- Daily - CERT.at

Tageszusammenfassung - 14.03.2022
by Daily end-of-shift report 14 Mar '22

14 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-03-2022 18:00 − Montag 14-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Android malware Escobar steals your Google Authenticator MFA codes ∗∗∗ --------------------------------------------- The Aberebot banking trojan appears to have returned, as its author is actively promoting a new version of the tool on dark web markets and forums. --------------------------------------------- https://www.bleepingcomputer.com/news/security/android-malware-escobar-stea… ∗∗∗ Curl on Windows, (Mon, Mar 14th) ∗∗∗ --------------------------------------------- It's about 2 years ago that Xavier wrote a diary entry ("Keep an Eye on Command-Line Browsers") mentioning that curl was now build into Windows. [...] So with this particular malicious script, it's rather easy to detect (especially if you are in a network environment without Linux machines): search for curl UAS. If you are in a corporate environment, there's something else to know about curl on Windows. --------------------------------------------- https://isc.sans.edu/diary/rss/28436 ∗∗∗ New Linux Bug in Netfilter Firewall Module Lets Attackers Gain Root Access ∗∗∗ --------------------------------------------- Tracked as CVE-2022-25636 (CVSS score: 7.8), the vulnerability impacts Linux kernel versions 5.4 through 5.6.10 and is a result of a heap out-of-bounds write in the netfilter subcomponent in the kernel. [..] "This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat," Red Hat said in an advisory published on February 22, 2022. Similar alerts have been released by Debian, Oracle Linux, SUSE, and Ubuntu. --------------------------------------------- https://thehackernews.com/2022/03/new-linux-bug-in-netfilter-firewall.html ∗∗∗ Reverse Engineering a Netgear Nday ∗∗∗ --------------------------------------------- This post will detail how I went about developing a proof of concept for a Netgear Nday vulnerability. --------------------------------------------- https://nstarke.github.io/netgear/nday/2022/03/13/reverse-engineering-a-net… ∗∗∗ Making Sense of the Dirty Pipe Vulnerability (CVE-2022-0847) ∗∗∗ --------------------------------------------- [..] the flaw could allow anyone with read access on a system to write arbitrary data into arbitrary files. In this blog post, we analyze the vulnerability details in-depth and demonstrate how the exploit works to successfully escalate privileges. --------------------------------------------- https://redhuntlabs.com/blog/the-dirty-pipe-vulnerability.html ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Following responsible disclosure on September 9, 2021, fixes have been released to address the issues in Composer, Bundler, Bower, Poetry, Yarn, and Pnpm. But Composer, Pip, and Pipenv, all three of which are affected by the untrusted search path flaw, have opted not to address the bug. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Shodan: Introducing the InternetDB API ∗∗∗ --------------------------------------------- The major differences between the InternetDB API and the main Shodan API are: - No API key required - Much higher rate limit - Weekly updates - Minimal port/ service information - Non-commercial use only --------------------------------------------- https://blog.shodan.io/introducing-the-internetdb-api/ ∗∗∗ Diskrepanz zwischen erwarteten und tatsächlichen Cyberattacken im Ukraine-Krieg ∗∗∗ --------------------------------------------- c’t: Ukrainische Behörden haben Freiwillige in aller Welt aufgerufen, sich an Cyberattacken gegen Russland zu beteiligen. Halten Sie es für sinnvoll, dabei mitzumachen? Dr. Sven Herpig: Nein. Natürlich könnten Freiwillige irgendwelche Ziele in Russland ärgern, aber das wird weit weg sein von kriegsentscheidend. Gleichzeitig ist es aus drei Gründen ziemlich gefährlich. --------------------------------------------- https://heise.de/-6540223 ∗∗∗ Gefälschte Otto-Shops werben auf Facebook ∗∗∗ --------------------------------------------- ottot.shop, otto.us.com und ghrh.shop sind betrügerische Online-Shops. Diese Shops imitieren das deutsche Handelsunternehmen „OTTO“ und bieten Produkte zu sehr günstigen Preisen an. Aber: Ware, die dort bestellt und bezahlt wird, wird nicht geliefert. Geschädigte können versuchen ihr Geld über den Käuferschutz von PayPal zurückzubekommen. --------------------------------------------- https://www.watchlist-internet.at/news/gefaelschte-otto-shops-werben-auf-fa… ===================== = Vulnerabilities = ===================== ∗∗∗ Veeam Backup & Replication - CVE-2022-26500 | CVE-2022-26501 ∗∗∗ --------------------------------------------- Multiple vulnerabilities in Veeam Backup & Replication allow executing malicious code remotely without authentication. This may lead to gaining control over the target system. CVSS v3 score: 9.8 --------------------------------------------- https://www.veeam.com/kb4288 ∗∗∗ High-Severity Vulnerabilities Patched in Omron PLC Programming Software ∗∗∗ --------------------------------------------- Several high-severity vulnerabilities that can be exploited for remote code execution were patched recently in the CX-Programmer software of Japanese electronics giant Omron. An advisory released earlier this month by Japan’s JPCERT/CC revealed that the product is affected by five use-after-free and out-of-bounds vulnerabilities, all with a CVSS score of 7.8. --------------------------------------------- https://www.securityweek.com/high-severity-vulnerabilities-patched-omron-pl… ∗∗∗ Riverbed spinoff Aternity ships emergency software patch ∗∗∗ --------------------------------------------- Riverbed’s performance monitoring spinoff Aternity has published seven security advisories describing now-patched vulnerabilities in its AppInternals monitoring agent software. The most serious of the bugs gave attackers remote code execution with system-level privilege. [..] Riverbed has shipped AppInternals Agent versions 11.8.8 and 12.14.0, which include patches for the bugs. --------------------------------------------- https://www.itnews.com.au/news/riverbed-spinoff-aternity-ships-emergency-so… ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat, haproxy, libphp-adodb, nbd, and vim), Fedora (chromium, cobbler, firefox, gnutls, linux-firmware, radare2, thunderbird, and usbguard), Mageia (gnutls), Oracle (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, and kernel), SUSE (firefox, tomcat, and webkit2gtk3), and Ubuntu (libxml2 and nbd). --------------------------------------------- https://lwn.net/Articles/887807/ ∗∗∗ Dell BIOS: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-24415, CVE-2022-24416, CVE-2022-24419, CVE-2022-24420, CVE-2022-24421 Ein lokaler Angreifer kann mehrere Schwachstellen in Dell BIOS und Dell Computer ausnutzen, um beliebigen Programmcode auszuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0308 ∗∗∗ Apache HTTP Server: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- CVE Liste: CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943 Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Apache HTTP Server ausnutzen, um beliebigen Programmcode auszuführen, Informationen offenzulegen, Dateien zu manipulieren oder einen Denial of Service Zustand herbeizuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0306 ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Data Virtualization on Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: WebSphere Application Server is vulnerable to a Privilege Escalation vulnerability and affects Content Collector for Email ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-application-ser… ∗∗∗ Security Bulletin: IBM Spectrum Protect Plus is vulnerable to PostgreSQL Man-in-the-Middle and Slowloris Denial of Service attacks (CVE-2021-23222, CVE-2022-22354) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-protect-plus… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects IBM Analytical Decision Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j affects SPSS Collaboration and Deployment Services (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Db2 affect IBM Spectrum Protect Server (CVE-2021-38931, CVE-2021-29678, CVE-2021-20373, CVE-2021-39002, CVE-2021-38926) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-db… ∗∗∗ Security Bulletin: Data masking rules are not enforced when CREATE TABLE AS SELECT statement is executed in IBM Big SQL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-data-masking-rules-are-no… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: IBM WebSphere Application Server Liberty vulnerabilities affect IBM Spectrum Protect Backup-Archive Client, IBM Spectrum Protect for Virtual Environments, and IBM Spectrum Protect for Space Management (CVE-2021-35517, ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to arbitrary code execution because of Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Vulnerabilities in the Linux Kernel, Samba, Sudo, Python, and tcmu-runner affect IBM Spectrum Protect Plus ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-li… ∗∗∗ Security Bulletin: IBM Spectrum Copy Data Management is vulnerable to Slowloris, HTTP header injection, XSS, and CSRF (CVE-2022-22354, CVE-2022-22344, CVE-2021-39055, CVE-2021-39051) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-copy-data-ma… ∗∗∗ Security Bulletin: Vulnerabilities in Celery, Golang Go, and Python affect IBM Spectrum Protect Plus Container Backup and Restore for Kubernetes and Red Hat OpenShift ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-celery… ∗∗∗ Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-flask-an… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and Golang Go affect IBM Spectrum Protect Server (CVE-2021-35578, CVE-2021-44716, CVE-2021-44717) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, PostgreSQL, OpenSSL, OpenSSH, and jQuery affect IBM Spectrum Copy Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Vulnerabilities in IBM Java Runtime and IBM WebSphere Application Server Liberty affect IBM Operations Center and Client Management Service (CVE-2021-35578, CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-ja… ∗∗∗ Security Bulletin: Vulnerabilities in Polkit, Node.js, OpenSSH, and Golang Go affect IBM Spectrum Protect Plus (CVE-2021-4034, CVE-2022-21681, CVE-2022-21680, CVE-2022-0235, CVE-2021-41617, CVE-2021-44716, CVE-2021-44717, 218243) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-polkit… ∗∗∗ Security Bulletin: Reverse Tabnabbing and Cross-Site Request Forgery vulnerabilities in IBM Spectrum Protect Operations Center (CVE-2020-22348, CVE-2020-22346) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-reverse-tabnabbing-and-cr… ∗∗∗ K63603485: Linux kernel vulnerability CVE-2022-0847 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K63603485 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.03.2022
by Daily end-of-shift report 11 Mar '22

11 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-03-2022 18:00 − Freitag 11-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Raccoon Stealer Crawls Into Telegram ∗∗∗ --------------------------------------------- The credential-stealing trash panda is using the chat app to store and update C2 addresses as crooks find creative new ways to distribute the malware. --------------------------------------------- https://threatpost.com/raccoon-stealer-telegram/178881/ ∗∗∗ Keep an Eye on WebSockets, (Fri, Mar 11th) ∗∗∗ --------------------------------------------- It has been a while that I did not spot WebSockets used by malware. Yesterday I discovered an interesting piece of Powershell. Very small and almost undetected according to its Virustotal score (2/54)[1]. A quick reminder for those that don't know what a "WebSocket" is. --------------------------------------------- https://isc.sans.edu/diary/rss/28430 ∗∗∗ Bypassing MFA: A Pentest Case Study ∗∗∗ --------------------------------------------- When a company implements multifactor authentication, the organization is usually confident that it’s using the best system possible. However, not all MFA is built the same and there are times when the MFA solution being implemented is not delivering the protection required. --------------------------------------------- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/bypassing-m… ∗∗∗ Multiple Security Flaws Discovered in Popular Software Package Managers ∗∗∗ --------------------------------------------- Multiple security vulnerabilities have been disclosed in popular package managers that, if potentially exploited, could be abused to run arbitrary code and access sensitive information, including source code and access tokens, from compromised machines. Its, however, worth noting that the flaws require the targeted developers to handle a malicious package in conjunction with one of the affected package managers. --------------------------------------------- https://thehackernews.com/2022/03/multiple-security-flaws-discovered-in.html ∗∗∗ Whats up with in-the-wild exploits? Plus, what were doing about it. ∗∗∗ --------------------------------------------- If you are a regular reader of our Chrome release blog, you may have noticed that phrases like exploit for CVE-1234-567 exists in the wild have been appearing more often recently. In this post well explore why there seems to be such an increase in exploits, and clarify some misconceptions in the process. Well then share how Chrome is continuing to make it harder for attackers to achieve their goals. --------------------------------------------- http://security.googleblog.com/2022/03/whats-up-with-in-wild-exploits-plus.… ∗∗∗ WordPress 5.9.2 Security Update Fixes XSS and Prototype Pollution Vulnerabilities ∗∗∗ --------------------------------------------- Last night, just after 6pm Pacific time, on Thursday March 10, 2022, the WordPress core team released WordPress version 5.9.2, which contains security patches for a high-severity vulnerability as well as two medium-severity issues. The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. --------------------------------------------- https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixe… ∗∗∗ Cobalt Strike: Memory Dumps – Part 6 ∗∗∗ --------------------------------------------- This is an overview of different methods to create and analyze memory dumps of Cobalt Strike beacons. This series of blog posts describes different methods to decrypt Cobalt Strike traffic. --------------------------------------------- https://blog.nviso.eu/2022/03/11/cobalt-strike-memory-dumps-part-6/ ∗∗∗ Infostealer Being Distributed via YouTube ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered an infostealer that is being distributed via YouTube. The attacker disguised the malware as a game hack for Valorant, and uploaded the following video with the download link for the malware, then guided the user to turn off the anti-malware program. The team has introduced another case of distribution disguised as a game hack or crack via YouTube in a previous ASEC blog post. --------------------------------------------- https://asec.ahnlab.com/en/32499/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-503: MyBB Admin Control Panel Code Injection Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to execute arbitrary code on affected installations of MyBB. Authentication is required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-503/ ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (nbd, ruby-sidekiq, tryton-proteus, and tryton-server), Mageia (shapelib and thunderbird), openSUSE (minidlna, python-libxml2-python, python-lxml, and thunderbird), Oracle (kernel, kernel-container, and python-pip), Red Hat (.NET 5.0, .NET 6.0, .NET Core 3.1, firefox, kernel, and kernel-rt), Scientific Linux (firefox), SUSE (openssh, python-libxml2-python, python-lxml, and thunderbird), and Ubuntu (expat vulnerabilities and, firefox, and subversion). --------------------------------------------- https://lwn.net/Articles/887635/ ∗∗∗ Mattermost security updates 6.4.2, 6.3.5, 6.2.5, 5.37.9 released ∗∗∗ --------------------------------------------- We’re informing you about a Mattermost security update, which addresses medium-level severity vulnerabilities. We highly recommend that you apply the update. The security update is available for Mattermost dot releases 6.4.2, 6.3.5 (Extended Support Release), 6.2.5, 5.37.9 (Extended Support Release) for both Team Edition and Enterprise Edition. --------------------------------------------- https://mattermost.com/blog/mattermost-security-updates-6-4-2-6-3-5-6-2-5-5… ∗∗∗ Siemens Solid Edge, JT2Go, and Teamcenter Visualization ∗∗∗ --------------------------------------------- This updated advisory is a follow-up to the original advisory titled ICSA-22-041-07 Siemens Solid Edge, JT2Go, and Teamcenter Visualization that was published February 10, 2022, on the ICS webpage at www.cisa.gov/uscert. This advisory contains mitigations for Improper Restriction of Operations within the Bounds of a Memory Buffer, Out-of-bounds Write, Heap-based Buffer Overflow, and Out-of-bounds Read vulnerabilities in Siemens Solid Edge, JT2Go, and Teamcenter Visualization software products. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-041-07 ∗∗∗ Mehrere Schwachstellen in PONTON X/P Messenger (SYSS-2021-077/-078/-079/-080) ∗∗∗ --------------------------------------------- Der PONTON X/P Messenger der PONTON GmbH ist in den Versionen 3.8.0 und 3.10.0 unter eingeschränkten Voraussetzungen anfällig für mehrere Schwachstellen. --------------------------------------------- https://www.syss.de/pentest-blog/mehrere-schwachstellen-in-ponton-x/p-messe… ∗∗∗ CERT-EU warnt vor SMBv3-Schwachstelle CVE-2022-24508, Fix durch Windows März 2022-Updates ∗∗∗ --------------------------------------------- Mit den Sicherheitsupdates vom 8. März 2022 für Windows hat Microsoft eine Reihe Schwachstellen geschlossen. Darunter ist auch eine als wichtig eingestufte Remote Code Execution-Schwachstelle (REC) im Windows SMBv3 Client/Server. CERT-EU warnt in einer aktuellen Mitteilung vor dieser SMBv3-Schwachstelle CVE-2022-24508 [...] --------------------------------------------- https://www.borncity.com/blog/2022/03/11/cert-eu-warnt-vor-smbv3-schwachste… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 10 March 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. Related CVEs are: CVE-2022-24672, CVE-2022-24673 and CVE-2022-24674. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0299 ∗∗∗ phpMyAdmin: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0304 ∗∗∗ McAfee Total Protection: Schwachstelle ermöglicht Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0302 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has a vulnerability (CVE-2021-39022), related to hazardous input. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: A Python Issue Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-python-issue-affects-ib… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Integration Designer is vulnerable to an attacker obtaining sensitive information (CVE-2021-35550, CVE-2021-35603) and denial of service (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integration-designer-… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) – CVE-2021-38893 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… ∗∗∗ Security Bulletin: Cross-Site Scripting vulnerability affect IBM Cloud Pak for Automation Workflow Process Service (CVE-2021-38893 CVE-2021-38966) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-vuln… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.03.2022
by Daily end-of-shift report 10 Mar '22

10 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-03-2022 18:00 − Donnerstag 10-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Nearly 30% of critical WordPress plugin bugs dont get a patch ∗∗∗ --------------------------------------------- Patchstack, a leader in WordPress security and threat intelligence, has released a whitepaper to present the state of WordPress security in 2021, and the report paints a dire picture. --------------------------------------------- https://www.bleepingcomputer.com/news/security/nearly-30-percent-of-critica… ∗∗∗ What Security Controls Do I Need for My Kubernetes Cluster? ∗∗∗ --------------------------------------------- This Tech Tip offers some security controls to embed in your organizations CI/CD pipeline to protect Kubernetes clusters and corporate networks. --------------------------------------------- https://www.darkreading.com/dr-tech/what-security-controls-do-i-need-for-my… ∗∗∗ Qakbot Botnet Sprouts Fangs, Injects Malware into Email Threads ∗∗∗ --------------------------------------------- The ever-shifting, ever-more-powerful malware is now hijacking email threads to download malicious DLLs that inject password-stealing code into webpages, among other foul things. --------------------------------------------- https://threatpost.com/qakbot-botnet-sprouts-fangs-injects-malware-into-ema… ∗∗∗ Credentials Leaks on VirusTotal, (Thu, Mar 10th) ∗∗∗ --------------------------------------------- A few weeks ago, researchers published some information about stolen credentials that were posted on Virustotal[1]. Im keeping an eye on VT for my customers and searching for data related to them. For example, I looking for their domain name(s) inside files posted on VT. I may confirm what researchers said, there are a lot of passwords leaks shared on VTI but yesterday, there was a peak of files uploaded on this platform. --------------------------------------------- https://isc.sans.edu/diary/rss/28426 ∗∗∗ Demystifying E-Commerce Website Security ∗∗∗ --------------------------------------------- Here we’ll be discussing the main aspects that are important to an E-Commerce website, the kinds of vulnerabilities that can impact your business, and how to take better preventative measures. --------------------------------------------- https://blog.sucuri.net/2022/03/demystifying-e-commerce-website-security.ht… ∗∗∗ Pre-announcement of 4 BIND security issues scheduled for disclosure 16 March 2022 ∗∗∗ --------------------------------------------- As part of our policy of pre-notification of upcoming security releases, we are writing to inform you that the March 2022 BIND maintenance releases that will be released on Wednesday, 16 March, will contain a patches for a security vulnerabilities affecting the BIND 9.11.x, 9.16.x and 9.18.x release branches. Further details about those vulnerabilities will be publicly disclosed at the time the releases are published. --------------------------------------------- https://lists.isc.org/pipermail/bind-announce/2022-March/001211.html ∗∗∗ Getting Critical: Making Sense of the EU Cybersecurity Framework for Cloud Providers ∗∗∗ --------------------------------------------- In this chapter, we review how the EU cybersecurity regulatory framework impacts providers of cloud computing services. We examine the evolving regulatory treatment of cloud services as an enabler of the EUs digital economy and question whether all cloud services should be treated as critical infrastructure. Further, we look at how the safeguarding and incident notification obligations under the General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NISD) --------------------------------------------- https://arxiv.org/abs/2203.04887 ∗∗∗ The Conti Leaks: Insight into a Ransomware Unicorn ∗∗∗ --------------------------------------------- In late February 2022, the internal chat logs of the Conti ransomware group were disclosed. This blog dissects the internal chat logs that illuminate how Conti’s organizational infrastructure is run, details key figureheads, tooling as well as bitcoin transactions. --------------------------------------------- https://www.breachquest.com/conti-leaks-insight-into-a-ransomware-unicorn/ ∗∗∗ Spectre V2 ist auch bei ARM und Intel zurück: Angriff auf Branch History Buffer ∗∗∗ --------------------------------------------- Bisherige Schutzmechanismen von Intel-Prozessoren und ARM-Kernen gegen Seitenkanalangriffe vom Typ Spectre V2 reichen nicht aus. --------------------------------------------- https://heise.de/-6545263 ∗∗∗ „Ihr ID-Betriebssystem wird gesperrt“ – Apple E-Mail ist Fake! ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail, das angeblich von Apple versendet wird, werden Sie aufgefordert Ihre Apple ID zu überprüfen. Doch Vorsicht – es handelt sich um Phishing! Hier sind Kriminelle auf Ihre Daten aus! Am besten ignorieren Sie das E-Mail. --------------------------------------------- https://www.watchlist-internet.at/news/ihr-id-betriebssystem-wird-gesperrt-… ∗∗∗ Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools ∗∗∗ --------------------------------------------- Opportunistic cybercriminals are attempting to exploit Ukrainian sympathizers by offering malware purporting to be offensive cyber tools to target Russian entities. Once downloaded, these files infect unwitting users rather than delivering the tools originally advertised. --------------------------------------------- http://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.ht… ===================== = Vulnerabilities = ===================== ∗∗∗ [webapps] Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated) ∗∗∗ --------------------------------------------- # note : this is blind RCE so don't expect to see results on the site # this exploit is tested against Zabbix 5.0.17 only --------------------------------------------- https://www.exploit-db.com/exploits/50816 ∗∗∗ XSA-396 ∗∗∗ --------------------------------------------- CVEs: CVE-2022-23036 CVE-2022-23037 CVE-2022-23038 CVE-2022-23039 CVE-2022-23040 CVE-2022-23041 CVE-2022-23042 Several Linux PV device frontends are using the grant table interfaces for removing access rights of the backends in ways being subject to race conditions, resulting in potential data leaks, data corruption by malicious backends, and denial of service triggered by malicious backends --------------------------------------------- https://xenbits.xen.org/xsa/advisory-396.html ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and kernel), Fedora (cyrus-sasl, mingw-protobuf, and thunderbird), Mageia (kernel-linus), openSUSE (firefox, kernel, and libcaca), Oracle (.NET 6.0, kernel, kernel-container, and ruby:2.5), Slackware (mozilla-thunderbird), and SUSE (firefox, mariadb, and tomcat). --------------------------------------------- https://lwn.net/Articles/887484/ ∗∗∗ Drupal: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- - SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2022-028 - Opigno Learning path - Moderately critical - Access bypass - SA-CONTRIB-2022-029 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0298 ∗∗∗ CVE-2022-0022 PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes (Severity: MEDIUM) ∗∗∗ --------------------------------------------- Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. [..] Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0022 ∗∗∗ UNIVERGE WA Series vulnerable to OS command injection ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN72801744/ ∗∗∗ [remote] Siemens S7-1200 - Unauthenticated Start/Stop Command ∗∗∗ --------------------------------------------- https://www.exploit-db.com/exploits/50820 ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39025) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Cloud Application Business Insights CVE-2021-23450 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-ibm-we… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption is vulnerable to cross-site scripting (CVE-2020-7676) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM DataPower Gateway permits reflected JSON injection (CVE-2021-38910) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-gateway-per… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, OmniFind Text Search Server for DB2 for i is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.03.2022
by Daily end-of-shift report 09 Mar '22

09 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-03-2022 18:00 − Mittwoch 09-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Betrug auf Discord: „Sorry, ich habe deinen Steam-Account gemeldet!“ ∗∗∗ --------------------------------------------- Gamerinnen und Gamer aufgepasst: Auf Discord kommt es momentan zu Kontaktaufnahmen durch Kriminelle, die sich für das Melden des Steam-Accounts entschuldigen. --------------------------------------------- https://www.watchlist-internet.at/news/betrug-auf-discord-sorry-ich-habe-de… ∗∗∗ Daxin Backdoor: In-Depth Analysis, Part Two ∗∗∗ --------------------------------------------- In the second of a two-part series of blogs, we examine the communications and networking features of Daxin. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ===================== = Vulnerabilities = ===================== ∗∗∗ Guidance for CVE-2022-23278 spoofing in Microsoft Defender for Endpoint ∗∗∗ --------------------------------------------- Microsoft released a security update to address CVE-2022-23278 in Microsoft Defender for Endpoint. This important class spoofing vulnerability impacts all platforms. --------------------------------------------- https://msrc-blog.microsoft.com/2022/03/08/guidance-for-cve-2022-23278-spoo… ∗∗∗ New 16 High-Severity UEFI Firmware Flaws Discovered in Millions of HP Devices ∗∗∗ --------------------------------------------- Cybersecurity researchers on Tuesday disclosed 16 new high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices. --------------------------------------------- https://thehackernews.com/2022/03/new-16-high-severity-uefi-firmware.html ∗∗∗ Critical RCE Bugs Found in Pascom Cloud Phone System Used by Businesses ∗∗∗ --------------------------------------------- Researchers have disclosed three security vulnerabilities affecting Pascom Cloud Phone System (CPS) that could be combined to achieve a full pre-authenticated remote code execution of affected systems. --------------------------------------------- https://thehackernews.com/2022/03/critical-rce-bugs-found-in-pascom-cloud.h… ∗∗∗ TLStorm: Three critical vulnerabilities discovered in APC Smart-UPS devices ∗∗∗ --------------------------------------------- Armis has discovered a set of three critical zero-day vulnerabilities in APC Smart-UPS devices that can allow remote attackers to take over Smart-UPS devices and carry out extreme attacks targeting both physical devices and IT assets. --------------------------------------------- https://www.armis.com/research/tlstorm/ ∗∗∗ Patchday: SAP behebt 16 Schwachstellen ∗∗∗ --------------------------------------------- Zum März-Patchday bei SAP liefert das Unternehmen Aktualisierungen für zwölf neue Sicherheitslücken aus. Zudem aktualisiert es vier ältere Sicherheitsmeldungen. --------------------------------------------- https://heise.de/-6543439 ∗∗∗ Alte Lücke in Pulse Connect Secure-VPN wird angegriffen ∗∗∗ --------------------------------------------- Schon Mitte 2020 hat Pulse Secure in seiner VPN-Lösung Aktualisierungen veröffentlicht, die Sicherheitslücken schließen. Die Lücken werden jetzt angegriffen. --------------------------------------------- https://heise.de/-6544328 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (kernel, linux-4.19, spip, and thunderbird), Fedora (cyrus-sasl and libxml2), Mageia (firefox and thunderbird), openSUSE (buildah and tcpdump), Red Hat (cyrus-sasl, kernel, kernel-rt, and kpatch-patch), Slackware (kernel), SUSE (buildah, kernel, libcaca, and tcpdump), and Ubuntu (linux, linux-aws, linux-aws-5.13, linux-azure, linux-azure-5.13, linux-gcp, linux-gcp-5.13, linux-hwe-5.13, linux-kvm, linux-oem-5.14, linux-oracle, linux-oracle-5.13, [...] --------------------------------------------- https://lwn.net/Articles/887309/ ∗∗∗ Microsoft Releases March 2022 Security Updates ∗∗∗ --------------------------------------------- Microsoft has released updates to address multiple vulnerabilities in Microsoft software. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/microsoft-release… ∗∗∗ SAP Releases March 2022 Security Updates ∗∗∗ --------------------------------------------- SAP has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/sap-releases-marc… ∗∗∗ Adobe Releases Security Updates for Multiple Products ∗∗∗ --------------------------------------------- Adobe has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/adobe-releases-se… ∗∗∗ ZDI-22-492: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-492/ ∗∗∗ ZDI-22-491: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Write Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-491/ ∗∗∗ ZDI-22-490: (0Day) Ecava IntegraXor Inkscape WMF File Parsing Memory Corruption Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-490/ ∗∗∗ ZDI-22-489: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Uninitialized Pointer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-489/ ∗∗∗ ZDI-22-488: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Uninitialized Pointer Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-488/ ∗∗∗ ZDI-22-487: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-487/ ∗∗∗ ZDI-22-486: (0Day) Ecava IntegraXor Inkscape EMF File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-486/ ∗∗∗ ZDI-22-485: (0Day) Ecava IntegraXor Inkscape PCX File Parsing Out-Of-Bound Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-485/ ∗∗∗ AMD: LFENCE/JMP Mitigation Update for CVE-2017-5715 ∗∗∗ --------------------------------------------- https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036 ∗∗∗ Intel Processor Advisory: INTEL-SA-00598 ∗∗∗ --------------------------------------------- https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-0… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: Vulnerability in ISC BIND affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-isc-bind… ∗∗∗ Security Bulletin: Vulnerability in IBM Java Runtime affects Watson Explorer Content Analytics Studio ( CVE-2021-2341) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-java… ∗∗∗ Security Bulletin: Vulnerability in Intel Xeon affects IBM Cloud Pak System (CVE-2021-0144) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-intel-xe… ∗∗∗ XSA-398 ∗∗∗ --------------------------------------------- https://xenbits.xen.org/xsa/advisory-398.html ∗∗∗ F-Secure Produkte: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0279 ∗∗∗ Ruby on Rails: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0276 ∗∗∗ Citrix Hypervisor Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341586 ∗∗∗ NetApp SnapCenter Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500477-NETAPP-SNAPCENTER-INFOR… ∗∗∗ Brocade Fabric OS Vulnerabilities ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500476-BROCADE-FABRIC-OS-VULNE… ∗∗∗ Lenovo Thin Installer Denial of Service Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500475-LENOVO-THIN-INSTALLER-D… ∗∗∗ Glance by Mirametrix Vulnerability ∗∗∗ --------------------------------------------- http://support.lenovo.com/product_security/PS500474-GLANCE-BY-MIRAMETRIX-VU… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.03.2022
by Daily end-of-shift report 08 Mar '22

08 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-03-2022 18:00 − Dienstag 08-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Fernverwaltung mit Sicherheitslücke gefährdet medizinische Geräte ∗∗∗ --------------------------------------------- Viele medizinische IoT-Geräte enthalten Fernverwaltungssoftware von Axeda/PTC. Sicherheitslücken ermöglichen Angreifern das Einschleusen von Schadcode. --------------------------------------------- https://heise.de/-6542436 ∗∗∗ Stecker zum Stromsparen auf „getecotex.com“ ist Betrug ∗∗∗ --------------------------------------------- Auf getecotex.com wird ein Stecker zum Stromsparen angeboten. Für 59 Euro kann angeblich der Stromfluss stabilisiert, hochfrequenter Strom entfernt und die Energierechnung reduziert werden. Vorsicht: Diese Versprechen sind frei erfunden - ein solches Gerät existiert nicht. Sie werden betrogen und verlieren Ihr Geld! --------------------------------------------- https://www.watchlist-internet.at/news/stecker-zum-stromsparen-auf-getecote… ∗∗∗ CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector ∗∗∗ --------------------------------------------- A new reflection/amplification distributed denial of service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks. Attacks have been observed on broadband access ISPs, financial institutions, logistics companies, gaming companies, and organizations in other vertical markets. Security researchers, network operators, and security vendors observed these attacks and formed a task force to investigate the new DDoS vector and provide mitigation guidance. Approximately 2,600 Mitel MiCollab and MiVoice Business Express collaboration systems acting as PBX-to-Internet gateways were incorrectly deployed with an abusable system test facility exposed to the public Internet. --------------------------------------------- https://www.shadowserver.org/news/cve-2022-26143-tp240phonehome-reflection-… ∗∗∗ Emotet growing slowly but steadily since November resurgence ∗∗∗ --------------------------------------------- The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries. --------------------------------------------- https://www.bleepingcomputer.com/news/security/emotet-growing-slowly-but-st… ∗∗∗ An attackers toolchest: Living off the land ∗∗∗ --------------------------------------------- If you’ve been keeping up with the information security world, you’ve certainly heard that recent ransomware attacks and other advanced persistent threats are sometimes using special kind of tools. But for the most part, the tools will be very familiar to you. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/02/37248-living-off-the-land ∗∗∗ Androids March 2022 Security Updates Patch 39 Vulnerabilities ∗∗∗ --------------------------------------------- Google this week announced the release of patches for 39 vulnerabilities as part of the March 2022 security update for Android. The most serious vulnerability is CVE-2021-39708, a remotely exploitable elevation of privilege issue identified in the System component. --------------------------------------------- https://www.securityweek.com/androids-march-2022-security-updates-patch-39-… ∗∗∗ Container Escape to Shadow Admin: GKE Autopilot Vulnerabilities ∗∗∗ --------------------------------------------- We disclosed several GKE Autopilot vulnerabilities and attack techniques to Google. The issues are now fixed - we provide a technical analysis. --------------------------------------------- https://unit42.paloaltonetworks.com/gke-autopilot-vulnerabilities/ ∗∗∗ Phishing attempts from FancyBear and Ghostwriter stepping up says Google ∗∗∗ --------------------------------------------- Google TAG also sees Chinese Mustang Panda going after Europeans and DDoS attempts against Ukrainian targets. --------------------------------------------- https://www.zdnet.com/article/phishing-attempts-from-fancybear-and-ghostwri… ∗∗∗ Daxin Backdoor: In-Depth Analysis, Part One ∗∗∗ --------------------------------------------- In the first of a two-part series of blogs, we will delve deeper into Daxin, examining the driver initialization, networking, key exchange, and backdoor functionality of the malware. --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ∗∗∗ FBI Releases Indicators of Compromise for RagnarLocker Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) has released a Flash report detailing indicators of compromise (IOCs) associated with ransomware attacks by RagnarLocker, a group of a ransomware actors targeting critical infrastructure sectors. CISA encourages users and administrators to review the IOCs and technical details in FBI Flash CU-000163-MW and apply the recommended mitigations. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/08/fbi-releases-indi… ∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- 08.03.2022 16:40 Bereich "Indirekte Angriffsfläche" erweitert --------------------------------------------- https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen ===================== = Vulnerabilities = ===================== ∗∗∗ Jetzt patchen! Kritische Sicherheitslecks in APC Smart-UPS ∗∗∗ --------------------------------------------- In den APC Smart-UPS von Schneider Electric könnten Angreifer Sicherheitslücken ausnutzen, um Schadcode einzuschleusen oder die Geräte außer Funktion zu setzen. --------------------------------------------- https://heise.de/-6542950 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (gif2apng and twisted), Mageia (golang, kernel, and webmin), openSUSE (chromium, cyrus-sasl, and opera), Red Hat (virt:rhel and virt-devel:rhel), Slackware (mozilla), SUSE (cyrus-sasl), and Ubuntu (glibc and redis). --------------------------------------------- https://lwn.net/Articles/887159/ ∗∗∗ AVEVA System Platform ∗∗∗ --------------------------------------------- This advisory contains mitigations for a Cleartext Storage of Sensitive Information in Memory vulnerability in the AVEVA System Platform, a software management product. --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-067-02 ∗∗∗ Sensormatic PowerManage (Update A) ∗∗∗ --------------------------------------------- This update advisory is a follow-up to the original advisory titled ICSA-22-034-01 Sensormatic PowerManage that was published February 3, 2022, on the ICS webpage on www.cisa.gov/uscert. This advisory contains mitigations for an Improper Input Validation vulnerability in the Sensormatic PowerManage operating platform. Update A (Part 1 of 1): Upgrade PowerManage to Version 4.10 --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-034-01 ∗∗∗ D-LINK Router: Schwachstelle ermöglicht Denial of Service ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0268 ∗∗∗ Citrix Federated Authentication Service (FAS) Security Update ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX341587 ∗∗∗ Security Bulletin: Vulnerability in IBM Guardium Data Encryption (GDE) (CVE-2021-20414) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-ibm-guar… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: IBM Cloud Pak System is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45046, CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-system-is-v… ∗∗∗ Security Bulletin: IBM Security Directory Integrator has upgraded log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-directory-in… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Virtualization Engine TS7700 (CVE-2021-35517, CVE-2021-36090) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM WebSphere Liberty shipped with IBM Tivoli Netcool Impact (CVE-2021-29842) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ SSA-250085: Multiple Vulnerabilities in SINEC NMS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-250085.txt ∗∗∗ SSA-223353: Multiple Vulnerabilities in Nucleus RTOS based SIMOTICS CONNECT 400 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-223353.txt ∗∗∗ SSA-166747: Scene File Parsing Vulnerability in Simcenter STAR-CCM+ Viewer before V2022.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-166747.txt ∗∗∗ SSA-155599: File Parsing Vulnerabilities in COMOS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-155599.txt ∗∗∗ SSA-148641: XPath Constraint Vulnerability in Mendix Runtime ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-148641.txt ∗∗∗ SSA-134279: Vulnerability in Mendix Forgot Password Appstore module ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-134279.txt ∗∗∗ SSA-764417: Multiple Vulnerabilities in RUGGEDCOM Devices ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-764417.txt ∗∗∗ SSA-594438: Remote Code Execution and Denial-of-Service Vulnerability in multiple RUGGEDCOM ROX products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-594438.txt ∗∗∗ SSA-562051: Cross-Site Scripting Vulnerability in Polarion ALM ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-562051.txt ∗∗∗ SSA-415938: Improper Access Control Vulnerability in Mendix ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-415938.txt ∗∗∗ SSA-406691: Buffer Vulnerabilities in DHCP function of RUGGEDCOM ROX products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-406691.txt ∗∗∗ SSA-389290: Third-Party Component Vulnerabilities in SINEC INS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-389290.txt ∗∗∗ SSA-337210: Privilege Escalation Vulnerability in SINUMERIK MC ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-337210.txt ∗∗∗ SSA-256353: Third-Party Component Vulnerabilities in RUGGEDCOM ROS ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-256353.txt ∗∗∗ SSA-252466: Multiple Vulnerabilities in Climatix POL909 (AWM and AWB) ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-252466.txt -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 07.03.2022
by Daily end-of-shift report 07 Mar '22

07 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 04-03-2022 18:00 − Montag 07-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ E-Mail vom "Zoll Kundenservice" ist Fake ∗∗∗ --------------------------------------------- Im betrügerischen E-Mail von "[email protected]" wird behauptet, dass Ihr Paket nicht geliefert werden kann, da Zollgebühren nicht bezahlt wurden. Um die Zollgebühren zu begleichen, werden Sie aufgefordert, einen Paysafecard-Pin um 75 Euro zu schicken. Ignorieren Sie dieses E-Mail, es handelt sich um Betrug. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-zoll-kundenservice-ist-fa… ∗∗∗ Notfallupdate: Sicherheitslücken in Firefox und Thunderbird werden angegriffen ∗∗∗ --------------------------------------------- Die Mozilla-Stiftung hat außer der Reihe Sicherheitsupdates für Firefox, Klar und Thunderbird herausgegeben, die bereits aktiv angegriffene Lücken schließen. --------------------------------------------- https://heise.de/-6540649 ∗∗∗ Sicherheitsprobleme bei Samsung: Quellcode geklaut, unsichere Kryptografie ∗∗∗ --------------------------------------------- Einbrecher haben bei Samsung Quellcode entwendet. Zudem patzte der Hersteller bei Kryptografie in der Trusted Execution Environment von Flaggschiff-Smartphones. --------------------------------------------- https://heise.de/-6540849 ∗∗∗ Dirty Pipe: Linux-Kernel-Lücke erlaubt Schreibzugriff mit Root-Rechten ∗∗∗ --------------------------------------------- Ein Fehler bei der Verarbeitung von Pipes im Linux-Kernel lässt sich ausnutzen, um Root-Rechte zu erlangen. --------------------------------------------- https://www.golem.de/news/dirty-pipe-linux-kernel-luecke-erlaubt-schreibzug… ∗∗∗ Microsoft fixes critical Azure bug that exposed customer data ∗∗∗ --------------------------------------------- Microsoft has addressed a critical vulnerability in the Azure Automation service that could have allowed attackers to take full control over other Azure customers data. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-critical-az… ∗∗∗ Massive Meris Botnet Embeds Ransomware Notes from REvil ∗∗∗ --------------------------------------------- Notes threatening to tank targeted companies stock price were embedded into the DDoS ransomware attacks as a string_of_text directed to CEOs and webops_geeks in the URL. --------------------------------------------- https://threatpost.com/massive-meris-botnet-embeds-ransomware-notes-revil/1… ∗∗∗ Scam E-Mail Impersonating Red Cross, (Fri, Mar 4th) ∗∗∗ --------------------------------------------- Earlier today, I received a scam email that impersonates the Ukrainian Red Cross. It attempts to solicit donations via Bitcoin. The email is almost certainly not related to any valid Red Cross effort. --------------------------------------------- https://isc.sans.edu/diary/rss/28404 ∗∗∗ oledumps Extra Option, (Sat, Mar 5th) ∗∗∗ --------------------------------------------- A colleague asked if it was possible with oledump.py, to search through a set of malicious documents and filter out all streams that have identical VBA source code. --------------------------------------------- https://isc.sans.edu/diary/rss/28406 ∗∗∗ Critical Bugs in TerraMaster TOS Could Open NAS Devices to Remote Hacking ∗∗∗ --------------------------------------------- Researchers have disclosed details of critical security vulnerabilities in TerraMaster network-attached storage (TNAS) devices that could be chained to attain unauthenticated remote code execution with the highest privileges. The issues reside in TOS, an abbreviation for TerraMaster Operating System, and "can grant unauthenticated attackers access to the victims box simply by knowing the IP [...] --------------------------------------------- https://thehackernews.com/2022/03/critical-bugs-in-terramaster-tos-could.ht… ∗∗∗ Backdooring WordPress using PyShell ∗∗∗ --------------------------------------------- PyShell is new tool made for bug bounty, ethical hacking, penetration testers or red-teamers. This tool helps you to obtain a shell-like interface on a web server to be remotely accessed. --------------------------------------------- https://blog.wpsec.com/backdooring-wordpress-using-pyshell/ ∗∗∗ Beware of malware offering “Warm greetings from Saudi Aramco” ∗∗∗ --------------------------------------------- A new Formbook campaign is targeting oil and gas companies. --------------------------------------------- https://blog.malwarebytes.com/threat-intelligence/2022/03/beware-of-malware… ∗∗∗ Amcache contains SHA-1 Hash – It Depends! ∗∗∗ --------------------------------------------- If you read about the Amcache registry hive and what information it contains, you will find a lot of references that it contains the SHA-1 hash of the file in the corresponding registry entry. Now that especially comes in handy if files are deleted from disk. --------------------------------------------- https://blog.nviso.eu/2022/03/07/amcache-contains-sha-1-hash-it-depends/ ∗∗∗ Webhook Party – Malicious packages caught exfiltrating data via legit webhook services ∗∗∗ --------------------------------------------- Checkmarx Supply Chain Security (SCS) team (previously Dustico) has found several malicious packages attempting to use a dependency confusion attack. Those packages were detected by the team’s malicious package detection system. Findings show all packages caught contained malicious payload [...] --------------------------------------------- https://checkmarx.com/blog/webhook-party-malicious-packages-caught-exfiltra… ===================== = Vulnerabilities = ===================== ∗∗∗ New Security Vulnerability Affects Thousands of Self-Managed GitLab Instances ∗∗∗ --------------------------------------------- Researchers have disclosed details of a new security vulnerability in GitLab, an open-source DevOps software, that could potentially allow a remote, unauthenticated attacker to recover user-related information. Tracked as CVE-2021-4191 (CVSS score: 5.3), the medium-severity flaw affects all versions of GitLab Community Edition and Enterprise Edition starting from 13.0 and all versions starting from 14.4 and prior to 14.8. --------------------------------------------- https://thehackernews.com/2022/03/new-security-vulnerability-affects.html ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (chromium, containerd, cyrus-sasl2, expat, firefox-esr, freecad, kernel, and tiff), Fedora (seamonkey, swtpm, and webkit2gtk3), Mageia (docker-containerd, firefox, flac, libtiff, libxml2, and mc), openSUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, libeconf, shadow and util-linux, mariadb, nodejs14, perl-App-cpanminus, vim, wireshark, wpa_supplicant, and zsh), SUSE (containerd, expat, flatpak, gnutls, go1.16, go1.17, java-11-openjdk, [...] --------------------------------------------- https://lwn.net/Articles/887055/ ∗∗∗ Deep dive: Vulnerabilities in ZTE router could lead to complete attacker control of the device ∗∗∗ --------------------------------------------- Cisco Talos’ vulnerability research team disclosed multiple vulnerabilities in the ZTE MF971R wireless hotspot and router in October. Several months removed from that disclosure and ZTE’s patch, we decided to take an even closer look at two of these vulnerabilities — CVE-2021-21748 and CVE-2021-21745 — to show how they could be chained together by an attacker to completely take over a device. --------------------------------------------- https://blog.talosintelligence.com/2022/03/deep-dive-vulnerabilities-in-zte… ∗∗∗ Security Bulletin: Vulnerability in AIX nimsh (CVE-2022-22351) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-nims… ∗∗∗ Security Bulletin: Multiple security vulnerability are addressed in monthly security fix for IBM Cloud Pak for Business Automation February 2022 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38988) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: Vulnerability in the AIX kernel (CVE-2021-38989) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: Some unspecified vulnerabilities in Java SE result in the unauthenticated attacker to take control of the system or some impact ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-some-unspecified-vulnerab… ∗∗∗ Bitdefender Produkte: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0264 ∗∗∗ Webmin: Mehrere Schwachstellen ermöglichen Privilegieneskalation ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0267 ∗∗∗ Asterisk: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0266 ∗∗∗ D-LINK Router: Mehrere Schwachstellen ermöglichen Umgehen von Sicherheitsvorkehrungen ∗∗∗ --------------------------------------------- https://www.cert-bund.de/advisoryshort/CB-K22-0265 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 04.03.2022
by Daily end-of-shift report 04 Mar '22

04 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 03-03-2022 18:00 − Freitag 04-03-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ 8-Character Passwords Can Be Cracked in Less than 60 Minutes ∗∗∗ --------------------------------------------- Researchers say passwords with less than seven characters can be hacked "instantly." --------------------------------------------- https://www.darkreading.com/attacks-breaches/8-character-passwords-can-be-c… ∗∗∗ 5 Risks That Can Cause Your Website to Get Reinfected ∗∗∗ --------------------------------------------- Re-infections are one of the most frustrating encounters site owners experience. Like a game of whack-a-mole, when you think you’ve found and removed everything malicious, more malicious content pops up. --------------------------------------------- https://blog.sucuri.net/2022/03/5-risks-that-can-cause-your-website-to-get-… ∗∗∗ SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store ∗∗∗ --------------------------------------------- NCC Group, as well as many other researchers noticed a rise in Android malware last year, especillay Android banking malware. --------------------------------------------- https://blog.fox-it.com/2022/03/03/sharkbot-a-new-generation-android-bankin… ∗∗∗ Nvidias geleakte Code-Signing-Zertifikate missbraucht ∗∗∗ --------------------------------------------- Die Einbrecher haben bei Nvidia auch Code-Signing-Zertifikate entwendet und veröffentlicht. Mit denen werden nun Angriffs-Tools signiert. --------------------------------------------- https://heise.de/-6537255 ∗∗∗ Betrügerische Spendenaufrufe: Kriminelle missbrauchen Krieg in der Ukraine ∗∗∗ --------------------------------------------- Um Menschen in der Ukraine finanziell zu unterstützen, gibt es derzeit zahlreiche Möglichkeiten. Doch auch Kriminelle missbrauchen diese Situation und erstellen betrügerische Webseiten mit Spendenaufrufen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-spendenaufrufe-krimin… ∗∗∗ A Backdoor Lockpick ∗∗∗ --------------------------------------------- In early September, 2021, a fairly ordinary and inexpensive residential router came into the Zero Day research team’s possession. --------------------------------------------- https://medium.com/tenable-techblog/a-backdoor-lockpick-d847a83f4496 ∗∗∗ Die Renaissance des Cybervigilantismus ∗∗∗ --------------------------------------------- Der Krieg zwischen Russland und der Ukraine hat als - bis zu einem gewissen Grad überraschenden - Nebeneffekt die Renaissance von Software, die der durch Anonymous bekannt und populär gemachten, zu DDoS-Zwecken verwendeten "Low Orbit Ion Cannon" ähnelt. Dutzende solcher Programme oder auf dem selben Prinzip basierende Webseiten werden aktuell auf den sozialen Netzwerken verteilt und fast schon begeistert von vielen Menschen genutzt. --------------------------------------------- https://cert.at/de/blog/2022/3/die-renaissance-des-cybervigilantismus ∗∗∗ NSA Releases Network Infrastructure Security Guidance ∗∗∗ --------------------------------------------- The report captures best practices based on the depth and breadth of experience in supporting customers and responding to threats. Recommendations include perimeter and internal network defenses to improve monitoring and access controls throughout the network. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/03/03/nsa-releases-netw… ===================== = Vulnerabilities = ===================== ∗∗∗ Amazon Alexa can be hijacked via commands from own speaker ∗∗∗ --------------------------------------------- Without a critical update, Amazon Alexa devices could wake themselves up and start executing audio commands issued by a remote attacker, according to infosec researchers at Royal Holloway, University of London. --------------------------------------------- https://www.theregister.com/2022/03/03/amazon_alexa_speaker_vuln/ ∗∗∗ New Linux Vulnerability CVE-2022-0492 Affecting Cgroups: Can Containers Escape? ∗∗∗ --------------------------------------------- CVE-2022-0492 marks a logical bug in control groups (cgroups), a Linux feature that is a fundamental building block of containers. --------------------------------------------- https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/ ∗∗∗ Kritische Root-Lücken gefährden Ciscos Fernzugriff-Software Expressway Series ∗∗∗ --------------------------------------------- Der Netzwerkhersteller Cisco hat wichtige Sicherheitsupdates für Expressway Series, StarOS & Co. veröffentlicht. --------------------------------------------- https://heise.de/-6537019 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (varnish), Fedora (barrier and polkit), openSUSE (bitcoin, conmon, libcontainers-common, libseccomp, podman, firefox, nodejs-electron, nodejs8, php7, and webkit2gtk3), SUSE (conmon, libcontainers-common, libseccomp, podman, cyrus-sasl, expat, firefox, nodejs8, php7, tomcat, and webkit2gtk3), and Ubuntu (containerd). --------------------------------------------- https://lwn.net/Articles/886792/ ∗∗∗ pfSense-pkg-WireGuard vulnerable to directory traversal ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN85572374/ ∗∗∗ B&R APROL and B&R APROL: A flaw in Chainsaw component of Log4j can lead to code execution ∗∗∗ --------------------------------------------- https://www.br-automation.com/downloads_br_productcatalogue/assets/16449471… ∗∗∗ Security Bulletin: IBM Security QRadar SOAR is using a component vulnerable to Cross Site Scripting (CVE-2021-41182, CVE-2021-41183, CVE-2021-41184) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-soar-… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM Security QRadar SOAR ( CVE-2021-35560, CVE-2021-35578, CVE-2021-35564, CVE-2021-35565, CVE-2021-35588) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in Sterling Connect:Direct Browser User Interface ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to IBM Dojo (CVE-2021-234550), Java SE (CVE-2021-35578), IBM WebSphere Application Server – Liberty (CVE-2021-39031), Apache Log4j (CVE-2021-44832) and Gson ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spectrum-control-is-v… ∗∗∗ Trailer Power Line Communications (PLC) J2497 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-063-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 03.03.2022
by Daily end-of-shift report 03 Mar '22

03 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 02-03-2022 18:00 − Donnerstag 03-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Free decryptor released for HermeticRansom victims in Ukraine ∗∗∗ --------------------------------------------- Avast Threat Labs has released a decryptor for the HermeticRansom ransomware strain used predominately in targeted attacks against Ukrainian systems in the past ten days. --------------------------------------------- https://www.bleepingcomputer.com/news/security/free-decryptor-released-for-… ∗∗∗ Researchers Devise Attack for Stealing Data During Homomorphic Encryption ∗∗∗ --------------------------------------------- A vulnerability in a Microsoft crypto library gives attackers a way to figure out what data is being encrypted in lockpicker-like fashion. --------------------------------------------- https://www.darkreading.com/application-security/researchers-devise-attack-… ∗∗∗ Threat landscape for industrial automation systems, H2 2021 ∗∗∗ --------------------------------------------- By 2021 everyone got used to pandemic limitations – industrial organization employees and IT security professionals and threat actors. If we compare the numbers from 2020 and 2021, we see that 2021 looks more stable, particularly in H2. --------------------------------------------- https://securelist.com/threat-landscape-for-industrial-automation-systems-h… ∗∗∗ The Truth About USB Device Serial Numbers – (and the lies your tools tell) ∗∗∗ --------------------------------------------- Evidence surrounding the use of USB devices is an often sought-after forensic treasure trove, due to its verbosity in the operating system, as well as the Windows Registry. The difficulty comes in attempting to make sense of all this data. When the many, disparate breadcrumbs of usage are pulled together in a coherent assemblage of user activity, the results can be shocking in their clarity. --------------------------------------------- https://www.sans.org/blog/the-truth-about-usb-device-serial-numbers?msc=rss ∗∗∗ Vorsicht vor diesen betrügerischen Handwerksdiensten! ∗∗∗ --------------------------------------------- Ihnen ist die Tür zugefallen, der Schlüssel abgebrochen, oder ein Abflussrohr ist verstopft? Solche Notsituationen werden zunehmend von Kriminellen ausgenutzt: Sie bieten schnelle und einfache Hilfe an, doch Vorsicht! Diese unseriösen Anbieter verlangen Wucherpreise in bar und beheben oft nicht einmal das Problem! --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-diesen-betruegerischen-… ∗∗∗ Update: Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- Version 1.3 03.03.2022 15:45 * Weitere Empfehlungen, "Weitere Lektüre" Sektion * Aufgrund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifische Gefährdung für Österreich ist aktuell noch nicht auszumachen. --------------------------------------------- https://cert.at/de/aktuelles/2022/3/ukraine-krise-aktuelle-informationen ===================== = Vulnerabilities = ===================== ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (cyrus-sasl), Fedora (kicad), Mageia (php), openSUSE (envoy-proxy, ldns, libdxfrw, librecad, php7, and shapelib), Red Hat (cyrus-sasl), SUSE (firefox, gnutls, ldns, and php7), and Ubuntu (haproxy and php7.2, php7.4). --------------------------------------------- https://lwn.net/Articles/886683/ ∗∗∗ Zoho ManageEngine Desktop Central: Schwachstelle ermöglicht Offenlegung von Informationen ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Zoho ManageEngine Desktop Central ausnutzen, um Informationen offenzulegen. CVE Liste: CVE-2022-23779 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0253 ∗∗∗ Autodesk AutoCAD: Mehrere Schwachstellen ermöglichen Codeausführung ∗∗∗ --------------------------------------------- Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Autodesk AutoCAD ausnutzen, um beliebigen Programmcode auszuführen. CVE Liste: CVE-2022-25789, CVE-2022-25790, CVE-2022-25791, CVE-2022-25792, CVE-2022-25795 --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0252 ∗∗∗ Security Bulletin: IBM i is vulnerable to bypass security restrictions due to Samba SMB1 (CVE-2021-43566 and CVE-2021-44141) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-is-vulnerable-to-by… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM Robotic Process Automation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OpenPages with Watson has addressed Apache Log4j vulnerability (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: IBM i components are affected by CVE-2021-4104 (log4j version 1.x) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-i-components-are-affe… ∗∗∗ Security Bulletin: IBM DataPower affected by vulnerabilities in Node.js ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-datapower-affected-by… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ K73200428: Linux kernel vulnerability CVE-2022-0185 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K73200428?utm_source=f5support&utm_mediu… ∗∗∗ BD Pyxis ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-062-01 ∗∗∗ BD Viper LT ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsma-22-062-02 ∗∗∗ IPCOMM ipDIO ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-062-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 02.03.2022
by Daily end-of-shift report 02 Mar '22

02 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 01-03-2022 18:00 − Mittwoch 02-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Phishing attacks target countries aiding Ukrainian refugees ∗∗∗ --------------------------------------------- A spear-phishing campaign likely coordinated by a state-backed threat actor has been targeting European government personnel providing logistics support to Ukrainian refugees. --------------------------------------------- https://www.bleepingcomputer.com/news/security/phishing-attacks-target-coun… ∗∗∗ Geoblocking when you cant Geoblock, (Tue, Mar 1st) ∗∗∗ --------------------------------------------- Given recent events, I've gotten a flood of calls from clients who want to start blocking egress traffic to specific countries, or block ingress traffic from specific countries (or both). --------------------------------------------- https://isc.sans.edu/diary/rss/28392 ∗∗∗ TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps ∗∗∗ --------------------------------------------- An Android banking trojan designed to steal credentials and SMS messages has been observed once again sneaking past Google Play Store protections to target users of more than 400 banking and financial apps, including those from Russia, China, and the U.S. --------------------------------------------- https://thehackernews.com/2022/03/teabot-android-banking-malware-spreads.ht… ∗∗∗ "Authority-Scam": Kriminelle imitieren Behörden für Investment-Betrug ∗∗∗ --------------------------------------------- Beim „Authority-Scam“ geben sich die Kriminellen als Behörde aus und fordern Zahlungen wegen der Investments. Nicht bezahlen! --------------------------------------------- https://www.watchlist-internet.at/news/authority-scam-kriminelle-imitieren-… ∗∗∗ Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization ∗∗∗ --------------------------------------------- Scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations found 75% had known security gaps. --------------------------------------------- https://unit42.paloaltonetworks.com/infusion-pump-vulnerabilities/ ===================== = Vulnerabilities = ===================== ∗∗∗ Critical Bugs Reported in Popular Open Source PJSIP SIP and Media Stack ∗∗∗ --------------------------------------------- As many as five security vulnerabilities have been disclosed in the PJSIP open-source multimedia communication library that could be abused by an attacker to trigger arbitrary code execution and denial-of-service (DoS) in applications that use the protocol stack. --------------------------------------------- https://thehackernews.com/2022/03/critical-bugs-reported-in-popular-open.ht… ∗∗∗ IBM warnt vor zahlreichen Sicherheitslücken ∗∗∗ --------------------------------------------- IBM hat für diverse Produkte Updates veröffentlicht, die teils kritische Sicherheitslücken schließen. Administratoren sollten sie zeitnah installieren. --------------------------------------------- https://heise.de/-6531076 ∗∗∗ Sicherheitsupdates von Fortinet: Angreifer könnten Admin-Zugänge erraten ∗∗∗ --------------------------------------------- Unter anderen FortiMail und FortiWLC sind verwundbar. Eine Lücke gilt als kritisch. --------------------------------------------- https://heise.de/-6531249 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (mingw-expat and seamonkey), openSUSE (mc, mysql-connector-java, nodejs12, and sphinx), Red Hat (kernel and kpatch-patch), SUSE (cyrus-sasl, kernel, nodejs12, and php74), and Ubuntu (glibc). --------------------------------------------- https://lwn.net/Articles/886560/ ∗∗∗ Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Ultra Cloud Core - Subscriber Microservices Infrastructure Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco StarOS Command Injection Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Identity Services Engine RADIUS Service Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: Vulnerabilities in AIX CAA (CVE-2022-22350, CVE-2021-38996) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-aix-ca… ∗∗∗ Security Bulletin: SQL injection vulnerability in PostgreSQL affects IBM Connect:Direct Web Services (CVE-2021-23214) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-sql-injection-vulnerabili… ∗∗∗ Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-aff… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote attacker due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java Runtime Affect IBM Connect:Direct Web Services ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Security Bulletin: IBM InfoSphere Master Data Management Server vulnerability in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-ibm-inf… ∗∗∗ Security Bulletin: Vulnerabilities with Expat, Spring Framework and Apache HTTP Server affect IBM Cloud Object Storage Systems (Feb 2022 V2) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-with-expa… ∗∗∗ VMSA-2022-0007 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0007.html ∗∗∗ K34519550: Linux kernel vulnerability CVE-2021-27364 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K34519550 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 01.03.2022
by Daily end-of-shift report 01 Mar '22

01 Mar '22

===================== = End-of-Day report = ===================== Timeframe: Montag 28-02-2022 18:00 − Dienstag 01-03-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Axis Communications shares details on disruptive cyberattack ∗∗∗ --------------------------------------------- Axis Communications has published a post mortem about a cyberattack that caused severe disruption in their systems, with some systems still partially offline. --------------------------------------------- https://www.bleepingcomputer.com/news/security/axis-communications-shares-d… ∗∗∗ Cyber threat activity in Ukraine: analysis and resources ∗∗∗ --------------------------------------------- Microsoft has been monitoring escalating cyber activity in Ukraine and has published analysis on observed activity in order to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts. We’ve brought together all our analysis and guidance for customers who may be impacted by events ... --------------------------------------------- https://msrc-blog.microsoft.com:443/2022/02/28/analysis-resources-cyber-thr… ∗∗∗ Instagram scammers as busy as ever: passwords and 2FA codes at risk ∗∗∗ --------------------------------------------- Instagram scams dont seem to be dying out - were seeing more variety and trickiness than ever... --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/28/instagram-scammers-as-busy-as-e… ∗∗∗ Triaging A Malicious Docker Container ∗∗∗ --------------------------------------------- Malicious Docker containers are a relatively new form of attack, taking advantage of an exposed Docker API or vulnerable host to do their evil plotting. In this article, we will walk through the triage of a malicious image containing a previously undetected-in-VirusTotal (at the time of this writing) piece of malware --------------------------------------------- https://sysdig.com/blog/triaging-malicious-docker-container/ ∗∗∗ How To Protect Magento Websites ∗∗∗ --------------------------------------------- As of recently, Magento1 has become outdated and no longer supported. Adobe’s goal is to move all users away to Magento2 instead, which has 2FA and a non-standard login URL enabled by default, being generally more secure. Migrating is very costly for an average business, however, so this article will hopefully shed some light on how you can still protect your site regardless of which version of Magento is currently being used. --------------------------------------------- https://blog.sucuri.net/2022/02/how-to-protect-magento-websites.html ∗∗∗ Trickbot Malware Gang Upgrades its AnchorDNS Backdoor to AnchorMail ∗∗∗ --------------------------------------------- Even as the TrickBot infrastructure closed shop, the operators of the malware are continuing to refine and retool their arsenal to carry out attacks that culminated in the deployment of Conti ransomware. IBM Security X-Force, which discovered the revamped version of the criminal gangs AnchorDNS backdoor, dubbed the new, upgraded variant AnchorMail. --------------------------------------------- https://thehackernews.com/2022/03/trickbot-malware-gang-upgrades-its.html ∗∗∗ Nein, Signal wurde nicht gehackt ∗∗∗ --------------------------------------------- Auf Twitter tritt Signal derzeit Gerüchten entgegen, die behaupten, der Messenger sei gehackt oder anderweitig kompromittiert worden. Die Gerüchte "sind falsch. Signal wurde nicht gehackt", betont Signal auf Twitter. "Wir glauben, dass diese Gerüchte Teil einer koordinierten Fehlinformationskampagne sind, die die Menschen dazu bringen soll, weniger sichere Alternativen zu nutzen." --------------------------------------------- https://www.golem.de/news/messenger-nein-signal-wurde-nicht-gehackt-2203-16… ∗∗∗ Unusual sign-in activity mail goes phishing for Microsoft account holders ∗∗∗ --------------------------------------------- We look at a phishing mail which may cause concern for users of Microsoft services as it claims theres been a suspicious login from Russia.The post Unusual sign-in activity mail goes phishing for Microsoft account holders appeared first on Malwarebytes Labs. --------------------------------------------- https://blog.malwarebytes.com/scams/2022/03/unusual-sign-in-activity-mail-g… ∗∗∗ DDoS Attacks Abuse Network Middleboxes for Reflection, Amplification ∗∗∗ --------------------------------------------- Threat actors specializing in distributed denial-of-service (DDoS) attacks have started abusing network middleboxes for reflection and amplification, Akamai warns. --------------------------------------------- https://www.securityweek.com/ddos-attacks-abuse-network-middleboxes-reflect… ∗∗∗ Betrügerische Investitionsplattformen: Checken Sie unsere Liste ∗∗∗ --------------------------------------------- Betrügerische Investitionsplattformen versprechen hohe Gewinne – risikofrei und ohne Finanzwissen. Der Handel erfolgt automatisiert oder mit persönlicher Beratung. Bereits mit kleinen Investitionen können angeblich hohe Gewinne erzielt werden. Klingt sehr verlockend, ist aber Betrug! In diesem Artikel listen wir betrügerische Investitionsplattformen. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-investitionsplattform… ∗∗∗ Tales from the Field: Coin-Operated Culprit ∗∗∗ --------------------------------------------- Due to a lack of proper visibility and segmentation, a breakroom vending machine was provided unfettered access to an operational network worth billions of dollars. --------------------------------------------- https://claroty.com/2022/02/28/blog-tales-from-the-field-coin-operated-culp… ===================== = Vulnerabilities = ===================== ∗∗∗ Multiple vulnerabilities in VoipMonitor ∗∗∗ --------------------------------------------- I discovered and reported a few bugs in VoipMonitor ranging from a simple authentication bypass to a full RCE chain. Here I'll describe "most" of these bugs. The issues have been patched in VoipMonitor GUI version 24.97. --------------------------------------------- https://kerbit.io/research/read/blog/3 ∗∗∗ Cloud-Schutzlösung von Okta könnte Schadcode auf Server lassen ∗∗∗ --------------------------------------------- Ein wichtiges Sicherheitsupdate schließt ein Schadcode-Schlupfloch in Okta Advanced Server Client. --------------------------------------------- https://heise.de/-6529223 ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Oracle (kernel, kernel-container, and ruby:2.5), Red Hat (rh-ruby26-ruby), Slackware (libxml2 and libxslt), SUSE (htmldoc and SUSE Manager Server 4.2), and Ubuntu (mariadb-10.3, mariadb-10.5, policykit-1, qemu, virglrenderer, and webkit2gtk). --------------------------------------------- https://lwn.net/Articles/886472/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Lansweeper could lead to JavaScript, SQL injections ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Lansweeper IT asset management solution that could allow an attacker to inject JavaScript or SQL code on the targeted device. [..] Users are encouraged to update these affected products as soon as possible: Lansweeper version 9.1.20.2. Talos tested and confirmed this version is affected by these vulnerabilities. Lansweeper 9.2.0 incorporates fixes for these issues. --------------------------------------------- http://blog.talosintelligence.com/2022/03/vuln-spotlight-.html ∗∗∗ ZDI-22-424: (0Day) Delta Industrial Automation DIAEnergie AM_Handler SQL Injection Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-424/ ∗∗∗ ZDI-22-423: (0Day) Delta Industrial Automation DIAEnergie HandlerPage_KID Arbitrary File Upload Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-423/ ∗∗∗ ZDI-22-422: (0Day) Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-422/ ∗∗∗ ZDI-22-421: (0Day) Delta Industrial Automation CNCSoft ScreenEditor DPB File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-421/ ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Apache HTTP Server as used by IBM QRadar SIEM is vulnerable to buffer overflow and denial of service (CVE-2021-44790, CVE-2021-34798, CVE-2021-39275) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-http-server-as-use… ∗∗∗ Security Bulletin: Ansible vulnerability affects IBM Elastic Storage System (CVE-2021-3583) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ansible-vulnerability-aff… ∗∗∗ Security Bulletin: A vulnerability has been identified in IBM Spectrum Scale where mmfsd daemon can be prevented from servicing requests (CVE-2020-4925) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-has-been-… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Sourcing (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management(CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by an incorrect session invalidation vulnerability (CVE-2021-38986) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM App Connect Enterprise Certified Container Dashboards may be vulnerable to a denial of service vulnerability due to IBM X-Force vulnerability 220063 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterpris… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Vulnerability in AIX audit commands (CVE-2021-38955) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-aix-audi… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Contract Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Multiple vulnerabilities may affect IBM® Semeru Runtime ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM MQ Appliance is affected by a Java vulnerability (CVE-2021-35578) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-is-affec… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: IBM HTTP Server (powered by Apache) for i is vulnerable to CVE-2021-44224 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-http-server-powered-b… ∗∗∗ Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Libxml2 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rackswitch-firmware-p… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Strategic Supply Management Platform (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35557) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance could allow unauthorized viewing of logs and files (CVE-2022-22326) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-could-al… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX Certified Container is affected by multiple vulnerabilities in Red Hat Universal Base Image version 8.4-206.1626828523 and Binutils version 2.30-93 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Virtualization Engine TS7700 – October 2021 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in OpenSSL ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-flex-system-switch-fi… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Program Management (CVE-2021-2332) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: glibc vulnerability affects IBM Elastic Storage System (CVE-2021-27645) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-glibc-vulnerability-affec… ∗∗∗ Security Bulletin: Oracle Database Server Vulnerability Affects IBM Emptoris Supplier Lifecycle Management (CVE-2021-35558) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-oracle-database-server-vu… ∗∗∗ Security Bulletin: IBM MQ Appliance affected by a password hash that provides insufficient protection (CVE-2022-22321) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-appliance-affected… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Datacap is vulnerable to arbitrary code execution (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ BECKHOFF: Null Pointer Dereference vulnerability in products with OPC UA technology ∗∗∗ --------------------------------------------- https://cert.vde.com/de/advisories/VDE-2022-003/ -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 28.02.2022
by Daily end-of-shift report 28 Feb '22

28 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 25-02-2022 18:00 − Montag 28-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Visual Voice Mail on Android may be vulnerable to eavesdropping ∗∗∗ --------------------------------------------- The security researcher, Chris Talbot, discovered the flaw on June 21, 2021, and filed the vulnerability under CVE-2022-23835. The bug is not a flaw in the Android operating system but rather how the service is implemented by mobile carriers. However, the flaw has a "disputed" status because AT&T and T-Mobile dismissed the report for describing a non-exploitable risk, while Sprint and Verizon have not responded. --------------------------------------------- https://www.bleepingcomputer.com/news/security/visual-voice-mail-on-android… ∗∗∗ Reborn of Emotet: New Features of the Botnet and How to Detect it ∗∗∗ --------------------------------------------- One of the most dangerous and infamous threats is back again. In January 2021, global officials took down the botnet. Law enforcement sent a destructive update to the Emotets executables. And it looked like the end of the trojans story. But the malware never ceased to surprise. November 2021, it was reported that TrickBot no longer works alone and delivers Emotet. --------------------------------------------- https://thehackernews.com/2022/02/reborn-of-emotet-new-features-of-botnet.h… ∗∗∗ CISA Warns of High-Severity Flaws in Schneider and GE Digitals SCADA Software ∗∗∗ --------------------------------------------- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week published an industrial control system (ICS) advisory related to multiple vulnerabilities impacting Schneider Electrics Easergy medium voltage protection relays. --------------------------------------------- https://thehackernews.com/2022/02/cisa-warns-of-high-severity-flaws-in.html ∗∗∗ Rogue RDP – Revisiting Initial Access Methods ∗∗∗ --------------------------------------------- With the default disablement of VBA macros originating from the internet, Microsoft may be pitching a curveball to threat actors and red teams that will inevitably make initial access a bit more difficult to achieve. Over the last year, I have invested some research time in pursuing the use of the Remote Desktop Protocol as an alternative initial access vector, which this post will cover. --------------------------------------------- https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-metho… ∗∗∗ BSI liefert "Maßnahmenkatalog Ransomware" ∗∗∗ --------------------------------------------- Das Bundesamt für Sicherheit in der Informationstechnik stellt im "Maßnahmenkatalog Ransomware" für Unternehmen und Behörden wichtige Präventionsmaßnahmen vor. --------------------------------------------- https://heise.de/-6528055 ∗∗∗ BrokenPrint: A Netgear stack overflow ∗∗∗ --------------------------------------------- This blog post describes a stack-based overflow vulnerability found and exploited in September 2021 in the Netgear R6700v3 --------------------------------------------- https://research.nccgroup.com/2022/02/28/brokenprint-a-netgear-stack-overfl… ∗∗∗ Bestellungen bei herzens-mensch.de und heimfroh.com führen zu Problemen ∗∗∗ --------------------------------------------- Bei den Online-Shops herzens-mensch.de und heimfroh.com handelt es sich um sogenannte Dropshipping-Shops. Die Shops geben an, ein österreichisches Unternehmen zu sein, liefern jedoch aus Asien. Diese Vorgehensweise ist nicht unbedingt betrügerisch, eine Bestellung bei herzens-mensch.de oder heimfroh.com kann aber sehr teuer werden und zu zahlreichen Problemen führen. --------------------------------------------- https://www.watchlist-internet.at/news/bestellungen-bei-herzens-menschde-un… ∗∗∗ Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks ∗∗∗ --------------------------------------------- The malware appears to be used in a long-running espionage campaign against select governments and other critical infrastructure targets. There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 [..] --------------------------------------------- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/da… ∗∗∗ Ukraine-Krise - Aktuelle Informationen ∗∗∗ --------------------------------------------- Auf Grund der Ukraine-Krise herrscht momentan eine sehr hohe allgemeine Gefährdungslage im Cyberraum. Eine spezifsch hohe Gefährdung für Österreich ist aktuell noch nicht auszumachen. Wir sind in laufendem Kontakt mit unseren Kollegen im europäischen CSIRTs Network und in den nationalen Koordinierungsstrukturen. --------------------------------------------- https://cert.at/de/aktuelles/2022/2/ukraine-krise-aktuelle-informationen ∗∗∗ BlackCat ransomware ∗∗∗ --------------------------------------------- AT&T Alien Labs is writing this report about recently created ransomware malware dubbed BlackCat which was used in a January 2022 campaign against two international oil companies headquartered in Germany, Oiltanking and Mabanaft. The attack had little impact on end customers, but it does serve to remind the cybersecurity community of the potential for threat actors to continue attacks against critical infrastructure --------------------------------------------- https://cybersecurity.att.com/blogs/labs-research/blackcat-ransomware ===================== = Vulnerabilities = ===================== ∗∗∗ Mozillas VPN-Client könnte Schadcode nachladen ∗∗∗ --------------------------------------------- Es gibt ein wichtiges Sicherheitsupdate für Mozilla VPN. Nach erfolgreichen Attacken könnten Angreifer Systeme übernehmen. --------------------------------------------- https://heise.de/-6527681 ∗∗∗ Programmiersprache: Sicherheitslücke ermöglicht Codeschmuggel in PHP ∗∗∗ --------------------------------------------- Mit neuen PHP-Versionen schließen die Entwickler Sicherheitslücken, die Angreifern unter Umständen das Einschleusen von Schadcode ermöglichen könnten. --------------------------------------------- https://heise.de/-6527558 ∗∗∗ Security updates for Monday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (389-ds-base, cyrus-sasl, kernel, openldap, and python-pillow), Debian (cyrus-sasl2, htmldoc, and ujson), Fedora (flac, gnutls, java-11-openjdk, kernel, qemu, and vim), openSUSE (ucode-intel), SUSE (php72 and ucode-intel), and Ubuntu (php7.4, php8.0). --------------------------------------------- https://lwn.net/Articles/886358/ ∗∗∗ Vulnerability Spotlight: Vulnerabilities in Gerbv could lead to code execution, information disclosure ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in the Gerbv file viewing software that could allow an attacker to execute arbitrary remote code or disclose sensitive information. [..] Cisco Talos worked with Gerbv to responsibly disclose these vulnerabilities in adherence to Cisco’s vulnerability disclosure policy. However, an update is not available to fix these issues as of Feb. 28, 2022. CVE IDs: CVE-2021-40391, CVE-2021-40393, CVE-2021-40394, CVE-2021-40401, CVE-2021-40400, CVE-2021-40402, CVE-2021-40403 --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-gerbv-g.html ∗∗∗ ABB CYBER SECURITY ADVISORY - AC 800M MMS - DENIAL OF SERVICE VULNERABILITY IN MMS COMMUNICATION ∗∗∗ --------------------------------------------- https://search.abb.com/library/Download.aspx?DocumentID=7PAA001499&Language… ∗∗∗ Security Bulletin: Vulnerability in Java SE -CVE-2021-2161 may affect IBM Watson Assistant for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-java-se-… ∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE – 2021-22930 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: Due to use of Apache Log4j, IBM Content Navigator is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-apache-log4… ∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution (CVE-2021-44142). ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak… ∗∗∗ Security Bulletin: Vulnerability in Node.js- CVE-2021-22959, CVE-2021-22960 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-node-js-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Node.js-CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 may affect IBM Watson Assistant for IBM Cloud Pak for Data. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-lodash-versions-prior-to-… ∗∗∗ Security Bulletin: IBM Netezza for Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-netezza-for-cloud-pak… ∗∗∗ Security Bulletin: A Vulnerability In Apache HttpClient Affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 25.02.2022
by Daily end-of-shift report 25 Feb '22

25 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 24-02-2022 18:00 − Freitag 25-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ US and UK expose new malware used by MuddyWater hackers ∗∗∗ --------------------------------------------- MuddyWater is "targeting a range of government and private-sector organizations across sectors—including telecommunications, defense, local government, and oil and natural gas—in Asia, Africa, Europe, and North America. --------------------------------------------- https://www.bleepingcomputer.com/news/security/us-and-uk-expose-new-malware… ∗∗∗ Jester Stealer malware adds more capabilities to entice hackers ∗∗∗ --------------------------------------------- An infostealing piece of malware called Jester Stealer has been gaining popularity in the underground cybercrime community for its functionality and affordable prices. --------------------------------------------- https://www.bleepingcomputer.com/news/security/jester-stealer-malware-adds-… ∗∗∗ Cyberangriffe im Ukraine-Krieg: BSI warnt Behörden und Unternehmen nachdrücklich ∗∗∗ --------------------------------------------- Das BSI hat ein weiteres Warnschreiben an Unternehmen und Behörden geschickt. Demnach gibt es Netzwerkscans und erste Wiper in Partnerstaaten. --------------------------------------------- https://www.golem.de/news/cyberangriffe-im-ukraine-krieg-bsi-warnt-behoerde… ∗∗∗ Some details of the DDoS attacks targeting Ukraine and Russia in recent days ∗∗∗ --------------------------------------------- At 360Netlab, we continuously track botnets on a global scale through our BotMon system. In particular, for DDoS-related botnets, we further tap into their C2 communications to enable us really see the details of the attacks. --------------------------------------------- https://blog.netlab.360.com/some_details_of_the_ddos_attacks_targeting_ukra… ∗∗∗ Notorious TrickBot Malware Gang Shuts Down its Botnet Infrastructure ∗∗∗ --------------------------------------------- The modular Windows crimeware platform known as TrickBot formally shuttered its infrastructure on Thursday after reports emerged of its imminent retirement amid a lull in its activity for almost two months, marking an end to one of the most persistent malware campaigns in recent years. --------------------------------------------- https://thehackernews.com/2022/02/notorious-trickbot-malware-gang-shuts.html ∗∗∗ „ID-app aktivieren“: Betrügerisches Mail im Namen der Volksbank im Umlauf ∗∗∗ --------------------------------------------- Kriminelle versenden derzeit betrügerische E-Mails im Namen der Volksbank, in der dazu aufgefordert wird die ID-app zu aktivieren. Diese App wird von der Volksbank tatsächlich angeboten, um mehr Sicherheit zu gewährleisten. In diesem Fall missbrauchen aber Kriminelle diese Sicherheitsmaßnahme, um an Ihre Zugangsdaten zu kommen. --------------------------------------------- https://www.watchlist-internet.at/news/id-app-aktivieren-betruegerisches-ma… ∗∗∗ Russia-Ukraine Crisis: How to Protect Against the Cyber Impact (Updated Feb. 24 to Include New Information on DDoS, HermeticWiper and Defacement) ∗∗∗ --------------------------------------------- We provide an overview of known cyberthreats related to the Russia-Ukraine crisis including DDoS attacks, HermeticWiper and defacement and share recommendations for proactive defense. --------------------------------------------- https://unit42.paloaltonetworks.com/preparing-for-cyber-impact-russia-ukrai… ∗∗∗ Mac-Malware auf dem Vormarsch ∗∗∗ --------------------------------------------- Die Sicherheitsgefahren für mobile Geräte und Macs nehmen zu. Festgestellt wurden die Mac-Malware-Familien Cimpli, Pirrit, Imobie, Shlayer und Genieo. --------------------------------------------- https://www.zdnet.de/88399571/mac-malware-auf-dem-vormarsch/ ∗∗∗ Threat Update – Ukraine & Russia conflict ∗∗∗ --------------------------------------------- In this report, NVISO CTI describes the cyber threat landscape of Ukraine and by extension the current situation. --------------------------------------------- https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/ ∗∗∗ New Infostealer ‘ColdStealer’ Being Distributed ∗∗∗ --------------------------------------------- The ASEC analysis team has discovered the distribution of ColdStealer that appears to be a new type of infostealer. --------------------------------------------- https://asec.ahnlab.com/en/32090/ ===================== = Vulnerabilities = ===================== ∗∗∗ Sicherheitsupdates: Java- und Kernel-Lücken in IBM AIX bedrohen Server ∗∗∗ --------------------------------------------- Angreifer könnten Server mit IBM AIX attackieren und im schlimmsten Fall die volle Kontrolle über Systeme erlangen. --------------------------------------------- https://heise.de/-6526120 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Fedora (dotnet6.0, kernel, libarchive, libxml2, and wireshark), openSUSE (opera), Oracle (cyrus-sasl), Red Hat (cyrus-sasl, python-pillow, and ruby:2.5), Scientific Linux (cyrus-sasl), and Ubuntu (snapd). --------------------------------------------- https://lwn.net/Articles/886124/ ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server due to Expat vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-apache… ∗∗∗ Security Bulletin: CVE-2021-35550 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35550-may-affect… ∗∗∗ Security Bulletin: Vulnerabilities in Java SE affect IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-java-s… ∗∗∗ Security Bulletin: CVE-2021-35603 may affect IBM® SDK, Java™ Technology Edition ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-35603-may-affect… ∗∗∗ Security Bulletin: Vulnerability in the AIX smbcd daemon (CVE-2021-38993) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-the-aix-… ∗∗∗ Security Bulletin: IBM PowerVM Novalink is vulnerable to provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to JAX-WS applications. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-is-v… ∗∗∗ Security Bulletin: IBM PowerVM Novalink could allow a remote authenticated attacker to conduct an LDAP injection. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-powervm-novalink-coul… ∗∗∗ Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect IBM WebSphere Application Server and IBM Application Server Liberty due to January 2022 CPU plus deferred CVE-2021-35550 and CVE-2021-35603 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Mozilla VPN local privilege escalation via uncontrolled OpenSSL search path ∗∗∗ --------------------------------------------- https://www.mozilla.org/en-US/security/advisories/mfsa2022-08/ ∗∗∗ FATEK Automation FvDesigner ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-01 ∗∗∗ Mitsubishi Electric EcoWebServerIII ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-02 ∗∗∗ Schneider Electric Easergy P5 and P3 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-055-03 ∗∗∗ Baker Hughes Bently Nevada 3500 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-231-02 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 24.02.2022
by Daily end-of-shift report 24 Feb '22

24 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 23-02-2022 18:00 − Donnerstag 24-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Malware infiltrates Microsoft Store via clones of popular games ∗∗∗ --------------------------------------------- A malware named Electron Bot has found its way into Microsofts Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of 5,000 computers in Sweden, Israel, Spain, and Bermuda. --------------------------------------------- https://www.bleepingcomputer.com/news/security/malware-infiltrates-microsof… ∗∗∗ Malware: Mit Wipern und DDoS gegen ukrainische IT-Systeme ∗∗∗ --------------------------------------------- Etliche Webseiten in der Ukraine sind nicht erreichbar. Zudem sind Hunderte Rechner von einer vernichtenden Schadsoftware befallen. --------------------------------------------- https://www.golem.de/news/malware-mit-wipern-und-ddos-gegen-ukrainische-it-… ∗∗∗ Ukraine & Russia Situation From a Domain Names Perspective , (Thu, Feb 24th) ∗∗∗ --------------------------------------------- Every time, something happens in the world like an earthquake, big floods, or even major sports events, it is followed by a peak of new domains registrations. --------------------------------------------- https://isc.sans.edu/diary/rss/28376 ∗∗∗ Shadowserver Special Reports - Cyclops Blink ∗∗∗ --------------------------------------------- In May 2018, the US DoJ, FBI and industry partners sinkholed the modular network device infecting malware known as VPNFilter, which Shadowserver has been reporting out for remediation to nCSIRTs and network owners each day since. In February 2022 the UK NCSC, US FBI, CISA and NSA jointly announced the discovery of new network device malware, which they have called Cyclops Blink, and see as a more advanced replacement for VPNFilter. --------------------------------------------- https://www.shadowserver.org/news/shadowserver-special-reports-cyclops-blin… ∗∗∗ HermeticWiper: New Destructive Malware Used In Cyber Attacks on Ukraine ∗∗∗ --------------------------------------------- On February 23rd, the threat intelligence community began observing a new wiper malware sample circulating in Ukrainian organizations. --------------------------------------------- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ ∗∗∗ SockDetour – a Silent, Fileless, Socketless Backdoor – Targets U.S. Defense Contractors ∗∗∗ --------------------------------------------- SockDetour is a custom backdoor being used to maintain persistence, designed to serve as a backup backdoor in case the primary one is removed. --------------------------------------------- https://unit42.paloaltonetworks.com/sockdetour/ ∗∗∗ Clang Checkers and CodeQL Queries for Detecting Untrusted Pointer Derefs and Tainted Loop Conditions ∗∗∗ --------------------------------------------- In this final blog of the series, we experiment with CodeQL’s IR and Clang checkers for detecting such bug classes. --------------------------------------------- https://www.thezdi.com/blog/2022/2/22/clang-checkers-and-codeql-queries-for… ∗∗∗ Vulnerability Spotlight: Buffer overflow vulnerabilities in Accusoft ImageGear could lead to code execution ∗∗∗ --------------------------------------------- Cisco Talos recently discovered multiple vulnerabilities in Accusoft ImageGear. --------------------------------------------- http://blog.talosintelligence.com/2022/02/vuln-spotlight-accusoft-code.html ===================== = Vulnerabilities = ===================== ∗∗∗ Cisco schließt Root-Lücke in Netzwerk-OS, gibt wichtige Hinweise für Firewalls ∗∗∗ --------------------------------------------- Wer eine Firewall von Cisco nutzt, sollte diese aus Sicherheitsgründen bis Anfang März aktualisieren. Außerdem gibt es Patches für NX-OS. --------------------------------------------- https://heise.de/-6524029 ∗∗∗ Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo Gallery Plugin ∗∗∗ --------------------------------------------- On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. --------------------------------------------- https://www.wordfence.com/blog/2022/02/stored-cross-site-scripting-vulnerab… ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (expat), Fedora (php and vim), Mageia (cpanminus, expat, htmldoc, nodejs, polkit, util-linux, and varnish), Red Hat (389-ds-base, curl, kernel, kernel-rt, openldap, python-pillow, rpm, sysstat, and unbound), Scientific Linux (389-ds-base, kernel, openldap, and python-pillow), and Ubuntu (cyrus-sasl2, linux-oem-5.14, and php7.0). --------------------------------------------- https://lwn.net/Articles/885885/ ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (thunderbird), Fedora (php), openSUSE (jasper and thunderbird), Oracle (389-ds-base, kernel, openldap, and python-pillow), Red Hat (cyrus-sasl and samba), and SUSE (cyrus-sasl, firefox, jasper, kernel-rt, nodejs10, nodejs14, nodejs8, and thunderbird). --------------------------------------------- https://lwn.net/Articles/885997/ ∗∗∗ Security Bulletin: Datastax Enterprise with IBM is vulnerable to exploiting Apache Cassandra User-Defined Functions for Remote Code Execution ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-datastax-enterprise-with-… ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects TXSeries for Multiplatforms ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities were detected in IBM Sterling External Authentication Server (CVE-2022-22333, CVE-2022-22349) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… ∗∗∗ Security Bulletin: IBM Operational Decision Manager is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) . ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-operational-decision-… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Content Collector for SAP Applications ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to Clickjacking (CVE-2021-39038) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerabilities in the AIX kernel (CVE-2021-38994, CVE-2021-38995) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerabilities-in-the-ai… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect AIX ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Apache Log4j ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Logback ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Multiple Vulnerabilities were detected in IBM Sterling Secure Proxy (CVE-2022-22336, CVE-2022-22333) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Java ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-watson-discovery-for-… ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics for NPS ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ VMSA-2022-0006 ∗∗∗ --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0006.html ∗∗∗ Drupal: Mehrere Schwachstellen ermöglichen Cross-Site Scripting ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0232 ∗∗∗ XSS Vulnerabilities in Proxy Server ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-04 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 23.02.2022
by Daily end-of-shift report 23 Feb '22

23 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 22-02-2022 18:00 − Mittwoch 23-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ LockBit, Conti most active ransomware targeting industrial sector ∗∗∗ --------------------------------------------- Ransomware attacks extended into the industrial sector last year to such a degree that this type of incident became the number one threat in the industrial sector. --------------------------------------------- https://www.bleepingcomputer.com/news/security/lockbit-conti-most-active-ra… ∗∗∗ Entropy ransomware linked to Dridex malware downloader ∗∗∗ --------------------------------------------- Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general purpose Dridex malware that started as a banking trojan. --------------------------------------------- https://www.bleepingcomputer.com/news/security/entropy-ransomware-linked-to… ∗∗∗ Creaky Old WannaCry, GandCrab Top the Ransomware Scene ∗∗∗ --------------------------------------------- Nothing like zombie campaigns: WannaCrys old as dirt, and GandCrab threw in the towel years ago. Theyre on auto-pilot at this point, researchers say. --------------------------------------------- https://threatpost.com/wannacry-gandcrab-top-ransomware-scene/178589/ ∗∗∗ How to Fix the specialadves WordPress Redirect Hack ∗∗∗ --------------------------------------------- Attackers are regularly exploiting vulnerable plugins to compromise WordPress websites and redirect visitors to spam and scam websites. --------------------------------------------- https://blog.sucuri.net/2022/02/how-to-fix-the-specialadves-wordpress-redir… ∗∗∗ 25 Malicious JavaScript Libraries Distributed via Official NPM Package Repository ∗∗∗ --------------------------------------------- Another batch of 25 malicious JavaScript libraries have made their way to the official NPM package registry with the goal of stealing Discord tokens and environment variables from compromised systems, more than two months after 17 similar packages were taken down. --------------------------------------------- https://thehackernews.com/2022/02/25-malicious-javascript-libraries.html ∗∗∗ Cisco warns firewall customers of four-day window for urgent updates ∗∗∗ --------------------------------------------- Firewalls are supposed to update so they block new threats – miss this deadline and they might not. --------------------------------------------- https://www.theregister.com/2022/02/23/cisco_firepower_rapid_update_require… ∗∗∗ SameSite: Hax – Exploiting CSRF With The Default SameSite Policy ∗∗∗ --------------------------------------------- Default SameSite settings are not the same as SameSite: Lax set explicitly. TLDR? A two-minute window from when a cookie is issued is open to exploit CSRF. --------------------------------------------- https://pulsesecurity.co.nz/articles/samesite-lax-csrf ∗∗∗ Shadowserver Starts Conducting Daily Scans to Help Secure ICS ∗∗∗ --------------------------------------------- The Shadowserver Foundation this week announced that it has started conducting daily internet scans in an effort to identify exposed industrial control systems (ICS) and help organizations reduce their exposure to attacks. --------------------------------------------- https://www.securityweek.com/shadowserver-starts-conducting-daily-scans-hel… ∗∗∗ Investieren Sie nicht bei bottic.org! ∗∗∗ --------------------------------------------- Schnell, viel Geld verdienen mit Crypto-Investments, das verspricht eine Vielzahl an unseriösen Investitionsplattformen. Wir raten zur Vorsicht! --------------------------------------------- https://www.watchlist-internet.at/news/investieren-sie-nicht-bei-botticorg/ ∗∗∗ Increased Phishing Attacks Disguised as Microsoft ∗∗∗ --------------------------------------------- The ASEC analysis team has recently discovered phishing emails disguised as Microsoft login pages. --------------------------------------------- https://asec.ahnlab.com/en/31994/ ∗∗∗ (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware ∗∗∗ --------------------------------------------- UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it’s exclusively used by the group. --------------------------------------------- https://www.mandiant.com/resources/unc2596-cuba-ransomware ===================== = Vulnerabilities = ===================== ∗∗∗ IBM Security Bulletins ∗∗∗ --------------------------------------------- IBM Planning Analytics, IBM Planning Analytics Workspace, IBM Cúram Social Program Management, IBM SDK Java Technology Edition, IBM Cloud Application Business Insights, IBM Sterling Global Mailbox, Content Collector, IBM WebSphere Application Server, CICS Transaction Gateway --------------------------------------------- https://www.ibm.com/blogs/psirt/ ∗∗∗ Cisco Security Advisories 2022-02-23 ∗∗∗ --------------------------------------------- Cisco has published 4 Security Advisories: 3 High, 1 Medium Severity --------------------------------------------- https://tools.cisco.com/security/center/Search.x?publicationTypeIDs=1&secur… ∗∗∗ ZDI-22-404: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr1 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-404/ ∗∗∗ ZDI-22-403: (0Day) WECON LeviStudioU UMP File Parsing XY Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-403/ ∗∗∗ ZDI-22-402: (0Day) WECON LeviStudioU UMP File Parsing Trend Tag WordAddr2 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-402/ ∗∗∗ ZDI-22-401: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-401/ ∗∗∗ ZDI-22-400: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr9 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-400/ ∗∗∗ ZDI-22-399: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-399/ ∗∗∗ ZDI-22-398: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-398/ ∗∗∗ ZDI-22-397: (0Day) WECON LeviStudioU UMP File Parsing Extra Tag bitaddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-397/ ∗∗∗ ZDI-22-396: (0Day) WECON LeviStudioU UMP File Parsing Alarm Tag WordAddr Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-396/ ∗∗∗ ZDI-22-395: (0Day) WECON LeviStudioU UMP File Parsing Disc Tag WordAddr4 Stack-based Buffer Overflow Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-395/ ∗∗∗ SSA-306654: Insyde BIOS Vulnerabilities in Siemens Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-306654.txt ∗∗∗ Remote Code Execution in pfSense <= 2.5.2 ∗∗∗ --------------------------------------------- https://www.shielder.it/advisories/pfsense-remote-command-execution/ ∗∗∗ CISA Warns of Attacks Exploiting Recent Vulnerabilities in Zabbix Monitoring Tool ∗∗∗ --------------------------------------------- https://www.securityweek.com/cisa-warns-attacks-exploiting-recent-vulnerabi… ∗∗∗ Trend Micro ServerProtect: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0223 ∗∗∗ SA45038 - CVE-2022-23852 - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES ∗∗∗ --------------------------------------------- https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/CVE-2022-2385… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 22.02.2022
by Daily end-of-shift report 22 Feb '22

22 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 21-02-2022 18:00 − Dienstag 22-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Revamped CryptBot malware spread by pirated software sites ∗∗∗ --------------------------------------------- A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software. --------------------------------------------- https://www.bleepingcomputer.com/news/security/revamped-cryptbot-malware-sp… ∗∗∗ VU#229438: Mobile device monitoring services do not authenticate API requests ∗∗∗ --------------------------------------------- The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. [..] We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software), would need to address the IDOR vulnerability For advice on detecting and removing stalkerware apps, see "Your Android phone could have stalkerware, here's how to remove it." --------------------------------------------- https://kb.cert.org/vuls/id/229438 ∗∗∗ Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike ∗∗∗ --------------------------------------------- Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts. --------------------------------------------- https://thehackernews.com/2022/02/hackers-backdoor-unpatched-microsoft.html ∗∗∗ Horde Webmail 5.2.22 - Account Takeover via Email ∗∗∗ --------------------------------------------- We discovered a code vulnerability in Horde that allows an attacker to gain full access to the email account of a victim when it loads the preview of a harmless-looking email attachment. [..] Although we reported this vulnerability almost 6 months ago, there is currently no official patch available. Hence, we provide recommendations on how to mitigate this code vulnerability at the end of this blog post. --------------------------------------------- https://blog.sonarsource.com/horde-webmail-account-takeover-via-email ∗∗∗ Empfehlungen: Mit kostenlosen IT-Security-Tools Computer sicherer machen ∗∗∗ --------------------------------------------- Admins aufgepasst: IT-Security ist komplex, doch es gibt jede Menge nützliche und vor allem kostenlose Services und Tools, die helfen können. Eine Auflistung. --------------------------------------------- https://heise.de/-6515891 ∗∗∗ Achtung: E-Mail von DNS Österreich ist Fake ∗∗∗ --------------------------------------------- Zahlreiche Webseiten-BetreiberInnen erhalten momentan ein E-Mail von DNS Österreich. Das vermeintliche Unternehmen behauptet darin, dass es einen „Registrierungsantrag“ für eine Domain erhalten hat, die Ihrer eigenen Domain sehr ähnlich ist. Ihnen wird angeboten, die Domain für € 297,50 vorab zu kaufen. Überweisen Sie nichts, Sie verlieren Ihr Geld. --------------------------------------------- https://www.watchlist-internet.at/news/achtung-e-mail-von-dns-oesterreich-i… ∗∗∗ Asustor NAS owners hit by DeadBolt ransomware attack ∗∗∗ --------------------------------------------- While Asustor investigates what is clearly a serious problem, it says it has disabled functionality which can allow remote access to its NAS drives: ASUSTOR EZ-Connect, ASUSTOR EZ Sync, and ezconnect.to. In addition, the company has published the following recommendations for customers to protect themselves from the DeadBolt ransomware --------------------------------------------- https://www.bitdefender.com/blog/hotforsecurity/asustor-nas-owners-hit-by-d… ∗∗∗ Ransomware victims are paying up. But then the gangs are coming back for more ∗∗∗ --------------------------------------------- Cybersecurity experts warn against paying ransoms - this is why. --------------------------------------------- https://www.zdnet.com/article/ransomware-victims-are-paying-up-but-the-croo… ∗∗∗ Integer overflow: How does it occur and how can it be prevented? ∗∗∗ --------------------------------------------- Make no mistake, counting on a computer is not as easy as it may seem. Here’s what happens when a number gets “too big”. --------------------------------------------- https://www.welivesecurity.com/2022/02/21/integer-overflow-how-it-occur-can… ∗∗∗ Kernel Karnage – Part 9 (Finishing Touches) ∗∗∗ --------------------------------------------- I also incorporated dynamic function imports using hashed function names and CIG to protect the spawned suspended process against injection of non-Microsoft-signed binaries. The Beacon payload is stored as an AES256 encrypted PE resource and decrypted in memory before being injected into the remote process. --------------------------------------------- https://blog.nviso.eu/2022/02/22/kernel-karnage-part-9-finishing-touches/ ===================== = Vulnerabilities = ===================== ∗∗∗ NAS: Sicherheitslücke in Synology DSM erlaubt Ausführen beliebiger Befehle ∗∗∗ --------------------------------------------- Angreifer könnten beliebige Befehle auf Synology-NAS-Geräten ausführen. Der Hersteller arbeitet an Updates zum Beheben der Fehler. Erste stehen bereit. --------------------------------------------- https://heise.de/-6515542 ∗∗∗ TYPO3-PSA-2022-001: Sanitization bypass in SVG Sanitizer ∗∗∗ --------------------------------------------- Third-party package enshrined/svg-sanitize, used by TYPO3 core packages, was susceptible to bypassing the sanitization strategy. --------------------------------------------- https://typo3.org/security/advisory/typo3-psa-2022-001 ∗∗∗ Reflected XSS in Header Footer Code Manager ∗∗∗ --------------------------------------------- On February 15, 2022, the Wordfence Threat Intelligence team responsibly disclosed a reflected Cross-Site Scripting (XSS) vulnerability in Header Footer Code Manager, a WordPress plugin with over 300,000 installations. The plugin publisher quickly acknowledged our initial contact and we sent the full disclosure details the same day, on February 15, 2022. A patched version, 1.1.17, was implemented a few days later and made available on February 18, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-… ∗∗∗ Webmin: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Webmin ausnutzen, um Sicherheitsvorkehrungen zu umgehen oder Code auszuführen --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0217 ∗∗∗ EC-CUBE plugin "Mail Magazine Management Plugin" vulnerable to cross-site request forgery ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN67108459/ ∗∗∗ EC-CUBE improperly handles HTTP Host header values ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN53871926/ ∗∗∗ ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 Remote File CRUD ∗∗∗ --------------------------------------------- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5698.php ∗∗∗ Security Bulletin: App Connect Professional is affected by Quick Emulator vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: WebSphere Cast Iron and App Connect Professional are affected by vulnerabilities in Pacemaker, ImageMagick, gd-libgd, libxslt, cURL libcurl , Ghostscript. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-websphere-cast-iron-and-a… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU (minus CVE-2021-35550/35561/35603) plus CVE-2021-41035 affects IBM Tivoli Composite Application Manager for ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU – Oct 2021 – Includes Oracle October 2021 CPU affects IBM Tivoli Composite Application Manager for Transactions-Robotic Response Time ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sdk-java-technology-e… ∗∗∗ GE Proficy CIMPLICITY-IPM ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-01 ∗∗∗ GE Proficy CIMPLICITY-Cleartext ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-02 ∗∗∗ WIN-911 2021 ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-053-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 21.02.2022
by Daily end-of-shift report 21 Feb '22

21 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 18-02-2022 18:00 − Montag 21-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Versuchter Finanzbetrug nach Exchange-Einbruch ∗∗∗ --------------------------------------------- Nachdem die Exchange-Sicherheitslücken abgedichtet wurden, gingen Angriffe weiter. Mittels Spear-Phishing sollten die Opfer zu Überweisungen gedrängt werden. --------------------------------------------- https://heise.de/-6509718 ∗∗∗ Ungewöhnlicher Krypto-Raubzug erbeutet Millionen ∗∗∗ --------------------------------------------- Der Klayswap-Angriff hingegen attackierte Infrastruktur, auf die sich im Prinzip alle Internet-Dienste verlassen: das Routing, Zertifikate und Open-Source-Bibliotheken. Letztlich tauschten die Angreifer eine nachgeladene JavaScript-Datei durch eine trojanisierte Version aus, die Transaktionen auf ihr eigenes Konto umleitete. Spannend ist jedoch, wie sie das bewerkstelligten. --------------------------------------------- https://heise.de/-6496145 ∗∗∗ European Cybersecurity Agencies Issue Resilience Guidance for Decision Makers ∗∗∗ --------------------------------------------- The European Union Agency for Cybersecurity (ENISA) and the European Union’s Computer Emergency Response Team (CERT-EU) last week published a set of best practices to help organizations boost their cyber resilience. The joint guidance is meant for public and private organizations in the EU, specifically CISOs and other decision makers. The document is also recommended for entities that support organizational risk management. --------------------------------------------- https://www.securityweek.com/european-cybersecurity-agencies-issue-resilien… ∗∗∗ Schicken Sie Ihrer Internet-Bekanntschaft keine Steam-Guthaben-Codes ∗∗∗ --------------------------------------------- Soziale Netzwerke wie Facebook und Instagram sind beliebte Kanäle, um neue Bekanntschaften zu machen. Beim Austausch mit Fremden über das Internet besteht aber immer die Gefahr, dass sich die Person als jemand anderes ausgibt. Bittet Sie diese Person um Geld oder Guthabenkarten, sollten Sie den Kontakt abbrechen! --------------------------------------------- https://www.watchlist-internet.at/news/schicken-sie-ihrer-internet-bekannts… ∗∗∗ Ransomware trifft Europas industrielle Steuersysteme und Betriebstechnik so häufig wie IT-Systeme ∗∗∗ --------------------------------------------- Interessante Erkenntnisse aus einer Befragung von 1.100 Security-Spezialisten im Rahmen einer Studie im Hinblick auf die Sicherheit industrieller Anlagen und der kritischen Infrastruktur in Europa. Die Aussage der Studie war, dass industrielle Steuersysteme und Betriebstechnik in Europa fast ebenso häufig wie die IT-Systeme von Ransomware befallen wurde. --------------------------------------------- https://www.borncity.com/blog/2022/02/19/ransomware-trifft-europas-industri… ∗∗∗ Sicherheitslücke in diversen zebNet-Produkten entdeckt (Feb. 2022) ∗∗∗ --------------------------------------------- In Folge dieser Entdeckung hat zebNet für sämtliche betroffene Produkte, welche sich in der Unterstützung befinden, am 19.02.2022 (d.h. binnen 24-Stunden) fehlerbereinigte Versionen bereitgestellt. Der Hersteller weist darauf hin, dass diese Updates umgehend von allen Kunden, die ein betroffenes Produkt einsetzen, installiert werden sollten. --------------------------------------------- https://www.borncity.com/blog/2022/02/20/sicherheitslcke-in-diversen-zebnet… ∗∗∗ Chasing the Silver Petit Potam to Domain Admin ∗∗∗ --------------------------------------------- Exploiting Petit Potam in a different way to force some downgrade and protocol attacks. --------------------------------------------- https://blog.zsec.uk/chasing-the-silver-petit-potam/ ∗∗∗ Mobile malware evolution 2021 ∗∗∗ --------------------------------------------- In 2021, we observed a downward trend in the number of attacks on mobile users. But it is too early to celebrate: attacks are becoming more sophisticated in terms of both malware functionality and vectors. --------------------------------------------- https://securelist.com/mobile-malware-evolution-2021/105876/ ∗∗∗ New Android Banking Trojan Spreading via Google Play Store Targets Europeans ∗∗∗ --------------------------------------------- "Despite being a work-in-progress, Xenomorph is already sporting effective overlays and being actively distributed on official app stores," ThreatFabric's founder and CEO, Han Sahin, said. "In addition, it features a very detailed and modular engine to abuse accessibility services, which in the future could power very advanced capabilities, like ATS." --------------------------------------------- https://thehackernews.com/2022/02/xenomorph-android-banking.html ===================== = Vulnerabilities = ===================== ∗∗∗ Irony alert! PHP fixes security flaw in input validation code ∗∗∗ --------------------------------------------- If you’re using PHP in your network, check that you’re using the latest version, currently 8.1.3. Released yesterday [2022-02-17], this version fixes various memory mismanagement bugs, including CVE-2021-21708, which is a use-after-free blunder in a function called php_filter_float(). (Versions 8.0 and 7.4 are still supported, and are vulnerable too; if you aren’t using the latest 8.1 flavour of PHP then you need 8.0.16 and 7.4.28 respectively.) --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/18/irony-alert-php-fixes-security-… ∗∗∗ Security Bulletin: Apache Log4j vulnerability may affect IBM Sterling B2B Integrator (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23302) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Cloud Pak for Security vulnerable to information exposure (CVE-2021-35567) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cloud-pak-for-security-vu… ∗∗∗ Security Bulletin: IBM Cloud Pak for Multicloud Management is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-multicl… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling B2B Integrator (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Multiple security vulnerabilities with IBM FileNet Content Manager component in IBM Business Automation Workflow -CVE-2021-31811, CVE-2021-31812, CVE-2021-23926, CVE-2021-38965 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: Polkit as used by IBM® QRadar SIEM is vulnerable to privilege escalation (CVE-2021-4034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-polkit-as-used-by-ibm-qra… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: OpenSSL as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-3712) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-openssl-as-used-by-ibm-qr… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Java SDK and IBM Java Runtime for IBM i are affected by CVE-2021-2341 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-java-sdk-and-ibm-java… ∗∗∗ Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling File Gateway (CVE-2021-45105, CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Planning Analytics Workspace is affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-wo… ∗∗∗ Security Bulletin: IBM Cloud Pak for Network Automation is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-network… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Planning Analytics and IBM Planning Analytics Workspace are affected by security vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-planning-analytics-an… ∗∗∗ Security Bulletin: A vulnerability in Kubernetes affects IBM InfoSphere Information Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-kubern… ∗∗∗ K28409053: Apache Tomcat vulnerability CVE-2022-23181 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K28409053?utm_source=f5support&utm_mediu… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 18.02.2022
by Daily end-of-shift report 18 Feb '22

18 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 17-02-2022 18:00 − Freitag 18-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Conti ransomware gang takes over TrickBot malware operation ∗∗∗ --------------------------------------------- After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/conti-ransomware-gang-takes-… ∗∗∗ Remcos RAT Delivered Through Double Compressed Archive, (Fri, Feb 18th) ∗∗∗ --------------------------------------------- One of our readers shared an interesting sample received via email. --------------------------------------------- https://isc.sans.edu/diary/rss/28354 ∗∗∗ Microsoft Warns of Ice Phishing Threat on Web3 and Decentralized Networks ∗∗∗ --------------------------------------------- Microsoft has warned of emerging threats in the Web3 landscape, including "ice phishing" campaigns, as a surge in adoption of blockchain and DeFi technologies emphasizes the need to build security into the decentralized web while its still in its early stages. --------------------------------------------- https://thehackernews.com/2022/02/microsoft-warns-of-ice-phishing-threat.ht… ∗∗∗ Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2) ∗∗∗ --------------------------------------------- This post describes a vulnerability found and exploited in October 2021 by Alex Plaskett, Cedric Halbronn, and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. --------------------------------------------- https://research.nccgroup.com/2022/02/18/analyzing-a-pjl-directory-traversa… ∗∗∗ Microsoft Teams Abused for Malware Distribution in Recent Attacks ∗∗∗ --------------------------------------------- A recently identified malicious campaign has been abusing Microsoft Teams for the distribution of malware, enterprise email security firm Avanan reports. --------------------------------------------- https://www.securityweek.com/microsoft-teams-abused-malware-distribution-re… ∗∗∗ Vorsicht bei der Jobsuche: Ignorieren Sie Stellenangebote von skovgaardtransit.com! ∗∗∗ --------------------------------------------- LeserInnen der Watchlist Internet melden uns derzeit ein betrügerisches Stellenangebot eines angeblich globalen Logistikunternehmens namens Skovgaard Logistics Services LTD. Das unseriöse Unternehmen verspricht darin einen Job mit „hoher Bezahlung“, Vorkenntnisse sind keine notwendig. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-bei-der-jobsuche-ignorieren… ∗∗∗ NSA Best Practices for Selecting Cisco Password Types ∗∗∗ --------------------------------------------- The National Security Agency (NSA) has released a Cybersecurity Information (CSI) sheet with guidance on securing network infrastructure devices and credentials. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/17/nsa-best-practice… ∗∗∗ CISA Compiles Free Cybersecurity Services and Tools for Network Defenders ∗∗∗ --------------------------------------------- CISA has compiled and published a list of free cybersecurity services and tools to help organizations reduce cybersecurity risk and strengthen resiliency. This non-exhaustive living repository includes services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/18/cisa-compiles-fre… ∗∗∗ Academics publish method for recovering data encrypted by the Hive ransomware ∗∗∗ --------------------------------------------- A team of South Korean researchers has published an academic paper on Thursday detailing a method to recover files encrypted by the Hive ransomware without paying the attackers for the decryption key. --------------------------------------------- https://therecord.media/academics-publish-method-for-recovering-data-encryp… ∗∗∗ Distribution of Magniber Ransomware Stops (Since February 5th) ∗∗∗ --------------------------------------------- The ASEC analysis team constantly monitors ‘malvertising’ which is a term for the distribution of malware via browser online advertisement links. The team has recently discovered that Magniber ransomware, a typical malware distributed via malvertising has stopped its distribution. --------------------------------------------- https://asec.ahnlab.com/en/31690/ ∗∗∗ Log4Shell 2 Months Later: Security Strategies for the Internets New Normal ∗∗∗ --------------------------------------------- On Wednesday, February 16, Rapid7 experts Bob Rudis, Devin Krugly, and Glenn Thorpe sat down for a webinar on the current state of the Log4j vulnerability. --------------------------------------------- https://www.rapid7.com/blog/post/2022/02/17/log4shell-2-months-later-securi… ===================== = Vulnerabilities = ===================== ∗∗∗ Onlineshops: Erneut kritische Lücke in Adobe Commerce und Magento entdeckt ∗∗∗ --------------------------------------------- Aufgrund einer weiteren Sicherheitslücke hat Adobe einen Notfallpatch überarbeitet. Es gibt bereits Attacken auf Onlineshops. --------------------------------------------- https://heise.de/-6495424 ∗∗∗ Root-Rechte durch Schwachstelle in Softwareverteilungssystem Snap ∗∗∗ --------------------------------------------- Sicherheitslücken in der Software-Bereitstellung Snap ermöglichen Angreifern unter anderem, ihre Rechte im System auszuweiten. Updates beheben die Fehler. --------------------------------------------- https://heise.de/-6495740 ∗∗∗ Vulnerability found in WordPress plugin with over 3 million installations ∗∗∗ --------------------------------------------- UpdraftPlus patched the vulnerability on Thursday in version 1.22.3. --------------------------------------------- https://www.zdnet.com/article/vulnerability-found-in-wordpress-plugin-with-… ∗∗∗ Security Bulletin: Vulnerability in Linux Kernel affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-linux-ke… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 2.0. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to arbitrary code execution and SQL injection due to Apache Log4j. (CVE-2022-23302, CVE-2022-23307, CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-websphere-application… ∗∗∗ Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-… ∗∗∗ Security Bulletin: IBM Maximo Asset Management is vulnerable to weak password requirements ( CVE-2021-38935 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-asset-manageme… ∗∗∗ Security Bulletin: Due to use of IBM SDK, Java Technology Edition, IBM Tivoli Application Dependency Discovery Manager (TADDM) is vulnerable to denial of service ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-due-to-use-of-ibm-sdk-jav… ∗∗∗ Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39026 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-guardium-data-encrypt… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to SQL injection due to Apache Log4j (CVE-2022-23305) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: CVE-2021-42771 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-cve-2021-42771/ ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to remote code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Python (Publicly disclosed vulnerability) in IBM Tivoli Application Dependency Discovery Manager (CVE-2021-3733) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-python-publicly-disclosed… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to untrusted data deserialization due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0003 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0003.html ∗∗∗ Bitdefender Antivirus: Schwachstelle ermöglicht Manipulation von Produkteinstellungen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0207 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 17.02.2022
by Daily end-of-shift report 17 Feb '22

17 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 16-02-2022 18:00 − Donnerstag 17-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Neue Welle von Spam-Mails: "Dein Paket wartet!" ∗∗∗ --------------------------------------------- Die E-Mails enthalten eine Zahlungsaufforderung und geben an, dass ein Paket abgeholt werden kann. --------------------------------------------- https://futurezone.at/digital-life/spam-e-mail-phishing-betrug-post-lieferu… ∗∗∗ Researchers Warn of a New Golang-based Botnet Under Continuous Development ∗∗∗ --------------------------------------------- Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken thats under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts. --------------------------------------------- https://thehackernews.com/2022/02/researchers-warn-of-new-golang-based.html ∗∗∗ Tutorial: Kubernetes Vulnerability Scanning & Testing With Open Source ∗∗∗ --------------------------------------------- Kubernetes containers have several security risks, including runtime threats, vulnerabilities, exposures, and failed compliance audits. These insecurities motivated CyberArk to develop two open source tools: Kubesploit and KubiScan. These tools benefit the Kubernetes community by performing deep security operations while simultaneously mimicking a real attack. They allow us to test our resiliency. --------------------------------------------- https://www.conjur.org/blog/tutorial-kubernetes-vulnerability-scanning-test… ∗∗∗ Detecting Karakurt – an extortion focused threat actor ∗∗∗ --------------------------------------------- NCC Group’s Cyber Incident Response Team (CIRT) have responded to several extortion cases recently involving the threat actor Karakurt. During these investigations NCC Group CIRT have identified some key indicators that the threat actor has breached an environment and want to share this information to assist the cyber security community. --------------------------------------------- https://research.nccgroup.com/2022/02/17/detecting-karakurt-an-extortion-fo… ∗∗∗ Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1) ∗∗∗ --------------------------------------------- Lexmark encrypts the firmware update packages provided to consumers, making the binary analysis more difficult. With little over a month of research time assigned and few targets to look at, NCC Group decided to remove the flash memory and extract the firmware using a programmer, firmware which we (correctly) assumed would be stored unencrypted. This allowed us to bypass the firmware update package encryption. With the firmware extracted, the binaries could be reverse-engineered to find vulnerabilities that would allow remote code execution. --------------------------------------------- https://research.nccgroup.com/2022/02/17/bypassing-software-update-package-… ∗∗∗ Gefahr Datenleaks: Achten Sie auf Passwort-Sicherheit! ∗∗∗ --------------------------------------------- Um sich vor den Gefahren im Netz zu schützen, macht es Sinn, sich regelmäßig über Internetbetrug zu informieren und die Tricks der Kriminellen zu kennen. Doch leider können Sie auch zum Opfer werden, wenn Sie alles richtig machen und sich nicht in Internetfallen locken lassen. Das gilt zum Beispiel, wenn Ihre Daten bei einem sogenannten Datenleak veröffentlicht werden. --------------------------------------------- https://www.watchlist-internet.at/news/gefahr-datenleaks-achten-sie-auf-pas… ===================== = Vulnerabilities = ===================== ∗∗∗ Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Information disclosure CVE IDs: CVE-2022-25270 Description: The Quick Edit module does not properly check entity access in some circumstances. --------------------------------------------- https://www.drupal.org/sa-core-2022-004 ∗∗∗ Drupal core - Moderately critical - Improper input validation - SA-CORE-2022-003 ∗∗∗ --------------------------------------------- Project: Drupal core Security risk: Moderately critical Vulnerability: Improper input validation CVE IDs: CVE-2022-25271 Description: Drupal cores form API has a vulnerability where certain contributed or custom modules forms may be vulnerable to improper input validation. This could allow an attacker to inject disallowed values or overwrite data. Affected forms are uncommon, but in certain cases an attacker could alter critical or sensitive data. --------------------------------------------- https://www.drupal.org/sa-core-2022-003 ∗∗∗ Quick Edit - Moderately critical - Information Disclosure - SA-CONTRIB-2022-025 ∗∗∗ --------------------------------------------- Project: Quick Edit Security risk: Moderately critical Vulnerability: Information Disclosure Description: This advisory addresses a similar issue to Drupal core - Moderately critical - Information disclosure - SA-CORE-2022-004. The Quick Edit module does not properly check entity access in some circumstances. --------------------------------------------- https://www.drupal.org/sa-contrib-2022-025 ∗∗∗ Sicherheitsupdate: Präparierte Mails können Thunderbird aus dem Tritt bringen ∗∗∗ --------------------------------------------- Es ist eine gegen mögliche Schadcode-Attacken abgesicherte Version des Mailclients Thunderbird erschienen. --------------------------------------------- https://heise.de/-6484606 ∗∗∗ VMSA-2022-0005 - VMware NSX Data Center for vSphere (NSX-V) VMware Cloud Foundation (Cloud Foundation) ∗∗∗ --------------------------------------------- CVSSv3 Range: 8.8 CVE(s): CVE-2022-22945 Synopsis: VMware NSX Data Center for vSphere update addresses CLI shell injection vulnerability (CVE-2022-22945) --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0005.html ∗∗∗ Reflected Cross-Site Scripting Vulnerability Patched in WordPress Profile Builder Plugin ∗∗∗ --------------------------------------------- On January 4, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Profile Builder – User Profile & User Registration Forms”, a WordPress plugin that is installed on over 50,000 WordPress websites. [..] We sent the full disclosure details to the developer on January 6, 2022 after the vendor confirmed the inbox for handling the discussion. They were quick to acknowledge the report and released a fix on January 10, 2022. --------------------------------------------- https://www.wordfence.com/blog/2022/02/reflected-cross-site-scripting-vulne… ∗∗∗ PostgreSQL JDBC 42.3.3 Released ∗∗∗ --------------------------------------------- A security advisory has been created for the PostgreSQL JDBC Driver. The URL connection string loggerFile property could be mis-used to create an arbitrary file on the system that the driver is loaded. Additionally anything in the connection string will be logged and subsequently written into that file. In an insecure system it would be possible to execute this file through a webserver. --------------------------------------------- https://www.postgresql.org/about/news/postgresql-jdbc-4233-released-2410/ ∗∗∗ SSA-949188: File Parsing Vulnerabilities in Simcenter Femap before V2022.1.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-949188.txt ∗∗∗ Security Bulletin: IBM App Connect for Healthcare is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-for-healt… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Cloud Pak for Data System 1.0 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM OpenPages for Cloud Pak for Data is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-for-cloud-p… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssh-… ∗∗∗ Security Bulletin: Vulnerability which affects Rational Team Concert (RTC) and IBM Engineering Workflow Management (EWM) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-which-affec… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 2.0 (ICPDS 2.0 ) is vulnerable to arbitrary code execution due to Apache Log4j CVE-2021-4104 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: Financial Transaction Manager is vulnerable to arbitrary code execution (CVE-2021-45046) and denial of service (CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-financial-transaction-man… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by an issue within the channel process.(CVE-2021-39034) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-a… ∗∗∗ Security Bulletin: Log4j vulnerability affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerability-affec… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 16.02.2022
by Daily end-of-shift report 16 Feb '22

16 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 15-02-2022 18:00 − Mittwoch 16-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Researcher fully recovers text from pixels: how to reverse redaction ∗∗∗ --------------------------------------------- A researcher has demonstrated how he was able to successfully recover text that had been redacted using the pixelation technique. --------------------------------------------- https://www.bleepingcomputer.com/news/security/researcher-fully-recovers-te… ∗∗∗ Trickbot Malware Targeted Customers of 60 High-Profile Companies Since 2020 ∗∗∗ --------------------------------------------- The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features. --------------------------------------------- https://thehackernews.com/2022/02/trickbot-malware-targeted-customers-of.ht… ∗∗∗ 25 years on, Microsoft makes another stab at stopping macro malware ∗∗∗ --------------------------------------------- Microsoft has announced that from April 2022 it is changing the default behavior of Office applications so that they block macros in files from the internet. What’s more, it won’t give users a simple one-click way to allow the macros to run, foiling much of the social engineering tricks commonly used by cybercriminals. --------------------------------------------- https://grahamcluley.com/microsoft-stab-macro-viruses/ ∗∗∗ OpSec. Hunting wireless ∗∗∗ --------------------------------------------- Continuing my series on OSINT techniques you can use for reviewing your own corporate OpSec, one of the most common services available in a modern corporate office is of course wireless. --------------------------------------------- https://www.pentestpartners.com/security-blog/opsec-hunting-wireless/ ∗∗∗ Characterising Cybercriminals: A Review. (arXiv:2202.07419v1 [cs.CY]) ∗∗∗ --------------------------------------------- This review provides an overview of current research on the knowncharacteristics and motivations of offenders engaging in cyber-dependentcrimes. --------------------------------------------- http://arxiv.org/abs/2202.07419 ===================== = Vulnerabilities = ===================== ∗∗∗ High-Severity RCE Security Bug Reported in Apache Cassandra Database Software ∗∗∗ --------------------------------------------- Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations. --------------------------------------------- https://thehackernews.com/2022/02/high-severity-rce-security-bug-reported.h… ∗∗∗ VMware-Sicherheitsupdates: Angreifer könnten Schadcode in Host-Systeme schieben ∗∗∗ --------------------------------------------- Die VMware-Entwickler haben Sicherheitslücken in mehreren Anwendungen geschlossen. Sie stufen das Risiko als "kritisch" ein. --------------------------------------------- https://heise.de/-6478188 ∗∗∗ Atlassian Confluence und Jira für mehrere Attacken anfällig ∗∗∗ --------------------------------------------- Admins sollten ihre Confluence und Jira Server vor möglichen Angriffen absichern. Sicherheitsupdates sind verfügbar. --------------------------------------------- https://heise.de/-6478758 ∗∗∗ ZDI-22-368: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-368/ ∗∗∗ ZDI-22-367: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-367/ ∗∗∗ ZDI-22-366: MariaDB CONNECT Storage Engine Heap-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-366/ ∗∗∗ ZDI-22-365: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-365/ ∗∗∗ ZDI-22-364: MariaDB CONNECT Storage Engine Use-After-Free Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-364/ ∗∗∗ ZDI-22-363: MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-363/ ∗∗∗ Cisco Email Security Appliance DNS Verification Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Redundancy Configuration Manager for Cisco StarOS Software TCP Denial of Service Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Cisco Prime Infrastructure and Evolved Programmable Network Manager Cross-Site Scripting Vulnerability ∗∗∗ --------------------------------------------- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli… ∗∗∗ Security Bulletin: IBM Integrated Analytics System is vulnerable to arbitrary code execution due to Samba (CVE-2021-44142) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-integrated-analytics-… ∗∗∗ Security Bulletin: IBM Maximo Anywhere applications have no binary obfuscation ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-appli… ∗∗∗ Security Bulletin: IBM Maximo Anywhere Discloses Sensitive Information in Local Storage ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-maximo-anywhere-discl… ∗∗∗ Security Bulletin: App Connect Professional is affected by polkit's pkexec vulnerability ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-app-connect-professional-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Security Directory Server ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ SECURITY BULLETIN: February 2022 Security Bulletin for Trend Micro Apex One ∗∗∗ --------------------------------------------- https://success.trendmicro.com/solution/000290464 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 15.02.2022
by Daily end-of-shift report 15 Feb '22

15 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 14-02-2022 18:00 − Dienstag 15-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Domain-Hijacking: Tausende NPM-Accounts könnten sich übernehmen lassen ∗∗∗ --------------------------------------------- Laut einer Untersuchung lassen sich verwaiste NPM-Pakete leicht übernehmen. Außerdem könnten einige Maintainer überarbeitet sein. [..] Das hat auch NPM-Besitzer Github erkannt und führt deshalb langsam die zwingende Nutzung einer Zweifaktorauthentifizierung ein. --------------------------------------------- https://www.golem.de/news/domain-hijacking-tausende-npm-accounts-koennten-s… ∗∗∗ Who Are Those Bots?, (Tue, Feb 15th) ∗∗∗ --------------------------------------------- Im operating a mail server for multiple domains. This server is regularly targeted by bots that launch brute-force attacks to try to steal credentials. They try a list of common usernames but they also try targeted ones based on a list of email addresses that have been crawled. [..] I extracted the list of IP addresses that generated authentication failures for the last 30 days and got a list of 11K addresses. They are part of botnets used to launch these attacks. But who are those bots? What kind of host are we facing? --------------------------------------------- https://isc.sans.edu/diary/rss/28342 ∗∗∗ New MyloBot Malware Variant Sends Sextortion Emails Demanding $2,732 in Bitcoin ∗∗∗ --------------------------------------------- A new version of the MyloBot malware has been observed to deploy malicious payloads that are being used to send sextortion emails demanding victims to pay $2,732 in digital currency. MyloBot, first detected in 2018, is known to feature an array of sophisticated anti-debugging capabilities and propagation techniques to rope infected machines into a botnet, not to mention remove traces of other competing malware from the systems. --------------------------------------------- https://thehackernews.com/2022/02/new-mylobot-malware-variant-sends.html ∗∗∗ Dropping Files on a Domain Controller Using CVE-2021-43893 ∗∗∗ --------------------------------------------- On December 14, 2021, during the Log4Shell chaos, Microsoft published CVE-2021-43893, a remote privilege escalation vulnerability affecting the Windows Encrypted File System (EFS). The vulnerability was credited to James Forshaw of Google Project Zero, but perhaps owing to the Log4Shell atmosphere, the vulnerability gained little to no attention. --------------------------------------------- https://www.rapid7.com/blog/post/2022/02/14/dropping-files-on-a-domain-cont… ∗∗∗ macOS: Sicherheitsupdates für ältere Versionen ∗∗∗ --------------------------------------------- Big Sur und Catalina erhalten jeweils ein Patch-Paket – doch leider verrät Apple nichts zum Inhalt. --------------------------------------------- https://heise.de/-6457597 ∗∗∗ Qnap lässt Sicherheitsupdate-Support für einige NAS-Modelle aufleben ∗∗∗ --------------------------------------------- Wer einen älteren Netzwerkspeicher (NAS) von Qnap besitzt, könnte ab sofort wieder Sicherheitspatches bekommen. --------------------------------------------- https://heise.de/-6474074 ∗∗∗ Betrügerische Wohnungsinserate erkennen: So geht’s ∗∗∗ --------------------------------------------- Auf Plattformen wie immobilienscout24.at, willhaben.at oder im Facebook Marketplace werden immer wieder Fake-Inserate von Miet- und Eigentumswohnungen veröffentlicht. Fake-Inserate können aber anhand einiger Merkmale schnell entlarvt werden. Zum einen am günstigen Preis, zum anderen an der Kommunikation mit den Eigentümerinnen und Eigentümern. --------------------------------------------- https://www.watchlist-internet.at/news/betruegerische-wohnungsinserate-erke… ∗∗∗ New Emotet Infection Method ∗∗∗ --------------------------------------------- As early as Dec. 21, 2021, Unit 42 observed a new infection method for the highly prevalent malware family Emotet. [..] The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload. --------------------------------------------- https://unit42.paloaltonetworks.com/new-emotet-infection-method/ ∗∗∗ Warning over mysterious hackers that have been targeting aerospace and defence industries for years ∗∗∗ --------------------------------------------- Cybersecurity researchers detail a hacking operation that has been conducting phishing campaigns and malware attacks since 2017, despite barely changing its tactics. --------------------------------------------- https://www.zdnet.com/article/these-prolific-hackers-have-been-targeting-th… ∗∗∗ Squirrelwaffle, Microsoft Exchange Server vulnerabilities exploited for financial fraud ∗∗∗ --------------------------------------------- Unpatched servers have been used to twist corporate email threads and conduct financial theft. --------------------------------------------- https://www.zdnet.com/article/squirrelwaffle-loader-leverages-microsoft-exc… ∗∗∗ FBI and USSS Release Advisory on BlackByte Ransomware ∗∗∗ --------------------------------------------- The Federal Bureau of Investigation (FBI) and the United States Secret Service (USSS) have released a joint Cybersecurity Advisory (CSA) identifying indicators of compromise associated with BlackByte ransomware. BlackByte is a Ransomware-as-a-Service group that encrypts files on compromised Windows host systems, including physical and virtual servers. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/15/fbi-and-usss-rele… ∗∗∗ Sicherheitswarnung von Tuxedo Computer – dringend Passwort ändern ∗∗∗ --------------------------------------------- TUXEDO Computers ist ein in Augsburg angesiedelter Anbieter von Computern. [..] Bei diesem Hersteller hat es eine Sicherheitslücke gegeben, so dass der Hersteller die Kunden auffordert, ihre Kennwörter für deren Online-Konten zu ändern. --------------------------------------------- https://www.borncity.com/blog/2022/02/15/sicherheitswarnung-von-tuxedo-comp… ∗∗∗ Current MFA Fatigue Attack Campaign Targeting Microsoft Office 365 Users ∗∗∗ --------------------------------------------- Multi-factor Authentication or MFA (sometimes referred as 2FA) is an excellent way to protect your Office 365 accounts from attackers trying to gain access to them. [..] In this case, we are examining MFA Fatigue by focusing on a current attack vector—Push Notification Spamming. We’ll describe what MFA fatigue is, how it is carried out and detail the steps for IT professionals to detect and mitigate it within their organizations. --------------------------------------------- https://www.gosecure.net/blog/2022/02/14/current-mfa-fatigue-attack-campaig… ===================== = Vulnerabilities = ===================== ∗∗∗ Google announces zero-day in Chrome browser – update now! ∗∗∗ --------------------------------------------- Zero-day buses: none for a while, then three at once. Heres Google joining Apple and Adobe in "zero-day week" --------------------------------------------- https://nakedsecurity.sophos.com/2022/02/15/google-announces-zero-day-in-ch… ∗∗∗ Security Bulletin: Trend Micro Antivirus for Mac Link Following Privilege Escalation Vulnerability (CVE-2022-24671) ∗∗∗ --------------------------------------------- The update resolves a vulnerability in the product that allows a local attacker to modify a file during the update process and escalate their privileges. Please note that an attacker must at least have low-level privileges on the system to attempt to exploit this vulnerability. --------------------------------------------- https://helpcenter.trendmicro.com/en-us/article/TMKA-10937 ∗∗∗ Unsichere Babymonitore von Nooie: Fremde könnten Vollzugriff erlangen ∗∗∗ --------------------------------------------- Bei der Analyse von zwei Babyphones von Nooie hat Bitdefender Sicherheitslücken entdeckt, durch die Angreifer etwa den Videostream anzapfen könnten. --------------------------------------------- https://heise.de/-6475088 ∗∗∗ Multiple Critical Vulnerabilities in multiple Zyxel devices ∗∗∗ --------------------------------------------- Multiple Zyxel devices are prone to different critical vulnerabilities resulting from insecure coding practices and insecure configuration. One of the worst vulnerabilities is the unauthenticated buffer overflow in the "zhttpd" webserver, which is developed by Zyxel. By bypassing ASLR, the buffer overflow can be turned into an unauthenticated remote code execution. Besides, vulnerabilities like unauthenticated file disclosure, authenticated command injection and processing of symbolic links in the FTP daemon were found in the firmware. --------------------------------------------- https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulner… ∗∗∗ VMSA-2022-0004 ∗∗∗ --------------------------------------------- CVSSv3 Range: 5.3-8.4 CVE(s): CVE-2021-22040, CVE-2021-22041, CVE-2021-22042, CVE-2021-22043, CVE-2021-22050 Synopsis: VMware ESXi, Workstation, and Fusion updates address multiple security vulnerabilities --------------------------------------------- https://www.vmware.com/security/advisories/VMSA-2022-0004.html ∗∗∗ Symlink Directory Traversal in Linksys WLAN-Router (SYSS-2021-046) ∗∗∗ --------------------------------------------- Linksys WLAN-Router beinhaltet eine Schwachstelle, die es Angreifern erlaubt, Zugriff auf das gesamte interne Dateisystem des Routers zu erhalten. --------------------------------------------- https://www.syss.de/pentest-blog/symlink-directory-traversal-in-linksys-wla… ∗∗∗ Unzureichender Schutz für Medieninhalte bei AVMs FRITZ!Box (SYSS-2021-050) ∗∗∗ --------------------------------------------- AVMs FRITZ!Box-Heimrouter ermöglichen es Angreifenden, in Heimnetzwerken auf Mediendaten wie z. B. Bilder oder Videos zuzugreifen. --------------------------------------------- https://www.syss.de/pentest-blog/unzureichender-schutz-fuer-medieninhalte-b… ∗∗∗ Regarding vulnerability measure against buffer overflow for Laser Printers and Small Office Multifunction Printers – 15 February 2022 ∗∗∗ --------------------------------------------- Multiple cases of buffer overflow vulnerabilities have been identified with Canon Laser Printers and Small Office Multifunctional Printers. A list of affected models is given below. --------------------------------------------- https://www.canon-europe.com/support/product-security-latest-news/ ∗∗∗ ZDI-22-349: (Pwn2Own) Western Digital My Cloud Pro Series PR4100 ConnectivityService Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-349/ ∗∗∗ ZDI-22-348: (Pwn2Own) Western Digital MyCloud PR4100 cgi_api Server-Side Request Forgery Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-348/ ∗∗∗ ZDI-22-347: (Pwn2Own) Western Digital MyCloud PR4100 nasAdmin Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-347/ ∗∗∗ ZDI-22-346: (Pwn2Own) Western Digital MyCloud PR4100 samba Configuration Remote Code Execution Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-346/ ∗∗∗ Security Advisory - Privilege Escalation Vulnerability in Huawei Product ∗∗∗ --------------------------------------------- http://www.huawei.com/en/psirt/security-advisories/2022/huawei-sa-20220216-… ∗∗∗ Security Bulletin: IBM Cloud Pak for Data System 1.0 is vulnerable to remote code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-data-sy… ∗∗∗ Security Bulletin: Vulnerability in Polkit affects IBM Integrated Analytics System. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-polkit-a… ∗∗∗ TYPO3-EXT-SA-2022-004: File Content Injection in extension "Hardcoded text to Locallang" (mqk_locallangtools) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-004 ∗∗∗ TYPO3-EXT-SA-2022-003: Insecure direct object reference in extension "Varnishcache" (varnishcache) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-003 ∗∗∗ TYPO3-EXT-SA-2022-002: Cross-Site Scripting in extension "Bookdatabase" (extbookdatabase) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-002 ∗∗∗ TYPO3-EXT-SA-2022-001: Server-side request forgery in extension "Kitodo.Presentation" (dlf) ∗∗∗ --------------------------------------------- https://typo3.org/security/advisory/typo3-ext-sa-2022-001 ∗∗∗ Schneider Electric IGSS ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-22-046-01 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 14.02.2022
by Daily end-of-shift report 14 Feb '22

14 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Freitag 11-02-2022 18:00 − Montag 14-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Google Project Zero: Vendors are now quicker at fixing zero-days ∗∗∗ --------------------------------------------- Googles Project Zero has published a report showing that organizations took less time to address the zero-day vulnerabilities that the team reported last year. --------------------------------------------- https://www.bleepingcomputer.com/news/security/google-project-zero-vendors-… ∗∗∗ Microsoft is making it harder to steal Windows passwords from memory ∗∗∗ --------------------------------------------- Microsoft is enabling an Attack Surface Reduction security feature rule by default to block hackers attempts to steal Windows credentials from the LSASS process. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-is-making-it-hard… ∗∗∗ Allcome clipbanker is a newcomer in underground forums ∗∗∗ --------------------------------------------- The malware underground market might seem astoundingly professional in marketing and support. Lets take a look under the covers of one particular malware-as-a-service—the clipboard banker Allcome. --------------------------------------------- https://www.gdatasoftware.com/blog/2022/02/37239-allcome-clipbanker-is-a-ne… ∗∗∗ DHL Spear Phishing to Capture Username/Password, (Sun, Feb 13th) ∗∗∗ --------------------------------------------- This week I got this run-of-the-mill DHL phishing in my ISC inbox. --------------------------------------------- https://isc.sans.edu/diary/rss/28332 ∗∗∗ Reminder: Decoding TLS Client Hellos to non TLS servers, (Mon, Feb 14th) ∗∗∗ --------------------------------------------- If you still run a non-TLS web server, you may occasionally find requests like the following in your weblogs. --------------------------------------------- https://isc.sans.edu/diary/rss/28338 ∗∗∗ Vulnerabilities that aren’t. Unquoted Spaces ∗∗∗ --------------------------------------------- I’ve covered a couple of web vulnerabilities that (mostly) aren’t, and now it’s time for a Windows specific one. --------------------------------------------- https://www.pentestpartners.com/security-blog/vulnerabilities-that-arent-un… ∗∗∗ E-Mail vom Bundeskriminalamt mit Betreff „BUNDESKRIMINALAMT VORLADUNG“ ist Fake ∗∗∗ --------------------------------------------- „Hallo, wir teilen Ihnen mit, dass Sie eine Straftat begangen haben“ lautet der Text in einem E-Mail – angeblich vom Bundeskriminalamt. In einem angehängten PDF-Dokument teilen Ihnen das Bundeskriminalamt, die Polizei sowie Europol mit, dass gegen Sie ein Verfahren wegen einer sexuellen Straftat eingeleitet wurde. Achtung: Dieses E-Mail ist Fake. --------------------------------------------- https://www.watchlist-internet.at/news/e-mail-vom-bundeskriminalamt-mit-bet… ∗∗∗ CISA Adds One Known Exploited Vulnerability to Catalog ∗∗∗ --------------------------------------------- CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerability listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/11/cisa-adds-one-kno… ===================== = Vulnerabilities = ===================== ∗∗∗ Critical MQTT-Related Bugs Open Industrial Networks to RCE Via Moxa ∗∗∗ --------------------------------------------- A collection of five security vulnerabilities with a collective CVSS score of 10 out of 10 threaten critical infrastructure environments that use Moxa MXview. --------------------------------------------- https://threatpost.com/critical-mqtt-bugs-industrial-rce-moxa/178399/ ∗∗∗ Jetzt aktualisieren! Angriffe auf Shop-Systeme Adobe Commerce und Magento ∗∗∗ --------------------------------------------- Adobe meldet Angriffe auf die Shop-Systeme Commerce und Magento. Updates stehen bereit, die die ausgenutzte kritische Sicherheitslücke schließen sollen. --------------------------------------------- https://heise.de/-6455225 ∗∗∗ ZDI-22-318: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability ∗∗∗ --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-318/ ∗∗∗ Security Bulletin: IBM Cognos Analytics Mobile is affected by security vulnerabilties ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cognos-analytics-mobi… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: IBM Sterling Connect:Direct for UNIX may be vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44832) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-connectdirec… ∗∗∗ Security Bulletin: IBM Data Management Platform for EDB Postgres (Standard and Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-data-management-platf… ∗∗∗ Security Bulletin: DS8000 Hardware Management Console is vulnerable to Apache Log4j (CVE-2021-45105 and CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Operations Dashboard is vulnerable to arbitrary code execution in Log4j CVE-2021-44832 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-operations-dashboard-is-v… ∗∗∗ Security Bulletin: DS8000 Hardware Management Console uses Apache Log4j which is subject to a vulnerability alert CVE-2021-44228. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ds8000-hardware-managemen… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… ∗∗∗ Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Master Data Management ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-vulnerabilities-… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 11.02.2022
by Daily end-of-shift report 11 Feb '22

11 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Donnerstag 10-02-2022 18:00 − Freitag 11-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Microsoft starts killing off WMIC in Windows, will thwart attacks ∗∗∗ --------------------------------------------- Microsoft is moving forward with removing the Windows Management Instrumentation Command-line (WMIC) tool, wmic.exe, starting with the latest Windows 11 preview builds in the Dev channel. --------------------------------------------- https://www.bleepingcomputer.com/news/microsoft/microsoft-starts-killing-of… ∗∗∗ Zyxel Network Storage Devices Hunted By Mirai Variant, (Thu, Feb 10th) ∗∗∗ --------------------------------------------- I have been talking a lot about various network storage devices and how you never ever want to expose them to the Internet. The brands that usually come up are Synology and QNAP, which have a significant market share. But they are not alone. --------------------------------------------- https://isc.sans.edu/diary/rss/28324 ∗∗∗ CinaRAT Delivered Through HTML ID Attributes, (Fri, Feb 11th) ∗∗∗ --------------------------------------------- I found another sample that again drops a malicious ISO file but this time, it is much more obfuscated and the VT score is 0! Yes, not detected by any antivirus solution! --------------------------------------------- https://isc.sans.edu/diary/rss/28330 ∗∗∗ Use Zoom on a Mac? You might want to check your microphone settings ∗∗∗ --------------------------------------------- Big Brother Zoomer is listening to us, complain users Apple Mac users running the Zoom meetings app are reporting that its keeping their computers microphone on when they arent using it. --------------------------------------------- https://go.theregister.com/feed/www.theregister.com/2022/02/10/zoom_mac_mic… ∗∗∗ Schwachstelle im Virenschutz Microsoft-Defender stillschweigend abgedichtet ∗∗∗ --------------------------------------------- Durch zu laxe Rechtevergabe hätten Angreifer auf die Microsoft-Defender-Ausnahmen zugreifen können. Die Lücke hat das Unternehmen ohne Ankündigung behoben. --------------------------------------------- https://heise.de/-6444399 ∗∗∗ Luftnummer: Warnung vor Geisterberührungen auf Touchscreens ∗∗∗ --------------------------------------------- Die TU Darmstadt warnt, dass gezielte Angriffe auf Touchscreens möglich seien. Praxistauglich ist der beschriebene "GhostTouch"-Angriff jedoch nicht. --------------------------------------------- https://heise.de/-6445488 ∗∗∗ CISA Adds 15 Known Exploited Vulnerabilities to Catalog ∗∗∗ --------------------------------------------- CISA has added 15 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. --------------------------------------------- https://us-cert.cisa.gov/ncas/current-activity/2022/02/10/cisa-adds-15-know… ∗∗∗ Malicious Chrome Browser Extension Exposed: ChromeBack Leverages Silent Extension Loading ∗∗∗ --------------------------------------------- GoSecure Titan Labs received a malicious Chrome extension sample that we are calling ChromeBack from GoSecures Titan Managed Detection and Response (MDR) team. --------------------------------------------- https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension… ===================== = Vulnerabilities = ===================== ∗∗∗ Microsoft: SMB-Lücke in Windows wird aktiv ausgenutzt ∗∗∗ --------------------------------------------- Eine fast zwei Jahre alte kritische Lücke in Windows wird derzeit aktiv ausgenutzt. Exploits gibt es auch für eine sieben Jahre alte Windows-Lücke. --------------------------------------------- https://www.golem.de/news/microsoft-smb-luecke-in-windows-wird-aktiv-ausgen… ∗∗∗ Notfall-Patch für iPhones, iPads und Macs: iOS 15.3.1 und macOS 12.2.1 verfügbar ∗∗∗ --------------------------------------------- Apple schließt eine Lücke, die offenbar aktiv für Angriffe ausgenutzt wird. Außerdem beseitigt der Hersteller Bugs, darunter Bluetooth-Probleme bei Intel-Macs. --------------------------------------------- https://heise.de/-6440372 ∗∗∗ Security updates for Friday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (cryptsetup), Fedora (firefox, java-1.8.0-openjdk, microcode_ctl, python-django, rlwrap, and vim), openSUSE (kernel), and SUSE (kernel and ldb, samba). --------------------------------------------- https://lwn.net/Articles/884516/ ∗∗∗ Security Bulletin: A vulnerability in IBM Java Runtime affects IBM CICS TX on Cloud ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-ja… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: Xpat vulnerability affect IBM Cloud Object Storage Systems (Feb 2022 V1-a) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-xpat-vulnerability-affect… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-24750) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: EDB Postgres Advanced Server with IBM and IBM Data Management Platform for EDB Postgres (Standard or Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack. ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-edb-postgres-advanced-ser… ∗∗∗ Security Bulletin: IBM Rational Build Forge is affected by Apache HTTP Server version used in it. (CVE-2021-44790) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-rational-build-forge-… ∗∗∗ QNAP NAS: Schwachstelle ermöglicht Codeausführung ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0178 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 10.02.2022
by Daily end-of-shift report 10 Feb '22

10 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Mittwoch 09-02-2022 18:00 − Donnerstag 10-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: Robert Waldner ===================== = News = ===================== ∗∗∗ Wave of MageCart attacks target hundreds of outdated Magento sites ∗∗∗ --------------------------------------------- Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. [...] The domain from where threat actors loaded the malware is naturalfreshmall[.]com, currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores. --------------------------------------------- https://www.bleepingcomputer.com/news/security/wave-of-magecart-attacks-tar… ∗∗∗ FritzFrog botnet grows 10x, hits healthcare, edu, and govt systems ∗∗∗ --------------------------------------------- Researchers at internet security company Akamai spotted a new version of the FritzFrog malware, which comes with interesting new functions, like using the Tor proxy chain. The new botnet variant also shows indications that its operators are preparing to add capabilities to target WordPress servers. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fritzfrog-botnet-grows-10x-h… ∗∗∗ Linux Malware on the Rise ∗∗∗ --------------------------------------------- Ransomware, cryptojacking, and a cracked version of the penetration-testing tool Cobalt Strike have increasingly targeted Linux in multicloud infrastructure, report states. --------------------------------------------- https://www.darkreading.com/cloud/linux-malware-on-the-rise-including-illic… ∗∗∗ Cybercriminals Swarm Windows Utility Regsvr32 to Spread Malware ∗∗∗ --------------------------------------------- The living-off-the-land binary (LOLBin) is anchoring a rash of cyberattacks bent on evading security detection to drop Qbot and Lokibot. --------------------------------------------- https://threatpost.com/cybercriminals-windows-utility-regsvr32-malware/1783… ∗∗∗ SAP to Give Threat Briefing on Uber-Severe ‘ICMAD’ Bugs ∗∗∗ --------------------------------------------- SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more. [..] Onapsis also provided a free, open-source vulnerability scanner tool to assist SAP customers in addressing these serious issues, available to download [..] --------------------------------------------- https://threatpost.com/sap-threat-briefing-severe-icmad-bugs/178344/ ∗∗∗ Vorsicht vor betrügerischen Fortnite-Shops! ∗∗∗ --------------------------------------------- Betrügerische Fortnite-Onlineshops, wie premiumskins.net bieten beliebte Outfits, sogenannte „Fortnite-Skins“ zum Kauf an. Doch Vorsicht – oft werden die Skins nach Bezahlung nicht geliefert! Kaufen Sie Skins nur über den offiziellen Store, innerhalb des Spiels und vertrauen Sie keinen externen Anbietern. --------------------------------------------- https://www.watchlist-internet.at/news/vorsicht-vor-betruegerischen-fortnit… ∗∗∗ Ransomware tracker: the latest figures [February 2022] ∗∗∗ --------------------------------------------- Over the last two years, The Record and our parent company Recorded Future have updated this ransomware tracker using data collected from government agencies, news reports, hacking forums, and other sources. The trend is clear: despite bold efforts from governments around the world, ransomware isn’t going anywhere. Here are some of our most critical findings --------------------------------------------- https://therecord.media/ransomware-tracker-the-latest-figures/ ===================== = Vulnerabilities = ===================== ∗∗∗ ZDI-22-290: BMC Track-It! HTTP Module Improper Access Control Authentication Bypass Vulnerability ∗∗∗ --------------------------------------------- This vulnerability allows remote attackers to bypass authentication on affected installations of BMC Track-It!. Authentication is not required to exploit this vulnerability. --------------------------------------------- http://www.zerodayinitiative.com/advisories/ZDI-22-290/ ∗∗∗ WordPress-Übernahme durch kritische Lücken in PHP Everywhere ∗∗∗ --------------------------------------------- Angreifer hätten durch eine kritische Sicherheitslücke in PHP Everywhere beliebigen Code in WordPress-Instanzen ausführen können. Ein Update steht bereit. --------------------------------------------- https://heise.de/-6369318 ∗∗∗ Unauthenticated SQL Injection Vulnerability Patched in WordPress Statistics Plugin ∗∗∗ --------------------------------------------- On February 7, 2022, Security Researcher Cyku Hong from DEVCORE reported a vulnerability to us that they discovered in WP Statistics, a WordPress plugin installed on over 600,000 sites. This vulnerability made it possible for unauthenticated attackers to execute arbitrary SQL queries by appending them to an existing SQL query. --------------------------------------------- https://www.wordfence.com/blog/2022/02/unauthenticated-sql-injection-vulner… ∗∗∗ Security updates for Thursday ∗∗∗ --------------------------------------------- Security updates have been issued by Debian (firefox-esr and openjdk-8), Fedora (phoronix-test-suite and php-laminas-form), Mageia (epiphany, firejail, and samba), Oracle (aide, kernel, kernel-container, and qemu), Red Hat (.NET 5.0 on RHEL 7 and .NET 6.0 on RHEL 7), Scientific Linux (aide), Slackware (mozilla), SUSE (clamav, expat, and xen), and Ubuntu (speex). --------------------------------------------- https://lwn.net/Articles/884381/ ∗∗∗ Dell Computer: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- Ein lokaler Angreifer kann mehrere Schwachstellen in Dell Computer ausnutzen, um beliebigen Programmcode auszuführen oder modifizierte BIOS-Firmware zu installieren. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0174 ∗∗∗ Drupal: Mehrere Schwachstellen [in Plugins] ∗∗∗ --------------------------------------------- Über zahlreiche Extensions kann der Funktionsumfang der Core-Installation individuell erweitert werden. Ein entfernter, anonymer oderauthentisierter Angreifer kann mehrere Schwachstellen in Drupal [Plugins] ausnutzen, um Sicherheitsvorkehrungen zu umgehen und einen Cross-Site-Scripting-Angriff durchzuführen. --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0173 ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30640 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Release is vulnerable to arbitrary code execution due to Apache Log4j( CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-release-is-… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-41079 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-33037 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ Security Bulletin: Netcool Operations Insight is vulnerable to arbitrary code execution and denial of service due to Apache Log4j (CVE-2021-45046, CVE-2021-45105) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-netcool-operations-insigh… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ CVE-2022-0016 GlobalProtect App: Privilege Escalation Vulnerability When Using Connect Before Logon (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0016 ∗∗∗ CVE-2022-0017 GlobalProtect App: Improper Link Resolution Vulnerability Leads to Local Privilege Escalation (Severity: HIGH) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0017 ∗∗∗ CVE-2022-0018 GlobalProtect App: Information Exposure Vulnerability When Connecting to GlobalProtect Portal With Single Sign-On Enabled (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0018 ∗∗∗ CVE-2022-0011 PAN-OS: URL Category Exceptions Match More URLs Than Intended in URL Filtering (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0011 ∗∗∗ CVE-2022-0021 GlobalProtect App: Information Exposure Vulnerability When Using Connect Before Logon (Severity: LOW) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0021 ∗∗∗ CVE-2022-0020 Cortex XSOAR: Stored Cross-Site Scripting (XSS) Vulnerability in Web Interface (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0020 ∗∗∗ CVE-2022-0019 GlobalProtect App: Insufficiently Protected Credentials Vulnerability on Linux (Severity: MEDIUM) ∗∗∗ --------------------------------------------- https://security.paloaltonetworks.com/CVE-2022-0019 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 09.02.2022
by Daily end-of-shift report 09 Feb '22

09 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Dienstag 08-02-2022 18:00 − Mittwoch 09-02-2022 18:00 Handler: Thomas Pribitzer Co-Handler: n/a ===================== = News = ===================== ∗∗∗ Kimsuki hackers use commodity RATs with custom Gold Dragon malware ∗∗∗ --------------------------------------------- South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon. --------------------------------------------- https://www.bleepingcomputer.com/news/security/kimsuki-hackers-use-commodit… ∗∗∗ Fake Windows 11 upgrade installers infect you with RedLine malware ∗∗∗ --------------------------------------------- Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware. --------------------------------------------- https://www.bleepingcomputer.com/news/security/fake-windows-11-upgrade-inst… ∗∗∗ Ransomware dev releases Egregor, Maze master decryption keys ∗∗∗ --------------------------------------------- The master decryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released last night on the BleepingComputer forums by the alleged malware developer. --------------------------------------------- https://www.bleepingcomputer.com/news/security/ransomware-dev-releases-egre… ∗∗∗ Bios, UEFI, WLAN: Intel schließt zahlreiche Firmware-Sicherheitslücken ∗∗∗ --------------------------------------------- An einem groß angelegten Patch-Day stellt Intel Updates für Sicherheitslücken bereit. Diese lassen sich zum Ausweiten von Rechten nutzen. --------------------------------------------- https://www.golem.de/news/bios-uefi-wlan-intel-schliesst-zahlreiche-firmwar… ∗∗∗ Example of Cobalt Strike from Emotet infection, (Wed, Feb 9th) ∗∗∗ --------------------------------------------- Today's diary reviews another Cobalt Strike sample dropped by an Emotet infection on Tuesday 2022-02-08. --------------------------------------------- https://isc.sans.edu/diary/rss/28318 ∗∗∗ SpoolFool: Windows Print Spooler Privilege Escalation (CVE-2022–22718) ∗∗∗ --------------------------------------------- In this blog post, we’ll look at a Windows Print Spooler local privilege escalation vulnerability that I found and reported in November 2021. The vulnerability got patched as part of Microsoft’s Patch Tuesday in February 2022. --------------------------------------------- https://research.ifcr.dk/spoolfool-windows-print-spooler-privilege-escalati… ∗∗∗ CISA and SAP warn about major vulnerability ∗∗∗ --------------------------------------------- SAP patched the issue yesterday. CVE-2022-22536 is one of eight vulnerabilities that received a severity rating of 10/10 but is the one that CISA chose to highlight in its own security advisory, primarily due to its ease of exploitation and its ubiquity in SAP products. --------------------------------------------- https://therecord.media/cisa-and-sap-warn-about-major-vulnerability/ ∗∗∗ AA22-040A: 2021 Trends Show Increased Globalized Threat of Ransomware ∗∗∗ --------------------------------------------- Ransomware tactics and techniques continued to evolve in 2021, which demonstrates ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally. --------------------------------------------- https://us-cert.cisa.gov/ncas/alerts/aa22-040a ===================== = Vulnerabilities = ===================== ∗∗∗ Ausführen von Schadcode denkbar: Sicherheitsupdates für Firefox und Thunderbird ∗∗∗ --------------------------------------------- Die Mozilla-Entwickler schließen in aktualisierten Versionen von Firefox und Thunderbird viele Sicherheitslücken. Einige davon stufen sie als hohes Risiko ein. --------------------------------------------- https://heise.de/-6360477 ∗∗∗ Patchday Microsoft: Angreifer könnten eine Kernel-Lücke in Windows ausnutzen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Azure, Office, Windows & Co. Das ist selten: Keine der geschlossenen Lücken gilt als kritisch. --------------------------------------------- https://heise.de/-6360267 ∗∗∗ Patchday: Adobe schließt Schadcode-Lücken in Illustrator ∗∗∗ --------------------------------------------- Die Entwickler von Adobe haben ihr Software-Portfolio gegen mögliche Attacken abgesichert. --------------------------------------------- https://heise.de/-6360575 ∗∗∗ Security updates for Wednesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (aide), Debian (connman), Fedora (perl-App-cpanminus and rust-afterburn), Mageia (glibc), Red Hat (.NET 5.0, .NET 6.0, aide, log4j, ovirt-engine, and samba), SUSE (elasticsearch, elasticsearch-kit, kafka, kafka-kit, logstash, openstack-monasca-agent, openstack-monasca-log-metrics, openstack-monasca-log-persister, openstack-monasca-log-transformer, openstack-monasca-persister-java, openstack-monasca-persister-java-kit, openstack-monasca-thresh,[...] --------------------------------------------- https://lwn.net/Articles/884242/ ∗∗∗ ICS Patch Tuesday: Siemens, Schneider Electric Address Nearly 50 Vulnerabilities ∗∗∗ --------------------------------------------- Industrial giants Siemens and Schneider Electric released a total of 15 advisories on Tuesday to address nearly 50 vulnerabilities discovered in their products. --------------------------------------------- https://www.securityweek.com/ics-patch-tuesday-siemens-schneider-electric-a… ∗∗∗ HPE Agentless Management registers unquoted service paths ∗∗∗ --------------------------------------------- https://jvn.jp/en/jp/JVN12969207/ ∗∗∗ Security Advisory for Citrix Hypervisor (CVE-2022-23034, CVE-2022-23035, CVE-2021-0145) ∗∗∗ --------------------------------------------- https://support.citrix.com/article/CTX337526 ∗∗∗ Security Bulletin: Log4j vulnerabilities affect IBM Netezza Analytics ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4j-vulnerabilities-aff… ∗∗∗ Security Bulletin: Security Bulletin: Vulnerability in Apache Log4j affects Netcool Operation Insight (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-security-bulletin-vulnera… ∗∗∗ Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go (CVE CVE-2021-41771 & CVE-2021-41772) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-platform-navigator-and-au… ∗∗∗ Security Bulletin: IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228 ) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-tririga-reporting-a-c… ∗∗∗ Security Bulletin: Multiple vulnerabilities affect IBM Cloud Object Storage Systems (Feb 2022 V1) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-… ∗∗∗ Security Bulletin: IBM OpenPages with Watson is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2019-17571) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-openpages-with-watson… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – October 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: Multiple security vulnerabilities have been identified in IBM® Java SDK that affect IBM Security Directory Suite – July 2021 CPU ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnera… ∗∗∗ Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-30639 ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-urbancode-build-is-af… ∗∗∗ WebKitGTK and WPE WebKit Security Advisory WSA-2022-0002 ∗∗∗ --------------------------------------------- https://webkitgtk.org/security/WSA-2022-0002.html ∗∗∗ Zoom Video Communications Zoom Client: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0158 ∗∗∗ QEMU: Schwachstelle ermöglicht Ausführen von beliebigem Programmcode mit Administratorrechten ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0156 ∗∗∗ Grafana: Mehrere Schwachstellen ∗∗∗ --------------------------------------------- http://www.cert-bund.de/advisoryshort/CB-K22-0159 ∗∗∗ QNAP: Multiple Vulnerabilities in Samba ∗∗∗ --------------------------------------------- https://www.qnap.com/en-us/security-advisory/QSA-22-03 -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

Tageszusammenfassung - 08.02.2022
by Daily end-of-shift report 08 Feb '22

08 Feb '22

===================== = End-of-Day report = ===================== Timeframe: Montag 07-02-2022 18:00 − Dienstag 08-02-2022 18:00 Handler: Robert Waldner Co-Handler: Thomas Pribitzer ===================== = News = ===================== ∗∗∗ Internetsicherheit: So schützen Sie sich vor Account-Hijacking und Co. ∗∗∗ --------------------------------------------- Wir erklären Ihnen, worauf Sie achten sollten, damit Sie sicher im Internet unterwegs sind. --------------------------------------------- https://heise.de/-6355600 ∗∗∗ Microsoft Office soll VBA-Makros standardmäßig blockieren ∗∗∗ --------------------------------------------- Makros sind ein Einfallstor für Malware. VBA-Makros standardmäßig zu deaktivieren, ist längst überfällig. --------------------------------------------- https://heise.de/-6353429 ∗∗∗ Patchday: Lücken in SAP-Produkten ermöglichen Codeschmuggel ∗∗∗ --------------------------------------------- Am Februar-Patchday schließt SAP mehrere kritische Sicherheitslücken, durch die Angreifer Schadcode in betroffene Systeme einschleusen hätten können. --------------------------------------------- https://heise.de/-6356776 ∗∗∗ Open or Sneaky? Fast or Slow? Light or Heavy?: Investigating Security Releases of Open Source Packages ∗∗∗ --------------------------------------------- Specifically, in this paper, we study [..] security releases over a dataset of 4,377 security advisories across seven package ecosystems (Composer, Go, Maven, npm, NuGet, pip, and RubyGems). [..] Based on our findings, we make four recommendations for the package maintainers and the ecosystem administrators, such as using private fork for security fixes and standardizing the practice for announcing security releases. --------------------------------------------- https://arxiv.org/pdf/2112.06804.pdf ∗∗∗ “We absolutely do not care about you”: Sugar ransomware targets individuals ∗∗∗ --------------------------------------------- They call it Sugar ransomware, but its not sweet in any way. --------------------------------------------- https://blog.malwarebytes.com/ransomware/2022/02/we-absolutely-do-not-care-… ∗∗∗ Operation EmailThief: Active Exploitation of Zero-day XSS Vulnerability in Zimbra ∗∗∗ --------------------------------------------- [UPDATE] On February 4, 2022, Zimbra provided an update regarding this zero-day exploit vulnerability and reported that a hotfix for 8.8.15 P30 would be available on February 5, 2022. --------------------------------------------- https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploi… ===================== = Vulnerabilities = ===================== ∗∗∗ WordPress IP2Location Country Blocker 2.26.7 Cross Site Scripting ∗∗∗ --------------------------------------------- An authenticated user is able to inject arbitrary Javascript or HTML code to the "Frontend Settings" interface available in settings page of the plugin (Country Blocker), due to incorrect sanitization of user-supplied data and achieve a Stored Cross-Site Scripting attack against the administrators or the other authenticated users. The plugin versions prior to 2.26.7 are affected by this vulnerability. --------------------------------------------- https://cxsecurity.com/issue/WLB-2022020031 ∗∗∗ CVE-2021-38130 Voltage SecureMail 7.3 Mail Relay Information Leakage Vuln. ∗∗∗ --------------------------------------------- An information leakage vulnerability with a CVSS of 4.1 was discovered in SecureMail Server for versions prior to 7.3.0.1. The vulnerability can be exploited to send sensitive information to an unauthorized user. A resolution of this vulnerability is available in the Voltage SecureMail version 7.3.0.1 patch release. --------------------------------------------- https://portal.microfocus.com/s/article/KM000003667?language=en_US ∗∗∗ Patchday: Kritische System-Lücke lässt Angreifer auf Android-Geräte zugreifen ∗∗∗ --------------------------------------------- Es gibt wichtige Sicherheitsupdates für Android 10, 11, 12 und verschiedene Komponenten des Systems. --------------------------------------------- https://heise.de/-6355256 ∗∗∗ Critical Vulnerabilities in PHP Everywhere Allow Remote Code Execution ∗∗∗ --------------------------------------------- On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin [...] --------------------------------------------- https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-ever… ∗∗∗ Security updates for Tuesday ∗∗∗ --------------------------------------------- Security updates have been issued by CentOS (log4j), Debian (chromium, xterm, and zabbix), Fedora (kate, lua, and podman), Oracle (aide and log4j), and SUSE (xen). --------------------------------------------- https://lwn.net/Articles/884082/ ∗∗∗ K33484369: Linux kernel vulnerability CVE-2021-20194 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K33484369?utm_source=f5support&utm_mediu… ∗∗∗ K01217337: Linux kernel vulnerability CVE-2021-22543 ∗∗∗ --------------------------------------------- https://support.f5.com/csp/article/K01217337?utm_source=f5support&utm_mediu… ∗∗∗ Mitsubishi Electric FA Engineering Software Products (Update D) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02 ∗∗∗ Mitsubishi Electric Factory Automation Engineering Products (Update F) ∗∗∗ --------------------------------------------- https://us-cert.cisa.gov/ics/advisories/icsa-20-212-04 ∗∗∗ SSA-914168: Multiple Vulnerabilities in SIMATIC WinCC Affecting Other SIMATIC Software Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-914168.txt ∗∗∗ SSA-669737: Improper Access Control Vulnerability in SICAM TOOLBOX II ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-669737.txt ∗∗∗ SSA-654775: Open Redirect Vulnerability in SINEMA Remote Connect Server ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-654775.txt ∗∗∗ SSA-609880: File Parsing Vulnerabilities in Simcenter Femap before V2022.1 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-609880.txt ∗∗∗ SSA-539476: Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-539476.txt ∗∗∗ SSA-301589: Multiple File Parsing Vulnerabilities in Solid Edge, JT2Go and Teamcenter Visualization ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-301589.txt ∗∗∗ SSA-244969: OpenSSL Vulnerability in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-244969.txt ∗∗∗ SSA-838121: Multiple Denial of Service Vulnerabilities in Industrial Products ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-838121.txt ∗∗∗ SSA-831168: Cross-Site Scripting Vulnerability in Spectrum Power 4 ∗∗∗ --------------------------------------------- https://cert-portal.siemens.com/productcert/txt/ssa-831168.txt ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2020-35728) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities (CVE-2021-20190) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Vulnerability in Apache Log4j may affect Cúram Social Program Management (CVE-2021-4104) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-apache-l… ∗∗∗ Security Bulletin: Apache Log4j vulnerability impacts IBM Sterling Global Mailbox (CVE-2021-45046) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-apache-log4j-vulnerabilit… ∗∗∗ Security Bulletin: IBM Cloud Private is vulnerable to FasterXML jackson-databind vulnerabilities ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-private-is-vuln… ∗∗∗ Security Bulletin: Log4Shell Vulnerability affects IBM SPSS Statistics (CVE-2021-44228) ∗∗∗ --------------------------------------------- https://www.ibm.com/blogs/psirt/security-bulletin-log4shell-vulnerability-a… -- CERT.at Daily mailing list Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

Daily