- Daily - CERT.at

Tageszusammenfassung - 22.07.2022
by Daily end-of-shift report 22 Jul '22

22 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 21-07-2022 18:00 − Freitag 22-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ SATAn-Attacke: Zweckentfremdetes SATA-Kabel funkt geheime Infos ∗∗∗ --------------------------------------------- Sicherheitsforscher, die auf Attacken auf abgeschottete Air-Gap-Systeme spezialisiert sind, haben eine neue Methode vorgestellt. --------------------------------------------- https://heise.de/-7186463 ∗∗∗ Confluence Security Advisory 2022-07-20 ∗∗∗ --------------------------------------------- Confluence hat zum 20. Juli 2022 das Security Advisory 2022-07-20 veröffentlicht und heute aktualisiert. Im Sicherheitshinweis geht es um Confluence-Konten mit fest kodierten Anmeldeinformationen, die von Questions for Confluence erstellt wurden. Das betrifft die Confluence-App für Confluence Server und Confluence Data Center. --------------------------------------------- https://www.borncity.com/blog/2022/07/21/confluence-security-advisory-2022-… ∗∗∗ Zero-day used to infect Chrome users could pose threat to Edge and Safari users, too ∗∗∗ --------------------------------------------- After laying low, exploit seller Candiru rears its ugly head once more. --------------------------------------------- https://arstechnica.com/?p=1868594 ∗∗∗ Maldoc: non-ASCII VBA Identifiers, (Thu, Jul 21st) ∗∗∗ --------------------------------------------- I found a malicious Office document with VBA code where most of the identifiers (variables, function names, ...) consist solely out of characters that are not ASCII (.e.g, these characters have values between 128 and 255). --------------------------------------------- https://isc.sans.edu/diary/rss/28866 ∗∗∗ An Analysis of a Discerning Phishing Website , (Fri, Jul 22nd) ∗∗∗ --------------------------------------------- Cybercriminals and adversaries have long used phishing websites to obtain credentials and access systems they usually would not have access to. Indeed, it could be more cost-effective than other methods, such as buying zero-day vulnerabilities and weaponizing them. I was alerted to a phishing attempt and requested further details. After doing some analysis, I observed several differences and technological improvements that the adversaries had made as compared to the usual phishing attempts. --------------------------------------------- https://isc.sans.edu/diary/rss/28870 ∗∗∗ Month of PowerShell - Recording Your Session with Start-Transcript ∗∗∗ --------------------------------------------- PowerShell allows us to create a transaction file of all commands entered and output received, perfect for pentests, incident response, and more! --------------------------------------------- https://www.sans.org/blog/recording-your-session-with-start-transcript ∗∗∗ Cryptominers & WebAssembly in Website Malware ∗∗∗ --------------------------------------------- WebAssembly (also referred to as Wasm) is a binary instruction format that runs in the browser to enable high-performance applications on web pages and can be executed much faster than traditional JavaScript. WebAssembly can be executed in a variety of environments, including servers, IoT devices, and mobile or desktop apps — but was originally designed to run on the web. --------------------------------------------- https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware… ∗∗∗ An Easier Way to Keep Old Python Code Healthy and Secure ∗∗∗ --------------------------------------------- Python has its pros and cons, but its nonetheless used extensively. For example, Python is frequently used in data crunching tasks even when there are more appropriate languages to choose from. Why? Well, Python is relatively easy to learn. Someone with a science background can pick up Python much more quickly than, say, C. However, Pythons inherent approachability also creates a couple of problems. --------------------------------------------- https://thehackernews.com/2022/07/an-easier-way-to-keep-old-python-code.html ∗∗∗ Sh*Load Exploits (Episode V: Return of the Error) ∗∗∗ --------------------------------------------- Our first post in the Firmware Developers Need To Know blog series, Episode I: The Last Error, pointed out the benefits of adopting clean error codes. And then two weeks later, TLStorm, bam. Armis’ research engineers announced the discovery of three vulnerabilities in APC devices –the key problem – ignoring error codes! Unfortunately, little attention or thought is paid to error codes within firmware code (and many critical open source projects). --------------------------------------------- https://dellfer.com/shload-exploits-episode-v-return-of-the-error/ ∗∗∗ PART 1: How I Met Your Beacon – Overview ∗∗∗ --------------------------------------------- During this research we will outline a number of effective strategies for hunting for beacons, supported by our BeaconHunter tool that we developed to execute these strategies and which we intend to open source in due course. --------------------------------------------- https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/ ∗∗∗ Cloud Threat Detection: To Agent or Not to Agent? ∗∗∗ --------------------------------------------- Should you be using agents to secure cloud applications, or not? The answer depends on what exactly youre trying to secure. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/22/cloud-threat-detection-to-agent… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-21 ∗∗∗ --------------------------------------------- IBM Cloud App Management, IBM Cloud Pak for Multicloud Management Monitoring, IBM Rational Build Forge, IBM Rational Build Forge, IBM Cloud App Management, IBM Tivoli Netcool Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (gnupg2, oci-seccomp-bpf-hook, suricata, and vim), Oracle (java-11-openjdk), Slackware (net), and SUSE (kernel, nodejs16, rubygem-rack, and webkit2gtk3). --------------------------------------------- https://lwn.net/Articles/902184/ ∗∗∗ Moodle: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Moodle ausnutzen, um beliebigen Programmcode auszuführen, Dateien zu manipulieren, Informationen offenzulegen oder einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0797 ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Veritas NetBackup ausnutzen, um beliebigen Programmcode auszuführen oder seine Privilegien zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0801 ∗∗∗ Veritas NetBackup: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann eine Schwachstelle in Veritas NetBackup ausnutzen, um beliebigen Code auszuführen, vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszulösen, seine Privilegien zu erweitern und Verzeichnisse zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0802 ∗∗∗ F-Secure Linux Security: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in F-Secure Linux Security und F-Secure Internet Gatekeeper ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0803 ∗∗∗ AutomationDirect Stride Field I/O ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Cleartext Transmission of Sensitive Information vulnerability in AutomationDirect products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-05 ∗∗∗ ICONICS Suite and Mitsubishi Electric MC Works64 Products ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere, Out-of-Bounds Read vulnerabilities in the SCADA products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04 ∗∗∗ Rockwell Automation ISaGRAF Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the ISaGRAF Workbench. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-03 ∗∗∗ Johnson Controls Metasys ADS, ADX, OAS ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Missing Authentication for Critical Function vulnerability in the Metasys ADS, ADX, OAS. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-02 ∗∗∗ ABB Drive Composer, Automation Builder, Mint Workbench ∗∗∗ --------------------------------------------- This advisory contains mitigations for an Improper Privilege Management vulnerabilities in the ABB products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-202-01 ∗∗∗ Unauthenticated SQL Injection in SonicWall GMS and Analytics ∗∗∗ --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0007 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.07.2022
by Daily end-of-shift report 21 Jul '22

21 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 20-07-2022 18:00 − Donnerstag 21-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Apple Patches Everything Day, (Wed, Jul 20th) ∗∗∗ --------------------------------------------- Apple today released its usual "surprise patch day" in updating all of its operating systems. There may still be specific Safari updates, but for currently supported operating systems, the operating system upgrades should include respective Safari/WebKit fixes. --------------------------------------------- https://isc.sans.edu/diary/rss/28862 ∗∗∗ New Linux Malware Framework Lets Attackers Install Rootkit on Targeted Systems ∗∗∗ --------------------------------------------- A never-before-seen Linux malware has been dubbed a "Swiss Army Knife" for its modular architecture and its capability to install rootkits. This previously undetected Linux threat, called Lightning Framework by Intezer, is equipped with a plethora of features, making it one of the most intricate frameworks developed for targeting Linux systems. --------------------------------------------- https://thehackernews.com/2022/07/new-linux-malware-framework-let.html ∗∗∗ Outlook email users alerted to suspicious activity from Microsoft-owned IP address ∗∗∗ --------------------------------------------- People turn amateur sleuths to discover that the source of all those sign-ins seems to be in Redmond Strange things are afoot in the world of Microsoft email with multiple users reporting unusual sign-in notifications for their Outlook accounts. --------------------------------------------- https://www.theregister.com/2022/07/21/outlook_sign_ins/ ∗∗∗ [CVE-2022-34918] A crack in the Linux firewall ∗∗∗ --------------------------------------------- In our previous article Yet another bug into Netfilter, I presented a vulnerability found within the netfilter subsystem of the Linux kernel. During my investigation, I found a weird comparison that does not fully protect a copy within a buffer. It led to a heap buffer overflow that was exploited to obtain root privileges on Ubuntu 22.04. --------------------------------------------- https://www.randorisec.fr/crack-linux-firewall/ ∗∗∗ Gitlab Project Import RCE Analysis (CVE-2022-2185) ∗∗∗ --------------------------------------------- At the beginning of this month, GitLab released a security patch for versions 14->15. Interestingly in the advisory, there was a mention of a post-auth RCE bug with CVSS 9.9. The bug exists in GitLab’s Project Imports feature, which was found by @vakzz. Incidentally, when I rummaged in the author’s h1 profile. I discovered that four months ago, he also found a bug in the import project feature. --------------------------------------------- https://starlabs.sg/blog/2022/07-gitlab-project-import-rce-analysis-cve-202… ∗∗∗ Cybercrime: Industriesteuerungen im Visier ∗∗∗ --------------------------------------------- Ein Passwort-Cracker mit Trojaner an Bord liefert Passwörter für programmierbare Industrie-Steuersysteme frei Haus und wirft damit eine wichtige Frage auf. --------------------------------------------- https://heise.de/-7185890 ∗∗∗ Vorsicht vor Shops mit Abo-Fallen ∗∗∗ --------------------------------------------- Sie suchen nach einem Produkt online – sei es Make-Up, Sportkleidung oder Tiernahrung. Plötzlich stoßen Sie auf ein gutes Angebot und das Produkt ist sogar 60 % billiger, wenn Sie VIP-Mitglied werden. Doch im Kleingedruckten steht: Mit diesem Einkauf schließen Sie eine automatische Clubmitgliedschaft und ein teures Abo ab. Vorsicht vor diesen unseriösen Abo-Fallen! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-shops-mit-abo-fallen/ ∗∗∗ Shodan Verified Vulns 2022-07-01 ∗∗∗ --------------------------------------------- Mit Stand 2022-07-01 sieht Shodan in Österreich die folgenden Schwachstellen: Verglichen mit Juni 2022 ist durch die Bank ein leichter Abwärtstrend zu erkennen (insgesamt von 9355 auf 8987 verifizierte Schwachstellen). Spitzenreiter sind noch immer CVE-2015-0204 (SSL FREAK, 4090) und CVE-2015-4000 (Logjam, 3193). Davor schon relativ gering vertreten (35), jedoch auffällig gesunken ist die Schwachstelle CVE-2021-43798 (Grafana Path Traversal Vulnerability, -80%). Ausreißer nach oben oder Neuzugänge gibt es nicht. --------------------------------------------- https://cert.at/de/aktuelles/2022/7/shodan-verified-vulns-2022-07-01 ===================== = Vulnerabilities = ===================== ∗∗∗ Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability ∗∗∗ --------------------------------------------- Atlassian has rolled out fixes to remediate a critical security vulnerability pertaining to the use of hard-coded credentials affecting the Questions For Confluence app for Confluence Server and Confluence Data Center. The flaw, tracked as CVE-2022-26138, arises when the app in question is enabled on either of two services, causing it to create a Confluence user account with the username "disabledsystemuser." --------------------------------------------- https://thehackernews.com/2022/07/atlassian-releases-patch-for-critical.html ∗∗∗ Schadcode-Attacken mit Root-Rechten auf Cisco Nexus Dashboard möglich ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Hard- und Software vom Netzwerkausrüster Cisco. --------------------------------------------- https://heise.de/-7185582 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Mageia (kernel and kernel-linus), SUSE (dovecot23), and Ubuntu (freetype, libxml-security-java, and linux-oem-5.17). --------------------------------------------- https://lwn.net/Articles/902011/ ∗∗∗ Request Tracker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Request Tracker ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen oder Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0788 ∗∗∗ Security Bulletin: IBM Tivoli Network Manager is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-1757) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-network-manage… ∗∗∗ Security Bulletin: Security Vulnerabilities have been fixed in IBM Security Access Manager appliance (CVE-2022-24407, CVE-2020-25709, CVE-2020-25710) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses an Oracle JDBC jar with multiple vulnerabilities (CVE-2019-2444, CVE-2019-2619, CVE-2017-10321, CVE-2017-10202) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Security Verify Information Queue connect image (CVE-2020-9493, CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Wire Schema jar with multiple vulnerabilities (CVE-2020-27853, CVE-2021-41093) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses a Google gRPC framework with multiple vulnerabilities (CVE-2017-7860, CVE-2017-7861, CVE-2017-9431) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM Security Guardium Insights is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-ins… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-38936) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Multiple security vulnerabilities found in open source code that is shipped with IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: OpenSSL vulnerabilities in the IBM Security Verify Information Queue web server (CVE-2021-3711, CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-vulnerabilities-i… ∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ CVE-2022-0778: Sicherheitslücken mit Denial of Service-Potential in OpenSSL ∗∗∗ --------------------------------------------- https://www.sprecher-automation.com/it-sicherheit/security-alerts ∗∗∗ Drupal core - Moderately critical - Multiple vulnerabilities - SA-CORE-2022-015 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-015 ∗∗∗ Drupal core - Critical - Arbitrary PHP code execution - SA-CORE-2022-014 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-014 ∗∗∗ Drupal core - Moderately critical - Access Bypass - SA-CORE-2022-013 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-core-2022-013 *** Drupal core - Moderately critical - Information Disclosure - SA-CORE-2022-012 *** --------------------------------------------- https://www.drupal.org/sa-core-2022-012 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.07.2022
by Daily end-of-shift report 20 Jul '22

20 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 19-07-2022 18:00 − Mittwoch 20-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Sicherheitslücken in GPS-Tracker von MiCODUS können Menschenleben gefährden ∗∗∗ --------------------------------------------- Sicherheitsforscher warnen davor, dass Angreifer unter anderem PKWs der Regierung aus der Ferne stoppen könnten. Sicherheitspatches gibt es bislang nicht. --------------------------------------------- https://heise.de/-7184324 ∗∗∗ Phishing-Mail zu „unbefugten Aktivitäten“ ignorieren! ∗∗∗ --------------------------------------------- Aktuell kursiert eine Phishing Nachricht im Namen der Raiffeisen Bank, die nach einer Authentifizierung verlangt. Angeblich wurde eine Zahlung in Höhe von 1259,00 EUR vorgenommen, die blockiert wurde. Achtung: Es handelt sich lediglich um einen erfundenen Grund, mit dem Kriminelle Sie zum Klick auf eine Phishing-Seite bewegen wollen. Löschen Sie die Nachricht einfach! --------------------------------------------- https://www.watchlist-internet.at/news/phishing-mail-zu-unbefugten-aktivita… ∗∗∗ Breaking down CISs new software supply chain security guidance ∗∗∗ --------------------------------------------- Securing the software supply chain continues to be one of the most discussed topics currently among IT and cybersecurity leaders. A study by In-Q-Tel researchers shows a rapid rise in software supply chain attacks starting around 2016, going from almost none in 2015 to about 1,500 in 2020. The Cloud Native Computing Foundation’s (CNCF’s) catalog of software supply chain attacks also supports a rise in this attack vector. --------------------------------------------- https://www.csoonline.com/article/3666742/breaking-down-ciss-new-software-s… ∗∗∗ Luna and Black Basta — new ransomware for Windows, Linux and ESXi ∗∗∗ --------------------------------------------- This report discusses new ransomware, that targets Windows, Linux and ESXi systems: Luna written in Rust and Black Basta. --------------------------------------------- https://securelist.com/luna-black-basta-ransomware/106950/ ∗∗∗ PrestaShop Skimmer Concealed in One Page Checkout Module ∗∗∗ --------------------------------------------- PrestaShop is a popular freemium open source e-commerce platform used by hundreds of thousands of webmasters to sell products and services to website visitors. While PrestaShop’s CMS market share is only 0.8%, it should still come as no surprise that attackers have been crafting malware to specifically target environments who use this software. --------------------------------------------- https://blog.sucuri.net/2022/07/prestashop-skimmer-concealed-in-one-page-ch… ∗∗∗ LockBit: Ransomware Puts Servers in the Crosshairs ∗∗∗ --------------------------------------------- LockBit affiliates using servers to spread ransomware throughout networks. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lo… ∗∗∗ Analysis of a trojanized jQuery script: GootLoader unleashed ∗∗∗ --------------------------------------------- In this blog post, we will perform a deep analysis into GootLoader, malware which is known to deliver several types of payloads, such as Kronos trojan, REvil, IcedID, GootKit payloads and in this case Cobalt Strike. --------------------------------------------- https://blog.nviso.eu/2022/07/20/analysis-of-a-trojanized-jquery-script-goo… ∗∗∗ 4 Strategies for Achieving Greater Visibility in the Cloud ∗∗∗ --------------------------------------------- Here are four ways to put visibility at the center of your cloud security approach and better understand whats going on in your environment. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/20/4-strategies-for-achieving-grea… ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Oracle sichert seine Produkte mit 349 Updates ab ∗∗∗ --------------------------------------------- Wichtige Sicherheitspatches schließen unter anderem kritische Lücken in Oracle-Anwendungen. --------------------------------------------- https://heise.de/-7184179 ∗∗∗ Sicherheitsupdates: Root-Lücke bedroht Zyxel-Firewalls ∗∗∗ --------------------------------------------- Mehrere Firewall-Modelle von Zyxel sind über Sicherheitslücken attackierbar. --------------------------------------------- https://heise.de/-7184526 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (golang-github-gosexy-gettext, golang-github-hub, oci-seccomp-bpf-hook, and popub), Oracle (kernel and kernel-container), SUSE (python2-numpy), and Ubuntu (check-mk and pyjwt). --------------------------------------------- https://lwn.net/Articles/901879/ ∗∗∗ Chrome 103 Update Patches High-Severity Vulnerabilities ∗∗∗ --------------------------------------------- Google this week announced a Chrome update that resolves a total of 11 vulnerabilities in the browser, including six reported by external researchers. Of these, five are use-after-free issues, including four that are considered “high severity.” --------------------------------------------- https://www.securityweek.com/chrome-103-update-patches-high-severity-vulner… ∗∗∗ HCL BigFix: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in HCL BigFix ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0733 ∗∗∗ OpenJDK: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in OpenJDK ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsvorkehrungen zu umgehen oder Dateien zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0746 ∗∗∗ Arista EOS: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Arista EOS ausnutzen, um Sicherheitsvorkehrungen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0761 ∗∗∗ Red Hat OpenShift (Logging Subsystem): Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat OpenShift (Logging Subsystem) ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0707 ∗∗∗ Security Bulletin: IBM Resilient Platform could allow formula injection in Excel (CVE-2020-4633) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-platform-co… ∗∗∗ Security Bulletin: IBM InfoSphere Information Analyzer is affected by a cross-site scripting vulnerability in jQuery-UI(CVE-2021-41184) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: Multiple cross-site scripting vulnerabilities in JQuery affect IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-cross-site-scrip… ∗∗∗ Security Bulletin: Apache log4j security vulnerability as it relates to IBM Maximo Scheduler Optimization – Apache Log4j – CVE-2021-45105 (affecting v2.16) and CVE-2021-45046 (affecting v2.15) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-security-vul… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities in Expact library. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM WebSphere Application Server is vulnerable to Cross-site Scripting (CVE-2022-22477) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to improper certificate validation (CVE-2021-29755) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM QRadar Network Security is affected by multiple vulnerabilities. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-securi… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to infomation disclosured due to incorrect file permissions (CVE-2022-22424) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: A vulnerability in IBM Java SDK and IBM Java Runtime affects IBM QRadar SIEM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to infomarion discosure (CVE-2021-38936) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: Vulnerability in Java SE related to the JSSE component affects DB2 Recovery Expert for Linux, Unix and Windows ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-… ∗∗∗ Security Bulletin: A security vulnerability in Node.js nconf affects IBM Cloud Pak for Multicloud Management Managed Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: IBM Resilient SOAR is Using Components with Known Vulnerabilities – Java SE (CVE-2020-2773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-resilient-soar-is-usi… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 19.07.2022
by Daily end-of-shift report 19 Jul '22

19 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 18-07-2022 18:00 − Dienstag 19-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Authentication Risks Discovered in Okta Platform ∗∗∗ --------------------------------------------- Four newly discovered attack paths could lead to PII exposure, account takeover, even organizational data destruction. --------------------------------------------- https://threatpost.com/risks-okta-sso/180249/ ∗∗∗ Requests For beacon.http-get. Help Us Figure Out What They Are Looking For, (Tue, Jul 19th) ∗∗∗ --------------------------------------------- Based on our First Seen URLs page, we started seeing more requests for 'beacon.http-get' these last few days. The requests are going back a while now but have been increasing. --------------------------------------------- https://isc.sans.edu/diary/rss/28856 ∗∗∗ Sicherheit bei Mac-Office: Microsoft fordert zur Systemaktualisierung auf ∗∗∗ --------------------------------------------- Nur mit den jüngsten Versionen von Monterey und Big Sur lassen sich Angriffe über Makro-Exploits verhindern, so der Konzern. --------------------------------------------- https://heise.de/-7182296 ∗∗∗ WhatsApp-Nachricht über einen Covid-19-Zuschuss von UNICEF ist Fake ∗∗∗ --------------------------------------------- Sie haben auf WhatsApp eine Nachricht von UNICEF erhalten? Man will Ihnen einen Covid-19-Zuschuss von 50.000 Euro überweisen? Vorsicht: Dabei handelt es sich um Betrug. Kriminelle geben sich als UNICEF aus und täuschen Spenden oder Gewinne vor. In Wirklichkeit will man Ihnen Geld stehlen! Antworten Sie nicht und blockieren Sie die Nummer! --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-nachricht-ueber-einen-covid… ∗∗∗ I see what you did there: A look at the CloudMensis macOS spyware ∗∗∗ --------------------------------------------- Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs --------------------------------------------- https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-clo… ∗∗∗ Riding the InfoRail to Exploit Ivanti Avalanche ∗∗∗ --------------------------------------------- I was able to quickly identify a chain of three vulnerabilities in the Ivanti Avalanche Web Application: [...] Even though this chain is powerful, its first part heavily depends on factors that are not within the attacker’s control. We can do better, right? --------------------------------------------- https://www.thezdi.com/blog/2022/7/19/riding-the-inforail-to-exploit-ivanti… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-18 ∗∗∗ --------------------------------------------- IBM UrbanCode Build, IBM UrbanCode Release, IBM Sterling Partner Engagement Manager, IBM MQ, App Connect professional, IBM WebSphere Application Server Liberty, IBM Tivoli Netcool Configuration Manager, IBM UrbanCode Build. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Angreifer könnten Juniper-Software mit Schadcode attackieren ∗∗∗ --------------------------------------------- Der Netzwerkausrüster Juniper hat unter anderem in Contrail Networking kritische Sicherheitslücken geschlossen. --------------------------------------------- https://heise.de/-7183158 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (buildah), SUSE (dovecot23 and nodejs12), and Ubuntu (harfbuzz, libhttp-daemon-perl, tiff, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/901787/ ∗∗∗ EMC Avamar: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in EMC Avamar und EMC NetWorker ausnutzen, um seine Privilegien zu erweitern, beliebigen Code auszuführen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen und einen Denial-of-Service-Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0715 ∗∗∗ QEMU: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann eine Schwachstelle in QEMU ausnutzen, um einen Denial of Service Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0713 ∗∗∗ Apache CloudStack: Schwachstelle ermöglicht Manipulation von Dateien ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Apache CloudStack ausnutzen, um vertrauliche Informationen offenzulegen, einen Denial-of-Service-Zustand auszulösen und Serverdaten zu manipulieren. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0711 ∗∗∗ Redis: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Redis ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0709 ∗∗∗ jQuery: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in jQuery ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0708 ∗∗∗ CVE-2022-30526 (Fixed): Zyxel Firewall Local Privilege Escalation ∗∗∗ --------------------------------------------- Rapid7 discovered a local privilege escalation vulnerability affecting Zyxel firewalls. The vulnerability allows a low privileged user, such as `nobody`, to escalate to `root` on affected firewalls. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/19/cve-2022-30526-fixed-zyxel-fire… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.07.2022
by Daily end-of-shift report 18 Jul '22

18 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 15-07-2022 18:00 − Montag 18-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Cybercrime und Trickbot-Leaks: "Wir zahlen Krankengeld und 13. Monatsgehalt" ∗∗∗ --------------------------------------------- Cybercrime goes Business: Ein Bewerbungsgespräch im Cybercrime-Untergrund zeigt eindrucksvoll, wie sehr sich organisiertes Verbrechen schon "normalisiert" hat. --------------------------------------------- https://heise.de/-7182800 ∗∗∗ Fake-Shop für Pellets und Brennholz kontaktiert Kund:innen auf WhatsApp ∗∗∗ --------------------------------------------- Aktuell boomen Fake-Shops für Brennholz, Pellets, Photovoltaik-Anlagen und Öfen. Der betrügerische Shop wibois.com gibt sich besonders viel Mühe, um Ihnen Geld zu stehlen. Neben professionell gestalteten Werbeanzeigen auf Facebook und Instagram, senden die Kriminellen Ihnen Bestellbestätigung und Überweisungsaufforderung auf WhatsApp. Das stiftet Vertrauen und vermittelt das Gefühl von Erreichbarkeit. Zahlen Sie nicht und blockieren Sie die Nummer! --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-fuer-pellets-und-brennholz… ∗∗∗ Mit Sality-Malware infiziertes Passwort Cracking-Tool für Industrie-Steuerungen/Leitsysteme verteilt ∗∗∗ --------------------------------------------- Cyberkriminelle bewerben in sozialen Netzwerken wohl ein Tool, mit denen Kennwörter in Industriesteuerungen (ICS, PLCs) geknackt werden können. --------------------------------------------- https://www.borncity.com/blog/2022/07/16/mit-sality-malware-infiziertes-pas… ∗∗∗ Supply Chain Attack Technique Spoofs GitHub Commit Metadata ∗∗∗ --------------------------------------------- Security researchers at Checkmarx are warning of a new supply chain attack technique that relies on spoofed commit metadata to add legitimacy to malicious GitHub repositories. --------------------------------------------- https://www.securityweek.com/supply-chain-attack-technique-spoofs-github-co… ∗∗∗ Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability ∗∗∗ --------------------------------------------- Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availability (GA) version of the Azure Storage SDK client-side encryption feature (v2) on July 12, 2022. --------------------------------------------- https://msrc-blog.microsoft.com/2022/07/18/mitigation-for-azure-storage-sdk… ∗∗∗ Month of PowerShell - Working with the Event Log, Part 3 - Accessing Message Elements ∗∗∗ --------------------------------------------- In part 3 of Working with the Event Log we look at using a third-party function to make accessing event log data much easier. --------------------------------------------- https://www.sans.org/blog/working-with-the-event-log-part-3-accessing-messa… ∗∗∗ Month of PowerShell - Working with the Event Log, Part 4 - Tweaking Event Log Settings ∗∗∗ --------------------------------------------- In this final part of this series on working with the event log in PowerShell, we look at tips and commands for tweaking event log settings. --------------------------------------------- https://www.sans.org/blog/working-with-the-event-log-part-4-tweaking-event-… ∗∗∗ Genesis - The Birth of a Windows Process (Part 2) ∗∗∗ --------------------------------------------- In this second and final part of the series, we will go through the exact flow CreateProcess carries out to launch a process on Windows using the APIs and Data Structure we discussed in Part 1. --------------------------------------------- https://fourcore.io/blogs/how-a-windows-process-is-created-part-2 ===================== = Vulnerabilities = ===================== ∗∗∗ New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain ∗∗∗ --------------------------------------------- Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," [...] --------------------------------------------- https://thehackernews.com/2022/07/new-netwrix-auditor-bug-could-let.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (mat2 and xen), Fedora (butane, caddy, clash, direnv, geoipupdate, gitjacker, golang-bug-serial-1, golang-github-a8m-envsubst, golang-github-apache-beam-2, golang-github-aws-lambda, golang-github-cespare-xxhash, golang-github-chromedp, golang-github-cloudflare, golang-github-cloudflare-redoctober, golang-github-cockroachdb-pebble, golang-github-cucumber-godog, golang-github-dreamacro-shadowsocks2, golang-github-dustinkirkland-petname, [...] --------------------------------------------- https://lwn.net/Articles/901699/ ∗∗∗ Log4J-Schwachstelle: Mittelstand schläft, DHS sieht Problem für Jahre ∗∗∗ --------------------------------------------- Die in Java ausnutzbare Log4Shell-Schwachstelle in der Log4j-Bibliothek steckt mutmaßlich in vielen Systemen bzw. Software-Paketen. Das Problem dürfte uns noch für Jahre tangieren, schätzen Experten und im deutschen Mittelstand ist das noch nicht angekommen. Auch das Department of Homeland Security [...] --------------------------------------------- https://www.borncity.com/blog/2022/07/17/log4j-schwachstelle-mittelstand-sc… ∗∗∗ SonicWall Switch Post-Authenticated Remote Code Execution ∗∗∗ --------------------------------------------- A vulnerability in SonicWall Switch 1.1.1.0-2s and earlier allows an authenticated malicious user to perform remote code execution in the host system. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0013 ∗∗∗ Festo: Controller CECC-S,LK,D family firmware 2.4.2.0 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-027/ ∗∗∗ Festo: Controller CECC-S,LK,D family <= 2.3.8.1 - multiple vulnerabilities in CODESYS V3 runtime system ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-022/ ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: The CVE-2022-34305 vulnerability in Apache Tomcat affects App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-cve-2022-34305-vulner… ∗∗∗ Security Bulletin: There are multiple vulnerabilites that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2022-0778, CVE-2021-38868, CVE-2021-29799, CVE-2021-29790, CVE-2021-29788) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-there-are-multiple-vulner… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple vulnerabilities due to its use of IBM JAVA (CVE-2021-35560, CVE-2021-35578, CVE-2021-35565, CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: An attacker that gains service access to the FSP (POWER9 only) or gains admin authority to a partition can compromise partition firmware. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-attacker-that-gains-se… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to a denial server due to its use of Apache Xerces2 (CVE-2022-23437) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL (CVE-2022-0778) affects PowerVM ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: The vulnerability CVE-2022-21299 in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-the-vulnerability-cve-202… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management Monitoring is vulnerable to multiple security vulnerabilities due to its use of NodeJS (CVE-2021-22918, CVE-2021-22960, CVE-2021-22959) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Vulnerability in async opensource package affects IBM VM Recovery Manager HA & DR GUI ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-async-op… ∗∗∗ Security Bulletin: Vulnerability in the jackson-databind component affects IBM Event Streams ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-jack… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.07.2022
by Daily end-of-shift report 15 Jul '22

15 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 14-07-2022 18:00 − Freitag 15-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Callback-Phishing: Dringender Rückruf erbeten ∗∗∗ --------------------------------------------- Angreifer geben sich in E-Mails als Sicherheitsunternehmen aus und bitten um einen Rückruf. Doch statt einer Überprüfung wird der Rechner gehackt. --------------------------------------------- https://www.golem.de/news/callback-phishing-dringender-rueckruf-erbeten-220… ∗∗∗ Android-Malware mit 3 Millionen Installationen aus Google Play entfernt ∗∗∗ --------------------------------------------- Die Android-Malware Autolycos hat es auf insgesamt drei Millionen Installationen gebracht. Nach der Entdeckung hat Google die betroffenen Apps entfernt. --------------------------------------------- https://heise.de/-7180469 ∗∗∗ Windows Autopatch ab sofort allgemein verfügbar ∗∗∗ --------------------------------------------- Automatisch abgesicherte Updates für Windows verspricht Microsoft mit Autopatch – Administratoren steht so deutlich weniger händische Arbeit ins Haus. --------------------------------------------- https://heise.de/-7180876 ∗∗∗ Was kann ich bei Problemen mit Klarna tun? ∗∗∗ --------------------------------------------- „Das Produkt ist noch gar nicht gekommen, trotzdem will Klarna, das ich bezahle.“ „Klarna schickt trotz Rücksendung Mahnungen.“ „Ich habe Ramsch bekommen, Klarna fordert aber eine Zahlung.“ Immer wieder berichten uns Konsument:innen von Problemen mit Klarna und sind ratlos. Wir zeigen Ihnen, was Sie bei ungerechtfertigten Zahlungsaufforderungen und Mahnungen von Klarna tun können. --------------------------------------------- https://www.watchlist-internet.at/news/was-kann-ich-bei-problemen-mit-klarn… ∗∗∗ YouTuber-Cash: Vorsicht vor Abzocke ∗∗∗ --------------------------------------------- YouTube-Videos schauen und damit Geld verdienen? Angebote wie das von youtuber.ltd klingen verlockend, doch statt der Auszahlung warten Abzocke-Maschen auf Sie. Vertrauen Sie keinen Versprechen online, schnell viel Geld zu verdienen! Die Kriminellen, die hinter diesen Angeboten stecken sind lediglich auf Ihre Daten oder Ihr Geld aus. --------------------------------------------- https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/ ∗∗∗ WordPress: Schwachstelle in Kaswara Modern WPBakery Page Builder wird angegriffen ∗∗∗ --------------------------------------------- WordPress-Nutzer, die das Kaswara Modern WPBakery Page Builder im Einsatz haben, sollten zügig handeln. In älteren Fassungen ist die Schwachstelle CVE-2021-24284 enthalten, die eine Übernahme der WordPress-Installation ermöglicht. --------------------------------------------- https://www.borncity.com/blog/2022/07/15/wordpress-schwachstelle-in-kaswara… ∗∗∗ New Phishing Kit Hijacks WordPress Sites for PayPal Scam ∗∗∗ --------------------------------------------- Attackers use scam security checks to steal victims government documents, photos, banking information, and email passwords, researchers warn. --------------------------------------------- https://www.darkreading.com/attacks-breaches/new-phishing-kit-hijacks-wordp… ∗∗∗ The real reason why malware detection is hard—and underestimated ∗∗∗ --------------------------------------------- Researchers develop an AI with a 98% malware detection rate and 5% false positive rate. If you think this is a splendid technology for antivirus software, this article might change your mind. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/06/37445-malware-detection-is-hard ∗∗∗ Month of PowerShell: Working with Log Files ∗∗∗ --------------------------------------------- In this article we look at how we can leverage PowerShells object-passing pipeline to parse and retrieve data from an IIS web server log file. --------------------------------------------- https://www.sans.org/blog/powershell-working-with-log-files ∗∗∗ Software Vendors Start Patching Retbleed CPU Vulnerabilities ∗∗∗ --------------------------------------------- Vendors have started rolling out software updates to address the recently disclosed Retbleed speculative execution attack targeting Intel and AMD processors. --------------------------------------------- https://www.securityweek.com/software-vendors-start-patching-retbleed-cpu-v… ∗∗∗ Powerful Mantis DDoS Botnet Hits 1,000 Organizations in One Month ∗∗∗ --------------------------------------------- Web protection firm Cloudflare warns that a small but powerful botnet has launched distributed denial-of-service (DDoS) attacks on roughly 1,000 organizations over the past month alone. --------------------------------------------- https://www.securityweek.com/powerful-mantis-ddos-botnet-hits-1000-organiza… ∗∗∗ Digium Phones Under Attack: Insight Into the Web Shell Implant ∗∗∗ --------------------------------------------- We witnessed more than 500,000 unique samples of malicious traffic targeting Digium Asterisk software for VoIP phone devices. --------------------------------------------- https://unit42.paloaltonetworks.com/digium-phones-web-shell/ ∗∗∗ CVE-2022-30136: Microsoft Windows Network File System v4 Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Guy Lederfein and Quintin Crist of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Microsoft Windows operating system, originally discovered and reported by Yuki Chen. The bug is found in the implementation of Network File System (NFS)and is due to improper handling of NFSv4 requests. An unauthenticated attacker could exploit this bug to execute arbitrary code in the context of SYSTEM. --------------------------------------------- https://www.thezdi.com/blog/2022/7/13/cve-2022-30136-microsoft-windows-netw… ===================== = Vulnerabilities = ===================== ∗∗∗ Security Update Available for Adobe InDesign APSB22-30 ∗∗∗ --------------------------------------------- Adobe has released a security update for Adobe InDesign. This update addresses multiple critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. --------------------------------------------- https://helpx.adobe.com/security/products/indesign/apsb22-30.html ∗∗∗ Security Update Available for Adobe InCopy APSB22-29 ∗∗∗ --------------------------------------------- Adobe has released a security update for Adobe InCopy. This update addresses multiple  critical and an important vulnerability. Successful exploitation could lead to arbitrary code execution and memory leak. --------------------------------------------- https://helpx.adobe.com/security/products/incopy/apsb22-29.html ∗∗∗ ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access ∗∗∗ --------------------------------------------- ABB is aware of private reports of a vulnerability in the flow computer and remote controller product versions listed above. A flash update is available that resolves the vulnerability in the product versions listed above. Mitigation can be accomplished by proper network segmentation [...] --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&Lan… ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (webkit2gtk and wpewebkit), Fedora (curl, kernel, openssl1.1, php, subversion, xorg-x11-server, and xorg-x11-server-Xwayland), Oracle (grub2), SUSE (gnutls, kernel, logrotate, oracleasm, p11-kit, and python-PyJWT), and Ubuntu (libhttp-daemon-perl and python2.7, python3.10, python3.4, python3.5, python3.6, python3.8, python3.9). --------------------------------------------- https://lwn.net/Articles/901412/ ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Grafana ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen und Sicherheitsmaßnahmen zu umgehen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0696 ∗∗∗ SonicWall Hosted Email Security Capture ATP Bypass ∗∗∗ --------------------------------------------- Improperly Implemented Security Check vulnerability in the SonicWall Hosted Email Security leads to bypass of Capture ATP security service in the appliance. --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0014 ∗∗∗ OpenSSL c_rehash script allows command injection CVE-2022-1292 ∗∗∗ --------------------------------------------- A critical vulnerability (CVE-2022-1292) was found in OpenSSL c_rehash script. This is due to shell metacharacters not being properly sanitized, resulting in command injection. An attacker could execute arbitrary commands with the privileges of the script. After review, it has been determined that vulnerability tracked as CVE-2022-1292 is not applicable to the SonicWall product suite. However, SonicWall has decided to update the impacted OpenSSL package to the fixed version (OpenSSL 1.1.1o) [...] --------------------------------------------- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011 ∗∗∗ SolarWinds Dameware: Schwachstelle ermöglicht Nutzerzugriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0697 ∗∗∗ Mattermost: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0695 ∗∗∗ Autodesk AutoCAD: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0694 ∗∗∗ Security Bulletin: Denial of Service vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2020-35618 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-denial-of-service-vulnera… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by FasterXML jackson-databind vulnerabilities (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed… ∗∗∗ Security Bulletin: Vulnerability in Json-schema library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-json-sch… ∗∗∗ Security Bulletin: Vulnerability in Axios affects IBM Process Mining . CVE-2022-1214 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-axios-af… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by follow-redirects vulnerabilities (CVE-2022-0155 and CVE-2022-0536) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.07.2022
by Daily end-of-shift report 14 Jul '22

14 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 13-07-2022 18:00 − Donnerstag 14-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Month of PowerShell - Working with the Event Log, Part 2 - Threat Hunting with Event Logs ∗∗∗ --------------------------------------------- We continue our look at working with the Windows event log using PowerShell with 10 threat hunting techniques. --------------------------------------------- https://www.sans.org/blog/working-with-event-log-part-2-threat-hunting-with… ∗∗∗ Introducing Decompiler Explorer ∗∗∗ --------------------------------------------- Today, we’re releasing a little side project a few of our developers have been working with the community on: the Decompiler Explorer! This new (free, open source) web service lets you compare the output of different decompilers on small executables. In other words: It’s basically the same thing as Matt Godbolt’s awesome Compiler Explorer, but in reverse. --------------------------------------------- https://binary.ninja/2022/07/13/introducing-decompiler-explorer.html ∗∗∗ CVE-2022-29885 - Dont Open That Port - A Denial Of Service vulnerability on Apache Tomcat Cluster Service Listener ∗∗∗ --------------------------------------------- While performing the analysis I discovered that this was a part of a research made by 4ra1n, who reported the issue to the Apache Tomcat Security Team on 17 April 2022 and marked as CVE-2022-29885. Nonetheless, I had no luck finding a suitable PoC of the vulnerability. --------------------------------------------- https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/ ∗∗∗ Genesis - The Birth of a Windows Process (Part 1) ∗∗∗ --------------------------------------------- This is the first part of a two part series. In this post, I cover how Windows spawns a process, the various APIs and data structures involved and different types of processess available on Windows. The Windows API provides several functions for creating a process. We will go through some of the important APIs and structures Win32 offers before diving into the process creation procedure. --------------------------------------------- https://fourcore.io/blogs/how-a-windows-process-is-created-part-1 ∗∗∗ Exploiting Arbitrary Object Instantiations in PHP without Custom Classes ∗∗∗ --------------------------------------------- PHP’s Arbitrary Object Instantiation is a flaw in which an attacker can create arbitrary objects. This flaw can come in all shapes and sizes. --------------------------------------------- https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/ ∗∗∗ “RedAlert,” LILITH and 0mega leading a wave of Ransomware Campaigns ∗∗∗ --------------------------------------------- Multiple new ransomware groups have surfaced recently, highlighting the adoption of ransomware attacks by TAs for monetary gains. --------------------------------------------- https://blog.cyble.com/2022/07/12/new-ransomware-groups-on-the-rise/ ∗∗∗ Office-Nutzer im Visier: Phishing-Kampagne umgeht Multi-Faktor-Authentifizierung ∗∗∗ --------------------------------------------- Microsofts Sicherheitsforscher haben eine große Phishing-Kampagne aufgedeckt. Dabei stehlen Angreifer Session-Cookies, um MFA-Schutzmaßnahmen zu umgehen. --------------------------------------------- https://heise.de/-7179750 ∗∗∗ PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability ∗∗∗ --------------------------------------------- The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin. --------------------------------------------- https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-buil… ∗∗∗ YouTuber-Cash: Vorsicht vor Abzocke ∗∗∗ --------------------------------------------- YouTube-Videos schauen und damit Geld verdienen? Angebote wie das von youtuber.ltd klingen verlockend, doch statt der Auszahlung warten Abzocke-Maschen auf Sie. Vertrauen Sie keinen Versprechen online, schnell viel Geld zu verdienen! --------------------------------------------- https://www.watchlist-internet.at/news/youtuber-cash-vorsicht-vor-abzocke/ ===================== = Vulnerabilities = ===================== ∗∗∗ X.org servers update closes 2 security holes, adds neat component tweaks ∗∗∗ --------------------------------------------- Arbitrary code execution flaws in the X Keyboard Extension were bad news X.org has released a bunch of updates, which includes closing two security holes and, yes, this affects Wayland users too. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/07/13/xorg_servers… ∗∗∗ Tableau Server Leaks Sensitive Information From Reflected XSS ∗∗∗ --------------------------------------------- GoSecure Titan Labs has identified a vulnerability within the Tableau Server that could allow malicious actors to extract sensitive data from the application. Tableau Server is an analytics platform owned by Salesforce used to see and understand data. --------------------------------------------- https://www.gosecure.net/blog/2022/07/13/tableau-server-leaks-sensitive-inf… ∗∗∗ IBM Security Bulletins 2022-07-13 ∗∗∗ --------------------------------------------- IBM Db2, IBM MQ Appliance, IBM i, IBM WebSphere Application Server, IBM Engineering Lifecycle Optimization, IBM Cloud Pak, IBM Netezza Platform, IBM Security Verify Information Queue, IBM Security Verify Governance. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Lücke in VMware vCenter Server und Cloud Foundation zum Teil abgedichtet ∗∗∗ --------------------------------------------- In VMwares vCenter Server und der Cloud Foundation klafft eine Sicherheitslücke in der Integrated Windows Authentication. Nun gibt es ein Software-Update. --------------------------------------------- https://heise.de/-7179181 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (request-tracker4), Fedora (kernel and vim), Mageia (gerbv, gnupg2, pgadmin4, and python-coookiecutter), Slackware (xorg), SUSE (cifs-utils, gmp, gnutls, libnettle, kernel, libsolv, libzypp, zypper, logrotate, openssl-1_1, opera, squid, and virglrenderer), and Ubuntu (ca-certificates, git, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux-raspi2, linux-snapdragon, linux, linux-aws, linux-azure, linux-azure-5.4, linux-azure-fde, linux-gke, linux-gkeop, linux-hwe-5.4, linux-ibm, linux-kvm, linux, linux-aws, linux-azure, linux-gcp, linux-gke, linux-ibm, linux-kvm, linux-lowlatency, linux-oracle, linux-aws, linux-oem-5.14, and vim). --------------------------------------------- https://lwn.net/Articles/901190/ ∗∗∗ UEFI-Firmware-Bug gefährdet über 70 Lenovo Notebooks (Juli 2022) ∗∗∗ --------------------------------------------- Hinweis für Blog-Leser und -Leserinnen, die Notebooks von Lenovo (und IBM) verwenden. Sicherheitsforscher von ESET haben gravierenden Schwachstellen in der UEFI-Firmware von Lenovo Notebooks gefunden, die eine Übernahme des Betriebssystems in der frühen Boot-Phase ermöglicht. --------------------------------------------- https://www.borncity.com/blog/2022/07/14/uefi-firmware-bug-gefhrdet-ber-70-… ∗∗∗ Internet Explorer 11: Update KB5015805 (12. Juli 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 12. Juli 2022 ein Sicherheitsupdate (KB5015805) für den Internet Explorer freigegeben. Dieses ist aber nur für ausgesuchte Windows-Versionen als kumulatives Update separat erhältlich. Hier ein Überblick über diesen Patch, der Schwachstellen im Browser schließen soll. --------------------------------------------- https://www.borncity.com/blog/2022/07/14/internet-explorer-11-update-kb5015… ∗∗∗ Entity Print - Moderately critical - Multiple: Remote Code Execution, Information disclosure - SA-CONTRIB-2022-048 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-048 ∗∗∗ K14335949: Intel processors vulnerability CVE-2022-24436 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14335949 ∗∗∗ K43357358: AMD processors vulnerability CVE-2022-23823 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K43357358 ∗∗∗ Juniper JUNOS (EX, MX, PTX, QFX Series): Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0684 ∗∗∗ Juniper JUNOS (Verschiedene Plattformen): Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0683 ∗∗∗ Lenovo XClarity: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0687 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 13.07.2022
by Daily end-of-shift report 13 Jul '22

13 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 12-07-2022 18:00 − Mittwoch 13-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud ∗∗∗ --------------------------------------------- A large-scale phishing campaign that attempted to target over 10,000 organizations since September 2021 used adversary-in-the-middle (AiTM) phishing sites to steal passwords, hijack a user’s sign-in session, and skip the authentication process, even if the user had enabled multifactor authentication (MFA). --------------------------------------------- https://www.microsoft.com/security/blog/2022/07/12/from-cookie-theft-to-bec… ∗∗∗ Using Referers to Detect Phishing Attacks, (Wed, Jul 13th) ∗∗∗ --------------------------------------------- Referers are useful information for webmasters and system administrators that would like to have a better overview of the visitors browsing their websites. The referer is an HTTP header that identifies the address of the web page from which the resource has been requested. --------------------------------------------- https://isc.sans.edu/diary/rss/28836 ∗∗∗ Infected WordPress Site Reveals Malicious C&C Script ∗∗∗ --------------------------------------------- Cryptomining infections accounted for less than 4% of total detections last year. Despite the fact that CoinHive – one of the most popular JavaScript based miners – shut down its operations in 2019, we still find occasional infections on compromised environments during remote and server-side scans. --------------------------------------------- https://blog.sucuri.net/2022/07/infected-wordpress-site-reveals-malicious-c… ∗∗∗ Researchers Uncover New Attempts by Qakbot Malware to Evade Detection ∗∗∗ --------------------------------------------- The operators behind the Qakbot malware are transforming their delivery vectors in an attempt to sidestep detection. --------------------------------------------- https://thehackernews.com/2022/07/researchers-uncover-new-attempts-by.html ∗∗∗ Open-Source-Tool von Microsoft erstellt "Software Bill of Materials" ∗∗∗ --------------------------------------------- Das SBOM-Tool Salus listet alle Komponenten und Dependencies von Projekten auf, um potenzielle Schwachstellen in der Software Supply Chain aufzuspüren. --------------------------------------------- https://heise.de/-7177889 ∗∗∗ Vorsicht vor Fake-Shops am Energiesektor! ∗∗∗ --------------------------------------------- Zahlreichen Fake-Shops mit Brennholz, lassen Kriminelle nun Photovoltaik-Shops wie solanex.de und solarnetz.at folgen. Die aktuelle Energiekrise soll offenbar maximal ausgenützt werden. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-shops-am-energiese… ∗∗∗ Cobalt Strike Analysis and Tutorial: CS Metadata Encryption and Decryption ∗∗∗ --------------------------------------------- We show how metadata encryption and decryption contributes to making Cobalt Strike an effective emulator that is difficult to defend against. --------------------------------------------- https://unit42.paloaltonetworks.com/cobalt-strike-metadata-encryption-decry… ===================== = Vulnerabilities = ===================== ∗∗∗ AMD Prozessoren: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in AMD Prozessoren ausnutzen, um beliebigen Programmcode auszuführen oder Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0665 ∗∗∗ Intel Prozessoren: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Intel Prozessoren ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0650 ∗∗∗ Microsoft Security Update Summary (12. Juli 2022) ∗∗∗ --------------------------------------------- Am 12. Juli 2022 hat Microsoft Sicherheitsupdates für Windows-Clients und -Server, für Office usw. – sowie für weitere Produkte – veröffentlicht. Die Sicherheitsupdates beseitigen zudem 84 Schwachstellen, davon einen 0-day. --------------------------------------------- https://www.borncity.com/blog/2022/07/12/microsoft-security-update-summary-… ∗∗∗ Adobe dichtet teils kritische Lücken ab ∗∗∗ --------------------------------------------- In Adobe Acrobat und Reader, Photoshop, RoboHelp und Character Animator schließt der Hersteller Sicherheitslücken. Einige sind kritisch. --------------------------------------------- https://heise.de/-7177696 ∗∗∗ IBM Security Bulletins 2022-07-12 ∗∗∗ --------------------------------------------- IBM Answer Retrieval for Watson Discovery, IBM Event Streams, IBM QRadar Network Security, IBM Cloud, Content Manager OnDemand, IBM Rational Build Forge, IBM App Connect Enterprise, IBM Sterling Connect, Digital Certificate Manager, Enterprise Content Management System Monitor. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (xen), Mageia (x11-server), SUSE (chromium, kernel, pcre, pcre2, squid, and xorg-x11-server), and Ubuntu (gnupg, gnupg2, uriparser, xorg-server, xorg-server-hwe-16.04, and xorg-server, xorg-server-hwe-18.04, xwayland). --------------------------------------------- https://lwn.net/Articles/901029/ ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Ruby on Rails ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0662 ∗∗∗ ZDI-22-968: BMC Track-It! HTTP Module Improper Access Control Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-968/ ∗∗∗ ZDI-22-967: BMC Track-It! GetPopupSubQueryDetails SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-967/ ∗∗∗ VMSA-2022-0020 - VMware ESXi addresses Return-Stack-Buffer-Underflow and Branch Type Confusion vulnerabilities ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0020.html ∗∗∗ VMSA-2022-0019 - VMware vRealize Log Insight contains multiple stored cross-site scripting vulnerabilities ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0019.html ∗∗∗ VMSA-2022-0018 - VMware vCenter Server updates address a server-side request forgery vulnerability ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0018.html ∗∗∗ Dahua ASI7213X-T1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-193-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 12.07.2022
by Daily end-of-shift report 12 Jul '22

12 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 11-07-2022 18:00 − Dienstag 12-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ IBM-Middleware: Schwachstelle in MQ kann zu Rechtausweitung führen ∗∗∗ --------------------------------------------- Mehrere Sicherheitslücken in IBM MQ ermöglichen Angreifern, ihre Rechte an betroffenen Systemen auszuweiten oder diese lahmzulegen. Updates stehen bereit. --------------------------------------------- https://heise.de/-7169603 ∗∗∗ Wurm-Infektion: Malware-Kampagne Raspberry Robin befällt Windows und Qnap-NAS ∗∗∗ --------------------------------------------- IT-Forscher von Cybereason haben einen Netzwerkwurm entdeckt, der sich auf Windows- und Qnap-Geräten verbreitet. Sie nennen die Kampagne Raspberry Robin. --------------------------------------------- https://heise.de/-7170350 ∗∗∗ Month of PowerShell: Threat Hunting with PowerShell Differential Analysis ∗∗∗ --------------------------------------------- One of the most powerful techniques for threat hunting on Windows: differential analysis. --------------------------------------------- https://www.sans.org/blog/threat-hunting-with-powershell-differential-analy… ∗∗∗ CVE-2022-29593- Authentication Bypass by Capture Replay (Dingtian-DT-R002) ∗∗∗ --------------------------------------------- This blog post describes an authentication bypass within one such device, that allows an attacker with access to the IP network the ability to capture and subsequently replay discrete device commands, which allows for the switching on and off the physical relays on the device. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2022-29… ∗∗∗ Exploiting Authentication in AWS IAM Authenticator for Kubernetes ∗∗∗ --------------------------------------------- During my research on the AWS IAM Authenticator component, I found several flaws in the authentication process that could bypass the protection against replay attacks or allow an attacker to gain higher permissions in the cluster by impersonating other identities. --------------------------------------------- https://blog.lightspin.io/exploiting-eks-authentication-vulnerability-in-aw… ∗∗∗ Scanning for security.txt files ∗∗∗ --------------------------------------------- RFC 9116 was written by E. Foudil and Y. Shafranovich and left draft status in April 2022. This RFC formally defines the unofficial security.txt file that has been an unofficial standard for many years, initially created back in 2017 and documented at https://securitytxt.org/. --------------------------------------------- https://www.pentestpartners.com/security-blog/scanning-for-security-txt-fil… ∗∗∗ ChromeLoader: New Stubborn Malware Campaign ∗∗∗ --------------------------------------------- A malicious browser extension is the payload of the ChromeLoader malware family, serving as adware and an infostealer, leaking users’ search queries. --------------------------------------------- https://unit42.paloaltonetworks.com/chromeloader-malware/ ∗∗∗ Is exploiting a null pointer deref for LPE just a pipe dream? ∗∗∗ --------------------------------------------- A lot of blog posts I have read go over interesting vulnerabilities and exploits but do not typically share the process behind discovery. I want to show how sometimes just manually poking around can quickly uncover vulnerabilities you might miss with other approaches to vulnerability discovery. --------------------------------------------- https://www.thezdi.com/blog/2022/6/1/is-exploiting-a-null-pointer-deref-for… ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-962: Trend Micro Maximum Security Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows local attackers to disclose sensitive information on affected installations of Trend Micro Maximum Security. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-962/ ∗∗∗ Siemens ProductCERT published 19 and updated 15 advisories/bulletins ∗∗∗ --------------------------------------------- Opcenter Quality, SINAMICS PERFECT HARMONY GH180 Drives, EN100 Ethernet Module, RUGGEDCOM ROS, SIMATIC WinCC, Teamcenter Visualization, JT2Go, Industrial Products, TIA Administrator, Mendix Excel Importer Module, RUGGEDCOM ROX, SIMATIC eaSie Core Package, SCALANCE X Switches, SIMATIC CP Devices, Mendix Applications, SICAM A8000 Devicesm Simcenter Femap, PROFINET Stack, PADS Standard/Plus Viewer, SIMATIC S7-1500, Mendix, SIMATIC MV500 Devices, OPC Foundation Local Discovery Server, OPC-UA, Parasolid, SICAM GridEdge. --------------------------------------------- https://new.siemens.com/global/en/products/services/cert.html?d=2022-07#Sec… ∗∗∗ SAP-Patchday: 20 neue Sicherheitslücken im Juli abgedichtet ∗∗∗ --------------------------------------------- Mit den Updates zum Juli-Patchday schließt SAP 20 neue Sicherheitslücken. Zudem aktualisiert der Hersteller drei ältere Security-Bulletins. --------------------------------------------- https://heise.de/-7170698 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium), Mageia (openssl and webkit2), Slackware (seamonkey), SUSE (crash, curl, freerdp, ignition, libnbd, and python3), and Ubuntu (dovecot and python-ldap). --------------------------------------------- https://lwn.net/Articles/900855/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address 59 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric have released their Patch Tuesday security advisories for July 2022, with a total of 13 advisories describing 59 vulnerabilities. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ TYPO3-EXT-SA-2022-014: SQL Injection in extension "LUX - TYPO3 Marketing Automation" (lux) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-014 ∗∗∗ MariaDB: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0641 ∗∗∗ Symantec Advanced Secure Gateway: Schwachstelle ermöglicht Manipulation und Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0638 ∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-24921) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go… ∗∗∗ Security Bulletin: IBM Security SiteProtector System is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-siteprotecto… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security issues due to Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-gover… ∗∗∗ Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulner… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to Node.js ejs module (CVE-2022-29078) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2022-0778 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM Security Verify Information Queue uses Apache LDAP API with a known vulnerability (CVE-2018-1337) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-verify-infor… ∗∗∗ Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-modernization-engin… ∗∗∗ Security Bulletin: A security vulnerability has been identified in Postgresql shipped with IBM Tivoli Netcool Impact (CVE-2022-26520, CVE-2022-21724, WS-2022-0080) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-security-vulnerability-… ∗∗∗ Security Bulletin: Vulnerabilities in the Golang language affect IBM Event Streams (CVE-2022-29526) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-go… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty is vulnerable to Identity Spoofing (CVE-2022-22476) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM MQ for HPE NonStop Server is affected by OpenSSL vulnerability CVE-2021-4160 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-for-hpe-nonstop-se… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.07.2022
by Daily end-of-shift report 11 Jul '22

11 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 08-07-2022 18:00 − Montag 11-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ New 0mega ransomware targets businesses in double-extortion attacks ∗∗∗ --------------------------------------------- A new ransomware operation named 0mega targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-0mega-ransomware-targets… ∗∗∗ Hackers Exploiting Follina Bug to Deploy Rozena Backdoor ∗∗∗ --------------------------------------------- A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. --------------------------------------------- https://thehackernews.com/2022/07/hackers-exploiting-follina-bug-to.html ∗∗∗ Raspberry Robin Windows Worm Abuses QNAP Devices ∗∗∗ --------------------------------------------- A recently discovered Windows worm is abusing compromised QNAP network-attached storage (NAS) devices as stagers to spread to new systems, according to Cybereason. Dubbed Raspberry Robin, the malware was initially spotted in September 2021, spreading mainly via removable devices, such as USB drives. --------------------------------------------- https://www.securityweek.com/raspberry-robin-windows-worm-abuses-qnap-devic… ∗∗∗ The History and Evolution of Zero Trust ∗∗∗ --------------------------------------------- “The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning”. --------------------------------------------- https://www.securityweek.com/history-and-evolution-zero-trust ∗∗∗ WhatsApp: Kriminelle geben sich als Ihr Kind aus ∗∗∗ --------------------------------------------- „Hallo Papa. Mein Handy ist kaputt. Das ist meine neue Nummer.“ Vorsicht: Diese Nachricht könnte von Kriminellen stammen. Werden Sie um eine Überweisung gebeten, handelt es sich eindeutig um Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/whatsapp-kriminelle-geben-sich-als-i… ∗∗∗ SELECT XMRig FROM SQLServer ∗∗∗ --------------------------------------------- Over the month of March, we observed a cluster of activity targeting MSSQL servers. The activity started via password brute force attempts for the MSSQL SA account. These brute force attempts were observed repeatedly over the month. --------------------------------------------- https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitslücken in node.js abgedichtet ∗∗∗ --------------------------------------------- Neue Versionen der node.js-Laufzeitumgebung beheben sicherheitskritische Fehler mit hohem Risiko. Angreifer könnten Opfern dadurch Schadcode unterjubeln. --------------------------------------------- https://heise.de/-7167912 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (php7.4), Fedora (gerbv, kernel, openssl, and podman-tui), Oracle (squid:4), Slackware (wavpack), and SUSE (apache2, chafa, containerd, docker and runc, fwupd, fwupdate, libqt5-qtwebengine, oracleasm, and python). --------------------------------------------- https://lwn.net/Articles/900670/ ∗∗∗ vim: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in vim ausnutzen, um einen Denial of Service Angriff durchzuführen, beliebigen Code auszuführen, Speicher zu verändern und vertrauliche Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0630 ∗∗∗ ZDI-22-959: (0Day) Vinchin Backup and Recovery MySQL Server Use of Hard-coded Credentials Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-959/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: CVE-2021-23337 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23337/ ∗∗∗ Security Bulletin: CVE-2020-28500 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-28500/ ∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203-2/ ∗∗∗ Security Bulletin: IBM Content Manager Enterprise Edition is is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-content-manager-enter… ∗∗∗ Security Bulletin: IBM CICS TX Standard is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-standard-is-v… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to vulnerabilities from Golang Go and IBM WebSphere Application Server Liberty (CVE-2021-39293 and CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to an issue in OPM and Golang Go packages (CVE-2020-15257, CVE-2021-21334 and CVE-2021-41771) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue… ∗∗∗ Security Bulletin: CVE-2020-8203 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-8203/ ∗∗∗ Security Bulletin: CVE-2021-23369 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-23369/ ∗∗∗ Security Bulletin: CVE-2020-7774 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-7774/ ∗∗∗ Security Bulletin: IBM CICS TX Advanced is vulnerable to HTML injection (CVE-2022-34160) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cics-tx-advanced-is-v… ∗∗∗ K40582331: Apache HTTP server vulnerability CVE-2022-28615 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K40582331 ∗∗∗ K08006936: Apache Commons Configuration vulnerability CVE-2022-33980 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K08006936 ∗∗∗ K74251611: Linux kernel vulnerability CVE-2021-38166 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K74251611 ∗∗∗ K36462841: Linux kernel vulnerability CVE-2018-18281 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K36462841 ∗∗∗ ILIAS: Schwachstelle ermöglicht Erlangen von Benutzerrechten ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0629 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.07.2022
by Daily end-of-shift report 08 Jul '22

08 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 07-07-2022 18:00 − Freitag 08-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Gesundheitseinrichtungen im Visier nordkoreanischer Cyberkrimineller ∗∗∗ --------------------------------------------- US-amerikanische Sicherheitsbehörden warnen vor der Maui-Ransomware. Mit ihr greifen nordkoreanische Cybergangs Organisationen des Gesundheitswesens an. --------------------------------------------- https://heise.de/-7166692 ∗∗∗ Free decryptor released for AstraLocker, Yashma ransomware victims ∗∗∗ --------------------------------------------- New Zealand-based cybersecurity firm Emsisoft has released a free decryption tool to help AstraLocker and Yashma ransomware victims recover their files without paying a ransom. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ SiteCheck Malware Trends Report – Q2 2022 ∗∗∗ --------------------------------------------- Conducting an external website scan for indicators of compromise is one of the easiest ways to identify security issues. While remote scanners may not provide as comprehensive of a scan as server-side scanners, they allow users to instantly identify malicious code and detect security issues on their website without installing any software or applications. --------------------------------------------- https://blog.sucuri.net/2022/07/sitecheck-malware-trends-report-q2-2022.html ∗∗∗ Over 1,200 NPM Packages Found Involved in "CuteBoi" Cryptomining Campaign ∗∗∗ --------------------------------------------- Researchers have disclosed what they say could be an attempt to kick-off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts. --------------------------------------------- https://thehackernews.com/2022/07/over-1200-npm-packages-found-involved.html ∗∗∗ Koh: The Token Stealer ∗∗∗ --------------------------------------------- In this post I will introduce a toolkit called Koh that can indefinitely (..) harvest and reuse tokens for accounts that connect to a machine you have administrative rights on. I’ll go over the motivation for this approach, the technical background of why it’s possible and what changed in 2016, and briefly show what Koh can do. --------------------------------------------- https://posts.specterops.io/koh-the-token-stealer-41ca07a40ed6 ∗∗∗ New HavanaCrypt Ransomware Distributed as Fake Google Software Update ∗∗∗ --------------------------------------------- Security researchers at Trend Micro have identified a new ransomware family that is being delivered as a fake Google Software Update application. --------------------------------------------- https://www.securityweek.com/new-havanacrypt-ransomware-distributed-fake-go… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-07-07 ∗∗∗ --------------------------------------------- IBM QRadar Network Security, IBM Engineering Lifecycle Management, IBM Rational Build Forge, IBM Tivoli Netcool/Omnibus, IBM Tivoli Network Manager, IBM Engineering Lifecycle Management, IBM CICS TX Standard, IBM CICS TX Advanced, IBM WebSphere Application Server Liberty, IBM Security Verify Information Queue, IBM Event Streams. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Sicherheitsupdates: Root-Lücke in Dell-EMC-Software geschlossen ∗∗∗ --------------------------------------------- Angreifer könnten Systeme mit Dell PowerProtect Cyber Recovery oder Cloud Mobility for Dell EMC Storage attackieren. Hiergegen gibt es jetzt ein Update. --------------------------------------------- https://heise.de/-7166118 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (direnv, golang-github-mattn-colorable, matrix-synapse, pypy3.7, pypy3.8, and pypy3.9), Oracle (squid), SUSE (curl, openssl-1_1, pcre, python-ipython, resource-agents, and rsyslog), and Ubuntu (nss, php7.2, and vim). --------------------------------------------- https://lwn.net/Articles/900443/ ∗∗∗ NetApp ActiveIQ Unified Manager: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in NetApp ActiveIQ Unified Manager ausnutzen, um Informationen offenzulegen, Daten zu manipulieren oder zu verändern und einen Denial of Service Zustand auszulösen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0608 ∗∗∗ Red Hat FUSE: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer, authentisierter oder lokaler Angreifer kann mehrere Schwachstellen in Red Hat FUSE ausnutzen, um vertrauliche Informationen offenzulegen, beliebigen Code auszuführen, einen Denial of Service Zustand herbeizuführen, Sicherheitsmaßnahmen zu umgehen, Daten und Informationen zu manipulieren und seine Privilegien zu erweitern. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0607 ∗∗∗ July 7th 2022 Security Releases ∗∗∗ --------------------------------------------- Updates are now available for the v18.x, v16.x, and v14.x Node.js release [...] --------------------------------------------- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases ∗∗∗ Exploitation of Mitel MiVoice Connect SA CVE-2022-29499 ∗∗∗ --------------------------------------------- Mitel MiVoice Connect customers who use vulnerable versions of the Service Appliance in their deployments should update to a fixed version of the appliance immediately. Mitel released patches for CVE-2022-29499 in early June 2022; organizations that have not updated the firmware on their appliances since before that timeframe should apply fixes as soon as possible. Appliances should not be exposed to the open internet. --------------------------------------------- https://www.rapid7.com/blog/post/2022/07/07/exploitation-of-mitel-mivoice-c… ∗∗∗ ZDI-22-955: Sante PACS Server SQL Injection Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-955/ ∗∗∗ K06524534: Linux kernel vulnerability CVE-2021-22555 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K06524534 ∗∗∗ K49622415: Apache Tomcat vulnerability CVE-2022-25762 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K49622415 ∗∗∗ 10 Vulnerabilities Found in Widely Used Robustel Industrial Routers ∗∗∗ --------------------------------------------- https://www.securityweek.com/10-vulnerabilities-found-widely-used-robustel-… ∗∗∗ Eclipse Jetty: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0614 ∗∗∗ Foxit PDF Editor: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0613 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0622 ∗∗∗ Rockwell Automation MicroLogix ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-188-01 ∗∗∗ Bently Nevada ADAPT 3701/4X Series and 60M100 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-188-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.07.2022
by Daily end-of-shift report 07 Jul '22

07 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 06-07-2022 18:00 − Donnerstag 07-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Ransomware, hacking groups move from Cobalt Strike to Brute Ratel ∗∗∗ --------------------------------------------- Hacking groups and ransomware operations are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit to evade detection by EDR and antivirus solutions. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-hacking-groups-mo… ∗∗∗ Online programming IDEs can be used to launch remote cyberattacks ∗∗∗ --------------------------------------------- Security researchers are warning that hackers can abuse online programming learning platforms to remotely launch cyberattacks, steal data, and scan for vulnerable devices, simply by using a web browser. --------------------------------------------- https://www.bleepingcomputer.com/news/security/online-programming-ides-can-… ∗∗∗ Automating binary vulnerability discovery with Ghidra and Semgrep ∗∗∗ --------------------------------------------- Semgrep is a static analysis tool that works on source code, but thanks to Haruspex we can leverage its power also against closed source binaries. --------------------------------------------- https://security.humanativaspa.it/automating-binary-vulnerability-discovery… ∗∗∗ Liste betrügerischer Investitionsplattformen ∗∗∗ --------------------------------------------- Betrügerische Investitionsplattformen versprechen hohe Gewinne – risikofrei und ohne Finanzwissen. Der Handel erfolgt automatisiert oder mit persönlicher Beratung. Bereits mit kleinen Investitionen können angeblich hohe Gewinne erzielt werden. Klingt sehr verlockend, ist aber Betrug! --------------------------------------------- https://www.watchlist-internet.at/news/liste-betruegerischer-investitionspl… ∗∗∗ AsyncRAT Being Distributed to Vulnerable MySQL Servers ∗∗∗ --------------------------------------------- The ShadowServer foundation has recently released a report showing that there are about 3.6 million MySQL servers exposed to outside. --------------------------------------------- https://asec.ahnlab.com/en/36315/ ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt aktualisieren! Codeschmuggel durch Lücke in OpenSSL möglich∗∗∗ --------------------------------------------- Die gravierendere Schwachstelle betrifft OpenSSL 3.0.4, das am 21. Juni veröffentlicht wurde. Darin haben die Entwickler laut eigener Beschreibung einen ernsthaften Fehler eingebaut, der die RSA-Implementierung auf Prozessoren mit Unterstützung für die AVX-512 IFMA-Befehlssatzerweiterung betrifft. Die Implementierung mit privaten Schlüsseln mit 2048-Bit ist nicht korrekt und ein Speicherfehler tritt bei der Berechnung auf. Ein Angreifer könnte als Folge davon aus dem Internet Code einschleusen und ausführen (CVE-2022-2274, noch kein CVSS-Score, Risiko "hoch"). --------------------------------------------- https://www.heise.de/news/Jetzt-aktualisieren-Codeschmuggel-durch-Luecke-in… ∗∗∗ Cisco Security Advisories 2022-07-06 ∗∗∗ --------------------------------------------- Cisco published 9 Security Advisories (1 Critical, 1 High, 7 Medium Severity) --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&first… ∗∗∗ IBM Security Bulletins 2022-07-06 ∗∗∗ --------------------------------------------- IBM CICS TX Standard, IBM Tivoli Netcool Impact, IBM Security Verify Access Product, App Connect professional, IBM Engineering Lifecycle Management, IBM CICS TX Advanced, IBM CICS TX Standard, IBM Security Verify Access Appliance, IBM Tivoli Application Dependency Discovery Manager. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Patchday Android: Systemlücke lässt Schadcode passieren ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android-Smartphones und -Tablets. Einige Lücken sind als kritisch eingestuft. --------------------------------------------- https://heise.de/-7164810 ∗∗∗ Schwachstellen in OpenVPN Access Server geschlossen ∗∗∗ --------------------------------------------- Version 2.11.0 des OpenVPN Access Server schließt einige Sicherheitslücken. Angreifer hätten die Server etwa für DDoS-Verstärkungs-Angriffe missbrauchen können. --------------------------------------------- https://heise.de/-7165442 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (intel-microcode), Fedora (dotnet3.1 and gnupg2), Oracle (grub2, kernel, php:7.4, php:8.0, and qemu-kvm), SUSE (389-ds, apache2, crash, curl, expat, firefox, fwupd, fwupdate, ImageMagick, ldb, samba, liblouis, librttopo, openssl, openssl-1_0_0, openssl-1_1, openssl-3, oracleasm, php7, php8, python-Twisted, python310, rsyslog, s390-tools, salt, thunderbird, and xen), and Ubuntu (linux-lts-xenial, linux-kvm and openssl). --------------------------------------------- https://lwn.net/Articles/900286/ ∗∗∗ Apache Commons: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter Angreifer kann eine Schwachstelle in Apache Commons ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0590 ∗∗∗ ZDI-22-949: (0Day) xhyve e1000 Stack-based Buffer Overflow Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-949/ ∗∗∗ Dovecot: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0589 ∗∗∗ Nextcloud Mail: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0594 ∗∗∗ HCL BigFix: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0606 ∗∗∗ XSS-Schwachstelle in Jira-App (SYSS-2022-039) ∗∗∗ --------------------------------------------- https://www.syss.de/pentest-blog/xss-schwachstelle-in-jira-app-syss-2022-039 ∗∗∗ QNAP: Checkmate Ransomware via SMB Services Exposed to the Internet ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-21 ∗∗∗ Microsoft Edge 103.0.1264.49 (6. Juli 2022) ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/07/07/microsoft-edge-103-0-1264-49-6-jul… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 06.07.2022
by Daily end-of-shift report 06 Jul '22

06 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 05-07-2022 18:00 − Mittwoch 06-07-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Microsoft quietly fixes ShadowCoerce Windows NTLM Relay bug ∗∗∗ --------------------------------------------- Microsoft has confirmed it fixed a previously disclosed ShadowCoerce vulnerability as part of the June 2022 updates that enabled attackers to target Windows servers in NTLM relay attacks. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-quietly-fixes-sha… ∗∗∗ NPM supply-chain attack impacts hundreds of websites and apps ∗∗∗ --------------------------------------------- An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. --------------------------------------------- https://www.bleepingcomputer.com/news/security/npm-supply-chain-attack-impa… ∗∗∗ Kryptographie: NIST gibt Post-Quanten-Algorithmen bekannt ∗∗∗ --------------------------------------------- Nach einem Wettbewerb kürt die US-Behörde Verschlüsselungs- und Signaturalgorithmen, die vor Quantencomputern sicher sein sollen. --------------------------------------------- https://www.golem.de/news/kryptographie-nist-gibt-post-quanten-algorithmen-… ∗∗∗ Top 5 Most Common WordPress Malware Infections: An Anatomy Lesson ∗∗∗ --------------------------------------------- WordPress security is serious business – and an essential consideration for anyone using the world’s most popular CMS (Content Management System). While the WordPress team quickly addresses known security issues in WordPress’ core to protect the millions of website owners who rely and depend on the software, the reality is that the same cannot be said for all plugin and theme developers. --------------------------------------------- https://blog.sucuri.net/2022/07/top-5-most-common-wordpress-malware-infecti… ∗∗∗ Fake-Shop-Alarm: Vorsicht beim Online-Kauf von Brennholz! ∗∗∗ --------------------------------------------- Die aktuelle Energiekrise lässt die Preise für Brennholz steigen. Der befürchtete Gasmangel führt dazu, dass Holz gehamstert und dementsprechend knapper wird. Eine perfekte Ausgangslage für Kriminelle: Sie nutzen die Situation aus und erstellen Fake-Shops, auf denen sie günstiges Brennholz anbieten. --------------------------------------------- https://www.watchlist-internet.at/news/fake-shop-alarm-vorsicht-beim-online… ∗∗∗ Electric Vehicle Charging: a Survey on the Security Issues and Challenges of the Open Charge Point Protocol (OCPP) ∗∗∗ --------------------------------------------- The increased use of smart Electric Vehicles (EVs) and Plug-in ElectricVehicles (PEV) opened a new area of research and development. The number of EVcharging sites has considerably increased in residential as well as in publicareas. Within these EV charging sites, various entities need to communicate in a secure and efficient way. --------------------------------------------- http://arxiv.org/abs/2207.01950 ∗∗∗ OrBit: New Undetected Linux Threat Uses Unique Hijack of Execution Flow ∗∗∗ --------------------------------------------- Linux is a popular operating system for servers and cloud infrastructures, and as such it’s not a surprise that it attracts threat actors’ interest and we see a continued growth and innovation of malware that targets Linux, such as the recent Symbiote malware that was discovered by our research team. --------------------------------------------- https://www.intezer.com/blog/incident-response/orbit-new-undetected-linux-t… ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (ldap-account-manager), Fedora (openssl1.1, thunderbird, and yubihsm-connector), Mageia (curl, cyrus-imapd, firefox, ruby-git, ruby-rack, squid, and thunderbird), Oracle (firefox, kernel, and thunderbird), Slackware (openssl), SUSE (dpdk, haproxy, and php7), and Ubuntu (gnupg2 and openssl). --------------------------------------------- https://lwn.net/Articles/900172/ ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22436) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite are vulnerable to cross-site scripting (CVE-2022-22435) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache Tomcat version used in it. (CVE-2021-42340) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ Security Bulletin: IBM Tivoli Netcool Impact is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tivoli-netcool-impact… ∗∗∗ Security Bulletin: IBM Event Streams is vulnerable to arbitrary code execution due to the Fabric8 Kubernetes client (CVE-2021-4178) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-event-streams-is-vuln… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2022-32210 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: IBM QRadar Network Packet Capture includes multiple vulnerable components. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-network-packet… ∗∗∗ K58003591: Apache HTTP server vulnerability CVE-2022-28614 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K58003591 ∗∗∗ vim: Schwachstelle ermöglicht Manipulation von Speicher ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0583 ∗∗∗ tribe29 checkmk: Mehrere Schwachstellen ermöglichen nicht spezifizierten Angriff ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0581 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 05.07.2022
by Daily end-of-shift report 05 Jul '22

05 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Montag 04-07-2022 18:00 − Dienstag 05-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Jetzt aktualisieren! Zero-Day-Lücke in Google Chrome geschlossen ∗∗∗ --------------------------------------------- Im Webbrowser Google Chrome hat der Hersteller mehrere Sicherheitslücken geschlossen. Angreifer missbrauchen eine davon bereits in freier Wildbahn. --------------------------------------------- https://heise.de/-7162462 ∗∗∗ Erpressungstrojaner AstraLocker ist Geschichte, Entschlüsselungstools verfügbar ∗∗∗ --------------------------------------------- Die Drahtzieher der Ransomware AstraLocker wollen die Cybercrime-Branche wechseln und veröffentlichen Tools, über die Opfer auf ihre Daten zugreifen können. --------------------------------------------- https://heise.de/-7163123 ∗∗∗ Memory Sanitizer: Neues Kernel-Werkzeug findet 300 Speicherfehler ∗∗∗ --------------------------------------------- Trotz Compilerwarnungen und -Werkzeuge gibt es weiter neue Speicherfehler im Linux-Kernel. Ein Memory Sanitizer soll das zum Teil verhindern. --------------------------------------------- https://www.golem.de/news/memory-sanitizer-neues-kernel-werkzeug-findet-300… ∗∗∗ Abo-Falle auf lebenslaufschreiben.com ∗∗∗ --------------------------------------------- Sie erstellen gerade einen Lebenslauf und suchen im Internet nach Vorlagen? Möglicherweise landen Sie bei lebenslaufschreiben.com – einem Lebenslaufgenerator. Online können alle Informationen eingetippt und ein sehr professioneller Lebenslauf gebastelt werden. Doch Vorsicht: Sie werden in eine Abo-Falle gelockt. --------------------------------------------- https://www.watchlist-internet.at/news/abo-falle-auf-lebenslaufschreibencom/ ∗∗∗ EternalBlue 5 years after WannaCry and NotPetya, (Tue, Jul 5th) ∗∗∗ --------------------------------------------- We are about two months past the 5-year anniversary of WannaCry outbreak[1] and about a week past the 5-year anniversary of NotPetya outbreak[2]. Since both WannaCry and NotPetya used the EternalBlue[3] exploit in order to spread, I thought that it might be interesting to take a look at how many internet-facing systems still remain vulnerable to it. --------------------------------------------- https://isc.sans.edu/diary/rss/28816 ∗∗∗ When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors ∗∗∗ --------------------------------------------- Penetration testing and adversary emulation tool Brute Ratel C4 is effective at defeating modern detection capabilities – and malicious actors have begun to adopt it. --------------------------------------------- https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdate für Django Web Framework ∗∗∗ --------------------------------------------- Eine Sicherheitslücke im Django Web-Framework ermöglichte Angreifern das Einschleusen von SQL-Befehlen. Aktualisierte Software bessert die Schwachstelle aus. --------------------------------------------- https://heise.de/-7163246 ∗∗∗ IBM Security Bulletins 2022-07-04 ∗∗∗ --------------------------------------------- IBM Tivoli Network Manager, IBM App Connect Enterprise, IBM Integration Bus, IBM Engineering Test Management, IBM WebSphere Cast Iron Solution, IBM App Connect Professional, IBM Cloud Pak, IBM Tivoli Netcool, IBM Netezza, IBM Operations Analytics, App Connect professional. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Fortinet Security Advisories 2022-07-05 ∗∗∗ --------------------------------------------- On Jul 05, 2022, Fortinet has released 11 advisories for issues resolved in Fortinet products. (Severity: Low (1), Medium (6), High (4)) --------------------------------------------- https://fortiguard.fortinet.com/psirt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender and thunderbird), SUSE (ImageMagick, qemu, and sysstat), and Ubuntu (php7.0). --------------------------------------------- https://lwn.net/Articles/900064/ ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0006 ∗∗∗ --------------------------------------------- Several vulnerabilities were discovered in WebKitGTK and WPE WebKit. CVE-2022-22662 Versions affected: WebKitGTK and WPE WebKit before 2.36.0. --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0006.html ∗∗∗ OpenSSL: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein Angreifer kann eine Schwachstelle in OpenSSL ausnutzen, um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0561 ∗∗∗ JFrog Artifactory: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in JFrog Artifactory ausnutzen, um Cross-Site Scripting- und Cross-Site Request Forgery Angriffe durchzuführen und um Informationen offenzulegen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0562 ∗∗∗ July 5th 2022 Security Releases ∗∗∗ --------------------------------------------- The Node.js project will release new versions of the 14.x, 16.x, and 18.x releases lines on or shortly after Tuesday, July 5th, 2022 in order to address: Three medium severity issues. Two high severity issues. --------------------------------------------- https://nodejs.org/en/blog/vulnerability/july-2022-security-releases ∗∗∗ LiteCart vulnerable to cross-site scripting ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN32625020/ ∗∗∗ Xen Security Advisory CVE-2022-33743 / XSA-405 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-405.html ∗∗∗ Xen Security Advisory CVE-2022-33744 / XSA-406 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-406.html ∗∗∗ Xen Security Advisory CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742 / XSA-403 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-403.html ∗∗∗ Nextcloud: Schwachstelle ermöglicht Injektion von Kommandos ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0558 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.07.2022
by Daily end-of-shift report 04 Jul '22

04 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 01-07-2022 18:00 − Montag 04-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Stephan Richter ===================== = News = ===================== ∗∗∗ Raspberry Robin: Microsoft warnt vor mysteriösem Wurm ∗∗∗ --------------------------------------------- Die Schadsoftware verbreitet sich über USB-Sticks. Unklar bleibt, wer die Urheber*innen sind und welches Ziel damit verfolgt wird. --------------------------------------------- https://futurezone.at/digital-life/raspberry-robin-wurm-windows-microsoft-w… ∗∗∗ Warnung vor Hackerangriffen auf Politiker ∗∗∗ --------------------------------------------- Das BSI und der Verfassungsschutz warnen vor Hackern, die durch einen einfachen Trick den Zugang zu Chats von hochrangigen Politikern erlangen könnten. --------------------------------------------- https://www.tagesschau.de/investigativ/ndr-wdr/hacker-angriffe-verfassungss… ∗∗∗ Gefälschtes ÖBB-Gewinnspiel auf WhatsApp ∗∗∗ --------------------------------------------- Viele WhatsApp-Nutzer:innen verbreiten unter ihren Kontakten unwissentlich ein Fake-ÖBB-Gewinnspiel. Die Nachricht lautet „ÖBB 100 Jahre Staatliche Verkehrsförderung! Jeder Bürger kann sich über…“. Darunter ist ein Link. Der Link führt zu einem gefälschten Gewinnspiel. Klicken Sie nicht auf den Link, Sie werden abgezockt. Ignorieren Sie die Nachricht und melden Sie sie an WhatsApp. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschtes-oebb-gewinnspiel-auf-wh… ∗∗∗ CISA fordert US-Einrichtungen zum Patchen von CVE-2022-26925 in AD-Umgebungen auf ∗∗∗ --------------------------------------------- Zum 1. Juli 2022 hat die US Cybersecurity & Infrastructur Security Agency (CISA) erneut den Patch für die Schwachstelle CVE-2022-26925 (Active Directory) in die Liste der zu schließenden Schwachstellen aufgenommen (soll bis 22. 7. 2022 geschlossen werden). --------------------------------------------- https://www.borncity.com/blog/2022/07/04/cisa-fordert-us-einrichtungen-zum-… ∗∗∗ Cloud OSINT. Finding Interesting Resources ∗∗∗ --------------------------------------------- Locating sensitive information, personally identifiable information (PII) and questionable assets in the cloud. TL; DR I had a curiosity driven excursion into the public clouds of AWS and Azure to [...] --------------------------------------------- https://www.pentestpartners.com/security-blog/cloud-osint-finding-interesti… ===================== = Vulnerabilities = ===================== ∗∗∗ Django fixes SQL Injection vulnerability in new releases ∗∗∗ --------------------------------------------- Django, an open source Python-based web framework has patched a high severity vulnerability in its latest releases. Tracked as CVE-2022-34265, the potential SQL Injection vulnerability impacts Djangos main branch, and versions 4.1 (currently in beta), 4.0, and 3.2, with patches and new releases issued fixing the vulnerability. --------------------------------------------- https://www.bleepingcomputer.com/news/security/django-fixes-sql-injection-v… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gnupg2 and kernel), Fedora (golang-github-apache-beam-2, golang-github-etcd-io-gofail, golang-github-intel-goresctrl, golang-github-spf13-cobra, golang-k8s-pod-security-admission, and vim), Oracle (.NET 6.0, compat-openssl10, compat-openssl11, cups, curl, expat, firefox, go-toolset:ol8, grub2,, gzip, java-1.8.0-openjdk, java-11-openjdk, java-17-openjdk, kernel, libarchive, libgcrypt, libinput, libxml2, pcre2, postgresql, python, rsync, rsyslog, [...] --------------------------------------------- https://lwn.net/Articles/899963/ ∗∗∗ libTIFF: Mehrere Schwachstellen ermöglichen Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0544 ∗∗∗ xpdf: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0543 ∗∗∗ HPE FlexNetwork und FlexFabric Switches: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0542 ∗∗∗ Kyocera Drucker: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0551 ∗∗∗ Trend Micro Maximum Security: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0550 ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for June 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Cast Iron Solution & App Connect Professional. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Remote code execution vulnerability affect IBM Business Automation Workflow – CVE-2021-43138 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-remote-code-execution-vul… ∗∗∗ Security Bulletin: junrar Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-junrar-denial-of-service-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Functional Tester ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: junrar v7.4.0 and prior Denial of Service (DoS) security vulnerability in IBM FileNet Content Manager Content Search Services (CSS) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-junrar-v7-4-0-and-prior-d… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.07.2022
by Daily end-of-shift report 01 Jul '22

01 Jul '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 30-06-2022 18:00 − Freitag 01-07-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft-Analyse: Linux-Malware-Kampagne erhält bemerkenswertes Update ∗∗∗ --------------------------------------------- Ein Sicherheitsteam von Microsoft hat beobachtet, dass die Malware-Gruppe "8220 Gang" ihre Kampagne signifikant aktualisiert hat. Im Visier: Linux-Systeme. --------------------------------------------- https://heise.de/-7159495 ∗∗∗ FBI and CISA warn: This ransomware is using RDP flaws to break into networks ∗∗∗ --------------------------------------------- US exposes MedusaLocker, one of the ransomware gangs that ramped up activity as the pandemic gripped the world. --------------------------------------------- https://www.zdnet.com/article/fbi-and-cisa-warn-this-ransomware-is-using-rd… ∗∗∗ RanSim: a ransomware simulation script written in PowerShell ∗∗∗ --------------------------------------------- You can use RanSim to test your defenses and backups against real ransomware-like activity in a controlled setting. The same script can be used to decrypt the files if needed. --------------------------------------------- https://github.com/lawndoc/RanSim ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Viele Jenkins-Plug-ins als Schlupflöcher für Angreifer ∗∗∗ --------------------------------------------- Software-Entwickler aufgepasst: Lücken in Plug-ins für den Automation-Server Jenkins geschlossen. Etliche Patches lassen aber noch auf sich warten. --------------------------------------------- https://heise.de/-7160083 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, isync, kernel, and systemd), Fedora (chromium, curl, firefox, golang-github-vultr-govultr-2, and xen), Mageia (openssl, python-bottle, and python-pyjwt), Red Hat (compat-openssl10, curl, expat, firefox, go-toolset-1.17 and go-toolset-1.17-golang, go-toolset:rhel8, kernel, kpatch-patch, libarchive, libgcrypt, libinput, libxml2, pcre2, php:7.4, php:8.0, qemu-kvm, ruby:2.6, thunderbird, and vim), and Ubuntu (curl, libjpeg6b, and vim). --------------------------------------------- https://lwn.net/Articles/899701/ ∗∗∗ GitLab: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um Informationen offenzulegen, Sicherheitseinstellungen zu umgehen, einen Denial of Service zu verursachen, Daten zu manipulieren und Code zur Ausführung zu bringen. --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0531 ∗∗∗ Microsoft Edge 103.0.1264.44 fixt CVE-2022-33680 (30. Juni 2022) ∗∗∗ --------------------------------------------- Microsoft hat zum 30. Juni 2022 den Edge-Browser im Stable Channel auf die Version 103.0.1264.44 aktualisiert. Es ist ein Wartungsupdate, welches die als kritisch eingestufte Elevation of Privilege-Schwachstelle CVE-2022-33680 (Ausbruch aus der Sandbox) beseitigt. --------------------------------------------- https://www.borncity.com/blog/2022/07/01/microsoft-edge-103-0-1264-44-fixt-… ∗∗∗ ZDI-22-948: Parallels Access Agent Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-948/ ∗∗∗ Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php ∗∗∗ Security Bulletin: IBM UrbanCode Deploy (UCD) could disclose sensitive database information to a local user in plain text. (CVE-2022-22367) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: IBM Urbancode Deploy (UCD) vulnerable to information disclosure which can be read by a local user. (CVE-2022-22366) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-deploy-ucd-… ∗∗∗ Security Bulletin: Vulnerabilities in Samba, OpenSSL, Python, and XStream affect IBM Spectrum Protect Plus (CVE-2021-20254, CVE-2021-3712, CVE-2021-43859, CVE-2022-0778, CVE-2020-25717, CVE-2021-23192, CVE-2021-3733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-samba-… ∗∗∗ Security Bulletin: IBM InfoSphere Information Server Pack for SAP Apps and BW Packs is affected by an improper validation vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-infosphere-informatio… ∗∗∗ Security Bulletin: UrbanCode Deploy is vulnerable to denial of service due to Jackson-databind (CVE-2020-36518) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-urbancode-deploy-is-vulne… ∗∗∗ Security Bulletin: Vulnerability in PostgreSQL may affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-postgres… ∗∗∗ Kibana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0527 ∗∗∗ npm: Schwachstelle ermöglicht Cross-Site Scripting ∗∗∗ --------------------------------------------- https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2022-0524 ∗∗∗ Exemys RME1 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-01 ∗∗∗ Yokogawa Wide Area Communication Router ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-02 ∗∗∗ Emerson DeltaV Distributed Control System ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-03 ∗∗∗ Distributed Data Systems WebHMI ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-181-04 ∗∗∗ 2022-09 FragAttacks ProSoft RadioLinx RLX2 ∗∗∗ --------------------------------------------- https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=14521&mediaformat… ∗∗∗ Unauthorized RCE CVE-2022-28219 in Zoho ManageEngine ADAudit Plus ∗∗∗ --------------------------------------------- https://www.borncity.com/blog/2022/07/01/unauthorized-rce-cve-2022-28219-in… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 30.06.2022
by Daily end-of-shift report 30 Jun '22

30 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 29-06-2022 18:00 − Donnerstag 30-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Atlassian warnt vor Sicherheitslücke in Projektverwaltung Jira ∗∗∗ --------------------------------------------- Vor einer Sicherheitslücke mit hohem Risiko in Jira warnt Hersteller Atlassian. Updates stehen bereit. Auch ein Workaround bietet das Unternehmen an. --------------------------------------------- https://heise.de/-7157892 ∗∗∗ Recovery-Scams: Kriminelle geben sich als FMA und Börsenaufsicht aus! ∗∗∗ --------------------------------------------- Sind Sie Opfer einer unseriösen Trading-Plattform geworden? Anbieter wie börsenaufsicht.net, finanzmarktaufsicht.net und payback-ltd.com versprechen Ihr verlorenes Geld zurückzuholen. Vorsicht! Es handelt sich um betrügerische Dienste, die Sie noch weiter abzocken wollen. --------------------------------------------- https://www.watchlist-internet.at/news/recovery-scams-kriminelle-geben-sich… ∗∗∗ Microsoft Exchange Server: Remote Code Execution-Schwachstelle CVE-2022-23277 trotz Patch ausnutzbar? ∗∗∗ --------------------------------------------- Sind auf dem aktuellen Patch-Stand befindliche Microsoft Exchange Server über die Remote Code Execution-Schwachstelle CVE-2022-23277 immer noch angreifbar? Mir sind gerade einige Informationsfragmente unter die Augen gekommen, die dies zumindest nahelegen, dass der betreffende Patch die Möglichkeiten zur Ausnutzung nicht [...] --------------------------------------------- https://www.borncity.com/blog/2022/06/30/microsoft-exchange-server-remote-c… ∗∗∗ CISA warns of hackers exploiting PwnKit Linux vulnerability ∗∗∗ --------------------------------------------- The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. --------------------------------------------- https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploi… ∗∗∗ AstraLocker 2.0 infects users directly from Word attachments ∗∗∗ --------------------------------------------- A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/astralocker-20-infects-users… ∗∗∗ XFiles info-stealing malware adds support for Follina delivery ∗∗∗ --------------------------------------------- The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/xfiles-info-stealing-malware… ∗∗∗ The SessionManager IIS backdoor ∗∗∗ --------------------------------------------- In early 2022, we investigated an IIS backdoor called SessionManager. It has been used against NGOs, government, military and industrial organizations in Africa, South America, Asia, Europe, Russia and the Middle East. --------------------------------------------- https://securelist.com/the-sessionmanager-iis-backdoor/106868/ ∗∗∗ Toll fraud malware: How an Android application can drain your wallet ∗∗∗ --------------------------------------------- Toll fraud malware, a subcategory of billing fraud in which malicious applications subscribe users to premium services without their knowledge or consent, is one of the most prevalent types of Android malware - and it continues to evolve. --------------------------------------------- https://www.microsoft.com/security/blog/2022/06/30/toll-fraud-malware-how-a… ∗∗∗ Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended, (Thu, Jun 30th) ∗∗∗ --------------------------------------------- How do threat actors behind a Cobalt Strike server keep it running after its domain is taken down? If the server is not hosted through the domain registrar, it merely keeps running on the same IP address. Today's diary is a case study where Cobalt Strike remained active on the same IP address at least one week after its domain was suspended. --------------------------------------------- https://isc.sans.edu/diary/rss/28804 ∗∗∗ Flubot: the evolution of a notorious Android Banking Malware ∗∗∗ --------------------------------------------- Flubot is an Android based malware that has been distributed in the past 1.5 years in Europe, Asia and Oceania affecting thousands of devices of mostly unsuspecting victims. Like the majority of Android banking malware, Flubot abuses Accessibility Permissions and Services in order to steal the [...] --------------------------------------------- https://blog.fox-it.com/2022/06/29/flubot-the-evolution-of-a-notorious-andr… ∗∗∗ Amazon Photos vulnerability could have given attackers access to user files and data ∗∗∗ --------------------------------------------- The retail giant patched a serious flaw in its Amazon Photos app that left user access token exposed to potential attackers. --------------------------------------------- https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/06/amazon-p… ∗∗∗ Cloudy with a Chance of Risk: Managing Risks in Cloud-Managed OT Networks ∗∗∗ --------------------------------------------- In this blog, we'll examine the potential threats and risks of OT cloud migration, offering guidance on how to manage and mitigate them effectively. --------------------------------------------- https://claroty.com/2022/06/30/blog-research-cloudy-with-a-chance-of-risk/ ∗∗∗ Reducing data exfiltration by malicious insiders ∗∗∗ --------------------------------------------- Advice and recommendations for mitigating this type of insider behaviour. --------------------------------------------- https://www.ncsc.gov.uk/guidance/reducing-data-exfiltration-by-malicious-in… ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-29 ∗∗∗ --------------------------------------------- IBM Spectrum Protect, IBM Watson Discovery, IBM Sterling B2B Integrator, IBM Sterling Connect, IBM Cloud Pak, IBM Tivoli Netcool Impact, IBM Db2 --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr, firejail, and ublock-origin), Fedora (chromium, firefox, thunderbird, and vim), Mageia (kernel and kernel-linus), Oracle (389-ds-base and python-virtualenv), SUSE (chromium), and Ubuntu (cloud-init). --------------------------------------------- https://lwn.net/Articles/899483/ ∗∗∗ Mitsubishi Electric FA Engineering Software (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-21-350-05 Mitsubishi Electric FA Engineering Software that was published December 16, 2021, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for Out-of-bounds Read, and Integer Underflow vulnerabilities in Mitsubishi Electrics FA Engineering Software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-350-05 ∗∗∗ CODESYS Gateway Server (Update A) ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-15-258-02 3S CODESYS Gateway Server Buffer overflow Vulnerability that was published September 15, 2015, on the ICS webpage at cisa.gov/ics. This advisory provides mitigation details for a heap-based buffer overflow vulnerability in CODESYS Gateway Server products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/ICSA-15-258-02 ∗∗∗ Revision von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) vom 28. Juni 2022 ∗∗∗ --------------------------------------------- Microsoft hat seine Beschreibung von CVE-2021-26414 (Windows DCOM Server Security Feature Bypass) zum 28. Juni 2022 revidiert. Es wurden die Sicherheitsupdates für Windows 10 Version 21H2, Windows 11 und Windows Server 2022 hinzugefügt, da diese Windows-Versionen ebenfalls von dieser Sicherheitslücke [...] --------------------------------------------- https://www.borncity.com/blog/2022/06/29/revision-von-cve-2022-26414-window… ∗∗∗ Config Terms - Critical - Access bypass - SA-CONTRIB-2022-047 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-047 ∗∗∗ Lottiefiles Field - Moderately critical - Cross Site Scripting - SA-CONTRIB-2022-046 ∗∗∗ --------------------------------------------- https://www.drupal.org/sa-contrib-2022-046 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 29.06.2022
by Daily end-of-shift report 29 Jun '22

29 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 28-06-2022 18:00 − Mittwoch 29-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ MITM at the Edge: Abusing Cloudflare Workers ∗∗∗ --------------------------------------------- Cloudflare Workers provide a powerful serverless solution to run code that sits between every HTTP request and response. In this post, we’ll see how an attacker compromising a Cloudflare account can abuse Workers to establish persistence and exfiltrate sensitive data. --------------------------------------------- https://blog.christophetd.fr/abusing-cloudflare-workers/ ∗∗∗ Achtung vor Fake-Shops mit Gartenmöbeln! ∗∗∗ --------------------------------------------- Kriminelle passen ihre Fake-Shops aktuell wieder an die Sommersaison an, indem sie vermehrt Gartenmöbel, Rasenmäher oder sonstige Gartengeräte anbieten. Beispiele sind waganu.de, bbvipanswer.shop, strandkorbia.com oder zzyha.shop. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-vor-fake-shops-mit-gartenmoe… ∗∗∗ CISA Releases Guidance on Switching to Modern Auth in Exchange Online before October 1 ∗∗∗ --------------------------------------------- CISA has released guidance on switching from Basic Authentication (“Basic Auth”) in Microsoft Exchange Online to Modern Authentication ("Modern Auth") before Microsoft begins permanently disabling Basic Auth on October 1, 2022. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/28/cisa-releases-gui… ∗∗∗ YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom” ∗∗∗ --------------------------------------------- YTStealer is a malware whose objective is to steal YouTube authentication cookies. --------------------------------------------- https://www.intezer.com/blog/research/ytstealer-malware-youtube-cookies/ ∗∗∗ Decryptor für Hive Ransomware v1 bis v4 verfügbar ∗∗∗ --------------------------------------------- Opfer der Hive Ransomware können ggf. hoffen, ihre verschlüsselten Dateien wieder entschlüsseln zu können. Denn koreanischen Sicherheitsforschern ist es gelungen, einen Decryptor für die Versionen 1 bis 4 dieser Hive Ransomware zu entwickeln. --------------------------------------------- https://www.borncity.com/blog/2022/06/29/decryptor-fr-hive-ransomware-v1-bi… ∗∗∗ Did You Know Your Browser’s Autofill Credentials Could Be Stolen via Cross-Site Scripting (XSS) ∗∗∗ --------------------------------------------- Cross-Site Scripting (XSS) is a well-known vulnerability that has been around for a long time and can be used to steal sessions, create fake logins and carry out actions as someone else, etc. In addition, many users are unaware of the potential dangers associated with their browser’s credential autofill feature. --------------------------------------------- https://www.gosecure.net/blog/2022/06/29/did-you-know-your-browsers-autofil… ===================== = Vulnerabilities = ===================== ∗∗∗ CVE-2022-30522 – Denial of Service (DoS) Vulnerability in Apache httpd “mod_sed” filter ∗∗∗ --------------------------------------------- This past March we posted an analysis of a vulnerability in the Apache HTTP Server mod_sed filter module, CVE-2022-23943, in which a Denial of Service (DoS) can be triggered due to a miscalculation of buffers’ sizes. While analyzing this Apache httpd vulnerability and its patch, we suspected that although the fix resolved the issue, it created a new unwanted behavior. --------------------------------------------- https://jfrog.com/blog/cve-2022-30522-denial-of-service-dos-vulnerability-i… ∗∗∗ Groupware: Präparierte E-Mails könnten zur Codeausführung in Zimbra führen ∗∗∗ --------------------------------------------- Angreifer könnten in Zimbra Backdoors per E-Mail hochladen. Schuld daran ist eine Lücke im Entpacker unrar, die die Erstellung beliebiger Dateien erlaubt. --------------------------------------------- https://heise.de/-7156812 ∗∗∗ Datenverwaltung: Kritische Lücke in Dell EMC PowerScale OneFS abgedichtet ∗∗∗ --------------------------------------------- Dell EMC PowerScale OneFS zur skalierbaren Datenspeicherung und -verwaltung enthält teils kritische Sicherheitslücken. Updates sollen sie schließen. --------------------------------------------- https://heise.de/-7156674 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (blender, libsndfile, and maven-shared-utils), Fedora (openssl), Red Hat (389-ds-base, kernel, kernel-rt, kpatch-patch, and python-virtualenv), Scientific Linux (389-ds-base, kernel, python, and python-virtualenv), and Slackware (curl, mozilla, and openssl). --------------------------------------------- https://lwn.net/Articles/899364/ ∗∗∗ FabricScape: Escaping Service Fabric and Taking Over the Cluster ∗∗∗ --------------------------------------------- Unit 42 researchers identified FabricScape (CVE-2022-30137), a vulnerability of important severity in Microsoft’s Service Fabric – commonly used with Azure – that allows Linux containers to escalate their privileges in order to gain root privileges on the node, and then compromise all of the nodes in the cluster. The vulnerability could be exploited on containers that are configured to have runtime access, which is granted by default to every container. --------------------------------------------- https://unit42.paloaltonetworks.com/fabricscape-cve-2022-30137/ ∗∗∗ Security Bulletin: IBM Netezza as a Service is vulnerable to denial of service due to Golang net package (CVE-2021-33194, CVE-2021-44716, CVE-2021-31525) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-as-a-service-… ∗∗∗ Security Bulletin: OpenSSL for IBM i is vulnerable to command injection due to a flaw in c_rehash script (CVE-2022-1292) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-for-ibm-i-is-vuln… ∗∗∗ Security Bulletin: Zlib for IBM i is vulnerable to a denial of service attack due to memory corruption (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-zlib-for-ibm-i-is-vulnera… ∗∗∗ Security Vulnerabilities fixed in Thunderbird 91.11 and Thunderbird 102 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-26/ ∗∗∗ Security Vulnerabilities fixed in Firefox for iOS 102 ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-27/ ∗∗∗ Advantech iView ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-03 ∗∗∗ Motorola Solutions MOSCAD IP and ACE IP Gateways ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-04 ∗∗∗ Motorola Solutions MDLC ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-05 ∗∗∗ Motorola Solutions ACE1000 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-06 ∗∗∗ Omron SYSMAC CS/CJ/CP Series and NJ/NX Series ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-179-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.06.2022
by Daily end-of-shift report 28 Jun '22

28 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 27-06-2022 18:00 − Dienstag 28-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Over 900,000 Kubernetes instances found exposed online ∗∗∗ --------------------------------------------- Over 900,000 misconfigured Kubernetes clusters were found exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. --------------------------------------------- https://www.bleepingcomputer.com/news/security/over-900-000-kubernetes-inst… ∗∗∗ Raccoon Stealer is back with a new version to steal your passwords ∗∗∗ --------------------------------------------- The Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity. --------------------------------------------- https://www.bleepingcomputer.com/news/security/raccoon-stealer-is-back-with… ∗∗∗ ZuoRAT Malware Hijacking Home-Office Routers to Spy on Targeted Networks ∗∗∗ --------------------------------------------- A never-before-seen remote access trojan dubbed ZuoRAT has been singling out small office/home office (SOHO) routers as part of a sophisticated campaign targeting North American and European networks. --------------------------------------------- https://thehackernews.com/2022/06/zuorat-malware-hijacking-home-office.html ∗∗∗ Microsoft: Support-Ende von Exchange 2013 naht - jetzt Migration planen ∗∗∗ --------------------------------------------- Der Exchange-Server 2013 erreicht in neun Monaten sein absolutes Support-Ende. Daran erinnert Microsofts Exchange-Team und empfiehlt die zügige Migration. --------------------------------------------- https://heise.de/-7155579 ∗∗∗ Lockbit-Ransomware-Gruppe stellt sich professioneller auf ∗∗∗ --------------------------------------------- Die Erpresserbande hinter der Ransomware Lockbit hebt den Professionalisierungsgrad auf eine neue Stufe. Sogar ein Bug-Bounty-Programm hat sie aufgelegt. --------------------------------------------- https://heise.de/-7155742 ∗∗∗ Krypto-Lovescam: Wenn Tinder-Matches Investment-Tipps geben ∗∗∗ --------------------------------------------- Betrügerische Internetbekanntschaften zielen nicht darauf ab, Sie näher kennenzulernen. Sie bauen Vertrauen auf, um Sie später auf gefälschte Investitionsplattformen zu locken. --------------------------------------------- https://www.watchlist-internet.at/news/krypto-lovescam-wenn-tinder-matches-… ∗∗∗ Understanding the Function Call Stack ∗∗∗ --------------------------------------------- That thread was inspired by a series of tweets by inversecos who shared how malware authors will often use Native APIs instead of Win32 APIs as a mechanism to evade naive detections that assume every application will use the Win32 API function. --------------------------------------------- https://posts.specterops.io/understanding-the-function-call-stack-f08b5341e… ∗∗∗ De-anonymizing ransomware domains on the dark web ∗∗∗ --------------------------------------------- We have developed three techniques to identify ransomware operators dark websites hosted on public IP addresses, allowing us to uncover previously unknown infrastructure for the DarkAngels, Snatch, Quantum and Nokoyawa ransomware groups. --------------------------------------------- http://blog.talosintelligence.com/2022/06/de-anonymizing-ransomware-domains… ===================== = Vulnerabilities = ===================== ∗∗∗ Firefox 102: Mehrere Sicherheitslücken geschlossen ∗∗∗ --------------------------------------------- Mozilla hat Version 102 von Firefox veröffentlicht. Diese Major-Version des Browsers ist die neue Basis für Firefox ESR und behebt einige Sicherheitsprobleme. --------------------------------------------- https://heise.de/-7156179 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nodejs and squid), Fedora (uboot-tools), Red Hat (kernel-rt, kpatch-patch, and python), SUSE (drbd, openssl-1_0_0, oracleasm, and rubygem-rack), and Ubuntu (curl). --------------------------------------------- https://lwn.net/Articles/899239/ ∗∗∗ 2022 CWE Top 25 Most Dangerous Software Weaknesses ∗∗∗ --------------------------------------------- The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/28/2022-cwe-top-25-m… ∗∗∗ Security Advisory - Password Verification Vulnerability of Huawei Router ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220628-… ∗∗∗ Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-transformation-… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: A Remote Attack Vulnerability in Apache Log4j affects IBM Common Licensing's License Key Server (LKS) Administration And Reporting Tool (ART) and its Agent(CVE-2021-4104,CVE-2021-44832,CVE-2021-3100,CVE-2022-33915). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-remote-attack-vulnerabi… ∗∗∗ Security Bulletin: Vulnerabilities in the Java JDK affect IBM Event Streams (CVE-2022-21365, CVE-2022-21360, CVE-2022-21349, CVE-2022-21341, CVE-2022-21340, CVE-2022-21305, CVE-2022-21294, CVE-2022-21293, CVE-2022-21291, CVE-2022-21248) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-ja… ∗∗∗ Security Bulletin: Vulnerabilities in lodash library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2019-1010266, CVE-2020-28500, CVE-2018-16487, CVE-2018-3721, CVE-2020-8203, CVE-2021-23337, CVE-2019-10744) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-lodash… ∗∗∗ Security Bulletin: IBM Robotic Process Automation may be affected by multiple vulnerabilities in open source components (CVE-2019-0820, CVE-2020-15522, CVE-2021-43569) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition, Security Update October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: Vulnerability in Apache Struts library affect Tivoli Netcool/OMNIbus WebGUI (CVE-2021-31805) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-s… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a Cross-Site Scripting vulnerability (CVE-2021-39074) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – October 2021 & January 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ K01311313: Linux kernel vulnerability CVE-2021-3612 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01311313 ∗∗∗ Long Term Support Channel Update for ChromeOS ∗∗∗ --------------------------------------------- http://chromereleases.googleblog.com/2022/06/long-term-support-channel-upda… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 27.06.2022
by Daily end-of-shift report 27 Jun '22

27 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 24-06-2022 18:00 − Montag 27-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fake copyright infringement emails install LockBit ransomware ∗∗∗ --------------------------------------------- LockBit ransomware affiliates are using an interesting trick to get people into infecting their devices by disguising their malware as copyright claims. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-copyright-infringement-… ∗∗∗ Clever phishing method bypasses MFA using Microsoft WebView2 apps ∗∗∗ --------------------------------------------- A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victims authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts. --------------------------------------------- https://www.bleepingcomputer.com/news/security/clever-phishing-method-bypas… ∗∗∗ NetSec Goggle shows search results only from cybersecurity sites ∗∗∗ --------------------------------------------- A new Brave Search Goggle modifies Brave Search results to only show reputable cybersecurity sites, making it easier to search for and find security information. --------------------------------------------- https://www.bleepingcomputer.com/news/security/netsec-goggle-shows-search-r… ∗∗∗ LockBit 3.0 introduces the first ransomware bug bounty program ∗∗∗ --------------------------------------------- The LockBit ransomware operation has released LockBit 3.0, introducing the first ransomware bug bounty program and leaking new extortion tactics and Zcash cryptocurrency payment options. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-30-introduces-the-fi… ∗∗∗ Malicious Code Passed to PowerShell via the Clipboard, (Sat, Jun 25th) ∗∗∗ --------------------------------------------- Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting. --------------------------------------------- https://isc.sans.edu/diary/rss/28784 ∗∗∗ Encrypted Client Hello: Anybody Using it Yet?, (Mon, Jun 27th) ∗∗∗ --------------------------------------------- The first payload sent by a TLS client to a TLS server is a "Client Hello." It includes several parameters supported by the client, such as available cipher suites, to start negotiating a compatible set of TLS parameters with the server. --------------------------------------------- https://isc.sans.edu/diary/rss/28792 ∗∗∗ Ransomware-Gang Conti schließt Leak- und Verhandlungsplattform ∗∗∗ --------------------------------------------- Die Conti-Gruppe hinter dem gleichnamigen Erpressungstrojaner finalisiert ihren Rückzug und teilt sich weiter in kleinere Gangs auf. --------------------------------------------- https://heise.de/-7154035 ∗∗∗ Flut von Angriffen auf Paketmanager PyPI schleust Backdoor in Python-Pakete ein ∗∗∗ --------------------------------------------- Nachdem zunächst Sonatype einen Angriff auf fünf Pakete im Python-Paketmanager entdeckt hat, füllt sich die CVE-Schwachstellendatenbank mit weiteren Vorfällen. --------------------------------------------- https://heise.de/-7154405 ∗∗∗ Ransomware: Unternehmen im Gesundheitswesen zahlen am häufigsten Lösegeld ∗∗∗ --------------------------------------------- Verschlüsselungsangriffe haben vor allem in der Gesundheitsbranche in den vergangenen Monaten stark zugenommen. Die Daten sind bei Angreifern beliebt. --------------------------------------------- https://heise.de/-7154906 ∗∗∗ NIST Releases New macOS Security Guidance for Organizations ∗∗∗ --------------------------------------------- The National Institute of Standards and Technology (NIST) has published the final version of its guidance on securing macOS endpoints and assessing their security. --------------------------------------------- https://www.securityweek.com/nist-releases-new-macos-security-guidance-orga… ∗∗∗ Vorsicht vor Fake-E-Mails der Wiener Polizei ∗∗∗ --------------------------------------------- In einem gefälschten E-Mail der Polizei werden Sie beschuldigt, eine Straftat begangen zu haben. Es geht um Kinderpornografie, Pädophilie, Cyberpornografie und Exhibitionismus. Sie werden aufgefordert, per E-Mail eine Rechtfertigung zu schicken. Antworten Sie nicht und ignorieren Sie dieses Schreiben. Es ist Fake! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-fake-e-mails-der-wiener… ∗∗∗ CISA Adds Eight Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/27/cisa-adds-eight-k… ===================== = Vulnerabilities = ===================== ∗∗∗ Citrix dichtet Sicherheitslücken in Hypervisor ab ∗∗∗ --------------------------------------------- Der Hypervisor von Citrix enthält mehrere Schwachstellen. Angreifer könnten die Kontrolle übernehmen. Aktualisierte Pakete dichten die Lücken ab. --------------------------------------------- https://heise.de/-7154435 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (openssl), Fedora (dotnet6.0, mediawiki, and python2.7), Mageia (389-ds-base, chromium-browser-stable, exo, and libtiff), Oracle (httpd:2.4 and microcode_ctl), SUSE (dbus-broker, drbd, kernel, liblouis, mariadb, openssl, openssl-1_1, openSUSE kernel modules, oracleasm, php7, php72, python39, salt, and wdiff), and Ubuntu (linux, linux-hwe, mozjs91, and vim). --------------------------------------------- https://lwn.net/Articles/899158/ ∗∗∗ Security Bulletin: Multiple Vulnerabilities found in Apache Tika used by Content Collector for Email, Content Collector for File Systems, Content Collector for Microsoft SharePoint and Content Collector for IBM Connections ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to an issue within Jackson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to denial of service due to zlib (CVE-2018-25032) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affects WebSphere eXtreme Scale ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM QRadar SIEM is affected by a remote code execution in Spring Framework (CVE-2022-22963, CVE-2022-22965, CVE-2022-22950) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-affect… ∗∗∗ Spring Function Cloud DoS (CVE-2022-22979) and Unintended Function Invocation ∗∗∗ --------------------------------------------- https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-uni… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.06.2022
by Daily end-of-shift report 24 Jun '22

24 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 23-06-2022 18:00 − Freitag 24-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 2FA: Wie sicher sind TOTP, Fido, SMS und Push-Apps? ∗∗∗ --------------------------------------------- Zwei- oder Multi-Faktor-Authentifizierung soll uns sicherer machen. Wir erklären, wie TOTP, Fido & Co. funktionieren und wovor sie schützen. --------------------------------------------- https://www.golem.de/news/2fa-wie-sicher-sind-totp-fido-sms-und-push-apps-2… ∗∗∗ Multiple Backdoored Python Libraries Caught Stealing AWS Secrets and Keys ∗∗∗ --------------------------------------------- Researchers have discovered a number of malicious Python packages in the official third-party software repository that are engineered to exfiltrate AWS credentials and environment variables to a publicly exposed endpoint. --------------------------------------------- https://thehackernews.com/2022/06/multiple-backdoored-python-libraries.html ∗∗∗ Black Basta Ransomware Becomes Major Threat in Two Months ∗∗∗ --------------------------------------------- Black Basta ransomware has become a major new threat in just a couple months. Evidence suggests it was still in development in February 2022, and only became operational in April 2022. --------------------------------------------- https://www.securityweek.com/black-basta-ransomware-becomes-major-threat-tw… ∗∗∗ There Is More Than One Way to Sleep: Dive Deep Into the Implementations of API Hammering by Various Malware Families ∗∗∗ --------------------------------------------- Learn about the unique implementations of API Hammering malware samples and how to mitigate them. --------------------------------------------- https://unit42.paloaltonetworks.com/api-hammering-malware-families/ ===================== = Vulnerabilities = ===================== ∗∗∗ Angreifer nutzen kontinuierlich Log4Shell-Lücke in VMware Horizon aus ∗∗∗ --------------------------------------------- Die Cybersecurity & Infrastructure Security Agency warnt vor Attacken auf die Virtualisierungslösung VMware Horizon. Admins sollten zügig handeln. --------------------------------------------- https://heise.de/-7152258 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (ntfs-3g and ntfs-3g-system-compression), SUSE (389-ds, chafa, containerd, mariadb, php74, python3, salt, and xen), and Ubuntu (apache2). --------------------------------------------- https://lwn.net/Articles/898925/ ∗∗∗ Codesys Patches 11 Flaws Likely Affecting Controllers From Several ICS Vendors ∗∗∗ --------------------------------------------- Codesys this week announced patches for nearly a dozen vulnerabilities discovered in the company’s products by researchers at Chinese cybersecurity firm NSFocus. --------------------------------------------- https://www.securityweek.com/codesys-patches-11-flaws-likely-affecting-cont… ∗∗∗ ZDI-22-872: DevExpress SafeBinaryFormatter Deserialization of Untrusted Data Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-872/ ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to a denial of service (CVE-2022-22389) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: One or more security vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics (CVE-2020-4230,CVE-2020-4135,CVE-2020-4204,CVE-2020-4200) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-one-or-more-security-vuln… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities (CVE-2019-10086, CVE-2021-41617) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM® Db2® is affected by multiple vulnerabilities due to the consumed Expat library ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-affected-by-mu… ∗∗∗ Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect… ∗∗∗ Security Bulletin: IBM® Db2® is vulnerable to an information disclosure caused by improper privilege management when table function is used. (CVE-2022-22390) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-… ∗∗∗ Security Bulletin: Multiple vulnerabilities has been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by an information leak vulnerability within Kafka (CVE-2021-38153) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: A vulnerability in zlib affects IBM Common Inventory Technology (CIT). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-zlib-a… ∗∗∗ Security Bulletin: CVE-2020-35550 may affect IBM® SDK, Java™ Technology Edition for IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2020-35550-may-affect… ∗∗∗ K26314875: Apache vulnerability CVE-2022-26377 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K26314875 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX460064/citrix-hypervisor-security-upd… ∗∗∗ OFFIS DCMTK ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-174-01 ∗∗∗ Yokogawa STARDOM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-01 ∗∗∗ Yokogawa CAMS for HIS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-02 ∗∗∗ Secheron SEPCOS Control and Protection Relay ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-03 ∗∗∗ Pyramid Solutions EtherNet/IP Adapter Development Kit ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-04 ∗∗∗ Elcomplus SmartICS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-174-05 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.06.2022
by Daily end-of-shift report 23 Jun '22

23 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 22-06-2022 18:00 − Donnerstag 23-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Conti ransomware hacking spree breaches over 40 orgs in a month ∗∗∗ --------------------------------------------- The Conti cybercrime syndicate runs one of the most aggressive ransomware operations and has grown highly organized, to the point that affiliates were able to hack more than 40 companies in a little over a month. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-hacking-spr… ∗∗∗ Malicious Windows LNK attacks made easy with new Quantum builder ∗∗∗ --------------------------------------------- Malware researchers have noticed a new tool that helps cybercriminals build malicious .LNK files to deliver payloads for the initial stages of an attack. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malicious-windows-lnk-attack… ∗∗∗ The hateful eight: Kaspersky’s guide to modern ransomware groups’ TTPs ∗∗∗ --------------------------------------------- We want to familiarize the reader with the different stages of ransomware deployment and provide a visual guide to defending against targeted ransomware attacks. --------------------------------------------- https://securelist.com/modern-ransomware-groups-ttps/106824/ ∗∗∗ Understanding the Compound File Binary Format and OLE Structures to Mess with CVE-2022-30190 ∗∗∗ --------------------------------------------- Initially, I began this research to generate weaponized RTF files delivering the CVE-2022-30190(Follina) exploit. --------------------------------------------- https://cymulate.com/blog/cve-2022-30190-2/ ∗∗∗ Miracle - One Vulnerability To Rule Them All ∗∗∗ --------------------------------------------- As mentioned in Jang blog, We (me and Jang) found a mega 0-day. After April Critical Patch, finally the vulnerability was patched properly. If you never known about this vulnerability, please patch your system ASAP! --------------------------------------------- https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3a… ∗∗∗ Vorsicht vor betrügerischen „Remote Jobs“ auf LinkedIn ∗∗∗ --------------------------------------------- “Work from Home Jobs No Experience Required” – von zuhause aus arbeiten, dabei bis zu 2.000€ pro Woche verdienen und das alles ohne Berufserfahrung? Laut der massenhaft geschaltenen Stellenanzeigen von KADANSE ist das möglich. Was nicht erwähnt wird: Für diesen scheinbar lukrativen Job müssen Sie erst Geld bezahlen, der Job existiert so nicht. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-remote-… ∗∗∗ Schwachstellen in Programmierschnittstellen ∗∗∗ --------------------------------------------- Weltweit sind 4,1 bis 7,5 Prozent der Cybersecurity-Vorfälle und -schäden auf Schwachstellen in Programmierschnittstellen (Application Programming Interfaces, APIs) zurückzuführen und verursachen Kosten in Milliardenhöhe. --------------------------------------------- https://www.zdnet.de/88402008/schwachstellen-in-programmierschnittstellen/ ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins 2022-06-22 ∗∗∗ --------------------------------------------- IBM App Connect Enterprise, IBM Engineering Lifecycle Management, WebSphere Liberty, CICS Transaction Gateway, Watson Knowledge Catalog for IBM Cloud Pak for Data, IBM Robotic Process Automation, IBM Tivoli Business Service Manager, IBM MQ Internet Pass-Thru, IBM Cognos Analytics, IBM Sterling Global Mailbox. --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Synology: Aktualisierte Firmware dichtet Sicherheitslecks in Routern ab ∗∗∗ --------------------------------------------- In Firmware von Synology-Geräten hat der Hersteller Sicherheitslücken gefunden. Angreifer könnten unter anderem unberechtigt auf Dateien zugreifen. --------------------------------------------- https://heise.de/-7151202 ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, firejail, and request-tracker4), Fedora (ghex, golang-github-emicklei-restful, and openssl1.1), Oracle (postgresql), Scientific Linux (postgresql), Slackware (openssl), SUSE (salt and tor), and Ubuntu (apache2 and squid, squid3). --------------------------------------------- https://lwn.net/Articles/898720/ ∗∗∗ Cisco Adaptive Security Device Manager and Adaptive Security Appliance Software Client-side Arbitrary Code Execution Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco FirePOWER Software for ASA FirePOWER Module Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ K55051330: Intel BIOS vulnerability CVE-2021-33123 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K55051330 ∗∗∗ K87351324: Intel BIOS vulnerability CVE-2021-33124 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K87351324 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.06.2022
by Daily end-of-shift report 22 Jun '22

22 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 21-06-2022 18:00 − Mittwoch 22-06-2022 18:00 Handler: Michael Schlagenhaufer Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Newly Discovered Magecart Infrastructure Reveals the Scale of Ongoing Campaign ∗∗∗ --------------------------------------------- A newly discovered Magecart skimming campaign has its roots in a previous attack activity going all the way back to November 2021. --------------------------------------------- https://thehackernews.com/2022/06/newly-discovered-magecart.html ∗∗∗ Du kommst hier nicht rein: Adobes PDF-Tools blockieren Antivirenschutz ∗∗∗ --------------------------------------------- Adobe Acrobat und Reader legen einen Registry-Eintrag an. Dieser hält über Chromiums libcef.dll Sicherheitsprogramm-DLLs aus den PDF-Programmen fern. --------------------------------------------- https://heise.de/-7147804 ∗∗∗ Sharehoster Mega: Sicherheitsforscher entschlüsseln eigentlich geschützte Daten ∗∗∗ --------------------------------------------- Eine problematische Kryptografie-Implementierung kann verschlüsselte Dateien für den Betreiber oder Angreifer lesbar machen. --------------------------------------------- https://heise.de/-7148227 ∗∗∗ Machen Sie mit bei unserer Studie zum Fake-Shop-Detector! ∗∗∗ --------------------------------------------- Fake-Shops stellen Konsument:innen vor große Herausforderungen: Sie werden immer zahlreicher und sind gleichzeitig schwieriger zu erkennen. Um das Einkaufen im Internet sicherer zu machen, haben wir den Fake-Shop Detector entwickelt. --------------------------------------------- https://www.watchlist-internet.at/news/machen-sie-mit-bei-unserer-studie-zu… ∗∗∗ Keeping PowerShell: Measures to Use and Embrace ∗∗∗ --------------------------------------------- Cybersecurity authorities from the United States, New Zealand, and the United Kingdom have released a joint Cybersecurity Information Sheet (CIS) on PowerShell. The CIS provides recommendations for proper configuration and monitoring of PowerShell, as opposed to removing or disabling it entirely due to its use by malicious actors after gaining access into victim networks. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/06/22/keeping-powershel… ===================== = Vulnerabilities = ===================== ∗∗∗ Webbrowser: Google schließt 14 Sicherheitslücken in Chrome ∗∗∗ --------------------------------------------- Mit dem Sprung auf das 103er-Release dichtet Google im Webbrowser Chrome 14 Schwachstellen ab. Auch für Android und iOS steht die neue Version bereit. --------------------------------------------- https://heise.de/-7147522 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (exo and ntfs-3g), Fedora (collectd, golang-github-cli-gh, grub2, qemu, and xen), Red Hat (httpd:2.4, kernel, and postgresql), SUSE (drbd, fwupdate, neomutt, and trivy), and Ubuntu (apache2, openssl, openssl1.0, and qemu). --------------------------------------------- https://lwn.net/Articles/898605/ ∗∗∗ JTEKT TOYOPUC ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Missing Authentication for Critical Function vulnerability in the JTEKT TOYOPUC programmable logic controller. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-172-02 ∗∗∗ VU#142546: SMA Technologies OpCon UNIX agent adds the same SSH key to all installations ∗∗∗ --------------------------------------------- https://kb.cert.org/vuls/id/142546 ∗∗∗ Security Bulletin: June 2022 :Multiple vulnerabilities in IBM Java Runtime affect CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-june-2022-multiple-vulner… ∗∗∗ Security Bulletin: A vulnerability (CVE-2021-35550) in IBM Java Runtime affects CICS Transaction Gateway ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-cve-2021-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) OpenSSL vulnerability CVE-2021-4044 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-rational-team-concert-rtc… ∗∗∗ Security Bulletin: Security vulnerability has been identified in IBM DB2 used by IBM Security Verify Governance, Identity Manager virtual appliance component ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerability-ha… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and WebSphere Application Server Liberty affect IBM Watson Explorer (CVE-2022-22475, CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized sensitive information access due to IBM Java vulnerability (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in Spring Framework affects IBM Watson Explorer (CVE-2022-22971, CVE-2022-22968, CVE-2022-22970) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-spring-f… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct File Agent is vulnerable to an unspecified vulnerability due to IBM Java Runtime (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affects IBM WebSphere Application Server January 2022 CPU that is bundled with IBM WebSphere Application Server Patterns ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct FTP+ is vulnerable to unauthorized data access due to IBM Java (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Watson Explorer (CVE-2022-0778) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Browser User Interface has multiple vulnerabilities due to IBM Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Jan 2022 – Includes Oracle® January 2022 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ K53252134: Intel BIOS vulnerability CVE-2021-0155 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K53252134 ∗∗∗ K16162257: Intel BIOS vulnerability CVE-2021-0154 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K16162257 ∗∗∗ K14454359: Intel BIOS vulnerability CVE-2021-0153 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K14454359 ∗∗∗ K04303225: Intel BIOS vulnerability CVE-2021-0190 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K04303225 ∗∗∗ Multiple Vulnerabilities PRA-ES8P2S Ethernet-Switch ∗∗∗ --------------------------------------------- https://psirt.bosch.com/security-advisories/bosch-sa-247052-bt.html ∗∗∗ PHP Vulnerability ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-20 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.06.2022
by Daily end-of-shift report 21 Jun '22

21 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Montag 20-06-2022 18:00 − Dienstag 21-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ New DFSCoerce NTLM Relay attack allows Windows domain takeover ∗∗∗ --------------------------------------------- A new Windows NTLM relay attack called DFSCoerce has been discovered that uses MS-DFSNM, Microsofts Distributed File System, to completely take over a Windows domain. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/new-dfscoerce-ntlm-relay-at… ∗∗∗ APT ToddyCat ∗∗∗ --------------------------------------------- ToddyCat is a relatively new APT actor responsible for multiple sets of attacks against high-profile entities in Europe and Asia. Its main distinctive signs are two formerly unknown tools that we call ‘Samurai backdoor’ and ‘Ninja Trojan’. --------------------------------------------- https://securelist.com/toddycat/106799/ ∗∗∗ Office 365 Config Loophole Opens OneDrive, SharePoint Data to Ransomware Attack ∗∗∗ --------------------------------------------- A reported a "potentially dangerous piece of functionality" allows an attacker to launch an attack on cloud infrastructure and ransom files stored in SharePoint and OneDrive. --------------------------------------------- https://threatpost.com/office-365-opens-ransomware-attacks-on-onedrive-shar… ∗∗∗ Bestellen Sie nicht bei funkelnmarkt.de ∗∗∗ --------------------------------------------- Der Online-Shop funkelnmarkt.de bietet Laptops, Waschmaschinen, Konsolen und Co. Die Preise sind teilweise etwas günstiger als bei anderen Shops und die Webseite wirkt professionell. Grund genug dort zu bestellen. Oder? Lieber nicht! Wenn Sie dort bestellen, erhalten Sie keine Ware und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/bestellen-sie-nicht-bei-funkelnmarkt… ===================== = Vulnerabilities = ===================== ∗∗∗ Icefall: 56 flaws impact thousands of exposed industrial devices ∗∗∗ --------------------------------------------- A security report has been published on a set of 56 vulnerabilities that are collectively called Icefall and affect operational technology (OT) equipment used in various critical infrastructure environments. --------------------------------------------- https://www.bleepingcomputer.com/news/security/icefall-56-flaws-impact-thou… ∗∗∗ OpenSSL Security Advisory [21 June 2022] ∗∗∗ --------------------------------------------- When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. --------------------------------------------- https://openssl.org/news/secadv/20220621.txt ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (tzdata), Oracle (cups), and SUSE (atheme, golang-github-prometheus-alertmanager, golang-github-prometheus-node_exporter, node_exporter, python36, release-notes-susemanager, release-notes-susemanager-proxy, SUSE Manager 4.1.15 Release Notes, SUSE Manager Client Tools, and SUSE Manager Server 4.2). --------------------------------------------- https://lwn.net/Articles/898504/ ∗∗∗ SSA-111512: Client-side Authentication in SIMATIC WinCC OA ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-111512.txt ∗∗∗ ABB Security Advisory: ABB Relion REX640 Insufficient file access control ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=2NGA001421 ∗∗∗ Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for May 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Flaw in Go may affect DataPower Operator (CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-flaw-in-go-may-affect-dat… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2021-35603) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS Statistics (CVE-2022-21496) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: IBM DataPower Operator affected by flaw in Go (CVE-2022-23773) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-af… ∗∗∗ Security Bulletin: IBM Spectrum Symphony is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-symphony-is-… ∗∗∗ Security Bulletin: IBM Spectrum Conductor is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-conductor-is… ∗∗∗ Security Bulletin: IBM DataPower Gateway affected by prototype pollution in DOJO (CVE-2021-23450) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-aff… ∗∗∗ Security Bulletin: IBM DataPower Operator potentially vulnerable to Denial of Service (CVE-2021-44716) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-operator-po… ∗∗∗ Security Bulletin: IBM QRadar Wincollect agent is vulnerable to information disclosure ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-age… ∗∗∗ Security Bulletin: DataPower Operator vulnerable to a Denial of Service (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datapower-operator-vulner… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a postgresql-42.0.0.jar vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by a mongodb-driver-legacy-4.1.1.jar vulnerability (CVE-2021-20328) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ PHOENIX CONTACT: Missing Authentication in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-028/ ∗∗∗ PHOENIX CONTACT: Vulnerability in ProConOS/ProConOS eCLR SDK and MULTIPROG Engineering tool ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-026/ ∗∗∗ PHOENIX CONTACT: Vulnerability in classic line industrial controllers ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-025/ ∗∗∗ WEIDMUELLER: EtherNet/IP Fieldbus Coupler out-of-bounds write ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2021-004/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 20.06.2022
by Daily end-of-shift report 20 Jun '22

20 Jun '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 17-06-2022 18:00 − Montag 20-06-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Michael Schlagenhaufer ===================== = News = ===================== ∗∗∗ Kritische CVE-2022-20825 in Cisco Small-Business-Routern wird nicht gefixt ∗∗∗ --------------------------------------------- In den Small-Business-Routern RV110W, RV130, RV130W und RV215W gibt es eine kritische Schwachstelle CVE-2022-20825, die mit dem CVE-Wert von 9.8 bewertet wurde. Auf Grund einer fehlenden Authentifizierung ermöglicht die Schwachstelle sowohl eine Remote Command Execution als auch Denial of Service-Angriffe. --------------------------------------------- https://www.borncity.com/blog/2022/06/20/kritische-cve-2022-20825-in-cisco-… ∗∗∗ New phishing attack infects devices with Cobalt Strike ∗∗∗ --------------------------------------------- Security researchers have noticed a new malicious spam campaign that delivers the Matanbuchus malware to drop Cobalt Strike beacons on compromised machines. --------------------------------------------- https://www.bleepingcomputer.com/news/security/new-phishing-attack-infects-… ∗∗∗ Android-wiping BRATA malware is evolving into a persistent threat ∗∗∗ --------------------------------------------- The threat actors operating the BRATA banking trojan have evolved their tactics and incorporated new information-stealing features into their malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-wiping-brata-malware… ∗∗∗ Decoding Obfuscated BASE64 Statistically ∗∗∗ --------------------------------------------- In diary entry "Houdini is Back Delivered Through a JavaScript Dropper", Xavier mentions that he had to deal with an obfuscated BASE64 string. --------------------------------------------- https://isc.sans.edu/diary/rss/28758 ∗∗∗ The Importance of White-Box Testing: A Dive into CVE-2022-21662 ∗∗∗ --------------------------------------------- When CVE-2022-21662 came out there wasn’t a much-published material regarding this vulnerability. I want to take some time to explain the importance of using a white-box approach when testing applications for vulnerabilities. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-importa… ∗∗∗ Cerber2021 Ransomware Back in Action ∗∗∗ --------------------------------------------- In December 2021, researchers identified a new version of Cerber ransomware targeting both Linux and Windows users. In this infection, Cerber2021 was delivered by targeting the vulnerabilities in the Confluence and Gitlab servers. These vulnerabilities are tracked as CVE-2021-26084 and CVE-2021-22205, respectively. --------------------------------------------- https://blog.cyble.com/2022/06/17/cerber2021-ransomware-back-in-action/ ∗∗∗ Europol-Masche: Neue Welle betrügerischer Anrufe ∗∗∗ --------------------------------------------- Die Telefonbetrugsmasche, bei der sich die Kriminellen als Ermittlungsbehörde ausgeben, ist nicht neu. Dennoch rollt aktuell wieder eine Welle solcher Anrufe. --------------------------------------------- https://heise.de/-7146013 ∗∗∗ Erpressung per E-Mail: Hacker fordert die Überweisung von Bitcoins ∗∗∗ --------------------------------------------- Sie haben ein E-Mail von einem Hacker bekommen? Er schreibt, dass er Ihren Computer gehackt hat und Sie beim Masturbieren gefilmt hat? Er droht damit das Video zu verbreiten, wenn Sie keine Bitcoins überweisen? Im E-Mail wird sogar eines Ihrer Passwörter genannt? Machen Sie sich keine Sorgen! Dieses E-Mail ist Fake. Lassen Sie sich nicht erpressen und überweisen Sie keinesfalls Bitcoins. Ändern Sie aber umgehend Ihr Passwort! --------------------------------------------- https://www.watchlist-internet.at/news/erpressung-per-e-mail-hacker-fordert… ∗∗∗ Azure Attack Paths: Common Findings and Fixes (Part 1) ∗∗∗ --------------------------------------------- This post will walk through various services within the Azure catalogue and look at potential attack paths. --------------------------------------------- https://blog.zsec.uk/azure-fundamentals-pt1/ ===================== = Vulnerabilities = ===================== ∗∗∗ AWS: Amazon-Hotpatch für log4j-Lücke ermöglicht Rechteausweitung ∗∗∗ --------------------------------------------- In einem Skript zum Absichern vor der log4j-Lücke von Amazon findet sich eine Sicherheitslücke. Angreifer könnten ihre Rechte damit ausweiten. --------------------------------------------- https://heise.de/-7145383 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cyrus-imapd, exo, sleuthkit, slurm-wlm, vim, and vlc), Fedora (golang-github-docker-libnetwork, kernel, moby-engine, ntfs-3g-system-compression, python-cookiecutter, python2.7, python3.6, python3.7, python3.8, python3.9, rubygem-mechanize, and webkit2gtk3), Mageia (bluez, dnsmasq, exempi, halibut, and php), Oracle (.NET 6.0, .NET Core 3.1, and xz), SUSE (chafa, firejail, kernel, python-Twisted, and tensorflow2), and Ubuntu (intel-microcode). --------------------------------------------- https://lwn.net/Articles/898413/ ∗∗∗ Security Advisory - Input Verification Vulnerability Involving Huawei Printer Products ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220620-… ∗∗∗ Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2021-35550) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-an-unspecified-vulnerabil… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due to Apache Log4j (CVE-2021-44228). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: StoredIQ Is Vulnerable To Arbitrary Code Execution Due To Apache Log4j (CVE-2021-4104). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: Potential module resolution error in DataPower Operator ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-module-resoluti… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in jackson-databind (217968) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: StoredIQ is vulnerable to denial of service and remote code execution in Apache Log4j (CVE-2021-44228, CVE-2021-45046). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-storediq-is-vulnerable-to… ∗∗∗ Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities in Apache Thrift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-… ∗∗∗ Security Bulletin: IBM Robotic Process Automation is vulnerable to configuration credentials unencrypted in system memory (CVE-2022-22414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-robotic-process-autom… ∗∗∗ Security Bulletin: IBM QRadar WinCollect is vulnerable to using components with known vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-wincollect-is-… ∗∗∗ Security Bulletin: Potential Denial of Service in IBM DataPower Gateway (CVE-2022-23806) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-potential-denial-of-servi… ∗∗∗ Security Bulletin: IBM Integration Bus is vulnerable to arbitrary code execution due to json-schema (CVE-2021-3918) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-bus-is-vu… ∗∗∗ Security Bulletin: IBM Analytic Accelerator Framework for Communication Service Providers & IBM Customer and Network Analytics for Communications Service Providers and Datasets Impacted by Log4j Vulnerabilities ( CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-analytic-accelerator-… ∗∗∗ Security Bulletin: Cúram Social Program Management may be affected by Denial of Service vulnerability in JDOM (CVE-2021-33813) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Security Bulletin: AIX is vulnerable to a denial of service due to lpd (CVE-2022-22444) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-aix-is-vulnerable-to-a-de… ∗∗∗ Security Bulletin: Vulnerabilities with Kernel, Eclipse Jetty, and OpenJDK affect IBM Cloud Object Storage Systems (June 2022) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-kern… ∗∗∗ Security Bulletin: Cúram Social Program Management is affected by session timeout issues (CVE-2022-22318, CVE-2022-22317) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cram-social-program-manag… ∗∗∗ Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980) ∗∗∗ --------------------------------------------- https://spring.io/blog/2022/06/20/spring-data-mongodb-spel-expression-injec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily