark Souls land after PvP servers were turned off to combat what looked like a nasty exploit. [...] It all begins with a popular streamer playing a Souls game in PvP mode. [...] You’ll also hear the incredibly confused streamer in the background, talking about seeing “powershell.exe” on their screen. This is, it has to be said, not a good sign.
---------------------------------------------
https://blog.malwarebytes.com/hacking-2/2022/01/dark-souls-servers-taken-of…
∗∗∗ Cobalt Strike, a Defender’s Guide – Part 2 ∗∗∗
---------------------------------------------
Our previous article on Cobalt Strike focused on the most frequently used capabilities that we had observed. In this post, we will focus on the network traffic it produced, and [...]
---------------------------------------------
https://thedfirreport.com/2022/01/24/cobalt-strike-a-defenders-guide-part-2/
=====================
= Vulnerabilities =
=====================
∗∗∗ High-Severity Rust Programming Bug Could Lead to File, Directory Deletion ∗∗∗
---------------------------------------------
The maintainers of the Rust programming language have released a security update for a high-severity vulnerability that could be abused by a malicious party to purge files and directories from a vulnerable system in an unauthorized manner. "An attacker could use this security issue to trick a privileged program into deleting files and directories the attacker couldn't otherwise access or delete, [...]
---------------------------------------------
https://thehackernews.com/2022/01/high-severity-rust-programming-bug.html
∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗
---------------------------------------------
A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ CVE-2021-45467: CWP CentOS Web Panel – preauth RCE ∗∗∗
---------------------------------------------
CentOS Web Panel or commonly known as CWP is a popular web hosting management software, used by over 200,000 unique servers, that can be found on Shodan or Census. The vulnerability chain that we used to exploit a full preauth remote command execution as root uses file inclusion (CVE-2021-45467) and file write (CVE-2021-45466) vulnerabilities. In this post we hope to cover our vulnerability research journey, and how we approached this particular target.
---------------------------------------------
https://octagon.net/blog/2022/01/22/cve-2021-45467-cwp-centos-web-panel-pre…
∗∗∗ Security updates for Monday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (chromium, golang-1.7, golang-1.8, pillow, qtsvg-opensource-src, util-linux, and wordpress), Fedora (expat, harfbuzz, kernel, qt5-qtsvg, vim, webkit2gtk3, and zabbix), Mageia (glibc, kernel, and kernel-linus), openSUSE (bind, chromium, and zxing-cpp), Oracle (kernel), Red Hat (java-11-openjdk and kpatch-patch), Scientific Linux (java-11-openjdk), SUSE (bind, clamav, zsh, and zxing-cpp), and Ubuntu (aide, dbus, and thunderbird).
---------------------------------------------
https://lwn.net/Articles/882396/
∗∗∗ phpMyAdmin: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0089
∗∗∗ Security Bulletin: IBM InfoSphere Information Server is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio…
∗∗∗ Security Bulletin: IBM Netcool Agile Service Manager is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-44832, CVE-2021-45046, CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netcool-agile-service…
∗∗∗ Security Bulletin: IBM Sterling Control Center is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-control-cent…
∗∗∗ Security Bulletin: Sensitive information in logs vulnerability affects IBM Sterling Gentran:Server for Windows (CVE-2021-39032) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-sensitive-information-in-…
∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM i ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Archive Enterprise Edition (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM QRadar hardware appliances are vulnerable to Intel privilege escalation (CVE-2021-0144) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-hardware-appli…
∗∗∗ Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-cve-2…
=====================
= End-of-Day report =
=====================
Timeframe: Thursday 20-01-2022 18:00 − Friday 21-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ iOS 15.3 & Co: Important bug fixes for iPhones, Macs and Watches in preparation ∗∗∗
---------------------------------------------
Apple's upcoming operating system updates close a serious privacy leak in the Safari browser and are intended to resolve charging problems with the Apple Watch.
---------------------------------------------
https://heise.de/-6334675
∗∗∗ Network equipment vendor F5 secures BIG-IP & Co. against possible attacks ∗∗∗
---------------------------------------------
Vulnerabilities in various BIG-IP appliances could allow malicious code to reach systems.
---------------------------------------------
https://heise.de/-6334437
∗∗∗ Caution: Fake Europol summonses in circulation! ∗∗∗
---------------------------------------------
Criminals are currently posing as Europol and sending out a "summons" that appears very threatening to many recipients: the criminals claim that several court proceedings are under way against those affected. Specifically, these are said to concern child pornography, paedophilia and the like. Even though the e-mail sounds very frightening, there is no reason to worry!
---------------------------------------------
https://www.watchlist-internet.at/news/vorsicht-gefaelschte-europol-vorladu…
∗∗∗ SonicWall Gen7 Firewall Inaccessible/ Reboot Loop (20. Jan. 2022) ∗∗∗
---------------------------------------------
It currently appears that SonicWall Gen7 firewalls have been causing a problem since 20 January 2022. There are reports that access is no longer possible or that the Gen7 firewall falls into a reboot loop. SonicWall has already published a support article with a workaround.
---------------------------------------------
https://www.borncity.com/blog/2022/01/21/sonicwall-gen7-firewall-inaccessib…
∗∗∗ Over 90 WordPress themes, plugins backdoored in supply chain attack ∗∗∗
---------------------------------------------
A massive supply chain attack compromised 93 WordPress themes and plugins to contain a backdoor, giving threat-actors full access to websites.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/over-90-wordpress-themes-plu…
∗∗∗ Doctor Web’s overview of virus activity on mobile devices in 2021 ∗∗∗
---------------------------------------------
In 2021, making illegal profit remained one of the top cybercriminals’ priorities. That’s why adware trojans, malware that downloaded and installed other software, and trojans capable of downloading and executing arbitrary code, were among the most common threats on Android. Banking trojans also posed a significant threat whilst their activity increased. Moreover, users often encountered various adware apps.
---------------------------------------------
https://news.drweb.com/show/?i=14395&lng=en&c=9
∗∗∗ Doctor Web’s annual virus activity review for 2021 ∗∗∗
---------------------------------------------
Among the most popular threats in 2021 were numerous malware. Among them were trojan droppers destined to distribute malicious malware, and trojan downloader modifications–they download and run executable files with various payloads on the victim's computer. Besides that, cybercriminals were actively distributing backdoors. Among the email threats, the most popular were stealers and various backdoor modifications written in VB.NET.
---------------------------------------------
https://news.drweb.com/show/?i=14393&lng=en&c=9
∗∗∗ Spyware Blitzes Compromise, Cannibalize ICS Networks ∗∗∗
---------------------------------------------
The brief spearphishing campaigns spread malware and use compromised networks to steal credentials that can be sold or used to commit financial fraud.
---------------------------------------------
https://threatpost.com/spyware-blitzes-compromise-cannibalize-ics-networks/…
∗∗∗ AccessPress Themes Hit With Targeted Supply Chain Attack ∗∗∗
---------------------------------------------
Security researchers at Automattic recently reported that the popular WordPress plugin and theme authors AccessPress were compromised and their software replaced with backdoored versions. The compromise appears to have taken place in September of last year and was only recently made public. Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites.
---------------------------------------------
https://blog.sucuri.net/2022/01/accesspress-themes-hit-with-targeted-supply…
∗∗∗ A Detailed Analysis of WhisperGate Targeting Ukrainian Organizations ∗∗∗
---------------------------------------------
Microsoft reported evidence of destructive malware targeting organizations in Ukraine starting from January 13 [1]. The LIFARS threat intelligence team have analyzed the malicious samples and provided a detailed analysis of the execution flow. The main objective of this technical brief is to reveal the sophisticated TTPs demonstrated by threat actors.
---------------------------------------------
https://lifars.com/2022/01/a-detailed-analysis-of-whispergate-targeting-ukr…
=====================
= Vulnerabilities =
=====================
∗∗∗ VU#287178: McAfee Agent for Windows is vulnerable to privilege escalation due to OPENSSLDIR location ∗∗∗
---------------------------------------------
McAfee Agent, which comes with various McAfee products such as McAfee Endpoint Security, includes an OpenSSL component that specifies an OPENSSLDIR variable as a subdirectory that may be controllable by an unprivileged user on Windows. McAfee Agent contains a privileged service that uses this OpenSSL component. A user who can place a specially-crafted openssl.cnf file at an appropriate path may be able to achieve arbitrary code execution with SYSTEM privileges.
---------------------------------------------
https://kb.cert.org/vuls/id/287178
∗∗∗ Plugin "Email Template Designer" opens security hole in WordPress ∗∗∗
---------------------------------------------
A vulnerability in the WordPress plugin "WordPress Email Template Designer - WP HTML Mail" could allow attackers to slip malicious code to the administrator.
---------------------------------------------
https://heise.de/-6334308
∗∗∗ Security updates for Friday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (aide, flatpak, kernel, libspf2, and usbview), Fedora (kernel, libreswan, nodejs, texlive-base, and wireshark), openSUSE (aide, cryptsetup, grafana, permissions, rust1.56, and stb), SUSE (aide, apache2, cryptsetup, grafana, permissions, rust1.56, and webkit2gtk3), and Ubuntu (aide, thunderbird, and usbview).
---------------------------------------------
https://lwn.net/Articles/882119/
∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001 ∗∗∗
---------------------------------------------
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
---------------------------------------------
https://webkitgtk.org/security/WSA-2022-0001.html
∗∗∗ Lexmark Laser Printers: Multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.cert-bund.de/advisoryshort/CB-K22-0087
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Operational Decision Manager (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM Security Guardium is vulnerable to a denial of service vulnerability in Apache log4j2 component (CVE-2021-45105 & CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-…
∗∗∗ Security Bulletin: Vulnerability in Java Batch affects WebSphere Application Server Liberty (CVE-2021-20492) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-bat…
∗∗∗ Security Bulletin: IBM Operations Analytics Predictive Insights is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operations-analytics-…
∗∗∗ Security Bulletin: IBM Cognos Controller has addressed multiple vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-controller-has…
∗∗∗ Security Bulletin: IBM MaaS360 Cloud Extender and Modules have various vulnerabilities (CVE-2021-22924, CVE-2021-3712) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maas360-cloud-extende…
=====================
= End-of-Day report =
=====================
Timeframe: Wednesday 19-01-2022 18:00 − Thursday 20-01-2022 18:00
Handler: Robert Waldner
Co-Handler: n/a
=====================
= News =
=====================
∗∗∗ Revamped Community-Based DDoS Defense Tool Improves Filtering ∗∗∗
---------------------------------------------
Team Cymru updates its Unwanted Traffic Removal Service (UTRS), adding more granular controls and greater ranges of both IPv4 and IPv6 addresses.
---------------------------------------------
https://www.darkreading.com/perimeter/revamped-community-based-ddos-defense…
∗∗∗ MoonBounce: the dark side of UEFI firmware ∗∗∗
---------------------------------------------
At the end of 2021, we inspected UEFI firmware that was tampered with to embed a malicious code we dub MoonBounce. In this report we describe how the MoonBounce implant works and how it is connected to APT41.
---------------------------------------------
https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
∗∗∗ What Should You do if Your WordPress Site was Hacked? ∗∗∗
---------------------------------------------
This article will provide insight on what to do if your website is hacked and how to move forward. WordPress sites can be hacked due to a variety of reasons, which we cover in Why are WordPress sites targeted by hackers?
---------------------------------------------
https://blog.sucuri.net/2022/01/what-should-you-do-if-your-wordpress-site-w…
∗∗∗ Microsoft: Hackers Exploiting New SolarWinds Serv-U Bug Related to Log4j Attacks ∗∗∗
---------------------------------------------
Microsoft on Wednesday disclosed details of a new security vulnerability in SolarWinds Serv-U software that it said was being weaponized by threat actors to propagate attacks leveraging the Log4j flaws to compromise targets. Tracked as CVE-2021-35247 (CVSS score: 5.3), the issue is an "input validation vulnerability that could allow attackers to build a query given some input and [..]
---------------------------------------------
https://thehackernews.com/2022/01/microsoft-hackers-exploiting-new.html
∗∗∗ New BHUNT Password Stealer Malware Targeting Cryptocurrency Wallets ∗∗∗
---------------------------------------------
"BHUNT is a modular stealer written in .NET, capable of exfiltrating wallet (Exodus, Electrum, Atomic, Jaxx, Ethereum, Bitcoin, Litecoin wallets) contents, passwords stored in the browser, and passphrases captured from the clipboard," Bitdefender researcher said in a technical report on Wednesday.
---------------------------------------------
https://thehackernews.com/2022/01/new-bhunt-password-stealer-malware.html
∗∗∗ RedLine Stealer Delivered Through FTP ∗∗∗
---------------------------------------------
Here is a piece of malicious Python script that injects a RedLine stealer into its own process. Process injection is a common attacker’s technique these days (for a long time already). The difference, in this case, is that the payload is delivered through FTP! It’s pretty unusual because FTP is today less and less used for multiple reasons (lack of encryption by default, complex to filter with those passive/active modes).
---------------------------------------------
https://blog.rootshell.be/2022/01/20/sans-isc-redline-stealer-delivered-thr…
∗∗∗ Critical security vulnerability closed in Google Chrome ∗∗∗
---------------------------------------------
In the updated version of Google Chrome, the company closes numerous vulnerabilities. The vendor rates at least one of them as critical.
---------------------------------------------
https://heise.de/-6332812
∗∗∗ Almost 7 million passwords stolen from Open Subtitles ∗∗∗
---------------------------------------------
The websites and the forum of Open Subtitles fell victim to cybercriminals, who were able to capture all login credentials. Users now need to take action.
---------------------------------------------
https://heise.de/-6332951
∗∗∗ Numerous Facebook pages advertise televisions for €1.95 ∗∗∗
---------------------------------------------
A QLED television for only 1.95 euros? That is what numerous Facebook pages are currently promising. All you have to do is take part in a short survey. You are then asked to enter your credit card details to pay 1.95 euros, and a high-quality television will be delivered to your home. As so often, the offer is too good to be true. In reality, your credit card details end up in the hands of criminals.
---------------------------------------------
https://www.watchlist-internet.at/news/zahlreiche-facebook-seiten-bewerben-…
=====================
= Vulnerabilities =
=====================
∗∗∗ Drupal core - Moderately critical - Cross site scripting - SA-CORE-2022-002 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Cross site scripting
Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.
---------------------------------------------
https://www.drupal.org/sa-core-2022-002
∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2022-001 ∗∗∗
---------------------------------------------
Project: Drupal core
Security risk: Moderately critical
Vulnerability: Cross Site Scripting
Description: jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life. Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7
---------------------------------------------
https://www.drupal.org/sa-core-2022-001
∗∗∗ jQuery UI Datepicker - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-004 ∗∗∗
---------------------------------------------
Project: jQuery UI Datepicker
Security risk: Moderately critical
Vulnerability: Cross Site Scripting
Description: jQuery UI is a third-party library used by Drupal. The jQuery UI Datepicker module provides the jQuery UI Datepicker library, which is not included in Drupal 9 core.
---------------------------------------------
https://www.drupal.org/sa-contrib-2022-004
∗∗∗ Improper copy algorithm and component validation in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated attacker to execute code ∗∗∗
---------------------------------------------
CVE-2021-22282: RCE through Project Upload from Target. All versions of Automation Studio 4 are affected.
---------------------------------------------
https://www.br-automation.com/downloads_br_productcatalogue/assets/16405293…
∗∗∗ Local file inclusion vulnerability in Land Software - FAUST iServer ∗∗∗
---------------------------------------------
The web server named FAUST iServer, developed by Land Software, is vulnerable to a local file inclusion vulnerability. An attacker can read all local files of the underlying operating system in the context of the current hard drive.
---------------------------------------------
https://sec-consult.com/de/vulnerability-lab/advisory/local-file-inclusion-…
∗∗∗ Calculation error in the Linux kernel allows privilege escalation ∗∗∗
---------------------------------------------
Problematic above all in cloud systems: users logged in to Linux systems could escalate their privileges due to a potential buffer overflow.
---------------------------------------------
https://heise.de/-6333365
∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (drupal7), Fedora (kernel, libreswan, nodejs, and wireshark), openSUSE (busybox, firefox, kernel, and python-numpy), Oracle (gegl, gegl04, httpd, java-17-openjdk, kernel, kernel-container, and libreswan), Red Hat (kernel, kernel-rt, and libreswan), Slackware (wpa_supplicant), SUSE (busybox, firefox, htmldoc, kernel, kubevirt, virt-api-container, virt-controller-container, virt-handler-container, virt-launcher-container, virt-operator-container, openstack-monasca-agent, spark, spark-kit, zookeeper, python-numpy) and Ubuntu (curl, linux, linux-aws, linux-aws-5.11, linux-aws-5.4, linux-azure, linux-azure-5.11, linux-azure-5.4, linux-bluefield, linux-gcp, linux-gcp-5.11, linux-gcp-5.4, linux-gke, linux-gke-5.4, linux-gkeop, linux-gkeop-5.4, linux-hwe-5.4, linux-ibm, linux-kvm, linux-oem-5.10, linux-oem-5.13, linux-oem-5.14, linux-oracle, linux-oracle-5.11, linux-oracle-5.4, linux-raspi, linux-raspi-5.4, openvswitch, qtsvg-opensource-src).
---------------------------------------------
https://lwn.net/Articles/881956/
∗∗∗ Canon: “Log4j” RCE [CVE-2021-44228], “Log4j” RCE [CVE-2021-45046] and “Log4j” DOS [CVE-2021-45105] vulnerabilities ∗∗∗
---------------------------------------------
We are currently in the process of investigating the impact of the ‘Log4j’ https://logging.apache.org/log4j/2.x/security.html vulnerability on Canon products. As information comes to light, we will update this article.
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ Canon: Cross-site scripting vulnerability for laser printers and multifunction devices for small offices ∗∗∗
---------------------------------------------
A cross-site scripting vulnerability has been identified in the Remote UI function of Canon laser printers and multifunction devices for small office – see the affected models below (vulnerability identification number: JVN # 64806328).
---------------------------------------------
https://www.canon-europe.com/support/product-security-latest-news/
∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in Some Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-…
∗∗∗ Security Advisory - Apache log4j2 remote code execution vulnerabilities in some Huawei products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2021/huawei-sa-20211215-…
∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy…
∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Conductor is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-…
∗∗∗ Security Bulletin: Due to the use of Apache Log4j, IBM Spectrum Symphony is vulnerable to arbitrary code execution (CVE-2021-44832 and CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-the-use-of-apache-…
∗∗∗ Security Bulletin: IBM® Security SOAR could be vulnerable to a downgrade attack because of missing Strict-Transport-Security headers for some endpoints (CVE-2021-29785). ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-soar-could-b…
∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-…
∗∗∗ Security Bulletin: Apache log4j Vulnerability Affects IBM Sterling Global Mailbox (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: IBM Db2® Warehouse has released a fix in response to multiple vulnerabilities found in IBM Db2® ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-warehouse-has-rel…
∗∗∗ Security Bulletin: IBM® Disconnected Log Collector is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-disconnected-log-coll…
∗∗∗ Security Bulletin: API Connect is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-api-connect-is-vulnerable…
∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 2.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec…
∗∗∗ Endress+Hauser: Multiple products affected by log4net vulnerability ∗∗∗
---------------------------------------------
https://cert.vde.com/de/advisories/VDE-2021-044/
∗∗∗ ICONICS and Mitsubishi Electric HMI SCADA ∗∗∗
---------------------------------------------
https://us-cert.cisa.gov/ics/advisories/icsa-22-020-01
=====================
= End-of-Day report =
=====================
Timeframe: Tuesday 18-01-2022 18:00 − Wednesday 19-01-2022 18:00
Handler: Robert Waldner
Co-Handler: Stephan Richter
=====================
= News =
=====================
∗∗∗ 0.0.0.0 in Emotet Spambot Traffic, (Wed, Jan 19th) ∗∗∗
---------------------------------------------
[..] Emotet uses IP address 0.0.0.0 in spambot traffic, possibly attempting to hide the actual IP address of an Emotet-infected host. This ISC diary reviews the spoofed 0.0.0.0 address used in a recent Emotet infection from Tuesday 2022-01-18.
---------------------------------------------
https://isc.sans.edu/diary/rss/28254
∗∗∗ Project Zero: Zooming in on Zero-click Exploits ∗∗∗
---------------------------------------------
In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user. However, a zero-click attack against the Windows Zoom client was recently revealed at Pwn2Own, showing that it does indeed have a fully remote attack surface. The following post details my investigation into Zoom.
---------------------------------------------
https://googleprojectzero.blogspot.com//2022/01/zooming-in-on-zero-click-ex…
∗∗∗ Introducing TREVORproxy and TREVORspray 2.0 - Increasing the Speed and Effectiveness of Password Sprays ∗∗∗
---------------------------------------------
Classically, password spraying has been the single lowest-effort and highest-yield technique for gaining an initial foothold in an organization. [...] But alas, with increasing Multi-Factor coverage and defensive countermeasures like Smart Lockout, password spraying is becoming more and more of a chore. [...] When I set out to write these tools, the biggest problem I wanted to solve was Smart Lockout. Smart Lockout tries to lock out attackers without locking out legitimate users. So basically,
---------------------------------------------
https://blog.blacklanternsecurity.com/p/introducing-trevorproxy-and-trevors…
∗∗∗ Fraudulent promises of money on Instagram ∗∗∗
---------------------------------------------
Criminals target young women and men in particular with their fraudulent requests. They promise them large sums of money for suggestive photos or pretend to be interested in financing the lifestyle of the persons concerned. Anyone who receives such offers should definitely keep their distance, because this is an advance-fee fraud in which payments are demanded up front.
---------------------------------------------
https://www.watchlist-internet.at/news/betruegerische-geldversprechen-auf-i…
∗∗∗ The Perfect Cyber Crime ∗∗∗
---------------------------------------------
[..] what if criminals were able to acquire large amounts of victims’ credentials without infecting any victim, without the need to build or purchase anything, and without the risk of getting caught? We recently set out to explore this topic and validate our theory that this type of “perfect crime” could be a new reality in cyber security. In this blog, we’ll explain how we were able to obtain large amounts of sensitive data using Google’s VirusTotal service in combination with other known malware services and hacker forums.
---------------------------------------------
https://safebreach.com/blog/2022/the-perfect-cyber-crime/
∗∗∗ CVE-2022-21661: Exposing Database Info via WordPress SQL Injection ∗∗∗
---------------------------------------------
In October of this year, we received a report from ngocnb and khuyenn from GiaoHangTietKiem JSC covering a SQL injection vulnerability in WordPress. The bug could allow an attacker to expose data stored in a connected database. This vulnerability was recently addressed as CVE-2022-21661 (ZDI-22-220). This blog covers the root cause of the bug and looks at how the WordPress team chose to address it.
---------------------------------------------
https://www.thezdi.com/blog/2022/1/18/cve-2021-21661-exposing-database-info…
=====================
= Vulnerabilities =
=====================
∗∗∗ WordPress Plugin WP Visitor Statistics 4.7 SQL Injection ∗∗∗
---------------------------------------------
The plugin does not properly sanitise and escape the refUrl in the refDetails AJAX action, available to any authenticated user, which could allow users with a role as low as subscriber to perform SQL injection attacks
CVE: CVE-2021-24750
---------------------------------------------
https://cxsecurity.com/issue/WLB-2022010098
∗∗∗ Oracle Critical Patch Update Advisory - January 2022 ∗∗∗
---------------------------------------------
This Critical Patch Update contains 497 new security patches across the (note: 165) product families listed below.
---------------------------------------------
https://www.oracle.com/security-alerts/cpujan2022.html
∗∗∗ The ace(r) up your sleeve! Privilege Escalation vulnerability in Acer Care Center (CVE-2021-45975) ∗∗∗
---------------------------------------------
Acer ships most of the laptops it sells with a software suite called Care Center Service installed. In versions up to 4.00.3038 included, one of the suite’s programs is an executable named ListCheck.exe, which runs at logon with the highest privilege available and suffers from a phantom DLL hijacking. This can lead to a privilege escalation when an administrator logs in.
---------------------------------------------
https://aptw.tf/2022/01/20/acer-care-center-privesc.html
∗∗∗ Security update: Nvidia Shield TV media player vulnerable to malicious code attack ∗∗∗
---------------------------------------------
The developers have closed several vulnerabilities in the Android version for Nvidia Shield TV. Overall, the risk is rated as high.
---------------------------------------------
https://heise.de/-6332144
∗∗∗ Security updates for Wednesday ∗∗∗
---------------------------------------------
Security updates have been issued by CentOS (firefox, gegl, kernel, and thunderbird), Debian (nvidia-graphics-drivers), Fedora (btrbk and thefuck), Mageia (clamav, kernel, kernel-linus, vim, and wpa_supplicant), openSUSE (java-1_8_0-ibm, jawn, nodejs12, nodejs14, SDL2, and virglrenderer), Red Hat (gegl, gegl04, java-17-openjdk, and kernel-rt), Scientific Linux (gegl and httpd), SUSE (apache2, firefox, java-1_7_1-ibm, java-1_8_0-ibm, libvirt, nodejs12, nodejs14, openstack-monasca-agent, spark, spark-kit, zookeeper, python-Django, python-Django1, python-numpy, virglrenderer), Ubuntu (byobu, clamav, ruby2.3, ruby2.5, ruby2.7).
---------------------------------------------
https://lwn.net/Articles/881810/
∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software Multiple Vulnerabilities ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Cisco Webex Meetings Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Multiple Cisco Products Snort Modbus Denial of Service Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Multiple Cisco Products CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ ConfD CLI Command Injection Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco…
∗∗∗ Security Advisory - Release of Invalid Pointer Vulnerability in OptiX OSN 9800 U32 Product ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-…
∗∗∗ Security Advisory - Information Exposure Vulnerability on Several Huawei Products ∗∗∗
---------------------------------------------
http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220112-…
∗∗∗ Security Bulletin: Vulnerabilities in Apache Log4j affect IBM App Connect Enterprise V11, V12 and IBM Integration Bus V10 (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-apache…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Apache Log4j vulnerability affects IBM Cloud Pak for Multicloud Management (CVE-2021-44832) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Cloud Private (CVE-2021-44228) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l…
∗∗∗ Security Bulletin: IBM TRIRIGA Connector for Esri ArcGIS Indoors a component of IBM TRIRIGA Portfolio Data Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-connector-for…
∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Cloud PAK for Watson AI Ops is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4…
∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to an Information Disclosure (CVE-2022-22310) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application…
∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit…
∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35619) ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu…
∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Cloud Pak for Data System 1.0 ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec…
∗∗∗ An update on the Apache Log4j 2.x vulnerabilities ∗∗∗
---------------------------------------------
https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-4422…
∗∗∗ K61112120: BIG-IP ASM and Advanced WAF TMUI vulnerability CVE-2022-23031 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K61112120
∗∗∗ K96924184: F5 HTTP profile vulnerability CVE-2022-23022 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K96924184
∗∗∗ K82793463: BIG-IP MRF Diameter vulnerability CVE-2022-23019 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K82793463
∗∗∗ K41503304: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature bypass security exposure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41503304
∗∗∗ K53442005: BIG-IP VE vulnerability CVE-2022-23030 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K53442005
∗∗∗ K16101409: BIG-IP AFM vulnerability CVE-2022-23028 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K16101409
∗∗∗ K28042514: BIG-IP TMM and DNS profile vulnerability CVE-2022-23017 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K28042514
∗∗∗ K91013510: SSL Forward Proxy vulnerability CVE-2022-23016 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K91013510
∗∗∗ K08476614: BIG-IP Client SSL profile vulnerability CVE-2022-23015 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08476614
∗∗∗ K17514331: BIG-IP TMM vulnerability CVE-2022-23020 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K17514331
∗∗∗ K93526903: BIG-IP APM portal access vulnerability CVE-2022-23014 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K93526903
∗∗∗ K30525503: BIG-IP APM Edge Client proxy vulnerability CVE-2022-23032 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30525503
∗∗∗ K54892865: BIG-IP AFM vulnerability CVE-2022-23024 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K54892865
∗∗∗ K29500533: TMUI XSS vulnerability CVE-2022-23013 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K29500533
∗∗∗ K50343028: BIG-IP FastL4 profile vulnerability CVE-2022-23029 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K50343028
∗∗∗ K68755210: BIG-IP SYN Cookie Protection vulnerability CVE-2022-23011 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K68755210
∗∗∗ K26310765: HTTP/2 profile vulnerability CVE-2022-23012 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K26310765
∗∗∗ K34360320: BIG-IP FastL4 vulnerability CVE-2022-23010 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K34360320
∗∗∗ K30911244: Advanced WAF, BIG-IP ASM, and NGINX App Protect attack signature check failure ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30911244
∗∗∗ K41415626: Transparent DNS Cache can consume excessive resources ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K41415626
∗∗∗ K44110411: BIG-IP SIP ALG vulnerability CVE-2022-23025 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K44110411
∗∗∗ K08402414: BIG-IP ASM and Advanced WAF REST API endpoint vulnerability CVE-2022-23026 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K08402414
∗∗∗ K11742742: iControl REST vulnerability CVE-2022-23023 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K11742742
∗∗∗ K30573026: BIG-IP virtual server with FastL4 profile vulnerability CVE-2022-23027 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K30573026
∗∗∗ K24358905: BIG-IP AFM virtual server vulnerability CVE-2022-23018 ∗∗∗
---------------------------------------------
https://support.f5.com/csp/article/K24358905
∗∗∗ Multiple vulnerabilities in Bosch AMC2 (Access Modular Controller) ∗∗∗
---------------------------------------------
https://psirt.bosch.com/security-advisories/bosch-sa-940448-bt.html